2 Unix SMB/Netbios implementation.
4 handle GENSEC authentication, server side
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett 2001-2003,2011
8 Copyright (C) Simo Sorce 2010.
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../lib/tsocket/tsocket.h"
27 #include "auth/gensec/gensec.h"
28 #include "lib/param/param.h"
30 #include "libcli/auth/krb5_wrap.h"
32 #include "librpc/crypto/gse.h"
33 #include "auth/credentials/credentials.h"
35 static NTSTATUS
auth3_generate_session_info_pac(struct auth4_context
*auth_ctx
,
37 struct smb_krb5_context
*smb_krb5_context
,
39 const char *princ_name
,
40 const struct tsocket_address
*remote_address
,
41 uint32_t session_info_flags
,
42 struct auth_session_info
**session_info
)
45 struct PAC_DATA
*pac_data
= NULL
;
46 struct PAC_LOGON_INFO
*logon_info
= NULL
;
58 tmp_ctx
= talloc_new(mem_ctx
);
60 return NT_STATUS_NO_MEMORY
;
65 status
= kerberos_decode_pac(tmp_ctx
,
67 NULL
, NULL
, NULL
, NULL
, 0, &pac_data
);
69 status
= NT_STATUS_ACCESS_DENIED
;
71 if (!NT_STATUS_IS_OK(status
)) {
75 /* get logon name and logon info */
76 for (i
= 0; i
< pac_data
->num_buffers
; i
++) {
77 struct PAC_BUFFER
*data_buf
= &pac_data
->buffers
[i
];
79 switch (data_buf
->type
) {
80 case PAC_TYPE_LOGON_INFO
:
81 if (!data_buf
->info
) {
84 logon_info
= data_buf
->info
->logon_info
.info
;
91 DEBUG(1, ("Invalid PAC data, missing logon info!\n"));
92 status
= NT_STATUS_NOT_FOUND
;
97 rc
= get_remote_hostname(remote_address
,
101 status
= NT_STATUS_NO_MEMORY
;
104 if (strequal(rhost
, "UNKNOWN")) {
105 rhost
= tsocket_address_inet_addr_string(remote_address
,
108 status
= NT_STATUS_NO_MEMORY
;
113 status
= get_user_from_kerberos_info(tmp_ctx
, rhost
,
114 princ_name
, logon_info
,
115 &is_mapped
, &is_guest
,
118 if (!NT_STATUS_IS_OK(status
)) {
119 DEBUG(1, ("Failed to map kerberos principal to system user "
120 "(%s)\n", nt_errstr(status
)));
121 status
= NT_STATUS_ACCESS_DENIED
;
125 /* save the PAC data if we have it */
127 netsamlogon_cache_store(ntuser
, &logon_info
->info3
);
130 /* setup the string used by %U */
131 sub_set_smb_name(username
);
133 /* reload services so that the new %U is taken into account */
134 lp_load(get_dyn_CONFIGFILE(), false, false, true, true);
136 status
= make_session_info_krb5(mem_ctx
,
137 ntuser
, ntdomain
, username
, pw
,
138 logon_info
, is_guest
, is_mapped
, NULL
/* No session key for now, caller will sort it out */,
140 if (!NT_STATUS_IS_OK(status
)) {
141 DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
143 status
= NT_STATUS_ACCESS_DENIED
;
147 DEBUG(5, (__location__
"OK: user: %s domain: %s client: %s\n",
148 ntuser
, ntdomain
, rhost
));
150 status
= NT_STATUS_OK
;
153 TALLOC_FREE(tmp_ctx
);
157 NTSTATUS
auth_generic_prepare(TALLOC_CTX
*mem_ctx
,
158 const struct tsocket_address
*remote_address
,
159 struct gensec_security
**gensec_security_out
)
161 struct gensec_security
*gensec_security
;
162 struct auth_context
*auth_context
;
165 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
166 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
168 nt_status
= make_auth_context_subsystem(tmp_ctx
, &auth_context
);
169 if (!NT_STATUS_IS_OK(nt_status
)) {
170 TALLOC_FREE(tmp_ctx
);
174 if (auth_context
->prepare_gensec
) {
175 nt_status
= auth_context
->prepare_gensec(tmp_ctx
,
177 if (!NT_STATUS_IS_OK(nt_status
)) {
178 TALLOC_FREE(tmp_ctx
);
182 struct gensec_settings
*gensec_settings
;
183 struct loadparm_context
*lp_ctx
;
185 struct cli_credentials
*server_credentials
;
186 struct auth4_context
*auth4_context
= talloc_zero(tmp_ctx
, struct auth4_context
);
187 if (auth4_context
== NULL
) {
188 DEBUG(10, ("failed to allocate auth4_context failed\n"));
189 TALLOC_FREE(tmp_ctx
);
190 return NT_STATUS_NO_MEMORY
;
192 auth4_context
->generate_session_info_pac
= auth3_generate_session_info_pac
;
194 lp_ctx
= loadparm_init_s3(tmp_ctx
, loadparm_s3_context());
195 if (lp_ctx
== NULL
) {
196 DEBUG(10, ("loadparm_init_s3 failed\n"));
197 TALLOC_FREE(tmp_ctx
);
198 return NT_STATUS_INVALID_SERVER_STATE
;
201 gensec_settings
= lpcfg_gensec_settings(tmp_ctx
, lp_ctx
);
202 if (lp_ctx
== NULL
) {
203 DEBUG(10, ("lpcfg_gensec_settings failed\n"));
204 TALLOC_FREE(tmp_ctx
);
205 return NT_STATUS_NO_MEMORY
;
208 gensec_settings
->backends
= talloc_zero_array(gensec_settings
, struct gensec_security_ops
*, 3);
209 if (gensec_settings
->backends
== NULL
) {
210 TALLOC_FREE(tmp_ctx
);
211 return NT_STATUS_NO_MEMORY
;
214 gensec_settings
->backends
[0] = &gensec_ntlmssp3_server_ops
;
216 #if defined(HAVE_KRB5) && defined(HAVE_GSS_WRAP_IOV)
217 gensec_settings
->backends
[1] = &gensec_gse_krb5_security_ops
;
221 * This is anonymous for now, because we just use it
222 * to set the kerberos state at the moment
224 server_credentials
= cli_credentials_init_anon(tmp_ctx
);
225 if (!server_credentials
) {
226 DEBUG(0, ("auth_generic_prepare: Failed to init server credentials\n"));
227 return NT_STATUS_NO_MEMORY
;
230 cli_credentials_set_conf(server_credentials
, lp_ctx
);
232 if (lp_security() == SEC_ADS
|| USE_KERBEROS_KEYTAB
) {
233 cli_credentials_set_kerberos_state(server_credentials
, CRED_AUTO_USE_KERBEROS
);
235 cli_credentials_set_kerberos_state(server_credentials
, CRED_DONT_USE_KERBEROS
);
238 nt_status
= gensec_server_start(tmp_ctx
, gensec_settings
,
239 auth4_context
, &gensec_security
);
241 if (!NT_STATUS_IS_OK(nt_status
)) {
242 TALLOC_FREE(tmp_ctx
);
246 gensec_set_credentials(gensec_security
, server_credentials
);
248 talloc_unlink(tmp_ctx
, lp_ctx
);
249 talloc_unlink(tmp_ctx
, server_credentials
);
250 talloc_unlink(tmp_ctx
, gensec_settings
);
251 talloc_unlink(tmp_ctx
, auth4_context
);
254 nt_status
= gensec_set_remote_address(gensec_security
,
256 if (!NT_STATUS_IS_OK(nt_status
)) {
257 TALLOC_FREE(tmp_ctx
);
261 *gensec_security_out
= talloc_steal(mem_ctx
, gensec_security
);
262 TALLOC_FREE(tmp_ctx
);