search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4-auth: Log SMB authorization for bare NTLM (NTLMSSP/krb5 already done)
[Samba.git] / source4 / smb_server / smb / sesssetup.c
blob594efd0c02d9eaf5f82ecca54fc90df2737966ea
1
2 /*
3 Unix SMB/CIFS implementation.
4 handle SMBsessionsetup
5 Copyright (C) Andrew Tridgell 1998-2001
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005
7 Copyright (C) Jim McDonough 2002
8 Copyright (C) Luke Howard 2003
9 Copyright (C) Stefan Metzmacher 2005
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 */
24
25 #include "includes.h"
26 #include <tevent.h>
27 #include "version.h"
28 #include "auth/gensec/gensec.h"
29 #include "auth/auth.h"
30 #include "smb_server/smb_server.h"
31 #include "smbd/service_stream.h"
32 #include "param/param.h"
33 #include "../lib/tsocket/tsocket.h"
34 #include "lib/stream/packet.h"
35
36 struct sesssetup_context {
37 struct auth4_context *auth_context;
38 struct smbsrv_request *req;
39 };
40
41 /*
42 * Log the SMB authentication, as by not calling GENSEC we won't log
43 * it during the gensec_session_info().
44 */
45 void smbsrv_not_spengo_sesssetup_authz_log(struct smbsrv_request *req,
46 struct auth_session_info *session_info)
47 {
48 struct tsocket_address *local_address;
49 struct tsocket_address *remote_address;
50 TALLOC_CTX *frame = talloc_stackframe();
51
52 remote_address = socket_get_remote_addr(req->smb_conn->connection->socket,
53 frame);
54 local_address = socket_get_local_addr(req->smb_conn->connection->socket,
55 frame);
56
57 log_successful_authz_event(remote_address,
58 local_address,
59 "SMB",
60 "bare-NTLM",
61 session_info);
62
63 talloc_free(frame);
64 return;
65 }
66
67
68 /*
69 setup the OS, Lanman and domain portions of a session setup reply
70 */
71 static void sesssetup_common_strings(struct smbsrv_request *req,
72 char **os, char **lanman, char **domain)
73 {
74 (*os) = talloc_asprintf(req, "Unix");
75 (*lanman) = talloc_asprintf(req, "Samba %s", SAMBA_VERSION_STRING);
76 (*domain) = talloc_asprintf(req, "%s",
77 lpcfg_workgroup(req->smb_conn->lp_ctx));
78 }
79
80 static void smbsrv_sesssetup_backend_send(struct smbsrv_request *req,
81 union smb_sesssetup *sess,
82 NTSTATUS status)
83 {
84 if (NT_STATUS_IS_OK(status)) {
85 req->smb_conn->negotiate.done_sesssetup = true;
86 /* we need to keep the session long term */
87 req->session = talloc_steal(req->smb_conn, req->session);
88 }
89 smbsrv_reply_sesssetup_send(req, sess, status);
90 }
91
92 static void sesssetup_old_send(struct tevent_req *subreq)
93 {
94 struct sesssetup_context *state = tevent_req_callback_data(subreq, struct sesssetup_context);
95 struct smbsrv_request *req = state->req;
96
97 union smb_sesssetup *sess = talloc_get_type(req->io_ptr, union smb_sesssetup);
98 struct auth_user_info_dc *user_info_dc = NULL;
99 struct auth_session_info *session_info;
100 struct smbsrv_session *smb_sess;
101 NTSTATUS status;
102 uint8_t authoritative = 0;
103 uint32_t flags;
104
105 status = auth_check_password_recv(subreq, req, &user_info_dc,
106 &authoritative);
107 TALLOC_FREE(subreq);
108 if (!NT_STATUS_IS_OK(status)) goto failed;
109
110 flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
111 if (user_info_dc->info->authenticated) {
112 flags |= AUTH_SESSION_INFO_AUTHENTICATED;
113 }
114 /* This references user_info_dc into session_info */
115 status = req->smb_conn->negotiate.auth_context->generate_session_info(req->smb_conn->negotiate.auth_context,
116 req,
117 user_info_dc, sess->old.in.user,
118 flags, &session_info);
119 if (!NT_STATUS_IS_OK(status)) goto failed;
120
121 /* allocate a new session */
122 smb_sess = smbsrv_session_new(req->smb_conn, req, NULL);
123 if (!smb_sess) {
124 status = NT_STATUS_INSUFFICIENT_RESOURCES;
125 goto failed;
126 }
127
128 smbsrv_not_spengo_sesssetup_authz_log(req, session_info);
129
130 /* Ensure this is marked as a 'real' vuid, not one
131 * simply valid for the session setup leg */
132 status = smbsrv_session_sesssetup_finished(smb_sess, session_info);
133 if (!NT_STATUS_IS_OK(status)) goto failed;
134
135 /* To correctly process any AndX packet (like a tree connect)
136 * we need to fill in the session on the request here */
137 req->session = smb_sess;
138 sess->old.out.vuid = smb_sess->vuid;
139
140 failed:
141 status = nt_status_squash(status);
142 smbsrv_sesssetup_backend_send(req, sess, status);
143 }
144
145 /*
146 handler for old style session setup
147 */
148 static void sesssetup_old(struct smbsrv_request *req, union smb_sesssetup *sess)
149 {
150 struct auth_usersupplied_info *user_info = NULL;
151 struct tsocket_address *remote_address, *local_address;
152 const char *remote_machine = NULL;
153 struct tevent_req *subreq;
154 struct sesssetup_context *state;
155
156 sess->old.out.vuid = 0;
157 sess->old.out.action = 0;
158
159 sesssetup_common_strings(req,
160 &sess->old.out.os,
161 &sess->old.out.lanman,
162 &sess->old.out.domain);
163
164 if (!req->smb_conn->negotiate.done_sesssetup) {
165 req->smb_conn->negotiate.max_send = sess->old.in.bufsize;
166 }
167
168 if (req->smb_conn->negotiate.calling_name) {
169 remote_machine = req->smb_conn->negotiate.calling_name->name;
170 }
171
172 remote_address = socket_get_remote_addr(req->smb_conn->connection->socket, req);
173 if (!remote_address) goto nomem;
174
175 if (!remote_machine) {
176 remote_machine = tsocket_address_inet_addr_string(remote_address, req);
177 if (!remote_machine) goto nomem;
178 }
179
180 local_address = socket_get_local_addr(req->smb_conn->connection->socket, req);
181 if (!local_address) goto nomem;
182
183 user_info = talloc_zero(req, struct auth_usersupplied_info);
184 if (!user_info) goto nomem;
185
186 user_info->service_description = "SMB";
187
188 user_info->mapped_state = false;
189 user_info->logon_parameters = 0;
190 user_info->flags = 0;
191 user_info->client.account_name = sess->old.in.user;
192 user_info->client.domain_name = sess->old.in.domain;
193 user_info->workstation_name = remote_machine;
194
195 user_info->remote_host = talloc_steal(user_info, remote_address);
196 user_info->local_host = talloc_steal(user_info, local_address);
197
198 user_info->password_state = AUTH_PASSWORD_RESPONSE;
199 user_info->password.response.lanman = sess->old.in.password;
200 user_info->password.response.lanman.data = talloc_steal(user_info, sess->old.in.password.data);
201 user_info->password.response.nt = data_blob(NULL, 0);
202
203 state = talloc(req, struct sesssetup_context);
204 if (!state) goto nomem;
205
206 if (req->smb_conn->negotiate.auth_context) {
207 state->auth_context = req->smb_conn->negotiate.auth_context;
208 } else {
209 /* TODO: should we use just "anonymous" here? */
210 NTSTATUS status = auth_context_create(state,
211 req->smb_conn->connection->event.ctx,
212 req->smb_conn->connection->msg_ctx,
213 req->smb_conn->lp_ctx,
214 &state->auth_context);
215 if (!NT_STATUS_IS_OK(status)) {
216 smbsrv_sesssetup_backend_send(req, sess, status);
217 return;
218 }
219 }
220
221 state->req = req;
222
223 subreq = auth_check_password_send(state,
224 req->smb_conn->connection->event.ctx,
225 req->smb_conn->negotiate.auth_context,
226 user_info);
227 if (!subreq) goto nomem;
228 tevent_req_set_callback(subreq, sesssetup_old_send, state);
229 return;
230
231 nomem:
232 smbsrv_sesssetup_backend_send(req, sess, NT_STATUS_NO_MEMORY);
233 }
234
235 static void sesssetup_nt1_send(struct tevent_req *subreq)
236 {
237 struct sesssetup_context *state = tevent_req_callback_data(subreq, struct sesssetup_context);
238 struct smbsrv_request *req = state->req;
239 union smb_sesssetup *sess = talloc_get_type(req->io_ptr, union smb_sesssetup);
240 struct auth_user_info_dc *user_info_dc = NULL;
241 struct auth_session_info *session_info;
242 struct smbsrv_session *smb_sess;
243 uint8_t authoritative = 0;
244 uint32_t flags;
245 NTSTATUS status;
246
247 status = auth_check_password_recv(subreq, req, &user_info_dc,
248 &authoritative);
249 TALLOC_FREE(subreq);
250 if (!NT_STATUS_IS_OK(status)) goto failed;
251
252 flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
253 if (user_info_dc->info->authenticated) {
254 flags |= AUTH_SESSION_INFO_AUTHENTICATED;
255 }
256 /* This references user_info_dc into session_info */
257 status = state->auth_context->generate_session_info(state->auth_context,
258 req,
259 user_info_dc,
260 sess->nt1.in.user,
261 flags,
262 &session_info);
263 if (!NT_STATUS_IS_OK(status)) goto failed;
264
265 /* allocate a new session */
266 smb_sess = smbsrv_session_new(req->smb_conn, req, NULL);
267 if (!smb_sess) {
268 status = NT_STATUS_INSUFFICIENT_RESOURCES;
269 goto failed;
270 }
271
272 smbsrv_not_spengo_sesssetup_authz_log(req, session_info);
273
274 /* Ensure this is marked as a 'real' vuid, not one
275 * simply valid for the session setup leg */
276 status = smbsrv_session_sesssetup_finished(smb_sess, session_info);
277 if (!NT_STATUS_IS_OK(status)) goto failed;
278
279 /* To correctly process any AndX packet (like a tree connect)
280 * we need to fill in the session on the request here */
281 req->session = smb_sess;
282 sess->nt1.out.vuid = smb_sess->vuid;
283
284 if (!smbsrv_setup_signing(req->smb_conn, &session_info->session_key, &sess->nt1.in.password2)) {
285 /* Already signing, or disabled */
286 goto done;
287 }
288
289 done:
290 status = NT_STATUS_OK;
291 failed:
292 status = nt_status_squash(status);
293 smbsrv_sesssetup_backend_send(req, sess, status);
294 }
295
296 /*
297 handler for NT1 style session setup
298 */
299 static void sesssetup_nt1(struct smbsrv_request *req, union smb_sesssetup *sess)
300 {
301 NTSTATUS status;
302 struct auth_usersupplied_info *user_info = NULL;
303 struct tsocket_address *remote_address, *local_address;
304 const char *remote_machine = NULL;
305 struct tevent_req *subreq;
306 struct sesssetup_context *state;
307 bool allow_raw = lpcfg_raw_ntlmv2_auth(req->smb_conn->lp_ctx);
308
309 sess->nt1.out.vuid = 0;
310 sess->nt1.out.action = 0;
311
312 sesssetup_common_strings(req,
313 &sess->nt1.out.os,
314 &sess->nt1.out.lanman,
315 &sess->nt1.out.domain);
316
317 if (!req->smb_conn->negotiate.done_sesssetup) {
318 req->smb_conn->negotiate.max_send = sess->nt1.in.bufsize;
319 req->smb_conn->negotiate.client_caps = sess->nt1.in.capabilities;
320 }
321
322 state = talloc(req, struct sesssetup_context);
323 if (!state) goto nomem;
324
325 state->req = req;
326
327 if (req->smb_conn->negotiate.oid) {
328 if (sess->nt1.in.user && *sess->nt1.in.user) {
329 /* We can't accept a normal login, because we
330 * don't have a challenge */
331 status = NT_STATUS_LOGON_FAILURE;
332 goto failed;
333 }
334
335 /* TODO: should we use just "anonymous" here? */
336 status = auth_context_create(state,
337 req->smb_conn->connection->event.ctx,
338 req->smb_conn->connection->msg_ctx,
339 req->smb_conn->lp_ctx,
340 &state->auth_context);
341 if (!NT_STATUS_IS_OK(status)) goto failed;
342 } else if (req->smb_conn->negotiate.auth_context) {
343 state->auth_context = req->smb_conn->negotiate.auth_context;
344 } else {
345 /* TODO: should we use just "anonymous" here? */
346 status = auth_context_create(state,
347 req->smb_conn->connection->event.ctx,
348 req->smb_conn->connection->msg_ctx,
349 req->smb_conn->lp_ctx,
350 &state->auth_context);
351 if (!NT_STATUS_IS_OK(status)) goto failed;
352 }
353
354 if (req->smb_conn->negotiate.calling_name) {
355 remote_machine = req->smb_conn->negotiate.calling_name->name;
356 }
357
358 remote_address = socket_get_remote_addr(req->smb_conn->connection->socket, req);
359 if (!remote_address) goto nomem;
360
361 if (!remote_machine) {
362 remote_machine = tsocket_address_inet_addr_string(remote_address, req);
363 if (!remote_machine) goto nomem;
364 }
365
366 local_address = socket_get_local_addr(req->smb_conn->connection->socket, req);
367 if (!local_address) goto nomem;
368
369 user_info = talloc_zero(req, struct auth_usersupplied_info);
370 if (!user_info) goto nomem;
371
372 user_info->service_description = "SMB";
373 user_info->auth_description = "bare-NTLM";
374
375 user_info->mapped_state = false;
376 user_info->logon_parameters = 0;
377 user_info->flags = 0;
378 user_info->client.account_name = sess->nt1.in.user;
379 user_info->client.domain_name = sess->nt1.in.domain;
380 user_info->workstation_name = remote_machine;
381 user_info->remote_host = talloc_steal(user_info, remote_address);
382 user_info->local_host = talloc_steal(user_info, local_address);
383
384 user_info->password_state = AUTH_PASSWORD_RESPONSE;
385 user_info->password.response.lanman = sess->nt1.in.password1;
386 user_info->password.response.lanman.data = talloc_steal(user_info, sess->nt1.in.password1.data);
387 user_info->password.response.nt = sess->nt1.in.password2;
388 user_info->password.response.nt.data = talloc_steal(user_info, sess->nt1.in.password2.data);
389
390 if (!allow_raw && user_info->password.response.nt.length >= 48) {
391 /*
392 * NTLMv2_RESPONSE has at least 48 bytes
393 * and should only be supported via NTLMSSP.
394 */
395 status = NT_STATUS_INVALID_PARAMETER;
396 goto failed;
397 }
398
399 subreq = auth_check_password_send(state,
400 req->smb_conn->connection->event.ctx,
401 state->auth_context,
402 user_info);
403 if (!subreq) goto nomem;
404 tevent_req_set_callback(subreq, sesssetup_nt1_send, state);
405
406 return;
407
408 nomem:
409 status = NT_STATUS_NO_MEMORY;
410 failed:
411 status = nt_status_squash(status);
412 smbsrv_sesssetup_backend_send(req, sess, status);
413 }
414
415 struct sesssetup_spnego_state {
416 struct smbsrv_request *req;
417 union smb_sesssetup *sess;
418 struct smbsrv_session *smb_sess;
419 };
420
421 static void sesssetup_spnego_send(struct tevent_req *subreq)
422 {
423 struct sesssetup_spnego_state *s = tevent_req_callback_data(subreq,
424 struct sesssetup_spnego_state);
425 struct smbsrv_request *req = s->req;
426 union smb_sesssetup *sess = s->sess;
427 struct smbsrv_session *smb_sess = s->smb_sess;
428 struct auth_session_info *session_info = NULL;
429 NTSTATUS status;
430 NTSTATUS skey_status;
431 DATA_BLOB session_key;
432
433 status = gensec_update_recv(subreq, req, &sess->spnego.out.secblob);
434 packet_recv_enable(req->smb_conn->packet);
435 TALLOC_FREE(subreq);
436 if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
437 goto done;
438 } else if (!NT_STATUS_IS_OK(status)) {
439 goto failed;
440 }
441
442 status = gensec_session_info(smb_sess->gensec_ctx, smb_sess, &session_info);
443 if (!NT_STATUS_IS_OK(status)) goto failed;
444
445 /* The session_key is only needed until the end of the smbsrv_setup_signing() call */
446 skey_status = gensec_session_key(smb_sess->gensec_ctx, req, &session_key);
447 if (NT_STATUS_IS_OK(skey_status)) {
448 smbsrv_setup_signing(req->smb_conn, &session_key, NULL);
449 }
450
451 /* Ensure this is marked as a 'real' vuid, not one
452 * simply valid for the session setup leg */
453 status = smbsrv_session_sesssetup_finished(smb_sess, session_info);
454 if (!NT_STATUS_IS_OK(status)) goto failed;
455
456 req->session = smb_sess;
457
458 done:
459 sess->spnego.out.vuid = smb_sess->vuid;
460 failed:
461 status = nt_status_squash(status);
462 smbsrv_sesssetup_backend_send(req, sess, status);
463 if (!NT_STATUS_IS_OK(status) &&
464 !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
465 talloc_free(smb_sess);
466 }
467 }
468
469 /*
470 handler for SPNEGO style session setup
471 */
472 static void sesssetup_spnego(struct smbsrv_request *req, union smb_sesssetup *sess)
473 {
474 NTSTATUS status;
475 struct smbsrv_session *smb_sess = NULL;
476 bool is_smb_sess_new = false;
477 struct sesssetup_spnego_state *s = NULL;
478 uint16_t vuid;
479 struct tevent_req *subreq;
480
481 sess->spnego.out.vuid = 0;
482 sess->spnego.out.action = 0;
483
484 sesssetup_common_strings(req,
485 &sess->spnego.out.os,
486 &sess->spnego.out.lanman,
487 &sess->spnego.out.workgroup);
488
489 if (!req->smb_conn->negotiate.done_sesssetup) {
490 req->smb_conn->negotiate.max_send = sess->spnego.in.bufsize;
491 req->smb_conn->negotiate.client_caps = sess->spnego.in.capabilities;
492 }
493
494 vuid = SVAL(req->in.hdr,HDR_UID);
495
496 /* lookup an existing session */
497 if (vuid == 0) {
498 struct gensec_security *gensec_ctx;
499 struct tsocket_address *remote_address, *local_address;
500 status = samba_server_gensec_start(req,
501 req->smb_conn->connection->event.ctx,
502 req->smb_conn->connection->msg_ctx,
503 req->smb_conn->lp_ctx,
504 req->smb_conn->negotiate.server_credentials,
505 "cifs",
506 &gensec_ctx);
507 if (!NT_STATUS_IS_OK(status)) {
508 DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status)));
509 goto failed;
510 }
511
512 gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SESSION_KEY);
513
514 remote_address = socket_get_remote_addr(req->smb_conn->connection->socket,
515 req);
516 if (!remote_address) {
517 status = NT_STATUS_INTERNAL_ERROR;
518 DBG_ERR("Failed to obtain remote address");
519 goto failed;
520 }
521
522 status = gensec_set_remote_address(gensec_ctx,
523 remote_address);
524 if (!NT_STATUS_IS_OK(status)) {
525 DBG_ERR("Failed to set remote address");
526 goto failed;
527 }
528
529 local_address = socket_get_local_addr(req->smb_conn->connection->socket,
530 req);
531 if (!local_address) {
532 status = NT_STATUS_INTERNAL_ERROR;
533 DBG_ERR("Failed to obtain local address");
534 goto failed;
535 }
536
537 status = gensec_set_local_address(gensec_ctx,
538 local_address);
539 if (!NT_STATUS_IS_OK(status)) {
540 DBG_ERR("Failed to set local address");
541 goto failed;
542 }
543
544 status = gensec_set_target_service_description(gensec_ctx,
545 "SMB");
546
547 if (!NT_STATUS_IS_OK(status)) {
548 DBG_ERR("Failed to set service description");
549 goto failed;
550 }
551
552 status = gensec_start_mech_by_oid(gensec_ctx, req->smb_conn->negotiate.oid);
553 if (!NT_STATUS_IS_OK(status)) {
554 DEBUG(1, ("Failed to start GENSEC %s server code: %s\n",
555 gensec_get_name_by_oid(gensec_ctx, req->smb_conn->negotiate.oid), nt_errstr(status)));
556 goto failed;
557 }
558
559 /* allocate a new session */
560 smb_sess = smbsrv_session_new(req->smb_conn, req->smb_conn, gensec_ctx);
561 if (!smb_sess) {
562 status = NT_STATUS_INSUFFICIENT_RESOURCES;
563 goto failed;
564 }
565 is_smb_sess_new = true;
566 } else {
567 smb_sess = smbsrv_session_find_sesssetup(req->smb_conn, vuid);
568 }
569
570 if (!smb_sess) {
571 status = NT_STATUS_DOS(ERRSRV, ERRbaduid);
572 goto failed;
573 }
574
575 if (smb_sess->session_info) {
576 status = NT_STATUS_INVALID_PARAMETER;
577 goto failed;
578 }
579
580 if (!smb_sess->gensec_ctx) {
581 status = NT_STATUS_INTERNAL_ERROR;
582 DEBUG(1, ("Internal ERROR: no gensec_ctx on session: %s\n", nt_errstr(status)));
583 goto failed;
584 }
585
586 s = talloc(req, struct sesssetup_spnego_state);
587 if (!s) goto nomem;
588 s->req = req;
589 s->sess = sess;
590 s->smb_sess = smb_sess;
591
592 subreq = gensec_update_send(s,
593 req->smb_conn->connection->event.ctx,
594 smb_sess->gensec_ctx,
595 sess->spnego.in.secblob);
596 if (!subreq) {
597 goto nomem;
598 }
599 /* disable receipt of more packets on this socket until we've
600 finished with the session setup. This avoids a problem with
601 crashes if we get EOF on the socket while processing a session
602 setup */
603 packet_recv_disable(req->smb_conn->packet);
604 tevent_req_set_callback(subreq, sesssetup_spnego_send, s);
605
606 return;
607
608 nomem:
609 status = NT_STATUS_NO_MEMORY;
610 failed:
611 if (is_smb_sess_new) {
612 talloc_free(smb_sess);
613 }
614 status = nt_status_squash(status);
615 smbsrv_sesssetup_backend_send(req, sess, status);
616 }
617
618 /*
619 backend for sessionsetup call - this takes all 3 variants of the call
620 */
621 void smbsrv_sesssetup_backend(struct smbsrv_request *req,
622 union smb_sesssetup *sess)
623 {
624 switch (sess->old.level) {
625 case RAW_SESSSETUP_OLD:
626 sesssetup_old(req, sess);
627 return;
628
629 case RAW_SESSSETUP_NT1:
630 sesssetup_nt1(req, sess);
631 return;
632
633 case RAW_SESSSETUP_SPNEGO:
634 sesssetup_spnego(req, sess);
635 return;
636
637 case RAW_SESSSETUP_SMB2:
638 break;
639 }
640
641 smbsrv_sesssetup_backend_send(req, sess, NT_STATUS_INVALID_LEVEL);
642 }
Samba GIT mirror