search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
smbd: Fix cached dos attributes
[Samba.git] / source3 / winbindd / winbindd_ccache_access.c
blob36e7ab0c89038f15ea5ab409509cba5a4828ae6b
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon - cached credentials functions
5
6 Copyright (C) Robert O'Callahan 2006
7 Copyright (C) Jeremy Allison 2006 (minor fixes to fit into Samba and
8 protect against integer wrap).
9 Copyright (C) Andrew Bartlett 2011
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 */
24
25 #include "includes.h"
26 #include "winbindd.h"
27 #include "auth/gensec/gensec.h"
28 #include "auth_generic.h"
29 #include "lib/util/string_wrappers.h"
30
31 #undef DBGC_CLASS
32 #define DBGC_CLASS DBGC_WINBIND
33
34 static bool client_can_access_ccache_entry(uid_t client_uid,
35 struct WINBINDD_MEMORY_CREDS *entry)
36 {
37 if (client_uid == entry->uid || client_uid == 0) {
38 DEBUG(10, ("Access granted to uid %u\n", (unsigned int)client_uid));
39 return True;
40 }
41
42 DEBUG(1, ("Access denied to uid %u (expected %u)\n",
43 (unsigned int)client_uid, (unsigned int)entry->uid));
44 return False;
45 }
46
47 static NTSTATUS do_ntlm_auth_with_stored_pw(const char *namespace,
48 const char *domain,
49 const char *username,
50 const char *password,
51 const DATA_BLOB initial_msg,
52 const DATA_BLOB challenge_msg,
53 TALLOC_CTX *mem_ctx,
54 DATA_BLOB *auth_msg,
55 uint8_t session_key[16],
56 uint8_t *new_spnego)
57 {
58 NTSTATUS status;
59 struct auth_generic_state *auth_generic_state = NULL;
60 DATA_BLOB reply, session_key_blob;
61
62 status = auth_generic_client_prepare(mem_ctx, &auth_generic_state);
63
64 if (!NT_STATUS_IS_OK(status)) {
65 DEBUG(1, ("Could not start NTLMSSP client: %s\n",
66 nt_errstr(status)));
67 goto done;
68 }
69
70 status = auth_generic_set_username(auth_generic_state, username);
71
72 if (!NT_STATUS_IS_OK(status)) {
73 DEBUG(1, ("Could not set username: %s\n",
74 nt_errstr(status)));
75 goto done;
76 }
77
78 status = auth_generic_set_domain(auth_generic_state, domain);
79
80 if (!NT_STATUS_IS_OK(status)) {
81 DEBUG(1, ("Could not set domain: %s\n",
82 nt_errstr(status)));
83 goto done;
84 }
85
86 status = auth_generic_set_password(auth_generic_state, password);
87
88 if (!NT_STATUS_IS_OK(status)) {
89 DEBUG(1, ("Could not set password: %s\n",
90 nt_errstr(status)));
91 goto done;
92 }
93
94 if (initial_msg.length == 0) {
95 gensec_want_feature(auth_generic_state->gensec_security,
96 GENSEC_FEATURE_SESSION_KEY);
97 }
98
99 status = auth_generic_client_start_by_name(auth_generic_state,
100 "ntlmssp_resume_ccache");
101 if (!NT_STATUS_IS_OK(status)) {
102 DEBUG(1, ("Could not start NTLMSSP resume mech: %s\n",
103 nt_errstr(status)));
104 goto done;
105 }
106
107 /*
108 * We inject the initial NEGOTIATE message our caller used
109 * in order to get the state machine into the correct position.
110 */
111 reply = data_blob_null;
112 status = gensec_update(auth_generic_state->gensec_security,
113 talloc_tos(), initial_msg, &reply);
114 data_blob_free(&reply);
115
116 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
117 DEBUG(1, ("Failed to create initial message! [%s]\n",
118 nt_errstr(status)));
119 goto done;
120 }
121
122 /* Now we are ready to handle the server's actual response. */
123 status = gensec_update(auth_generic_state->gensec_security,
124 mem_ctx, challenge_msg, &reply);
125 if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
126 DEBUG(1, ("We didn't get a response to the challenge! [%s]\n",
127 nt_errstr(status)));
128 data_blob_free(&reply);
129 goto done;
130 }
131
132 status = gensec_session_key(auth_generic_state->gensec_security,
133 talloc_tos(), &session_key_blob);
134 if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
135 DEBUG(1, ("We didn't get the session key we requested! [%s]\n",
136 nt_errstr(status)));
137 data_blob_free(&reply);
138 goto done;
139 }
140
141 if (session_key_blob.length != 16) {
142 DEBUG(1, ("invalid session key length %d\n",
143 (int)session_key_blob.length));
144 data_blob_free(&reply);
145 goto done;
146 }
147 memcpy(session_key, session_key_blob.data, 16);
148 data_blob_free(&session_key_blob);
149 *auth_msg = reply;
150 *new_spnego = gensec_have_feature(auth_generic_state->gensec_security,
151 GENSEC_FEATURE_NEW_SPNEGO);
152 status = NT_STATUS_OK;
153
154 done:
155 TALLOC_FREE(auth_generic_state);
156 return status;
157 }
158
159 static bool check_client_uid(struct winbindd_cli_state *state, uid_t uid)
160 {
161 int ret;
162 uid_t ret_uid;
163 gid_t ret_gid;
164
165 ret_uid = (uid_t)-1;
166
167 ret = getpeereid(state->sock, &ret_uid, &ret_gid);
168 if (ret != 0) {
169 DEBUG(1, ("check_client_uid: Could not get socket peer uid: %s; "
170 "denying access\n", strerror(errno)));
171 return False;
172 }
173
174 if (uid != ret_uid && ret_uid != sec_initial_uid()) {
175 DEBUG(1, ("check_client_uid: Client lied about its uid: said %u, "
176 "actually was %u; denying access\n",
177 (unsigned int)uid, (unsigned int)ret_uid));
178 return False;
179 }
180
181 return True;
182 }
183
184 bool winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state)
185 {
186 struct winbindd_domain *domain;
187 char *name_namespace = NULL;
188 char *name_domain = NULL;
189 char *name_user = NULL;
190 char *auth_user = NULL;
191 NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
192 struct WINBINDD_MEMORY_CREDS *entry;
193 DATA_BLOB initial, challenge, auth;
194 uint32_t initial_blob_len, challenge_blob_len, extra_len;
195 bool ok;
196
197 /* Ensure null termination */
198 state->request->data.ccache_ntlm_auth.user[
199 sizeof(state->request->data.ccache_ntlm_auth.user)-1]='\0';
200
201 DEBUG(3, ("[%5lu]: perform NTLM auth on behalf of user %s\n", (unsigned long)state->pid,
202 state->request->data.ccache_ntlm_auth.user));
203
204 /* Parse domain and username */
205
206 auth_user = state->request->data.ccache_ntlm_auth.user;
207 ok = canonicalize_username(state,
208 &auth_user,
209 &name_namespace,
210 &name_domain,
211 &name_user);
212 if (!ok) {
213 DBG_INFO("cannot parse domain and user from name [%s]\n",
214 state->request->data.ccache_ntlm_auth.user);
215 return false;
216 }
217
218 fstrcpy(state->request->data.ccache_ntlm_auth.user, auth_user);
219 TALLOC_FREE(auth_user);
220
221 domain = find_auth_domain(state->request->flags, name_domain);
222
223 if (domain == NULL) {
224 DBG_INFO("can't get domain [%s]\n", name_domain);
225 return false;
226 }
227
228 if (!check_client_uid(state, state->request->data.ccache_ntlm_auth.uid)) {
229 return false;
230 }
231
232 /* validate blob lengths */
233 initial_blob_len = state->request->data.ccache_ntlm_auth.initial_blob_len;
234 challenge_blob_len = state->request->data.ccache_ntlm_auth.challenge_blob_len;
235 extra_len = state->request->extra_len;
236
237 if (initial_blob_len > extra_len || challenge_blob_len > extra_len ||
238 initial_blob_len + challenge_blob_len > extra_len ||
239 initial_blob_len + challenge_blob_len < initial_blob_len ||
240 initial_blob_len + challenge_blob_len < challenge_blob_len) {
241
242 DBG_DEBUG("blob lengths overrun "
243 "or wrap. Buffer [%d+%d > %d]\n",
244 initial_blob_len,
245 challenge_blob_len,
246 extra_len);
247 goto process_result;
248 }
249
250 TALLOC_FREE(name_namespace);
251 TALLOC_FREE(name_domain);
252 TALLOC_FREE(name_user);
253 /* Parse domain and username */
254 ok = parse_domain_user(state,
255 state->request->data.ccache_ntlm_auth.user,
256 &name_namespace,
257 &name_domain,
258 &name_user);
259 if (!ok) {
260 DBG_DEBUG("cannot parse domain and user from name [%s]\n",
261 state->request->data.ccache_ntlm_auth.user);
262 goto process_result;
263 }
264
265 entry = find_memory_creds_by_name(state->request->data.ccache_ntlm_auth.user);
266 if (entry == NULL || entry->nt_hash == NULL || entry->lm_hash == NULL) {
267 DBG_DEBUG("could not find credentials for user %s\n",
268 state->request->data.ccache_ntlm_auth.user);
269 goto process_result;
270 }
271
272 DBG_DEBUG("found ccache [%s]\n", entry->username);
273
274 if (!client_can_access_ccache_entry(state->request->data.ccache_ntlm_auth.uid, entry)) {
275 goto process_result;
276 }
277
278 if (initial_blob_len == 0 && challenge_blob_len == 0) {
279 /* this is just a probe to see if credentials are available. */
280 result = NT_STATUS_OK;
281 state->response->data.ccache_ntlm_auth.auth_blob_len = 0;
282 goto process_result;
283 }
284
285 initial = data_blob_const(state->request->extra_data.data,
286 initial_blob_len);
287 challenge = data_blob_const(
288 state->request->extra_data.data + initial_blob_len,
289 state->request->data.ccache_ntlm_auth.challenge_blob_len);
290
291 result = do_ntlm_auth_with_stored_pw(
292 name_namespace,
293 name_domain,
294 name_user,
295 entry->pass,
296 initial,
297 challenge,
298 talloc_tos(),
299 &auth,
300 state->response->data.ccache_ntlm_auth.session_key,
301 &state->response->data.ccache_ntlm_auth.new_spnego);
302
303 if (!NT_STATUS_IS_OK(result)) {
304 goto process_result;
305 }
306
307 state->response->extra_data.data = talloc_memdup(
308 state->mem_ctx, auth.data, auth.length);
309 if (!state->response->extra_data.data) {
310 result = NT_STATUS_NO_MEMORY;
311 goto process_result;
312 }
313 state->response->length += auth.length;
314 state->response->data.ccache_ntlm_auth.auth_blob_len = auth.length;
315
316 data_blob_free(&auth);
317
318 process_result:
319 TALLOC_FREE(name_namespace);
320 TALLOC_FREE(name_domain);
321 TALLOC_FREE(name_user);
322 return NT_STATUS_IS_OK(result);
323 }
324
325 bool winbindd_ccache_save(struct winbindd_cli_state *state)
326 {
327 struct winbindd_domain *domain;
328 char *name_namespace = NULL;
329 char *name_domain = NULL;
330 char *name_user = NULL;
331 char *save_user = NULL;
332 NTSTATUS status;
333 bool ok;
334
335 /* Ensure null termination */
336 state->request->data.ccache_save.user[
337 sizeof(state->request->data.ccache_save.user)-1]='\0';
338 state->request->data.ccache_save.pass[
339 sizeof(state->request->data.ccache_save.pass)-1]='\0';
340
341 DEBUG(3, ("[%5lu]: save password of user %s\n",
342 (unsigned long)state->pid,
343 state->request->data.ccache_save.user));
344
345 /* Parse domain and username */
346
347
348 save_user = state->request->data.ccache_save.user;
349 ok = canonicalize_username(state,
350 &save_user,
351 &name_namespace,
352 &name_domain,
353 &name_user);
354 if (!ok) {
355 DEBUG(5,("winbindd_ccache_save: cannot parse domain and user "
356 "from name [%s]\n",
357 state->request->data.ccache_save.user));
358 return false;
359 }
360
361 fstrcpy(state->request->data.ccache_save.user, save_user);
362
363 /*
364 * The domain is checked here only for compatibility
365 * reasons. We used to do the winbindd memory ccache for
366 * ntlm_auth in the domain child. With that code, we had to
367 * make sure that we do have a domain around to send this
368 * to. Now we do the memory cache in the parent winbindd,
369 * where it would not matter if we have a domain or not.
370 */
371
372 domain = find_auth_domain(state->request->flags, name_domain);
373 if (domain == NULL) {
374 DEBUG(5, ("winbindd_ccache_save: can't get domain [%s]\n",
375 name_domain));
376 return false;
377 }
378
379 if (!check_client_uid(state, state->request->data.ccache_save.uid)) {
380 return false;
381 }
382
383 status = winbindd_add_memory_creds(
384 state->request->data.ccache_save.user,
385 state->request->data.ccache_save.uid,
386 state->request->data.ccache_save.pass);
387
388 if (!NT_STATUS_IS_OK(status)) {
389 DEBUG(1, ("winbindd_add_memory_creds failed %s\n",
390 nt_errstr(status)));
391 return false;
392 }
393 return true;
394 }
Samba GIT mirror