2 Unix SMB/CIFS implementation.
4 helper functions for NAMED PIPE servers
6 Copyright (C) Stefan (metze) Metzmacher 2008
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "smbd/service.h"
25 #include "param/param.h"
26 #include "auth/auth.h"
27 #include "auth/session.h"
28 #include "auth/auth_sam_reply.h"
29 #include "lib/socket/socket.h"
30 #include "lib/tsocket/tsocket.h"
31 #include "libcli/util/tstream.h"
32 #include "librpc/gen_ndr/ndr_named_pipe_auth.h"
33 #include "system/passwd.h"
34 #include "system/network.h"
35 #include "libcli/raw/smb.h"
36 #include "auth/credentials/credentials.h"
37 #include "auth/credentials/credentials_krb5.h"
38 #include "libcli/security/dom_sid.h"
40 struct named_pipe_socket
{
41 const char *pipe_name
;
42 const char *pipe_path
;
43 const struct stream_server_ops
*ops
;
47 struct named_pipe_connection
{
48 struct stream_connection
*connection
;
49 const struct named_pipe_socket
*pipe_sock
;
50 struct tstream_context
*tstream
;
53 static void named_pipe_terminate_connection(struct named_pipe_connection
*pipe_conn
, const char *reason
)
55 stream_terminate_connection(pipe_conn
->connection
, reason
);
58 static NTSTATUS
named_pipe_full_request(void *private_data
, DATA_BLOB blob
, size_t *size
)
60 if (blob
.length
< 8) {
61 return STATUS_MORE_ENTRIES
;
64 if (memcmp(NAMED_PIPE_AUTH_MAGIC
, &blob
.data
[4], 4) != 0) {
65 DEBUG(0,("named_pipe_full_request: wrong protocol\n"));
67 /* the error will be handled in named_pipe_recv_auth_request */
71 *size
= 4 + RIVAL(blob
.data
, 0);
72 if (*size
> blob
.length
) {
73 return STATUS_MORE_ENTRIES
;
79 static void named_pipe_auth_request(struct tevent_req
*subreq
);
81 static void named_pipe_accept(struct stream_connection
*conn
)
83 struct named_pipe_socket
*pipe_sock
= talloc_get_type(conn
->private_data
,
84 struct named_pipe_socket
);
85 struct named_pipe_connection
*pipe_conn
;
86 struct tevent_req
*subreq
;
89 pipe_conn
= talloc_zero(conn
, struct named_pipe_connection
);
90 if (pipe_conn
== NULL
) {
91 stream_terminate_connection(conn
,
92 "named_pipe_accept: out of memory");
96 TALLOC_FREE(conn
->event
.fde
);
99 * We have to duplicate the fd, cause it gets closed when the tstream
100 * is freed and you shouldn't work a fd the tstream is based on.
102 fd
= dup(socket_get_fd(conn
->socket
));
106 reason
= talloc_asprintf(conn
,
107 "named_pipe_accept: failed to duplicate the file descriptor - %s",
109 if (reason
== NULL
) {
110 reason
= strerror(errno
);
112 stream_terminate_connection(conn
, reason
);
114 rc
= tstream_bsd_existing_socket(pipe_conn
,
116 &pipe_conn
->tstream
);
118 stream_terminate_connection(conn
,
119 "named_pipe_accept: out of memory");
123 pipe_conn
->connection
= conn
;
124 pipe_conn
->pipe_sock
= pipe_sock
;
125 conn
->private_data
= pipe_conn
;
128 * The named pipe pdu's have the length as 8 byte (initial_read_size),
129 * named_pipe_full_request provides the pdu length then.
131 subreq
= tstream_read_pdu_blob_send(pipe_conn
,
132 pipe_conn
->connection
->event
.ctx
,
134 8, /* initial_read_size */
135 named_pipe_full_request
,
137 if (subreq
== NULL
) {
138 named_pipe_terminate_connection(pipe_conn
,
139 "named_pipe_accept: "
140 "no memory for tstream_read_pdu_blob_send");
143 tevent_req_set_callback(subreq
, named_pipe_auth_request
, pipe_conn
);
146 struct named_pipe_call
{
147 struct named_pipe_connection
*pipe_conn
;
150 struct iovec out_iov
[1];
154 static void named_pipe_handover_connection(struct tevent_req
*subreq
);
156 static void named_pipe_auth_request(struct tevent_req
*subreq
)
158 struct named_pipe_connection
*pipe_conn
= tevent_req_callback_data(subreq
,
159 struct named_pipe_connection
);
160 struct stream_connection
*conn
= pipe_conn
->connection
;
161 struct named_pipe_call
*call
;
162 enum ndr_err_code ndr_err
;
163 union netr_Validation val
;
164 struct auth_serversupplied_info
*server_info
;
165 struct named_pipe_auth_req pipe_request
;
166 struct named_pipe_auth_rep pipe_reply
;
167 struct auth_context
*auth_context
;
168 uint32_t session_flags
= 0;
169 struct dom_sid
*anonymous_sid
;
173 call
= talloc(pipe_conn
, struct named_pipe_call
);
175 named_pipe_terminate_connection(pipe_conn
,
176 "named_pipe_auth_request: "
177 "no memory for named_pipe_call");
180 call
->pipe_conn
= pipe_conn
;
182 status
= tstream_read_pdu_blob_recv(subreq
,
186 if (!NT_STATUS_IS_OK(status
)) {
189 reason
= talloc_asprintf(call
, "named_pipe_call_loop: "
190 "tstream_read_pdu_blob_recv() - %s",
192 if (reason
== NULL
) {
193 reason
= nt_errstr(status
);
196 named_pipe_terminate_connection(pipe_conn
, reason
);
200 DEBUG(10,("Received named_pipe packet of length %lu from %s\n",
201 (long) call
->in
.length
,
202 tsocket_address_string(pipe_conn
->connection
->remote_address
, call
)));
203 dump_data(11, call
->in
.data
, call
->in
.length
);
206 * TODO: check it's a root (uid == 0) pipe
209 ZERO_STRUCT(pipe_reply
);
210 pipe_reply
.level
= 0;
211 pipe_reply
.status
= NT_STATUS_INTERNAL_ERROR
;
213 /* parse the passed credentials */
214 ndr_err
= ndr_pull_struct_blob_all(
218 (ndr_pull_flags_fn_t
) ndr_pull_named_pipe_auth_req
);
219 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
220 pipe_reply
.status
= ndr_map_error2ntstatus(ndr_err
);
221 DEBUG(2, ("Could not unmarshall named_pipe_auth_req: %s\n",
222 nt_errstr(pipe_reply
.status
)));
227 NDR_PRINT_DEBUG(named_pipe_auth_req
, &pipe_request
);
230 if (strcmp(NAMED_PIPE_AUTH_MAGIC
, pipe_request
.magic
) != 0) {
231 DEBUG(2, ("named_pipe_auth_req: invalid magic '%s' != %s\n",
232 pipe_request
.magic
, NAMED_PIPE_AUTH_MAGIC
));
233 pipe_reply
.status
= NT_STATUS_INVALID_PARAMETER
;
237 switch (pipe_request
.level
) {
240 * anon connection, we don't create a session info
243 pipe_reply
.level
= 0;
244 pipe_reply
.status
= NT_STATUS_OK
;
247 val
.sam3
= &pipe_request
.info
.info1
;
249 pipe_reply
.level
= 1;
250 pipe_reply
.status
= make_server_info_netlogon_validation(pipe_conn
,
254 if (!NT_STATUS_IS_OK(pipe_reply
.status
)) {
255 DEBUG(2, ("make_server_info_netlogon_validation returned "
256 "%s\n", nt_errstr(pipe_reply
.status
)));
260 pipe_reply
.status
= auth_context_create(conn
,
261 conn
->event
.ctx
, conn
->msg_ctx
,
264 if (!NT_STATUS_IS_OK(pipe_reply
.status
)) {
265 DEBUG(2, ("auth_context_create returned "
266 "%s\n", nt_errstr(pipe_reply
.status
)));
270 anonymous_sid
= dom_sid_parse_talloc(auth_context
, SID_NT_ANONYMOUS
);
271 if (anonymous_sid
== NULL
) {
272 named_pipe_terminate_connection(pipe_conn
, "Failed to parse Anonymous SID ");
273 talloc_free(auth_context
);
277 session_flags
= AUTH_SESSION_INFO_DEFAULT_GROUPS
;
278 if (!dom_sid_equal(anonymous_sid
, server_info
->account_sid
)) {
279 session_flags
|= AUTH_SESSION_INFO_AUTHENTICATED
;
282 /* setup the session_info on the connection */
283 pipe_reply
.status
= auth_context
->generate_session_info(conn
,
287 &conn
->session_info
);
288 talloc_free(auth_context
);
289 if (!NT_STATUS_IS_OK(pipe_reply
.status
)) {
290 DEBUG(2, ("auth_generate_session_info failed: %s\n",
291 nt_errstr(pipe_reply
.status
)));
297 pipe_reply
.level
= 2;
298 pipe_reply
.info
.info2
.file_type
= FILE_TYPE_MESSAGE_MODE_PIPE
;
299 pipe_reply
.info
.info2
.device_state
= 0xff | 0x0400 | 0x0100;
300 pipe_reply
.info
.info2
.allocation_size
= 4096;
302 if (pipe_request
.info
.info2
.sam_info3
== NULL
) {
304 * anon connection, we don't create a session info
307 pipe_reply
.status
= NT_STATUS_OK
;
311 val
.sam3
= pipe_request
.info
.info2
.sam_info3
;
313 pipe_reply
.status
= make_server_info_netlogon_validation(pipe_conn
,
314 val
.sam3
->base
.account_name
.string
,
315 3, &val
, &server_info
);
316 if (!NT_STATUS_IS_OK(pipe_reply
.status
)) {
317 DEBUG(2, ("make_server_info_netlogon_validation returned "
318 "%s\n", nt_errstr(pipe_reply
.status
)));
322 /* setup the session_info on the connection */
323 pipe_reply
.status
= auth_context_create(conn
,
324 conn
->event
.ctx
, conn
->msg_ctx
,
327 if (!NT_STATUS_IS_OK(pipe_reply
.status
)) {
328 DEBUG(2, ("auth_context_create returned "
329 "%s\n", nt_errstr(pipe_reply
.status
)));
333 anonymous_sid
= dom_sid_parse_talloc(auth_context
, SID_NT_ANONYMOUS
);
334 if (anonymous_sid
== NULL
) {
335 named_pipe_terminate_connection(pipe_conn
, "Failed to parse Anonymous SID ");
336 talloc_free(auth_context
);
340 session_flags
= AUTH_SESSION_INFO_DEFAULT_GROUPS
;
341 if (!dom_sid_equal(anonymous_sid
, server_info
->account_sid
)) {
342 session_flags
|= AUTH_SESSION_INFO_AUTHENTICATED
;
345 pipe_reply
.status
= auth_context
->generate_session_info(conn
,
349 &conn
->session_info
);
350 talloc_free(auth_context
);
351 if (!NT_STATUS_IS_OK(pipe_reply
.status
)) {
352 DEBUG(2, ("auth_generate_session_info failed: %s\n",
353 nt_errstr(pipe_reply
.status
)));
357 conn
->session_info
->session_key
= data_blob_const(pipe_request
.info
.info2
.session_key
,
358 pipe_request
.info
.info2
.session_key_length
);
359 talloc_steal(conn
->session_info
, pipe_request
.info
.info2
.session_key
);
363 pipe_reply
.level
= 3;
364 pipe_reply
.info
.info3
.file_type
= FILE_TYPE_MESSAGE_MODE_PIPE
;
365 pipe_reply
.info
.info3
.device_state
= 0xff | 0x0400 | 0x0100;
366 pipe_reply
.info
.info3
.allocation_size
= 4096;
368 if (pipe_request
.info
.info3
.server_addr
== NULL
) {
369 pipe_reply
.status
= NT_STATUS_INVALID_ADDRESS
;
370 DEBUG(2, ("Missing server address\n"));
373 if (pipe_request
.info
.info3
.client_addr
== NULL
) {
374 pipe_reply
.status
= NT_STATUS_INVALID_ADDRESS
;
375 DEBUG(2, ("Missing client address\n"));
379 ret
= tsocket_address_inet_from_strings(conn
, "ip",
380 pipe_request
.info
.info3
.server_addr
,
381 pipe_request
.info
.info3
.server_port
,
382 &conn
->local_address
);
384 DEBUG(2, ("Invalid server address[%s] port[%u] - %s\n",
385 pipe_request
.info
.info3
.server_addr
,
386 pipe_request
.info
.info3
.server_port
,
388 pipe_reply
.status
= NT_STATUS_INVALID_ADDRESS
;
392 ret
= tsocket_address_inet_from_strings(conn
, "ip",
393 pipe_request
.info
.info3
.client_addr
,
394 pipe_request
.info
.info3
.client_port
,
395 &conn
->remote_address
);
397 DEBUG(2, ("Invalid client address[%s] port[%u] - %s\n",
398 pipe_request
.info
.info3
.client_addr
,
399 pipe_request
.info
.info3
.client_port
,
401 pipe_reply
.status
= NT_STATUS_INVALID_ADDRESS
;
405 if (pipe_request
.info
.info3
.sam_info3
== NULL
) {
407 * anon connection, we don't create a session info
410 pipe_reply
.status
= NT_STATUS_OK
;
414 val
.sam3
= pipe_request
.info
.info3
.sam_info3
;
416 pipe_reply
.status
= make_server_info_netlogon_validation(pipe_conn
,
417 val
.sam3
->base
.account_name
.string
,
418 3, &val
, &server_info
);
419 if (!NT_STATUS_IS_OK(pipe_reply
.status
)) {
420 DEBUG(2, ("make_server_info_netlogon_validation returned "
421 "%s\n", nt_errstr(pipe_reply
.status
)));
425 /* setup the session_info on the connection */
426 pipe_reply
.status
= auth_context_create(conn
,
427 conn
->event
.ctx
, conn
->msg_ctx
,
430 if (!NT_STATUS_IS_OK(pipe_reply
.status
)) {
431 DEBUG(2, ("auth_context_create returned "
432 "%s\n", nt_errstr(pipe_reply
.status
)));
436 anonymous_sid
= dom_sid_parse_talloc(auth_context
, SID_NT_ANONYMOUS
);
437 if (anonymous_sid
== NULL
) {
438 named_pipe_terminate_connection(pipe_conn
, "Failed to parse Anonymous SID ");
439 talloc_free(auth_context
);
443 session_flags
= AUTH_SESSION_INFO_DEFAULT_GROUPS
;
444 if (!dom_sid_equal(anonymous_sid
, server_info
->account_sid
)) {
445 session_flags
|= AUTH_SESSION_INFO_AUTHENTICATED
;
448 /* setup the session_info on the connection */
449 pipe_reply
.status
= auth_context
->generate_session_info(conn
,
453 &conn
->session_info
);
454 talloc_free(auth_context
);
455 if (!NT_STATUS_IS_OK(pipe_reply
.status
)) {
456 DEBUG(2, ("auth_generate_session_info failed: %s\n",
457 nt_errstr(pipe_reply
.status
)));
461 if (pipe_request
.info
.info3
.gssapi_delegated_creds_length
) {
462 OM_uint32 minor_status
;
463 gss_buffer_desc cred_token
;
464 gss_cred_id_t cred_handle
;
465 const char *error_string
;
467 DEBUG(10, ("named_pipe_auth: delegated credentials supplied by client\n"));
469 cred_token
.value
= pipe_request
.info
.info3
.gssapi_delegated_creds
;
470 cred_token
.length
= pipe_request
.info
.info3
.gssapi_delegated_creds_length
;
472 ret
= gss_import_cred(&minor_status
,
475 if (ret
!= GSS_S_COMPLETE
) {
476 pipe_reply
.status
= NT_STATUS_INTERNAL_ERROR
;
480 conn
->session_info
->credentials
= cli_credentials_init(conn
->session_info
);
481 if (conn
->session_info
->credentials
== NULL
) {
482 pipe_reply
.status
= NT_STATUS_NO_MEMORY
;
486 cli_credentials_set_conf(conn
->session_info
->credentials
,
488 /* Just so we don't segfault trying to get at a username */
489 cli_credentials_set_anonymous(conn
->session_info
->credentials
);
491 ret
= cli_credentials_set_client_gss_creds(conn
->session_info
->credentials
,
495 CRED_SPECIFIED
, &error_string
);
497 pipe_reply
.status
= NT_STATUS_INTERNAL_ERROR
;
498 DEBUG(2, ("Failed to set pipe forwarded creds: %s\n", error_string
));
502 /* This credential handle isn't useful for password authentication, so ensure nobody tries to do that */
503 cli_credentials_set_kerberos_state(conn
->session_info
->credentials
,
504 CRED_MUST_USE_KERBEROS
);
507 conn
->session_info
->session_key
= data_blob_const(pipe_request
.info
.info3
.session_key
,
508 pipe_request
.info
.info3
.session_key_length
);
509 talloc_steal(conn
->session_info
, pipe_request
.info
.info3
.session_key
);
513 DEBUG(0, ("named_pipe_auth_req: unknown level %u\n",
514 pipe_request
.level
));
515 pipe_reply
.level
= 0;
516 pipe_reply
.status
= NT_STATUS_INVALID_LEVEL
;
521 /* create the output */
522 ndr_err
= ndr_push_struct_blob(&call
->out
, pipe_conn
,
524 (ndr_push_flags_fn_t
)ndr_push_named_pipe_auth_rep
);
525 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
527 status
= ndr_map_error2ntstatus(ndr_err
);
529 reason
= talloc_asprintf(pipe_conn
, "named_pipe_auth_request: could not marshall named_pipe_auth_rep: %s\n",
531 if (reason
== NULL
) {
532 reason
= "named_pipe_auth_request: could not marshall named_pipe_auth_rep";
534 named_pipe_terminate_connection(pipe_conn
, reason
);
538 DEBUG(10,("named_pipe_auth_request: named_pipe_auth reply[%u]\n",
539 (unsigned) call
->out
.length
));
540 dump_data(11, call
->out
.data
, call
->out
.length
);
542 NDR_PRINT_DEBUG(named_pipe_auth_rep
, &pipe_reply
);
545 call
->status
= pipe_reply
.status
;
547 call
->out_iov
[0].iov_base
= call
->out
.data
;
548 call
->out_iov
[0].iov_len
= call
->out
.length
;
550 subreq
= tstream_writev_send(call
,
551 pipe_conn
->connection
->event
.ctx
,
554 if (subreq
== NULL
) {
555 named_pipe_terminate_connection(pipe_conn
, "named_pipe_auth_request: "
556 "no memory for tstream_writev_send");
560 tevent_req_set_callback(subreq
, named_pipe_handover_connection
, call
);
563 static void named_pipe_handover_connection(struct tevent_req
*subreq
)
565 struct named_pipe_call
*call
= tevent_req_callback_data(subreq
,
566 struct named_pipe_call
);
567 struct named_pipe_connection
*pipe_conn
= call
->pipe_conn
;
568 struct stream_connection
*conn
= pipe_conn
->connection
;
572 rc
= tstream_writev_recv(subreq
, &sys_errno
);
577 reason
= talloc_asprintf(call
, "named_pipe_handover_connection: "
578 "tstream_writev_recv() - %d:%s",
579 sys_errno
, strerror(sys_errno
));
580 if (reason
== NULL
) {
581 reason
= "named_pipe_handover_connection: "
582 "tstream_writev_recv() failed";
585 named_pipe_terminate_connection(pipe_conn
, reason
);
589 if (!NT_STATUS_IS_OK(call
->status
)) {
592 reason
= talloc_asprintf(call
, "named_pipe_handover_connection: "
593 "reply status - %s", nt_errstr(call
->status
));
594 if (reason
== NULL
) {
595 reason
= nt_errstr(call
->status
);
598 named_pipe_terminate_connection(pipe_conn
, reason
);
603 * remove the named_pipe layer together with its packet layer
605 conn
->ops
= pipe_conn
->pipe_sock
->ops
;
606 conn
->private_data
= pipe_conn
->pipe_sock
->private_data
;
607 talloc_unlink(conn
, pipe_conn
);
609 conn
->event
.fde
= tevent_add_fd(conn
->event
.ctx
,
611 socket_get_fd(conn
->socket
),
613 stream_io_handler_fde
,
615 if (conn
->event
.fde
== NULL
) {
616 named_pipe_terminate_connection(pipe_conn
, "named_pipe_handover_connection: "
617 "setting up the stream_io_handler_fde failed");
622 * hand over to the real pipe implementation,
623 * now that we have setup the transport session_info
625 conn
->ops
->accept_connection(conn
);
627 DEBUG(10,("named_pipe_handover_connection[%s]: succeeded\n",
630 /* we don't have to free call here as the connection got closed */
634 called when a pipe socket becomes readable
636 static void named_pipe_recv(struct stream_connection
*conn
, uint16_t flags
)
638 struct named_pipe_connection
*pipe_conn
= talloc_get_type(
639 conn
->private_data
, struct named_pipe_connection
);
641 named_pipe_terminate_connection(pipe_conn
,
642 "named_pipe_recv: called");
646 called when a pipe socket becomes writable
648 static void named_pipe_send(struct stream_connection
*conn
, uint16_t flags
)
650 struct named_pipe_connection
*pipe_conn
= talloc_get_type(
651 conn
->private_data
, struct named_pipe_connection
);
653 named_pipe_terminate_connection(pipe_conn
,
654 "named_pipe_send: called");
657 static const struct stream_server_ops named_pipe_stream_ops
= {
658 .name
= "named_pipe",
659 .accept_connection
= named_pipe_accept
,
660 .recv_handler
= named_pipe_recv
,
661 .send_handler
= named_pipe_send
,
664 NTSTATUS
stream_setup_named_pipe(struct tevent_context
*event_context
,
665 struct loadparm_context
*lp_ctx
,
666 const struct model_ops
*model_ops
,
667 const struct stream_server_ops
*stream_ops
,
668 const char *pipe_name
,
672 struct named_pipe_socket
*pipe_sock
;
673 NTSTATUS status
= NT_STATUS_NO_MEMORY
;;
675 pipe_sock
= talloc(event_context
, struct named_pipe_socket
);
676 if (pipe_sock
== NULL
) {
680 /* remember the details about the pipe */
681 pipe_sock
->pipe_name
= talloc_strdup(pipe_sock
, pipe_name
);
682 if (pipe_sock
->pipe_name
== NULL
) {
686 dirname
= talloc_asprintf(pipe_sock
, "%s/np", lp_ncalrpc_dir(lp_ctx
));
687 if (dirname
== NULL
) {
691 if (!directory_create_or_exist(dirname
, geteuid(), 0700)) {
692 status
= map_nt_error_from_unix(errno
);
693 DEBUG(0,(__location__
": Failed to create stream pipe directory %s - %s\n",
694 dirname
, nt_errstr(status
)));
698 if (strncmp(pipe_name
, "\\pipe\\", 6) == 0) {
702 pipe_sock
->pipe_path
= talloc_asprintf(pipe_sock
, "%s/%s", dirname
,
704 if (pipe_sock
->pipe_path
== NULL
) {
708 talloc_free(dirname
);
710 pipe_sock
->ops
= stream_ops
;
711 pipe_sock
->private_data
= talloc_reference(pipe_sock
, private_data
);
713 status
= stream_setup_socket(event_context
,
716 &named_pipe_stream_ops
,
718 pipe_sock
->pipe_path
,
722 if (!NT_STATUS_IS_OK(status
)) {
728 talloc_free(pipe_sock
);