2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001-2010
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Stefan Metzmacher 2005
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "libcli/security/security.h"
26 #include "auth/credentials/credentials.h"
27 #include "param/param.h"
28 #include "auth/auth.h" /* for auth_serversupplied_info */
29 #include "auth/session.h"
30 #include "auth/system_session_proto.h"
33 * Create the SID list for this user.
35 * @note Specialised version for system sessions that doesn't use the SAM.
37 static NTSTATUS
create_token(TALLOC_CTX
*mem_ctx
,
38 struct dom_sid
*user_sid
,
39 struct dom_sid
*group_sid
,
40 unsigned int n_groupSIDs
,
41 struct dom_sid
**groupSIDs
,
42 bool is_authenticated
,
43 struct security_token
**token
)
45 struct security_token
*ptoken
;
48 ptoken
= security_token_initialise(mem_ctx
);
49 NT_STATUS_HAVE_NO_MEMORY(ptoken
);
51 ptoken
->sids
= talloc_array(ptoken
, struct dom_sid
, n_groupSIDs
+ 5);
52 NT_STATUS_HAVE_NO_MEMORY(ptoken
->sids
);
54 ptoken
->sids
[PRIMARY_USER_SID_INDEX
] = *user_sid
;
55 ptoken
->sids
[PRIMARY_GROUP_SID_INDEX
] = *group_sid
;
56 ptoken
->privilege_mask
= 0;
59 * Finally add the "standard" SIDs.
60 * The only difference between guest and "anonymous"
61 * is the addition of Authenticated_Users.
64 if (!dom_sid_parse(SID_WORLD
, &ptoken
->sids
[2])) {
65 return NT_STATUS_INTERNAL_ERROR
;
67 if (!dom_sid_parse(SID_NT_NETWORK
, &ptoken
->sids
[3])) {
68 return NT_STATUS_INTERNAL_ERROR
;
72 if (is_authenticated
) {
73 if (!dom_sid_parse(SID_NT_AUTHENTICATED_USERS
, &ptoken
->sids
[4])) {
74 return NT_STATUS_INTERNAL_ERROR
;
79 for (i
= 0; i
< n_groupSIDs
; i
++) {
81 for (check_sid_idx
= 1;
82 check_sid_idx
< ptoken
->num_sids
;
84 if (dom_sid_equal(&ptoken
->sids
[check_sid_idx
], groupSIDs
[i
])) {
89 if (check_sid_idx
== ptoken
->num_sids
) {
90 ptoken
->sids
[ptoken
->num_sids
++] = *groupSIDs
[i
];
96 /* Shortcuts to prevent recursion and avoid lookups */
97 if (ptoken
->sids
== NULL
) {
98 ptoken
->privilege_mask
= 0;
102 if (security_token_is_system(ptoken
)) {
103 ptoken
->privilege_mask
= ~0;
104 } else if (security_token_is_anonymous(ptoken
)) {
105 ptoken
->privilege_mask
= 0;
106 } else if (security_token_has_builtin_administrators(ptoken
)) {
107 ptoken
->privilege_mask
= ~0;
109 /* All other 'users' get a empty priv set so far */
110 ptoken
->privilege_mask
= 0;
115 NTSTATUS
auth_generate_simple_session_info(TALLOC_CTX
*mem_ctx
,
116 struct auth_serversupplied_info
*server_info
,
117 struct auth_session_info
**_session_info
)
119 struct auth_session_info
*session_info
;
122 session_info
= talloc(mem_ctx
, struct auth_session_info
);
123 NT_STATUS_HAVE_NO_MEMORY(session_info
);
125 session_info
->server_info
= talloc_reference(session_info
, server_info
);
127 /* unless set otherwise, the session key is the user session
128 * key from the auth subsystem */
129 session_info
->session_key
= server_info
->user_session_key
;
131 nt_status
= create_token(session_info
,
132 server_info
->account_sid
,
133 server_info
->primary_group_sid
,
134 server_info
->n_domain_groups
,
135 server_info
->domain_groups
,
136 server_info
->authenticated
,
137 &session_info
->security_token
);
138 NT_STATUS_NOT_OK_RETURN(nt_status
);
140 session_info
->credentials
= NULL
;
142 *_session_info
= session_info
;
148 prevent the static system session being freed
150 static int system_session_destructor(struct auth_session_info
*info
)
155 /* Create a security token for a session SYSTEM (the most
156 * trusted/prvilaged account), including the local machine account as
157 * the off-host credentials
159 _PUBLIC_
struct auth_session_info
*system_session(struct loadparm_context
*lp_ctx
)
161 static struct auth_session_info
*static_session
;
164 if (static_session
) {
165 return static_session
;
168 nt_status
= auth_system_session_info(talloc_autofree_context(),
171 if (!NT_STATUS_IS_OK(nt_status
)) {
172 talloc_free(static_session
);
173 static_session
= NULL
;
176 talloc_set_destructor(static_session
, system_session_destructor
);
177 return static_session
;
180 NTSTATUS
auth_system_session_info(TALLOC_CTX
*parent_ctx
,
181 struct loadparm_context
*lp_ctx
,
182 struct auth_session_info
**_session_info
)
185 struct auth_serversupplied_info
*server_info
= NULL
;
186 struct auth_session_info
*session_info
= NULL
;
187 TALLOC_CTX
*mem_ctx
= talloc_new(parent_ctx
);
189 nt_status
= auth_system_server_info(mem_ctx
, lpcfg_netbios_name(lp_ctx
),
191 if (!NT_STATUS_IS_OK(nt_status
)) {
192 talloc_free(mem_ctx
);
196 /* references the server_info into the session_info */
197 nt_status
= auth_generate_session_info(parent_ctx
, NULL
, server_info
, 0, &session_info
);
198 talloc_free(mem_ctx
);
200 NT_STATUS_NOT_OK_RETURN(nt_status
);
202 session_info
->credentials
= cli_credentials_init(session_info
);
203 if (!session_info
->credentials
) {
204 return NT_STATUS_NO_MEMORY
;
207 cli_credentials_set_conf(session_info
->credentials
, lp_ctx
);
209 cli_credentials_set_machine_account_pending(session_info
->credentials
, lp_ctx
);
210 *_session_info
= session_info
;
215 NTSTATUS
auth_system_server_info(TALLOC_CTX
*mem_ctx
, const char *netbios_name
,
216 struct auth_serversupplied_info
**_server_info
)
218 struct auth_serversupplied_info
*server_info
;
220 server_info
= talloc(mem_ctx
, struct auth_serversupplied_info
);
221 NT_STATUS_HAVE_NO_MEMORY(server_info
);
223 server_info
->account_sid
= dom_sid_parse_talloc(server_info
, SID_NT_SYSTEM
);
224 NT_STATUS_HAVE_NO_MEMORY(server_info
->account_sid
);
226 /* is this correct? */
227 server_info
->primary_group_sid
= dom_sid_parse_talloc(server_info
, SID_BUILTIN_ADMINISTRATORS
);
228 NT_STATUS_HAVE_NO_MEMORY(server_info
->primary_group_sid
);
230 server_info
->n_domain_groups
= 0;
231 server_info
->domain_groups
= NULL
;
233 /* annoying, but the Anonymous really does have a session key,
234 and it is all zeros! */
235 server_info
->user_session_key
= data_blob_talloc(server_info
, NULL
, 16);
236 NT_STATUS_HAVE_NO_MEMORY(server_info
->user_session_key
.data
);
238 server_info
->lm_session_key
= data_blob_talloc(server_info
, NULL
, 16);
239 NT_STATUS_HAVE_NO_MEMORY(server_info
->lm_session_key
.data
);
241 data_blob_clear(&server_info
->user_session_key
);
242 data_blob_clear(&server_info
->lm_session_key
);
244 server_info
->account_name
= talloc_strdup(server_info
, "SYSTEM");
245 NT_STATUS_HAVE_NO_MEMORY(server_info
->account_name
);
247 server_info
->domain_name
= talloc_strdup(server_info
, "NT AUTHORITY");
248 NT_STATUS_HAVE_NO_MEMORY(server_info
->domain_name
);
250 server_info
->full_name
= talloc_strdup(server_info
, "System");
251 NT_STATUS_HAVE_NO_MEMORY(server_info
->full_name
);
253 server_info
->logon_script
= talloc_strdup(server_info
, "");
254 NT_STATUS_HAVE_NO_MEMORY(server_info
->logon_script
);
256 server_info
->profile_path
= talloc_strdup(server_info
, "");
257 NT_STATUS_HAVE_NO_MEMORY(server_info
->profile_path
);
259 server_info
->home_directory
= talloc_strdup(server_info
, "");
260 NT_STATUS_HAVE_NO_MEMORY(server_info
->home_directory
);
262 server_info
->home_drive
= talloc_strdup(server_info
, "");
263 NT_STATUS_HAVE_NO_MEMORY(server_info
->home_drive
);
265 server_info
->logon_server
= talloc_strdup(server_info
, netbios_name
);
266 NT_STATUS_HAVE_NO_MEMORY(server_info
->logon_server
);
268 server_info
->last_logon
= 0;
269 server_info
->last_logoff
= 0;
270 server_info
->acct_expiry
= 0;
271 server_info
->last_password_change
= 0;
272 server_info
->allow_password_change
= 0;
273 server_info
->force_password_change
= 0;
275 server_info
->logon_count
= 0;
276 server_info
->bad_password_count
= 0;
278 server_info
->acct_flags
= ACB_NORMAL
;
280 server_info
->authenticated
= true;
282 *_server_info
= server_info
;
288 static NTSTATUS
auth_domain_admin_server_info(TALLOC_CTX
*mem_ctx
,
289 const char *netbios_name
,
290 const char *domain_name
,
291 struct dom_sid
*domain_sid
,
292 struct auth_serversupplied_info
**_server_info
)
294 struct auth_serversupplied_info
*server_info
;
296 server_info
= talloc(mem_ctx
, struct auth_serversupplied_info
);
297 NT_STATUS_HAVE_NO_MEMORY(server_info
);
299 server_info
->account_sid
= dom_sid_add_rid(server_info
, domain_sid
, DOMAIN_RID_ADMINISTRATOR
);
300 NT_STATUS_HAVE_NO_MEMORY(server_info
->account_sid
);
302 server_info
->primary_group_sid
= dom_sid_add_rid(server_info
, domain_sid
, DOMAIN_RID_USERS
);
303 NT_STATUS_HAVE_NO_MEMORY(server_info
->primary_group_sid
);
305 server_info
->n_domain_groups
= 6;
306 server_info
->domain_groups
= talloc_array(server_info
, struct dom_sid
*, server_info
->n_domain_groups
);
308 server_info
->domain_groups
[0] = dom_sid_parse_talloc(server_info
, SID_BUILTIN_ADMINISTRATORS
);
309 server_info
->domain_groups
[1] = dom_sid_add_rid(server_info
, domain_sid
, DOMAIN_RID_ADMINS
);
310 server_info
->domain_groups
[2] = dom_sid_add_rid(server_info
, domain_sid
, DOMAIN_RID_USERS
);
311 server_info
->domain_groups
[3] = dom_sid_add_rid(server_info
, domain_sid
, DOMAIN_RID_ENTERPRISE_ADMINS
);
312 server_info
->domain_groups
[4] = dom_sid_add_rid(server_info
, domain_sid
, DOMAIN_RID_POLICY_ADMINS
);
313 server_info
->domain_groups
[5] = dom_sid_add_rid(server_info
, domain_sid
, DOMAIN_RID_SCHEMA_ADMINS
);
315 /* What should the session key be?*/
316 server_info
->user_session_key
= data_blob_talloc(server_info
, NULL
, 16);
317 NT_STATUS_HAVE_NO_MEMORY(server_info
->user_session_key
.data
);
319 server_info
->lm_session_key
= data_blob_talloc(server_info
, NULL
, 16);
320 NT_STATUS_HAVE_NO_MEMORY(server_info
->lm_session_key
.data
);
322 data_blob_clear(&server_info
->user_session_key
);
323 data_blob_clear(&server_info
->lm_session_key
);
325 server_info
->account_name
= talloc_strdup(server_info
, "Administrator");
326 NT_STATUS_HAVE_NO_MEMORY(server_info
->account_name
);
328 server_info
->domain_name
= talloc_strdup(server_info
, domain_name
);
329 NT_STATUS_HAVE_NO_MEMORY(server_info
->domain_name
);
331 server_info
->full_name
= talloc_strdup(server_info
, "Administrator");
332 NT_STATUS_HAVE_NO_MEMORY(server_info
->full_name
);
334 server_info
->logon_script
= talloc_strdup(server_info
, "");
335 NT_STATUS_HAVE_NO_MEMORY(server_info
->logon_script
);
337 server_info
->profile_path
= talloc_strdup(server_info
, "");
338 NT_STATUS_HAVE_NO_MEMORY(server_info
->profile_path
);
340 server_info
->home_directory
= talloc_strdup(server_info
, "");
341 NT_STATUS_HAVE_NO_MEMORY(server_info
->home_directory
);
343 server_info
->home_drive
= talloc_strdup(server_info
, "");
344 NT_STATUS_HAVE_NO_MEMORY(server_info
->home_drive
);
346 server_info
->logon_server
= talloc_strdup(server_info
, netbios_name
);
347 NT_STATUS_HAVE_NO_MEMORY(server_info
->logon_server
);
349 server_info
->last_logon
= 0;
350 server_info
->last_logoff
= 0;
351 server_info
->acct_expiry
= 0;
352 server_info
->last_password_change
= 0;
353 server_info
->allow_password_change
= 0;
354 server_info
->force_password_change
= 0;
356 server_info
->logon_count
= 0;
357 server_info
->bad_password_count
= 0;
359 server_info
->acct_flags
= ACB_NORMAL
;
361 server_info
->authenticated
= true;
363 *_server_info
= server_info
;
368 static NTSTATUS
auth_domain_admin_session_info(TALLOC_CTX
*parent_ctx
,
369 struct loadparm_context
*lp_ctx
,
370 struct dom_sid
*domain_sid
,
371 struct auth_session_info
**_session_info
)
374 struct auth_serversupplied_info
*server_info
= NULL
;
375 struct auth_session_info
*session_info
= NULL
;
376 TALLOC_CTX
*mem_ctx
= talloc_new(parent_ctx
);
378 nt_status
= auth_domain_admin_server_info(mem_ctx
, lpcfg_netbios_name(lp_ctx
),
379 lpcfg_workgroup(lp_ctx
), domain_sid
,
381 if (!NT_STATUS_IS_OK(nt_status
)) {
382 talloc_free(mem_ctx
);
386 session_info
= talloc(mem_ctx
, struct auth_session_info
);
387 NT_STATUS_HAVE_NO_MEMORY(session_info
);
389 session_info
->server_info
= talloc_reference(session_info
, server_info
);
391 /* unless set otherwise, the session key is the user session
392 * key from the auth subsystem */
393 session_info
->session_key
= server_info
->user_session_key
;
395 nt_status
= create_token(session_info
,
396 server_info
->account_sid
,
397 server_info
->primary_group_sid
,
398 server_info
->n_domain_groups
,
399 server_info
->domain_groups
,
401 &session_info
->security_token
);
402 NT_STATUS_NOT_OK_RETURN(nt_status
);
404 session_info
->credentials
= cli_credentials_init(session_info
);
405 if (!session_info
->credentials
) {
406 return NT_STATUS_NO_MEMORY
;
409 cli_credentials_set_conf(session_info
->credentials
, lp_ctx
);
411 *_session_info
= session_info
;
416 _PUBLIC_
struct auth_session_info
*admin_session(TALLOC_CTX
*mem_ctx
, struct loadparm_context
*lp_ctx
, struct dom_sid
*domain_sid
)
419 struct auth_session_info
*session_info
= NULL
;
420 nt_status
= auth_domain_admin_session_info(mem_ctx
,
424 if (!NT_STATUS_IS_OK(nt_status
)) {
430 _PUBLIC_ NTSTATUS
auth_anonymous_session_info(TALLOC_CTX
*parent_ctx
,
431 struct loadparm_context
*lp_ctx
,
432 struct auth_session_info
**_session_info
)
435 struct auth_serversupplied_info
*server_info
= NULL
;
436 struct auth_session_info
*session_info
= NULL
;
437 TALLOC_CTX
*mem_ctx
= talloc_new(parent_ctx
);
439 nt_status
= auth_anonymous_server_info(mem_ctx
,
440 lpcfg_netbios_name(lp_ctx
),
442 if (!NT_STATUS_IS_OK(nt_status
)) {
443 talloc_free(mem_ctx
);
447 /* references the server_info into the session_info */
448 nt_status
= auth_generate_session_info(parent_ctx
, NULL
, server_info
, 0, &session_info
);
449 talloc_free(mem_ctx
);
451 NT_STATUS_NOT_OK_RETURN(nt_status
);
453 session_info
->credentials
= cli_credentials_init(session_info
);
454 if (!session_info
->credentials
) {
455 return NT_STATUS_NO_MEMORY
;
458 cli_credentials_set_conf(session_info
->credentials
, lp_ctx
);
459 cli_credentials_set_anonymous(session_info
->credentials
);
461 *_session_info
= session_info
;
466 _PUBLIC_ NTSTATUS
auth_anonymous_server_info(TALLOC_CTX
*mem_ctx
,
467 const char *netbios_name
,
468 struct auth_serversupplied_info
**_server_info
)
470 struct auth_serversupplied_info
*server_info
;
471 server_info
= talloc(mem_ctx
, struct auth_serversupplied_info
);
472 NT_STATUS_HAVE_NO_MEMORY(server_info
);
474 server_info
->account_sid
= dom_sid_parse_talloc(server_info
, SID_NT_ANONYMOUS
);
475 NT_STATUS_HAVE_NO_MEMORY(server_info
->account_sid
);
477 /* The anonymous user has only one SID in it's token, but we need to fill something in here */
478 server_info
->primary_group_sid
= dom_sid_parse_talloc(server_info
, SID_NT_ANONYMOUS
);
479 NT_STATUS_HAVE_NO_MEMORY(server_info
->primary_group_sid
);
481 server_info
->n_domain_groups
= 0;
482 server_info
->domain_groups
= NULL
;
484 /* annoying, but the Anonymous really does have a session key... */
485 server_info
->user_session_key
= data_blob_talloc(server_info
, NULL
, 16);
486 NT_STATUS_HAVE_NO_MEMORY(server_info
->user_session_key
.data
);
488 server_info
->lm_session_key
= data_blob_talloc(server_info
, NULL
, 16);
489 NT_STATUS_HAVE_NO_MEMORY(server_info
->lm_session_key
.data
);
491 /* and it is all zeros! */
492 data_blob_clear(&server_info
->user_session_key
);
493 data_blob_clear(&server_info
->lm_session_key
);
495 server_info
->account_name
= talloc_strdup(server_info
, "ANONYMOUS LOGON");
496 NT_STATUS_HAVE_NO_MEMORY(server_info
->account_name
);
498 server_info
->domain_name
= talloc_strdup(server_info
, "NT AUTHORITY");
499 NT_STATUS_HAVE_NO_MEMORY(server_info
->domain_name
);
501 server_info
->full_name
= talloc_strdup(server_info
, "Anonymous Logon");
502 NT_STATUS_HAVE_NO_MEMORY(server_info
->full_name
);
504 server_info
->logon_script
= talloc_strdup(server_info
, "");
505 NT_STATUS_HAVE_NO_MEMORY(server_info
->logon_script
);
507 server_info
->profile_path
= talloc_strdup(server_info
, "");
508 NT_STATUS_HAVE_NO_MEMORY(server_info
->profile_path
);
510 server_info
->home_directory
= talloc_strdup(server_info
, "");
511 NT_STATUS_HAVE_NO_MEMORY(server_info
->home_directory
);
513 server_info
->home_drive
= talloc_strdup(server_info
, "");
514 NT_STATUS_HAVE_NO_MEMORY(server_info
->home_drive
);
516 server_info
->logon_server
= talloc_strdup(server_info
, netbios_name
);
517 NT_STATUS_HAVE_NO_MEMORY(server_info
->logon_server
);
519 server_info
->last_logon
= 0;
520 server_info
->last_logoff
= 0;
521 server_info
->acct_expiry
= 0;
522 server_info
->last_password_change
= 0;
523 server_info
->allow_password_change
= 0;
524 server_info
->force_password_change
= 0;
526 server_info
->logon_count
= 0;
527 server_info
->bad_password_count
= 0;
529 server_info
->acct_flags
= ACB_NORMAL
;
531 server_info
->authenticated
= false;
533 *_server_info
= server_info
;