search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3: use monotonic clock for time deltas in smbget
[Samba/ita.git] / source4 / auth / system_session.c
blobbec22c16005249664372c459e8b9bf9fc3f23599
1 /*
2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001-2010
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Stefan Metzmacher 2005
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "libcli/security/security.h"
26 #include "auth/credentials/credentials.h"
27 #include "param/param.h"
28 #include "auth/auth.h" /* for auth_serversupplied_info */
29 #include "auth/session.h"
30 #include "auth/system_session_proto.h"
31
32 /**
33 * Create the SID list for this user.
34 *
35 * @note Specialised version for system sessions that doesn't use the SAM.
36 */
37 static NTSTATUS create_token(TALLOC_CTX *mem_ctx,
38 struct dom_sid *user_sid,
39 struct dom_sid *group_sid,
40 unsigned int n_groupSIDs,
41 struct dom_sid **groupSIDs,
42 bool is_authenticated,
43 struct security_token **token)
44 {
45 struct security_token *ptoken;
46 unsigned int i;
47
48 ptoken = security_token_initialise(mem_ctx);
49 NT_STATUS_HAVE_NO_MEMORY(ptoken);
50
51 ptoken->sids = talloc_array(ptoken, struct dom_sid, n_groupSIDs + 5);
52 NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
53
54 ptoken->sids[PRIMARY_USER_SID_INDEX] = *user_sid;
55 ptoken->sids[PRIMARY_GROUP_SID_INDEX] = *group_sid;
56 ptoken->privilege_mask = 0;
57
58 /*
59 * Finally add the "standard" SIDs.
60 * The only difference between guest and "anonymous"
61 * is the addition of Authenticated_Users.
62 */
63
64 if (!dom_sid_parse(SID_WORLD, &ptoken->sids[2])) {
65 return NT_STATUS_INTERNAL_ERROR;
66 }
67 if (!dom_sid_parse(SID_NT_NETWORK, &ptoken->sids[3])) {
68 return NT_STATUS_INTERNAL_ERROR;
69 }
70 ptoken->num_sids = 4;
71
72 if (is_authenticated) {
73 if (!dom_sid_parse(SID_NT_AUTHENTICATED_USERS, &ptoken->sids[4])) {
74 return NT_STATUS_INTERNAL_ERROR;
75 }
76 ptoken->num_sids++;
77 }
78
79 for (i = 0; i < n_groupSIDs; i++) {
80 size_t check_sid_idx;
81 for (check_sid_idx = 1;
82 check_sid_idx < ptoken->num_sids;
83 check_sid_idx++) {
84 if (dom_sid_equal(&ptoken->sids[check_sid_idx], groupSIDs[i])) {
85 break;
86 }
87 }
88
89 if (check_sid_idx == ptoken->num_sids) {
90 ptoken->sids[ptoken->num_sids++] = *groupSIDs[i];
91 }
92 }
93
94 *token = ptoken;
95
96 /* Shortcuts to prevent recursion and avoid lookups */
97 if (ptoken->sids == NULL) {
98 ptoken->privilege_mask = 0;
99 return NT_STATUS_OK;
100 }
101
102 if (security_token_is_system(ptoken)) {
103 ptoken->privilege_mask = ~0;
104 } else if (security_token_is_anonymous(ptoken)) {
105 ptoken->privilege_mask = 0;
106 } else if (security_token_has_builtin_administrators(ptoken)) {
107 ptoken->privilege_mask = ~0;
108 } else {
109 /* All other 'users' get a empty priv set so far */
110 ptoken->privilege_mask = 0;
111 }
112 return NT_STATUS_OK;
113 }
114
115 NTSTATUS auth_generate_simple_session_info(TALLOC_CTX *mem_ctx,
116 struct auth_serversupplied_info *server_info,
117 struct auth_session_info **_session_info)
118 {
119 struct auth_session_info *session_info;
120 NTSTATUS nt_status;
121
122 session_info = talloc(mem_ctx, struct auth_session_info);
123 NT_STATUS_HAVE_NO_MEMORY(session_info);
124
125 session_info->server_info = talloc_reference(session_info, server_info);
126
127 /* unless set otherwise, the session key is the user session
128 * key from the auth subsystem */
129 session_info->session_key = server_info->user_session_key;
130
131 nt_status = create_token(session_info,
132 server_info->account_sid,
133 server_info->primary_group_sid,
134 server_info->n_domain_groups,
135 server_info->domain_groups,
136 server_info->authenticated,
137 &session_info->security_token);
138 NT_STATUS_NOT_OK_RETURN(nt_status);
139
140 session_info->credentials = NULL;
141
142 *_session_info = session_info;
143 return NT_STATUS_OK;
144 }
145
146
147 /*
148 prevent the static system session being freed
149 */
150 static int system_session_destructor(struct auth_session_info *info)
151 {
152 return -1;
153 }
154
155 /* Create a security token for a session SYSTEM (the most
156 * trusted/prvilaged account), including the local machine account as
157 * the off-host credentials
158 */
159 _PUBLIC_ struct auth_session_info *system_session(struct loadparm_context *lp_ctx)
160 {
161 static struct auth_session_info *static_session;
162 NTSTATUS nt_status;
163
164 if (static_session) {
165 return static_session;
166 }
167
168 nt_status = auth_system_session_info(talloc_autofree_context(),
169 lp_ctx,
170 &static_session);
171 if (!NT_STATUS_IS_OK(nt_status)) {
172 talloc_free(static_session);
173 static_session = NULL;
174 return NULL;
175 }
176 talloc_set_destructor(static_session, system_session_destructor);
177 return static_session;
178 }
179
180 NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
181 struct loadparm_context *lp_ctx,
182 struct auth_session_info **_session_info)
183 {
184 NTSTATUS nt_status;
185 struct auth_serversupplied_info *server_info = NULL;
186 struct auth_session_info *session_info = NULL;
187 TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
188
189 nt_status = auth_system_server_info(mem_ctx, lpcfg_netbios_name(lp_ctx),
190 &server_info);
191 if (!NT_STATUS_IS_OK(nt_status)) {
192 talloc_free(mem_ctx);
193 return nt_status;
194 }
195
196 /* references the server_info into the session_info */
197 nt_status = auth_generate_session_info(parent_ctx, NULL, server_info, 0, &session_info);
198 talloc_free(mem_ctx);
199
200 NT_STATUS_NOT_OK_RETURN(nt_status);
201
202 session_info->credentials = cli_credentials_init(session_info);
203 if (!session_info->credentials) {
204 return NT_STATUS_NO_MEMORY;
205 }
206
207 cli_credentials_set_conf(session_info->credentials, lp_ctx);
208
209 cli_credentials_set_machine_account_pending(session_info->credentials, lp_ctx);
210 *_session_info = session_info;
211
212 return NT_STATUS_OK;
213 }
214
215 NTSTATUS auth_system_server_info(TALLOC_CTX *mem_ctx, const char *netbios_name,
216 struct auth_serversupplied_info **_server_info)
217 {
218 struct auth_serversupplied_info *server_info;
219
220 server_info = talloc(mem_ctx, struct auth_serversupplied_info);
221 NT_STATUS_HAVE_NO_MEMORY(server_info);
222
223 server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_SYSTEM);
224 NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
225
226 /* is this correct? */
227 server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_BUILTIN_ADMINISTRATORS);
228 NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
229
230 server_info->n_domain_groups = 0;
231 server_info->domain_groups = NULL;
232
233 /* annoying, but the Anonymous really does have a session key,
234 and it is all zeros! */
235 server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
236 NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
237
238 server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
239 NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
240
241 data_blob_clear(&server_info->user_session_key);
242 data_blob_clear(&server_info->lm_session_key);
243
244 server_info->account_name = talloc_strdup(server_info, "SYSTEM");
245 NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
246
247 server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY");
248 NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
249
250 server_info->full_name = talloc_strdup(server_info, "System");
251 NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
252
253 server_info->logon_script = talloc_strdup(server_info, "");
254 NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
255
256 server_info->profile_path = talloc_strdup(server_info, "");
257 NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
258
259 server_info->home_directory = talloc_strdup(server_info, "");
260 NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
261
262 server_info->home_drive = talloc_strdup(server_info, "");
263 NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
264
265 server_info->logon_server = talloc_strdup(server_info, netbios_name);
266 NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
267
268 server_info->last_logon = 0;
269 server_info->last_logoff = 0;
270 server_info->acct_expiry = 0;
271 server_info->last_password_change = 0;
272 server_info->allow_password_change = 0;
273 server_info->force_password_change = 0;
274
275 server_info->logon_count = 0;
276 server_info->bad_password_count = 0;
277
278 server_info->acct_flags = ACB_NORMAL;
279
280 server_info->authenticated = true;
281
282 *_server_info = server_info;
283
284 return NT_STATUS_OK;
285 }
286
287
288 static NTSTATUS auth_domain_admin_server_info(TALLOC_CTX *mem_ctx,
289 const char *netbios_name,
290 const char *domain_name,
291 struct dom_sid *domain_sid,
292 struct auth_serversupplied_info **_server_info)
293 {
294 struct auth_serversupplied_info *server_info;
295
296 server_info = talloc(mem_ctx, struct auth_serversupplied_info);
297 NT_STATUS_HAVE_NO_MEMORY(server_info);
298
299 server_info->account_sid = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_ADMINISTRATOR);
300 NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
301
302 server_info->primary_group_sid = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_USERS);
303 NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
304
305 server_info->n_domain_groups = 6;
306 server_info->domain_groups = talloc_array(server_info, struct dom_sid *, server_info->n_domain_groups);
307
308 server_info->domain_groups[0] = dom_sid_parse_talloc(server_info, SID_BUILTIN_ADMINISTRATORS);
309 server_info->domain_groups[1] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_ADMINS);
310 server_info->domain_groups[2] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_USERS);
311 server_info->domain_groups[3] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_ENTERPRISE_ADMINS);
312 server_info->domain_groups[4] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_POLICY_ADMINS);
313 server_info->domain_groups[5] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_SCHEMA_ADMINS);
314
315 /* What should the session key be?*/
316 server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
317 NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
318
319 server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
320 NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
321
322 data_blob_clear(&server_info->user_session_key);
323 data_blob_clear(&server_info->lm_session_key);
324
325 server_info->account_name = talloc_strdup(server_info, "Administrator");
326 NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
327
328 server_info->domain_name = talloc_strdup(server_info, domain_name);
329 NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
330
331 server_info->full_name = talloc_strdup(server_info, "Administrator");
332 NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
333
334 server_info->logon_script = talloc_strdup(server_info, "");
335 NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
336
337 server_info->profile_path = talloc_strdup(server_info, "");
338 NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
339
340 server_info->home_directory = talloc_strdup(server_info, "");
341 NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
342
343 server_info->home_drive = talloc_strdup(server_info, "");
344 NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
345
346 server_info->logon_server = talloc_strdup(server_info, netbios_name);
347 NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
348
349 server_info->last_logon = 0;
350 server_info->last_logoff = 0;
351 server_info->acct_expiry = 0;
352 server_info->last_password_change = 0;
353 server_info->allow_password_change = 0;
354 server_info->force_password_change = 0;
355
356 server_info->logon_count = 0;
357 server_info->bad_password_count = 0;
358
359 server_info->acct_flags = ACB_NORMAL;
360
361 server_info->authenticated = true;
362
363 *_server_info = server_info;
364
365 return NT_STATUS_OK;
366 }
367
368 static NTSTATUS auth_domain_admin_session_info(TALLOC_CTX *parent_ctx,
369 struct loadparm_context *lp_ctx,
370 struct dom_sid *domain_sid,
371 struct auth_session_info **_session_info)
372 {
373 NTSTATUS nt_status;
374 struct auth_serversupplied_info *server_info = NULL;
375 struct auth_session_info *session_info = NULL;
376 TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
377
378 nt_status = auth_domain_admin_server_info(mem_ctx, lpcfg_netbios_name(lp_ctx),
379 lpcfg_workgroup(lp_ctx), domain_sid,
380 &server_info);
381 if (!NT_STATUS_IS_OK(nt_status)) {
382 talloc_free(mem_ctx);
383 return nt_status;
384 }
385
386 session_info = talloc(mem_ctx, struct auth_session_info);
387 NT_STATUS_HAVE_NO_MEMORY(session_info);
388
389 session_info->server_info = talloc_reference(session_info, server_info);
390
391 /* unless set otherwise, the session key is the user session
392 * key from the auth subsystem */
393 session_info->session_key = server_info->user_session_key;
394
395 nt_status = create_token(session_info,
396 server_info->account_sid,
397 server_info->primary_group_sid,
398 server_info->n_domain_groups,
399 server_info->domain_groups,
400 true,
401 &session_info->security_token);
402 NT_STATUS_NOT_OK_RETURN(nt_status);
403
404 session_info->credentials = cli_credentials_init(session_info);
405 if (!session_info->credentials) {
406 return NT_STATUS_NO_MEMORY;
407 }
408
409 cli_credentials_set_conf(session_info->credentials, lp_ctx);
410
411 *_session_info = session_info;
412
413 return NT_STATUS_OK;
414 }
415
416 _PUBLIC_ struct auth_session_info *admin_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct dom_sid *domain_sid)
417 {
418 NTSTATUS nt_status;
419 struct auth_session_info *session_info = NULL;
420 nt_status = auth_domain_admin_session_info(mem_ctx,
421 lp_ctx,
422 domain_sid,
423 &session_info);
424 if (!NT_STATUS_IS_OK(nt_status)) {
425 return NULL;
426 }
427 return session_info;
428 }
429
430 _PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
431 struct loadparm_context *lp_ctx,
432 struct auth_session_info **_session_info)
433 {
434 NTSTATUS nt_status;
435 struct auth_serversupplied_info *server_info = NULL;
436 struct auth_session_info *session_info = NULL;
437 TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
438
439 nt_status = auth_anonymous_server_info(mem_ctx,
440 lpcfg_netbios_name(lp_ctx),
441 &server_info);
442 if (!NT_STATUS_IS_OK(nt_status)) {
443 talloc_free(mem_ctx);
444 return nt_status;
445 }
446
447 /* references the server_info into the session_info */
448 nt_status = auth_generate_session_info(parent_ctx, NULL, server_info, 0, &session_info);
449 talloc_free(mem_ctx);
450
451 NT_STATUS_NOT_OK_RETURN(nt_status);
452
453 session_info->credentials = cli_credentials_init(session_info);
454 if (!session_info->credentials) {
455 return NT_STATUS_NO_MEMORY;
456 }
457
458 cli_credentials_set_conf(session_info->credentials, lp_ctx);
459 cli_credentials_set_anonymous(session_info->credentials);
460
461 *_session_info = session_info;
462
463 return NT_STATUS_OK;
464 }
465
466 _PUBLIC_ NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx,
467 const char *netbios_name,
468 struct auth_serversupplied_info **_server_info)
469 {
470 struct auth_serversupplied_info *server_info;
471 server_info = talloc(mem_ctx, struct auth_serversupplied_info);
472 NT_STATUS_HAVE_NO_MEMORY(server_info);
473
474 server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
475 NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
476
477 /* The anonymous user has only one SID in it's token, but we need to fill something in here */
478 server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
479 NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
480
481 server_info->n_domain_groups = 0;
482 server_info->domain_groups = NULL;
483
484 /* annoying, but the Anonymous really does have a session key... */
485 server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
486 NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
487
488 server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
489 NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
490
491 /* and it is all zeros! */
492 data_blob_clear(&server_info->user_session_key);
493 data_blob_clear(&server_info->lm_session_key);
494
495 server_info->account_name = talloc_strdup(server_info, "ANONYMOUS LOGON");
496 NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
497
498 server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY");
499 NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
500
501 server_info->full_name = talloc_strdup(server_info, "Anonymous Logon");
502 NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
503
504 server_info->logon_script = talloc_strdup(server_info, "");
505 NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
506
507 server_info->profile_path = talloc_strdup(server_info, "");
508 NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
509
510 server_info->home_directory = talloc_strdup(server_info, "");
511 NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
512
513 server_info->home_drive = talloc_strdup(server_info, "");
514 NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
515
516 server_info->logon_server = talloc_strdup(server_info, netbios_name);
517 NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
518
519 server_info->last_logon = 0;
520 server_info->last_logoff = 0;
521 server_info->acct_expiry = 0;
522 server_info->last_password_change = 0;
523 server_info->allow_password_change = 0;
524 server_info->force_password_change = 0;
525
526 server_info->logon_count = 0;
527 server_info->bad_password_count = 0;
528
529 server_info->acct_flags = ACB_NORMAL;
530
531 server_info->authenticated = false;
532
533 *_server_info = server_info;
534
535 return NT_STATUS_OK;
536 }
537