2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001-2010
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Stefan Metzmacher 2005
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "libcli/security/security.h"
26 #include "auth/credentials/credentials.h"
27 #include "param/param.h"
28 #include "auth/auth.h" /* for auth_user_info_dc */
29 #include "auth/session.h"
30 #include "auth/system_session_proto.h"
33 #define DBGC_CLASS DBGC_AUTH
36 prevent the static system session being freed
38 static int system_session_destructor(struct auth_session_info
*info
)
43 /* Create a security token for a session SYSTEM (the most
44 * trusted/privileged account), including the local machine account as
45 * the off-host credentials
47 _PUBLIC_
struct auth_session_info
*system_session(struct loadparm_context
*lp_ctx
)
49 static struct auth_session_info
*static_session
;
53 return static_session
;
57 * Use NULL here, not the autofree context for this
58 * static pointer. The destructor prevents freeing this
61 nt_status
= auth_system_session_info(NULL
,
64 if (!NT_STATUS_IS_OK(nt_status
)) {
65 TALLOC_FREE(static_session
);
68 talloc_set_destructor(static_session
, system_session_destructor
);
69 return static_session
;
72 NTSTATUS
auth_system_session_info(TALLOC_CTX
*parent_ctx
,
73 struct loadparm_context
*lp_ctx
,
74 struct auth_session_info
**_session_info
)
77 struct auth_user_info_dc
*user_info_dc
= NULL
;
78 struct auth_session_info
*session_info
= NULL
;
79 TALLOC_CTX
*mem_ctx
= NULL
;
82 mem_ctx
= talloc_new(parent_ctx
);
83 if (mem_ctx
== NULL
) {
84 return NT_STATUS_NO_MEMORY
;
87 nt_status
= auth_system_user_info_dc(mem_ctx
, lpcfg_netbios_name(lp_ctx
),
89 if (!NT_STATUS_IS_OK(nt_status
)) {
94 /* references the user_info_dc into the session_info */
95 nt_status
= auth_generate_session_info(parent_ctx
, NULL
, NULL
, user_info_dc
, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES
, &session_info
);
98 NT_STATUS_NOT_OK_RETURN(nt_status
);
100 session_info
->credentials
= cli_credentials_init(session_info
);
101 if (!session_info
->credentials
) {
102 return NT_STATUS_NO_MEMORY
;
105 ok
= cli_credentials_set_conf(session_info
->credentials
, lp_ctx
);
107 return NT_STATUS_INTERNAL_ERROR
;
110 cli_credentials_set_machine_account_pending(session_info
->credentials
, lp_ctx
);
111 *_session_info
= session_info
;
116 NTSTATUS
auth_system_user_info_dc(TALLOC_CTX
*mem_ctx
, const char *netbios_name
,
117 struct auth_user_info_dc
**_user_info_dc
)
119 struct auth_user_info_dc
*user_info_dc
;
120 struct auth_user_info
*info
;
122 user_info_dc
= talloc_zero(mem_ctx
, struct auth_user_info_dc
);
123 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
);
125 /* This returns a pointer to a struct dom_sid, which is the
126 * same as a 1 element list of struct dom_sid */
127 user_info_dc
->num_sids
= 1;
128 user_info_dc
->sids
= dom_sid_dup(user_info_dc
, &global_sid_System
);
129 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
->sids
);
131 /* annoying, but the Anonymous really does have a session key,
132 and it is all zeros! */
133 user_info_dc
->user_session_key
= data_blob_talloc(user_info_dc
, NULL
, 16);
134 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
->user_session_key
.data
);
136 user_info_dc
->lm_session_key
= data_blob_talloc(user_info_dc
, NULL
, 16);
137 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
->lm_session_key
.data
);
139 data_blob_clear(&user_info_dc
->user_session_key
);
140 data_blob_clear(&user_info_dc
->lm_session_key
);
142 user_info_dc
->info
= info
= talloc_zero(user_info_dc
, struct auth_user_info
);
143 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
->info
);
145 info
->account_name
= talloc_strdup(info
, "SYSTEM");
146 NT_STATUS_HAVE_NO_MEMORY(info
->account_name
);
148 info
->domain_name
= talloc_strdup(info
, "NT AUTHORITY");
149 NT_STATUS_HAVE_NO_MEMORY(info
->domain_name
);
151 info
->full_name
= talloc_strdup(info
, "System");
152 NT_STATUS_HAVE_NO_MEMORY(info
->full_name
);
154 info
->logon_script
= talloc_strdup(info
, "");
155 NT_STATUS_HAVE_NO_MEMORY(info
->logon_script
);
157 info
->profile_path
= talloc_strdup(info
, "");
158 NT_STATUS_HAVE_NO_MEMORY(info
->profile_path
);
160 info
->home_directory
= talloc_strdup(info
, "");
161 NT_STATUS_HAVE_NO_MEMORY(info
->home_directory
);
163 info
->home_drive
= talloc_strdup(info
, "");
164 NT_STATUS_HAVE_NO_MEMORY(info
->home_drive
);
166 info
->logon_server
= talloc_strdup(info
, netbios_name
);
167 NT_STATUS_HAVE_NO_MEMORY(info
->logon_server
);
169 info
->last_logon
= 0;
170 info
->last_logoff
= 0;
171 info
->acct_expiry
= 0;
172 info
->last_password_change
= 0;
173 info
->allow_password_change
= 0;
174 info
->force_password_change
= 0;
176 info
->logon_count
= 0;
177 info
->bad_password_count
= 0;
179 info
->acct_flags
= ACB_NORMAL
;
181 info
->authenticated
= true;
183 *_user_info_dc
= user_info_dc
;
189 static NTSTATUS
auth_domain_admin_user_info_dc(TALLOC_CTX
*mem_ctx
,
190 const char *netbios_name
,
191 const char *domain_name
,
192 struct dom_sid
*domain_sid
,
193 struct auth_user_info_dc
**_user_info_dc
)
195 struct auth_user_info_dc
*user_info_dc
;
196 struct auth_user_info
*info
;
198 user_info_dc
= talloc_zero(mem_ctx
, struct auth_user_info_dc
);
199 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
);
201 user_info_dc
->num_sids
= 7;
202 user_info_dc
->sids
= talloc_array(user_info_dc
, struct dom_sid
, user_info_dc
->num_sids
);
204 user_info_dc
->sids
[PRIMARY_USER_SID_INDEX
] = *domain_sid
;
205 sid_append_rid(&user_info_dc
->sids
[PRIMARY_USER_SID_INDEX
], DOMAIN_RID_ADMINISTRATOR
);
207 user_info_dc
->sids
[PRIMARY_GROUP_SID_INDEX
] = *domain_sid
;
208 sid_append_rid(&user_info_dc
->sids
[PRIMARY_GROUP_SID_INDEX
], DOMAIN_RID_USERS
);
210 user_info_dc
->sids
[2] = global_sid_Builtin_Administrators
;
212 user_info_dc
->sids
[3] = *domain_sid
;
213 sid_append_rid(&user_info_dc
->sids
[3], DOMAIN_RID_ADMINS
);
214 user_info_dc
->sids
[4] = *domain_sid
;
215 sid_append_rid(&user_info_dc
->sids
[4], DOMAIN_RID_ENTERPRISE_ADMINS
);
216 user_info_dc
->sids
[5] = *domain_sid
;
217 sid_append_rid(&user_info_dc
->sids
[5], DOMAIN_RID_POLICY_ADMINS
);
218 user_info_dc
->sids
[6] = *domain_sid
;
219 sid_append_rid(&user_info_dc
->sids
[6], DOMAIN_RID_SCHEMA_ADMINS
);
221 /* What should the session key be?*/
222 user_info_dc
->user_session_key
= data_blob_talloc(user_info_dc
, NULL
, 16);
223 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
->user_session_key
.data
);
225 user_info_dc
->lm_session_key
= data_blob_talloc(user_info_dc
, NULL
, 16);
226 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
->lm_session_key
.data
);
228 data_blob_clear(&user_info_dc
->user_session_key
);
229 data_blob_clear(&user_info_dc
->lm_session_key
);
231 user_info_dc
->info
= info
= talloc_zero(user_info_dc
, struct auth_user_info
);
232 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
->info
);
234 info
->account_name
= talloc_strdup(info
, "Administrator");
235 NT_STATUS_HAVE_NO_MEMORY(info
->account_name
);
237 info
->domain_name
= talloc_strdup(info
, domain_name
);
238 NT_STATUS_HAVE_NO_MEMORY(info
->domain_name
);
240 info
->full_name
= talloc_strdup(info
, "Administrator");
241 NT_STATUS_HAVE_NO_MEMORY(info
->full_name
);
243 info
->logon_script
= talloc_strdup(info
, "");
244 NT_STATUS_HAVE_NO_MEMORY(info
->logon_script
);
246 info
->profile_path
= talloc_strdup(info
, "");
247 NT_STATUS_HAVE_NO_MEMORY(info
->profile_path
);
249 info
->home_directory
= talloc_strdup(info
, "");
250 NT_STATUS_HAVE_NO_MEMORY(info
->home_directory
);
252 info
->home_drive
= talloc_strdup(info
, "");
253 NT_STATUS_HAVE_NO_MEMORY(info
->home_drive
);
255 info
->logon_server
= talloc_strdup(info
, netbios_name
);
256 NT_STATUS_HAVE_NO_MEMORY(info
->logon_server
);
258 info
->last_logon
= 0;
259 info
->last_logoff
= 0;
260 info
->acct_expiry
= 0;
261 info
->last_password_change
= 0;
262 info
->allow_password_change
= 0;
263 info
->force_password_change
= 0;
265 info
->logon_count
= 0;
266 info
->bad_password_count
= 0;
268 info
->acct_flags
= ACB_NORMAL
;
270 info
->authenticated
= true;
272 *_user_info_dc
= user_info_dc
;
277 static NTSTATUS
auth_domain_admin_session_info(TALLOC_CTX
*parent_ctx
,
278 struct loadparm_context
*lp_ctx
,
279 struct dom_sid
*domain_sid
,
280 struct auth_session_info
**session_info
)
283 struct auth_user_info_dc
*user_info_dc
= NULL
;
284 TALLOC_CTX
*mem_ctx
= talloc_new(parent_ctx
);
286 NT_STATUS_HAVE_NO_MEMORY(mem_ctx
);
288 nt_status
= auth_domain_admin_user_info_dc(mem_ctx
, lpcfg_netbios_name(lp_ctx
),
289 lpcfg_workgroup(lp_ctx
), domain_sid
,
291 if (!NT_STATUS_IS_OK(nt_status
)) {
292 talloc_free(mem_ctx
);
296 nt_status
= auth_generate_session_info(mem_ctx
, NULL
, NULL
, user_info_dc
,
297 AUTH_SESSION_INFO_SIMPLE_PRIVILEGES
|AUTH_SESSION_INFO_AUTHENTICATED
|AUTH_SESSION_INFO_DEFAULT_GROUPS
,
299 /* There is already a reference between the sesion_info and user_info_dc */
300 if (NT_STATUS_IS_OK(nt_status
)) {
301 talloc_steal(parent_ctx
, *session_info
);
303 talloc_free(mem_ctx
);
307 _PUBLIC_
struct auth_session_info
*admin_session(TALLOC_CTX
*mem_ctx
, struct loadparm_context
*lp_ctx
, struct dom_sid
*domain_sid
)
310 struct auth_session_info
*session_info
= NULL
;
311 nt_status
= auth_domain_admin_session_info(mem_ctx
,
315 if (!NT_STATUS_IS_OK(nt_status
)) {
321 _PUBLIC_ NTSTATUS
auth_anonymous_session_info(TALLOC_CTX
*parent_ctx
,
322 struct loadparm_context
*lp_ctx
,
323 struct auth_session_info
**_session_info
)
326 struct auth_user_info_dc
*user_info_dc
= NULL
;
327 struct auth_session_info
*session_info
= NULL
;
328 TALLOC_CTX
*mem_ctx
= talloc_new(parent_ctx
);
331 nt_status
= auth_anonymous_user_info_dc(mem_ctx
,
332 lpcfg_netbios_name(lp_ctx
),
334 if (!NT_STATUS_IS_OK(nt_status
)) {
335 talloc_free(mem_ctx
);
339 /* references the user_info_dc into the session_info */
340 nt_status
= auth_generate_session_info(parent_ctx
, NULL
, NULL
, user_info_dc
, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES
, &session_info
);
341 talloc_free(mem_ctx
);
343 NT_STATUS_NOT_OK_RETURN(nt_status
);
345 session_info
->credentials
= cli_credentials_init(session_info
);
346 if (!session_info
->credentials
) {
347 return NT_STATUS_NO_MEMORY
;
350 ok
= cli_credentials_set_conf(session_info
->credentials
, lp_ctx
);
352 return NT_STATUS_INTERNAL_ERROR
;
354 cli_credentials_set_anonymous(session_info
->credentials
);
356 *_session_info
= session_info
;
361 _PUBLIC_ NTSTATUS
auth_anonymous_user_info_dc(TALLOC_CTX
*mem_ctx
,
362 const char *netbios_name
,
363 struct auth_user_info_dc
**_user_info_dc
)
365 struct auth_user_info_dc
*user_info_dc
;
366 struct auth_user_info
*info
;
367 user_info_dc
= talloc_zero(mem_ctx
, struct auth_user_info_dc
);
368 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
);
370 /* This returns a pointer to a struct dom_sid, which is the
371 * same as a 1 element list of struct dom_sid */
372 user_info_dc
->num_sids
= 1;
373 user_info_dc
->sids
= dom_sid_dup(user_info_dc
, &global_sid_Anonymous
);
374 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
->sids
);
376 /* annoying, but the Anonymous really does have a session key... */
377 user_info_dc
->user_session_key
= data_blob_talloc(user_info_dc
, NULL
, 16);
378 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
->user_session_key
.data
);
380 user_info_dc
->lm_session_key
= data_blob_talloc(user_info_dc
, NULL
, 16);
381 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
->lm_session_key
.data
);
383 /* and it is all zeros! */
384 data_blob_clear(&user_info_dc
->user_session_key
);
385 data_blob_clear(&user_info_dc
->lm_session_key
);
387 user_info_dc
->info
= info
= talloc_zero(user_info_dc
, struct auth_user_info
);
388 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
->info
);
390 info
->account_name
= talloc_strdup(info
, "ANONYMOUS LOGON");
391 NT_STATUS_HAVE_NO_MEMORY(info
->account_name
);
393 info
->domain_name
= talloc_strdup(info
, "NT AUTHORITY");
394 NT_STATUS_HAVE_NO_MEMORY(info
->domain_name
);
396 info
->full_name
= talloc_strdup(info
, "Anonymous Logon");
397 NT_STATUS_HAVE_NO_MEMORY(info
->full_name
);
399 info
->logon_script
= talloc_strdup(info
, "");
400 NT_STATUS_HAVE_NO_MEMORY(info
->logon_script
);
402 info
->profile_path
= talloc_strdup(info
, "");
403 NT_STATUS_HAVE_NO_MEMORY(info
->profile_path
);
405 info
->home_directory
= talloc_strdup(info
, "");
406 NT_STATUS_HAVE_NO_MEMORY(info
->home_directory
);
408 info
->home_drive
= talloc_strdup(info
, "");
409 NT_STATUS_HAVE_NO_MEMORY(info
->home_drive
);
411 info
->logon_server
= talloc_strdup(info
, netbios_name
);
412 NT_STATUS_HAVE_NO_MEMORY(info
->logon_server
);
414 info
->last_logon
= 0;
415 info
->last_logoff
= 0;
416 info
->acct_expiry
= 0;
417 info
->last_password_change
= 0;
418 info
->allow_password_change
= 0;
419 info
->force_password_change
= 0;
421 info
->logon_count
= 0;
422 info
->bad_password_count
= 0;
424 info
->acct_flags
= ACB_NORMAL
;
426 info
->authenticated
= false;
428 *_user_info_dc
= user_info_dc
;