search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3: Fix an uninitialized variable read
[Samba/bb.git] / source3 / smbd / sesssetup.c
blob68cb8d3a267a9d8c6cb31e54624fdc85a5c1ac45
1 /*
2 Unix SMB/CIFS implementation.
3 handle SMBsessionsetup
4 Copyright (C) Andrew Tridgell 1998-2001
5 Copyright (C) Andrew Bartlett 2001
6 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
7 Copyright (C) Luke Howard 2003
8 Copyright (C) Volker Lendecke 2007
9 Copyright (C) Jeremy Allison 2007
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 */
24
25 #include "includes.h"
26 #include "smbd/globals.h"
27 #include "../libcli/auth/spnego.h"
28
29 /* For split krb5 SPNEGO blobs. */
30 struct pending_auth_data {
31 struct pending_auth_data *prev, *next;
32 uint16 vuid; /* Tag for this entry. */
33 uint16 smbpid; /* Alternate tag for this entry. */
34 size_t needed_len;
35 DATA_BLOB partial_data;
36 };
37
38 /*
39 on a logon error possibly map the error to success if "map to guest"
40 is set approriately
41 */
42 static NTSTATUS do_map_to_guest(NTSTATUS status,
43 auth_serversupplied_info **server_info,
44 const char *user, const char *domain)
45 {
46 if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
47 if ((lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) ||
48 (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) {
49 DEBUG(3,("No such user %s [%s] - using guest account\n",
50 user, domain));
51 status = make_server_info_guest(NULL, server_info);
52 }
53 }
54
55 if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
56 if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) {
57 DEBUG(3,("Registered username %s for guest access\n",
58 user));
59 status = make_server_info_guest(NULL, server_info);
60 }
61 }
62
63 return status;
64 }
65
66 /****************************************************************************
67 Add the standard 'Samba' signature to the end of the session setup.
68 ****************************************************************************/
69
70 static int push_signature(uint8 **outbuf)
71 {
72 char *lanman;
73 int result, tmp;
74
75 result = 0;
76
77 tmp = message_push_string(outbuf, "Unix", STR_TERMINATE);
78
79 if (tmp == -1) return -1;
80 result += tmp;
81
82 if (asprintf(&lanman, "Samba %s", samba_version_string()) != -1) {
83 tmp = message_push_string(outbuf, lanman, STR_TERMINATE);
84 SAFE_FREE(lanman);
85 }
86 else {
87 tmp = message_push_string(outbuf, "Samba", STR_TERMINATE);
88 }
89
90 if (tmp == -1) return -1;
91 result += tmp;
92
93 tmp = message_push_string(outbuf, lp_workgroup(), STR_TERMINATE);
94
95 if (tmp == -1) return -1;
96 result += tmp;
97
98 return result;
99 }
100
101 /****************************************************************************
102 Send a security blob via a session setup reply.
103 ****************************************************************************/
104
105 static void reply_sesssetup_blob(struct smb_request *req,
106 DATA_BLOB blob,
107 NTSTATUS nt_status)
108 {
109 if (!NT_STATUS_IS_OK(nt_status) &&
110 !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
111 reply_nterror(req, nt_status_squash(nt_status));
112 return;
113 }
114
115 nt_status = nt_status_squash(nt_status);
116 SIVAL(req->outbuf, smb_rcls, NT_STATUS_V(nt_status));
117 SSVAL(req->outbuf, smb_vwv0, 0xFF); /* no chaining possible */
118 SSVAL(req->outbuf, smb_vwv3, blob.length);
119
120 if ((message_push_blob(&req->outbuf, blob) == -1)
121 || (push_signature(&req->outbuf) == -1)) {
122 reply_nterror(req, NT_STATUS_NO_MEMORY);
123 }
124 }
125
126 /****************************************************************************
127 Do a 'guest' logon, getting back the
128 ****************************************************************************/
129
130 static NTSTATUS check_guest_password(auth_serversupplied_info **server_info)
131 {
132 struct auth_context *auth_context;
133 auth_usersupplied_info *user_info = NULL;
134
135 NTSTATUS nt_status;
136 unsigned char chal[8];
137
138 ZERO_STRUCT(chal);
139
140 DEBUG(3,("Got anonymous request\n"));
141
142 if (!NT_STATUS_IS_OK(nt_status = make_auth_context_fixed(&auth_context,
143 chal))) {
144 return nt_status;
145 }
146
147 if (!make_user_info_guest(&user_info)) {
148 (auth_context->free)(&auth_context);
149 return NT_STATUS_NO_MEMORY;
150 }
151
152 nt_status = auth_context->check_ntlm_password(auth_context,
153 user_info,
154 server_info);
155 (auth_context->free)(&auth_context);
156 free_user_info(&user_info);
157 return nt_status;
158 }
159
160
161 #ifdef HAVE_KRB5
162
163 #if 0
164 /* Experiment that failed. See "only happens with a KDC" comment below. */
165 /****************************************************************************
166 Cerate a clock skew error blob for a Windows client.
167 ****************************************************************************/
168
169 static bool make_krb5_skew_error(DATA_BLOB *pblob_out)
170 {
171 krb5_context context = NULL;
172 krb5_error_code kerr = 0;
173 krb5_data reply;
174 krb5_principal host_princ = NULL;
175 char *host_princ_s = NULL;
176 bool ret = False;
177
178 *pblob_out = data_blob_null;
179
180 initialize_krb5_error_table();
181 kerr = krb5_init_context(&context);
182 if (kerr) {
183 return False;
184 }
185 /* Create server principal. */
186 asprintf(&host_princ_s, "%s$@%s", global_myname(), lp_realm());
187 if (!host_princ_s) {
188 goto out;
189 }
190 strlower_m(host_princ_s);
191
192 kerr = smb_krb5_parse_name(context, host_princ_s, &host_princ);
193 if (kerr) {
194 DEBUG(10,("make_krb5_skew_error: smb_krb5_parse_name failed "
195 "for name %s: Error %s\n",
196 host_princ_s, error_message(kerr) ));
197 goto out;
198 }
199
200 kerr = smb_krb5_mk_error(context, KRB5KRB_AP_ERR_SKEW,
201 host_princ, &reply);
202 if (kerr) {
203 DEBUG(10,("make_krb5_skew_error: smb_krb5_mk_error "
204 "failed: Error %s\n",
205 error_message(kerr) ));
206 goto out;
207 }
208
209 *pblob_out = data_blob(reply.data, reply.length);
210 kerberos_free_data_contents(context,&reply);
211 ret = True;
212
213 out:
214
215 if (host_princ_s) {
216 SAFE_FREE(host_princ_s);
217 }
218 if (host_princ) {
219 krb5_free_principal(context, host_princ);
220 }
221 krb5_free_context(context);
222 return ret;
223 }
224 #endif
225
226 /****************************************************************************
227 Reply to a session setup spnego negotiate packet for kerberos.
228 ****************************************************************************/
229
230 static void reply_spnego_kerberos(struct smb_request *req,
231 DATA_BLOB *secblob,
232 const char *mechOID,
233 uint16 vuid,
234 bool *p_invalidate_vuid)
235 {
236 TALLOC_CTX *mem_ctx;
237 DATA_BLOB ticket;
238 char *client, *p, *domain;
239 fstring netbios_domain_name;
240 struct passwd *pw;
241 fstring user;
242 int sess_vuid = req->vuid;
243 NTSTATUS ret = NT_STATUS_OK;
244 struct PAC_DATA *pac_data = NULL;
245 DATA_BLOB ap_rep, ap_rep_wrapped, response;
246 auth_serversupplied_info *server_info = NULL;
247 DATA_BLOB session_key = data_blob_null;
248 uint8 tok_id[2];
249 DATA_BLOB nullblob = data_blob_null;
250 fstring real_username;
251 bool map_domainuser_to_guest = False;
252 bool username_was_mapped;
253 struct PAC_LOGON_INFO *logon_info = NULL;
254 struct smbd_server_connection *sconn = smbd_server_conn;
255
256 ZERO_STRUCT(ticket);
257 ZERO_STRUCT(ap_rep);
258 ZERO_STRUCT(ap_rep_wrapped);
259 ZERO_STRUCT(response);
260
261 /* Normally we will always invalidate the intermediate vuid. */
262 *p_invalidate_vuid = True;
263
264 mem_ctx = talloc_init("reply_spnego_kerberos");
265 if (mem_ctx == NULL) {
266 reply_nterror(req, nt_status_squash(NT_STATUS_NO_MEMORY));
267 return;
268 }
269
270 if (!spnego_parse_krb5_wrap(*secblob, &ticket, tok_id)) {
271 talloc_destroy(mem_ctx);
272 reply_nterror(req, nt_status_squash(NT_STATUS_LOGON_FAILURE));
273 return;
274 }
275
276 ret = ads_verify_ticket(mem_ctx, lp_realm(), 0, &ticket,
277 &client, &pac_data, &ap_rep,
278 &session_key, True);
279
280 data_blob_free(&ticket);
281
282 if (!NT_STATUS_IS_OK(ret)) {
283 #if 0
284 /* Experiment that failed.
285 * See "only happens with a KDC" comment below. */
286
287 if (NT_STATUS_EQUAL(ret, NT_STATUS_TIME_DIFFERENCE_AT_DC)) {
288
289 /*
290 * Windows in this case returns
291 * NT_STATUS_MORE_PROCESSING_REQUIRED
292 * with a negTokenTarg blob containing an krb5_error
293 * struct ASN1 encoded containing KRB5KRB_AP_ERR_SKEW.
294 * The client then fixes its clock and continues rather
295 * than giving an error. JRA.
296 * -- Looks like this only happens with a KDC. JRA.
297 */
298
299 bool ok = make_krb5_skew_error(&ap_rep);
300 if (!ok) {
301 talloc_destroy(mem_ctx);
302 return ERROR_NT(nt_status_squash(
303 NT_STATUS_LOGON_FAILURE));
304 }
305 ap_rep_wrapped = spnego_gen_krb5_wrap(ap_rep,
306 TOK_ID_KRB_ERROR);
307 response = spnego_gen_auth_response(&ap_rep_wrapped,
308 ret, OID_KERBEROS5_OLD);
309 reply_sesssetup_blob(conn, inbuf, outbuf, response,
310 NT_STATUS_MORE_PROCESSING_REQUIRED);
311
312 /*
313 * In this one case we don't invalidate the
314 * intermediate vuid as we're expecting the client
315 * to re-use it for the next sessionsetupX packet. JRA.
316 */
317
318 *p_invalidate_vuid = False;
319
320 data_blob_free(&ap_rep);
321 data_blob_free(&ap_rep_wrapped);
322 data_blob_free(&response);
323 talloc_destroy(mem_ctx);
324 return -1; /* already replied */
325 }
326 #else
327 if (!NT_STATUS_EQUAL(ret, NT_STATUS_TIME_DIFFERENCE_AT_DC)) {
328 ret = NT_STATUS_LOGON_FAILURE;
329 }
330 #endif
331 DEBUG(1,("Failed to verify incoming ticket with error %s!\n",
332 nt_errstr(ret)));
333 talloc_destroy(mem_ctx);
334 reply_nterror(req, nt_status_squash(ret));
335 return;
336 }
337
338 DEBUG(3,("Ticket name is [%s]\n", client));
339
340 p = strchr_m(client, '@');
341 if (!p) {
342 DEBUG(3,("Doesn't look like a valid principal\n"));
343 data_blob_free(&ap_rep);
344 data_blob_free(&session_key);
345 talloc_destroy(mem_ctx);
346 reply_nterror(req,nt_status_squash(NT_STATUS_LOGON_FAILURE));
347 return;
348 }
349
350 *p = 0;
351
352 /* save the PAC data if we have it */
353
354 if (pac_data) {
355 logon_info = get_logon_info_from_pac(pac_data);
356 if (logon_info) {
357 netsamlogon_cache_store( client, &logon_info->info3 );
358 }
359 }
360
361 if (!strequal(p+1, lp_realm())) {
362 DEBUG(3,("Ticket for foreign realm %s@%s\n", client, p+1));
363 if (!lp_allow_trusted_domains()) {
364 data_blob_free(&ap_rep);
365 data_blob_free(&session_key);
366 talloc_destroy(mem_ctx);
367 reply_nterror(req, nt_status_squash(
368 NT_STATUS_LOGON_FAILURE));
369 return;
370 }
371 }
372
373 /* this gives a fully qualified user name (ie. with full realm).
374 that leads to very long usernames, but what else can we do? */
375
376 domain = p+1;
377
378 if (logon_info && logon_info->info3.base.domain.string) {
379 fstrcpy(netbios_domain_name,
380 logon_info->info3.base.domain.string);
381 domain = netbios_domain_name;
382 DEBUG(10, ("Mapped to [%s] (using PAC)\n", domain));
383
384 } else {
385
386 /* If we have winbind running, we can (and must) shorten the
387 username by using the short netbios name. Otherwise we will
388 have inconsistent user names. With Kerberos, we get the
389 fully qualified realm, with ntlmssp we get the short
390 name. And even w2k3 does use ntlmssp if you for example
391 connect to an ip address. */
392
393 wbcErr wbc_status;
394 struct wbcDomainInfo *info = NULL;
395
396 DEBUG(10, ("Mapping [%s] to short name\n", domain));
397
398 wbc_status = wbcDomainInfo(domain, &info);
399
400 if (WBC_ERROR_IS_OK(wbc_status)) {
401
402 fstrcpy(netbios_domain_name,
403 info->short_name);
404
405 wbcFreeMemory(info);
406 domain = netbios_domain_name;
407 DEBUG(10, ("Mapped to [%s] (using Winbind)\n", domain));
408 } else {
409 DEBUG(3, ("Could not find short name: %s\n",
410 wbcErrorString(wbc_status)));
411 }
412 }
413
414 fstr_sprintf(user, "%s%c%s", domain, *lp_winbind_separator(), client);
415
416 /* lookup the passwd struct, create a new user if necessary */
417
418 username_was_mapped = map_username(sconn, user);
419
420 pw = smb_getpwnam( mem_ctx, user, real_username, True );
421
422 if (pw) {
423 /* if a real user check pam account restrictions */
424 /* only really perfomed if "obey pam restriction" is true */
425 /* do this before an eventual mapping to guest occurs */
426 ret = smb_pam_accountcheck(pw->pw_name);
427 if ( !NT_STATUS_IS_OK(ret)) {
428 DEBUG(1,("PAM account restriction "
429 "prevents user login\n"));
430 data_blob_free(&ap_rep);
431 data_blob_free(&session_key);
432 TALLOC_FREE(mem_ctx);
433 reply_nterror(req, nt_status_squash(ret));
434 return;
435 }
436 }
437
438 if (!pw) {
439
440 /* this was originally the behavior of Samba 2.2, if a user
441 did not have a local uid but has been authenticated, then
442 map them to a guest account */
443
444 if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID){
445 map_domainuser_to_guest = True;
446 fstrcpy(user,lp_guestaccount());
447 pw = smb_getpwnam( mem_ctx, user, real_username, True );
448 }
449
450 /* extra sanity check that the guest account is valid */
451
452 if ( !pw ) {
453 DEBUG(1,("Username %s is invalid on this system\n",
454 user));
455 data_blob_free(&ap_rep);
456 data_blob_free(&session_key);
457 TALLOC_FREE(mem_ctx);
458 reply_nterror(req, nt_status_squash(
459 NT_STATUS_LOGON_FAILURE));
460 return;
461 }
462 }
463
464 /* setup the string used by %U */
465
466 sub_set_smb_name( real_username );
467 reload_services(True);
468
469 if ( map_domainuser_to_guest ) {
470 make_server_info_guest(NULL, &server_info);
471 } else if (logon_info) {
472 /* pass the unmapped username here since map_username()
473 will be called again from inside make_server_info_info3() */
474
475 ret = make_server_info_info3(mem_ctx, client, domain,
476 &server_info, &logon_info->info3);
477 if ( !NT_STATUS_IS_OK(ret) ) {
478 DEBUG(1,("make_server_info_info3 failed: %s!\n",
479 nt_errstr(ret)));
480 data_blob_free(&ap_rep);
481 data_blob_free(&session_key);
482 TALLOC_FREE(mem_ctx);
483 reply_nterror(req, nt_status_squash(ret));
484 return;
485 }
486
487 } else {
488 /*
489 * We didn't get a PAC, we have to make up the user
490 * ourselves. Try to ask the pdb backend to provide
491 * SID consistency with ntlmssp session setup
492 */
493 struct samu *sampass;
494
495 sampass = samu_new(talloc_tos());
496 if (sampass == NULL) {
497 ret = NT_STATUS_NO_MEMORY;
498 data_blob_free(&ap_rep);
499 data_blob_free(&session_key);
500 TALLOC_FREE(mem_ctx);
501 reply_nterror(req, nt_status_squash(ret));
502 return;
503 }
504
505 if (pdb_getsampwnam(sampass, real_username)) {
506 DEBUG(10, ("found user %s in passdb, calling "
507 "make_server_info_sam\n", real_username));
508 ret = make_server_info_sam(&server_info, sampass);
509 } else {
510 /*
511 * User not in passdb, make it up artificially
512 */
513 TALLOC_FREE(sampass);
514 DEBUG(10, ("didn't find user %s in passdb, calling "
515 "make_server_info_pw\n", real_username));
516 ret = make_server_info_pw(&server_info, real_username,
517 pw);
518 }
519
520 if ( !NT_STATUS_IS_OK(ret) ) {
521 DEBUG(1,("make_server_info_[sam|pw] failed: %s!\n",
522 nt_errstr(ret)));
523 data_blob_free(&ap_rep);
524 data_blob_free(&session_key);
525 TALLOC_FREE(mem_ctx);
526 reply_nterror(req, nt_status_squash(ret));
527 return;
528 }
529
530 /* make_server_info_pw does not set the domain. Without this
531 * we end up with the local netbios name in substitutions for
532 * %D. */
533
534 if (server_info->sam_account != NULL) {
535 pdb_set_domain(server_info->sam_account,
536 domain, PDB_SET);
537 }
538 }
539
540 server_info->nss_token |= username_was_mapped;
541
542 /* we need to build the token for the user. make_server_info_guest()
543 already does this */
544
545 if ( !server_info->ptok ) {
546 ret = create_local_token( server_info );
547 if ( !NT_STATUS_IS_OK(ret) ) {
548 DEBUG(10,("failed to create local token: %s\n",
549 nt_errstr(ret)));
550 data_blob_free(&ap_rep);
551 data_blob_free(&session_key);
552 TALLOC_FREE( mem_ctx );
553 TALLOC_FREE( server_info );
554 reply_nterror(req, nt_status_squash(ret));
555 return;
556 }
557 }
558
559 if (!is_partial_auth_vuid(sconn, sess_vuid)) {
560 sess_vuid = register_initial_vuid(sconn);
561 }
562
563 data_blob_free(&server_info->user_session_key);
564 server_info->user_session_key = session_key;
565 session_key = data_blob_null;
566
567 /* register_existing_vuid keeps the server info */
568 /* register_existing_vuid takes ownership of session_key on success,
569 * no need to free after this on success. A better interface would copy
570 * it.... */
571
572 sess_vuid = register_existing_vuid(sconn,
573 sess_vuid,
574 server_info,
575 nullblob,
576 client);
577
578 reply_outbuf(req, 4, 0);
579 SSVAL(req->outbuf,smb_uid,sess_vuid);
580
581 if (sess_vuid == UID_FIELD_INVALID ) {
582 ret = NT_STATUS_LOGON_FAILURE;
583 } else {
584 /* current_user_info is changed on new vuid */
585 reload_services( True );
586
587 SSVAL(req->outbuf, smb_vwv3, 0);
588
589 if (server_info->guest) {
590 SSVAL(req->outbuf,smb_vwv2,1);
591 }
592
593 SSVAL(req->outbuf, smb_uid, sess_vuid);
594
595 /* Successful logon. Keep this vuid. */
596 *p_invalidate_vuid = False;
597 }
598
599 /* wrap that up in a nice GSS-API wrapping */
600 if (NT_STATUS_IS_OK(ret)) {
601 ap_rep_wrapped = spnego_gen_krb5_wrap(ap_rep,
602 TOK_ID_KRB_AP_REP);
603 } else {
604 ap_rep_wrapped = data_blob_null;
605 }
606 response = spnego_gen_auth_response(&ap_rep_wrapped, ret,
607 mechOID);
608 reply_sesssetup_blob(req, response, ret);
609
610 data_blob_free(&ap_rep);
611 data_blob_free(&ap_rep_wrapped);
612 data_blob_free(&response);
613 TALLOC_FREE(mem_ctx);
614 }
615
616 #endif
617
618 /****************************************************************************
619 Send a session setup reply, wrapped in SPNEGO.
620 Get vuid and check first.
621 End the NTLMSSP exchange context if we are OK/complete fail
622 This should be split into two functions, one to handle each
623 leg of the NTLM auth steps.
624 ***************************************************************************/
625
626 static void reply_spnego_ntlmssp(struct smb_request *req,
627 uint16 vuid,
628 AUTH_NTLMSSP_STATE **auth_ntlmssp_state,
629 DATA_BLOB *ntlmssp_blob, NTSTATUS nt_status,
630 const char *OID,
631 bool wrap)
632 {
633 DATA_BLOB response;
634 struct auth_serversupplied_info *server_info = NULL;
635 struct smbd_server_connection *sconn = smbd_server_conn;
636
637 if (NT_STATUS_IS_OK(nt_status)) {
638 server_info = (*auth_ntlmssp_state)->server_info;
639 } else {
640 nt_status = do_map_to_guest(nt_status,
641 &server_info,
642 (*auth_ntlmssp_state)->ntlmssp_state->user,
643 (*auth_ntlmssp_state)->ntlmssp_state->domain);
644 }
645
646 reply_outbuf(req, 4, 0);
647
648 SSVAL(req->outbuf, smb_uid, vuid);
649
650 if (NT_STATUS_IS_OK(nt_status)) {
651 DATA_BLOB nullblob = data_blob_null;
652
653 if (!is_partial_auth_vuid(sconn, vuid)) {
654 nt_status = NT_STATUS_LOGON_FAILURE;
655 goto out;
656 }
657
658 data_blob_free(&server_info->user_session_key);
659 server_info->user_session_key =
660 data_blob_talloc(
661 server_info,
662 (*auth_ntlmssp_state)->ntlmssp_state->session_key.data,
663 (*auth_ntlmssp_state)->ntlmssp_state->session_key.length);
664
665 /* register_existing_vuid keeps the server info */
666 if (register_existing_vuid(sconn, vuid,
667 server_info, nullblob,
668 (*auth_ntlmssp_state)->ntlmssp_state->user) !=
669 vuid) {
670 nt_status = NT_STATUS_LOGON_FAILURE;
671 goto out;
672 }
673
674 (*auth_ntlmssp_state)->server_info = NULL;
675
676 /* current_user_info is changed on new vuid */
677 reload_services( True );
678
679 SSVAL(req->outbuf, smb_vwv3, 0);
680
681 if (server_info->guest) {
682 SSVAL(req->outbuf,smb_vwv2,1);
683 }
684 }
685
686 out:
687
688 if (wrap) {
689 response = spnego_gen_auth_response(ntlmssp_blob,
690 nt_status, OID);
691 } else {
692 response = *ntlmssp_blob;
693 }
694
695 reply_sesssetup_blob(req, response, nt_status);
696 if (wrap) {
697 data_blob_free(&response);
698 }
699
700 /* NT_STATUS_MORE_PROCESSING_REQUIRED from our NTLMSSP code tells us,
701 and the other end, that we are not finished yet. */
702
703 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
704 /* NB. This is *NOT* an error case. JRA */
705 auth_ntlmssp_end(auth_ntlmssp_state);
706 if (!NT_STATUS_IS_OK(nt_status)) {
707 /* Kill the intermediate vuid */
708 invalidate_vuid(sconn, vuid);
709 }
710 }
711 }
712
713 /****************************************************************************
714 Is this a krb5 mechanism ?
715 ****************************************************************************/
716
717 NTSTATUS parse_spnego_mechanisms(DATA_BLOB blob_in,
718 DATA_BLOB *pblob_out,
719 char **kerb_mechOID)
720 {
721 char *OIDs[ASN1_MAX_OIDS];
722 int i;
723 NTSTATUS ret = NT_STATUS_OK;
724
725 *kerb_mechOID = NULL;
726
727 /* parse out the OIDs and the first sec blob */
728 if (!parse_negTokenTarg(blob_in, OIDs, pblob_out)) {
729 return NT_STATUS_LOGON_FAILURE;
730 }
731
732 /* only look at the first OID for determining the mechToken --
733 according to RFC2478, we should choose the one we want
734 and renegotiate, but i smell a client bug here..
735
736 Problem observed when connecting to a member (samba box)
737 of an AD domain as a user in a Samba domain. Samba member
738 server sent back krb5/mskrb5/ntlmssp as mechtypes, but the
739 client (2ksp3) replied with ntlmssp/mskrb5/krb5 and an
740 NTLMSSP mechtoken. --jerry */
741
742 #ifdef HAVE_KRB5
743 if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 ||
744 strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
745 *kerb_mechOID = SMB_STRDUP(OIDs[0]);
746 if (*kerb_mechOID == NULL) {
747 ret = NT_STATUS_NO_MEMORY;
748 }
749 }
750 #endif
751
752 for (i=0;OIDs[i];i++) {
753 DEBUG(5,("parse_spnego_mechanisms: Got OID %s\n", OIDs[i]));
754 talloc_free(OIDs[i]);
755 }
756 return ret;
757 }
758
759 /****************************************************************************
760 Fall back from krb5 to NTLMSSP.
761 ****************************************************************************/
762
763 static void reply_spnego_downgrade_to_ntlmssp(struct smb_request *req,
764 uint16 vuid)
765 {
766 DATA_BLOB response;
767
768 reply_outbuf(req, 4, 0);
769 SSVAL(req->outbuf,smb_uid,vuid);
770
771 DEBUG(3,("reply_spnego_downgrade_to_ntlmssp: Got krb5 ticket in SPNEGO "
772 "but set to downgrade to NTLMSSP\n"));
773
774 response = spnego_gen_auth_response(NULL,
775 NT_STATUS_MORE_PROCESSING_REQUIRED,
776 OID_NTLMSSP);
777 reply_sesssetup_blob(req, response, NT_STATUS_MORE_PROCESSING_REQUIRED);
778 data_blob_free(&response);
779 }
780
781 /****************************************************************************
782 Reply to a session setup spnego negotiate packet.
783 ****************************************************************************/
784
785 static void reply_spnego_negotiate(struct smb_request *req,
786 uint16 vuid,
787 DATA_BLOB blob1,
788 AUTH_NTLMSSP_STATE **auth_ntlmssp_state)
789 {
790 DATA_BLOB secblob;
791 DATA_BLOB chal;
792 char *kerb_mech = NULL;
793 NTSTATUS status;
794 struct smbd_server_connection *sconn = smbd_server_conn;
795
796 status = parse_spnego_mechanisms(blob1, &secblob, &kerb_mech);
797 if (!NT_STATUS_IS_OK(status)) {
798 /* Kill the intermediate vuid */
799 invalidate_vuid(sconn, vuid);
800 reply_nterror(req, nt_status_squash(status));
801 return;
802 }
803
804 DEBUG(3,("reply_spnego_negotiate: Got secblob of size %lu\n",
805 (unsigned long)secblob.length));
806
807 #ifdef HAVE_KRB5
808 if (kerb_mech && ((lp_security()==SEC_ADS) ||
809 USE_KERBEROS_KEYTAB) ) {
810 bool destroy_vuid = True;
811 reply_spnego_kerberos(req, &secblob, kerb_mech,
812 vuid, &destroy_vuid);
813 data_blob_free(&secblob);
814 if (destroy_vuid) {
815 /* Kill the intermediate vuid */
816 invalidate_vuid(sconn, vuid);
817 }
818 SAFE_FREE(kerb_mech);
819 return;
820 }
821 #endif
822
823 if (*auth_ntlmssp_state) {
824 auth_ntlmssp_end(auth_ntlmssp_state);
825 }
826
827 if (kerb_mech) {
828 data_blob_free(&secblob);
829 /* The mechtoken is a krb5 ticket, but
830 * we need to fall back to NTLM. */
831 reply_spnego_downgrade_to_ntlmssp(req, vuid);
832 SAFE_FREE(kerb_mech);
833 return;
834 }
835
836 status = auth_ntlmssp_start(auth_ntlmssp_state);
837 if (!NT_STATUS_IS_OK(status)) {
838 /* Kill the intermediate vuid */
839 invalidate_vuid(sconn, vuid);
840 reply_nterror(req, nt_status_squash(status));
841 return;
842 }
843
844 status = auth_ntlmssp_update(*auth_ntlmssp_state,
845 secblob, &chal);
846
847 data_blob_free(&secblob);
848
849 reply_spnego_ntlmssp(req, vuid, auth_ntlmssp_state,
850 &chal, status, OID_NTLMSSP, true);
851
852 data_blob_free(&chal);
853
854 /* already replied */
855 return;
856 }
857
858 /****************************************************************************
859 Reply to a session setup spnego auth packet.
860 ****************************************************************************/
861
862 static void reply_spnego_auth(struct smb_request *req,
863 uint16 vuid,
864 DATA_BLOB blob1,
865 AUTH_NTLMSSP_STATE **auth_ntlmssp_state)
866 {
867 DATA_BLOB auth = data_blob_null;
868 DATA_BLOB auth_reply = data_blob_null;
869 DATA_BLOB secblob = data_blob_null;
870 NTSTATUS status = NT_STATUS_LOGON_FAILURE;
871 struct smbd_server_connection *sconn = smbd_server_conn;
872
873 if (!spnego_parse_auth(blob1, &auth)) {
874 #if 0
875 file_save("auth.dat", blob1.data, blob1.length);
876 #endif
877 /* Kill the intermediate vuid */
878 invalidate_vuid(sconn, vuid);
879
880 reply_nterror(req, nt_status_squash(
881 NT_STATUS_LOGON_FAILURE));
882 return;
883 }
884
885 if (auth.data[0] == ASN1_APPLICATION(0)) {
886 /* Might be a second negTokenTarg packet */
887 char *kerb_mech = NULL;
888
889 status = parse_spnego_mechanisms(auth, &secblob, &kerb_mech);
890
891 if (!NT_STATUS_IS_OK(status)) {
892 /* Kill the intermediate vuid */
893 invalidate_vuid(sconn, vuid);
894 reply_nterror(req, nt_status_squash(status));
895 return;
896 }
897
898 DEBUG(3,("reply_spnego_auth: Got secblob of size %lu\n",
899 (unsigned long)secblob.length));
900 #ifdef HAVE_KRB5
901 if (kerb_mech && ((lp_security()==SEC_ADS) ||
902 USE_KERBEROS_KEYTAB)) {
903 bool destroy_vuid = True;
904 reply_spnego_kerberos(req, &secblob, kerb_mech,
905 vuid, &destroy_vuid);
906 data_blob_free(&secblob);
907 data_blob_free(&auth);
908 if (destroy_vuid) {
909 /* Kill the intermediate vuid */
910 invalidate_vuid(sconn, vuid);
911 }
912 SAFE_FREE(kerb_mech);
913 return;
914 }
915 #endif
916 /* Can't blunder into NTLMSSP auth if we have
917 * a krb5 ticket. */
918
919 if (kerb_mech) {
920 /* Kill the intermediate vuid */
921 invalidate_vuid(sconn, vuid);
922 DEBUG(3,("reply_spnego_auth: network "
923 "misconfiguration, client sent us a "
924 "krb5 ticket and kerberos security "
925 "not enabled\n"));
926 reply_nterror(req, nt_status_squash(
927 NT_STATUS_LOGON_FAILURE));
928 SAFE_FREE(kerb_mech);
929 }
930 }
931
932 /* If we get here it wasn't a negTokenTarg auth packet. */
933 data_blob_free(&secblob);
934
935 if (!*auth_ntlmssp_state) {
936 status = auth_ntlmssp_start(auth_ntlmssp_state);
937 if (!NT_STATUS_IS_OK(status)) {
938 /* Kill the intermediate vuid */
939 invalidate_vuid(sconn, vuid);
940 reply_nterror(req, nt_status_squash(status));
941 return;
942 }
943 }
944
945 status = auth_ntlmssp_update(*auth_ntlmssp_state,
946 auth, &auth_reply);
947
948 data_blob_free(&auth);
949
950 /* Don't send the mechid as we've already sent this (RFC4178). */
951
952 reply_spnego_ntlmssp(req, vuid,
953 auth_ntlmssp_state,
954 &auth_reply, status, NULL, true);
955
956 data_blob_free(&auth_reply);
957
958 /* and tell smbd that we have already replied to this packet */
959 return;
960 }
961
962 /****************************************************************************
963 Delete an entry on the list.
964 ****************************************************************************/
965
966 static void delete_partial_auth(struct smbd_server_connection *sconn,
967 struct pending_auth_data *pad)
968 {
969 if (!pad) {
970 return;
971 }
972 DLIST_REMOVE(sconn->smb1.pd_list, pad);
973 data_blob_free(&pad->partial_data);
974 SAFE_FREE(pad);
975 }
976
977 /****************************************************************************
978 Search for a partial SPNEGO auth fragment matching an smbpid.
979 ****************************************************************************/
980
981 static struct pending_auth_data *get_pending_auth_data(
982 struct smbd_server_connection *sconn,
983 uint16_t smbpid)
984 {
985 struct pending_auth_data *pad;
986 /*
987 * NOTE: using the smbpid here is completely wrong...
988 * see [MS-SMB]
989 * 3.3.5.3 Receiving an SMB_COM_SESSION_SETUP_ANDX Request
990 */
991 for (pad = sconn->smb1.pd_list; pad; pad = pad->next) {
992 if (pad->smbpid == smbpid) {
993 break;
994 }
995 }
996 return pad;
997 }
998
999 /****************************************************************************
1000 Check the size of an SPNEGO blob. If we need more return
1001 NT_STATUS_MORE_PROCESSING_REQUIRED, else return NT_STATUS_OK. Don't allow
1002 the blob to be more than 64k.
1003 ****************************************************************************/
1004
1005 static NTSTATUS check_spnego_blob_complete(struct smbd_server_connection *sconn,
1006 uint16 smbpid, uint16 vuid,
1007 DATA_BLOB *pblob)
1008 {
1009 struct pending_auth_data *pad = NULL;
1010 ASN1_DATA *data;
1011 size_t needed_len = 0;
1012
1013 pad = get_pending_auth_data(sconn, smbpid);
1014
1015 /* Ensure we have some data. */
1016 if (pblob->length == 0) {
1017 /* Caller can cope. */
1018 DEBUG(2,("check_spnego_blob_complete: zero blob length !\n"));
1019 delete_partial_auth(sconn, pad);
1020 return NT_STATUS_OK;
1021 }
1022
1023 /* Were we waiting for more data ? */
1024 if (pad) {
1025 DATA_BLOB tmp_blob;
1026 size_t copy_len = MIN(65536, pblob->length);
1027
1028 /* Integer wrap paranoia.... */
1029
1030 if (pad->partial_data.length + copy_len <
1031 pad->partial_data.length ||
1032 pad->partial_data.length + copy_len < copy_len) {
1033
1034 DEBUG(2,("check_spnego_blob_complete: integer wrap "
1035 "pad->partial_data.length = %u, "
1036 "copy_len = %u\n",
1037 (unsigned int)pad->partial_data.length,
1038 (unsigned int)copy_len ));
1039
1040 delete_partial_auth(sconn, pad);
1041 return NT_STATUS_INVALID_PARAMETER;
1042 }
1043
1044 DEBUG(10,("check_spnego_blob_complete: "
1045 "pad->partial_data.length = %u, "
1046 "pad->needed_len = %u, "
1047 "copy_len = %u, "
1048 "pblob->length = %u,\n",
1049 (unsigned int)pad->partial_data.length,
1050 (unsigned int)pad->needed_len,
1051 (unsigned int)copy_len,
1052 (unsigned int)pblob->length ));
1053
1054 tmp_blob = data_blob(NULL,
1055 pad->partial_data.length + copy_len);
1056
1057 /* Concatenate the two (up to copy_len) bytes. */
1058 memcpy(tmp_blob.data,
1059 pad->partial_data.data,
1060 pad->partial_data.length);
1061 memcpy(tmp_blob.data + pad->partial_data.length,
1062 pblob->data,
1063 copy_len);
1064
1065 /* Replace the partial data. */
1066 data_blob_free(&pad->partial_data);
1067 pad->partial_data = tmp_blob;
1068 ZERO_STRUCT(tmp_blob);
1069
1070 /* Are we done ? */
1071 if (pblob->length >= pad->needed_len) {
1072 /* Yes, replace pblob. */
1073 data_blob_free(pblob);
1074 *pblob = pad->partial_data;
1075 ZERO_STRUCT(pad->partial_data);
1076 delete_partial_auth(sconn, pad);
1077 return NT_STATUS_OK;
1078 }
1079
1080 /* Still need more data. */
1081 pad->needed_len -= copy_len;
1082 return NT_STATUS_MORE_PROCESSING_REQUIRED;
1083 }
1084
1085 if ((pblob->data[0] != ASN1_APPLICATION(0)) &&
1086 (pblob->data[0] != ASN1_CONTEXT(1))) {
1087 /* Not something we can determine the
1088 * length of.
1089 */
1090 return NT_STATUS_OK;
1091 }
1092
1093 /* This is a new SPNEGO sessionsetup - see if
1094 * the data given in this blob is enough.
1095 */
1096
1097 data = asn1_init(NULL);
1098 if (data == NULL) {
1099 return NT_STATUS_NO_MEMORY;
1100 }
1101
1102 asn1_load(data, *pblob);
1103 asn1_start_tag(data, pblob->data[0]);
1104 if (data->has_error || data->nesting == NULL) {
1105 asn1_free(data);
1106 /* Let caller catch. */
1107 return NT_STATUS_OK;
1108 }
1109
1110 /* Integer wrap paranoia.... */
1111
1112 if (data->nesting->taglen + data->nesting->start < data->nesting->taglen ||
1113 data->nesting->taglen + data->nesting->start < data->nesting->start) {
1114
1115 DEBUG(2,("check_spnego_blob_complete: integer wrap "
1116 "data.nesting->taglen = %u, "
1117 "data.nesting->start = %u\n",
1118 (unsigned int)data->nesting->taglen,
1119 (unsigned int)data->nesting->start ));
1120
1121 asn1_free(data);
1122 return NT_STATUS_INVALID_PARAMETER;
1123 }
1124
1125 /* Total length of the needed asn1 is the tag length
1126 * plus the current offset. */
1127
1128 needed_len = data->nesting->taglen + data->nesting->start;
1129 asn1_free(data);
1130
1131 DEBUG(10,("check_spnego_blob_complete: needed_len = %u, "
1132 "pblob->length = %u\n",
1133 (unsigned int)needed_len,
1134 (unsigned int)pblob->length ));
1135
1136 if (needed_len <= pblob->length) {
1137 /* Nothing to do - blob is complete. */
1138 return NT_STATUS_OK;
1139 }
1140
1141 /* Refuse the blob if it's bigger than 64k. */
1142 if (needed_len > 65536) {
1143 DEBUG(2,("check_spnego_blob_complete: needed_len "
1144 "too large (%u)\n",
1145 (unsigned int)needed_len ));
1146 return NT_STATUS_INVALID_PARAMETER;
1147 }
1148
1149 /* We must store this blob until complete. */
1150 if (!(pad = SMB_MALLOC_P(struct pending_auth_data))) {
1151 return NT_STATUS_NO_MEMORY;
1152 }
1153 pad->needed_len = needed_len - pblob->length;
1154 pad->partial_data = data_blob(pblob->data, pblob->length);
1155 if (pad->partial_data.data == NULL) {
1156 SAFE_FREE(pad);
1157 return NT_STATUS_NO_MEMORY;
1158 }
1159 pad->smbpid = smbpid;
1160 pad->vuid = vuid;
1161 DLIST_ADD(sconn->smb1.pd_list, pad);
1162
1163 return NT_STATUS_MORE_PROCESSING_REQUIRED;
1164 }
1165
1166 /****************************************************************************
1167 Reply to a session setup command.
1168 conn POINTER CAN BE NULL HERE !
1169 ****************************************************************************/
1170
1171 static void reply_sesssetup_and_X_spnego(struct smb_request *req)
1172 {
1173 const uint8 *p;
1174 DATA_BLOB blob1;
1175 size_t bufrem;
1176 char *tmp;
1177 const char *native_os;
1178 const char *native_lanman;
1179 const char *primary_domain;
1180 const char *p2;
1181 uint16 data_blob_len = SVAL(req->vwv+7, 0);
1182 enum remote_arch_types ra_type = get_remote_arch();
1183 int vuid = req->vuid;
1184 user_struct *vuser = NULL;
1185 NTSTATUS status = NT_STATUS_OK;
1186 uint16 smbpid = req->smbpid;
1187 struct smbd_server_connection *sconn = smbd_server_conn;
1188
1189 DEBUG(3,("Doing spnego session setup\n"));
1190
1191 if (global_client_caps == 0) {
1192 global_client_caps = IVAL(req->vwv+10, 0);
1193
1194 if (!(global_client_caps & CAP_STATUS32)) {
1195 remove_from_common_flags2(FLAGS2_32_BIT_ERROR_CODES);
1196 }
1197
1198 }
1199
1200 p = req->buf;
1201
1202 if (data_blob_len == 0) {
1203 /* an invalid request */
1204 reply_nterror(req, nt_status_squash(NT_STATUS_LOGON_FAILURE));
1205 return;
1206 }
1207
1208 bufrem = smbreq_bufrem(req, p);
1209 /* pull the spnego blob */
1210 blob1 = data_blob(p, MIN(bufrem, data_blob_len));
1211
1212 #if 0
1213 file_save("negotiate.dat", blob1.data, blob1.length);
1214 #endif
1215
1216 p2 = (char *)req->buf + blob1.length;
1217
1218 p2 += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p2,
1219 STR_TERMINATE);
1220 native_os = tmp ? tmp : "";
1221
1222 p2 += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p2,
1223 STR_TERMINATE);
1224 native_lanman = tmp ? tmp : "";
1225
1226 p2 += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p2,
1227 STR_TERMINATE);
1228 primary_domain = tmp ? tmp : "";
1229
1230 DEBUG(3,("NativeOS=[%s] NativeLanMan=[%s] PrimaryDomain=[%s]\n",
1231 native_os, native_lanman, primary_domain));
1232
1233 if ( ra_type == RA_WIN2K ) {
1234 /* Vista sets neither the OS or lanman strings */
1235
1236 if ( !strlen(native_os) && !strlen(native_lanman) )
1237 set_remote_arch(RA_VISTA);
1238
1239 /* Windows 2003 doesn't set the native lanman string,
1240 but does set primary domain which is a bug I think */
1241
1242 if ( !strlen(native_lanman) ) {
1243 ra_lanman_string( primary_domain );
1244 } else {
1245 ra_lanman_string( native_lanman );
1246 }
1247 }
1248
1249 /* Did we get a valid vuid ? */
1250 if (!is_partial_auth_vuid(sconn, vuid)) {
1251 /* No, then try and see if this is an intermediate sessionsetup
1252 * for a large SPNEGO packet. */
1253 struct pending_auth_data *pad;
1254 pad = get_pending_auth_data(sconn, smbpid);
1255 if (pad) {
1256 DEBUG(10,("reply_sesssetup_and_X_spnego: found "
1257 "pending vuid %u\n",
1258 (unsigned int)pad->vuid ));
1259 vuid = pad->vuid;
1260 }
1261 }
1262
1263 /* Do we have a valid vuid now ? */
1264 if (!is_partial_auth_vuid(sconn, vuid)) {
1265 /* No, start a new authentication setup. */
1266 vuid = register_initial_vuid(sconn);
1267 if (vuid == UID_FIELD_INVALID) {
1268 data_blob_free(&blob1);
1269 reply_nterror(req, nt_status_squash(
1270 NT_STATUS_INVALID_PARAMETER));
1271 return;
1272 }
1273 }
1274
1275 vuser = get_partial_auth_user_struct(sconn, vuid);
1276 /* This MUST be valid. */
1277 if (!vuser) {
1278 smb_panic("reply_sesssetup_and_X_spnego: invalid vuid.");
1279 }
1280
1281 /* Large (greater than 4k) SPNEGO blobs are split into multiple
1282 * sessionsetup requests as the Windows limit on the security blob
1283 * field is 4k. Bug #4400. JRA.
1284 */
1285
1286 status = check_spnego_blob_complete(sconn, smbpid, vuid, &blob1);
1287 if (!NT_STATUS_IS_OK(status)) {
1288 if (!NT_STATUS_EQUAL(status,
1289 NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1290 /* Real error - kill the intermediate vuid */
1291 invalidate_vuid(sconn, vuid);
1292 }
1293 data_blob_free(&blob1);
1294 reply_nterror(req, nt_status_squash(status));
1295 return;
1296 }
1297
1298 if (blob1.data[0] == ASN1_APPLICATION(0)) {
1299
1300 /* its a negTokenTarg packet */
1301
1302 reply_spnego_negotiate(req, vuid, blob1,
1303 &vuser->auth_ntlmssp_state);
1304 data_blob_free(&blob1);
1305 return;
1306 }
1307
1308 if (blob1.data[0] == ASN1_CONTEXT(1)) {
1309
1310 /* its a auth packet */
1311
1312 reply_spnego_auth(req, vuid, blob1,
1313 &vuser->auth_ntlmssp_state);
1314 data_blob_free(&blob1);
1315 return;
1316 }
1317
1318 if (strncmp((char *)(blob1.data), "NTLMSSP", 7) == 0) {
1319 DATA_BLOB chal;
1320
1321 if (!vuser->auth_ntlmssp_state) {
1322 status = auth_ntlmssp_start(&vuser->auth_ntlmssp_state);
1323 if (!NT_STATUS_IS_OK(status)) {
1324 /* Kill the intermediate vuid */
1325 invalidate_vuid(sconn, vuid);
1326 data_blob_free(&blob1);
1327 reply_nterror(req, nt_status_squash(status));
1328 return;
1329 }
1330 }
1331
1332 status = auth_ntlmssp_update(vuser->auth_ntlmssp_state,
1333 blob1, &chal);
1334
1335 data_blob_free(&blob1);
1336
1337 reply_spnego_ntlmssp(req, vuid,
1338 &vuser->auth_ntlmssp_state,
1339 &chal, status, OID_NTLMSSP, false);
1340 data_blob_free(&chal);
1341 return;
1342 }
1343
1344 /* what sort of packet is this? */
1345 DEBUG(1,("Unknown packet in reply_sesssetup_and_X_spnego\n"));
1346
1347 data_blob_free(&blob1);
1348
1349 reply_nterror(req, nt_status_squash(NT_STATUS_LOGON_FAILURE));
1350 }
1351
1352 /****************************************************************************
1353 On new VC == 0, shutdown *all* old connections and users.
1354 It seems that only NT4.x does this. At W2K and above (XP etc.).
1355 a new session setup with VC==0 is ignored.
1356 ****************************************************************************/
1357
1358 static int shutdown_other_smbds(struct db_record *rec,
1359 const struct connections_key *key,
1360 const struct connections_data *crec,
1361 void *private_data)
1362 {
1363 const char *ip = (const char *)private_data;
1364
1365 if (!process_exists(crec->pid)) {
1366 return 0;
1367 }
1368
1369 if (procid_is_me(&crec->pid)) {
1370 return 0;
1371 }
1372
1373 if (strcmp(ip, crec->addr) != 0) {
1374 return 0;
1375 }
1376
1377 DEBUG(0,("shutdown_other_smbds: shutting down pid %u "
1378 "(IP %s)\n", (unsigned int)procid_to_pid(&crec->pid), ip));
1379
1380 messaging_send(smbd_messaging_context(), crec->pid, MSG_SHUTDOWN,
1381 &data_blob_null);
1382 return 0;
1383 }
1384
1385 static void setup_new_vc_session(void)
1386 {
1387 char addr[INET6_ADDRSTRLEN];
1388
1389 DEBUG(2,("setup_new_vc_session: New VC == 0, if NT4.x "
1390 "compatible we would close all old resources.\n"));
1391 #if 0
1392 conn_close_all();
1393 invalidate_all_vuids();
1394 #endif
1395 if (lp_reset_on_zero_vc()) {
1396 connections_forall(shutdown_other_smbds,
1397 CONST_DISCARD(void *,
1398 client_addr(get_client_fd(),addr,sizeof(addr))));
1399 }
1400 }
1401
1402 /****************************************************************************
1403 Reply to a session setup command.
1404 ****************************************************************************/
1405
1406 void reply_sesssetup_and_X(struct smb_request *req)
1407 {
1408 int sess_vuid;
1409 int smb_bufsize;
1410 DATA_BLOB lm_resp;
1411 DATA_BLOB nt_resp;
1412 DATA_BLOB plaintext_password;
1413 char *tmp;
1414 const char *user;
1415 fstring sub_user; /* Sainitised username for substituion */
1416 const char *domain;
1417 const char *native_os;
1418 const char *native_lanman;
1419 const char *primary_domain;
1420 auth_usersupplied_info *user_info = NULL;
1421 auth_serversupplied_info *server_info = NULL;
1422 uint16 smb_flag2 = req->flags2;
1423
1424 NTSTATUS nt_status;
1425 struct smbd_server_connection *sconn = smbd_server_conn;
1426
1427 bool doencrypt = sconn->smb1.negprot.encrypted_passwords;
1428
1429 START_PROFILE(SMBsesssetupX);
1430
1431 ZERO_STRUCT(lm_resp);
1432 ZERO_STRUCT(nt_resp);
1433 ZERO_STRUCT(plaintext_password);
1434
1435 DEBUG(3,("wct=%d flg2=0x%x\n", req->wct, req->flags2));
1436
1437 /* a SPNEGO session setup has 12 command words, whereas a normal
1438 NT1 session setup has 13. See the cifs spec. */
1439 if (req->wct == 12 &&
1440 (req->flags2 & FLAGS2_EXTENDED_SECURITY)) {
1441
1442 if (!sconn->smb1.negprot.spnego) {
1443 DEBUG(0,("reply_sesssetup_and_X: Rejecting attempt "
1444 "at SPNEGO session setup when it was not "
1445 "negotiated.\n"));
1446 reply_nterror(req, nt_status_squash(
1447 NT_STATUS_LOGON_FAILURE));
1448 END_PROFILE(SMBsesssetupX);
1449 return;
1450 }
1451
1452 if (SVAL(req->vwv+4, 0) == 0) {
1453 setup_new_vc_session();
1454 }
1455
1456 reply_sesssetup_and_X_spnego(req);
1457 END_PROFILE(SMBsesssetupX);
1458 return;
1459 }
1460
1461 smb_bufsize = SVAL(req->vwv+2, 0);
1462
1463 if (get_Protocol() < PROTOCOL_NT1) {
1464 uint16 passlen1 = SVAL(req->vwv+7, 0);
1465
1466 /* Never do NT status codes with protocols before NT1 as we
1467 * don't get client caps. */
1468 remove_from_common_flags2(FLAGS2_32_BIT_ERROR_CODES);
1469
1470 if ((passlen1 > MAX_PASS_LEN) || (passlen1 > req->buflen)) {
1471 reply_nterror(req, nt_status_squash(
1472 NT_STATUS_INVALID_PARAMETER));
1473 END_PROFILE(SMBsesssetupX);
1474 return;
1475 }
1476
1477 if (doencrypt) {
1478 lm_resp = data_blob(req->buf, passlen1);
1479 } else {
1480 plaintext_password = data_blob(req->buf, passlen1+1);
1481 /* Ensure null termination */
1482 plaintext_password.data[passlen1] = 0;
1483 }
1484
1485 srvstr_pull_req_talloc(talloc_tos(), req, &tmp,
1486 req->buf + passlen1, STR_TERMINATE);
1487 user = tmp ? tmp : "";
1488
1489 domain = "";
1490
1491 } else {
1492 uint16 passlen1 = SVAL(req->vwv+7, 0);
1493 uint16 passlen2 = SVAL(req->vwv+8, 0);
1494 enum remote_arch_types ra_type = get_remote_arch();
1495 const uint8_t *p = req->buf;
1496 const uint8_t *save_p = req->buf;
1497 uint16 byte_count;
1498
1499
1500 if(global_client_caps == 0) {
1501 global_client_caps = IVAL(req->vwv+11, 0);
1502
1503 if (!(global_client_caps & CAP_STATUS32)) {
1504 remove_from_common_flags2(
1505 FLAGS2_32_BIT_ERROR_CODES);
1506 }
1507
1508 /* client_caps is used as final determination if
1509 * client is NT or Win95. This is needed to return
1510 * the correct error codes in some circumstances.
1511 */
1512
1513 if(ra_type == RA_WINNT || ra_type == RA_WIN2K ||
1514 ra_type == RA_WIN95) {
1515 if(!(global_client_caps & (CAP_NT_SMBS|
1516 CAP_STATUS32))) {
1517 set_remote_arch( RA_WIN95);
1518 }
1519 }
1520 }
1521
1522 if (!doencrypt) {
1523 /* both Win95 and WinNT stuff up the password
1524 * lengths for non-encrypting systems. Uggh.
1525
1526 if passlen1==24 its a win95 system, and its setting
1527 the password length incorrectly. Luckily it still
1528 works with the default code because Win95 will null
1529 terminate the password anyway
1530
1531 if passlen1>0 and passlen2>0 then maybe its a NT box
1532 and its setting passlen2 to some random value which
1533 really stuffs things up. we need to fix that one. */
1534
1535 if (passlen1 > 0 && passlen2 > 0 && passlen2 != 24 &&
1536 passlen2 != 1) {
1537 passlen2 = 0;
1538 }
1539 }
1540
1541 /* check for nasty tricks */
1542 if (passlen1 > MAX_PASS_LEN
1543 || passlen1 > smbreq_bufrem(req, p)) {
1544 reply_nterror(req, nt_status_squash(
1545 NT_STATUS_INVALID_PARAMETER));
1546 END_PROFILE(SMBsesssetupX);
1547 return;
1548 }
1549
1550 if (passlen2 > MAX_PASS_LEN
1551 || passlen2 > smbreq_bufrem(req, p+passlen1)) {
1552 reply_nterror(req, nt_status_squash(
1553 NT_STATUS_INVALID_PARAMETER));
1554 END_PROFILE(SMBsesssetupX);
1555 return;
1556 }
1557
1558 /* Save the lanman2 password and the NT md4 password. */
1559
1560 if ((doencrypt) && (passlen1 != 0) && (passlen1 != 24)) {
1561 doencrypt = False;
1562 }
1563
1564 if (doencrypt) {
1565 lm_resp = data_blob(p, passlen1);
1566 nt_resp = data_blob(p+passlen1, passlen2);
1567 } else if (lp_security() != SEC_SHARE) {
1568 /*
1569 * In share level we should ignore any passwords, so
1570 * only read them if we're not.
1571 */
1572 char *pass = NULL;
1573 bool unic= smb_flag2 & FLAGS2_UNICODE_STRINGS;
1574
1575 if (unic && (passlen2 == 0) && passlen1) {
1576 /* Only a ascii plaintext password was sent. */
1577 (void)srvstr_pull_talloc(talloc_tos(),
1578 req->inbuf,
1579 req->flags2,
1580 &pass,
1581 req->buf,
1582 passlen1,
1583 STR_TERMINATE|STR_ASCII);
1584 } else {
1585 (void)srvstr_pull_talloc(talloc_tos(),
1586 req->inbuf,
1587 req->flags2,
1588 &pass,
1589 req->buf,
1590 unic ? passlen2 : passlen1,
1591 STR_TERMINATE);
1592 }
1593 if (!pass) {
1594 reply_nterror(req, nt_status_squash(
1595 NT_STATUS_INVALID_PARAMETER));
1596 END_PROFILE(SMBsesssetupX);
1597 return;
1598 }
1599 plaintext_password = data_blob(pass, strlen(pass)+1);
1600 }
1601
1602 p += passlen1 + passlen2;
1603
1604 p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p,
1605 STR_TERMINATE);
1606 user = tmp ? tmp : "";
1607
1608 p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p,
1609 STR_TERMINATE);
1610 domain = tmp ? tmp : "";
1611
1612 p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p,
1613 STR_TERMINATE);
1614 native_os = tmp ? tmp : "";
1615
1616 p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p,
1617 STR_TERMINATE);
1618 native_lanman = tmp ? tmp : "";
1619
1620 /* not documented or decoded by Ethereal but there is one more
1621 * string in the extra bytes which is the same as the
1622 * PrimaryDomain when using extended security. Windows NT 4
1623 * and 2003 use this string to store the native lanman string.
1624 * Windows 9x does not include a string here at all so we have
1625 * to check if we have any extra bytes left */
1626
1627 byte_count = SVAL(req->vwv+13, 0);
1628 if ( PTR_DIFF(p, save_p) < byte_count) {
1629 p += srvstr_pull_req_talloc(talloc_tos(), req, &tmp, p,
1630 STR_TERMINATE);
1631 primary_domain = tmp ? tmp : "";
1632 } else {
1633 primary_domain = talloc_strdup(talloc_tos(), "null");
1634 }
1635
1636 DEBUG(3,("Domain=[%s] NativeOS=[%s] NativeLanMan=[%s] "
1637 "PrimaryDomain=[%s]\n",
1638 domain, native_os, native_lanman, primary_domain));
1639
1640 if ( ra_type == RA_WIN2K ) {
1641 if ( strlen(native_lanman) == 0 )
1642 ra_lanman_string( primary_domain );
1643 else
1644 ra_lanman_string( native_lanman );
1645 }
1646
1647 }
1648
1649 if (SVAL(req->vwv+4, 0) == 0) {
1650 setup_new_vc_session();
1651 }
1652
1653 DEBUG(3,("sesssetupX:name=[%s]\\[%s]@[%s]\n",
1654 domain, user, get_remote_machine_name()));
1655
1656 if (*user) {
1657 if (sconn->smb1.negprot.spnego) {
1658
1659 /* This has to be here, because this is a perfectly
1660 * valid behaviour for guest logons :-( */
1661
1662 DEBUG(0,("reply_sesssetup_and_X: Rejecting attempt "
1663 "at 'normal' session setup after "
1664 "negotiating spnego.\n"));
1665 reply_nterror(req, nt_status_squash(
1666 NT_STATUS_LOGON_FAILURE));
1667 END_PROFILE(SMBsesssetupX);
1668 return;
1669 }
1670 fstrcpy(sub_user, user);
1671 } else {
1672 fstrcpy(sub_user, lp_guestaccount());
1673 }
1674
1675 sub_set_smb_name(sub_user);
1676
1677 reload_services(True);
1678
1679 if (lp_security() == SEC_SHARE) {
1680 /* In share level we should ignore any passwords */
1681
1682 data_blob_free(&lm_resp);
1683 data_blob_free(&nt_resp);
1684 data_blob_clear_free(&plaintext_password);
1685
1686 map_username(sconn, sub_user);
1687 add_session_user(sconn, sub_user);
1688 add_session_workgroup(sconn, domain);
1689 /* Then force it to null for the benfit of the code below */
1690 user = "";
1691 }
1692
1693 if (!*user) {
1694
1695 nt_status = check_guest_password(&server_info);
1696
1697 } else if (doencrypt) {
1698 struct auth_context *negprot_auth_context = NULL;
1699 negprot_auth_context = sconn->smb1.negprot.auth_context;
1700 if (!negprot_auth_context) {
1701 DEBUG(0, ("reply_sesssetup_and_X: Attempted encrypted "
1702 "session setup without negprot denied!\n"));
1703 reply_nterror(req, nt_status_squash(
1704 NT_STATUS_LOGON_FAILURE));
1705 END_PROFILE(SMBsesssetupX);
1706 return;
1707 }
1708 nt_status = make_user_info_for_reply_enc(&user_info, user,
1709 domain,
1710 lm_resp, nt_resp);
1711 if (NT_STATUS_IS_OK(nt_status)) {
1712 nt_status = negprot_auth_context->check_ntlm_password(
1713 negprot_auth_context,
1714 user_info,
1715 &server_info);
1716 }
1717 } else {
1718 struct auth_context *plaintext_auth_context = NULL;
1719
1720 nt_status = make_auth_context_subsystem(
1721 &plaintext_auth_context);
1722
1723 if (NT_STATUS_IS_OK(nt_status)) {
1724 uint8_t chal[8];
1725
1726 plaintext_auth_context->get_ntlm_challenge(
1727 plaintext_auth_context, chal);
1728
1729 if (!make_user_info_for_reply(&user_info,
1730 user, domain, chal,
1731 plaintext_password)) {
1732 nt_status = NT_STATUS_NO_MEMORY;
1733 }
1734
1735 if (NT_STATUS_IS_OK(nt_status)) {
1736 nt_status = plaintext_auth_context->check_ntlm_password(
1737 plaintext_auth_context,
1738 user_info,
1739 &server_info);
1740
1741 (plaintext_auth_context->free)(
1742 &plaintext_auth_context);
1743 }
1744 }
1745 }
1746
1747 free_user_info(&user_info);
1748
1749 if (!NT_STATUS_IS_OK(nt_status)) {
1750 nt_status = do_map_to_guest(nt_status, &server_info,
1751 user, domain);
1752 }
1753
1754 if (!NT_STATUS_IS_OK(nt_status)) {
1755 data_blob_free(&nt_resp);
1756 data_blob_free(&lm_resp);
1757 data_blob_clear_free(&plaintext_password);
1758 reply_nterror(req, nt_status_squash(nt_status));
1759 END_PROFILE(SMBsesssetupX);
1760 return;
1761 }
1762
1763 /* Ensure we can't possible take a code path leading to a
1764 * null defref. */
1765 if (!server_info) {
1766 reply_nterror(req, nt_status_squash(NT_STATUS_LOGON_FAILURE));
1767 END_PROFILE(SMBsesssetupX);
1768 return;
1769 }
1770
1771 if (!server_info->ptok) {
1772 nt_status = create_local_token(server_info);
1773
1774 if (!NT_STATUS_IS_OK(nt_status)) {
1775 DEBUG(10, ("create_local_token failed: %s\n",
1776 nt_errstr(nt_status)));
1777 data_blob_free(&nt_resp);
1778 data_blob_free(&lm_resp);
1779 data_blob_clear_free(&plaintext_password);
1780 reply_nterror(req, nt_status_squash(nt_status));
1781 END_PROFILE(SMBsesssetupX);
1782 return;
1783 }
1784 }
1785
1786 data_blob_clear_free(&plaintext_password);
1787
1788 /* it's ok - setup a reply */
1789 reply_outbuf(req, 3, 0);
1790 if (get_Protocol() >= PROTOCOL_NT1) {
1791 push_signature(&req->outbuf);
1792 /* perhaps grab OS version here?? */
1793 }
1794
1795 if (server_info->guest) {
1796 SSVAL(req->outbuf,smb_vwv2,1);
1797 }
1798
1799 /* register the name and uid as being validated, so further connections
1800 to a uid can get through without a password, on the same VC */
1801
1802 if (lp_security() == SEC_SHARE) {
1803 sess_vuid = UID_FIELD_INVALID;
1804 TALLOC_FREE(server_info);
1805 } else {
1806 /* Ignore the initial vuid. */
1807 sess_vuid = register_initial_vuid(sconn);
1808 if (sess_vuid == UID_FIELD_INVALID) {
1809 data_blob_free(&nt_resp);
1810 data_blob_free(&lm_resp);
1811 reply_nterror(req, nt_status_squash(
1812 NT_STATUS_LOGON_FAILURE));
1813 END_PROFILE(SMBsesssetupX);
1814 return;
1815 }
1816 /* register_existing_vuid keeps the server info */
1817 sess_vuid = register_existing_vuid(sconn, sess_vuid,
1818 server_info,
1819 nt_resp.data ? nt_resp : lm_resp,
1820 sub_user);
1821 if (sess_vuid == UID_FIELD_INVALID) {
1822 data_blob_free(&nt_resp);
1823 data_blob_free(&lm_resp);
1824 reply_nterror(req, nt_status_squash(
1825 NT_STATUS_LOGON_FAILURE));
1826 END_PROFILE(SMBsesssetupX);
1827 return;
1828 }
1829
1830 /* current_user_info is changed on new vuid */
1831 reload_services( True );
1832 }
1833
1834 data_blob_free(&nt_resp);
1835 data_blob_free(&lm_resp);
1836
1837 SSVAL(req->outbuf,smb_uid,sess_vuid);
1838 SSVAL(req->inbuf,smb_uid,sess_vuid);
1839 req->vuid = sess_vuid;
1840
1841 if (!sconn->smb1.sessions.done_sesssetup) {
1842 sconn->smb1.sessions.max_send =
1843 MIN(sconn->smb1.sessions.max_send,smb_bufsize);
1844 }
1845 sconn->smb1.sessions.done_sesssetup = true;
1846
1847 END_PROFILE(SMBsesssetupX);
1848 chain_reply(req);
1849 return;
1850 }