2 Unix SMB/CIFS implementation.
4 Winbind status program.
6 Copyright (C) Tim Potter 2000-2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004
8 Copyright (C) Francesco Chemolli <kinkie@kame.usr.dsi.unimi.it> 2000
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "system/filesys.h"
26 #include "lib/cmdline/popt_common.h"
27 #include "lib/ldb/include/ldb.h"
28 #include "auth/credentials/credentials.h"
29 #include "auth/gensec/gensec.h"
30 #include "auth/auth.h"
31 #include "librpc/gen_ndr/ndr_netlogon.h"
32 #include "auth/auth_sam.h"
33 #include "auth/ntlm/ntlm_check.h"
35 #include "libcli/auth/libcli_auth.h"
36 #include "libcli/security/security.h"
37 #include "lib/events/events.h"
38 #include "lib/messaging/messaging.h"
39 #include "lib/messaging/irpc.h"
40 #include "auth/ntlmssp/ntlmssp.h"
41 #include "param/param.h"
43 #define INITIAL_BUFFER_SIZE 300
44 #define MAX_BUFFER_SIZE 63000
46 enum stdio_helper_mode
{
57 #define NTLM_AUTH_FLAG_USER_SESSION_KEY 0x0004
58 #define NTLM_AUTH_FLAG_LMKEY 0x0008
61 typedef void (*stdio_helper_function
)(enum stdio_helper_mode stdio_helper_mode
,
62 struct loadparm_context
*lp_ctx
,
63 char *buf
, int length
, void **private,
64 unsigned int mux_id
, void **private2
);
66 static void manage_squid_basic_request (enum stdio_helper_mode stdio_helper_mode
,
67 struct loadparm_context
*lp_ctx
,
68 char *buf
, int length
, void **private,
69 unsigned int mux_id
, void **private2
);
71 static void manage_gensec_request (enum stdio_helper_mode stdio_helper_mode
,
72 struct loadparm_context
*lp_ctx
,
73 char *buf
, int length
, void **private,
74 unsigned int mux_id
, void **private2
);
76 static void manage_ntlm_server_1_request (enum stdio_helper_mode stdio_helper_mode
,
77 struct loadparm_context
*lp_ctx
,
78 char *buf
, int length
, void **private,
79 unsigned int mux_id
, void **private2
);
81 static void manage_squid_request(struct loadparm_context
*lp_ctx
,
82 enum stdio_helper_mode helper_mode
,
83 stdio_helper_function fn
, void **private2
);
86 enum stdio_helper_mode mode
;
88 stdio_helper_function fn
;
89 } stdio_helper_protocols
[] = {
90 { SQUID_2_4_BASIC
, "squid-2.4-basic", manage_squid_basic_request
},
91 { SQUID_2_5_BASIC
, "squid-2.5-basic", manage_squid_basic_request
},
92 { SQUID_2_5_NTLMSSP
, "squid-2.5-ntlmssp", manage_gensec_request
},
93 { GSS_SPNEGO_CLIENT
, "gss-spnego-client", manage_gensec_request
},
94 { GSS_SPNEGO_SERVER
, "gss-spnego", manage_gensec_request
},
95 { NTLMSSP_CLIENT_1
, "ntlmssp-client-1", manage_gensec_request
},
96 { NTLM_SERVER_1
, "ntlm-server-1", manage_ntlm_server_1_request
},
97 { NUM_HELPER_MODES
, NULL
, NULL
}
100 extern int winbindd_fd
;
102 static const char *opt_username
;
103 static const char *opt_domain
;
104 static const char *opt_workstation
;
105 static const char *opt_password
;
106 static int opt_multiplex
;
107 static int use_cached_creds
;
110 static void mux_printf(unsigned int mux_id
, const char *format
, ...) PRINTF_ATTRIBUTE(2, 3);
112 static void mux_printf(unsigned int mux_id
, const char *format
, ...)
117 x_fprintf(x_stdout
, "%d ", mux_id
);
120 va_start(ap
, format
);
121 x_vfprintf(x_stdout
, format
, ap
);
127 /* Copy of parse_domain_user from winbindd_util.c. Parse a string of the
128 form DOMAIN/user into a domain and a user */
130 static bool parse_ntlm_auth_domain_user(const char *domuser
, fstring domain
,
131 fstring user
, char winbind_separator
)
134 char *p
= strchr(domuser
, winbind_separator
);
141 fstrcpy(domain
, domuser
);
142 domain
[PTR_DIFF(p
, domuser
)] = 0;
148 * Decode a base64 string into a DATA_BLOB - simple and slow algorithm
150 static DATA_BLOB
base64_decode_data_blob(TALLOC_CTX
*mem_ctx
, const char *s
)
152 DATA_BLOB ret
= data_blob_talloc(mem_ctx
, s
, strlen(s
)+1);
153 ret
.length
= ldb_base64_decode((char *)ret
.data
);
158 * Encode a base64 string into a talloc()ed string caller to free.
160 static char *base64_encode_data_blob(TALLOC_CTX
*mem_ctx
, DATA_BLOB data
)
162 return ldb_base64_encode(mem_ctx
, (const char *)data
.data
, data
.length
);
166 * Decode a base64 string in-place - wrapper for the above
168 static void base64_decode_inplace(char *s
)
170 ldb_base64_decode(s
);
175 /* Authenticate a user with a plaintext password */
177 static bool check_plaintext_auth(const char *user
, const char *pass
,
178 bool stdout_diagnostics
)
180 return (strcmp(pass
, opt_password
) == 0);
183 /* authenticate a user with an encrypted username/password */
185 static NTSTATUS
local_pw_check_specified(struct loadparm_context
*lp_ctx
,
186 const char *username
,
188 const char *workstation
,
189 const DATA_BLOB
*challenge
,
190 const DATA_BLOB
*lm_response
,
191 const DATA_BLOB
*nt_response
,
193 DATA_BLOB
*lm_session_key
,
194 DATA_BLOB
*user_session_key
,
199 struct samr_Password lm_pw
, nt_pw
;
200 struct samr_Password
*lm_pwd
, *nt_pwd
;
201 TALLOC_CTX
*mem_ctx
= talloc_init("local_pw_check_specified");
203 nt_status
= NT_STATUS_NO_MEMORY
;
206 E_md4hash(opt_password
, nt_pw
.hash
);
207 if (E_deshash(opt_password
, lm_pw
.hash
)) {
215 nt_status
= ntlm_password_check(mem_ctx
,
217 MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
|
218 MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT
,
225 lm_pwd
, nt_pwd
, user_session_key
, lm_session_key
);
227 if (NT_STATUS_IS_OK(nt_status
)) {
231 *lp_winbind_separator(lp_ctx
),
235 DEBUG(3, ("Login for user [%s]\\[%s]@[%s] failed due to [%s]\n",
236 domain
, username
, workstation
,
237 nt_errstr(nt_status
)));
239 talloc_free(mem_ctx
);
242 *error_string
= strdup(nt_errstr(nt_status
));
249 static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode
,
250 struct loadparm_context
*lp_ctx
,
251 char *buf
, int length
, void **private,
252 unsigned int mux_id
, void **private2
)
257 pass
= memchr(buf
, ' ', length
);
259 DEBUG(2, ("Password not found. Denying access\n"));
260 mux_printf(mux_id
, "ERR\n");
266 if (stdio_helper_mode
== SQUID_2_5_BASIC
) {
267 rfc1738_unescape(user
);
268 rfc1738_unescape(pass
);
271 if (check_plaintext_auth(user
, pass
, false)) {
272 mux_printf(mux_id
, "OK\n");
274 mux_printf(mux_id
, "ERR\n");
278 /* This is a bit hairy, but the basic idea is to do a password callback
279 to the calling application. The callback comes from within gensec */
281 static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mode
,
282 struct loadparm_context
*lp_ctx
,
283 char *buf
, int length
, void **private,
284 unsigned int mux_id
, void **password
)
287 if (strlen(buf
) < 2) {
288 DEBUG(1, ("query [%s] invalid", buf
));
289 mux_printf(mux_id
, "BH Query invalid\n");
293 if (strlen(buf
) > 3) {
294 in
= base64_decode_data_blob(NULL
, buf
+ 3);
296 in
= data_blob(NULL
, 0);
299 if (strncmp(buf
, "PW ", 3) == 0) {
301 *password
= talloc_strndup(*private /* hopefully the right gensec context, useful to use for talloc */,
302 (const char *)in
.data
, in
.length
);
304 if (*password
== NULL
) {
305 DEBUG(1, ("Out of memory\n"));
306 mux_printf(mux_id
, "BH Out of memory\n");
311 mux_printf(mux_id
, "OK\n");
315 DEBUG(1, ("Asked for (and expected) a password\n"));
316 mux_printf(mux_id
, "BH Expected a password\n");
321 * Callback for password credentials. This is not async, and when
322 * GENSEC and the credentials code is made async, it will look rather
326 static const char *get_password(struct cli_credentials
*credentials
)
328 char *password
= NULL
;
330 /* Ask for a password */
331 mux_printf((unsigned int)(uintptr_t)credentials
->priv_data
, "PW\n");
332 credentials
->priv_data
= NULL
;
334 manage_squid_request(cmdline_lp_ctx
, NUM_HELPER_MODES
/* bogus */, manage_gensec_get_pw_request
, (void **)&password
);
339 Check if a string is part of a list.
341 static bool in_list(const char *s
, const char *list
, bool casesensitive
)
344 size_t tok_len
= 1024;
350 tok
= (char *)malloc(tok_len
);
355 while (next_token(&p
, tok
, LIST_SEP
, tok_len
)) {
356 if ((casesensitive
?strcmp
:strcasecmp_m
)(tok
,s
) == 0) {
365 static void gensec_want_feature_list(struct gensec_security
*state
, char* feature_list
)
367 if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list
, true)) {
368 DEBUG(10, ("want GENSEC_FEATURE_SESSION_KEY\n"));
369 gensec_want_feature(state
, GENSEC_FEATURE_SESSION_KEY
);
371 if (in_list("NTLMSSP_FEATURE_SIGN", feature_list
, true)) {
372 DEBUG(10, ("want GENSEC_FEATURE_SIGN\n"));
373 gensec_want_feature(state
, GENSEC_FEATURE_SIGN
);
375 if (in_list("NTLMSSP_FEATURE_SEAL", feature_list
, true)) {
376 DEBUG(10, ("want GENSEC_FEATURE_SEAL\n"));
377 gensec_want_feature(state
, GENSEC_FEATURE_SEAL
);
381 static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode
,
382 struct loadparm_context
*lp_ctx
,
383 char *buf
, int length
, void **private,
384 unsigned int mux_id
, void **private2
)
387 DATA_BLOB out
= data_blob(NULL
, 0);
388 char *out_base64
= NULL
;
389 const char *reply_arg
= NULL
;
390 struct gensec_ntlm_state
{
391 struct gensec_security
*gensec_state
;
392 const char *set_password
;
394 struct gensec_ntlm_state
*state
;
395 struct event_context
*ev
;
396 struct messaging_context
*msg
;
400 const char *reply_code
;
401 struct cli_credentials
*creds
;
403 static char *want_feature_list
= NULL
;
404 static DATA_BLOB session_key
;
409 state
= (struct gensec_ntlm_state
*)*private;
411 state
= talloc_zero(NULL
, struct gensec_ntlm_state
);
413 mux_printf(mux_id
, "BH No Memory\n");
418 state
->set_password
= opt_password
;
422 if (strlen(buf
) < 2) {
423 DEBUG(1, ("query [%s] invalid", buf
));
424 mux_printf(mux_id
, "BH Query invalid\n");
428 if (strlen(buf
) > 3) {
429 if(strncmp(buf
, "SF ", 3) == 0) {
430 DEBUG(10, ("Setting flags to negotiate\n"));
431 talloc_free(want_feature_list
);
432 want_feature_list
= talloc_strndup(state
, buf
+3, strlen(buf
)-3);
433 mux_printf(mux_id
, "OK\n");
436 in
= base64_decode_data_blob(NULL
, buf
+ 3);
438 in
= data_blob(NULL
, 0);
441 if (strncmp(buf
, "YR", 2) == 0) {
442 if (state
->gensec_state
) {
443 talloc_free(state
->gensec_state
);
444 state
->gensec_state
= NULL
;
446 } else if ( (strncmp(buf
, "OK", 2) == 0)) {
447 /* Just return BH, like ntlm_auth from Samba 3 does. */
448 mux_printf(mux_id
, "BH Command expected\n");
451 } else if ( (strncmp(buf
, "TT ", 3) != 0) &&
452 (strncmp(buf
, "KK ", 3) != 0) &&
453 (strncmp(buf
, "AF ", 3) != 0) &&
454 (strncmp(buf
, "NA ", 3) != 0) &&
455 (strncmp(buf
, "UG", 2) != 0) &&
456 (strncmp(buf
, "PW ", 3) != 0) &&
457 (strncmp(buf
, "GK", 2) != 0) &&
458 (strncmp(buf
, "GF", 2) != 0)) {
459 DEBUG(1, ("SPNEGO request [%s] invalid\n", buf
));
460 mux_printf(mux_id
, "BH SPNEGO request invalid\n");
465 ev
= s4_event_context_init(state
);
470 if (!(state
->gensec_state
)) {
471 switch (stdio_helper_mode
) {
472 case GSS_SPNEGO_CLIENT
:
473 case NTLMSSP_CLIENT_1
:
474 /* setup the client side */
476 nt_status
= gensec_client_start(NULL
, &state
->gensec_state
, ev
, lp_ctx
);
477 if (!NT_STATUS_IS_OK(nt_status
)) {
482 case GSS_SPNEGO_SERVER
:
483 case SQUID_2_5_NTLMSSP
:
484 msg
= messaging_client_init(state
, lp_messaging_path(state
, lp_ctx
),
485 lp_iconv_convenience(lp_ctx
), ev
);
489 if (!NT_STATUS_IS_OK(gensec_server_start(state
, ev
, lp_ctx
, msg
, &state
->gensec_state
))) {
497 creds
= cli_credentials_init(state
->gensec_state
);
498 cli_credentials_set_conf(creds
, lp_ctx
);
500 cli_credentials_set_username(creds
, opt_username
, CRED_SPECIFIED
);
503 cli_credentials_set_domain(creds
, opt_domain
, CRED_SPECIFIED
);
505 if (state
->set_password
) {
506 cli_credentials_set_password(creds
, state
->set_password
, CRED_SPECIFIED
);
508 cli_credentials_set_password_callback(creds
, get_password
);
509 creds
->priv_data
= (void*)(uintptr_t)mux_id
;
511 if (opt_workstation
) {
512 cli_credentials_set_workstation(creds
, opt_workstation
, CRED_SPECIFIED
);
515 switch (stdio_helper_mode
) {
516 case GSS_SPNEGO_SERVER
:
517 case SQUID_2_5_NTLMSSP
:
518 cli_credentials_set_machine_account(creds
, lp_ctx
);
524 gensec_set_credentials(state
->gensec_state
, creds
);
525 gensec_want_feature_list(state
->gensec_state
, want_feature_list
);
527 switch (stdio_helper_mode
) {
528 case GSS_SPNEGO_CLIENT
:
529 case GSS_SPNEGO_SERVER
:
530 nt_status
= gensec_start_mech_by_oid(state
->gensec_state
, GENSEC_OID_SPNEGO
);
535 case NTLMSSP_CLIENT_1
:
540 case SQUID_2_5_NTLMSSP
:
541 nt_status
= gensec_start_mech_by_oid(state
->gensec_state
, GENSEC_OID_NTLMSSP
);
547 if (!NT_STATUS_IS_OK(nt_status
)) {
548 DEBUG(1, ("GENSEC mech failed to start: %s\n", nt_errstr(nt_status
)));
549 mux_printf(mux_id
, "BH GENSEC mech failed to start\n");
556 mem_ctx
= talloc_named(NULL
, 0, "manage_gensec_request internal mem_ctx");
558 if (strncmp(buf
, "PW ", 3) == 0) {
559 state
->set_password
= talloc_strndup(state
,
560 (const char *)in
.data
,
563 cli_credentials_set_password(gensec_get_credentials(state
->gensec_state
),
566 mux_printf(mux_id
, "OK\n");
568 talloc_free(mem_ctx
);
572 if (strncmp(buf
, "UG", 2) == 0) {
574 char *grouplist
= NULL
;
575 struct auth_session_info
*session_info
;
577 nt_status
= gensec_session_info(state
->gensec_state
, &session_info
);
578 if (!NT_STATUS_IS_OK(nt_status
)) {
579 DEBUG(1, ("gensec_session_info failed: %s\n", nt_errstr(nt_status
)));
580 mux_printf(mux_id
, "BH %s\n", nt_errstr(nt_status
));
582 talloc_free(mem_ctx
);
586 /* get the string onto the context */
587 grouplist
= talloc_strdup(mem_ctx
, "");
589 for (i
=0; i
<session_info
->security_token
->num_sids
; i
++) {
590 struct security_token
*token
= session_info
->security_token
;
591 const char *sidstr
= dom_sid_string(session_info
,
593 grouplist
= talloc_asprintf_append_buffer(grouplist
, "%s,", sidstr
);
596 mux_printf(mux_id
, "GL %s\n", grouplist
);
597 talloc_free(session_info
);
599 talloc_free(mem_ctx
);
603 if (strncmp(buf
, "GK", 2) == 0) {
605 DEBUG(10, ("Requested session key\n"));
606 nt_status
= gensec_session_key(state
->gensec_state
, &session_key
);
607 if(!NT_STATUS_IS_OK(nt_status
)) {
608 DEBUG(1, ("gensec_session_key failed: %s\n", nt_errstr(nt_status
)));
609 mux_printf(mux_id
, "BH No session key\n");
610 talloc_free(mem_ctx
);
613 base64_key
= base64_encode_data_blob(state
, session_key
);
614 mux_printf(mux_id
, "GK %s\n", base64_key
);
615 talloc_free(base64_key
);
617 talloc_free(mem_ctx
);
621 if (strncmp(buf
, "GF", 2) == 0) {
622 struct gensec_ntlmssp_state
*gensec_ntlmssp_state
;
625 gensec_ntlmssp_state
= talloc_get_type(state
->gensec_state
->private_data
,
626 struct gensec_ntlmssp_state
);
627 neg_flags
= gensec_ntlmssp_state
->neg_flags
;
629 DEBUG(10, ("Requested negotiated feature flags\n"));
630 mux_printf(mux_id
, "GF 0x%08x\n", neg_flags
);
634 nt_status
= gensec_update(state
->gensec_state
, mem_ctx
, in
, &out
);
636 /* don't leak 'bad password'/'no such user' info to the network client */
637 nt_status
= auth_nt_status_squash(nt_status
);
640 out_base64
= base64_encode_data_blob(mem_ctx
, out
);
645 if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)) {
649 } else if (state
->gensec_state
->gensec_role
== GENSEC_CLIENT
) {
651 } else if (state
->gensec_state
->gensec_role
== GENSEC_SERVER
) {
658 } else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_ACCESS_DENIED
)) {
659 reply_code
= "BH NT_STATUS_ACCESS_DENIED";
660 reply_arg
= nt_errstr(nt_status
);
661 DEBUG(1, ("GENSEC login failed: %s\n", nt_errstr(nt_status
)));
662 } else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_UNSUCCESSFUL
)) {
663 reply_code
= "BH NT_STATUS_UNSUCCESSFUL";
664 reply_arg
= nt_errstr(nt_status
);
665 DEBUG(1, ("GENSEC login failed: %s\n", nt_errstr(nt_status
)));
666 } else if (!NT_STATUS_IS_OK(nt_status
)) {
668 reply_arg
= nt_errstr(nt_status
);
669 DEBUG(1, ("GENSEC login failed: %s\n", nt_errstr(nt_status
)));
670 } else if /* OK */ (state
->gensec_state
->gensec_role
== GENSEC_SERVER
) {
671 struct auth_session_info
*session_info
;
673 nt_status
= gensec_session_info(state
->gensec_state
, &session_info
);
674 if (!NT_STATUS_IS_OK(nt_status
)) {
675 reply_code
= "BH Failed to retrive session info";
676 reply_arg
= nt_errstr(nt_status
);
677 DEBUG(1, ("GENSEC failed to retreive the session info: %s\n", nt_errstr(nt_status
)));
681 reply_arg
= talloc_asprintf(state
->gensec_state
,
682 "%s%s%s", session_info
->server_info
->domain_name
,
683 lp_winbind_separator(lp_ctx
), session_info
->server_info
->account_name
);
684 talloc_free(session_info
);
686 } else if (state
->gensec_state
->gensec_role
== GENSEC_CLIENT
) {
688 reply_arg
= out_base64
;
693 switch (stdio_helper_mode
) {
694 case GSS_SPNEGO_SERVER
:
695 mux_printf(mux_id
, "%s %s %s\n", reply_code
,
696 out_base64
? out_base64
: "*",
697 reply_arg
? reply_arg
: "*");
701 mux_printf(mux_id
, "%s %s\n", reply_code
, out_base64
);
702 } else if (reply_arg
) {
703 mux_printf(mux_id
, "%s %s\n", reply_code
, reply_arg
);
705 mux_printf(mux_id
, "%s\n", reply_code
);
709 talloc_free(mem_ctx
);
713 static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mode
,
714 struct loadparm_context
*lp_ctx
,
715 char *buf
, int length
, void **private,
716 unsigned int mux_id
, void **private2
)
718 char *request
, *parameter
;
719 static DATA_BLOB challenge
;
720 static DATA_BLOB lm_response
;
721 static DATA_BLOB nt_response
;
722 static char *full_username
;
723 static char *username
;
725 static char *plaintext_password
;
726 static bool ntlm_server_1_user_session_key
;
727 static bool ntlm_server_1_lm_session_key
;
729 if (strequal(buf
, ".")) {
730 if (!full_username
&& !username
) {
731 mux_printf(mux_id
, "Error: No username supplied!\n");
732 } else if (plaintext_password
) {
733 /* handle this request as plaintext */
734 if (!full_username
) {
735 if (asprintf(&full_username
, "%s%c%s", domain
, *lp_winbind_separator(lp_ctx
), username
) == -1) {
736 mux_printf(mux_id
, "Error: Out of memory in asprintf!\n.\n");
740 if (check_plaintext_auth(full_username
, plaintext_password
, false)) {
741 mux_printf(mux_id
, "Authenticated: Yes\n");
743 mux_printf(mux_id
, "Authenticated: No\n");
745 } else if (!lm_response
.data
&& !nt_response
.data
) {
746 mux_printf(mux_id
, "Error: No password supplied!\n");
747 } else if (!challenge
.data
) {
748 mux_printf(mux_id
, "Error: No lanman-challenge supplied!\n");
750 char *error_string
= NULL
;
752 DATA_BLOB user_session_key
;
755 if (full_username
&& !username
) {
759 if (!parse_ntlm_auth_domain_user(full_username
, fstr_user
, fstr_domain
,
760 *lp_winbind_separator(lp_ctx
))) {
761 /* username might be 'tainted', don't print into our new-line deleimianted stream */
762 mux_printf(mux_id
, "Error: Could not parse into domain and username\n");
766 username
= smb_xstrdup(fstr_user
);
767 domain
= smb_xstrdup(fstr_domain
);
771 domain
= smb_xstrdup(lp_workgroup(lp_ctx
));
774 if (ntlm_server_1_lm_session_key
)
775 flags
|= NTLM_AUTH_FLAG_LMKEY
;
777 if (ntlm_server_1_user_session_key
)
778 flags
|= NTLM_AUTH_FLAG_USER_SESSION_KEY
;
780 if (!NT_STATUS_IS_OK(
781 local_pw_check_specified(lp_ctx
,
784 lp_netbios_name(lp_ctx
),
794 mux_printf(mux_id
, "Authenticated: No\n");
795 mux_printf(mux_id
, "Authentication-Error: %s\n.\n", error_string
);
796 SAFE_FREE(error_string
);
798 static char zeros
[16];
800 char *hex_user_session_key
;
802 mux_printf(mux_id
, "Authenticated: Yes\n");
804 if (ntlm_server_1_lm_session_key
806 && (memcmp(zeros
, lm_key
.data
,
807 lm_key
.length
) != 0)) {
808 hex_encode(lm_key
.data
,
811 mux_printf(mux_id
, "LANMAN-Session-Key: %s\n", hex_lm_key
);
812 SAFE_FREE(hex_lm_key
);
815 if (ntlm_server_1_user_session_key
816 && user_session_key
.length
817 && (memcmp(zeros
, user_session_key
.data
,
818 user_session_key
.length
) != 0)) {
819 hex_encode(user_session_key
.data
,
820 user_session_key
.length
,
821 &hex_user_session_key
);
822 mux_printf(mux_id
, "User-Session-Key: %s\n", hex_user_session_key
);
823 SAFE_FREE(hex_user_session_key
);
827 /* clear out the state */
828 challenge
= data_blob(NULL
, 0);
829 nt_response
= data_blob(NULL
, 0);
830 lm_response
= data_blob(NULL
, 0);
831 SAFE_FREE(full_username
);
834 SAFE_FREE(plaintext_password
);
835 ntlm_server_1_user_session_key
= false;
836 ntlm_server_1_lm_session_key
= false;
837 mux_printf(mux_id
, ".\n");
844 /* Indicates a base64 encoded structure */
845 parameter
= strstr(request
, ":: ");
847 parameter
= strstr(request
, ": ");
850 DEBUG(0, ("Parameter not found!\n"));
851 mux_printf(mux_id
, "Error: Parameter not found!\n.\n");
868 base64_decode_inplace(parameter
);
871 if (strequal(request
, "LANMAN-Challenge")) {
872 challenge
= strhex_to_data_blob(parameter
);
873 if (challenge
.length
!= 8) {
874 mux_printf(mux_id
, "Error: hex decode of %s failed! (got %d bytes, expected 8)\n.\n",
876 (int)challenge
.length
);
877 challenge
= data_blob(NULL
, 0);
879 } else if (strequal(request
, "NT-Response")) {
880 nt_response
= strhex_to_data_blob(parameter
);
881 if (nt_response
.length
< 24) {
882 mux_printf(mux_id
, "Error: hex decode of %s failed! (only got %d bytes, needed at least 24)\n.\n",
884 (int)nt_response
.length
);
885 nt_response
= data_blob(NULL
, 0);
887 } else if (strequal(request
, "LANMAN-Response")) {
888 lm_response
= strhex_to_data_blob(parameter
);
889 if (lm_response
.length
!= 24) {
890 mux_printf(mux_id
, "Error: hex decode of %s failed! (got %d bytes, expected 24)\n.\n",
892 (int)lm_response
.length
);
893 lm_response
= data_blob(NULL
, 0);
895 } else if (strequal(request
, "Password")) {
896 plaintext_password
= smb_xstrdup(parameter
);
897 } else if (strequal(request
, "NT-Domain")) {
898 domain
= smb_xstrdup(parameter
);
899 } else if (strequal(request
, "Username")) {
900 username
= smb_xstrdup(parameter
);
901 } else if (strequal(request
, "Full-Username")) {
902 full_username
= smb_xstrdup(parameter
);
903 } else if (strequal(request
, "Request-User-Session-Key")) {
904 ntlm_server_1_user_session_key
= strequal(parameter
, "Yes");
905 } else if (strequal(request
, "Request-LanMan-Session-Key")) {
906 ntlm_server_1_lm_session_key
= strequal(parameter
, "Yes");
908 mux_printf(mux_id
, "Error: Unknown request %s\n.\n", request
);
912 static void manage_squid_request(struct loadparm_context
*lp_ctx
, enum stdio_helper_mode helper_mode
,
913 stdio_helper_function fn
, void **private2
)
916 char tmp
[INITIAL_BUFFER_SIZE
+1];
917 unsigned int mux_id
= 0;
918 int length
, buf_size
= 0;
921 unsigned int max_mux
;
922 void **private_pointers
;
925 static struct mux_private
*mux_private
;
926 static void *normal_private
;
929 buf
= talloc_strdup(NULL
, "");
932 DEBUG(0, ("Failed to allocate memory for reading the input "
934 x_fprintf(x_stdout
, "ERR\n");
939 /* this is not a typo - x_fgets doesn't work too well under
941 if (fgets(tmp
, INITIAL_BUFFER_SIZE
, stdin
) == NULL
) {
943 DEBUG(1, ("fgets() failed! dying..... errno=%d "
944 "(%s)\n", ferror(stdin
),
945 strerror(ferror(stdin
))));
947 exit(1); /* BIIG buffer */
952 buf
= talloc_strdup_append_buffer(buf
, tmp
);
953 buf_size
+= INITIAL_BUFFER_SIZE
;
955 if (buf_size
> MAX_BUFFER_SIZE
) {
956 DEBUG(0, ("Invalid Request (too large)\n"));
957 x_fprintf(x_stdout
, "ERR\n");
962 c
= strchr(buf
, '\n');
968 DEBUG(10, ("Got '%s' from squid (length: %d).\n",buf
,length
));
970 if (buf
[0] == '\0') {
971 DEBUG(0, ("Invalid Request (empty)\n"));
972 x_fprintf(x_stdout
, "ERR\n");
978 if (sscanf(buf
, "%u ", &mux_id
) != 1) {
979 DEBUG(0, ("Invalid Request - no multiplex id\n"));
980 x_fprintf(x_stdout
, "ERR\n");
985 mux_private
= talloc(NULL
, struct mux_private
);
986 mux_private
->max_mux
= 0;
987 mux_private
->private_pointers
= NULL
;
992 DEBUG(0, ("Invalid Request - no data after multiplex id\n"));
993 x_fprintf(x_stdout
, "ERR\n");
998 if (mux_id
>= mux_private
->max_mux
) {
999 unsigned int prev_max
= mux_private
->max_mux
;
1000 mux_private
->max_mux
= mux_id
+ 1;
1001 mux_private
->private_pointers
1002 = talloc_realloc(mux_private
,
1003 mux_private
->private_pointers
,
1004 void *, mux_private
->max_mux
);
1005 memset(&mux_private
->private_pointers
[prev_max
], '\0',
1006 (sizeof(*mux_private
->private_pointers
) * (mux_private
->max_mux
- prev_max
)));
1009 private = &mux_private
->private_pointers
[mux_id
];
1012 private = &normal_private
;
1015 fn(helper_mode
, lp_ctx
, c
, length
, private, mux_id
, private2
);
1019 static void squid_stream(struct loadparm_context
*lp_ctx
,
1020 enum stdio_helper_mode stdio_mode
,
1021 stdio_helper_function fn
) {
1022 /* initialize FDescs */
1023 x_setbuf(x_stdout
, NULL
);
1024 x_setbuf(x_stderr
, NULL
);
1026 manage_squid_request(lp_ctx
, stdio_mode
, fn
, NULL
);
1034 OPT_USERNAME
= 1000,
1043 OPT_USER_SESSION_KEY
,
1045 OPT_REQUIRE_MEMBERSHIP
,
1047 OPT_USE_CACHED_CREDS
,
1050 int main(int argc
, const char **argv
)
1052 static const char *helper_protocol
;
1057 /* NOTE: DO NOT change this interface without considering the implications!
1058 This is an external interface, which other programs will use to interact
1062 /* We do not use single-letter command abbreviations, because they harm future
1063 interface stability. */
1065 struct poptOption long_options
[] = {
1067 { "helper-protocol", 0, POPT_ARG_STRING
, &helper_protocol
, OPT_DOMAIN
, "operate as a stdio-based helper", "helper protocol to use"},
1068 { "domain", 0, POPT_ARG_STRING
, &opt_domain
, OPT_DOMAIN
, "domain name"},
1069 { "workstation", 0, POPT_ARG_STRING
, &opt_workstation
, OPT_WORKSTATION
, "workstation"},
1070 { "username", 0, POPT_ARG_STRING
, &opt_username
, OPT_PASSWORD
, "Username"},
1071 { "password", 0, POPT_ARG_STRING
, &opt_password
, OPT_PASSWORD
, "User's plaintext password"},
1072 { "multiplex", 0, POPT_ARG_NONE
, &opt_multiplex
, OPT_MULTIPLEX
, "Multiplex Mode"},
1073 { "use-cached-creds", 0, POPT_ARG_NONE
, &use_cached_creds
, OPT_USE_CACHED_CREDS
, "silently ignored for compatibility reasons"},
1079 /* Samba client initialisation */
1081 setup_logging(NULL
, DEBUG_STDERR
);
1085 pc
= poptGetContext("ntlm_auth", argc
, argv
, long_options
, 0);
1087 /* Parse command line options */
1090 poptPrintHelp(pc
, stderr
, 0);
1094 pc
= poptGetContext(NULL
, argc
, (const char **)argv
, long_options
,
1095 POPT_CONTEXT_KEEP_FIRST
);
1097 while((opt
= poptGetNextOpt(pc
)) != -1) {
1103 fprintf(stderr
, "%s: %s\n",
1104 poptBadOption(pc
, POPT_BADOPTION_NOALIAS
),
1109 gensec_init(cmdline_lp_ctx
);
1111 if (opt_domain
== NULL
) {
1112 opt_domain
= lp_workgroup(cmdline_lp_ctx
);
1115 if (helper_protocol
) {
1117 for (i
=0; i
<NUM_HELPER_MODES
; i
++) {
1118 if (strcmp(helper_protocol
, stdio_helper_protocols
[i
].name
) == 0) {
1119 squid_stream(cmdline_lp_ctx
, stdio_helper_protocols
[i
].mode
, stdio_helper_protocols
[i
].fn
);
1123 x_fprintf(x_stderr
, "unknown helper protocol [%s]\n\nValid helper protools:\n\n", helper_protocol
);
1125 for (i
=0; i
<NUM_HELPER_MODES
; i
++) {
1126 x_fprintf(x_stderr
, "%s\n", stdio_helper_protocols
[i
].name
);
1132 if (!opt_username
) {
1133 x_fprintf(x_stderr
, "username must be specified!\n\n");
1134 poptPrintHelp(pc
, stderr
, 0);
1138 if (opt_workstation
== NULL
) {
1139 opt_workstation
= lp_netbios_name(cmdline_lp_ctx
);
1142 if (!opt_password
) {
1143 opt_password
= getpass("password: ");
1149 asprintf(&user
, "%s%c%s", opt_domain
, *lp_winbind_separator(cmdline_lp_ctx
), opt_username
);
1150 if (!check_plaintext_auth(user
, opt_password
, true)) {
1157 poptFreeContext(pc
);