Line data Source code
1 : /*
2 : Unix SMB/Netbios implementation.
3 : Version 3.0
4 : handle GENSEC authentication, server side
5 :
6 : Copyright (C) Andrew Tridgell 2001
7 : Copyright (C) Andrew Bartlett 2001-2003,2011
8 : Copyright (C) Simo Sorce 2010.
9 :
10 : This program is free software; you can redistribute it and/or modify
11 : it under the terms of the GNU General Public License as published by
12 : the Free Software Foundation; either version 3 of the License, or
13 : (at your option) any later version.
14 :
15 : This program is distributed in the hope that it will be useful,
16 : but WITHOUT ANY WARRANTY; without even the implied warranty of
17 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 : GNU General Public License for more details.
19 :
20 : You should have received a copy of the GNU General Public License
21 : along with this program. If not, see <http://www.gnu.org/licenses/>.
22 : */
23 :
24 : #include "includes.h"
25 : #include <tevent.h>
26 : #include "../lib/util/tevent_ntstatus.h"
27 : #include "auth.h"
28 : #include "../lib/tsocket/tsocket.h"
29 : #include "auth/gensec/gensec.h"
30 : #include "lib/param/param.h"
31 : #ifdef HAVE_KRB5
32 : #include "librpc/gen_ndr/ndr_krb5pac.h"
33 : #include "auth/kerberos/pac_utils.h"
34 : #include "nsswitch/libwbclient/wbclient.h"
35 : #endif
36 : #include "librpc/crypto/gse.h"
37 : #include "auth/credentials/credentials.h"
38 : #include "lib/param/loadparm.h"
39 : #include "librpc/gen_ndr/dcerpc.h"
40 : #include "source3/lib/substitute.h"
41 :
42 878 : static NTSTATUS generate_pac_session_info(
43 : TALLOC_CTX *mem_ctx,
44 : const char *princ_name,
45 : const char *rhost,
46 : DATA_BLOB *pac_blob,
47 : struct auth_session_info **psession_info)
48 : {
49 0 : NTSTATUS status;
50 878 : struct wbcAuthUserParams params = {0};
51 878 : struct wbcAuthUserInfo *info = NULL;
52 878 : struct wbcAuthErrorInfo *err = NULL;
53 878 : struct auth_serversupplied_info *server_info = NULL;
54 878 : char *original_user_name = NULL;
55 878 : char *p = NULL;
56 0 : wbcErr wbc_err;
57 :
58 : /*
59 : * Let winbind decode the PAC.
60 : * This will also store the user
61 : * data in the netsamlogon cache.
62 : *
63 : * This used to be a cache prime
64 : * optimization, but now we delegate
65 : * all logic to winbindd, as we require
66 : * winbindd as domain member anyway.
67 : */
68 878 : params.level = WBC_AUTH_USER_LEVEL_PAC;
69 878 : params.password.pac.data = pac_blob->data;
70 878 : params.password.pac.length = pac_blob->length;
71 :
72 : /* we are contacting the privileged pipe */
73 878 : become_root();
74 878 : wbc_err = wbcAuthenticateUserEx(¶ms, &info, &err);
75 878 : unbecome_root();
76 :
77 : /*
78 : * As this is merely a cache prime
79 : * WBC_ERR_WINBIND_NOT_AVAILABLE
80 : * is not a fatal error, treat it
81 : * as success.
82 : */
83 :
84 878 : switch (wbc_err) {
85 876 : case WBC_ERR_SUCCESS:
86 876 : break;
87 0 : case WBC_ERR_WINBIND_NOT_AVAILABLE:
88 0 : status = NT_STATUS_NO_LOGON_SERVERS;
89 0 : DBG_ERR("winbindd not running - "
90 : "but required as domain member: %s\n",
91 : nt_errstr(status));
92 2 : return status;
93 2 : case WBC_ERR_AUTH_ERROR:
94 2 : wbcFreeMemory(err);
95 2 : return NT_STATUS(err->nt_status);
96 0 : case WBC_ERR_NO_MEMORY:
97 0 : return NT_STATUS_NO_MEMORY;
98 0 : default:
99 0 : return NT_STATUS_LOGON_FAILURE;
100 : }
101 :
102 876 : status = make_server_info_wbcAuthUserInfo(mem_ctx,
103 876 : info->account_name,
104 876 : info->domain_name,
105 : info,
106 : &server_info);
107 876 : wbcFreeMemory(info);
108 876 : if (!NT_STATUS_IS_OK(status)) {
109 4 : DEBUG(10, ("make_server_info_wbcAuthUserInfo failed: %s\n",
110 : nt_errstr(status)));
111 4 : return status;
112 : }
113 :
114 : /* We skip doing this step if the caller asked us not to */
115 872 : if (!(server_info->guest)) {
116 872 : const char *unix_username = server_info->unix_name;
117 :
118 : /* We might not be root if we are an RPC call */
119 872 : become_root();
120 872 : status = smb_pam_accountcheck(unix_username, rhost);
121 872 : unbecome_root();
122 :
123 872 : if (!NT_STATUS_IS_OK(status)) {
124 0 : DEBUG(3, ("check_ntlm_password: PAM Account for user [%s] "
125 : "FAILED with error %s\n",
126 : unix_username, nt_errstr(status)));
127 0 : return status;
128 : }
129 :
130 872 : DEBUG(5, ("check_ntlm_password: PAM Account for user [%s] "
131 : "succeeded\n", unix_username));
132 : }
133 :
134 872 : DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
135 :
136 872 : p = strchr_m(princ_name, '@');
137 872 : if (!p) {
138 0 : DEBUG(3, ("[%s] Doesn't look like a valid principal\n",
139 : princ_name));
140 0 : return NT_STATUS_LOGON_FAILURE;
141 : }
142 :
143 872 : original_user_name = talloc_strndup(mem_ctx,
144 : princ_name,
145 872 : p - princ_name);
146 872 : if (original_user_name == NULL) {
147 0 : return NT_STATUS_NO_MEMORY;
148 : }
149 :
150 872 : status = create_local_token(
151 : mem_ctx, server_info, NULL, original_user_name, psession_info);
152 872 : if (!NT_STATUS_IS_OK(status)) {
153 0 : DEBUG(10, ("create_local_token failed: %s\n",
154 : nt_errstr(status)));
155 0 : return status;
156 : }
157 :
158 872 : return NT_STATUS_OK;
159 : }
160 :
161 0 : static NTSTATUS generate_krb5_session_info(
162 : TALLOC_CTX *mem_ctx,
163 : const char *princ_name,
164 : const char *rhost,
165 : DATA_BLOB *pac_blob,
166 : struct auth_session_info **psession_info)
167 : {
168 0 : bool is_mapped = false;
169 0 : bool is_guest = false;
170 0 : char *ntuser = NULL;
171 0 : char *ntdomain = NULL;
172 0 : char *username = NULL;
173 0 : struct passwd *pw = NULL;
174 0 : NTSTATUS status;
175 :
176 0 : if (pac_blob != NULL) {
177 0 : struct PAC_LOGON_NAME *logon_name = NULL;
178 0 : struct PAC_LOGON_INFO *logon_info = NULL;
179 0 : struct PAC_DATA *pac_data = NULL;
180 0 : enum ndr_err_code ndr_err;
181 0 : size_t i;
182 :
183 0 : pac_data = talloc_zero(mem_ctx, struct PAC_DATA);
184 0 : if (pac_data == NULL) {
185 0 : return NT_STATUS_NO_MEMORY;
186 : }
187 :
188 0 : ndr_err = ndr_pull_struct_blob(pac_blob,
189 : pac_data,
190 : pac_data,
191 : (ndr_pull_flags_fn_t)
192 : ndr_pull_PAC_DATA);
193 0 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
194 0 : status = ndr_map_error2ntstatus(ndr_err);
195 0 : DBG_ERR("Can't parse the PAC: %s\n", nt_errstr(status));
196 0 : return status;
197 : }
198 :
199 0 : if (pac_data->num_buffers < 4) {
200 0 : DBG_ERR("We expect at least 4 PAC buffers.\n");
201 0 : return NT_STATUS_INVALID_PARAMETER;
202 : }
203 :
204 0 : for (i = 0; i < pac_data->num_buffers; i++) {
205 0 : struct PAC_BUFFER *data_buf = &pac_data->buffers[i];
206 :
207 0 : switch (data_buf->type) {
208 0 : case PAC_TYPE_LOGON_NAME:
209 0 : logon_name = &data_buf->info->logon_name;
210 0 : break;
211 0 : case PAC_TYPE_LOGON_INFO:
212 0 : if (!data_buf->info) {
213 0 : break;
214 : }
215 0 : logon_info = data_buf->info->logon_info.info;
216 0 : break;
217 0 : default:
218 0 : break;
219 : }
220 : }
221 :
222 0 : if (logon_name == NULL) {
223 0 : TALLOC_FREE(pac_data);
224 0 : DBG_ERR("PAC without logon_name\n");
225 0 : return NT_STATUS_INVALID_PARAMETER;
226 : }
227 :
228 0 : if (logon_info != NULL) {
229 : /*
230 : * In standalone mode we don't expect a MS-PAC!
231 : * we only support MIT realms
232 : */
233 0 : TALLOC_FREE(pac_data);
234 0 : status = NT_STATUS_BAD_TOKEN_TYPE;
235 0 : DBG_WARNING("Unexpected PAC for [%s] in standalone mode - %s\n",
236 : princ_name, nt_errstr(status));
237 0 : return status;
238 : }
239 :
240 0 : TALLOC_FREE(pac_data);
241 : }
242 :
243 0 : status = get_user_from_kerberos_info(mem_ctx,
244 : rhost,
245 : princ_name,
246 : &is_mapped,
247 : &is_guest,
248 : &ntuser,
249 : &ntdomain,
250 : &username,
251 : &pw);
252 0 : if (!NT_STATUS_IS_OK(status)) {
253 0 : DBG_NOTICE("Failed to map kerberos principal to system user "
254 : "(%s)\n", nt_errstr(status));
255 0 : return NT_STATUS_ACCESS_DENIED;
256 : }
257 :
258 0 : status = make_session_info_krb5(mem_ctx,
259 : ntuser,
260 : ntdomain,
261 : username,
262 : pw,
263 : is_guest,
264 : is_mapped,
265 : psession_info);
266 0 : if (!NT_STATUS_IS_OK(status)) {
267 0 : DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
268 : nt_errstr(status)));
269 0 : status = nt_status_squash(status);
270 0 : return status;
271 : }
272 :
273 0 : return NT_STATUS_OK;
274 : }
275 :
276 878 : static NTSTATUS auth3_generate_session_info_pac(
277 : struct auth4_context *auth_ctx,
278 : TALLOC_CTX *mem_ctx,
279 : struct smb_krb5_context *smb_krb5_context,
280 : DATA_BLOB *pac_blob,
281 : const char *princ_name,
282 : const struct tsocket_address *remote_address,
283 : uint32_t session_info_flags,
284 : struct auth_session_info **psession_info)
285 : {
286 878 : enum server_role server_role = lp_server_role();
287 878 : struct auth_session_info *session_info = NULL;
288 0 : const char *rhost;
289 0 : NTSTATUS status;
290 878 : TALLOC_CTX *tmp_ctx = NULL;
291 :
292 878 : tmp_ctx = talloc_new(mem_ctx);
293 878 : if (tmp_ctx == NULL) {
294 0 : return NT_STATUS_NO_MEMORY;
295 : }
296 :
297 878 : if (tsocket_address_is_inet(remote_address, "ip")) {
298 878 : rhost = tsocket_address_inet_addr_string(remote_address,
299 : tmp_ctx);
300 878 : if (rhost == NULL) {
301 0 : status = NT_STATUS_NO_MEMORY;
302 0 : goto done;
303 : }
304 : } else {
305 0 : rhost = "127.0.0.1";
306 : }
307 :
308 878 : switch (server_role) {
309 878 : case ROLE_DOMAIN_MEMBER:
310 : case ROLE_DOMAIN_BDC:
311 : case ROLE_DOMAIN_PDC:
312 : case ROLE_ACTIVE_DIRECTORY_DC:
313 : case ROLE_IPA_DC:
314 : /* This requires a complete MS-PAC including logon_info */
315 878 : status = generate_pac_session_info(
316 : tmp_ctx, princ_name, rhost, pac_blob, &session_info);
317 878 : break;
318 0 : case ROLE_STANDALONE:
319 : /* This requires no PAC or a minimal PAC */
320 0 : status = generate_krb5_session_info(
321 : tmp_ctx, princ_name, rhost, pac_blob, &session_info);
322 0 : break;
323 0 : default:
324 0 : status = NT_STATUS_INVALID_PARAMETER;
325 0 : goto done;
326 : }
327 :
328 878 : if (!NT_STATUS_IS_OK(status)) {
329 6 : goto done;
330 : }
331 :
332 : /* setup the string used by %U */
333 872 : set_current_user_info(session_info->unix_info->sanitized_username,
334 872 : session_info->unix_info->unix_name,
335 872 : session_info->info->domain_name);
336 :
337 : /* reload services so that the new %U is taken into account */
338 872 : lp_load_with_shares(get_dyn_CONFIGFILE());
339 :
340 872 : DEBUG(5, (__location__ "OK: user: %s domain: %s client: %s\n",
341 : session_info->info->account_name,
342 : session_info->info->domain_name,
343 : rhost));
344 :
345 872 : *psession_info = talloc_move(mem_ctx, &session_info);
346 :
347 872 : status = NT_STATUS_OK;
348 878 : done:
349 878 : TALLOC_FREE(tmp_ctx);
350 878 : return status;
351 : }
352 :
353 78616 : static struct auth4_context *make_auth4_context_s3(TALLOC_CTX *mem_ctx, struct auth_context *auth_context)
354 : {
355 78616 : struct auth4_context *auth4_context = talloc_zero(mem_ctx, struct auth4_context);
356 78616 : if (auth4_context == NULL) {
357 0 : DEBUG(10, ("failed to allocate auth4_context failed\n"));
358 0 : return NULL;
359 : }
360 78616 : auth4_context->generate_session_info_pac = auth3_generate_session_info_pac;
361 78616 : auth4_context->generate_session_info = auth3_generate_session_info;
362 78616 : auth4_context->get_ntlm_challenge = auth3_get_challenge;
363 78616 : auth4_context->set_ntlm_challenge = auth3_set_challenge;
364 78616 : auth4_context->check_ntlm_password_send = auth3_check_password_send;
365 78616 : auth4_context->check_ntlm_password_recv = auth3_check_password_recv;
366 78616 : auth4_context->private_data = talloc_steal(auth4_context, auth_context);
367 78616 : return auth4_context;
368 : }
369 :
370 34177 : NTSTATUS make_auth4_context(TALLOC_CTX *mem_ctx, struct auth4_context **auth4_context_out)
371 : {
372 0 : struct auth_context *auth_context;
373 0 : NTSTATUS nt_status;
374 :
375 34177 : TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
376 34177 : NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
377 :
378 34177 : nt_status = make_auth3_context_for_ntlm(tmp_ctx, &auth_context);
379 34177 : if (!NT_STATUS_IS_OK(nt_status)) {
380 0 : TALLOC_FREE(tmp_ctx);
381 0 : return nt_status;
382 : }
383 :
384 34177 : if (auth_context->make_auth4_context) {
385 15472 : nt_status = auth_context->make_auth4_context(auth_context, mem_ctx, auth4_context_out);
386 15472 : TALLOC_FREE(tmp_ctx);
387 15472 : return nt_status;
388 :
389 : } else {
390 18705 : struct auth4_context *auth4_context = make_auth4_context_s3(tmp_ctx, auth_context);
391 18705 : if (auth4_context == NULL) {
392 0 : TALLOC_FREE(tmp_ctx);
393 0 : return NT_STATUS_NO_MEMORY;
394 : }
395 18705 : *auth4_context_out = talloc_steal(mem_ctx, auth4_context);
396 18705 : TALLOC_FREE(tmp_ctx);
397 18705 : return NT_STATUS_OK;
398 : }
399 : }
400 :
401 83936 : NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
402 : const struct tsocket_address *remote_address,
403 : const struct tsocket_address *local_address,
404 : const char *service_description,
405 : struct gensec_security **gensec_security_out)
406 : {
407 2131 : struct gensec_security *gensec_security;
408 83936 : struct auth_context *auth_context = NULL;
409 2131 : NTSTATUS nt_status;
410 :
411 83936 : TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
412 83936 : NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
413 :
414 83936 : nt_status = make_auth3_context_for_ntlm(tmp_ctx, &auth_context);
415 83936 : if (!NT_STATUS_IS_OK(nt_status)) {
416 0 : goto done;
417 : }
418 :
419 83936 : if (auth_context->prepare_gensec) {
420 24025 : nt_status = auth_context->prepare_gensec(auth_context, tmp_ctx,
421 : &gensec_security);
422 24025 : if (!NT_STATUS_IS_OK(nt_status)) {
423 0 : goto done;
424 : }
425 : } else {
426 59911 : const struct gensec_security_ops **backends = NULL;
427 0 : struct gensec_settings *gensec_settings;
428 0 : struct loadparm_context *lp_ctx;
429 59911 : size_t idx = 0;
430 0 : struct cli_credentials *server_credentials;
431 0 : const char *dns_name;
432 0 : const char *dns_domain;
433 0 : bool ok;
434 59911 : struct auth4_context *auth4_context = make_auth4_context_s3(tmp_ctx, auth_context);
435 59911 : if (auth4_context == NULL) {
436 0 : goto nomem;
437 : }
438 :
439 59911 : lp_ctx = loadparm_init_s3(tmp_ctx, loadparm_s3_helpers());
440 59911 : if (lp_ctx == NULL) {
441 0 : DEBUG(10, ("loadparm_init_s3 failed\n"));
442 0 : nt_status = NT_STATUS_INVALID_SERVER_STATE;
443 0 : goto done;
444 : }
445 :
446 59911 : gensec_settings = lpcfg_gensec_settings(tmp_ctx, lp_ctx);
447 59911 : if (lp_ctx == NULL) {
448 0 : DEBUG(10, ("lpcfg_gensec_settings failed\n"));
449 0 : goto nomem;
450 : }
451 :
452 : /*
453 : * This should be a 'netbios domain -> DNS domain'
454 : * mapping, and can currently validly return NULL on
455 : * poorly configured systems.
456 : *
457 : * This is used for the NTLMSSP server
458 : *
459 : */
460 59911 : dns_name = get_mydnsfullname();
461 59911 : if (dns_name == NULL) {
462 0 : dns_name = "";
463 : }
464 :
465 59911 : dns_domain = get_mydnsdomname(tmp_ctx);
466 59911 : if (dns_domain == NULL) {
467 0 : dns_domain = "";
468 : }
469 :
470 59911 : gensec_settings->server_dns_name = strlower_talloc(gensec_settings, dns_name);
471 59911 : if (gensec_settings->server_dns_name == NULL) {
472 0 : goto nomem;
473 : }
474 :
475 59911 : gensec_settings->server_dns_domain = strlower_talloc(gensec_settings, dns_domain);
476 59911 : if (gensec_settings->server_dns_domain == NULL) {
477 0 : goto nomem;
478 : }
479 :
480 59911 : backends = talloc_zero_array(gensec_settings,
481 : const struct gensec_security_ops *, 6);
482 59911 : if (backends == NULL) {
483 0 : goto nomem;
484 : }
485 59911 : gensec_settings->backends = backends;
486 :
487 59911 : gensec_init();
488 :
489 : /* These need to be in priority order, krb5 before NTLMSSP */
490 : #if defined(HAVE_KRB5)
491 59911 : backends[idx++] = gensec_gse_security_by_oid(
492 : GENSEC_OID_KERBEROS5);
493 : #endif
494 :
495 59911 : backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
496 :
497 59911 : backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
498 :
499 59911 : backends[idx++] = gensec_security_by_auth_type(NULL, DCERPC_AUTH_TYPE_SCHANNEL);
500 :
501 59911 : backends[idx++] = gensec_security_by_auth_type(NULL, DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM);
502 :
503 : /*
504 : * This is anonymous for now, because we just use it
505 : * to set the kerberos state at the moment
506 : */
507 59911 : server_credentials = cli_credentials_init_anon(tmp_ctx);
508 59911 : if (!server_credentials) {
509 0 : DEBUG(0, ("auth_generic_prepare: Failed to init server credentials\n"));
510 0 : goto nomem;
511 : }
512 :
513 59911 : ok = cli_credentials_set_conf(server_credentials, lp_ctx);
514 59911 : if (!ok) {
515 0 : DBG_ERR("Failed to set server credentials defaults "
516 : "from smb.conf.\n");
517 0 : goto nomem;
518 : }
519 :
520 59911 : if (lp_security() == SEC_ADS || USE_KERBEROS_KEYTAB) {
521 4455 : cli_credentials_set_kerberos_state(server_credentials,
522 : CRED_USE_KERBEROS_DESIRED,
523 : CRED_SPECIFIED);
524 : } else {
525 55456 : cli_credentials_set_kerberos_state(server_credentials,
526 : CRED_USE_KERBEROS_DISABLED,
527 : CRED_SPECIFIED);
528 : }
529 :
530 59911 : nt_status = gensec_server_start(tmp_ctx, gensec_settings,
531 : auth4_context, &gensec_security);
532 :
533 59911 : if (!NT_STATUS_IS_OK(nt_status)) {
534 0 : goto done;
535 : }
536 :
537 59911 : nt_status = gensec_set_credentials(
538 : gensec_security, server_credentials);
539 59911 : if (!NT_STATUS_IS_OK(nt_status)) {
540 0 : goto done;
541 : }
542 : }
543 :
544 83936 : nt_status = gensec_set_remote_address(gensec_security,
545 : remote_address);
546 83936 : if (!NT_STATUS_IS_OK(nt_status)) {
547 0 : goto done;
548 : }
549 :
550 83936 : nt_status = gensec_set_local_address(gensec_security,
551 : local_address);
552 83936 : if (!NT_STATUS_IS_OK(nt_status)) {
553 0 : goto done;
554 : }
555 :
556 83936 : nt_status = gensec_set_target_service_description(gensec_security,
557 : service_description);
558 83936 : if (!NT_STATUS_IS_OK(nt_status)) {
559 0 : goto done;
560 : }
561 :
562 83936 : *gensec_security_out = talloc_move(mem_ctx, &gensec_security);
563 83936 : nt_status = NT_STATUS_OK;
564 83936 : goto done;
565 0 : nomem:
566 0 : nt_status = NT_STATUS_NO_MEMORY;
567 83936 : done:
568 83936 : TALLOC_FREE(tmp_ctx);
569 83936 : return nt_status;
570 : }
571 :
572 : /*
573 : * Check a username and password, and return the final session_info.
574 : * We also log the authorization of the session here, just as
575 : * gensec_session_info() does.
576 : */
577 98 : NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context,
578 : TALLOC_CTX *mem_ctx,
579 : struct auth_usersupplied_info *user_info,
580 : struct auth_session_info **session_info)
581 : {
582 0 : NTSTATUS nt_status;
583 0 : void *server_info;
584 98 : uint8_t authoritative = 1;
585 98 : struct tevent_context *ev = NULL;
586 98 : struct tevent_req *subreq = NULL;
587 0 : bool ok;
588 :
589 98 : ev = samba_tevent_context_init(talloc_tos());
590 98 : if (ev == NULL) {
591 0 : return NT_STATUS_NO_MEMORY;
592 : }
593 :
594 98 : subreq = auth_context->check_ntlm_password_send(ev, ev,
595 : auth_context,
596 : user_info);
597 98 : if (subreq == NULL) {
598 0 : TALLOC_FREE(ev);
599 0 : return NT_STATUS_NO_MEMORY;
600 : }
601 98 : ok = tevent_req_poll_ntstatus(subreq, ev, &nt_status);
602 98 : if (!ok) {
603 0 : TALLOC_FREE(ev);
604 0 : return nt_status;
605 : }
606 98 : nt_status = auth_context->check_ntlm_password_recv(subreq,
607 : talloc_tos(),
608 : &authoritative,
609 : &server_info,
610 : NULL, NULL);
611 98 : TALLOC_FREE(ev);
612 98 : if (!NT_STATUS_IS_OK(nt_status)) {
613 2 : return nt_status;
614 : }
615 :
616 96 : nt_status = auth_context->generate_session_info(auth_context,
617 : mem_ctx,
618 : server_info,
619 : user_info->client.account_name,
620 : AUTH_SESSION_INFO_UNIX_TOKEN |
621 : AUTH_SESSION_INFO_DEFAULT_GROUPS |
622 : AUTH_SESSION_INFO_NTLM,
623 : session_info);
624 96 : TALLOC_FREE(server_info);
625 :
626 96 : if (!NT_STATUS_IS_OK(nt_status)) {
627 0 : return nt_status;
628 : }
629 :
630 : /*
631 : * This is rather redundant (the authentication has just been
632 : * logged, with much the same details), but because we want to
633 : * log all authorizations consistently (be they NLTM, NTLMSSP
634 : * or krb5) we log this info again as an authorization.
635 : */
636 96 : log_successful_authz_event(auth_context->msg_ctx,
637 : auth_context->lp_ctx,
638 : user_info->remote_host,
639 : user_info->local_host,
640 : user_info->service_description,
641 : user_info->auth_description,
642 : AUTHZ_TRANSPORT_PROTECTION_SMB,
643 : *session_info,
644 : NULL /* client_audit_info */,
645 : NULL /* server_audit_info */);
646 :
647 96 : return nt_status;
648 : }
|
