search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dsdb-acl: make use of acl_check_access_on_objectclass() for the object in acl_delete()
[Samba/gebeck_regimport.git] / source4 / auth / system_session.c
blob3b9edd779df7a466909ff6af1535d0a594ba6c3e
1 /*
2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001-2010
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Stefan Metzmacher 2005
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "libcli/security/security.h"
26 #include "auth/credentials/credentials.h"
27 #include "param/param.h"
28 #include "auth/auth.h" /* for auth_user_info_dc */
29 #include "auth/session.h"
30 #include "auth/system_session_proto.h"
31
32
33 /*
34 prevent the static system session being freed
35 */
36 static int system_session_destructor(struct auth_session_info *info)
37 {
38 return -1;
39 }
40
41 /* Create a security token for a session SYSTEM (the most
42 * trusted/prvilaged account), including the local machine account as
43 * the off-host credentials
44 */
45 _PUBLIC_ struct auth_session_info *system_session(struct loadparm_context *lp_ctx)
46 {
47 static struct auth_session_info *static_session;
48 NTSTATUS nt_status;
49
50 if (static_session) {
51 return static_session;
52 }
53
54 nt_status = auth_system_session_info(talloc_autofree_context(),
55 lp_ctx,
56 &static_session);
57 if (!NT_STATUS_IS_OK(nt_status)) {
58 talloc_free(static_session);
59 static_session = NULL;
60 return NULL;
61 }
62 talloc_set_destructor(static_session, system_session_destructor);
63 return static_session;
64 }
65
66 NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
67 struct loadparm_context *lp_ctx,
68 struct auth_session_info **_session_info)
69 {
70 NTSTATUS nt_status;
71 struct auth_user_info_dc *user_info_dc = NULL;
72 struct auth_session_info *session_info = NULL;
73 TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
74
75 nt_status = auth_system_user_info_dc(mem_ctx, lpcfg_netbios_name(lp_ctx),
76 &user_info_dc);
77 if (!NT_STATUS_IS_OK(nt_status)) {
78 talloc_free(mem_ctx);
79 return nt_status;
80 }
81
82 /* references the user_info_dc into the session_info */
83 nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, user_info_dc, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
84 talloc_free(mem_ctx);
85
86 NT_STATUS_NOT_OK_RETURN(nt_status);
87
88 session_info->credentials = cli_credentials_init(session_info);
89 if (!session_info->credentials) {
90 return NT_STATUS_NO_MEMORY;
91 }
92
93 cli_credentials_set_conf(session_info->credentials, lp_ctx);
94
95 cli_credentials_set_machine_account_pending(session_info->credentials, lp_ctx);
96 *_session_info = session_info;
97
98 return NT_STATUS_OK;
99 }
100
101 NTSTATUS auth_system_user_info_dc(TALLOC_CTX *mem_ctx, const char *netbios_name,
102 struct auth_user_info_dc **_user_info_dc)
103 {
104 struct auth_user_info_dc *user_info_dc;
105 struct auth_user_info *info;
106
107 user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
108 NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
109
110 /* This returns a pointer to a struct dom_sid, which is the
111 * same as a 1 element list of struct dom_sid */
112 user_info_dc->num_sids = 1;
113 user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_SYSTEM);
114 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
115
116 /* annoying, but the Anonymous really does have a session key,
117 and it is all zeros! */
118 user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
119 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
120
121 user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
122 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
123
124 data_blob_clear(&user_info_dc->user_session_key);
125 data_blob_clear(&user_info_dc->lm_session_key);
126
127 user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
128 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
129
130 info->account_name = talloc_strdup(info, "SYSTEM");
131 NT_STATUS_HAVE_NO_MEMORY(info->account_name);
132
133 info->domain_name = talloc_strdup(info, "NT AUTHORITY");
134 NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
135
136 info->full_name = talloc_strdup(info, "System");
137 NT_STATUS_HAVE_NO_MEMORY(info->full_name);
138
139 info->logon_script = talloc_strdup(info, "");
140 NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
141
142 info->profile_path = talloc_strdup(info, "");
143 NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
144
145 info->home_directory = talloc_strdup(info, "");
146 NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
147
148 info->home_drive = talloc_strdup(info, "");
149 NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
150
151 info->logon_server = talloc_strdup(info, netbios_name);
152 NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
153
154 info->last_logon = 0;
155 info->last_logoff = 0;
156 info->acct_expiry = 0;
157 info->last_password_change = 0;
158 info->allow_password_change = 0;
159 info->force_password_change = 0;
160
161 info->logon_count = 0;
162 info->bad_password_count = 0;
163
164 info->acct_flags = ACB_NORMAL;
165
166 info->authenticated = true;
167
168 *_user_info_dc = user_info_dc;
169
170 return NT_STATUS_OK;
171 }
172
173
174 static NTSTATUS auth_domain_admin_user_info_dc(TALLOC_CTX *mem_ctx,
175 const char *netbios_name,
176 const char *domain_name,
177 struct dom_sid *domain_sid,
178 struct auth_user_info_dc **_user_info_dc)
179 {
180 struct auth_user_info_dc *user_info_dc;
181 struct auth_user_info *info;
182
183 user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
184 NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
185
186 user_info_dc->num_sids = 7;
187 user_info_dc->sids = talloc_array(user_info_dc, struct dom_sid, user_info_dc->num_sids);
188
189 user_info_dc->sids[PRIMARY_USER_SID_INDEX] = *domain_sid;
190 sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_ADMINISTRATOR);
191
192 user_info_dc->sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid;
193 sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX], DOMAIN_RID_USERS);
194
195 user_info_dc->sids[2] = global_sid_Builtin_Administrators;
196
197 user_info_dc->sids[3] = *domain_sid;
198 sid_append_rid(&user_info_dc->sids[3], DOMAIN_RID_ADMINS);
199 user_info_dc->sids[4] = *domain_sid;
200 sid_append_rid(&user_info_dc->sids[4], DOMAIN_RID_ENTERPRISE_ADMINS);
201 user_info_dc->sids[5] = *domain_sid;
202 sid_append_rid(&user_info_dc->sids[5], DOMAIN_RID_POLICY_ADMINS);
203 user_info_dc->sids[6] = *domain_sid;
204 sid_append_rid(&user_info_dc->sids[6], DOMAIN_RID_SCHEMA_ADMINS);
205
206 /* What should the session key be?*/
207 user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
208 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
209
210 user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
211 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
212
213 data_blob_clear(&user_info_dc->user_session_key);
214 data_blob_clear(&user_info_dc->lm_session_key);
215
216 user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
217 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
218
219 info->account_name = talloc_strdup(info, "Administrator");
220 NT_STATUS_HAVE_NO_MEMORY(info->account_name);
221
222 info->domain_name = talloc_strdup(info, domain_name);
223 NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
224
225 info->full_name = talloc_strdup(info, "Administrator");
226 NT_STATUS_HAVE_NO_MEMORY(info->full_name);
227
228 info->logon_script = talloc_strdup(info, "");
229 NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
230
231 info->profile_path = talloc_strdup(info, "");
232 NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
233
234 info->home_directory = talloc_strdup(info, "");
235 NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
236
237 info->home_drive = talloc_strdup(info, "");
238 NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
239
240 info->logon_server = talloc_strdup(info, netbios_name);
241 NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
242
243 info->last_logon = 0;
244 info->last_logoff = 0;
245 info->acct_expiry = 0;
246 info->last_password_change = 0;
247 info->allow_password_change = 0;
248 info->force_password_change = 0;
249
250 info->logon_count = 0;
251 info->bad_password_count = 0;
252
253 info->acct_flags = ACB_NORMAL;
254
255 info->authenticated = true;
256
257 *_user_info_dc = user_info_dc;
258
259 return NT_STATUS_OK;
260 }
261
262 static NTSTATUS auth_domain_admin_session_info(TALLOC_CTX *parent_ctx,
263 struct loadparm_context *lp_ctx,
264 struct dom_sid *domain_sid,
265 struct auth_session_info **session_info)
266 {
267 NTSTATUS nt_status;
268 struct auth_user_info_dc *user_info_dc = NULL;
269 TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
270
271 NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
272
273 nt_status = auth_domain_admin_user_info_dc(mem_ctx, lpcfg_netbios_name(lp_ctx),
274 lpcfg_workgroup(lp_ctx), domain_sid,
275 &user_info_dc);
276 if (!NT_STATUS_IS_OK(nt_status)) {
277 talloc_free(mem_ctx);
278 return nt_status;
279 }
280
281 nt_status = auth_generate_session_info(mem_ctx, NULL, NULL, user_info_dc,
282 AUTH_SESSION_INFO_SIMPLE_PRIVILEGES|AUTH_SESSION_INFO_AUTHENTICATED|AUTH_SESSION_INFO_DEFAULT_GROUPS,
283 session_info);
284 /* There is already a reference between the sesion_info and user_info_dc */
285 if (NT_STATUS_IS_OK(nt_status)) {
286 talloc_steal(parent_ctx, *session_info);
287 }
288 talloc_free(mem_ctx);
289 return nt_status;
290 }
291
292 _PUBLIC_ struct auth_session_info *admin_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct dom_sid *domain_sid)
293 {
294 NTSTATUS nt_status;
295 struct auth_session_info *session_info = NULL;
296 nt_status = auth_domain_admin_session_info(mem_ctx,
297 lp_ctx,
298 domain_sid,
299 &session_info);
300 if (!NT_STATUS_IS_OK(nt_status)) {
301 return NULL;
302 }
303 return session_info;
304 }
305
306 _PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
307 struct loadparm_context *lp_ctx,
308 struct auth_session_info **_session_info)
309 {
310 NTSTATUS nt_status;
311 struct auth_user_info_dc *user_info_dc = NULL;
312 struct auth_session_info *session_info = NULL;
313 TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
314
315 nt_status = auth_anonymous_user_info_dc(mem_ctx,
316 lpcfg_netbios_name(lp_ctx),
317 &user_info_dc);
318 if (!NT_STATUS_IS_OK(nt_status)) {
319 talloc_free(mem_ctx);
320 return nt_status;
321 }
322
323 /* references the user_info_dc into the session_info */
324 nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, user_info_dc, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
325 talloc_free(mem_ctx);
326
327 NT_STATUS_NOT_OK_RETURN(nt_status);
328
329 session_info->credentials = cli_credentials_init(session_info);
330 if (!session_info->credentials) {
331 return NT_STATUS_NO_MEMORY;
332 }
333
334 cli_credentials_set_conf(session_info->credentials, lp_ctx);
335 cli_credentials_set_anonymous(session_info->credentials);
336
337 *_session_info = session_info;
338
339 return NT_STATUS_OK;
340 }
341
342 _PUBLIC_ NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx,
343 const char *netbios_name,
344 struct auth_user_info_dc **_user_info_dc)
345 {
346 struct auth_user_info_dc *user_info_dc;
347 struct auth_user_info *info;
348 user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
349 NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
350
351 /* This returns a pointer to a struct dom_sid, which is the
352 * same as a 1 element list of struct dom_sid */
353 user_info_dc->num_sids = 1;
354 user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_ANONYMOUS);
355 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
356
357 /* annoying, but the Anonymous really does have a session key... */
358 user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
359 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
360
361 user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
362 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
363
364 /* and it is all zeros! */
365 data_blob_clear(&user_info_dc->user_session_key);
366 data_blob_clear(&user_info_dc->lm_session_key);
367
368 user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
369 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
370
371 info->account_name = talloc_strdup(info, "ANONYMOUS LOGON");
372 NT_STATUS_HAVE_NO_MEMORY(info->account_name);
373
374 info->domain_name = talloc_strdup(info, "NT AUTHORITY");
375 NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
376
377 info->full_name = talloc_strdup(info, "Anonymous Logon");
378 NT_STATUS_HAVE_NO_MEMORY(info->full_name);
379
380 info->logon_script = talloc_strdup(info, "");
381 NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
382
383 info->profile_path = talloc_strdup(info, "");
384 NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
385
386 info->home_directory = talloc_strdup(info, "");
387 NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
388
389 info->home_drive = talloc_strdup(info, "");
390 NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
391
392 info->logon_server = talloc_strdup(info, netbios_name);
393 NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
394
395 info->last_logon = 0;
396 info->last_logoff = 0;
397 info->acct_expiry = 0;
398 info->last_password_change = 0;
399 info->allow_password_change = 0;
400 info->force_password_change = 0;
401
402 info->logon_count = 0;
403 info->bad_password_count = 0;
404
405 info->acct_flags = ACB_NORMAL;
406
407 info->authenticated = false;
408
409 *_user_info_dc = user_info_dc;
410
411 return NT_STATUS_OK;
412 }
413
reg import