2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Stefan Metzmacher 2005
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 #include "auth/auth.h"
27 #include "libcli/security/security.h"
28 #include "libcli/auth/libcli_auth.h"
29 #include "dsdb/samdb/samdb.h"
30 #include "auth/credentials/credentials.h"
31 #include "auth/credentials/credentials_krb5.h"
/*
 * Default "get challenge" handler for backends that do not want to set
 * a challenge of their own.
 *
 * ctx        the auth method context (not used)
 * mem_ctx    talloc context a challenge would be allocated on (not used)
 * challenge  where a challenge would be returned; left untouched
 * returns NT_STATUS_NOT_IMPLEMENTED, always
 */
NTSTATUS auth_get_challenge_not_implemented(struct auth_method_context *ctx,
					    TALLOC_CTX *mem_ctx,
					    DATA_BLOB *challenge)
{
	/* we don't want to set a challenge, so *challenge is not written */
	return NT_STATUS_NOT_IMPLEMENTED;
}
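/****************************************************************************
 Create an auth_usersupplied_info structure after appropriate mapping.

 Fills in the 'mapped' names from the 'client' names: the account name is
 copied, and the domain is taken (in this order) from the client-supplied
 domain, from the realm part of a "user@realm" account name, or from the
 configured workgroup.

 mem_ctx           talloc parent of *user_info_mapped
 user_info         the unmapped info; referenced from the new structure
 user_info_mapped  receives the new, mapped copy; set to NULL on failure
 returns NT_STATUS_OK or NT_STATUS_NO_MEMORY

 NOTE(review): this listing was recovered from a garbled extraction; the
 missing control-flow lines (braces, the user@realm split, the final return)
 were restored and should be checked against the upstream file.
****************************************************************************/
NTSTATUS map_user_info(TALLOC_CTX *mem_ctx,
		       const struct auth_usersupplied_info *user_info,
		       struct auth_usersupplied_info **user_info_mapped)
{
	struct auth_usersupplied_info *mapped;
	char *account_name;
	const char *domain;
	char *at;

	*user_info_mapped = NULL;

	DEBUG(5,("map_user_info: Mapping user [%s]\\[%s] from workstation [%s]\n",
		 user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));

	/* work on a private copy: the user@realm split below writes into it */
	account_name = talloc_strdup(mem_ctx, user_info->client.account_name);
	if (!account_name) {
		return NT_STATUS_NO_MEMORY;
	}

	/* don't allow "" as a domain, fixes a Win9X bug
	   where it doesn't supply a domain for logon script
	   'net use' commands. */

	/* Split user@realm names into user and realm components.  This is TODO
	   to fix with proper userprincipalname support */
	if (user_info->client.domain_name && *user_info->client.domain_name) {
		domain = user_info->client.domain_name;
	} else if ((at = strchr_m(account_name, '@')) != NULL) {
		/* one search on the copy; the original searched the client
		   string and then the copy again for the same '@' */
		*at = '\0';
		domain = at + 1;
	} else {
		domain = lp_workgroup();
	}

	mapped = talloc(mem_ctx, struct auth_usersupplied_info);
	if (!mapped) {
		talloc_free(account_name);
		return NT_STATUS_NO_MEMORY;
	}
	/* keep the original alive for as long as the mapped copy is */
	if (!talloc_reference(mapped, user_info)) {
		talloc_free(mapped);
		talloc_free(account_name);
		return NT_STATUS_NO_MEMORY;
	}
	*mapped = *user_info;
	mapped->mapped_state = True;
	/* domain may point into account_name, so copy it before freeing that */
	mapped->mapped.domain_name = talloc_strdup(mapped, domain);
	mapped->mapped.account_name = talloc_strdup(mapped, account_name);
	talloc_free(account_name);
	if (!mapped->mapped.domain_name || !mapped->mapped.account_name) {
		/* do not hand back a half-built structure */
		talloc_free(mapped);
		return NT_STATUS_NO_MEMORY;
	}

	*user_info_mapped = mapped;
	return NT_STATUS_OK;
}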
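/****************************************************************************
 Convert an auth_usersupplied_info to the password representation named by
 to_state, producing a new structure rather than modifying the input.

 Conversions handled by the switch below:
   plaintext -> hash      LM hash (when one can be made) and NT hash
   plaintext -> response  via the hash conversion, then as the next line
   hash      -> response  NTLMv2 responses when "client ntlmv2 auth" is set,
                          otherwise NTLM (plus LM when "client lanman auth"
                          is set and an LM hash exists)
   same state             the input is passed through unchanged

 mem_ctx              talloc parent for the new structure and its blobs
 auth_context         supplies the server challenge via auth_get_challenge()
 to_state             the wanted password_state
 user_info_in         the source; referenced from any new structure
 user_info_encrypted  receives the result (may be user_info_in itself)
 returns NT_STATUS_OK; NT_STATUS_INVALID_PARAMETER for an unsupported
         conversion; NT_STATUS_NO_MEMORY; or the auth_get_challenge() error

 NOTE(review): recovered from a garbled extraction; the switch/brace
 skeleton, the AUTH_PASSWORD_HASH argument of the recursive call and the
 &names_blob argument of SMBNTLMv2encrypt_hash() were restored and should
 be checked against the upstream file.
****************************************************************************/
NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth_context *auth_context,
			   enum auth_password_state to_state,
			   const struct auth_usersupplied_info *user_info_in,
			   const struct auth_usersupplied_info **user_info_encrypted)
{
	NTSTATUS nt_status;
	struct auth_usersupplied_info *user_info_temp;

	switch (to_state) {
	case AUTH_PASSWORD_RESPONSE:
		switch (user_info_in->password_state) {
		case AUTH_PASSWORD_PLAIN:
		{
			const struct auth_usersupplied_info *user_info_temp2;
			/* hash the plaintext first, then fall through to
			   build the responses from the hashes */
			nt_status = encrypt_user_info(mem_ctx, auth_context,
						      AUTH_PASSWORD_HASH,
						      user_info_in, &user_info_temp2);
			if (!NT_STATUS_IS_OK(nt_status)) {
				return nt_status;
			}
			user_info_in = user_info_temp2;
		}
		/* fall through */
		case AUTH_PASSWORD_HASH:
		{
			const uint8_t *challenge;
			DATA_BLOB chall_blob;
			user_info_temp = talloc(mem_ctx, struct auth_usersupplied_info);
			if (!user_info_temp) {
				return NT_STATUS_NO_MEMORY;
			}
			if (!talloc_reference(user_info_temp, user_info_in)) {
				talloc_free(user_info_temp);
				return NT_STATUS_NO_MEMORY;
			}
			*user_info_temp = *user_info_in;
			user_info_temp->mapped_state = to_state;

			nt_status = auth_get_challenge(auth_context, &challenge);
			if (!NT_STATUS_IS_OK(nt_status)) {
				talloc_free(user_info_temp);
				return nt_status;
			}

			/* the NTLM server challenge is 8 bytes */
			chall_blob = data_blob_talloc(mem_ctx, challenge, 8);
			if (!chall_blob.data) {
				talloc_free(user_info_temp);
				return NT_STATUS_NO_MEMORY;
			}
			if (lp_client_ntlmv2_auth()) {
				DATA_BLOB names_blob = NTLMv2_generate_names_blob(mem_ctx, lp_netbios_name(), lp_workgroup());
				DATA_BLOB lmv2_response, ntlmv2_response, lmv2_session_key, ntlmv2_session_key;

				if (!SMBNTLMv2encrypt_hash(user_info_temp,
							   user_info_in->client.account_name,
							   user_info_in->client.domain_name,
							   user_info_in->password.hash.nt->hash, &chall_blob,
							   &names_blob,
							   &lmv2_response, &ntlmv2_response,
							   &lmv2_session_key, &ntlmv2_session_key)) {
					data_blob_free(&names_blob);
					talloc_free(user_info_temp);
					return NT_STATUS_NO_MEMORY;
				}
				data_blob_free(&names_blob);
				user_info_temp->password.response.lanman = lmv2_response;
				user_info_temp->password.response.nt = ntlmv2_response;

				/* only the responses are carried; discard the session keys */
				data_blob_free(&lmv2_session_key);
				data_blob_free(&ntlmv2_session_key);
			} else {
				/* LM and NT responses are 24 bytes each */
				DATA_BLOB blob = data_blob_talloc(mem_ctx, NULL, 24);
				if (!blob.data) {
					talloc_free(user_info_temp);
					return NT_STATUS_NO_MEMORY;
				}
				SMBOWFencrypt(user_info_in->password.hash.nt->hash, challenge, blob.data);

				user_info_temp->password.response.nt = blob;
				if (lp_client_lanman_auth() && user_info_in->password.hash.lanman) {
					DATA_BLOB lm_blob = data_blob_talloc(mem_ctx, NULL, 24);
					if (!lm_blob.data) {
						talloc_free(user_info_temp);
						return NT_STATUS_NO_MEMORY;
					}
					/* the LM response goes into its own buffer;
					   writing it into blob.data would overwrite the
					   NT response just computed and leave lm_blob
					   holding uninitialised memory */
					SMBOWFencrypt(user_info_in->password.hash.lanman->hash, challenge, lm_blob.data);
					user_info_temp->password.response.lanman = lm_blob;
				} else {
					/* if not sending the LM password, send the NT password twice */
					user_info_temp->password.response.lanman = user_info_temp->password.response.nt;
				}
			}

			user_info_in = user_info_temp;
		}
		/* fall through */
		case AUTH_PASSWORD_RESPONSE:
			*user_info_encrypted = user_info_in;
			break;
		default:
			/* an unknown source state must not fall out with
			   *user_info_encrypted unset */
			return NT_STATUS_INVALID_PARAMETER;
		}
		break;
	case AUTH_PASSWORD_HASH:
		switch (user_info_in->password_state) {
		case AUTH_PASSWORD_PLAIN:
		{
			struct samr_Password lanman;
			struct samr_Password nt;

			user_info_temp = talloc(mem_ctx, struct auth_usersupplied_info);
			if (!user_info_temp) {
				return NT_STATUS_NO_MEMORY;
			}
			if (!talloc_reference(user_info_temp, user_info_in)) {
				talloc_free(user_info_temp);
				return NT_STATUS_NO_MEMORY;
			}
			*user_info_temp = *user_info_in;
			user_info_temp->mapped_state = to_state;

			/* when E_deshash() cannot make an LM hash of this
			   password, none is carried */
			if (E_deshash(user_info_in->password.plaintext, lanman.hash)) {
				user_info_temp->password.hash.lanman = talloc(user_info_temp,
									      struct samr_Password);
				if (!user_info_temp->password.hash.lanman) {
					talloc_free(user_info_temp);
					return NT_STATUS_NO_MEMORY;
				}
				*user_info_temp->password.hash.lanman = lanman;
			} else {
				user_info_temp->password.hash.lanman = NULL;
			}

			E_md4hash(user_info_in->password.plaintext, nt.hash);
			user_info_temp->password.hash.nt = talloc(user_info_temp,
								   struct samr_Password);
			if (!user_info_temp->password.hash.nt) {
				talloc_free(user_info_temp);
				return NT_STATUS_NO_MEMORY;
			}
			*user_info_temp->password.hash.nt = nt;

			user_info_in = user_info_temp;
		}
		/* fall through */
		case AUTH_PASSWORD_HASH:
			*user_info_encrypted = user_info_in;
			break;
		default:
			return NT_STATUS_INVALID_PARAMETER;
		}
		break;
	default:
		return NT_STATUS_INVALID_PARAMETER;
	}

	return NT_STATUS_OK;
}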
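/***************************************************************************
 Make a server_info struct from the info3 returned by a domain logon

 Accepts validation levels 2, 3 and 6 (sam2/sam3/sam6 in the union) and
 copies the common netr_SamBaseInfo into a fresh auth_serversupplied_info.
 For level 3 the extra 'other' SIDs are appended to the domain group list.

 mem_ctx           talloc parent of the new server_info
 account_name      used when the validation carries no account name
 validation_level  2, 3 or 6; anything else gives NT_STATUS_INVALID_LEVEL
 validation        the union returned by the DC; the member selected by
                   validation_level must be non-NULL
 _server_info      receives the new structure
 returns NT_STATUS_OK, NT_STATUS_INVALID_PARAMETER, NT_STATUS_INVALID_LEVEL
         or NT_STATUS_NO_MEMORY

 NOTE(review): recovered from a garbled extraction; the case labels, braces
 and final return were restored and should be checked against the upstream
 file.
***************************************************************************/
NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx,
					      const char *account_name,
					      uint16_t validation_level,
					      union netr_Validation *validation,
					      struct auth_serversupplied_info **_server_info)
{
	struct auth_serversupplied_info *server_info;
	struct netr_SamBaseInfo *base = NULL;
	uint32_t i;

	switch (validation_level) {
	case 2:
		if (!validation || !validation->sam2) {
			return NT_STATUS_INVALID_PARAMETER;
		}
		base = &validation->sam2->base;
		break;
	case 3:
		if (!validation || !validation->sam3) {
			return NT_STATUS_INVALID_PARAMETER;
		}
		base = &validation->sam3->base;
		break;
	case 6:
		if (!validation || !validation->sam6) {
			return NT_STATUS_INVALID_PARAMETER;
		}
		base = &validation->sam6->base;
		break;
	default:
		return NT_STATUS_INVALID_LEVEL;
	}

	server_info = talloc(mem_ctx, struct auth_serversupplied_info);
	NT_STATUS_HAVE_NO_MEMORY(server_info);

	/*
	   Here is where we should check the list of
	   trusted domains, and verify that the SID
	   the DC reports is one it is allowed to issue.
	*/
	server_info->account_sid = dom_sid_add_rid(server_info, base->domain_sid, base->rid);
	NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);

	server_info->primary_group_sid = dom_sid_add_rid(server_info, base->domain_sid, base->primary_gid);
	NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);

	server_info->n_domain_groups = base->groups.count;
	if (base->groups.count) {
		server_info->domain_groups = talloc_array(server_info, struct dom_sid *, base->groups.count);
		NT_STATUS_HAVE_NO_MEMORY(server_info->domain_groups);
	} else {
		server_info->domain_groups = NULL;
	}

	/* the group RIDs are relative to the account's own domain SID */
	for (i = 0; i < base->groups.count; i++) {
		server_info->domain_groups[i] = dom_sid_add_rid(server_info, base->domain_sid, base->groups.rids[i].rid);
		NT_STATUS_HAVE_NO_MEMORY(server_info->domain_groups[i]);
	}

	/* Copy 'other' sids.  We need to do sid filtering here to
	   prevent possible elevation of privileges.  See:

	   http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp

	   Until that is done, every SID the DC lists here is placed in
	   the group list unchecked. */

	if (validation_level == 3) {
		struct dom_sid **dgrps = server_info->domain_groups;
		size_t sidcount = server_info->n_domain_groups + validation->sam3->sidcount;
		size_t n_dgrps = server_info->n_domain_groups;

		if (validation->sam3->sidcount > 0) {
			dgrps = talloc_realloc(server_info, dgrps, struct dom_sid *, sidcount);
			NT_STATUS_HAVE_NO_MEMORY(dgrps);

			for (i = 0; i < validation->sam3->sidcount; i++) {
				dgrps[n_dgrps + i] = talloc_reference(dgrps, validation->sam3->sids[i].sid);
				/* previously unchecked: NULL here means either an
				   allocation failure or a missing SID in the
				   validation, and would leave a NULL entry in the
				   group list */
				NT_STATUS_HAVE_NO_MEMORY(dgrps[n_dgrps + i]);
			}
		}

		server_info->n_domain_groups = sidcount;
		server_info->domain_groups = dgrps;

		/* Where are the 'global' sids?... */
	}

	/* NOTE(review): a level-6 validation may carry extra SIDs as well;
	   they are not copied here - confirm against the netr_SamInfo6
	   definition */

	if (base->account_name.string) {
		server_info->account_name = talloc_reference(server_info, base->account_name.string);
	} else {
		server_info->account_name = talloc_strdup(server_info, account_name);
		NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
	}

	server_info->domain_name = talloc_reference(server_info, base->domain.string);
	server_info->full_name = talloc_reference(server_info, base->full_name.string);
	server_info->logon_script = talloc_reference(server_info, base->logon_script.string);
	server_info->profile_path = talloc_reference(server_info, base->profile_path.string);
	server_info->home_directory = talloc_reference(server_info, base->home_directory.string);
	server_info->home_drive = talloc_reference(server_info, base->home_drive.string);
	server_info->logon_server = talloc_reference(server_info, base->logon_server.string);
	server_info->last_logon = base->last_logon;
	server_info->last_logoff = base->last_logoff;
	server_info->acct_expiry = base->acct_expiry;
	server_info->last_password_change = base->last_password_change;
	server_info->allow_password_change = base->allow_password_change;
	server_info->force_password_change = base->force_password_change;
	server_info->logon_count = base->logon_count;
	server_info->bad_password_count = base->bad_password_count;
	server_info->acct_flags = base->acct_flags;

	server_info->authenticated = True;

	/* ensure we are never given NULL session keys: an all-zero key
	   from the DC becomes an empty blob rather than a zero key */

	if (all_zero(base->key.key, sizeof(base->key.key))) {
		server_info->user_session_key = data_blob(NULL, 0);
	} else {
		server_info->user_session_key = data_blob_talloc(server_info, base->key.key, sizeof(base->key.key));
		NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
	}

	if (all_zero(base->LMSessKey.key, sizeof(base->LMSessKey.key))) {
		server_info->lm_session_key = data_blob(NULL, 0);
	} else {
		server_info->lm_session_key = data_blob_talloc(server_info, base->LMSessKey.key, sizeof(base->LMSessKey.key));
		NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
	}

	*_server_info = server_info;
	return NT_STATUS_OK;
}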
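/*
 * Build a server_info for one of the well-known local accounts
 * (ANONYMOUS LOGON, SYSTEM).  auth_anonymous_server_info() and
 * auth_system_server_info() were two near-identical copies of this
 * body; they now differ only in the values passed here.
 *
 * mem_ctx          talloc parent of the new server_info
 * account_sid_str  string form of the account SID
 * group_sid_str    string form of the primary group SID
 * account_name     value for server_info->account_name
 * full_name        value for server_info->full_name
 * authenticated    value for server_info->authenticated
 * _server_info     receives the new structure
 * returns NT_STATUS_OK or NT_STATUS_NO_MEMORY
 */
static NTSTATUS auth_wellknown_server_info(TALLOC_CTX *mem_ctx,
					   const char *account_sid_str,
					   const char *group_sid_str,
					   const char *account_name,
					   const char *full_name,
					   BOOL authenticated,
					   struct auth_serversupplied_info **_server_info)
{
	struct auth_serversupplied_info *server_info;
	server_info = talloc(mem_ctx, struct auth_serversupplied_info);
	NT_STATUS_HAVE_NO_MEMORY(server_info);

	server_info->account_sid = dom_sid_parse_talloc(server_info, account_sid_str);
	NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);

	/* is this correct? */
	server_info->primary_group_sid = dom_sid_parse_talloc(server_info, group_sid_str);
	NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);

	server_info->n_domain_groups = 0;
	server_info->domain_groups = NULL;

	/* annoying, but these accounts really do have a session key,
	   and it is all zeros! (16 bytes, cleared below) */
	server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
	NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);

	server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
	NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);

	data_blob_clear(&server_info->user_session_key);
	data_blob_clear(&server_info->lm_session_key);

	server_info->account_name = talloc_strdup(server_info, account_name);
	NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);

	server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY");
	NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);

	server_info->full_name = talloc_strdup(server_info, full_name);
	NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);

	server_info->logon_script = talloc_strdup(server_info, "");
	NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);

	server_info->profile_path = talloc_strdup(server_info, "");
	NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);

	server_info->home_directory = talloc_strdup(server_info, "");
	NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);

	server_info->home_drive = talloc_strdup(server_info, "");
	NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);

	server_info->logon_server = talloc_strdup(server_info, lp_netbios_name());
	NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);

	server_info->last_logon = 0;
	server_info->last_logoff = 0;
	server_info->acct_expiry = 0;
	server_info->last_password_change = 0;
	server_info->allow_password_change = 0;
	server_info->force_password_change = 0;

	server_info->logon_count = 0;
	server_info->bad_password_count = 0;

	server_info->acct_flags = ACB_NORMAL;

	server_info->authenticated = authenticated;

	*_server_info = server_info;
	return NT_STATUS_OK;
}

/*
 * Make a server_info for ANONYMOUS LOGON: SID_NT_ANONYMOUS with primary
 * group SID_BUILTIN_GUESTS, not authenticated, all-zero session keys.
 *
 * mem_ctx       talloc parent of the new server_info
 * _server_info  receives the new structure
 * returns NT_STATUS_OK or NT_STATUS_NO_MEMORY
 */
NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx, struct auth_serversupplied_info **_server_info)
{
	return auth_wellknown_server_info(mem_ctx, SID_NT_ANONYMOUS, SID_BUILTIN_GUESTS,
					  "ANONYMOUS LOGON", "Anonymous Logon",
					  False, _server_info);
}

/*
 * Make a server_info for SYSTEM: SID_NT_SYSTEM with primary group
 * SID_BUILTIN_ADMINISTRATORS, authenticated, all-zero session keys.
 *
 * mem_ctx       talloc parent of the new server_info
 * _server_info  receives the new structure
 * returns NT_STATUS_OK or NT_STATUS_NO_MEMORY
 */
NTSTATUS auth_system_server_info(TALLOC_CTX *mem_ctx, struct auth_serversupplied_info **_server_info)
{
	return auth_wellknown_server_info(mem_ctx, SID_NT_SYSTEM, SID_BUILTIN_ADMINISTRATORS,
					  "SYSTEM", "System",
					  True, _server_info);
}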
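/*
 * Build an auth_session_info around a server_info: references the
 * server_info, takes its user session key as the session key, and builds
 * the security token from the account, primary group and domain group
 * SIDs.  No credentials are attached (credentials is left NULL).
 *
 * mem_ctx        talloc parent of the new session_info
 * server_info    the authenticated user; referenced, not copied
 * _session_info  receives the new structure; untouched on failure
 * returns NT_STATUS_OK, NT_STATUS_NO_MEMORY, or the error from
 *         security_token_create()
 */
NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
				    struct auth_serversupplied_info *server_info,
				    struct auth_session_info **_session_info)
{
	struct auth_session_info *session_info;
	NTSTATUS nt_status;

	session_info = talloc(mem_ctx, struct auth_session_info);
	NT_STATUS_HAVE_NO_MEMORY(session_info);

	session_info->server_info = talloc_reference(session_info, server_info);
	if (!session_info->server_info) {
		/* previously unchecked; would yield a session with no server_info */
		talloc_free(session_info);
		return NT_STATUS_NO_MEMORY;
	}

	/* unless set otherwise, the session key is the user session
	 * key from the auth subsystem */
	session_info->session_key = server_info->user_session_key;

	nt_status = security_token_create(session_info,
					  server_info->account_sid,
					  server_info->primary_group_sid,
					  server_info->n_domain_groups,
					  server_info->domain_groups,
					  server_info->authenticated,
					  &session_info->security_token);
	if (!NT_STATUS_IS_OK(nt_status)) {
		/* release the partial session rather than leaving it on mem_ctx */
		talloc_free(session_info);
		return nt_status;
	}

	session_info->credentials = NULL;

	*_session_info = session_info;
	return NT_STATUS_OK;
}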
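/*
 * Create a session_info for ANONYMOUS LOGON, with anonymous credentials
 * attached.
 *
 * parent_ctx     talloc parent of the new session_info
 * _session_info  receives the new structure; untouched on failure
 * returns NT_STATUS_OK, NT_STATUS_NO_MEMORY, or the error from
 *         auth_anonymous_server_info() / auth_generate_session_info()
 */
NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
				     struct auth_session_info **_session_info)
{
	NTSTATUS nt_status;
	struct auth_serversupplied_info *server_info = NULL;
	struct auth_session_info *session_info = NULL;
	/* temporary parent for server_info; the session takes a reference */
	TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
	NT_STATUS_HAVE_NO_MEMORY(mem_ctx);

	nt_status = auth_anonymous_server_info(mem_ctx, &server_info);
	if (!NT_STATUS_IS_OK(nt_status)) {
		talloc_free(mem_ctx);
		return nt_status;
	}

	/* references the server_info into the session_info */
	nt_status = auth_generate_session_info(parent_ctx, server_info, &session_info);
	talloc_free(mem_ctx);

	NT_STATUS_NOT_OK_RETURN(nt_status);

	session_info->credentials = cli_credentials_init(session_info);
	if (!session_info->credentials) {
		/* previously leaked the session on parent_ctx */
		talloc_free(session_info);
		return NT_STATUS_NO_MEMORY;
	}

	cli_credentials_set_conf(session_info->credentials);
	cli_credentials_set_anonymous(session_info->credentials);

	*_session_info = session_info;
	return NT_STATUS_OK;
}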
/*
 * Convenience wrapper around auth_anonymous_session_info() for callers
 * that only want a pointer.
 *
 * mem_ctx  talloc parent of the returned session_info
 * returns the new session_info, or NULL on any failure (the NTSTATUS
 *         is not reported)
 */
struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx)
{
	struct auth_session_info *session_info = NULL;
	NTSTATUS status = auth_anonymous_session_info(mem_ctx, &session_info);

	return NT_STATUS_IS_OK(status) ? session_info : NULL;
}
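/*
 * Create a session_info for SYSTEM.  The attached credentials are
 * anonymous when the "system:anonymous" parameter is set, otherwise the
 * machine account credentials are marked as pending.
 *
 * parent_ctx     talloc parent of the new session_info
 * _session_info  receives the new structure; untouched on failure
 * returns NT_STATUS_OK, NT_STATUS_NO_MEMORY, or the error from
 *         auth_system_server_info() / auth_generate_session_info()
 */
NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
				  struct auth_session_info **_session_info)
{
	NTSTATUS nt_status;
	struct auth_serversupplied_info *server_info = NULL;
	struct auth_session_info *session_info = NULL;
	/* temporary parent for server_info; the session takes a reference */
	TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
	NT_STATUS_HAVE_NO_MEMORY(mem_ctx);

	nt_status = auth_system_server_info(mem_ctx, &server_info);
	if (!NT_STATUS_IS_OK(nt_status)) {
		talloc_free(mem_ctx);
		return nt_status;
	}

	/* references the server_info into the session_info */
	nt_status = auth_generate_session_info(parent_ctx, server_info, &session_info);
	talloc_free(mem_ctx);

	NT_STATUS_NOT_OK_RETURN(nt_status);

	session_info->credentials = cli_credentials_init(session_info);
	if (!session_info->credentials) {
		/* previously leaked the session on parent_ctx */
		talloc_free(session_info);
		return NT_STATUS_NO_MEMORY;
	}

	cli_credentials_set_conf(session_info->credentials);

	if (lp_parm_bool(-1,"system","anonymous", False)) {
		cli_credentials_set_anonymous(session_info->credentials);
	} else {
		cli_credentials_set_machine_account_pending(session_info->credentials);
	}

	*_session_info = session_info;
	return NT_STATUS_OK;
}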
/*
 * Convenience wrapper around auth_system_session_info() for callers
 * that only want a pointer.
 *
 * mem_ctx  talloc parent of the returned session_info
 * returns the new session_info, or NULL on any failure (the NTSTATUS
 *         is not reported)
 */
struct auth_session_info *system_session(TALLOC_CTX *mem_ctx)
{
	struct auth_session_info *session_info = NULL;
	NTSTATUS status = auth_system_session_info(mem_ctx, &session_info);

	return NT_STATUS_IS_OK(status) ? session_info : NULL;
}
/****************************************************************************
 prints a struct auth_session_info security token to debug output.

 dbg_lev       debug level passed to DEBUG() and security_token_debug()
 session_info  the session to print; NULL is reported rather than
               dereferenced

 NOTE(review): recovered from a garbled extraction; the NULL guard
 around the "(NULL)" message was restored.
****************************************************************************/
void auth_session_info_debug(int dbg_lev,
			     const struct auth_session_info *session_info)
{
	if (!session_info) {
		DEBUG(dbg_lev, ("Session Info: (NULL)\n"));
		return;
	}

	security_token_debug(dbg_lev, session_info->security_token);
}
649 * Squash an NT_STATUS in line with security requirements.
650 * In an attempt to avoid giving the whole game away when users
651 * are authenticating, NT replaces both NT_STATUS_NO_SUCH_USER and
652 * NT_STATUS_WRONG_PASSWORD with NT_STATUS_LOGON_FAILURE in certain situations
653 * (session setups in particular).
655 * @param nt_status NTSTATUS input for squashing.
656 * @return the 'squashed' nt_status
658 NTSTATUS
auth_nt_status_squash(NTSTATUS nt_status
)
660 if NT_STATUS_EQUAL(nt_status
, NT_STATUS_NO_SUCH_USER
) {
661 /* Match WinXP and don't give the game away */
662 return NT_STATUS_LOGON_FAILURE
;
663 } else if NT_STATUS_EQUAL(nt_status
, NT_STATUS_WRONG_PASSWORD
) {
664 /* Match WinXP and don't give the game away */
665 return NT_STATUS_LOGON_FAILURE
;