source3/auth/auth_ntlmssp.c

   1 /*
   2    Unix SMB/Netbios implementation.
   3    Version 3.0
   4    handle NLTMSSP, server side
   5
   6    Copyright (C) Andrew Tridgell      2001
   7    Copyright (C) Andrew Bartlett 2001-2003
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "includes.h"
  24 #include "auth.h"
  25 #include "../libcli/auth/ntlmssp.h"
  26 #include "ntlmssp_wrap.h"
  27 #include "../librpc/gen_ndr/netlogon.h"
  28 #include "../lib/tsocket/tsocket.h"
  29
  30 NTSTATUS auth_ntlmssp_steal_session_info(TALLOC_CTX *mem_ctx,
  31                                         struct auth_ntlmssp_state *auth_ntlmssp_state,
  32                                         struct auth_session_info **session_info)
  33 {
  34         NTSTATUS nt_status = create_local_token(mem_ctx,
  35                                                 auth_ntlmssp_state->server_info,
  36                                                 &auth_ntlmssp_state->ntlmssp_state->session_key,
  37                                                 session_info);
  38
  39         if (!NT_STATUS_IS_OK(nt_status)) {
  40                 DEBUG(10, ("create_local_token failed: %s\n",
  41                            nt_errstr(nt_status)));
  42         }
  43         return nt_status;
  44 }
  45
  46 /**
  47  * Return the challenge as determined by the authentication subsystem
  48  * @return an 8 byte random challenge
  49  */
  50
  51 static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
  52                                            uint8_t chal[8])
  53 {
  54         struct auth_ntlmssp_state *auth_ntlmssp_state =
  55                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
  56         auth_ntlmssp_state->auth_context->get_ntlm_challenge(
  57                 auth_ntlmssp_state->auth_context, chal);
  58         return NT_STATUS_OK;
  59 }
  60
  61 /**
  62  * Some authentication methods 'fix' the challenge, so we may not be able to set it
  63  *
  64  * @return If the effective challenge used by the auth subsystem may be modified
  65  */
  66 static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
  67 {
  68         struct auth_ntlmssp_state *auth_ntlmssp_state =
  69                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
  70         struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
  71
  72         return auth_context->challenge_may_be_modified;
  73 }
  74
  75 /**
  76  * NTLM2 authentication modifies the effective challenge,
  77  * @param challenge The new challenge value
  78  */
  79 static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
  80 {
  81         struct auth_ntlmssp_state *auth_ntlmssp_state =
  82                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
  83         struct auth_context *auth_context = auth_ntlmssp_state->auth_context;
  84
  85         SMB_ASSERT(challenge->length == 8);
  86
  87         auth_context->challenge = data_blob_talloc(auth_context,
  88                                                    challenge->data, challenge->length);
  89
  90         auth_context->challenge_set_by = "NTLMSSP callback (NTLM2)";
  91
  92         DEBUG(5, ("auth_context challenge set by %s\n", auth_context->challenge_set_by));
  93         DEBUG(5, ("challenge is: \n"));
  94         dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
  95         return NT_STATUS_OK;
  96 }
  97
  98 /**
  99  * Check the password on an NTLMSSP login.
 100  *
 101  * Return the session keys used on the connection.
 102  */
 103
 104 static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, TALLOC_CTX *mem_ctx,
 105                                             DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
 106 {
 107         struct auth_ntlmssp_state *auth_ntlmssp_state =
 108                 (struct auth_ntlmssp_state *)ntlmssp_state->callback_private;
 109         struct auth_usersupplied_info *user_info = NULL;
 110         NTSTATUS nt_status;
 111         bool username_was_mapped;
 112
 113         /* the client has given us its machine name (which we otherwise would not get on port 445).
 114            we need to possibly reload smb.conf if smb.conf includes depend on the machine name */
 115
 116         set_remote_machine_name(auth_ntlmssp_state->ntlmssp_state->client.netbios_name, True);
 117
 118         /* setup the string used by %U */
 119         /* sub_set_smb_name checks for weird internally */
 120         sub_set_smb_name(auth_ntlmssp_state->ntlmssp_state->user);
 121
 122         lp_load(get_dyn_CONFIGFILE(), false, false, true, true);
 123
 124         nt_status = make_user_info_map(&user_info,
 125                                        auth_ntlmssp_state->ntlmssp_state->user,
 126                                        auth_ntlmssp_state->ntlmssp_state->domain,
 127                                        auth_ntlmssp_state->ntlmssp_state->client.netbios_name,
 128                                        auth_ntlmssp_state->remote_address,
 129                                        auth_ntlmssp_state->ntlmssp_state->lm_resp.data ? &auth_ntlmssp_state->ntlmssp_state->lm_resp : NULL,
 130                                        auth_ntlmssp_state->ntlmssp_state->nt_resp.data ? &auth_ntlmssp_state->ntlmssp_state->nt_resp : NULL,
 131                                        NULL, NULL, NULL,
 132                                        AUTH_PASSWORD_RESPONSE);
 133
 134         if (!NT_STATUS_IS_OK(nt_status)) {
 135                 return nt_status;
 136         }
 137
 138         user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
 139
 140         nt_status = auth_ntlmssp_state->auth_context->check_ntlm_password(auth_ntlmssp_state->auth_context,
 141                                                                           user_info, &auth_ntlmssp_state->server_info);
 142
 143         username_was_mapped = user_info->was_mapped;
 144
 145         free_user_info(&user_info);
 146
 147         if (!NT_STATUS_IS_OK(nt_status)) {
 148                 return nt_status;
 149         }
 150
 151         auth_ntlmssp_state->server_info->nss_token |= username_was_mapped;
 152
 153         /* Clear out the session keys, and pass them to the caller.
 154          * They will not be used in this form again - instead the
 155          * NTLMSSP code will decide on the final correct session key,
 156          * and put it back here at the end of
 157          * auth_ntlmssp_steal_server_info */
 158         if (auth_ntlmssp_state->server_info->session_key.length) {
 159                 DEBUG(10, ("Got NT session key of length %u\n",
 160                         (unsigned int)auth_ntlmssp_state->server_info->session_key.length));
 161                 *session_key = auth_ntlmssp_state->server_info->session_key;
 162                 talloc_steal(mem_ctx, auth_ntlmssp_state->server_info->session_key.data);
 163                 auth_ntlmssp_state->server_info->session_key = data_blob_null;
 164         }
 165         if (auth_ntlmssp_state->server_info->lm_session_key.length) {
 166                 DEBUG(10, ("Got LM session key of length %u\n",
 167                         (unsigned int)auth_ntlmssp_state->server_info->lm_session_key.length));
 168                 *lm_session_key = auth_ntlmssp_state->server_info->lm_session_key;
 169                 talloc_steal(mem_ctx, auth_ntlmssp_state->server_info->lm_session_key.data);
 170                 auth_ntlmssp_state->server_info->lm_session_key = data_blob_null;
 171         }
 172         return nt_status;
 173 }
 174
 175 static int auth_ntlmssp_state_destructor(void *ptr);
 176
 177 NTSTATUS auth_ntlmssp_start(const struct tsocket_address *remote_address,
 178                             struct auth_ntlmssp_state **auth_ntlmssp_state)
 179 {
 180         NTSTATUS nt_status;
 181         bool is_standalone;
 182         const char *netbios_name;
 183         const char *netbios_domain;
 184         const char *dns_name;
 185         char *dns_domain;
 186         struct auth_ntlmssp_state *ans;
 187         struct auth_context *auth_context;
 188
 189         if ((enum server_role)lp_server_role() == ROLE_STANDALONE) {
 190                 is_standalone = true;
 191         } else {
 192                 is_standalone = false;
 193         }
 194
 195         netbios_name = lp_netbios_name();
 196         netbios_domain = lp_workgroup();
 197         /* This should be a 'netbios domain -> DNS domain' mapping */
 198         dns_domain = get_mydnsdomname(talloc_tos());
 199         if (dns_domain) {
 200                 strlower_m(dns_domain);
 201         }
 202         dns_name = get_mydnsfullname();
 203
 204         ans = talloc_zero(NULL, struct auth_ntlmssp_state);
 205         if (!ans) {
 206                 DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
 207                 return NT_STATUS_NO_MEMORY;
 208         }
 209
 210         ans->remote_address = tsocket_address_copy(remote_address, ans);
 211         if (ans->remote_address == NULL) {
 212                 DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
 213                 return NT_STATUS_NO_MEMORY;
 214         }
 215
 216         nt_status = ntlmssp_server_start(ans,
 217                                          is_standalone,
 218                                          netbios_name,
 219                                          netbios_domain,
 220                                          dns_name,
 221                                          dns_domain,
 222                                          &ans->ntlmssp_state);
 223         if (!NT_STATUS_IS_OK(nt_status)) {
 224                 return nt_status;
 225         }
 226
 227         nt_status = make_auth_context_subsystem(talloc_tos(), &auth_context);
 228         if (!NT_STATUS_IS_OK(nt_status)) {
 229                 return nt_status;
 230         }
 231         ans->auth_context = talloc_steal(ans, auth_context);
 232
 233         ans->ntlmssp_state->callback_private = ans;
 234         ans->ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
 235         ans->ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
 236         ans->ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
 237         ans->ntlmssp_state->check_password = auth_ntlmssp_check_password;
 238
 239         talloc_set_destructor((TALLOC_CTX *)ans, auth_ntlmssp_state_destructor);
 240
 241         *auth_ntlmssp_state = ans;
 242         return NT_STATUS_OK;
 243 }
 244
 245 static int auth_ntlmssp_state_destructor(void *ptr)
 246 {
 247         struct auth_ntlmssp_state *ans;
 248
 249         ans = talloc_get_type(ptr, struct auth_ntlmssp_state);
 250
 251         TALLOC_FREE(ans->remote_address);
 252         TALLOC_FREE(ans->server_info);
 253         TALLOC_FREE(ans->ntlmssp_state);
 254         return 0;
 255 }