search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
selftest: generate a ramdon domain sid during provision and export as SAMSID/[TRUST_...
[Samba.git] / source4 / auth / system_session.c
blob4c5290db71a5654b54d051cefffff04c559bca91
1 /*
2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001-2010
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Stefan Metzmacher 2005
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "libcli/security/security.h"
26 #include "auth/credentials/credentials.h"
27 #include "param/param.h"
28 #include "auth/auth.h" /* for auth_user_info_dc */
29 #include "auth/session.h"
30 #include "auth/system_session_proto.h"
31
32
33 /*
34 prevent the static system session being freed
35 */
36 static int system_session_destructor(struct auth_session_info *info)
37 {
38 return -1;
39 }
40
41 /* Create a security token for a session SYSTEM (the most
42 * trusted/prvilaged account), including the local machine account as
43 * the off-host credentials
44 */
45 _PUBLIC_ struct auth_session_info *system_session(struct loadparm_context *lp_ctx)
46 {
47 static struct auth_session_info *static_session;
48 NTSTATUS nt_status;
49
50 if (static_session) {
51 return static_session;
52 }
53
54 /*
55 * Use NULL here, not the autofree context for this
56 * static pointer. The destructor prevents freeing this
57 * memory anyway.
58 */
59 nt_status = auth_system_session_info(NULL,
60 lp_ctx,
61 &static_session);
62 if (!NT_STATUS_IS_OK(nt_status)) {
63 talloc_free(static_session);
64 static_session = NULL;
65 return NULL;
66 }
67 talloc_set_destructor(static_session, system_session_destructor);
68 return static_session;
69 }
70
71 NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
72 struct loadparm_context *lp_ctx,
73 struct auth_session_info **_session_info)
74 {
75 NTSTATUS nt_status;
76 struct auth_user_info_dc *user_info_dc = NULL;
77 struct auth_session_info *session_info = NULL;
78 TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
79
80 nt_status = auth_system_user_info_dc(mem_ctx, lpcfg_netbios_name(lp_ctx),
81 &user_info_dc);
82 if (!NT_STATUS_IS_OK(nt_status)) {
83 talloc_free(mem_ctx);
84 return nt_status;
85 }
86
87 /* references the user_info_dc into the session_info */
88 nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, user_info_dc, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
89 talloc_free(mem_ctx);
90
91 NT_STATUS_NOT_OK_RETURN(nt_status);
92
93 session_info->credentials = cli_credentials_init(session_info);
94 if (!session_info->credentials) {
95 return NT_STATUS_NO_MEMORY;
96 }
97
98 cli_credentials_set_conf(session_info->credentials, lp_ctx);
99
100 cli_credentials_set_machine_account_pending(session_info->credentials, lp_ctx);
101 *_session_info = session_info;
102
103 return NT_STATUS_OK;
104 }
105
106 NTSTATUS auth_system_user_info_dc(TALLOC_CTX *mem_ctx, const char *netbios_name,
107 struct auth_user_info_dc **_user_info_dc)
108 {
109 struct auth_user_info_dc *user_info_dc;
110 struct auth_user_info *info;
111
112 user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
113 NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
114
115 /* This returns a pointer to a struct dom_sid, which is the
116 * same as a 1 element list of struct dom_sid */
117 user_info_dc->num_sids = 1;
118 user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_SYSTEM);
119 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
120
121 /* annoying, but the Anonymous really does have a session key,
122 and it is all zeros! */
123 user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
124 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
125
126 user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
127 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
128
129 data_blob_clear(&user_info_dc->user_session_key);
130 data_blob_clear(&user_info_dc->lm_session_key);
131
132 user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
133 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
134
135 info->account_name = talloc_strdup(info, "SYSTEM");
136 NT_STATUS_HAVE_NO_MEMORY(info->account_name);
137
138 info->domain_name = talloc_strdup(info, "NT AUTHORITY");
139 NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
140
141 info->full_name = talloc_strdup(info, "System");
142 NT_STATUS_HAVE_NO_MEMORY(info->full_name);
143
144 info->logon_script = talloc_strdup(info, "");
145 NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
146
147 info->profile_path = talloc_strdup(info, "");
148 NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
149
150 info->home_directory = talloc_strdup(info, "");
151 NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
152
153 info->home_drive = talloc_strdup(info, "");
154 NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
155
156 info->logon_server = talloc_strdup(info, netbios_name);
157 NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
158
159 info->last_logon = 0;
160 info->last_logoff = 0;
161 info->acct_expiry = 0;
162 info->last_password_change = 0;
163 info->allow_password_change = 0;
164 info->force_password_change = 0;
165
166 info->logon_count = 0;
167 info->bad_password_count = 0;
168
169 info->acct_flags = ACB_NORMAL;
170
171 info->authenticated = true;
172
173 *_user_info_dc = user_info_dc;
174
175 return NT_STATUS_OK;
176 }
177
178
179 static NTSTATUS auth_domain_admin_user_info_dc(TALLOC_CTX *mem_ctx,
180 const char *netbios_name,
181 const char *domain_name,
182 struct dom_sid *domain_sid,
183 struct auth_user_info_dc **_user_info_dc)
184 {
185 struct auth_user_info_dc *user_info_dc;
186 struct auth_user_info *info;
187
188 user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
189 NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
190
191 user_info_dc->num_sids = 7;
192 user_info_dc->sids = talloc_array(user_info_dc, struct dom_sid, user_info_dc->num_sids);
193
194 user_info_dc->sids[PRIMARY_USER_SID_INDEX] = *domain_sid;
195 sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_ADMINISTRATOR);
196
197 user_info_dc->sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid;
198 sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX], DOMAIN_RID_USERS);
199
200 user_info_dc->sids[2] = global_sid_Builtin_Administrators;
201
202 user_info_dc->sids[3] = *domain_sid;
203 sid_append_rid(&user_info_dc->sids[3], DOMAIN_RID_ADMINS);
204 user_info_dc->sids[4] = *domain_sid;
205 sid_append_rid(&user_info_dc->sids[4], DOMAIN_RID_ENTERPRISE_ADMINS);
206 user_info_dc->sids[5] = *domain_sid;
207 sid_append_rid(&user_info_dc->sids[5], DOMAIN_RID_POLICY_ADMINS);
208 user_info_dc->sids[6] = *domain_sid;
209 sid_append_rid(&user_info_dc->sids[6], DOMAIN_RID_SCHEMA_ADMINS);
210
211 /* What should the session key be?*/
212 user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
213 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
214
215 user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
216 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
217
218 data_blob_clear(&user_info_dc->user_session_key);
219 data_blob_clear(&user_info_dc->lm_session_key);
220
221 user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
222 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
223
224 info->account_name = talloc_strdup(info, "Administrator");
225 NT_STATUS_HAVE_NO_MEMORY(info->account_name);
226
227 info->domain_name = talloc_strdup(info, domain_name);
228 NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
229
230 info->full_name = talloc_strdup(info, "Administrator");
231 NT_STATUS_HAVE_NO_MEMORY(info->full_name);
232
233 info->logon_script = talloc_strdup(info, "");
234 NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
235
236 info->profile_path = talloc_strdup(info, "");
237 NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
238
239 info->home_directory = talloc_strdup(info, "");
240 NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
241
242 info->home_drive = talloc_strdup(info, "");
243 NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
244
245 info->logon_server = talloc_strdup(info, netbios_name);
246 NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
247
248 info->last_logon = 0;
249 info->last_logoff = 0;
250 info->acct_expiry = 0;
251 info->last_password_change = 0;
252 info->allow_password_change = 0;
253 info->force_password_change = 0;
254
255 info->logon_count = 0;
256 info->bad_password_count = 0;
257
258 info->acct_flags = ACB_NORMAL;
259
260 info->authenticated = true;
261
262 *_user_info_dc = user_info_dc;
263
264 return NT_STATUS_OK;
265 }
266
267 static NTSTATUS auth_domain_admin_session_info(TALLOC_CTX *parent_ctx,
268 struct loadparm_context *lp_ctx,
269 struct dom_sid *domain_sid,
270 struct auth_session_info **session_info)
271 {
272 NTSTATUS nt_status;
273 struct auth_user_info_dc *user_info_dc = NULL;
274 TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
275
276 NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
277
278 nt_status = auth_domain_admin_user_info_dc(mem_ctx, lpcfg_netbios_name(lp_ctx),
279 lpcfg_workgroup(lp_ctx), domain_sid,
280 &user_info_dc);
281 if (!NT_STATUS_IS_OK(nt_status)) {
282 talloc_free(mem_ctx);
283 return nt_status;
284 }
285
286 nt_status = auth_generate_session_info(mem_ctx, NULL, NULL, user_info_dc,
287 AUTH_SESSION_INFO_SIMPLE_PRIVILEGES|AUTH_SESSION_INFO_AUTHENTICATED|AUTH_SESSION_INFO_DEFAULT_GROUPS,
288 session_info);
289 /* There is already a reference between the sesion_info and user_info_dc */
290 if (NT_STATUS_IS_OK(nt_status)) {
291 talloc_steal(parent_ctx, *session_info);
292 }
293 talloc_free(mem_ctx);
294 return nt_status;
295 }
296
297 _PUBLIC_ struct auth_session_info *admin_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct dom_sid *domain_sid)
298 {
299 NTSTATUS nt_status;
300 struct auth_session_info *session_info = NULL;
301 nt_status = auth_domain_admin_session_info(mem_ctx,
302 lp_ctx,
303 domain_sid,
304 &session_info);
305 if (!NT_STATUS_IS_OK(nt_status)) {
306 return NULL;
307 }
308 return session_info;
309 }
310
311 _PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
312 struct loadparm_context *lp_ctx,
313 struct auth_session_info **_session_info)
314 {
315 NTSTATUS nt_status;
316 struct auth_user_info_dc *user_info_dc = NULL;
317 struct auth_session_info *session_info = NULL;
318 TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
319
320 nt_status = auth_anonymous_user_info_dc(mem_ctx,
321 lpcfg_netbios_name(lp_ctx),
322 &user_info_dc);
323 if (!NT_STATUS_IS_OK(nt_status)) {
324 talloc_free(mem_ctx);
325 return nt_status;
326 }
327
328 /* references the user_info_dc into the session_info */
329 nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, user_info_dc, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
330 talloc_free(mem_ctx);
331
332 NT_STATUS_NOT_OK_RETURN(nt_status);
333
334 session_info->credentials = cli_credentials_init(session_info);
335 if (!session_info->credentials) {
336 return NT_STATUS_NO_MEMORY;
337 }
338
339 cli_credentials_set_conf(session_info->credentials, lp_ctx);
340 cli_credentials_set_anonymous(session_info->credentials);
341
342 *_session_info = session_info;
343
344 return NT_STATUS_OK;
345 }
346
347 _PUBLIC_ NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx,
348 const char *netbios_name,
349 struct auth_user_info_dc **_user_info_dc)
350 {
351 struct auth_user_info_dc *user_info_dc;
352 struct auth_user_info *info;
353 user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
354 NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
355
356 /* This returns a pointer to a struct dom_sid, which is the
357 * same as a 1 element list of struct dom_sid */
358 user_info_dc->num_sids = 1;
359 user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_ANONYMOUS);
360 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
361
362 /* annoying, but the Anonymous really does have a session key... */
363 user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
364 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
365
366 user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
367 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
368
369 /* and it is all zeros! */
370 data_blob_clear(&user_info_dc->user_session_key);
371 data_blob_clear(&user_info_dc->lm_session_key);
372
373 user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
374 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
375
376 info->account_name = talloc_strdup(info, "ANONYMOUS LOGON");
377 NT_STATUS_HAVE_NO_MEMORY(info->account_name);
378
379 info->domain_name = talloc_strdup(info, "NT AUTHORITY");
380 NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
381
382 info->full_name = talloc_strdup(info, "Anonymous Logon");
383 NT_STATUS_HAVE_NO_MEMORY(info->full_name);
384
385 info->logon_script = talloc_strdup(info, "");
386 NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
387
388 info->profile_path = talloc_strdup(info, "");
389 NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
390
391 info->home_directory = talloc_strdup(info, "");
392 NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
393
394 info->home_drive = talloc_strdup(info, "");
395 NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
396
397 info->logon_server = talloc_strdup(info, netbios_name);
398 NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
399
400 info->last_logon = 0;
401 info->last_logoff = 0;
402 info->acct_expiry = 0;
403 info->last_password_change = 0;
404 info->allow_password_change = 0;
405 info->force_password_change = 0;
406
407 info->logon_count = 0;
408 info->bad_password_count = 0;
409
410 info->acct_flags = ACB_NORMAL;
411
412 info->authenticated = false;
413
414 *_user_info_dc = user_info_dc;
415
416 return NT_STATUS_OK;
417 }
418
Samba GIT mirror