search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4/test: Run DrsDeleteObjectTestCase as part of S4 testing
[Samba.git] / source3 / auth / auth_ntlmssp.c
blobdf4666aaeee71be3ee108ae15decc853b0fe85c4
1 /*
2 Unix SMB/Netbios implementation.
3 Version 3.0
4 handle NLTMSSP, server side
5
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett 2001-2003
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "../libcli/auth/ntlmssp.h"
25
26 struct auth_ntlmssp_state {
27 TALLOC_CTX *mem_ctx;
28 struct auth_context *auth_context;
29 struct auth_serversupplied_info *server_info;
30 struct ntlmssp_state *ntlmssp_state;
31 };
32
33 NTSTATUS auth_ntlmssp_sign_packet(struct auth_ntlmssp_state *auth_ntlmssp_state,
34 TALLOC_CTX *sig_mem_ctx,
35 const uint8_t *data, size_t length,
36 const uint8_t *whole_pdu, size_t pdu_length,
37 DATA_BLOB *sig)
38 {
39 return ntlmssp_sign_packet(auth_ntlmssp_state->ntlmssp_state, sig_mem_ctx, data, length, whole_pdu, pdu_length, sig);
40 }
41
42 NTSTATUS auth_ntlmssp_check_packet(struct auth_ntlmssp_state *auth_ntlmssp_state,
43 const uint8_t *data, size_t length,
44 const uint8_t *whole_pdu, size_t pdu_length,
45 const DATA_BLOB *sig)
46 {
47 return ntlmssp_check_packet(auth_ntlmssp_state->ntlmssp_state, data, length, whole_pdu, pdu_length, sig);
48 }
49
50 NTSTATUS auth_ntlmssp_seal_packet(struct auth_ntlmssp_state *auth_ntlmssp_state,
51 TALLOC_CTX *sig_mem_ctx,
52 uint8_t *data, size_t length,
53 const uint8_t *whole_pdu, size_t pdu_length,
54 DATA_BLOB *sig)
55 {
56 return ntlmssp_seal_packet(auth_ntlmssp_state->ntlmssp_state, sig_mem_ctx, data, length, whole_pdu, pdu_length, sig);
57 }
58
59 NTSTATUS auth_ntlmssp_unseal_packet(struct auth_ntlmssp_state *auth_ntlmssp_state,
60 uint8_t *data, size_t length,
61 const uint8_t *whole_pdu, size_t pdu_length,
62 const DATA_BLOB *sig)
63 {
64 return ntlmssp_unseal_packet(auth_ntlmssp_state->ntlmssp_state, data, length, whole_pdu, pdu_length, sig);
65 }
66
67 bool auth_ntlmssp_negotiated_sign(struct auth_ntlmssp_state *auth_ntlmssp_state)
68 {
69 return auth_ntlmssp_state->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN;
70 }
71
72 bool auth_ntlmssp_negotiated_seal(struct auth_ntlmssp_state *auth_ntlmssp_state)
73 {
74 return auth_ntlmssp_state->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL;
75 }
76
77 void auth_ntlmssp_want_sign(struct auth_ntlmssp_state *auth_ntlmssp_state)
78 {
79
80 }
81
82 void auth_ntlmssp_want_seal(struct auth_ntlmssp_state *auth_ntlmssp_state)
83 {
84
85 }
86
87 struct auth_serversupplied_info *auth_ntlmssp_server_info(TALLOC_CTX *mem_ctx,
88 struct auth_ntlmssp_state *auth_ntlmssp_state)
89 {
90 struct auth_serversupplied_info *server_info = auth_ntlmssp_state->server_info;
91 data_blob_free(&server_info->user_session_key);
92 server_info->user_session_key =
93 data_blob_talloc(
94 server_info,
95 auth_ntlmssp_state->ntlmssp_state->session_key.data,
96 auth_ntlmssp_state->ntlmssp_state->session_key.length);
97 if (auth_ntlmssp_state->ntlmssp_state->session_key.length && !server_info->user_session_key.data) {
98 return NULL;
99 }
100 auth_ntlmssp_state->server_info = NULL;
101 return talloc_steal(mem_ctx, server_info);
102 }
103
104 struct ntlmssp_state *auth_ntlmssp_get_ntlmssp_state(struct auth_ntlmssp_state *auth_ntlmssp_state)
105 {
106 return auth_ntlmssp_state->ntlmssp_state;
107 }
108
109 /* Needed for 'map to guest' and 'smb username' processing */
110 const char *auth_ntlmssp_get_username(struct auth_ntlmssp_state *auth_ntlmssp_state)
111 {
112 return auth_ntlmssp_state->ntlmssp_state->user;
113 }
114
115 const char *auth_ntlmssp_get_domain(struct auth_ntlmssp_state *auth_ntlmssp_state)
116 {
117 return auth_ntlmssp_state->ntlmssp_state->domain;
118 }
119
120 const char *auth_ntlmssp_get_client(struct auth_ntlmssp_state *auth_ntlmssp_state)
121 {
122 return auth_ntlmssp_state->ntlmssp_state->client.netbios_name;
123 }
124
125 /**
126 * Return the challenge as determined by the authentication subsystem
127 * @return an 8 byte random challenge
128 */
129
130 static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
131 uint8_t chal[8])
132 {
133 struct auth_ntlmssp_state *auth_ntlmssp_state =
134 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
135 auth_ntlmssp_state->auth_context->get_ntlm_challenge(
136 auth_ntlmssp_state->auth_context, chal);
137 return NT_STATUS_OK;
138 }
139
140 /**
141 * Some authentication methods 'fix' the challenge, so we may not be able to set it
142 *
143 * @return If the effective challenge used by the auth subsystem may be modified
144 */
145 static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
146 {
147 struct auth_ntlmssp_state *auth_ntlmssp_state =
148 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
149 struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
150
151 return auth_context->challenge_may_be_modified;
152 }
153
154 /**
155 * NTLM2 authentication modifies the effective challenge,
156 * @param challenge The new challenge value
157 */
158 static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
159 {
160 struct auth_ntlmssp_state *auth_ntlmssp_state =
161 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
162 struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
163
164 SMB_ASSERT(challenge->length == 8);
165
166 auth_context->challenge = data_blob_talloc(auth_context,
167 challenge->data, challenge->length);
168
169 auth_context->challenge_set_by = "NTLMSSP callback (NTLM2)";
170
171 DEBUG(5, ("auth_context challenge set by %s\n", auth_context->challenge_set_by));
172 DEBUG(5, ("challenge is: \n"));
173 dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
174 return NT_STATUS_OK;
175 }
176
177 /**
178 * Check the password on an NTLMSSP login.
179 *
180 * Return the session keys used on the connection.
181 */
182
183 static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
184 {
185 struct auth_ntlmssp_state *auth_ntlmssp_state =
186 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
187 struct auth_usersupplied_info *user_info = NULL;
188 NTSTATUS nt_status;
189 bool username_was_mapped;
190
191 /* the client has given us its machine name (which we otherwise would not get on port 445).
192 we need to possibly reload smb.conf if smb.conf includes depend on the machine name */
193
194 set_remote_machine_name(auth_ntlmssp_state->ntlmssp_state->client.netbios_name, True);
195
196 /* setup the string used by %U */
197 /* sub_set_smb_name checks for weird internally */
198 sub_set_smb_name(auth_ntlmssp_state->ntlmssp_state->user);
199
200 reload_services(True);
201
202 nt_status = make_user_info_map(&user_info,
203 auth_ntlmssp_state->ntlmssp_state->user,
204 auth_ntlmssp_state->ntlmssp_state->domain,
205 auth_ntlmssp_state->ntlmssp_state->client.netbios_name,
206 auth_ntlmssp_state->ntlmssp_state->lm_resp.data ? &auth_ntlmssp_state->ntlmssp_state->lm_resp : NULL,
207 auth_ntlmssp_state->ntlmssp_state->nt_resp.data ? &auth_ntlmssp_state->ntlmssp_state->nt_resp : NULL,
208 NULL, NULL, NULL,
209 True);
210
211 user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
212
213 if (!NT_STATUS_IS_OK(nt_status)) {
214 return nt_status;
215 }
216
217 nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context,
218 user_info, &auth_ntlmssp_state->server_info);
219
220 username_was_mapped = user_info->was_mapped;
221
222 free_user_info(&user_info);
223
224 if (!NT_STATUS_IS_OK(nt_status)) {
225 return nt_status;
226 }
227
228 auth_ntlmssp_state->server_info->nss_token |= username_was_mapped;
229
230 nt_status = create_local_token(auth_ntlmssp_state->server_info);
231
232 if (!NT_STATUS_IS_OK(nt_status)) {
233 DEBUG(10, ("create_local_token failed: %s\n",
234 nt_errstr(nt_status)));
235 return nt_status;
236 }
237
238 if (auth_ntlmssp_state->server_info->user_session_key.length) {
239 DEBUG(10, ("Got NT session key of length %u\n",
240 (unsigned int)auth_ntlmssp_state->server_info->user_session_key.length));
241 *user_session_key = data_blob_talloc(auth_ntlmssp_state->mem_ctx,
242 auth_ntlmssp_state->server_info->user_session_key.data,
243 auth_ntlmssp_state->server_info->user_session_key.length);
244 }
245 if (auth_ntlmssp_state->server_info->lm_session_key.length) {
246 DEBUG(10, ("Got LM session key of length %u\n",
247 (unsigned int)auth_ntlmssp_state->server_info->lm_session_key.length));
248 *lm_session_key = data_blob_talloc(auth_ntlmssp_state->mem_ctx,
249 auth_ntlmssp_state->server_info->lm_session_key.data,
250 auth_ntlmssp_state->server_info->lm_session_key.length);
251 }
252 return nt_status;
253 }
254
255 NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state **auth_ntlmssp_state)
256 {
257 NTSTATUS nt_status;
258 TALLOC_CTX *mem_ctx;
259 bool is_standalone;
260 const char *netbios_name;
261 const char *netbios_domain;
262 const char *dns_name;
263 char *dns_domain;
264
265 if ((enum server_types)lp_server_role() == ROLE_STANDALONE) {
266 is_standalone = true;
267 } else {
268 is_standalone = false;
269 }
270
271 netbios_name = global_myname();
272 netbios_domain = lp_workgroup();
273 /* This should be a 'netbios domain -> DNS domain' mapping */
274 dns_domain = get_mydnsdomname(talloc_tos());
275 if (dns_domain) {
276 strlower_m(dns_domain);
277 }
278 dns_name = get_mydnsfullname();
279
280 mem_ctx = talloc_init("AUTH NTLMSSP context");
281
282 *auth_ntlmssp_state = TALLOC_ZERO_P(mem_ctx, struct auth_ntlmssp_state);
283 if (!*auth_ntlmssp_state) {
284 DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
285 talloc_destroy(mem_ctx);
286 return NT_STATUS_NO_MEMORY;
287 }
288
289 ZERO_STRUCTP(*auth_ntlmssp_state);
290
291 (*auth_ntlmssp_state)->mem_ctx = mem_ctx;
292
293 nt_status = ntlmssp_server_start(NULL,
294 is_standalone,
295 netbios_name,
296 netbios_domain,
297 dns_name,
298 dns_domain,
299 &(*auth_ntlmssp_state)->ntlmssp_state);
300 if (!NT_STATUS_IS_OK(nt_status)) {
301 return nt_status;
302 }
303
304 if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(&(*auth_ntlmssp_state)->auth_context))) {
305 return nt_status;
306 }
307
308 (*auth_ntlmssp_state)->ntlmssp_state->callback_private = (*auth_ntlmssp_state);
309 (*auth_ntlmssp_state)->ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
310 (*auth_ntlmssp_state)->ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
311 (*auth_ntlmssp_state)->ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
312 (*auth_ntlmssp_state)->ntlmssp_state->check_password = auth_ntlmssp_check_password;
313
314 return NT_STATUS_OK;
315 }
316
317 void auth_ntlmssp_end(struct auth_ntlmssp_state **auth_ntlmssp_state)
318 {
319 TALLOC_CTX *mem_ctx;
320
321 if (*auth_ntlmssp_state == NULL) {
322 return;
323 }
324
325 mem_ctx = (*auth_ntlmssp_state)->mem_ctx;
326 if ((*auth_ntlmssp_state)->ntlmssp_state) {
327 ntlmssp_end(&(*auth_ntlmssp_state)->ntlmssp_state);
328 }
329 if ((*auth_ntlmssp_state)->auth_context) {
330 ((*auth_ntlmssp_state)->auth_context->free)(&(*auth_ntlmssp_state)->auth_context);
331 }
332 if ((*auth_ntlmssp_state)->server_info) {
333 TALLOC_FREE((*auth_ntlmssp_state)->server_info);
334 }
335 talloc_destroy(mem_ctx);
336 *auth_ntlmssp_state = NULL;
337 }
338
339 NTSTATUS auth_ntlmssp_update(struct auth_ntlmssp_state *auth_ntlmssp_state,
340 const DATA_BLOB request, DATA_BLOB *reply)
341 {
342 return ntlmssp_update(auth_ntlmssp_state->ntlmssp_state, request, reply);
343 }
Samba GIT mirror