/*
   Unix SMB/Netbios implementation.
   Version 3.0
   handle NTLMSSP, client server side parsing

   Copyright (C) Andrew Tridgell      2001
   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005
   Copyright (C) Stefan Metzmacher 2005

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#include "includes.h"
#include "system/network.h"
#include "lib/tsocket/tsocket.h"
#include "auth/ntlmssp/ntlmssp.h"
#include "../librpc/gen_ndr/ndr_ntlmssp.h"
#include "auth/ntlmssp/ntlmssp_ndr.h"
#include "auth/ntlmssp/ntlmssp_private.h"
#include "../libcli/auth/libcli_auth.h"
#include "../lib/crypto/crypto.h"
#include "auth/gensec/gensec.h"
#include "auth/gensec/gensec_internal.h"
#include "auth/common_auth.h"
#include "param/param.h"
#include "param/loadparm.h"
#include "libds/common/roles.h"

#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH

/**
 * Return the credentials of a logged on user, including session keys
 * etc.
 *
 * Only valid after a successful authentication
 *
 * May only be called once per authentication.
 *
 * @param gensec_security  GENSEC context; its private_data must be a
 *                         struct gensec_ntlmssp_context (enforced by
 *                         talloc_get_type_abort()).
 * @param mem_ctx          talloc context handed to the auth context's
 *                         generate_session_info() callback.
 * @param session_info     Out: receives the generated session info.
 *
 * @return NT_STATUS_OK on success, NT_STATUS_INTERNAL_ERROR when no
 *         auth_context / generate_session_info callback is available,
 *         otherwise the failing status of the callback or of
 *         gensec_ntlmssp_session_key().
 *
 * NT_STATUS_NO_USER_SESSION_KEY is not treated as a failure: the
 * session key is set to data_blob_null and NT_STATUS_OK is returned.
 * Callers that rely on a session key should therefore check the key
 * length rather than only the returned status.
 */

NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security,
				     TALLOC_CTX *mem_ctx,
				     struct auth_session_info **session_info)
{
	struct gensec_ntlmssp_context *ntlmssp_ctx =
		talloc_get_type_abort(gensec_security->private_data,
				      struct gensec_ntlmssp_context);
	/* Every NTLMSSP session gets default groups and is marked as NTLM. */
	uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS |
			 AUTH_SESSION_INFO_NTLM;
	NTSTATUS status;

	if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
		flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
	}

	/*
	 * Without the callback there is no way to build a session_info,
	 * so refuse instead of returning a half-initialised result.
	 * NOTE(review): the coverage listing this file was taken from
	 * shows 0 hits for this branch.
	 */
	if (gensec_security->auth_context == NULL ||
	    gensec_security->auth_context->generate_session_info == NULL) {
		DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));
		return NT_STATUS_INTERNAL_ERROR;
	}

	status = gensec_security->auth_context->generate_session_info(
			gensec_security->auth_context,
			mem_ctx,
			ntlmssp_ctx->server_returned_info,
			ntlmssp_ctx->ntlmssp_state->user,
			flags,
			session_info);
	NT_STATUS_NOT_OK_RETURN(status);

	status = gensec_ntlmssp_session_key(gensec_security,
					    *session_info,
					    &(*session_info)->session_key);
	if (!NT_STATUS_EQUAL(status, NT_STATUS_NO_USER_SESSION_KEY)) {
		return status;
	}

	/* No user session key: hand back an explicit null key, not an error. */
	(*session_info)->session_key = data_blob_null;
	return NT_STATUS_OK;
}

/**
 * Start NTLMSSP on the server side
 *
 * Runs gensec_ntlmssp_start(), allocates a zeroed ntlmssp_state as a
 * talloc child of the gensec NTLMSSP context, and fills in the server
 * role, the expected first message, the negotiate flags the server is
 * willing to offer and the server's NetBIOS/DNS names.
 *
 * @param gensec_security  GENSEC context being started as a server.
 *
 * @return NT_STATUS_OK on success, the status of gensec_ntlmssp_start()
 *         if that fails, or NT_STATUS_NO_MEMORY if an allocation fails.
 *         A NULL name also ends up as NT_STATUS_NO_MEMORY, because
 *         talloc_strdup() returns NULL for a NULL input.
 */
NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
{
	/*
	 * Negotiate flags that are offered unless the matching
	 * "ntlmssp_server" setting is switched off (all default to true).
	 * Note that this includes the 56-bit flag.
	 */
	const struct {
		const char *option;
		uint32_t flag;
	} default_on[] = {
		{ "128bit",      NTLMSSP_NEGOTIATE_128 },
		{ "56bit",       NTLMSSP_NEGOTIATE_56 },
		{ "keyexchange", NTLMSSP_NEGOTIATE_KEY_EXCH },
		{ "alwayssign",  NTLMSSP_NEGOTIATE_ALWAYS_SIGN },
		{ "ntlm2",       NTLMSSP_NEGOTIATE_NTLM2 },
	};
	struct gensec_ntlmssp_context *ntlmssp_ctx;
	struct ntlmssp_state *state;
	enum server_role role;
	const char *netbios_name;
	const char *netbios_domain;
	const char *dns_name;
	const char *dns_domain;
	uint32_t flags;
	NTSTATUS status;
	size_t i;

	role = lpcfg_server_role(gensec_security->settings->lp_ctx);

	status = gensec_ntlmssp_start(gensec_security);
	NT_STATUS_NOT_OK_RETURN(status);

	ntlmssp_ctx = talloc_get_type_abort(gensec_security->private_data,
					    struct gensec_ntlmssp_context);

	state = talloc_zero(ntlmssp_ctx, struct ntlmssp_state);
	if (state == NULL) {
		return NT_STATUS_NO_MEMORY;
	}
	ntlmssp_ctx->ntlmssp_state = state;

	state->role = NTLMSSP_SERVER;
	state->expected_state = NTLMSSP_NEGOTIATE;

	/*
	 * LM responses follow lpcfg_lanman_auth(). The LM session key is
	 * only allowed when LM responses are allowed *and* the
	 * ("ntlmssp_server", "allow_lm_key") setting is enabled; that
	 * setting defaults to false. allow_lm_key starts out false from
	 * talloc_zero().
	 * NOTE(review): the coverage listing this file was taken from
	 * shows 0 hits for the allow_lm_key == true case.
	 */
	state->allow_lm_response =
		lpcfg_lanman_auth(gensec_security->settings->lp_ctx);
	state->allow_lm_key =
		state->allow_lm_response &&
		gensec_setting_bool(gensec_security->settings,
				    "ntlmssp_server", "allow_lm_key", false);

	/*
	 * For testing Windows 2000 mode
	 */
	state->force_old_spnego =
		gensec_setting_bool(gensec_security->settings,
				    "ntlmssp_server", "force_old_spnego", false);

	flags = NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_VERSION;

	for (i = 0; i < sizeof(default_on) / sizeof(default_on[0]); i++) {
		if (gensec_setting_bool(gensec_security->settings,
					"ntlmssp_server",
					default_on[i].option, true)) {
			flags |= default_on[i].flag;
		}
	}

	if (state->allow_lm_key) {
		flags |= NTLMSSP_NEGOTIATE_LM_KEY;
	}

	/*
	 * We always allow NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL.
	 *
	 * These will be removed if the client doesn't want them.
	 * Offering them here is not the same as requiring them; nothing
	 * in this function makes signing or sealing mandatory.
	 */
	flags |= NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL;
	state->neg_flags = flags;

	state->server.is_standalone = (role == ROLE_STANDALONE);

	/* Explicit per-connection names win over the loadparm defaults. */
	netbios_name = gensec_security->settings->server_netbios_name
		? gensec_security->settings->server_netbios_name
		: lpcfg_netbios_name(gensec_security->settings->lp_ctx);

	netbios_domain = gensec_security->settings->server_netbios_domain
		? gensec_security->settings->server_netbios_domain
		: lpcfg_workgroup(gensec_security->settings->lp_ctx);

	dns_name = gensec_security->settings->server_dns_name
		? gensec_security->settings->server_dns_name
		: lpcfg_dns_hostname(gensec_security->settings->lp_ctx);

	dns_domain = gensec_security->settings->server_dns_domain
		? gensec_security->settings->server_dns_domain
		: lpcfg_dnsdomain(gensec_security->settings->lp_ctx);

	/* Copies are owned by the state, so they are freed together with it. */
	state->server.netbios_name = talloc_strdup(state, netbios_name);
	NT_STATUS_HAVE_NO_MEMORY(state->server.netbios_name);

	state->server.netbios_domain = talloc_strdup(state, netbios_domain);
	NT_STATUS_HAVE_NO_MEMORY(state->server.netbios_domain);

	state->server.dns_name = talloc_strdup(state, dns_name);
	NT_STATUS_HAVE_NO_MEMORY(state->server.dns_name);

	state->server.dns_domain = talloc_strdup(state, dns_domain);
	NT_STATUS_HAVE_NO_MEMORY(state->server.dns_domain);

	/*
	 * NOTE(review): required_flags is not assigned in this function
	 * after talloc_zero(), so as written this OR adds no bits here.
	 */
	state->neg_flags |= state->required_flags;
	/* Remember the configured flag set alongside the negotiable one. */
	state->conf_flags = state->neg_flags;

	return NT_STATUS_OK;
}