3 Unix SMB/CIFS implementation.
5 Copyright (C) Andrew Tridgell 1998-2001
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005
7 Copyright (C) Jim McDonough 2002
8 Copyright (C) Luke Howard 2003
9 Copyright (C) Stefan Metzmacher 2005
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
28 #include "auth/gensec/gensec.h"
29 #include "auth/auth.h"
30 #include "smb_server/smb_server.h"
31 #include "smbd/service_stream.h"
32 #include "param/param.h"
33 #include "../lib/tsocket/tsocket.h"
34 #include "lib/stream/packet.h"
36 struct sesssetup_context
{
37 struct auth4_context
*auth_context
;
38 struct smbsrv_request
*req
;
42 * Log the SMB authentication, as by not calling GENSEC we won't log
43 * it during the gensec_session_info().
45 void smbsrv_not_spengo_sesssetup_authz_log(struct smbsrv_request
*req
,
46 struct auth_session_info
*session_info
)
48 struct tsocket_address
*local_address
;
49 struct tsocket_address
*remote_address
;
50 TALLOC_CTX
*frame
= talloc_stackframe();
52 remote_address
= socket_get_remote_addr(req
->smb_conn
->connection
->socket
,
54 local_address
= socket_get_local_addr(req
->smb_conn
->connection
->socket
,
57 log_successful_authz_event(remote_address
,
69 setup the OS, Lanman and domain portions of a session setup reply
71 static void sesssetup_common_strings(struct smbsrv_request
*req
,
72 char **os
, char **lanman
, char **domain
)
74 (*os
) = talloc_asprintf(req
, "Unix");
75 (*lanman
) = talloc_asprintf(req
, "Samba %s", SAMBA_VERSION_STRING
);
76 (*domain
) = talloc_asprintf(req
, "%s",
77 lpcfg_workgroup(req
->smb_conn
->lp_ctx
));
80 static void smbsrv_sesssetup_backend_send(struct smbsrv_request
*req
,
81 union smb_sesssetup
*sess
,
84 if (NT_STATUS_IS_OK(status
)) {
85 req
->smb_conn
->negotiate
.done_sesssetup
= true;
86 /* we need to keep the session long term */
87 req
->session
= talloc_steal(req
->smb_conn
, req
->session
);
89 smbsrv_reply_sesssetup_send(req
, sess
, status
);
92 static void sesssetup_old_send(struct tevent_req
*subreq
)
94 struct sesssetup_context
*state
= tevent_req_callback_data(subreq
, struct sesssetup_context
);
95 struct smbsrv_request
*req
= state
->req
;
97 union smb_sesssetup
*sess
= talloc_get_type(req
->io_ptr
, union smb_sesssetup
);
98 struct auth_user_info_dc
*user_info_dc
= NULL
;
99 struct auth_session_info
*session_info
;
100 struct smbsrv_session
*smb_sess
;
102 uint8_t authoritative
= 0;
105 status
= auth_check_password_recv(subreq
, req
, &user_info_dc
,
108 if (!NT_STATUS_IS_OK(status
)) goto failed
;
110 flags
= AUTH_SESSION_INFO_DEFAULT_GROUPS
;
111 if (user_info_dc
->info
->authenticated
) {
112 flags
|= AUTH_SESSION_INFO_AUTHENTICATED
;
114 /* This references user_info_dc into session_info */
115 status
= req
->smb_conn
->negotiate
.auth_context
->generate_session_info(req
->smb_conn
->negotiate
.auth_context
,
117 user_info_dc
, sess
->old
.in
.user
,
118 flags
, &session_info
);
119 if (!NT_STATUS_IS_OK(status
)) goto failed
;
121 /* allocate a new session */
122 smb_sess
= smbsrv_session_new(req
->smb_conn
, req
, NULL
);
124 status
= NT_STATUS_INSUFFICIENT_RESOURCES
;
128 smbsrv_not_spengo_sesssetup_authz_log(req
, session_info
);
130 /* Ensure this is marked as a 'real' vuid, not one
131 * simply valid for the session setup leg */
132 status
= smbsrv_session_sesssetup_finished(smb_sess
, session_info
);
133 if (!NT_STATUS_IS_OK(status
)) goto failed
;
135 /* To correctly process any AndX packet (like a tree connect)
136 * we need to fill in the session on the request here */
137 req
->session
= smb_sess
;
138 sess
->old
.out
.vuid
= smb_sess
->vuid
;
141 status
= nt_status_squash(status
);
142 smbsrv_sesssetup_backend_send(req
, sess
, status
);
146 handler for old style session setup
148 static void sesssetup_old(struct smbsrv_request
*req
, union smb_sesssetup
*sess
)
150 struct auth_usersupplied_info
*user_info
= NULL
;
151 struct tsocket_address
*remote_address
, *local_address
;
152 const char *remote_machine
= NULL
;
153 struct tevent_req
*subreq
;
154 struct sesssetup_context
*state
;
156 sess
->old
.out
.vuid
= 0;
157 sess
->old
.out
.action
= 0;
159 sesssetup_common_strings(req
,
161 &sess
->old
.out
.lanman
,
162 &sess
->old
.out
.domain
);
164 if (!req
->smb_conn
->negotiate
.done_sesssetup
) {
165 req
->smb_conn
->negotiate
.max_send
= sess
->old
.in
.bufsize
;
168 if (req
->smb_conn
->negotiate
.calling_name
) {
169 remote_machine
= req
->smb_conn
->negotiate
.calling_name
->name
;
172 remote_address
= socket_get_remote_addr(req
->smb_conn
->connection
->socket
, req
);
173 if (!remote_address
) goto nomem
;
175 if (!remote_machine
) {
176 remote_machine
= tsocket_address_inet_addr_string(remote_address
, req
);
177 if (!remote_machine
) goto nomem
;
180 local_address
= socket_get_local_addr(req
->smb_conn
->connection
->socket
, req
);
181 if (!local_address
) goto nomem
;
183 user_info
= talloc_zero(req
, struct auth_usersupplied_info
);
184 if (!user_info
) goto nomem
;
186 user_info
->service_description
= "SMB";
188 user_info
->mapped_state
= false;
189 user_info
->logon_parameters
= 0;
190 user_info
->flags
= 0;
191 user_info
->client
.account_name
= sess
->old
.in
.user
;
192 user_info
->client
.domain_name
= sess
->old
.in
.domain
;
193 user_info
->workstation_name
= remote_machine
;
195 user_info
->remote_host
= talloc_steal(user_info
, remote_address
);
196 user_info
->local_host
= talloc_steal(user_info
, local_address
);
198 user_info
->password_state
= AUTH_PASSWORD_RESPONSE
;
199 user_info
->password
.response
.lanman
= sess
->old
.in
.password
;
200 user_info
->password
.response
.lanman
.data
= talloc_steal(user_info
, sess
->old
.in
.password
.data
);
201 user_info
->password
.response
.nt
= data_blob(NULL
, 0);
203 state
= talloc(req
, struct sesssetup_context
);
204 if (!state
) goto nomem
;
206 if (req
->smb_conn
->negotiate
.auth_context
) {
207 state
->auth_context
= req
->smb_conn
->negotiate
.auth_context
;
209 /* TODO: should we use just "anonymous" here? */
210 NTSTATUS status
= auth_context_create(state
,
211 req
->smb_conn
->connection
->event
.ctx
,
212 req
->smb_conn
->connection
->msg_ctx
,
213 req
->smb_conn
->lp_ctx
,
214 &state
->auth_context
);
215 if (!NT_STATUS_IS_OK(status
)) {
216 smbsrv_sesssetup_backend_send(req
, sess
, status
);
223 subreq
= auth_check_password_send(state
,
224 req
->smb_conn
->connection
->event
.ctx
,
225 req
->smb_conn
->negotiate
.auth_context
,
227 if (!subreq
) goto nomem
;
228 tevent_req_set_callback(subreq
, sesssetup_old_send
, state
);
232 smbsrv_sesssetup_backend_send(req
, sess
, NT_STATUS_NO_MEMORY
);
235 static void sesssetup_nt1_send(struct tevent_req
*subreq
)
237 struct sesssetup_context
*state
= tevent_req_callback_data(subreq
, struct sesssetup_context
);
238 struct smbsrv_request
*req
= state
->req
;
239 union smb_sesssetup
*sess
= talloc_get_type(req
->io_ptr
, union smb_sesssetup
);
240 struct auth_user_info_dc
*user_info_dc
= NULL
;
241 struct auth_session_info
*session_info
;
242 struct smbsrv_session
*smb_sess
;
243 uint8_t authoritative
= 0;
247 status
= auth_check_password_recv(subreq
, req
, &user_info_dc
,
250 if (!NT_STATUS_IS_OK(status
)) goto failed
;
252 flags
= AUTH_SESSION_INFO_DEFAULT_GROUPS
;
253 if (user_info_dc
->info
->authenticated
) {
254 flags
|= AUTH_SESSION_INFO_AUTHENTICATED
;
256 /* This references user_info_dc into session_info */
257 status
= state
->auth_context
->generate_session_info(state
->auth_context
,
263 if (!NT_STATUS_IS_OK(status
)) goto failed
;
265 /* allocate a new session */
266 smb_sess
= smbsrv_session_new(req
->smb_conn
, req
, NULL
);
268 status
= NT_STATUS_INSUFFICIENT_RESOURCES
;
272 smbsrv_not_spengo_sesssetup_authz_log(req
, session_info
);
274 /* Ensure this is marked as a 'real' vuid, not one
275 * simply valid for the session setup leg */
276 status
= smbsrv_session_sesssetup_finished(smb_sess
, session_info
);
277 if (!NT_STATUS_IS_OK(status
)) goto failed
;
279 /* To correctly process any AndX packet (like a tree connect)
280 * we need to fill in the session on the request here */
281 req
->session
= smb_sess
;
282 sess
->nt1
.out
.vuid
= smb_sess
->vuid
;
284 if (!smbsrv_setup_signing(req
->smb_conn
, &session_info
->session_key
, &sess
->nt1
.in
.password2
)) {
285 /* Already signing, or disabled */
290 status
= NT_STATUS_OK
;
292 status
= nt_status_squash(status
);
293 smbsrv_sesssetup_backend_send(req
, sess
, status
);
297 handler for NT1 style session setup
299 static void sesssetup_nt1(struct smbsrv_request
*req
, union smb_sesssetup
*sess
)
302 struct auth_usersupplied_info
*user_info
= NULL
;
303 struct tsocket_address
*remote_address
, *local_address
;
304 const char *remote_machine
= NULL
;
305 struct tevent_req
*subreq
;
306 struct sesssetup_context
*state
;
307 bool allow_raw
= lpcfg_raw_ntlmv2_auth(req
->smb_conn
->lp_ctx
);
309 sess
->nt1
.out
.vuid
= 0;
310 sess
->nt1
.out
.action
= 0;
312 sesssetup_common_strings(req
,
314 &sess
->nt1
.out
.lanman
,
315 &sess
->nt1
.out
.domain
);
317 if (!req
->smb_conn
->negotiate
.done_sesssetup
) {
318 req
->smb_conn
->negotiate
.max_send
= sess
->nt1
.in
.bufsize
;
319 req
->smb_conn
->negotiate
.client_caps
= sess
->nt1
.in
.capabilities
;
322 state
= talloc(req
, struct sesssetup_context
);
323 if (!state
) goto nomem
;
327 if (req
->smb_conn
->negotiate
.oid
) {
328 if (sess
->nt1
.in
.user
&& *sess
->nt1
.in
.user
) {
329 /* We can't accept a normal login, because we
330 * don't have a challenge */
331 status
= NT_STATUS_LOGON_FAILURE
;
335 /* TODO: should we use just "anonymous" here? */
336 status
= auth_context_create(state
,
337 req
->smb_conn
->connection
->event
.ctx
,
338 req
->smb_conn
->connection
->msg_ctx
,
339 req
->smb_conn
->lp_ctx
,
340 &state
->auth_context
);
341 if (!NT_STATUS_IS_OK(status
)) goto failed
;
342 } else if (req
->smb_conn
->negotiate
.auth_context
) {
343 state
->auth_context
= req
->smb_conn
->negotiate
.auth_context
;
345 /* TODO: should we use just "anonymous" here? */
346 status
= auth_context_create(state
,
347 req
->smb_conn
->connection
->event
.ctx
,
348 req
->smb_conn
->connection
->msg_ctx
,
349 req
->smb_conn
->lp_ctx
,
350 &state
->auth_context
);
351 if (!NT_STATUS_IS_OK(status
)) goto failed
;
354 if (req
->smb_conn
->negotiate
.calling_name
) {
355 remote_machine
= req
->smb_conn
->negotiate
.calling_name
->name
;
358 remote_address
= socket_get_remote_addr(req
->smb_conn
->connection
->socket
, req
);
359 if (!remote_address
) goto nomem
;
361 if (!remote_machine
) {
362 remote_machine
= tsocket_address_inet_addr_string(remote_address
, req
);
363 if (!remote_machine
) goto nomem
;
366 local_address
= socket_get_local_addr(req
->smb_conn
->connection
->socket
, req
);
367 if (!local_address
) goto nomem
;
369 user_info
= talloc_zero(req
, struct auth_usersupplied_info
);
370 if (!user_info
) goto nomem
;
372 user_info
->service_description
= "SMB";
373 user_info
->auth_description
= "bare-NTLM";
375 user_info
->mapped_state
= false;
376 user_info
->logon_parameters
= 0;
377 user_info
->flags
= 0;
378 user_info
->client
.account_name
= sess
->nt1
.in
.user
;
379 user_info
->client
.domain_name
= sess
->nt1
.in
.domain
;
380 user_info
->workstation_name
= remote_machine
;
381 user_info
->remote_host
= talloc_steal(user_info
, remote_address
);
382 user_info
->local_host
= talloc_steal(user_info
, local_address
);
384 user_info
->password_state
= AUTH_PASSWORD_RESPONSE
;
385 user_info
->password
.response
.lanman
= sess
->nt1
.in
.password1
;
386 user_info
->password
.response
.lanman
.data
= talloc_steal(user_info
, sess
->nt1
.in
.password1
.data
);
387 user_info
->password
.response
.nt
= sess
->nt1
.in
.password2
;
388 user_info
->password
.response
.nt
.data
= talloc_steal(user_info
, sess
->nt1
.in
.password2
.data
);
390 if (!allow_raw
&& user_info
->password
.response
.nt
.length
>= 48) {
392 * NTLMv2_RESPONSE has at least 48 bytes
393 * and should only be supported via NTLMSSP.
395 status
= NT_STATUS_INVALID_PARAMETER
;
399 subreq
= auth_check_password_send(state
,
400 req
->smb_conn
->connection
->event
.ctx
,
403 if (!subreq
) goto nomem
;
404 tevent_req_set_callback(subreq
, sesssetup_nt1_send
, state
);
409 status
= NT_STATUS_NO_MEMORY
;
411 status
= nt_status_squash(status
);
412 smbsrv_sesssetup_backend_send(req
, sess
, status
);
415 struct sesssetup_spnego_state
{
416 struct smbsrv_request
*req
;
417 union smb_sesssetup
*sess
;
418 struct smbsrv_session
*smb_sess
;
421 static void sesssetup_spnego_send(struct tevent_req
*subreq
)
423 struct sesssetup_spnego_state
*s
= tevent_req_callback_data(subreq
,
424 struct sesssetup_spnego_state
);
425 struct smbsrv_request
*req
= s
->req
;
426 union smb_sesssetup
*sess
= s
->sess
;
427 struct smbsrv_session
*smb_sess
= s
->smb_sess
;
428 struct auth_session_info
*session_info
= NULL
;
430 NTSTATUS skey_status
;
431 DATA_BLOB session_key
;
433 status
= gensec_update_recv(subreq
, req
, &sess
->spnego
.out
.secblob
);
434 packet_recv_enable(req
->smb_conn
->packet
);
436 if (NT_STATUS_EQUAL(status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)) {
438 } else if (!NT_STATUS_IS_OK(status
)) {
442 status
= gensec_session_info(smb_sess
->gensec_ctx
, smb_sess
, &session_info
);
443 if (!NT_STATUS_IS_OK(status
)) goto failed
;
445 /* The session_key is only needed until the end of the smbsrv_setup_signing() call */
446 skey_status
= gensec_session_key(smb_sess
->gensec_ctx
, req
, &session_key
);
447 if (NT_STATUS_IS_OK(skey_status
)) {
448 smbsrv_setup_signing(req
->smb_conn
, &session_key
, NULL
);
451 /* Ensure this is marked as a 'real' vuid, not one
452 * simply valid for the session setup leg */
453 status
= smbsrv_session_sesssetup_finished(smb_sess
, session_info
);
454 if (!NT_STATUS_IS_OK(status
)) goto failed
;
456 req
->session
= smb_sess
;
459 sess
->spnego
.out
.vuid
= smb_sess
->vuid
;
461 status
= nt_status_squash(status
);
462 smbsrv_sesssetup_backend_send(req
, sess
, status
);
463 if (!NT_STATUS_IS_OK(status
) &&
464 !NT_STATUS_EQUAL(status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)) {
465 talloc_free(smb_sess
);
470 handler for SPNEGO style session setup
472 static void sesssetup_spnego(struct smbsrv_request
*req
, union smb_sesssetup
*sess
)
475 struct smbsrv_session
*smb_sess
= NULL
;
476 bool is_smb_sess_new
= false;
477 struct sesssetup_spnego_state
*s
= NULL
;
479 struct tevent_req
*subreq
;
481 sess
->spnego
.out
.vuid
= 0;
482 sess
->spnego
.out
.action
= 0;
484 sesssetup_common_strings(req
,
485 &sess
->spnego
.out
.os
,
486 &sess
->spnego
.out
.lanman
,
487 &sess
->spnego
.out
.workgroup
);
489 if (!req
->smb_conn
->negotiate
.done_sesssetup
) {
490 req
->smb_conn
->negotiate
.max_send
= sess
->spnego
.in
.bufsize
;
491 req
->smb_conn
->negotiate
.client_caps
= sess
->spnego
.in
.capabilities
;
494 vuid
= SVAL(req
->in
.hdr
,HDR_UID
);
496 /* lookup an existing session */
498 struct gensec_security
*gensec_ctx
;
499 struct tsocket_address
*remote_address
, *local_address
;
500 status
= samba_server_gensec_start(req
,
501 req
->smb_conn
->connection
->event
.ctx
,
502 req
->smb_conn
->connection
->msg_ctx
,
503 req
->smb_conn
->lp_ctx
,
504 req
->smb_conn
->negotiate
.server_credentials
,
507 if (!NT_STATUS_IS_OK(status
)) {
508 DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status
)));
512 gensec_want_feature(gensec_ctx
, GENSEC_FEATURE_SESSION_KEY
);
514 remote_address
= socket_get_remote_addr(req
->smb_conn
->connection
->socket
,
516 if (!remote_address
) {
517 status
= NT_STATUS_INTERNAL_ERROR
;
518 DBG_ERR("Failed to obtain remote address");
522 status
= gensec_set_remote_address(gensec_ctx
,
524 if (!NT_STATUS_IS_OK(status
)) {
525 DBG_ERR("Failed to set remote address");
529 local_address
= socket_get_local_addr(req
->smb_conn
->connection
->socket
,
531 if (!local_address
) {
532 status
= NT_STATUS_INTERNAL_ERROR
;
533 DBG_ERR("Failed to obtain local address");
537 status
= gensec_set_local_address(gensec_ctx
,
539 if (!NT_STATUS_IS_OK(status
)) {
540 DBG_ERR("Failed to set local address");
544 status
= gensec_set_target_service_description(gensec_ctx
,
547 if (!NT_STATUS_IS_OK(status
)) {
548 DBG_ERR("Failed to set service description");
552 status
= gensec_start_mech_by_oid(gensec_ctx
, req
->smb_conn
->negotiate
.oid
);
553 if (!NT_STATUS_IS_OK(status
)) {
554 DEBUG(1, ("Failed to start GENSEC %s server code: %s\n",
555 gensec_get_name_by_oid(gensec_ctx
, req
->smb_conn
->negotiate
.oid
), nt_errstr(status
)));
559 /* allocate a new session */
560 smb_sess
= smbsrv_session_new(req
->smb_conn
, req
->smb_conn
, gensec_ctx
);
562 status
= NT_STATUS_INSUFFICIENT_RESOURCES
;
565 is_smb_sess_new
= true;
567 smb_sess
= smbsrv_session_find_sesssetup(req
->smb_conn
, vuid
);
571 status
= NT_STATUS_DOS(ERRSRV
, ERRbaduid
);
575 if (smb_sess
->session_info
) {
576 status
= NT_STATUS_INVALID_PARAMETER
;
580 if (!smb_sess
->gensec_ctx
) {
581 status
= NT_STATUS_INTERNAL_ERROR
;
582 DEBUG(1, ("Internal ERROR: no gensec_ctx on session: %s\n", nt_errstr(status
)));
586 s
= talloc(req
, struct sesssetup_spnego_state
);
590 s
->smb_sess
= smb_sess
;
592 subreq
= gensec_update_send(s
,
593 req
->smb_conn
->connection
->event
.ctx
,
594 smb_sess
->gensec_ctx
,
595 sess
->spnego
.in
.secblob
);
599 /* disable receipt of more packets on this socket until we've
600 finished with the session setup. This avoids a problem with
601 crashes if we get EOF on the socket while processing a session
603 packet_recv_disable(req
->smb_conn
->packet
);
604 tevent_req_set_callback(subreq
, sesssetup_spnego_send
, s
);
609 status
= NT_STATUS_NO_MEMORY
;
611 if (is_smb_sess_new
) {
612 talloc_free(smb_sess
);
614 status
= nt_status_squash(status
);
615 smbsrv_sesssetup_backend_send(req
, sess
, status
);
619 backend for sessionsetup call - this takes all 3 variants of the call
621 void smbsrv_sesssetup_backend(struct smbsrv_request
*req
,
622 union smb_sesssetup
*sess
)
624 switch (sess
->old
.level
) {
625 case RAW_SESSSETUP_OLD
:
626 sesssetup_old(req
, sess
);
629 case RAW_SESSSETUP_NT1
:
630 sesssetup_nt1(req
, sess
);
633 case RAW_SESSSETUP_SPNEGO
:
634 sesssetup_spnego(req
, sess
);
637 case RAW_SESSSETUP_SMB2
:
641 smbsrv_sesssetup_backend_send(req
, sess
, NT_STATUS_INVALID_LEVEL
);