search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:rpc_srv:getncchanges: 4.5 anc emulation uses qsort(), not ldb_qsort()
[samba.git] / source3 / winbindd / winbindd_ccache_access.c
blobcc395ad3bda535cfc4932cc4e71c002f7c9a3a00
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon - cached credentials functions
5
6 Copyright (C) Robert O'Callahan 2006
7 Copyright (C) Jeremy Allison 2006 (minor fixes to fit into Samba and
8 protect against integer wrap).
9 Copyright (C) Andrew Bartlett 2011
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 */
24
25 #include "includes.h"
26 #include "winbindd.h"
27 #include "auth/gensec/gensec.h"
28 #include "auth_generic.h"
29 #include "lib/util/string_wrappers.h"
30
31 #undef DBGC_CLASS
32 #define DBGC_CLASS DBGC_WINBIND
33
34 static bool client_can_access_ccache_entry(uid_t client_uid,
35 struct WINBINDD_MEMORY_CREDS *entry)
36 {
37 if (client_uid == entry->uid || client_uid == 0) {
38 DEBUG(10, ("Access granted to uid %u\n", (unsigned int)client_uid));
39 return True;
40 }
41
42 DEBUG(1, ("Access denied to uid %u (expected %u)\n",
43 (unsigned int)client_uid, (unsigned int)entry->uid));
44 return False;
45 }
46
47 static NTSTATUS do_ntlm_auth_with_stored_pw(const char *namespace,
48 const char *domain,
49 const char *username,
50 const char *password,
51 const DATA_BLOB initial_msg,
52 const DATA_BLOB challenge_msg,
53 TALLOC_CTX *mem_ctx,
54 DATA_BLOB *auth_msg,
55 uint8_t session_key[16],
56 uint8_t *new_spnego)
57 {
58 NTSTATUS status;
59 struct auth_generic_state *auth_generic_state = NULL;
60 DATA_BLOB reply, session_key_blob;
61
62 status = auth_generic_client_prepare(mem_ctx, &auth_generic_state);
63
64 if (!NT_STATUS_IS_OK(status)) {
65 DEBUG(1, ("Could not start NTLMSSP client: %s\n",
66 nt_errstr(status)));
67 goto done;
68 }
69
70 status = auth_generic_set_username(auth_generic_state, username);
71
72 if (!NT_STATUS_IS_OK(status)) {
73 DEBUG(1, ("Could not set username: %s\n",
74 nt_errstr(status)));
75 goto done;
76 }
77
78 status = auth_generic_set_domain(auth_generic_state, domain);
79
80 if (!NT_STATUS_IS_OK(status)) {
81 DEBUG(1, ("Could not set domain: %s\n",
82 nt_errstr(status)));
83 goto done;
84 }
85
86 status = auth_generic_set_password(auth_generic_state, password);
87
88 if (!NT_STATUS_IS_OK(status)) {
89 DEBUG(1, ("Could not set password: %s\n",
90 nt_errstr(status)));
91 goto done;
92 }
93
94 if (initial_msg.length == 0) {
95 gensec_want_feature(auth_generic_state->gensec_security,
96 GENSEC_FEATURE_SESSION_KEY);
97 }
98
99 status = auth_generic_client_start_by_name(auth_generic_state,
100 "ntlmssp_resume_ccache");
101 if (!NT_STATUS_IS_OK(status)) {
102 DEBUG(1, ("Could not start NTLMSSP resume mech: %s\n",
103 nt_errstr(status)));
104 goto done;
105 }
106
107 /*
108 * We inject the initial NEGOTIATE message our caller used
109 * in order to get the state machine into the correct position.
110 */
111 reply = data_blob_null;
112 status = gensec_update(auth_generic_state->gensec_security,
113 talloc_tos(), initial_msg, &reply);
114 data_blob_free(&reply);
115
116 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
117 DEBUG(1, ("Failed to create initial message! [%s]\n",
118 nt_errstr(status)));
119 goto done;
120 }
121
122 /* Now we are ready to handle the server's actual response. */
123 status = gensec_update(auth_generic_state->gensec_security,
124 mem_ctx, challenge_msg, &reply);
125 if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
126 DEBUG(1, ("We didn't get a response to the challenge! [%s]\n",
127 nt_errstr(status)));
128 data_blob_free(&reply);
129 goto done;
130 }
131
132 status = gensec_session_key(auth_generic_state->gensec_security,
133 talloc_tos(), &session_key_blob);
134 if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
135 DEBUG(1, ("We didn't get the session key we requested! [%s]\n",
136 nt_errstr(status)));
137 data_blob_free(&reply);
138 goto done;
139 }
140
141 if (session_key_blob.length != 16) {
142 DEBUG(1, ("invalid session key length %d\n",
143 (int)session_key_blob.length));
144 data_blob_free(&reply);
145 goto done;
146 }
147 memcpy(session_key, session_key_blob.data, 16);
148 data_blob_free(&session_key_blob);
149 *auth_msg = reply;
150 *new_spnego = gensec_have_feature(auth_generic_state->gensec_security,
151 GENSEC_FEATURE_NEW_SPNEGO);
152 status = NT_STATUS_OK;
153
154 done:
155 TALLOC_FREE(auth_generic_state);
156 return status;
157 }
158
159 static bool check_client_uid(struct winbindd_cli_state *state, uid_t uid)
160 {
161 int ret;
162 uid_t ret_uid;
163 gid_t ret_gid;
164
165 ret_uid = (uid_t)-1;
166
167 ret = getpeereid(state->sock, &ret_uid, &ret_gid);
168 if (ret != 0) {
169 DEBUG(1, ("check_client_uid: Could not get socket peer uid: %s; "
170 "denying access\n", strerror(errno)));
171 return False;
172 }
173
174 if (uid != ret_uid && ret_uid != sec_initial_uid()) {
175 DEBUG(1, ("check_client_uid: Client lied about its uid: said %u, "
176 "actually was %u; denying access\n",
177 (unsigned int)uid, (unsigned int)ret_uid));
178 return False;
179 }
180
181 return True;
182 }
183
184 bool winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state)
185 {
186 struct winbindd_domain *domain;
187 char *name_namespace = NULL;
188 char *name_domain = NULL;
189 char *name_user = NULL;
190 char *auth_user = NULL;
191 NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
192 struct WINBINDD_MEMORY_CREDS *entry;
193 DATA_BLOB initial, challenge, auth;
194 uint32_t initial_blob_len, challenge_blob_len, extra_len;
195 bool ok;
196
197 /* Ensure null termination */
198 state->request->data.ccache_ntlm_auth.user[
199 sizeof(state->request->data.ccache_ntlm_auth.user)-1]='\0';
200
201 DEBUG(3, ("[%5lu]: perform NTLM auth on behalf of user %s\n", (unsigned long)state->pid,
202 state->request->data.ccache_ntlm_auth.user));
203
204 /* Parse domain and username */
205
206 auth_user = state->request->data.ccache_ntlm_auth.user;
207 ok = canonicalize_username(state,
208 &auth_user,
209 &name_namespace,
210 &name_domain,
211 &name_user);
212 if (!ok) {
213 DEBUG(5,("winbindd_ccache_ntlm_auth: cannot parse domain and user from name [%s]\n",
214 state->request->data.ccache_ntlm_auth.user));
215 return false;
216 }
217
218 fstrcpy(state->request->data.ccache_ntlm_auth.user, auth_user);
219 TALLOC_FREE(auth_user);
220
221 domain = find_auth_domain(state->request->flags, name_domain);
222
223 if (domain == NULL) {
224 DEBUG(5,("winbindd_ccache_ntlm_auth: can't get domain [%s]\n",
225 name_domain));
226 return false;
227 }
228
229 if (!check_client_uid(state, state->request->data.ccache_ntlm_auth.uid)) {
230 return false;
231 }
232
233 /* validate blob lengths */
234 initial_blob_len = state->request->data.ccache_ntlm_auth.initial_blob_len;
235 challenge_blob_len = state->request->data.ccache_ntlm_auth.challenge_blob_len;
236 extra_len = state->request->extra_len;
237
238 if (initial_blob_len > extra_len || challenge_blob_len > extra_len ||
239 initial_blob_len + challenge_blob_len > extra_len ||
240 initial_blob_len + challenge_blob_len < initial_blob_len ||
241 initial_blob_len + challenge_blob_len < challenge_blob_len) {
242
243 DEBUG(10,("winbindd_dual_ccache_ntlm_auth: blob lengths overrun "
244 "or wrap. Buffer [%d+%d > %d]\n",
245 initial_blob_len,
246 challenge_blob_len,
247 extra_len));
248 goto process_result;
249 }
250
251 TALLOC_FREE(name_namespace);
252 TALLOC_FREE(name_domain);
253 TALLOC_FREE(name_user);
254 /* Parse domain and username */
255 ok = parse_domain_user(state,
256 state->request->data.ccache_ntlm_auth.user,
257 &name_namespace,
258 &name_domain,
259 &name_user);
260 if (!ok) {
261 DEBUG(10,("winbindd_dual_ccache_ntlm_auth: cannot parse "
262 "domain and user from name [%s]\n",
263 state->request->data.ccache_ntlm_auth.user));
264 goto process_result;
265 }
266
267 entry = find_memory_creds_by_name(state->request->data.ccache_ntlm_auth.user);
268 if (entry == NULL || entry->nt_hash == NULL || entry->lm_hash == NULL) {
269 DEBUG(10,("winbindd_dual_ccache_ntlm_auth: could not find "
270 "credentials for user %s\n",
271 state->request->data.ccache_ntlm_auth.user));
272 goto process_result;
273 }
274
275 DEBUG(10,("winbindd_dual_ccache_ntlm_auth: found ccache [%s]\n", entry->username));
276
277 if (!client_can_access_ccache_entry(state->request->data.ccache_ntlm_auth.uid, entry)) {
278 goto process_result;
279 }
280
281 if (initial_blob_len == 0 && challenge_blob_len == 0) {
282 /* this is just a probe to see if credentials are available. */
283 result = NT_STATUS_OK;
284 state->response->data.ccache_ntlm_auth.auth_blob_len = 0;
285 goto process_result;
286 }
287
288 initial = data_blob_const(state->request->extra_data.data,
289 initial_blob_len);
290 challenge = data_blob_const(
291 state->request->extra_data.data + initial_blob_len,
292 state->request->data.ccache_ntlm_auth.challenge_blob_len);
293
294 result = do_ntlm_auth_with_stored_pw(
295 name_namespace,
296 name_domain,
297 name_user,
298 entry->pass,
299 initial,
300 challenge,
301 talloc_tos(),
302 &auth,
303 state->response->data.ccache_ntlm_auth.session_key,
304 &state->response->data.ccache_ntlm_auth.new_spnego);
305
306 if (!NT_STATUS_IS_OK(result)) {
307 goto process_result;
308 }
309
310 state->response->extra_data.data = talloc_memdup(
311 state->mem_ctx, auth.data, auth.length);
312 if (!state->response->extra_data.data) {
313 result = NT_STATUS_NO_MEMORY;
314 goto process_result;
315 }
316 state->response->length += auth.length;
317 state->response->data.ccache_ntlm_auth.auth_blob_len = auth.length;
318
319 data_blob_free(&auth);
320
321 process_result:
322 TALLOC_FREE(name_namespace);
323 TALLOC_FREE(name_domain);
324 TALLOC_FREE(name_user);
325 return NT_STATUS_IS_OK(result);
326 }
327
328 bool winbindd_ccache_save(struct winbindd_cli_state *state)
329 {
330 struct winbindd_domain *domain;
331 char *name_namespace = NULL;
332 char *name_domain = NULL;
333 char *name_user = NULL;
334 char *save_user = NULL;
335 NTSTATUS status;
336 bool ok;
337
338 /* Ensure null termination */
339 state->request->data.ccache_save.user[
340 sizeof(state->request->data.ccache_save.user)-1]='\0';
341 state->request->data.ccache_save.pass[
342 sizeof(state->request->data.ccache_save.pass)-1]='\0';
343
344 DEBUG(3, ("[%5lu]: save password of user %s\n",
345 (unsigned long)state->pid,
346 state->request->data.ccache_save.user));
347
348 /* Parse domain and username */
349
350
351 save_user = state->request->data.ccache_save.user;
352 ok = canonicalize_username(state,
353 &save_user,
354 &name_namespace,
355 &name_domain,
356 &name_user);
357 if (!ok) {
358 DEBUG(5,("winbindd_ccache_save: cannot parse domain and user "
359 "from name [%s]\n",
360 state->request->data.ccache_save.user));
361 return false;
362 }
363
364 fstrcpy(state->request->data.ccache_save.user, save_user);
365
366 /*
367 * The domain is checked here only for compatibility
368 * reasons. We used to do the winbindd memory ccache for
369 * ntlm_auth in the domain child. With that code, we had to
370 * make sure that we do have a domain around to send this
371 * to. Now we do the memory cache in the parent winbindd,
372 * where it would not matter if we have a domain or not.
373 */
374
375 domain = find_auth_domain(state->request->flags, name_domain);
376 if (domain == NULL) {
377 DEBUG(5, ("winbindd_ccache_save: can't get domain [%s]\n",
378 name_domain));
379 return false;
380 }
381
382 if (!check_client_uid(state, state->request->data.ccache_save.uid)) {
383 return false;
384 }
385
386 status = winbindd_add_memory_creds(
387 state->request->data.ccache_save.user,
388 state->request->data.ccache_save.uid,
389 state->request->data.ccache_save.pass);
390
391 if (!NT_STATUS_IS_OK(status)) {
392 DEBUG(1, ("winbindd_add_memory_creds failed %s\n",
393 nt_errstr(status)));
394 return false;
395 }
396 return true;
397 }
Samba git mirror