2 Unix SMB/Netbios implementation.
4 handle GENSEC authentication, server side
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett 2001-2003,2011
8 Copyright (C) Simo Sorce 2010.
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../lib/tsocket/tsocket.h"
27 #include "auth/gensec/gensec.h"
28 #include "lib/param/param.h"
30 #include "auth/kerberos/pac_utils.h"
32 #include "librpc/crypto/gse.h"
33 #include "auth/credentials/credentials.h"
35 static NTSTATUS
auth3_generate_session_info_pac(struct auth4_context
*auth_ctx
,
37 struct smb_krb5_context
*smb_krb5_context
,
39 const char *princ_name
,
40 const struct tsocket_address
*remote_address
,
41 uint32_t session_info_flags
,
42 struct auth_session_info
**session_info
)
45 struct PAC_LOGON_INFO
*logon_info
= NULL
;
56 tmp_ctx
= talloc_new(mem_ctx
);
58 return NT_STATUS_NO_MEMORY
;
63 status
= kerberos_pac_logon_info(tmp_ctx
, *pac_blob
, NULL
, NULL
,
64 NULL
, NULL
, 0, &logon_info
);
66 status
= NT_STATUS_ACCESS_DENIED
;
68 if (!NT_STATUS_IS_OK(status
)) {
73 rc
= get_remote_hostname(remote_address
,
77 status
= NT_STATUS_NO_MEMORY
;
80 if (strequal(rhost
, "UNKNOWN")) {
81 rhost
= tsocket_address_inet_addr_string(remote_address
,
84 status
= NT_STATUS_NO_MEMORY
;
89 status
= get_user_from_kerberos_info(tmp_ctx
, rhost
,
90 princ_name
, logon_info
,
91 &is_mapped
, &is_guest
,
94 if (!NT_STATUS_IS_OK(status
)) {
95 DEBUG(1, ("Failed to map kerberos principal to system user "
96 "(%s)\n", nt_errstr(status
)));
97 status
= NT_STATUS_ACCESS_DENIED
;
101 /* save the PAC data if we have it */
103 netsamlogon_cache_store(ntuser
, &logon_info
->info3
);
106 /* setup the string used by %U */
107 sub_set_smb_name(username
);
109 /* reload services so that the new %U is taken into account */
110 lp_load(get_dyn_CONFIGFILE(), false, false, true, true);
112 status
= make_session_info_krb5(mem_ctx
,
113 ntuser
, ntdomain
, username
, pw
,
114 logon_info
, is_guest
, is_mapped
, NULL
/* No session key for now, caller will sort it out */,
116 if (!NT_STATUS_IS_OK(status
)) {
117 DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
119 status
= NT_STATUS_ACCESS_DENIED
;
123 DEBUG(5, (__location__
"OK: user: %s domain: %s client: %s\n",
124 ntuser
, ntdomain
, rhost
));
126 status
= NT_STATUS_OK
;
129 TALLOC_FREE(tmp_ctx
);
133 static struct auth4_context
*make_auth4_context_s3(TALLOC_CTX
*mem_ctx
, struct auth_context
*auth_context
)
135 struct auth4_context
*auth4_context
= talloc_zero(mem_ctx
, struct auth4_context
);
136 if (auth4_context
== NULL
) {
137 DEBUG(10, ("failed to allocate auth4_context failed\n"));
140 auth4_context
->generate_session_info_pac
= auth3_generate_session_info_pac
;
141 auth4_context
->generate_session_info
= auth3_generate_session_info
;
142 auth4_context
->get_ntlm_challenge
= auth3_get_challenge
;
143 auth4_context
->set_ntlm_challenge
= auth3_set_challenge
;
144 auth4_context
->check_ntlm_password
= auth3_check_password
;
145 auth4_context
->private_data
= talloc_steal(auth4_context
, auth_context
);
146 return auth4_context
;
149 NTSTATUS
make_auth4_context(TALLOC_CTX
*mem_ctx
, struct auth4_context
**auth4_context_out
)
151 struct auth_context
*auth_context
;
154 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
155 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
157 nt_status
= make_auth_context_subsystem(tmp_ctx
, &auth_context
);
158 if (!NT_STATUS_IS_OK(nt_status
)) {
159 TALLOC_FREE(tmp_ctx
);
163 if (auth_context
->make_auth4_context
) {
164 nt_status
= auth_context
->make_auth4_context(mem_ctx
, auth4_context_out
);
165 TALLOC_FREE(tmp_ctx
);
169 struct auth4_context
*auth4_context
= make_auth4_context_s3(tmp_ctx
, auth_context
);
170 if (auth4_context
== NULL
) {
171 TALLOC_FREE(tmp_ctx
);
172 return NT_STATUS_NO_MEMORY
;
174 *auth4_context_out
= talloc_steal(mem_ctx
, auth4_context
);
175 TALLOC_FREE(tmp_ctx
);
180 NTSTATUS
auth_generic_prepare(TALLOC_CTX
*mem_ctx
,
181 const struct tsocket_address
*remote_address
,
182 struct gensec_security
**gensec_security_out
)
184 struct gensec_security
*gensec_security
;
185 struct auth_context
*auth_context
;
188 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
189 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
191 nt_status
= make_auth_context_subsystem(tmp_ctx
, &auth_context
);
192 if (!NT_STATUS_IS_OK(nt_status
)) {
193 TALLOC_FREE(tmp_ctx
);
197 if (auth_context
->prepare_gensec
) {
198 nt_status
= auth_context
->prepare_gensec(tmp_ctx
,
200 if (!NT_STATUS_IS_OK(nt_status
)) {
201 TALLOC_FREE(tmp_ctx
);
205 struct gensec_settings
*gensec_settings
;
206 struct loadparm_context
*lp_ctx
;
208 struct cli_credentials
*server_credentials
;
209 const char *dns_name
;
210 const char *dns_domain
;
211 struct auth4_context
*auth4_context
= make_auth4_context_s3(tmp_ctx
, auth_context
);
212 if (auth4_context
== NULL
) {
213 TALLOC_FREE(tmp_ctx
);
214 return NT_STATUS_NO_MEMORY
;
217 lp_ctx
= loadparm_init_s3(tmp_ctx
, loadparm_s3_helpers());
218 if (lp_ctx
== NULL
) {
219 DEBUG(10, ("loadparm_init_s3 failed\n"));
220 TALLOC_FREE(tmp_ctx
);
221 return NT_STATUS_INVALID_SERVER_STATE
;
224 gensec_settings
= lpcfg_gensec_settings(tmp_ctx
, lp_ctx
);
225 if (lp_ctx
== NULL
) {
226 DEBUG(10, ("lpcfg_gensec_settings failed\n"));
227 TALLOC_FREE(tmp_ctx
);
228 return NT_STATUS_NO_MEMORY
;
232 * This should be a 'netbios domain -> DNS domain'
233 * mapping, and can currently validly return NULL on
234 * poorly configured systems.
236 * This is used for the NTLMSSP server
239 dns_name
= get_mydnsfullname();
240 if (dns_name
== NULL
) {
244 dns_domain
= get_mydnsdomname(tmp_ctx
);
245 if (dns_domain
== NULL
) {
249 gensec_settings
->server_dns_name
= strlower_talloc(gensec_settings
, dns_name
);
250 if (gensec_settings
->server_dns_name
== NULL
) {
251 TALLOC_FREE(tmp_ctx
);
252 return NT_STATUS_NO_MEMORY
;
255 gensec_settings
->server_dns_domain
= strlower_talloc(gensec_settings
, dns_domain
);
256 if (gensec_settings
->server_dns_domain
== NULL
) {
257 TALLOC_FREE(tmp_ctx
);
258 return NT_STATUS_NO_MEMORY
;
261 gensec_settings
->backends
= talloc_zero_array(gensec_settings
,
262 struct gensec_security_ops
*, 4);
263 if (gensec_settings
->backends
== NULL
) {
264 TALLOC_FREE(tmp_ctx
);
265 return NT_STATUS_NO_MEMORY
;
270 /* These need to be in priority order, krb5 before NTLMSSP */
271 #if defined(HAVE_KRB5)
272 gensec_settings
->backends
[idx
++] = &gensec_gse_krb5_security_ops
;
275 gensec_settings
->backends
[idx
++] = gensec_security_by_oid(NULL
, GENSEC_OID_NTLMSSP
);
277 gensec_settings
->backends
[idx
++] = gensec_security_by_oid(NULL
,
281 * This is anonymous for now, because we just use it
282 * to set the kerberos state at the moment
284 server_credentials
= cli_credentials_init_anon(tmp_ctx
);
285 if (!server_credentials
) {
286 DEBUG(0, ("auth_generic_prepare: Failed to init server credentials\n"));
287 return NT_STATUS_NO_MEMORY
;
290 cli_credentials_set_conf(server_credentials
, lp_ctx
);
292 if (lp_security() == SEC_ADS
|| USE_KERBEROS_KEYTAB
) {
293 cli_credentials_set_kerberos_state(server_credentials
, CRED_AUTO_USE_KERBEROS
);
295 cli_credentials_set_kerberos_state(server_credentials
, CRED_DONT_USE_KERBEROS
);
298 nt_status
= gensec_server_start(tmp_ctx
, gensec_settings
,
299 auth4_context
, &gensec_security
);
301 if (!NT_STATUS_IS_OK(nt_status
)) {
302 TALLOC_FREE(tmp_ctx
);
306 gensec_set_credentials(gensec_security
, server_credentials
);
308 talloc_unlink(tmp_ctx
, lp_ctx
);
309 talloc_unlink(tmp_ctx
, server_credentials
);
310 talloc_unlink(tmp_ctx
, gensec_settings
);
311 talloc_unlink(tmp_ctx
, auth4_context
);
314 nt_status
= gensec_set_remote_address(gensec_security
,
316 if (!NT_STATUS_IS_OK(nt_status
)) {
317 TALLOC_FREE(tmp_ctx
);
321 *gensec_security_out
= talloc_steal(mem_ctx
, gensec_security
);
322 TALLOC_FREE(tmp_ctx
);
326 NTSTATUS
auth_check_password_session_info(struct auth4_context
*auth_context
,
328 struct auth_usersupplied_info
*user_info
,
329 struct auth_session_info
**session_info
)
334 nt_status
= auth_context
->check_ntlm_password(auth_context
,
337 &server_info
, NULL
, NULL
);
339 if (NT_STATUS_IS_OK(nt_status
)) {
340 nt_status
= auth_context
->generate_session_info(auth_context
,
343 user_info
->client
.account_name
,
344 AUTH_SESSION_INFO_UNIX_TOKEN
|
345 AUTH_SESSION_INFO_DEFAULT_GROUPS
,
347 TALLOC_FREE(server_info
);