From 50547a9950062311a4952846960b15e1d6cdfdf5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 3 Feb 2012 17:09:37 +1100 Subject: [PATCH] s3-auth: Follow auth_ntlmssp and use auth4_context for Session Setup This patch ensures consistency in behaviour between NTLMSSP and NTLM session setup handlers. By calling the same layer that auth_ntlmssp calls, we can not only allow redirection of all authentication to the AD DC, we ensure that map to guest and username map handling is consistent, even in the file server alone. Andrew Bartlett --- source3/auth/auth_util.c | 20 +++++++-------- source3/smbd/globals.h | 2 +- source3/smbd/negprot.c | 2 +- source3/smbd/sesssetup.c | 63 +++++++++++++++--------------------------------- 4 files changed, 32 insertions(+), 55 deletions(-) diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 06aa9c51084..21a8642751a 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -347,8 +347,8 @@ bool make_user_info_for_reply(struct auth_usersupplied_info **user_info, return false; } - ret = make_user_info_map( - user_info, smb_name, client_domain, + ret = make_user_info( + user_info, smb_name, smb_name, client_domain, client_domain, get_remote_machine_name(), remote_address, local_lm_blob.data ? &local_lm_blob : NULL, @@ -376,14 +376,14 @@ NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info, const struct tsocket_address *remote_address, DATA_BLOB lm_resp, DATA_BLOB nt_resp) { - return make_user_info_map(user_info, smb_name, - client_domain, - get_remote_machine_name(), - remote_address, - lm_resp.data && (lm_resp.length > 0) ? &lm_resp : NULL, - nt_resp.data && (nt_resp.length > 0) ? &nt_resp : NULL, - NULL, NULL, NULL, - AUTH_PASSWORD_RESPONSE); + return make_user_info(user_info, smb_name, smb_name, + client_domain, client_domain, + get_remote_machine_name(), + remote_address, + lm_resp.data && (lm_resp.length > 0) ? &lm_resp : NULL, + nt_resp.data && (nt_resp.length > 0) ? &nt_resp : NULL, + NULL, NULL, NULL, + AUTH_PASSWORD_RESPONSE); } /**************************************************************************** diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h index bfa649b98bc..5b65711b990 100644 --- a/source3/smbd/globals.h +++ b/source3/smbd/globals.h @@ -509,7 +509,7 @@ struct smbd_server_connection { struct { bool encrypted_passwords; bool spnego; - struct auth_context *auth_context; + struct auth4_context *auth_context; bool done; /* * Size of the data we can receive. Set by us. diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c index 8a6b509fea0..e44ac5cb751 100644 --- a/source3/smbd/negprot.c +++ b/source3/smbd/negprot.c @@ -44,7 +44,7 @@ static void get_challenge(struct smbd_server_connection *sconn, uint8 buff[8]) } DEBUG(10, ("get challenge: creating negprot_global_auth_context\n")); - nt_status = make_auth_context_subsystem( + nt_status = make_auth4_context( sconn, &sconn->smb1.negprot.auth_context); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("make_auth_context_subsystem returned %s", diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index da306b97bc7..b2e1f2421fc 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -77,31 +77,33 @@ static int push_signature(uint8 **outbuf) ****************************************************************************/ static NTSTATUS check_guest_password(const struct tsocket_address *remote_address, - struct auth_serversupplied_info **server_info) + TALLOC_CTX *mem_ctx, + struct auth_session_info **session_info) { - struct auth_context *auth_context; + struct auth4_context *auth_context; struct auth_usersupplied_info *user_info = NULL; - + uint8_t chal[8]; NTSTATUS nt_status; - static unsigned char chal[8] = { 0, }; DEBUG(3,("Got anonymous request\n")); - nt_status = make_auth_context_fixed(talloc_tos(), &auth_context, chal); + nt_status = make_auth4_context(talloc_tos(), &auth_context); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } + auth_context->get_ntlm_challenge(auth_context, + chal); + if (!make_user_info_guest(remote_address, &user_info)) { TALLOC_FREE(auth_context); return NT_STATUS_NO_MEMORY; } - nt_status = auth_context->check_ntlm_password(auth_context, - user_info, - server_info); - TALLOC_FREE(auth_context); + nt_status = auth_check_password_session_info(auth_context, + mem_ctx, user_info, session_info); free_user_info(&user_info); + TALLOC_FREE(auth_context); return nt_status; } @@ -396,7 +398,6 @@ void reply_sesssetup_and_X(struct smb_request *req) const char *native_lanman; const char *primary_domain; struct auth_usersupplied_info *user_info = NULL; - struct auth_serversupplied_info *server_info = NULL; struct auth_session_info *session_info = NULL; uint16 smb_flag2 = req->flags2; @@ -671,10 +672,10 @@ void reply_sesssetup_and_X(struct smb_request *req) if (!*user) { - nt_status = check_guest_password(sconn->remote_address, &server_info); + nt_status = check_guest_password(sconn->remote_address, req, &session_info); } else if (doencrypt) { - struct auth_context *negprot_auth_context = NULL; + struct auth4_context *negprot_auth_context = NULL; negprot_auth_context = sconn->smb1.negprot.auth_context; if (!negprot_auth_context) { DEBUG(0, ("reply_sesssetup_and_X: Attempted encrypted " @@ -689,15 +690,13 @@ void reply_sesssetup_and_X(struct smb_request *req) sconn->remote_address, lm_resp, nt_resp); if (NT_STATUS_IS_OK(nt_status)) { - nt_status = negprot_auth_context->check_ntlm_password( - negprot_auth_context, - user_info, - &server_info); + nt_status = auth_check_password_session_info(negprot_auth_context, + req, user_info, &session_info); } } else { - struct auth_context *plaintext_auth_context = NULL; + struct auth4_context *plaintext_auth_context = NULL; - nt_status = make_auth_context_subsystem( + nt_status = make_auth4_context( talloc_tos(), &plaintext_auth_context); if (NT_STATUS_IS_OK(nt_status)) { @@ -715,38 +714,16 @@ void reply_sesssetup_and_X(struct smb_request *req) } if (NT_STATUS_IS_OK(nt_status)) { - nt_status = plaintext_auth_context->check_ntlm_password( - plaintext_auth_context, - user_info, - &server_info); - - TALLOC_FREE(plaintext_auth_context); + nt_status = auth_check_password_session_info(plaintext_auth_context, + req, user_info, &session_info); } + TALLOC_FREE(plaintext_auth_context); } } free_user_info(&user_info); if (!NT_STATUS_IS_OK(nt_status)) { - nt_status = do_map_to_guest_server_info(nt_status, &server_info, - user, domain); - } - - if (!NT_STATUS_IS_OK(nt_status)) { - data_blob_free(&nt_resp); - data_blob_free(&lm_resp); - data_blob_clear_free(&plaintext_password); - reply_nterror(req, nt_status_squash(nt_status)); - END_PROFILE(SMBsesssetupX); - return; - } - - nt_status = create_local_token(req, server_info, NULL, sub_user, &session_info); - TALLOC_FREE(server_info); - - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(10, ("create_local_token failed: %s\n", - nt_errstr(nt_status))); data_blob_free(&nt_resp); data_blob_free(&lm_resp); data_blob_clear_free(&plaintext_password); -- 2.11.4.GIT