search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4-domain-join: do not add DFSR entries when joining, this should be done in the...
[Samba/gebeck_regimport.git] / source3 / auth / auth_server.c
blob8a9e5cdf205597268b5dacd7ef6786ba77a74397
1 /*
2 Unix SMB/CIFS implementation.
3 Authenticate to a remote server
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "auth.h"
23 #include "system/passwd.h"
24 #include "smbd/smbd.h"
25 #include "libsmb/libsmb.h"
26
27 #undef DBGC_CLASS
28 #define DBGC_CLASS DBGC_AUTH
29
30 extern userdom_struct current_user_info;
31
32 /****************************************************************************
33 Support for server level security.
34 ****************************************************************************/
35
36 static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx)
37 {
38 struct cli_state *cli = NULL;
39 char *desthost = NULL;
40 struct sockaddr_storage dest_ss;
41 const char *p;
42 char *pserver = NULL;
43 bool connected_ok = False;
44 struct named_mutex *mutex = NULL;
45 NTSTATUS status;
46 /* security = server just can't function with spnego */
47 int flags = CLI_FULL_CONNECTION_DONT_SPNEGO;
48 uint16_t sec_mode = 0;
49
50 pserver = talloc_strdup(mem_ctx, lp_passwordserver());
51 p = pserver;
52
53 while(next_token_talloc(mem_ctx, &p, &desthost, LIST_SEP)) {
54
55 desthost = talloc_sub_basic(mem_ctx,
56 current_user_info.smb_name,
57 current_user_info.domain,
58 desthost);
59 if (!desthost) {
60 return NULL;
61 }
62 strupper_m(desthost);
63
64 if (strequal(desthost, myhostname())) {
65 DEBUG(1,("Password server loop - disabling "
66 "password server %s\n", desthost));
67 continue;
68 }
69
70 if(!resolve_name( desthost, &dest_ss, 0x20, false)) {
71 DEBUG(1,("server_cryptkey: Can't resolve address for %s\n",desthost));
72 continue;
73 }
74
75 if (ismyaddr((struct sockaddr *)(void *)&dest_ss)) {
76 DEBUG(1,("Password server loop - disabling password server %s\n",desthost));
77 continue;
78 }
79
80 /* we use a mutex to prevent two connections at once - when a
81 Win2k PDC get two connections where one hasn't completed a
82 session setup yet it will send a TCP reset to the first
83 connection (tridge) */
84
85 mutex = grab_named_mutex(talloc_tos(), desthost, 10);
86 if (mutex == NULL) {
87 return NULL;
88 }
89
90 status = cli_connect_nb(desthost, &dest_ss, 0, 0x20,
91 lp_netbios_name(), Undefined, flags, &cli);
92 if (NT_STATUS_IS_OK(status)) {
93 DEBUG(3,("connected to password server %s\n",desthost));
94 connected_ok = True;
95 break;
96 }
97 DEBUG(10,("server_cryptkey: failed to connect to server %s. Error %s\n",
98 desthost, nt_errstr(status) ));
99 TALLOC_FREE(mutex);
100 }
101
102 if (!connected_ok) {
103 DEBUG(0,("password server not available\n"));
104 return NULL;
105 }
106
107 DEBUG(3,("got session\n"));
108
109 status = cli_negprot(cli, PROTOCOL_NT1);
110
111 if (!NT_STATUS_IS_OK(status)) {
112 TALLOC_FREE(mutex);
113 DEBUG(1, ("%s rejected the negprot: %s\n",
114 desthost, nt_errstr(status)));
115 cli_shutdown(cli);
116 return NULL;
117 }
118
119 sec_mode = cli_state_security_mode(cli);
120 if (cli_state_protocol(cli) < PROTOCOL_LANMAN2 ||
121 !(sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) {
122 TALLOC_FREE(mutex);
123 DEBUG(1,("%s isn't in user level security mode\n",desthost));
124 cli_shutdown(cli);
125 return NULL;
126 }
127
128 /* Get the first session setup done quickly, to avoid silly
129 Win2k bugs. (The next connection to the server will kill
130 this one...
131 */
132
133 status = cli_session_setup(cli, "", "", 0, "", 0, "");
134 if (!NT_STATUS_IS_OK(status)) {
135 TALLOC_FREE(mutex);
136 DEBUG(0,("%s rejected the initial session setup (%s)\n",
137 desthost, nt_errstr(status)));
138 cli_shutdown(cli);
139 return NULL;
140 }
141
142 TALLOC_FREE(mutex);
143
144 DEBUG(3,("password server OK\n"));
145
146 return cli;
147 }
148
149 struct server_security_state {
150 struct cli_state *cli;
151 };
152
153 /****************************************************************************
154 Send a 'keepalive' packet down the cli pipe.
155 ****************************************************************************/
156
157 static bool send_server_keepalive(const struct timeval *now,
158 void *private_data)
159 {
160 struct server_security_state *state = talloc_get_type_abort(
161 private_data, struct server_security_state);
162 NTSTATUS status;
163 unsigned char garbage[16];
164
165 if (!cli_state_is_connected(state->cli)) {
166 return false;
167 }
168
169 /* Ping the server to keep the connection alive using SMBecho. */
170 memset(garbage, 0xf0, sizeof(garbage));
171 status = cli_echo(state->cli, 1, data_blob_const(garbage, sizeof(garbage)));
172 if (NT_STATUS_IS_OK(status)) {
173 return true;
174 }
175
176 DEBUG(2,("send_server_keepalive: password server SMBecho failed: %s\n",
177 nt_errstr(status)));
178 cli_shutdown(state->cli);
179 state->cli = NULL;
180 return false;
181 }
182
183 static int destroy_server_security(struct server_security_state *state)
184 {
185 if (state->cli) {
186 cli_shutdown(state->cli);
187 }
188 return 0;
189 }
190
191 static struct server_security_state *make_server_security_state(struct cli_state *cli)
192 {
193 struct server_security_state *result;
194
195 if (!(result = talloc(NULL, struct server_security_state))) {
196 DEBUG(0, ("talloc failed\n"));
197 cli_shutdown(cli);
198 return NULL;
199 }
200
201 result->cli = cli;
202 talloc_set_destructor(result, destroy_server_security);
203
204 if (lp_keepalive() != 0) {
205 struct timeval interval;
206 interval.tv_sec = lp_keepalive();
207 interval.tv_usec = 0;
208
209 if (event_add_idle(server_event_context(), result, interval,
210 "server_security_keepalive",
211 send_server_keepalive,
212 result) == NULL) {
213 DEBUG(0, ("event_add_idle failed\n"));
214 TALLOC_FREE(result);
215 return NULL;
216 }
217 }
218
219 return result;
220 }
221
222 /****************************************************************************
223 Get the challenge out of a password server.
224 ****************************************************************************/
225
226 static DATA_BLOB auth_get_challenge_server(const struct auth_context *auth_context,
227 void **my_private_data,
228 TALLOC_CTX *mem_ctx)
229 {
230 struct cli_state *cli = server_cryptkey(mem_ctx);
231
232 if (cli) {
233 uint16_t sec_mode = cli_state_security_mode(cli);
234 const uint8_t *server_challenge = cli_state_server_challenge(cli);
235
236 DEBUG(3,("using password server validation\n"));
237
238 if ((sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
239 /* We can't work with unencrypted password servers
240 unless 'encrypt passwords = no' */
241 DEBUG(5,("make_auth_info_server: Server is unencrypted, no challenge available..\n"));
242
243 /* However, it is still a perfectly fine connection
244 to pass that unencrypted password over */
245 *my_private_data =
246 (void *)make_server_security_state(cli);
247 return data_blob_null;
248 }
249
250 if (!(*my_private_data = (void *)make_server_security_state(cli))) {
251 return data_blob(NULL,0);
252 }
253
254 /* The return must be allocated on the caller's mem_ctx, as our own will be
255 destoyed just after the call. */
256 return data_blob_talloc(discard_const_p(TALLOC_CTX, auth_context), server_challenge ,8);
257 } else {
258 return data_blob_null;
259 }
260 }
261
262
263 /****************************************************************************
264 Check for a valid username and password in security=server mode.
265 - Validate a password with the password server.
266 ****************************************************************************/
267
268 static NTSTATUS check_smbserver_security(const struct auth_context *auth_context,
269 void *my_private_data,
270 TALLOC_CTX *mem_ctx,
271 const struct auth_usersupplied_info *user_info,
272 struct auth_serversupplied_info **server_info)
273 {
274 struct server_security_state *state = NULL;
275 struct cli_state *cli = NULL;
276 static bool tested_password_server = False;
277 static bool bad_password_server = False;
278 NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
279 bool locally_made_cli = False;
280 uint16_t sec_mode = 0;
281
282 DEBUG(10, ("check_smbserver_security: Check auth for: [%s]\n",
283 user_info->mapped.account_name));
284
285 if (my_private_data == NULL) {
286 DEBUG(10,("check_smbserver_security: "
287 "password server is not connected\n"));
288 return NT_STATUS_LOGON_FAILURE;
289 }
290
291 state = talloc_get_type_abort(my_private_data, struct server_security_state);
292 cli = state->cli;
293
294 if (cli) {
295 } else {
296 cli = server_cryptkey(mem_ctx);
297 locally_made_cli = True;
298 }
299
300 if (!cli_state_is_connected(cli)) {
301 DEBUG(1,("password server is not connected (cli not initialised)\n"));
302 return NT_STATUS_LOGON_FAILURE;
303 }
304
305 sec_mode = cli_state_security_mode(cli);
306 if ((sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
307 if (user_info->password_state != AUTH_PASSWORD_PLAIN) {
308 DEBUG(1,("password server %s is plaintext, but we are encrypted. This just can't work :-(\n", cli_state_remote_name(cli)));
309 return NT_STATUS_LOGON_FAILURE;
310 }
311 } else {
312 const uint8_t *server_challenge = cli_state_server_challenge(cli);
313
314 if (memcmp(server_challenge, auth_context->challenge.data, 8) != 0) {
315 DEBUG(1,("the challenge that the password server (%s) supplied us is not the one we gave our client. This just can't work :-(\n", cli_state_remote_name(cli)));
316 return NT_STATUS_LOGON_FAILURE;
317 }
318 }
319
320 /*
321 * Attempt a session setup with a totally incorrect password.
322 * If this succeeds with the guest bit *NOT* set then the password
323 * server is broken and is not correctly setting the guest bit. We
324 * need to detect this as some versions of NT4.x are broken. JRA.
325 */
326
327 /* I sure as hell hope that there aren't servers out there that take
328 * NTLMv2 and have this bug, as we don't test for that...
329 * - abartlet@samba.org
330 */
331
332 if ((!tested_password_server) && (lp_paranoid_server_security())) {
333 unsigned char badpass[24];
334 char *baduser = NULL;
335
336 memset(badpass, 0x1f, sizeof(badpass));
337
338 if((user_info->password.response.nt.length == sizeof(badpass)) &&
339 !memcmp(badpass, user_info->password.response.nt.data, sizeof(badpass))) {
340 /*
341 * Very unlikely, our random bad password is the same as the users
342 * password.
343 */
344 memset(badpass, badpass[0]+1, sizeof(badpass));
345 }
346
347 baduser = talloc_asprintf(mem_ctx,
348 "%s%s",
349 INVALID_USER_PREFIX,
350 lp_netbios_name());
351 if (!baduser) {
352 return NT_STATUS_NO_MEMORY;
353 }
354
355 if (NT_STATUS_IS_OK(cli_session_setup(cli, baduser,
356 (char *)badpass,
357 sizeof(badpass),
358 (char *)badpass,
359 sizeof(badpass),
360 user_info->mapped.domain_name))) {
361
362 /*
363 * We connected to the password server so we
364 * can say we've tested it.
365 */
366 tested_password_server = True;
367
368 if (!cli->is_guestlogin) {
369 DEBUG(0,("server_validate: password server %s allows users as non-guest \
370 with a bad password.\n", cli_state_remote_name(cli)));
371 DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
372 use this machine as the password server.\n"));
373 cli_ulogoff(cli);
374
375 /*
376 * Password server has the bug.
377 */
378 bad_password_server = True;
379 return NT_STATUS_LOGON_FAILURE;
380 }
381 cli_ulogoff(cli);
382 }
383 } else {
384
385 /*
386 * We have already tested the password server.
387 * Fail immediately if it has the bug.
388 */
389
390 if(bad_password_server) {
391 DEBUG(0,("server_validate: [1] password server %s allows users as non-guest \
392 with a bad password.\n", cli_state_remote_name(cli)));
393 DEBUG(0,("server_validate: [1] This is broken (and insecure) behaviour. Please do not \
394 use this machine as the password server.\n"));
395 return NT_STATUS_LOGON_FAILURE;
396 }
397 }
398
399 /*
400 * Now we know the password server will correctly set the guest bit, or is
401 * not guest enabled, we can try with the real password.
402 */
403 switch (user_info->password_state) {
404 case AUTH_PASSWORD_PLAIN:
405 /* Plaintext available */
406 nt_status = cli_session_setup(
407 cli, user_info->client.account_name,
408 user_info->password.plaintext,
409 strlen(user_info->password.plaintext),
410 NULL, 0, user_info->mapped.domain_name);
411 break;
412
413 /* currently the hash values include a challenge-response as well */
414 case AUTH_PASSWORD_HASH:
415 case AUTH_PASSWORD_RESPONSE:
416 nt_status = cli_session_setup(
417 cli, user_info->client.account_name,
418 (char *)user_info->password.response.lanman.data,
419 user_info->password.response.lanman.length,
420 (char *)user_info->password.response.nt.data,
421 user_info->password.response.nt.length,
422 user_info->mapped.domain_name);
423 break;
424 default:
425 DEBUG(0,("user_info constructed for user '%s' was invalid - password_state=%u invalid.\n",user_info->mapped.account_name, user_info->password_state));
426 nt_status = NT_STATUS_INTERNAL_ERROR;
427 }
428
429 if (!NT_STATUS_IS_OK(nt_status)) {
430 DEBUG(1,("password server %s rejected the password: %s\n",
431 cli_state_remote_name(cli), nt_errstr(nt_status)));
432 }
433
434 /* if logged in as guest then reject */
435 if (cli->is_guestlogin) {
436 DEBUG(1,("password server %s gave us guest only\n",
437 cli_state_remote_name(cli)));
438 nt_status = NT_STATUS_LOGON_FAILURE;
439 }
440
441 cli_ulogoff(cli);
442
443 if (NT_STATUS_IS_OK(nt_status)) {
444 char *real_username = NULL;
445 struct passwd *pass = NULL;
446
447 if ( (pass = smb_getpwnam(talloc_tos(), user_info->mapped.account_name,
448 &real_username, True )) != NULL )
449 {
450 nt_status = make_server_info_pw(server_info, pass->pw_name, pass);
451 TALLOC_FREE(pass);
452 TALLOC_FREE(real_username);
453 }
454 else
455 {
456 nt_status = NT_STATUS_NO_SUCH_USER;
457 }
458 }
459
460 if (locally_made_cli) {
461 cli_shutdown(cli);
462 }
463
464 return(nt_status);
465 }
466
467 static NTSTATUS auth_init_smbserver(struct auth_context *auth_context, const char* param, auth_methods **auth_method)
468 {
469 struct auth_methods *result;
470
471 result = talloc_zero(auth_context, struct auth_methods);
472 if (result == NULL) {
473 return NT_STATUS_NO_MEMORY;
474 }
475 result->name = "smbserver";
476 result->auth = check_smbserver_security;
477 result->get_chal = auth_get_challenge_server;
478
479 *auth_method = result;
480 return NT_STATUS_OK;
481 }
482
483 NTSTATUS auth_server_init(void)
484 {
485 return smb_register_auth(AUTH_INTERFACE_VERSION, "smbserver", auth_init_smbserver);
486 }
reg import