search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
torture/ioctl: add FSCTL_DUP_EXTENTS_TO_FILE tests
[Samba.git] / source4 / utils / ntlm_auth.c
blob75dcebf05714bfaea50096f428a089ead5ee8164
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind status program.
5
6 Copyright (C) Tim Potter 2000-2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004
8 Copyright (C) Francesco Chemolli <kinkie@kame.usr.dsi.unimi.it> 2000
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "system/filesys.h"
26 #include "lib/cmdline/popt_common.h"
27 #include <ldb.h>
28 #include "auth/credentials/credentials.h"
29 #include "auth/gensec/gensec.h"
30 #include "auth/gensec/gensec_internal.h" /* TODO: remove this */
31 #include "auth/auth.h"
32 #include "librpc/gen_ndr/ndr_netlogon.h"
33 #include "auth/auth_sam.h"
34 #include "libcli/auth/libcli_auth.h"
35 #include "libcli/security/security.h"
36 #include "lib/events/events.h"
37 #include "lib/messaging/messaging.h"
38 #include "lib/messaging/irpc.h"
39 #include "auth/ntlmssp/ntlmssp.h"
40 #include "param/param.h"
41 #include "lib/util/base64.h"
42
43 #define INITIAL_BUFFER_SIZE 300
44 #define MAX_BUFFER_SIZE 63000
45
46 enum stdio_helper_mode {
47 SQUID_2_4_BASIC,
48 SQUID_2_5_BASIC,
49 SQUID_2_5_NTLMSSP,
50 NTLMSSP_CLIENT_1,
51 GSS_SPNEGO_CLIENT,
52 GSS_SPNEGO_SERVER,
53 NTLM_SERVER_1,
54 NUM_HELPER_MODES
55 };
56
57 #define NTLM_AUTH_FLAG_USER_SESSION_KEY 0x0004
58 #define NTLM_AUTH_FLAG_LMKEY 0x0008
59
60
61 typedef void (*stdio_helper_function)(enum stdio_helper_mode stdio_helper_mode,
62 struct loadparm_context *lp_ctx,
63 char *buf, int length, void **private1,
64 unsigned int mux_id, void **private2);
65
66 static void manage_squid_basic_request (enum stdio_helper_mode stdio_helper_mode,
67 struct loadparm_context *lp_ctx,
68 char *buf, int length, void **private1,
69 unsigned int mux_id, void **private2);
70
71 static void manage_gensec_request (enum stdio_helper_mode stdio_helper_mode,
72 struct loadparm_context *lp_ctx,
73 char *buf, int length, void **private1,
74 unsigned int mux_id, void **private2);
75
76 static void manage_ntlm_server_1_request (enum stdio_helper_mode stdio_helper_mode,
77 struct loadparm_context *lp_ctx,
78 char *buf, int length, void **private1,
79 unsigned int mux_id, void **private2);
80
81 static void manage_squid_request(struct loadparm_context *lp_ctx,
82 enum stdio_helper_mode helper_mode,
83 stdio_helper_function fn, void **private2);
84
85 static const struct {
86 enum stdio_helper_mode mode;
87 const char *name;
88 stdio_helper_function fn;
89 } stdio_helper_protocols[] = {
90 { SQUID_2_4_BASIC, "squid-2.4-basic", manage_squid_basic_request},
91 { SQUID_2_5_BASIC, "squid-2.5-basic", manage_squid_basic_request},
92 { SQUID_2_5_NTLMSSP, "squid-2.5-ntlmssp", manage_gensec_request},
93 { GSS_SPNEGO_CLIENT, "gss-spnego-client", manage_gensec_request},
94 { GSS_SPNEGO_SERVER, "gss-spnego", manage_gensec_request},
95 { NTLMSSP_CLIENT_1, "ntlmssp-client-1", manage_gensec_request},
96 { NTLM_SERVER_1, "ntlm-server-1", manage_ntlm_server_1_request},
97 { NUM_HELPER_MODES, NULL, NULL}
98 };
99
100 extern int winbindd_fd;
101
102 static const char *opt_username;
103 static const char *opt_domain;
104 static const char *opt_workstation;
105 static const char *opt_password;
106 static int opt_multiplex;
107 static int use_cached_creds;
108 static int opt_allow_mschapv2;
109
110
111 static void mux_printf(unsigned int mux_id, const char *format, ...) PRINTF_ATTRIBUTE(2, 3);
112
113 static void mux_printf(unsigned int mux_id, const char *format, ...)
114 {
115 va_list ap;
116
117 if (opt_multiplex) {
118 x_fprintf(x_stdout, "%d ", mux_id);
119 }
120
121 va_start(ap, format);
122 x_vfprintf(x_stdout, format, ap);
123 va_end(ap);
124 }
125
126
127
128 /* Copy of parse_domain_user from winbindd_util.c. Parse a string of the
129 form DOMAIN/user into a domain and a user */
130
131 static bool parse_ntlm_auth_domain_user(const char *domuser, char **domain,
132 char **user, char winbind_separator)
133 {
134
135 char *p = strchr(domuser, winbind_separator);
136
137 if (!p) {
138 return false;
139 }
140
141 *user = smb_xstrdup(p+1);
142 *domain = smb_xstrdup(domuser);
143 (*domain)[PTR_DIFF(p, domuser)] = 0;
144
145 return true;
146 }
147
148
149 /* Authenticate a user with a plaintext password */
150
151 static bool check_plaintext_auth(const char *user, const char *pass,
152 bool stdout_diagnostics)
153 {
154 return (strcmp(pass, opt_password) == 0);
155 }
156
157 /* authenticate a user with an encrypted username/password */
158
159 static NTSTATUS local_pw_check_specified(struct loadparm_context *lp_ctx,
160 const char *username,
161 const char *domain,
162 const char *workstation,
163 const DATA_BLOB *challenge,
164 const DATA_BLOB *lm_response,
165 const DATA_BLOB *nt_response,
166 uint32_t flags,
167 DATA_BLOB *lm_session_key,
168 DATA_BLOB *user_session_key,
169 char **error_string,
170 char **unix_name)
171 {
172 NTSTATUS nt_status;
173 struct samr_Password lm_pw, nt_pw;
174 struct samr_Password *lm_pwd, *nt_pwd;
175 TALLOC_CTX *mem_ctx = talloc_init("local_pw_check_specified");
176 if (!mem_ctx) {
177 nt_status = NT_STATUS_NO_MEMORY;
178 } else {
179 uint32_t logon_parameters = 0;
180
181 E_md4hash(opt_password, nt_pw.hash);
182 if (E_deshash(opt_password, lm_pw.hash)) {
183 lm_pwd = &lm_pw;
184 } else {
185 lm_pwd = NULL;
186 }
187 nt_pwd = &nt_pw;
188
189 if (opt_allow_mschapv2) {
190 logon_parameters |= MSV1_0_ALLOW_MSVCHAPV2;
191 }
192
193 nt_status = ntlm_password_check(mem_ctx,
194 lpcfg_lanman_auth(lp_ctx),
195 lpcfg_ntlm_auth(lp_ctx),
196 logon_parameters |
197 MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
198 MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
199 challenge,
200 lm_response,
201 nt_response,
202 username,
203 username,
204 domain,
205 lm_pwd, nt_pwd, user_session_key, lm_session_key);
206
207 if (NT_STATUS_IS_OK(nt_status)) {
208 if (unix_name) {
209 if (asprintf(unix_name, "%s%c%s", domain,
210 *lpcfg_winbind_separator(lp_ctx),
211 username) < 0) {
212 nt_status = NT_STATUS_NO_MEMORY;
213 }
214 }
215 } else {
216 DEBUG(3, ("Login for user [%s]\\[%s]@[%s] failed due to [%s]\n",
217 domain, username, workstation,
218 nt_errstr(nt_status)));
219 }
220 talloc_free(mem_ctx);
221 }
222 if (error_string) {
223 *error_string = strdup(nt_errstr(nt_status));
224 }
225 return nt_status;
226
227
228 }
229
230 static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode,
231 struct loadparm_context *lp_ctx,
232 char *buf, int length, void **private1,
233 unsigned int mux_id, void **private2)
234 {
235 char *user, *pass;
236 user=buf;
237
238 pass = memchr(buf, ' ', length);
239 if (!pass) {
240 DEBUG(2, ("Password not found. Denying access\n"));
241 mux_printf(mux_id, "ERR\n");
242 return;
243 }
244 *pass='\0';
245 pass++;
246
247 if (stdio_helper_mode == SQUID_2_5_BASIC) {
248 rfc1738_unescape(user);
249 rfc1738_unescape(pass);
250 }
251
252 if (check_plaintext_auth(user, pass, false)) {
253 mux_printf(mux_id, "OK\n");
254 } else {
255 mux_printf(mux_id, "ERR\n");
256 }
257 }
258
259 /* This is a bit hairy, but the basic idea is to do a password callback
260 to the calling application. The callback comes from within gensec */
261
262 static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mode,
263 struct loadparm_context *lp_ctx,
264 char *buf, int length, void **private1,
265 unsigned int mux_id, void **password)
266 {
267 DATA_BLOB in;
268 if (strlen(buf) < 2) {
269 DEBUG(1, ("query [%s] invalid", buf));
270 mux_printf(mux_id, "BH Query invalid\n");
271 return;
272 }
273
274 if (strlen(buf) > 3) {
275 in = base64_decode_data_blob(buf + 3);
276 } else {
277 in = data_blob(NULL, 0);
278 }
279
280 if (strncmp(buf, "PW ", 3) == 0) {
281
282 *password = talloc_strndup(*private1 /* hopefully the right gensec context, useful to use for talloc */,
283 (const char *)in.data, in.length);
284
285 if (*password == NULL) {
286 DEBUG(1, ("Out of memory\n"));
287 mux_printf(mux_id, "BH Out of memory\n");
288 data_blob_free(&in);
289 return;
290 }
291
292 mux_printf(mux_id, "OK\n");
293 data_blob_free(&in);
294 return;
295 }
296 DEBUG(1, ("Asked for (and expected) a password\n"));
297 mux_printf(mux_id, "BH Expected a password\n");
298 data_blob_free(&in);
299 }
300
301 /**
302 * Callback for password credentials. This is not async, and when
303 * GENSEC and the credentials code is made async, it will look rather
304 * different.
305 */
306
307 static const char *get_password(struct cli_credentials *credentials)
308 {
309 char *password = NULL;
310 void *cb = cli_credentials_callback_data_void(credentials);
311
312 /* Ask for a password */
313 mux_printf((unsigned int)(uintptr_t)cb, "PW\n");
314 cli_credentials_set_callback_data(credentials, NULL);
315
316 manage_squid_request(cmdline_lp_ctx, NUM_HELPER_MODES /* bogus */, manage_gensec_get_pw_request, (void **)&password);
317 return password;
318 }
319
320 /**
321 Check if a string is part of a list.
322 **/
323 static bool in_list(const char *s, const char *list, bool casesensitive)
324 {
325 char *tok;
326 size_t tok_len = 1024;
327 const char *p=list;
328
329 if (!list)
330 return false;
331
332 tok = (char *)malloc(tok_len);
333 if (!tok) {
334 return false;
335 }
336
337 while (next_token(&p, tok, LIST_SEP, tok_len)) {
338 if ((casesensitive?strcmp:strcasecmp_m)(tok,s) == 0) {
339 free(tok);
340 return true;
341 }
342 }
343 free(tok);
344 return false;
345 }
346
347 static void gensec_want_feature_list(struct gensec_security *state, char* feature_list)
348 {
349 if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, true)) {
350 DEBUG(10, ("want GENSEC_FEATURE_SESSION_KEY\n"));
351 gensec_want_feature(state, GENSEC_FEATURE_SESSION_KEY);
352 }
353 if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, true)) {
354 DEBUG(10, ("want GENSEC_FEATURE_SIGN\n"));
355 gensec_want_feature(state, GENSEC_FEATURE_SIGN);
356 }
357 if (in_list("NTLMSSP_FEATURE_SEAL", feature_list, true)) {
358 DEBUG(10, ("want GENSEC_FEATURE_SEAL\n"));
359 gensec_want_feature(state, GENSEC_FEATURE_SEAL);
360 }
361 }
362
363 static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
364 struct loadparm_context *lp_ctx,
365 char *buf, int length, void **private1,
366 unsigned int mux_id, void **private2)
367 {
368 DATA_BLOB in;
369 DATA_BLOB out = data_blob(NULL, 0);
370 char *out_base64 = NULL;
371 const char *reply_arg = NULL;
372 struct gensec_ntlm_state {
373 struct gensec_security *gensec_state;
374 const char *set_password;
375 };
376 struct gensec_ntlm_state *state;
377 struct tevent_context *ev;
378 struct imessaging_context *msg;
379
380 NTSTATUS nt_status;
381 bool first = false;
382 const char *reply_code;
383 struct cli_credentials *creds;
384
385 static char *want_feature_list = NULL;
386 static DATA_BLOB session_key;
387
388 TALLOC_CTX *mem_ctx;
389
390 if (*private1) {
391 state = (struct gensec_ntlm_state *)*private1;
392 } else {
393 state = talloc_zero(NULL, struct gensec_ntlm_state);
394 if (!state) {
395 mux_printf(mux_id, "BH No Memory\n");
396 exit(1);
397 }
398 *private1 = state;
399 if (opt_password) {
400 state->set_password = opt_password;
401 }
402 }
403
404 if (strlen(buf) < 2) {
405 DEBUG(1, ("query [%s] invalid", buf));
406 mux_printf(mux_id, "BH Query invalid\n");
407 return;
408 }
409
410 if (strlen(buf) > 3) {
411 if(strncmp(buf, "SF ", 3) == 0) {
412 DEBUG(10, ("Setting flags to negotiate\n"));
413 talloc_free(want_feature_list);
414 want_feature_list = talloc_strndup(state, buf+3, strlen(buf)-3);
415 mux_printf(mux_id, "OK\n");
416 return;
417 }
418 in = base64_decode_data_blob(buf + 3);
419 } else {
420 in = data_blob(NULL, 0);
421 }
422
423 if (strncmp(buf, "YR", 2) == 0) {
424 if (state->gensec_state) {
425 talloc_free(state->gensec_state);
426 state->gensec_state = NULL;
427 }
428 } else if ( (strncmp(buf, "OK", 2) == 0)) {
429 /* Just return BH, like ntlm_auth from Samba 3 does. */
430 mux_printf(mux_id, "BH Command expected\n");
431 data_blob_free(&in);
432 return;
433 } else if ( (strncmp(buf, "TT ", 3) != 0) &&
434 (strncmp(buf, "KK ", 3) != 0) &&
435 (strncmp(buf, "AF ", 3) != 0) &&
436 (strncmp(buf, "NA ", 3) != 0) &&
437 (strncmp(buf, "UG", 2) != 0) &&
438 (strncmp(buf, "PW ", 3) != 0) &&
439 (strncmp(buf, "GK", 2) != 0) &&
440 (strncmp(buf, "GF", 2) != 0)) {
441 DEBUG(1, ("SPNEGO request [%s] invalid\n", buf));
442 mux_printf(mux_id, "BH SPNEGO request invalid\n");
443 data_blob_free(&in);
444 return;
445 }
446
447 ev = s4_event_context_init(state);
448 if (!ev) {
449 exit(1);
450 }
451
452 mem_ctx = talloc_named(NULL, 0, "manage_gensec_request internal mem_ctx");
453
454 /* setup gensec */
455 if (!(state->gensec_state)) {
456 switch (stdio_helper_mode) {
457 case GSS_SPNEGO_CLIENT:
458 case NTLMSSP_CLIENT_1:
459 /* setup the client side */
460
461 nt_status = gensec_client_start(NULL, &state->gensec_state,
462 lpcfg_gensec_settings(NULL, lp_ctx));
463 if (!NT_STATUS_IS_OK(nt_status)) {
464 talloc_free(mem_ctx);
465 exit(1);
466 }
467
468 break;
469 case GSS_SPNEGO_SERVER:
470 case SQUID_2_5_NTLMSSP:
471 {
472 const char *winbind_method[] = { "winbind", NULL };
473 struct auth4_context *auth_context;
474
475 msg = imessaging_client_init(state, lp_ctx, ev);
476 if (!msg) {
477 talloc_free(mem_ctx);
478 exit(1);
479 }
480 nt_status = auth_context_create_methods(mem_ctx,
481 winbind_method,
482 ev,
483 msg,
484 lp_ctx,
485 NULL,
486 &auth_context);
487
488 if (!NT_STATUS_IS_OK(nt_status)) {
489 talloc_free(mem_ctx);
490 exit(1);
491 }
492
493 if (!NT_STATUS_IS_OK(gensec_server_start(state,
494 lpcfg_gensec_settings(state, lp_ctx),
495 auth_context, &state->gensec_state))) {
496 talloc_free(mem_ctx);
497 exit(1);
498 }
499 break;
500 }
501 default:
502 talloc_free(mem_ctx);
503 abort();
504 }
505
506 creds = cli_credentials_init(state->gensec_state);
507 cli_credentials_set_conf(creds, lp_ctx);
508 if (opt_username) {
509 cli_credentials_set_username(creds, opt_username, CRED_SPECIFIED);
510 }
511 if (opt_domain) {
512 cli_credentials_set_domain(creds, opt_domain, CRED_SPECIFIED);
513 }
514 if (state->set_password) {
515 cli_credentials_set_password(creds, state->set_password, CRED_SPECIFIED);
516 } else {
517 void *cb = (void*)(uintptr_t)mux_id;
518 cli_credentials_set_callback_data(creds, cb);
519 cli_credentials_set_password_callback(creds, get_password);
520 }
521 if (opt_workstation) {
522 cli_credentials_set_workstation(creds, opt_workstation, CRED_SPECIFIED);
523 }
524
525 switch (stdio_helper_mode) {
526 case GSS_SPNEGO_SERVER:
527 case SQUID_2_5_NTLMSSP:
528 cli_credentials_set_machine_account(creds, lp_ctx);
529 break;
530 default:
531 break;
532 }
533
534 gensec_set_credentials(state->gensec_state, creds);
535 gensec_want_feature_list(state->gensec_state, want_feature_list);
536
537 switch (stdio_helper_mode) {
538 case GSS_SPNEGO_CLIENT:
539 case GSS_SPNEGO_SERVER:
540 nt_status = gensec_start_mech_by_oid(state->gensec_state, GENSEC_OID_SPNEGO);
541 if (!in.length) {
542 first = true;
543 }
544 break;
545 case NTLMSSP_CLIENT_1:
546 if (!in.length) {
547 first = true;
548 }
549 /* fall through */
550 case SQUID_2_5_NTLMSSP:
551 nt_status = gensec_start_mech_by_oid(state->gensec_state, GENSEC_OID_NTLMSSP);
552 break;
553 default:
554 talloc_free(mem_ctx);
555 abort();
556 }
557
558 if (!NT_STATUS_IS_OK(nt_status)) {
559 DEBUG(1, ("GENSEC mech failed to start: %s\n", nt_errstr(nt_status)));
560 mux_printf(mux_id, "BH GENSEC mech failed to start\n");
561 talloc_free(mem_ctx);
562 return;
563 }
564
565 }
566
567 /* update */
568
569 if (strncmp(buf, "PW ", 3) == 0) {
570 state->set_password = talloc_strndup(state,
571 (const char *)in.data,
572 in.length);
573
574 cli_credentials_set_password(gensec_get_credentials(state->gensec_state),
575 state->set_password,
576 CRED_SPECIFIED);
577 mux_printf(mux_id, "OK\n");
578 data_blob_free(&in);
579 talloc_free(mem_ctx);
580 return;
581 }
582
583 if (strncmp(buf, "UG", 2) == 0) {
584 int i;
585 char *grouplist = NULL;
586 struct auth_session_info *session_info;
587
588 nt_status = gensec_session_info(state->gensec_state, mem_ctx, &session_info);
589 if (!NT_STATUS_IS_OK(nt_status)) {
590 DEBUG(1, ("gensec_session_info failed: %s\n", nt_errstr(nt_status)));
591 mux_printf(mux_id, "BH %s\n", nt_errstr(nt_status));
592 data_blob_free(&in);
593 talloc_free(mem_ctx);
594 return;
595 }
596
597 /* get the string onto the context */
598 grouplist = talloc_strdup(mem_ctx, "");
599
600 for (i=0; i<session_info->security_token->num_sids; i++) {
601 struct security_token *token = session_info->security_token;
602 const char *sidstr = dom_sid_string(session_info,
603 &token->sids[i]);
604 grouplist = talloc_asprintf_append_buffer(grouplist, "%s,", sidstr);
605 }
606
607 mux_printf(mux_id, "GL %s\n", grouplist);
608 talloc_free(session_info);
609 data_blob_free(&in);
610 talloc_free(mem_ctx);
611 return;
612 }
613
614 if (strncmp(buf, "GK", 2) == 0) {
615 char *base64_key;
616 DEBUG(10, ("Requested session key\n"));
617 nt_status = gensec_session_key(state->gensec_state, mem_ctx, &session_key);
618 if(!NT_STATUS_IS_OK(nt_status)) {
619 DEBUG(1, ("gensec_session_key failed: %s\n", nt_errstr(nt_status)));
620 mux_printf(mux_id, "BH No session key\n");
621 talloc_free(mem_ctx);
622 return;
623 } else {
624 base64_key = base64_encode_data_blob(state, session_key);
625 SMB_ASSERT(base64_key != NULL);
626 mux_printf(mux_id, "GK %s\n", base64_key);
627 talloc_free(base64_key);
628 }
629 talloc_free(mem_ctx);
630 return;
631 }
632
633 if (strncmp(buf, "GF", 2) == 0) {
634 struct ntlmssp_state *ntlmssp_state;
635 uint32_t neg_flags;
636
637 ntlmssp_state = talloc_get_type(state->gensec_state->private_data,
638 struct ntlmssp_state);
639 neg_flags = ntlmssp_state->neg_flags;
640
641 DEBUG(10, ("Requested negotiated feature flags\n"));
642 mux_printf(mux_id, "GF 0x%08x\n", neg_flags);
643 return;
644 }
645
646 nt_status = gensec_update_ev(state->gensec_state, mem_ctx, ev, in, &out);
647
648 /* don't leak 'bad password'/'no such user' info to the network client */
649 nt_status = nt_status_squash(nt_status);
650
651 if (out.length) {
652 out_base64 = base64_encode_data_blob(mem_ctx, out);
653 SMB_ASSERT(out_base64 != NULL);
654 } else {
655 out_base64 = NULL;
656 }
657
658 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
659 reply_arg = "*";
660 if (first) {
661 reply_code = "YR";
662 } else if (state->gensec_state->gensec_role == GENSEC_CLIENT) {
663 reply_code = "KK";
664 } else if (state->gensec_state->gensec_role == GENSEC_SERVER) {
665 reply_code = "TT";
666 } else {
667 abort();
668 }
669
670
671 } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) {
672 reply_code = "BH NT_STATUS_ACCESS_DENIED";
673 reply_arg = nt_errstr(nt_status);
674 DEBUG(1, ("GENSEC login failed: %s\n", nt_errstr(nt_status)));
675 } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_UNSUCCESSFUL)) {
676 reply_code = "BH NT_STATUS_UNSUCCESSFUL";
677 reply_arg = nt_errstr(nt_status);
678 DEBUG(1, ("GENSEC login failed: %s\n", nt_errstr(nt_status)));
679 } else if (!NT_STATUS_IS_OK(nt_status)) {
680 reply_code = "NA";
681 reply_arg = nt_errstr(nt_status);
682 DEBUG(1, ("GENSEC login failed: %s\n", nt_errstr(nt_status)));
683 } else if /* OK */ (state->gensec_state->gensec_role == GENSEC_SERVER) {
684 struct auth_session_info *session_info;
685
686 nt_status = gensec_session_info(state->gensec_state, mem_ctx, &session_info);
687 if (!NT_STATUS_IS_OK(nt_status)) {
688 reply_code = "BH Failed to retrive session info";
689 reply_arg = nt_errstr(nt_status);
690 DEBUG(1, ("GENSEC failed to retrieve the session info: %s\n", nt_errstr(nt_status)));
691 } else {
692
693 reply_code = "AF";
694 reply_arg = talloc_asprintf(state->gensec_state,
695 "%s%s%s", session_info->info->domain_name,
696 lpcfg_winbind_separator(lp_ctx), session_info->info->account_name);
697 talloc_free(session_info);
698 }
699 } else if (state->gensec_state->gensec_role == GENSEC_CLIENT) {
700 reply_code = "AF";
701 reply_arg = out_base64;
702 } else {
703 abort();
704 }
705
706 switch (stdio_helper_mode) {
707 case GSS_SPNEGO_SERVER:
708 mux_printf(mux_id, "%s %s %s\n", reply_code,
709 out_base64 ? out_base64 : "*",
710 reply_arg ? reply_arg : "*");
711 break;
712 default:
713 if (out_base64) {
714 mux_printf(mux_id, "%s %s\n", reply_code, out_base64);
715 } else if (reply_arg) {
716 mux_printf(mux_id, "%s %s\n", reply_code, reply_arg);
717 } else {
718 mux_printf(mux_id, "%s\n", reply_code);
719 }
720 }
721
722 talloc_free(mem_ctx);
723 return;
724 }
725
726 static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mode,
727 struct loadparm_context *lp_ctx,
728 char *buf, int length, void **private1,
729 unsigned int mux_id, void **private2)
730 {
731 char *request, *parameter;
732 static DATA_BLOB challenge;
733 static DATA_BLOB lm_response;
734 static DATA_BLOB nt_response;
735 static char *full_username;
736 static char *username;
737 static char *domain;
738 static char *plaintext_password;
739 static bool ntlm_server_1_user_session_key;
740 static bool ntlm_server_1_lm_session_key;
741
742 if (strequal(buf, ".")) {
743 if (!full_username && !username) {
744 mux_printf(mux_id, "Error: No username supplied!\n");
745 } else if (plaintext_password) {
746 /* handle this request as plaintext */
747 if (!full_username) {
748 if (asprintf(&full_username, "%s%c%s", domain, *lpcfg_winbind_separator(lp_ctx), username) < 0) {
749 mux_printf(mux_id, "Error: Out of memory in asprintf!\n.\n");
750 return;
751 }
752 }
753 if (check_plaintext_auth(full_username, plaintext_password, false)) {
754 mux_printf(mux_id, "Authenticated: Yes\n");
755 } else {
756 mux_printf(mux_id, "Authenticated: No\n");
757 }
758 } else if (!lm_response.data && !nt_response.data) {
759 mux_printf(mux_id, "Error: No password supplied!\n");
760 } else if (!challenge.data) {
761 mux_printf(mux_id, "Error: No lanman-challenge supplied!\n");
762 } else {
763 char *error_string = NULL;
764 DATA_BLOB lm_key;
765 DATA_BLOB user_session_key;
766 uint32_t flags = 0;
767
768 if (full_username && !username) {
769 SAFE_FREE(username);
770 SAFE_FREE(domain);
771 if (!parse_ntlm_auth_domain_user(full_username, &username,
772 &domain,
773 *lpcfg_winbind_separator(lp_ctx))) {
774 /* username might be 'tainted', don't print into our new-line deleimianted stream */
775 mux_printf(mux_id, "Error: Could not parse into domain and username\n");
776 }
777 }
778
779 if (!domain) {
780 domain = smb_xstrdup(lpcfg_workgroup(lp_ctx));
781 }
782
783 if (ntlm_server_1_lm_session_key)
784 flags |= NTLM_AUTH_FLAG_LMKEY;
785
786 if (ntlm_server_1_user_session_key)
787 flags |= NTLM_AUTH_FLAG_USER_SESSION_KEY;
788
789 if (!NT_STATUS_IS_OK(
790 local_pw_check_specified(lp_ctx,
791 username,
792 domain,
793 lpcfg_netbios_name(lp_ctx),
794 &challenge,
795 &lm_response,
796 &nt_response,
797 flags,
798 &lm_key,
799 &user_session_key,
800 &error_string,
801 NULL))) {
802
803 mux_printf(mux_id, "Authenticated: No\n");
804 mux_printf(mux_id, "Authentication-Error: %s\n.\n", error_string);
805 SAFE_FREE(error_string);
806 } else {
807 static char zeros[16];
808
809 mux_printf(mux_id, "Authenticated: Yes\n");
810
811 if (ntlm_server_1_lm_session_key
812 && lm_key.length
813 && (memcmp(zeros, lm_key.data,
814 lm_key.length) != 0)) {
815 char hex_lm_key[lm_key.length*2+1];
816 hex_encode_buf(hex_lm_key, lm_key.data,
817 lm_key.length);
818 mux_printf(mux_id, "LANMAN-Session-Key: %s\n", hex_lm_key);
819 }
820
821 if (ntlm_server_1_user_session_key
822 && user_session_key.length
823 && (memcmp(zeros, user_session_key.data,
824 user_session_key.length) != 0)) {
825 char hex_user_session_key[
826 user_session_key.length*2+1];
827 hex_encode_buf(hex_user_session_key,
828 user_session_key.data,
829 user_session_key.length);
830 mux_printf(mux_id, "User-Session-Key: %s\n", hex_user_session_key);
831 }
832 }
833 }
834 /* clear out the state */
835 challenge = data_blob(NULL, 0);
836 nt_response = data_blob(NULL, 0);
837 lm_response = data_blob(NULL, 0);
838 SAFE_FREE(full_username);
839 SAFE_FREE(username);
840 SAFE_FREE(domain);
841 SAFE_FREE(plaintext_password);
842 ntlm_server_1_user_session_key = false;
843 ntlm_server_1_lm_session_key = false;
844 mux_printf(mux_id, ".\n");
845
846 return;
847 }
848
849 request = buf;
850
851 /* Indicates a base64 encoded structure */
852 parameter = strstr(request, ":: ");
853 if (!parameter) {
854 parameter = strstr(request, ": ");
855
856 if (!parameter) {
857 DEBUG(0, ("Parameter not found!\n"));
858 mux_printf(mux_id, "Error: Parameter not found!\n.\n");
859 return;
860 }
861
862 parameter[0] ='\0';
863 parameter++;
864 parameter[0] ='\0';
865 parameter++;
866
867 } else {
868 parameter[0] ='\0';
869 parameter++;
870 parameter[0] ='\0';
871 parameter++;
872 parameter[0] ='\0';
873 parameter++;
874
875 base64_decode_inplace(parameter);
876 }
877
878 if (strequal(request, "LANMAN-Challenge")) {
879 challenge = strhex_to_data_blob(NULL, parameter);
880 if (challenge.length != 8) {
881 mux_printf(mux_id, "Error: hex decode of %s failed! (got %d bytes, expected 8)\n.\n",
882 parameter,
883 (int)challenge.length);
884 challenge = data_blob(NULL, 0);
885 }
886 } else if (strequal(request, "NT-Response")) {
887 nt_response = strhex_to_data_blob(NULL, parameter);
888 if (nt_response.length < 24) {
889 mux_printf(mux_id, "Error: hex decode of %s failed! (only got %d bytes, needed at least 24)\n.\n",
890 parameter,
891 (int)nt_response.length);
892 nt_response = data_blob(NULL, 0);
893 }
894 } else if (strequal(request, "LANMAN-Response")) {
895 lm_response = strhex_to_data_blob(NULL, parameter);
896 if (lm_response.length != 24) {
897 mux_printf(mux_id, "Error: hex decode of %s failed! (got %d bytes, expected 24)\n.\n",
898 parameter,
899 (int)lm_response.length);
900 lm_response = data_blob(NULL, 0);
901 }
902 } else if (strequal(request, "Password")) {
903 plaintext_password = smb_xstrdup(parameter);
904 } else if (strequal(request, "NT-Domain")) {
905 domain = smb_xstrdup(parameter);
906 } else if (strequal(request, "Username")) {
907 username = smb_xstrdup(parameter);
908 } else if (strequal(request, "Full-Username")) {
909 full_username = smb_xstrdup(parameter);
910 } else if (strequal(request, "Request-User-Session-Key")) {
911 ntlm_server_1_user_session_key = strequal(parameter, "Yes");
912 } else if (strequal(request, "Request-LanMan-Session-Key")) {
913 ntlm_server_1_lm_session_key = strequal(parameter, "Yes");
914 } else {
915 mux_printf(mux_id, "Error: Unknown request %s\n.\n", request);
916 }
917 }
918
919 static void manage_squid_request(struct loadparm_context *lp_ctx, enum stdio_helper_mode helper_mode,
920 stdio_helper_function fn, void **private2)
921 {
922 char *buf;
923 char tmp[INITIAL_BUFFER_SIZE+1];
924 unsigned int mux_id = 0;
925 int length, buf_size = 0;
926 char *c;
927 struct mux_private {
928 unsigned int max_mux;
929 void **private_pointers;
930 };
931
932 static struct mux_private *mux_private;
933 static void *normal_private;
934 void **private1;
935
936 buf = talloc_strdup(NULL, "");
937
938 if (buf == NULL) {
939 DEBUG(0, ("Failed to allocate memory for reading the input "
940 "buffer.\n"));
941 x_fprintf(x_stdout, "ERR\n");
942 return;
943 }
944
945 do {
946 /* this is not a typo - x_fgets doesn't work too well under
947 * squid */
948 if (fgets(tmp, INITIAL_BUFFER_SIZE, stdin) == NULL) {
949 if (ferror(stdin)) {
950 DEBUG(1, ("fgets() failed! dying..... errno=%d "
951 "(%s)\n", ferror(stdin),
952 strerror(ferror(stdin))));
953
954 exit(1); /* BIIG buffer */
955 }
956 exit(0);
957 }
958
959 buf = talloc_strdup_append_buffer(buf, tmp);
960 buf_size += INITIAL_BUFFER_SIZE;
961
962 if (buf_size > MAX_BUFFER_SIZE) {
963 DEBUG(0, ("Invalid Request (too large)\n"));
964 x_fprintf(x_stdout, "ERR\n");
965 talloc_free(buf);
966 return;
967 }
968
969 c = strchr(buf, '\n');
970 } while (c == NULL);
971
972 *c = '\0';
973 length = c-buf;
974
975 DEBUG(10, ("Got '%s' from squid (length: %d).\n",buf,length));
976
977 if (buf[0] == '\0') {
978 DEBUG(0, ("Invalid Request (empty)\n"));
979 x_fprintf(x_stdout, "ERR\n");
980 talloc_free(buf);
981 return;
982 }
983
984 if (opt_multiplex) {
985 if (sscanf(buf, "%u ", &mux_id) != 1) {
986 DEBUG(0, ("Invalid Request - no multiplex id\n"));
987 x_fprintf(x_stdout, "ERR\n");
988 talloc_free(buf);
989 return;
990 }
991 if (!mux_private) {
992 mux_private = talloc(NULL, struct mux_private);
993 mux_private->max_mux = 0;
994 mux_private->private_pointers = NULL;
995 }
996
997 c=strchr(buf,' ');
998 if (!c) {
999 DEBUG(0, ("Invalid Request - no data after multiplex id\n"));
1000 x_fprintf(x_stdout, "ERR\n");
1001 talloc_free(buf);
1002 return;
1003 }
1004 c++;
1005 if (mux_id >= mux_private->max_mux) {
1006 unsigned int prev_max = mux_private->max_mux;
1007 mux_private->max_mux = mux_id + 1;
1008 mux_private->private_pointers
1009 = talloc_realloc(mux_private,
1010 mux_private->private_pointers,
1011 void *, mux_private->max_mux);
1012 memset(&mux_private->private_pointers[prev_max], '\0',
1013 (sizeof(*mux_private->private_pointers) * (mux_private->max_mux - prev_max)));
1014 };
1015
1016 private1 = &mux_private->private_pointers[mux_id];
1017 } else {
1018 c = buf;
1019 private1 = &normal_private;
1020 }
1021
1022 fn(helper_mode, lp_ctx, c, length, private1, mux_id, private2);
1023 talloc_free(buf);
1024 }
1025
1026 static void squid_stream(struct loadparm_context *lp_ctx,
1027 enum stdio_helper_mode stdio_mode,
1028 stdio_helper_function fn) {
1029 /* initialize FDescs */
1030 x_setbuf(x_stdout, NULL);
1031 x_setbuf(x_stderr, NULL);
1032 while(1) {
1033 manage_squid_request(lp_ctx, stdio_mode, fn, NULL);
1034 }
1035 }
1036
1037
1038 /* Main program */
1039
1040 enum {
1041 OPT_USERNAME = 1000,
1042 OPT_DOMAIN,
1043 OPT_WORKSTATION,
1044 OPT_CHALLENGE,
1045 OPT_RESPONSE,
1046 OPT_LM,
1047 OPT_NT,
1048 OPT_PASSWORD,
1049 OPT_LM_KEY,
1050 OPT_USER_SESSION_KEY,
1051 OPT_DIAGNOSTICS,
1052 OPT_REQUIRE_MEMBERSHIP,
1053 OPT_MULTIPLEX,
1054 OPT_USE_CACHED_CREDS,
1055 OPT_ALLOW_MSCHAPV2,
1056 };
1057
1058 int main(int argc, const char **argv)
1059 {
1060 static const char *helper_protocol;
1061 int opt;
1062
1063 poptContext pc;
1064
1065 /* NOTE: DO NOT change this interface without considering the implications!
1066 This is an external interface, which other programs will use to interact
1067 with this helper.
1068 */
1069
1070 /* We do not use single-letter command abbreviations, because they harm future
1071 interface stability. */
1072
1073 struct poptOption long_options[] = {
1074 POPT_AUTOHELP
1075 { "helper-protocol", 0, POPT_ARG_STRING, &helper_protocol, OPT_DOMAIN, "operate as a stdio-based helper", "helper protocol to use"},
1076 { "domain", 0, POPT_ARG_STRING, &opt_domain, OPT_DOMAIN, "domain name"},
1077 { "workstation", 0, POPT_ARG_STRING, &opt_workstation, OPT_WORKSTATION, "workstation"},
1078 { "username", 0, POPT_ARG_STRING, &opt_username, OPT_PASSWORD, "Username"},
1079 { "password", 0, POPT_ARG_STRING, &opt_password, OPT_PASSWORD, "User's plaintext password"},
1080 { "multiplex", 0, POPT_ARG_NONE, &opt_multiplex, OPT_MULTIPLEX, "Multiplex Mode"},
1081 { "use-cached-creds", 0, POPT_ARG_NONE, &use_cached_creds, OPT_USE_CACHED_CREDS, "silently ignored for compatibility reasons"},
1082 { "allow-mschapv2", 0, POPT_ARG_NONE, &opt_allow_mschapv2, OPT_ALLOW_MSCHAPV2, "Explicitly allow MSCHAPv2" },
1083 POPT_COMMON_SAMBA
1084 POPT_COMMON_VERSION
1085 { NULL }
1086 };
1087
1088 /* Samba client initialisation */
1089
1090 setup_logging(NULL, DEBUG_STDERR);
1091
1092 /* Parse options */
1093
1094 pc = poptGetContext("ntlm_auth", argc, argv, long_options, 0);
1095
1096 /* Parse command line options */
1097
1098 if (argc == 1) {
1099 poptPrintHelp(pc, stderr, 0);
1100 return 1;
1101 }
1102
1103 pc = poptGetContext(NULL, argc, (const char **)argv, long_options,
1104 POPT_CONTEXT_KEEP_FIRST);
1105
1106 while((opt = poptGetNextOpt(pc)) != -1) {
1107 if (opt < -1) {
1108 break;
1109 }
1110 }
1111 if (opt < -1) {
1112 fprintf(stderr, "%s: %s\n",
1113 poptBadOption(pc, POPT_BADOPTION_NOALIAS),
1114 poptStrerror(opt));
1115 return 1;
1116 }
1117
1118 gensec_init();
1119
1120 if (opt_domain == NULL) {
1121 opt_domain = lpcfg_workgroup(cmdline_lp_ctx);
1122 }
1123
1124 if (helper_protocol) {
1125 int i;
1126 for (i=0; i<NUM_HELPER_MODES; i++) {
1127 if (strcmp(helper_protocol, stdio_helper_protocols[i].name) == 0) {
1128 squid_stream(cmdline_lp_ctx, stdio_helper_protocols[i].mode, stdio_helper_protocols[i].fn);
1129 exit(0);
1130 }
1131 }
1132 x_fprintf(x_stderr, "unknown helper protocol [%s]\n\nValid helper protools:\n\n", helper_protocol);
1133
1134 for (i=0; i<NUM_HELPER_MODES; i++) {
1135 x_fprintf(x_stderr, "%s\n", stdio_helper_protocols[i].name);
1136 }
1137
1138 exit(1);
1139 }
1140
1141 if (!opt_username) {
1142 x_fprintf(x_stderr, "username must be specified!\n\n");
1143 poptPrintHelp(pc, stderr, 0);
1144 exit(1);
1145 }
1146
1147 if (opt_workstation == NULL) {
1148 opt_workstation = lpcfg_netbios_name(cmdline_lp_ctx);
1149 }
1150
1151 if (!opt_password) {
1152 char pwd[256] = {0};
1153 int rc;
1154
1155 rc = samba_getpass("Password: ", pwd, sizeof(pwd), false, false);
1156 if (rc == 0) {
1157 opt_password = smb_xstrdup(pwd);
1158 }
1159 }
1160
1161 {
1162 char *user;
1163
1164 if (asprintf(&user, "%s%c%s", opt_domain,
1165 *lpcfg_winbind_separator(cmdline_lp_ctx),
1166 opt_username) < 0) {
1167 return 1;
1168 }
1169 if (!check_plaintext_auth(user, opt_password, true)) {
1170 return 1;
1171 }
1172 }
1173
1174 /* Exit code */
1175
1176 poptFreeContext(pc);
1177 return 0;
1178 }
Samba GIT mirror