2 Unix SMB/Netbios implementation.
4 handle GENSEC authentication, server side
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett 2001-2003,2011
8 Copyright (C) Simo Sorce 2010.
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../lib/tsocket/tsocket.h"
27 #include "auth/gensec/gensec.h"
28 #include "lib/param/param.h"
30 #include "libcli/auth/krb5_wrap.h"
32 #include "librpc/crypto/gse.h"
33 #include "auth/credentials/credentials.h"
35 static NTSTATUS
auth3_generate_session_info_pac(struct auth4_context
*auth_ctx
,
37 struct smb_krb5_context
*smb_krb5_context
,
39 const char *princ_name
,
40 const struct tsocket_address
*remote_address
,
41 uint32_t session_info_flags
,
42 struct auth_session_info
**session_info
)
45 struct PAC_DATA
*pac_data
= NULL
;
46 struct PAC_LOGON_INFO
*logon_info
= NULL
;
58 tmp_ctx
= talloc_new(mem_ctx
);
60 return NT_STATUS_NO_MEMORY
;
65 status
= kerberos_decode_pac(tmp_ctx
,
67 NULL
, NULL
, NULL
, NULL
, 0, &pac_data
);
69 status
= NT_STATUS_ACCESS_DENIED
;
71 if (!NT_STATUS_IS_OK(status
)) {
75 /* get logon name and logon info */
76 for (i
= 0; i
< pac_data
->num_buffers
; i
++) {
77 struct PAC_BUFFER
*data_buf
= &pac_data
->buffers
[i
];
79 switch (data_buf
->type
) {
80 case PAC_TYPE_LOGON_INFO
:
81 if (!data_buf
->info
) {
84 logon_info
= data_buf
->info
->logon_info
.info
;
91 DEBUG(1, ("Invalid PAC data, missing logon info!\n"));
92 status
= NT_STATUS_NOT_FOUND
;
97 rc
= get_remote_hostname(remote_address
,
101 status
= NT_STATUS_NO_MEMORY
;
104 if (strequal(rhost
, "UNKNOWN")) {
105 rhost
= tsocket_address_inet_addr_string(remote_address
,
108 status
= NT_STATUS_NO_MEMORY
;
113 status
= get_user_from_kerberos_info(tmp_ctx
, rhost
,
114 princ_name
, logon_info
,
115 &is_mapped
, &is_guest
,
118 if (!NT_STATUS_IS_OK(status
)) {
119 DEBUG(1, ("Failed to map kerberos principal to system user "
120 "(%s)\n", nt_errstr(status
)));
121 status
= NT_STATUS_ACCESS_DENIED
;
125 /* save the PAC data if we have it */
127 netsamlogon_cache_store(ntuser
, &logon_info
->info3
);
130 /* setup the string used by %U */
131 sub_set_smb_name(username
);
133 /* reload services so that the new %U is taken into account */
134 lp_load(get_dyn_CONFIGFILE(), false, false, true, true);
136 status
= make_session_info_krb5(mem_ctx
,
137 ntuser
, ntdomain
, username
, pw
,
138 logon_info
, is_guest
, is_mapped
, NULL
/* No session key for now, caller will sort it out */,
140 if (!NT_STATUS_IS_OK(status
)) {
141 DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
143 status
= NT_STATUS_ACCESS_DENIED
;
147 DEBUG(5, (__location__
"OK: user: %s domain: %s client: %s\n",
148 ntuser
, ntdomain
, rhost
));
150 status
= NT_STATUS_OK
;
153 TALLOC_FREE(tmp_ctx
);
157 static struct auth4_context
*make_auth4_context_s3(TALLOC_CTX
*mem_ctx
, struct auth_context
*auth_context
)
159 struct auth4_context
*auth4_context
= talloc_zero(mem_ctx
, struct auth4_context
);
160 if (auth4_context
== NULL
) {
161 DEBUG(10, ("failed to allocate auth4_context failed\n"));
164 auth4_context
->generate_session_info_pac
= auth3_generate_session_info_pac
;
165 auth4_context
->generate_session_info
= auth3_generate_session_info
;
166 auth4_context
->get_ntlm_challenge
= auth3_get_challenge
;
167 auth4_context
->set_ntlm_challenge
= auth3_set_challenge
;
168 auth4_context
->challenge_may_be_modified
= auth3_may_set_challenge
;
169 auth4_context
->check_ntlm_password
= auth3_check_password
;
170 auth4_context
->private_data
= talloc_steal(auth4_context
, auth_context
);
171 return auth4_context
;
174 NTSTATUS
make_auth4_context(TALLOC_CTX
*mem_ctx
, struct auth4_context
**auth4_context_out
)
176 struct auth_context
*auth_context
;
179 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
180 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
182 nt_status
= make_auth_context_subsystem(tmp_ctx
, &auth_context
);
183 if (!NT_STATUS_IS_OK(nt_status
)) {
184 TALLOC_FREE(tmp_ctx
);
188 if (auth_context
->make_auth4_context
) {
189 nt_status
= auth_context
->make_auth4_context(mem_ctx
, auth4_context_out
);
190 TALLOC_FREE(tmp_ctx
);
194 struct auth4_context
*auth4_context
= make_auth4_context_s3(tmp_ctx
, auth_context
);
195 if (auth4_context
== NULL
) {
196 TALLOC_FREE(tmp_ctx
);
197 return NT_STATUS_NO_MEMORY
;
199 *auth4_context_out
= talloc_steal(mem_ctx
, auth4_context
);
200 TALLOC_FREE(tmp_ctx
);
205 NTSTATUS
auth_generic_prepare(TALLOC_CTX
*mem_ctx
,
206 const struct tsocket_address
*remote_address
,
207 struct gensec_security
**gensec_security_out
)
209 struct gensec_security
*gensec_security
;
210 struct auth_context
*auth_context
;
213 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
214 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
216 nt_status
= make_auth_context_subsystem(tmp_ctx
, &auth_context
);
217 if (!NT_STATUS_IS_OK(nt_status
)) {
218 TALLOC_FREE(tmp_ctx
);
222 if (auth_context
->prepare_gensec
) {
223 nt_status
= auth_context
->prepare_gensec(tmp_ctx
,
225 if (!NT_STATUS_IS_OK(nt_status
)) {
226 TALLOC_FREE(tmp_ctx
);
230 struct gensec_settings
*gensec_settings
;
231 struct loadparm_context
*lp_ctx
;
233 struct cli_credentials
*server_credentials
;
234 const char *dns_name
;
235 const char *dns_domain
;
236 struct auth4_context
*auth4_context
= make_auth4_context_s3(tmp_ctx
, auth_context
);
237 if (auth4_context
== NULL
) {
238 TALLOC_FREE(tmp_ctx
);
239 return NT_STATUS_NO_MEMORY
;
242 lp_ctx
= loadparm_init_s3(tmp_ctx
, loadparm_s3_context());
243 if (lp_ctx
== NULL
) {
244 DEBUG(10, ("loadparm_init_s3 failed\n"));
245 TALLOC_FREE(tmp_ctx
);
246 return NT_STATUS_INVALID_SERVER_STATE
;
249 gensec_settings
= lpcfg_gensec_settings(tmp_ctx
, lp_ctx
);
250 if (lp_ctx
== NULL
) {
251 DEBUG(10, ("lpcfg_gensec_settings failed\n"));
252 TALLOC_FREE(tmp_ctx
);
253 return NT_STATUS_NO_MEMORY
;
257 * This should be a 'netbios domain -> DNS domain'
258 * mapping, and can currently validly return NULL on
259 * poorly configured systems.
261 * This is used for the NTLMSSP server
264 dns_name
= get_mydnsfullname();
265 if (dns_name
== NULL
) {
269 dns_domain
= get_mydnsdomname(tmp_ctx
);
270 if (dns_domain
== NULL
) {
274 gensec_settings
->server_dns_name
= strlower_talloc(gensec_settings
, dns_name
);
275 if (gensec_settings
->server_dns_name
== NULL
) {
276 TALLOC_FREE(tmp_ctx
);
277 return NT_STATUS_NO_MEMORY
;
280 gensec_settings
->server_dns_domain
= strlower_talloc(gensec_settings
, dns_domain
);
281 if (gensec_settings
->server_dns_domain
== NULL
) {
282 TALLOC_FREE(tmp_ctx
);
283 return NT_STATUS_NO_MEMORY
;
286 gensec_settings
->backends
= talloc_zero_array(gensec_settings
,
287 struct gensec_security_ops
*, 4);
288 if (gensec_settings
->backends
== NULL
) {
289 TALLOC_FREE(tmp_ctx
);
290 return NT_STATUS_NO_MEMORY
;
295 gensec_settings
->backends
[idx
++] = gensec_security_by_oid(NULL
, GENSEC_OID_NTLMSSP
);
297 #if defined(HAVE_KRB5)
298 gensec_settings
->backends
[idx
++] = &gensec_gse_krb5_security_ops
;
301 gensec_settings
->backends
[idx
++] = gensec_security_by_oid(NULL
,
305 * This is anonymous for now, because we just use it
306 * to set the kerberos state at the moment
308 server_credentials
= cli_credentials_init_anon(tmp_ctx
);
309 if (!server_credentials
) {
310 DEBUG(0, ("auth_generic_prepare: Failed to init server credentials\n"));
311 return NT_STATUS_NO_MEMORY
;
314 cli_credentials_set_conf(server_credentials
, lp_ctx
);
316 if (lp_security() == SEC_ADS
|| USE_KERBEROS_KEYTAB
) {
317 cli_credentials_set_kerberos_state(server_credentials
, CRED_AUTO_USE_KERBEROS
);
319 cli_credentials_set_kerberos_state(server_credentials
, CRED_DONT_USE_KERBEROS
);
322 nt_status
= gensec_server_start(tmp_ctx
, gensec_settings
,
323 auth4_context
, &gensec_security
);
325 if (!NT_STATUS_IS_OK(nt_status
)) {
326 TALLOC_FREE(tmp_ctx
);
330 gensec_set_credentials(gensec_security
, server_credentials
);
332 talloc_unlink(tmp_ctx
, lp_ctx
);
333 talloc_unlink(tmp_ctx
, server_credentials
);
334 talloc_unlink(tmp_ctx
, gensec_settings
);
335 talloc_unlink(tmp_ctx
, auth4_context
);
338 nt_status
= gensec_set_remote_address(gensec_security
,
340 if (!NT_STATUS_IS_OK(nt_status
)) {
341 TALLOC_FREE(tmp_ctx
);
345 *gensec_security_out
= talloc_steal(mem_ctx
, gensec_security
);
346 TALLOC_FREE(tmp_ctx
);
350 NTSTATUS
auth_check_password_session_info(struct auth4_context
*auth_context
,
352 struct auth_usersupplied_info
*user_info
,
353 struct auth_session_info
**session_info
)
358 nt_status
= auth_context
->check_ntlm_password(auth_context
,
361 &server_info
, NULL
, NULL
);
363 if (NT_STATUS_IS_OK(nt_status
)) {
364 nt_status
= auth_context
->generate_session_info(auth_context
,
367 user_info
->client
.account_name
,
368 AUTH_SESSION_INFO_UNIX_TOKEN
|
369 AUTH_SESSION_INFO_DEFAULT_GROUPS
,
371 TALLOC_FREE(server_info
);