2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001-2010
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Stefan Metzmacher 2005
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "libcli/security/security.h"
26 #include "auth/credentials/credentials.h"
27 #include "param/param.h"
28 #include "auth/auth.h" /* for auth_user_info_dc */
29 #include "auth/session.h"
30 #include "auth/system_session_proto.h"
34 prevent the static system session being freed
36 static int system_session_destructor(struct auth_session_info
*info
)
41 /* Create a security token for a session SYSTEM (the most
42 * trusted/prvilaged account), including the local machine account as
43 * the off-host credentials
45 _PUBLIC_
struct auth_session_info
*system_session(struct loadparm_context
*lp_ctx
)
47 static struct auth_session_info
*static_session
;
51 return static_session
;
54 nt_status
= auth_system_session_info(talloc_autofree_context(),
57 if (!NT_STATUS_IS_OK(nt_status
)) {
58 talloc_free(static_session
);
59 static_session
= NULL
;
62 talloc_set_destructor(static_session
, system_session_destructor
);
63 return static_session
;
66 NTSTATUS
auth_system_session_info(TALLOC_CTX
*parent_ctx
,
67 struct loadparm_context
*lp_ctx
,
68 struct auth_session_info
**_session_info
)
71 struct auth_user_info_dc
*user_info_dc
= NULL
;
72 struct auth_session_info
*session_info
= NULL
;
73 TALLOC_CTX
*mem_ctx
= talloc_new(parent_ctx
);
75 nt_status
= auth_system_user_info_dc(mem_ctx
, lpcfg_netbios_name(lp_ctx
),
77 if (!NT_STATUS_IS_OK(nt_status
)) {
82 /* references the user_info_dc into the session_info */
83 nt_status
= auth_generate_session_info(parent_ctx
, NULL
, NULL
, user_info_dc
, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES
, &session_info
);
86 NT_STATUS_NOT_OK_RETURN(nt_status
);
88 session_info
->credentials
= cli_credentials_init(session_info
);
89 if (!session_info
->credentials
) {
90 return NT_STATUS_NO_MEMORY
;
93 cli_credentials_set_conf(session_info
->credentials
, lp_ctx
);
95 cli_credentials_set_machine_account_pending(session_info
->credentials
, lp_ctx
);
96 *_session_info
= session_info
;
101 NTSTATUS
auth_system_user_info_dc(TALLOC_CTX
*mem_ctx
, const char *netbios_name
,
102 struct auth_user_info_dc
**_user_info_dc
)
104 struct auth_user_info_dc
*user_info_dc
;
105 struct auth_user_info
*info
;
107 user_info_dc
= talloc(mem_ctx
, struct auth_user_info_dc
);
108 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
);
110 /* This returns a pointer to a struct dom_sid, which is the
111 * same as a 1 element list of struct dom_sid */
112 user_info_dc
->num_sids
= 1;
113 user_info_dc
->sids
= dom_sid_parse_talloc(user_info_dc
, SID_NT_SYSTEM
);
114 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
->sids
);
116 /* annoying, but the Anonymous really does have a session key,
117 and it is all zeros! */
118 user_info_dc
->user_session_key
= data_blob_talloc(user_info_dc
, NULL
, 16);
119 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
->user_session_key
.data
);
121 user_info_dc
->lm_session_key
= data_blob_talloc(user_info_dc
, NULL
, 16);
122 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
->lm_session_key
.data
);
124 data_blob_clear(&user_info_dc
->user_session_key
);
125 data_blob_clear(&user_info_dc
->lm_session_key
);
127 user_info_dc
->info
= info
= talloc_zero(user_info_dc
, struct auth_user_info
);
128 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
->info
);
130 info
->account_name
= talloc_strdup(info
, "SYSTEM");
131 NT_STATUS_HAVE_NO_MEMORY(info
->account_name
);
133 info
->domain_name
= talloc_strdup(info
, "NT AUTHORITY");
134 NT_STATUS_HAVE_NO_MEMORY(info
->domain_name
);
136 info
->full_name
= talloc_strdup(info
, "System");
137 NT_STATUS_HAVE_NO_MEMORY(info
->full_name
);
139 info
->logon_script
= talloc_strdup(info
, "");
140 NT_STATUS_HAVE_NO_MEMORY(info
->logon_script
);
142 info
->profile_path
= talloc_strdup(info
, "");
143 NT_STATUS_HAVE_NO_MEMORY(info
->profile_path
);
145 info
->home_directory
= talloc_strdup(info
, "");
146 NT_STATUS_HAVE_NO_MEMORY(info
->home_directory
);
148 info
->home_drive
= talloc_strdup(info
, "");
149 NT_STATUS_HAVE_NO_MEMORY(info
->home_drive
);
151 info
->logon_server
= talloc_strdup(info
, netbios_name
);
152 NT_STATUS_HAVE_NO_MEMORY(info
->logon_server
);
154 info
->last_logon
= 0;
155 info
->last_logoff
= 0;
156 info
->acct_expiry
= 0;
157 info
->last_password_change
= 0;
158 info
->allow_password_change
= 0;
159 info
->force_password_change
= 0;
161 info
->logon_count
= 0;
162 info
->bad_password_count
= 0;
164 info
->acct_flags
= ACB_NORMAL
;
166 info
->authenticated
= true;
168 *_user_info_dc
= user_info_dc
;
174 static NTSTATUS
auth_domain_admin_user_info_dc(TALLOC_CTX
*mem_ctx
,
175 const char *netbios_name
,
176 const char *domain_name
,
177 struct dom_sid
*domain_sid
,
178 struct auth_user_info_dc
**_user_info_dc
)
180 struct auth_user_info_dc
*user_info_dc
;
181 struct auth_user_info
*info
;
183 user_info_dc
= talloc(mem_ctx
, struct auth_user_info_dc
);
184 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
);
186 user_info_dc
->num_sids
= 7;
187 user_info_dc
->sids
= talloc_array(user_info_dc
, struct dom_sid
, user_info_dc
->num_sids
);
189 user_info_dc
->sids
[PRIMARY_USER_SID_INDEX
] = *domain_sid
;
190 sid_append_rid(&user_info_dc
->sids
[PRIMARY_USER_SID_INDEX
], DOMAIN_RID_ADMINISTRATOR
);
192 user_info_dc
->sids
[PRIMARY_GROUP_SID_INDEX
] = *domain_sid
;
193 sid_append_rid(&user_info_dc
->sids
[PRIMARY_USER_SID_INDEX
], DOMAIN_RID_USERS
);
195 user_info_dc
->sids
[2] = global_sid_Builtin_Administrators
;
197 user_info_dc
->sids
[3] = *domain_sid
;
198 sid_append_rid(&user_info_dc
->sids
[3], DOMAIN_RID_ADMINS
);
199 user_info_dc
->sids
[4] = *domain_sid
;
200 sid_append_rid(&user_info_dc
->sids
[4], DOMAIN_RID_ENTERPRISE_ADMINS
);
201 user_info_dc
->sids
[5] = *domain_sid
;
202 sid_append_rid(&user_info_dc
->sids
[5], DOMAIN_RID_POLICY_ADMINS
);
203 user_info_dc
->sids
[6] = *domain_sid
;
204 sid_append_rid(&user_info_dc
->sids
[6], DOMAIN_RID_SCHEMA_ADMINS
);
206 /* What should the session key be?*/
207 user_info_dc
->user_session_key
= data_blob_talloc(user_info_dc
, NULL
, 16);
208 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
->user_session_key
.data
);
210 user_info_dc
->lm_session_key
= data_blob_talloc(user_info_dc
, NULL
, 16);
211 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
->lm_session_key
.data
);
213 data_blob_clear(&user_info_dc
->user_session_key
);
214 data_blob_clear(&user_info_dc
->lm_session_key
);
216 user_info_dc
->info
= info
= talloc_zero(user_info_dc
, struct auth_user_info
);
217 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
->info
);
219 info
->account_name
= talloc_strdup(info
, "Administrator");
220 NT_STATUS_HAVE_NO_MEMORY(info
->account_name
);
222 info
->domain_name
= talloc_strdup(info
, domain_name
);
223 NT_STATUS_HAVE_NO_MEMORY(info
->domain_name
);
225 info
->full_name
= talloc_strdup(info
, "Administrator");
226 NT_STATUS_HAVE_NO_MEMORY(info
->full_name
);
228 info
->logon_script
= talloc_strdup(info
, "");
229 NT_STATUS_HAVE_NO_MEMORY(info
->logon_script
);
231 info
->profile_path
= talloc_strdup(info
, "");
232 NT_STATUS_HAVE_NO_MEMORY(info
->profile_path
);
234 info
->home_directory
= talloc_strdup(info
, "");
235 NT_STATUS_HAVE_NO_MEMORY(info
->home_directory
);
237 info
->home_drive
= talloc_strdup(info
, "");
238 NT_STATUS_HAVE_NO_MEMORY(info
->home_drive
);
240 info
->logon_server
= talloc_strdup(info
, netbios_name
);
241 NT_STATUS_HAVE_NO_MEMORY(info
->logon_server
);
243 info
->last_logon
= 0;
244 info
->last_logoff
= 0;
245 info
->acct_expiry
= 0;
246 info
->last_password_change
= 0;
247 info
->allow_password_change
= 0;
248 info
->force_password_change
= 0;
250 info
->logon_count
= 0;
251 info
->bad_password_count
= 0;
253 info
->acct_flags
= ACB_NORMAL
;
255 info
->authenticated
= true;
257 *_user_info_dc
= user_info_dc
;
262 static NTSTATUS
auth_domain_admin_session_info(TALLOC_CTX
*parent_ctx
,
263 struct loadparm_context
*lp_ctx
,
264 struct dom_sid
*domain_sid
,
265 struct auth_session_info
**session_info
)
268 struct auth_user_info_dc
*user_info_dc
= NULL
;
269 TALLOC_CTX
*mem_ctx
= talloc_new(parent_ctx
);
271 NT_STATUS_HAVE_NO_MEMORY(mem_ctx
);
273 nt_status
= auth_domain_admin_user_info_dc(mem_ctx
, lpcfg_netbios_name(lp_ctx
),
274 lpcfg_workgroup(lp_ctx
), domain_sid
,
276 if (!NT_STATUS_IS_OK(nt_status
)) {
277 talloc_free(mem_ctx
);
281 nt_status
= auth_generate_session_info(mem_ctx
, NULL
, NULL
, user_info_dc
,
282 AUTH_SESSION_INFO_SIMPLE_PRIVILEGES
|AUTH_SESSION_INFO_AUTHENTICATED
|AUTH_SESSION_INFO_DEFAULT_GROUPS
,
284 /* There is already a reference between the sesion_info and user_info_dc */
285 if (NT_STATUS_IS_OK(nt_status
)) {
286 talloc_steal(parent_ctx
, *session_info
);
288 talloc_free(mem_ctx
);
292 _PUBLIC_
struct auth_session_info
*admin_session(TALLOC_CTX
*mem_ctx
, struct loadparm_context
*lp_ctx
, struct dom_sid
*domain_sid
)
295 struct auth_session_info
*session_info
= NULL
;
296 nt_status
= auth_domain_admin_session_info(mem_ctx
,
300 if (!NT_STATUS_IS_OK(nt_status
)) {
306 _PUBLIC_ NTSTATUS
auth_anonymous_session_info(TALLOC_CTX
*parent_ctx
,
307 struct loadparm_context
*lp_ctx
,
308 struct auth_session_info
**_session_info
)
311 struct auth_user_info_dc
*user_info_dc
= NULL
;
312 struct auth_session_info
*session_info
= NULL
;
313 TALLOC_CTX
*mem_ctx
= talloc_new(parent_ctx
);
315 nt_status
= auth_anonymous_user_info_dc(mem_ctx
,
316 lpcfg_netbios_name(lp_ctx
),
318 if (!NT_STATUS_IS_OK(nt_status
)) {
319 talloc_free(mem_ctx
);
323 /* references the user_info_dc into the session_info */
324 nt_status
= auth_generate_session_info(parent_ctx
, NULL
, NULL
, user_info_dc
, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES
, &session_info
);
325 talloc_free(mem_ctx
);
327 NT_STATUS_NOT_OK_RETURN(nt_status
);
329 session_info
->credentials
= cli_credentials_init(session_info
);
330 if (!session_info
->credentials
) {
331 return NT_STATUS_NO_MEMORY
;
334 cli_credentials_set_conf(session_info
->credentials
, lp_ctx
);
335 cli_credentials_set_anonymous(session_info
->credentials
);
337 *_session_info
= session_info
;
342 _PUBLIC_ NTSTATUS
auth_anonymous_user_info_dc(TALLOC_CTX
*mem_ctx
,
343 const char *netbios_name
,
344 struct auth_user_info_dc
**_user_info_dc
)
346 struct auth_user_info_dc
*user_info_dc
;
347 struct auth_user_info
*info
;
348 user_info_dc
= talloc(mem_ctx
, struct auth_user_info_dc
);
349 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
);
351 /* This returns a pointer to a struct dom_sid, which is the
352 * same as a 1 element list of struct dom_sid */
353 user_info_dc
->num_sids
= 1;
354 user_info_dc
->sids
= dom_sid_parse_talloc(user_info_dc
, SID_NT_ANONYMOUS
);
355 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
->sids
);
357 /* annoying, but the Anonymous really does have a session key... */
358 user_info_dc
->user_session_key
= data_blob_talloc(user_info_dc
, NULL
, 16);
359 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
->user_session_key
.data
);
361 user_info_dc
->lm_session_key
= data_blob_talloc(user_info_dc
, NULL
, 16);
362 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
->lm_session_key
.data
);
364 /* and it is all zeros! */
365 data_blob_clear(&user_info_dc
->user_session_key
);
366 data_blob_clear(&user_info_dc
->lm_session_key
);
368 user_info_dc
->info
= info
= talloc_zero(user_info_dc
, struct auth_user_info
);
369 NT_STATUS_HAVE_NO_MEMORY(user_info_dc
->info
);
371 info
->account_name
= talloc_strdup(info
, "ANONYMOUS LOGON");
372 NT_STATUS_HAVE_NO_MEMORY(info
->account_name
);
374 info
->domain_name
= talloc_strdup(info
, "NT AUTHORITY");
375 NT_STATUS_HAVE_NO_MEMORY(info
->domain_name
);
377 info
->full_name
= talloc_strdup(info
, "Anonymous Logon");
378 NT_STATUS_HAVE_NO_MEMORY(info
->full_name
);
380 info
->logon_script
= talloc_strdup(info
, "");
381 NT_STATUS_HAVE_NO_MEMORY(info
->logon_script
);
383 info
->profile_path
= talloc_strdup(info
, "");
384 NT_STATUS_HAVE_NO_MEMORY(info
->profile_path
);
386 info
->home_directory
= talloc_strdup(info
, "");
387 NT_STATUS_HAVE_NO_MEMORY(info
->home_directory
);
389 info
->home_drive
= talloc_strdup(info
, "");
390 NT_STATUS_HAVE_NO_MEMORY(info
->home_drive
);
392 info
->logon_server
= talloc_strdup(info
, netbios_name
);
393 NT_STATUS_HAVE_NO_MEMORY(info
->logon_server
);
395 info
->last_logon
= 0;
396 info
->last_logoff
= 0;
397 info
->acct_expiry
= 0;
398 info
->last_password_change
= 0;
399 info
->allow_password_change
= 0;
400 info
->force_password_change
= 0;
402 info
->logon_count
= 0;
403 info
->bad_password_count
= 0;
405 info
->acct_flags
= ACB_NORMAL
;
407 info
->authenticated
= false;
409 *_user_info_dc
= user_info_dc
;