2 Unix SMB/Netbios implementation.
4 handle NLTMSSP, client server side parsing
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005
8 Copyright (C) Stefan Metzmacher 2005
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "system/network.h"
26 #include "lib/tsocket/tsocket.h"
27 #include "auth/ntlmssp/ntlmssp.h"
28 #include "../librpc/gen_ndr/ndr_ntlmssp.h"
29 #include "auth/ntlmssp/ntlmssp_ndr.h"
30 #include "auth/ntlmssp/ntlmssp_private.h"
31 #include "../libcli/auth/libcli_auth.h"
32 #include "../lib/crypto/crypto.h"
33 #include "auth/gensec/gensec.h"
34 #include "auth/gensec/gensec_internal.h"
35 #include "auth/common_auth.h"
36 #include "param/param.h"
40 * Return the credentials of a logged on user, including session keys
43 * Only valid after a successful authentication
45 * May only be called once per authentication.
49 NTSTATUS
gensec_ntlmssp_session_info(struct gensec_security
*gensec_security
,
51 struct auth_session_info
**session_info
)
54 struct gensec_ntlmssp_context
*gensec_ntlmssp
=
55 talloc_get_type_abort(gensec_security
->private_data
,
56 struct gensec_ntlmssp_context
);
57 uint32_t session_info_flags
= 0;
59 if (gensec_security
->want_features
& GENSEC_FEATURE_UNIX_TOKEN
) {
60 session_info_flags
|= AUTH_SESSION_INFO_UNIX_TOKEN
;
63 session_info_flags
|= AUTH_SESSION_INFO_DEFAULT_GROUPS
;
65 if (gensec_security
->auth_context
&& gensec_security
->auth_context
->generate_session_info
) {
66 nt_status
= gensec_security
->auth_context
->generate_session_info(gensec_security
->auth_context
, mem_ctx
,
67 gensec_ntlmssp
->server_returned_info
,
68 gensec_ntlmssp
->ntlmssp_state
->user
,
72 DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));
73 return NT_STATUS_INTERNAL_ERROR
;
76 NT_STATUS_NOT_OK_RETURN(nt_status
);
78 nt_status
= gensec_ntlmssp_session_key(gensec_security
, *session_info
,
79 &(*session_info
)->session_key
);
80 if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_NO_USER_SESSION_KEY
)) {
81 (*session_info
)->session_key
= data_blob_null
;
82 nt_status
= NT_STATUS_OK
;
89 * Start NTLMSSP on the server side
92 NTSTATUS
gensec_ntlmssp_server_start(struct gensec_security
*gensec_security
)
95 struct ntlmssp_state
*ntlmssp_state
;
96 struct gensec_ntlmssp_context
*gensec_ntlmssp
;
97 const char *netbios_name
;
98 const char *netbios_domain
;
100 const char *dns_domain
;
102 nt_status
= gensec_ntlmssp_start(gensec_security
);
103 NT_STATUS_NOT_OK_RETURN(nt_status
);
106 talloc_get_type_abort(gensec_security
->private_data
,
107 struct gensec_ntlmssp_context
);
109 ntlmssp_state
= talloc_zero(gensec_ntlmssp
,
110 struct ntlmssp_state
);
111 if (!ntlmssp_state
) {
112 return NT_STATUS_NO_MEMORY
;
114 gensec_ntlmssp
->ntlmssp_state
= ntlmssp_state
;
116 ntlmssp_state
->role
= NTLMSSP_SERVER
;
118 ntlmssp_state
->expected_state
= NTLMSSP_NEGOTIATE
;
120 if (lpcfg_lanman_auth(gensec_security
->settings
->lp_ctx
) &&
121 gensec_setting_bool(gensec_security
->settings
,
122 "ntlmssp_server", "allow_lm_key", false))
124 ntlmssp_state
->allow_lm_key
= true;
127 ntlmssp_state
->neg_flags
=
128 NTLMSSP_NEGOTIATE_NTLM
| NTLMSSP_NEGOTIATE_VERSION
;
130 if (gensec_setting_bool(gensec_security
->settings
, "ntlmssp_server", "128bit", true)) {
131 ntlmssp_state
->neg_flags
|= NTLMSSP_NEGOTIATE_128
;
134 if (gensec_setting_bool(gensec_security
->settings
, "ntlmssp_server", "56bit", true)) {
135 ntlmssp_state
->neg_flags
|= NTLMSSP_NEGOTIATE_56
;
138 if (gensec_setting_bool(gensec_security
->settings
, "ntlmssp_server", "keyexchange", true)) {
139 ntlmssp_state
->neg_flags
|= NTLMSSP_NEGOTIATE_KEY_EXCH
;
142 if (gensec_setting_bool(gensec_security
->settings
, "ntlmssp_server", "alwayssign", true)) {
143 ntlmssp_state
->neg_flags
|= NTLMSSP_NEGOTIATE_ALWAYS_SIGN
;
146 if (gensec_setting_bool(gensec_security
->settings
, "ntlmssp_server", "ntlm2", true)) {
147 ntlmssp_state
->neg_flags
|= NTLMSSP_NEGOTIATE_NTLM2
;
150 if (gensec_security
->want_features
& GENSEC_FEATURE_SESSION_KEY
) {
151 ntlmssp_state
->neg_flags
|= NTLMSSP_NEGOTIATE_SIGN
;
153 if (gensec_security
->want_features
& GENSEC_FEATURE_SIGN
) {
154 ntlmssp_state
->neg_flags
|= NTLMSSP_NEGOTIATE_SIGN
;
156 if (gensec_security
->want_features
& GENSEC_FEATURE_SEAL
) {
157 ntlmssp_state
->neg_flags
|= NTLMSSP_NEGOTIATE_SIGN
;
158 ntlmssp_state
->neg_flags
|= NTLMSSP_NEGOTIATE_SEAL
;
161 if (lpcfg_server_role(gensec_security
->settings
->lp_ctx
) == ROLE_STANDALONE
) {
162 ntlmssp_state
->server
.is_standalone
= true;
164 ntlmssp_state
->server
.is_standalone
= false;
167 if (gensec_security
->settings
->server_netbios_name
) {
168 netbios_name
= gensec_security
->settings
->server_netbios_name
;
170 netbios_name
= lpcfg_netbios_name(gensec_security
->settings
->lp_ctx
);
173 if (gensec_security
->settings
->server_netbios_domain
) {
174 netbios_domain
= gensec_security
->settings
->server_netbios_domain
;
176 netbios_domain
= lpcfg_workgroup(gensec_security
->settings
->lp_ctx
);
179 if (gensec_security
->settings
->server_dns_name
) {
180 dns_name
= gensec_security
->settings
->server_dns_name
;
182 const char *dnsdomain
= lpcfg_dnsdomain(gensec_security
->settings
->lp_ctx
);
183 char *lower_netbiosname
;
185 lower_netbiosname
= strlower_talloc(ntlmssp_state
, netbios_name
);
186 NT_STATUS_HAVE_NO_MEMORY(lower_netbiosname
);
188 /* Find out the DNS host name */
189 if (dnsdomain
&& dnsdomain
[0] != '\0') {
190 dns_name
= talloc_asprintf(ntlmssp_state
, "%s.%s",
193 talloc_free(lower_netbiosname
);
194 NT_STATUS_HAVE_NO_MEMORY(dns_name
);
196 dns_name
= lower_netbiosname
;
200 if (gensec_security
->settings
->server_dns_domain
) {
201 dns_domain
= gensec_security
->settings
->server_dns_domain
;
203 dns_domain
= lpcfg_dnsdomain(gensec_security
->settings
->lp_ctx
);
206 ntlmssp_state
->server
.netbios_name
= talloc_strdup(ntlmssp_state
, netbios_name
);
207 NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state
->server
.netbios_name
);
209 ntlmssp_state
->server
.netbios_domain
= talloc_strdup(ntlmssp_state
, netbios_domain
);
210 NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state
->server
.netbios_domain
);
212 ntlmssp_state
->server
.dns_name
= talloc_strdup(ntlmssp_state
, dns_name
);
213 NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state
->server
.dns_name
);
215 ntlmssp_state
->server
.dns_domain
= talloc_strdup(ntlmssp_state
, dns_domain
);
216 NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state
->server
.dns_domain
);