1 /*
2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Stefan Metzmacher 2005
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 */
24
25 #include "includes.h"
26 #include "auth/auth.h"
27 #include "libcli/security/security.h"
28 #include "libcli/auth/libcli_auth.h"
29 #include "dsdb/samdb/samdb.h"
30 #include "auth/credentials/credentials.h"
31 #include "auth/credentials/credentials_krb5.h"
32
33 /* this default function can be used by mostly all backends
34 * which don't want to set a challenge
35 */
auth_get_challenge_not_implemented(struct auth_method_context * ctx,TALLOC_CTX * mem_ctx,DATA_BLOB * challenge)36 NTSTATUS auth_get_challenge_not_implemented(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, DATA_BLOB *challenge)
37 {
38 /* we don't want to set a challenge */
39 return NT_STATUS_NOT_IMPLEMENTED;
40 }
41
42 /****************************************************************************
43 Create an auth_usersupplied_data structure after appropriate mapping.
44 ****************************************************************************/
45
map_user_info(TALLOC_CTX * mem_ctx,const struct auth_usersupplied_info * user_info,struct auth_usersupplied_info ** user_info_mapped)46 NTSTATUS map_user_info(TALLOC_CTX *mem_ctx,
47 const struct auth_usersupplied_info *user_info,
48 struct auth_usersupplied_info **user_info_mapped)
49 {
50 const char *domain;
51 char *account_name;
52 char *d;
53 DEBUG(5,("map_user_info: Mapping user [%s]\\[%s] from workstation [%s]\n",
54 user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
55
56 account_name = talloc_strdup(mem_ctx, user_info->client.account_name);
57 if (!account_name) {
58 return NT_STATUS_NO_MEMORY;
59 }
60
61 /* don't allow "" as a domain, fixes a Win9X bug
62 where it doens't supply a domain for logon script
63 'net use' commands. */
64
65 /* Split user@realm names into user and realm components. This is TODO to fix with proper userprincipalname support */
66 if (user_info->client.domain_name && *user_info->client.domain_name) {
67 domain = user_info->client.domain_name;
68 } else if (strchr_m(user_info->client.account_name, '@')) {
69 d = strchr_m(account_name, '@');
70 if (!d) {
71 return NT_STATUS_INTERNAL_ERROR;
72 }
73 d[0] = '\0';
74 d++;
75 domain = d;
76 } else {
77 domain = lp_workgroup();
78 }
79
80 *user_info_mapped = talloc(mem_ctx, struct auth_usersupplied_info);
81 if (!*user_info_mapped) {
82 return NT_STATUS_NO_MEMORY;
83 }
84 talloc_reference(*user_info_mapped, user_info);
85 **user_info_mapped = *user_info;
86 (*user_info_mapped)->mapped_state = True;
87 (*user_info_mapped)->mapped.domain_name = talloc_strdup(*user_info_mapped, domain);
88 (*user_info_mapped)->mapped.account_name = talloc_strdup(*user_info_mapped, account_name);
89 talloc_free(account_name);
90 if (!(*user_info_mapped)->mapped.domain_name
91 || !(*user_info_mapped)->mapped.account_name) {
92 return NT_STATUS_NO_MEMORY;
93 }
94
95 return NT_STATUS_OK;
96 }
97
98 /****************************************************************************
99 Create an auth_usersupplied_data structure after appropriate mapping.
100 ****************************************************************************/
101
encrypt_user_info(TALLOC_CTX * mem_ctx,struct auth_context * auth_context,enum auth_password_state to_state,const struct auth_usersupplied_info * user_info_in,const struct auth_usersupplied_info ** user_info_encrypted)102 NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth_context *auth_context,
103 enum auth_password_state to_state,
104 const struct auth_usersupplied_info *user_info_in,
105 const struct auth_usersupplied_info **user_info_encrypted)
106 {
107 NTSTATUS nt_status;
108 struct auth_usersupplied_info *user_info_temp;
109 switch (to_state) {
110 case AUTH_PASSWORD_RESPONSE:
111 switch (user_info_in->password_state) {
112 case AUTH_PASSWORD_PLAIN:
113 {
114 const struct auth_usersupplied_info *user_info_temp2;
115 nt_status = encrypt_user_info(mem_ctx, auth_context,
116 AUTH_PASSWORD_HASH,
117 user_info_in, &user_info_temp2);
118 if (!NT_STATUS_IS_OK(nt_status)) {
119 return nt_status;
120 }
121 user_info_in = user_info_temp2;
122 /* fall through */
123 }
124 case AUTH_PASSWORD_HASH:
125 {
126 const uint8_t *challenge;
127 DATA_BLOB chall_blob;
128 user_info_temp = talloc(mem_ctx, struct auth_usersupplied_info);
129 if (!user_info_temp) {
130 return NT_STATUS_NO_MEMORY;
131 }
132 talloc_reference(user_info_temp, user_info_in);
133 *user_info_temp = *user_info_in;
134 user_info_temp->mapped_state = to_state;
135
136 nt_status = auth_get_challenge(auth_context, &challenge);
137 if (!NT_STATUS_IS_OK(nt_status)) {
138 return nt_status;
139 }
140
141 chall_blob = data_blob_talloc(mem_ctx, challenge, 8);
142 if (lp_client_ntlmv2_auth()) {
143 DATA_BLOB names_blob = NTLMv2_generate_names_blob(mem_ctx, lp_netbios_name(), lp_workgroup());
144 DATA_BLOB lmv2_response, ntlmv2_response, lmv2_session_key, ntlmv2_session_key;
145
146 if (!SMBNTLMv2encrypt_hash(user_info_temp,
147 user_info_in->client.account_name,
148 user_info_in->client.domain_name,
149 user_info_in->password.hash.nt->hash, &chall_blob,
150 &names_blob,
151 &lmv2_response, &ntlmv2_response,
152 &lmv2_session_key, &ntlmv2_session_key)) {
153 data_blob_free(&names_blob);
154 return NT_STATUS_NO_MEMORY;
155 }
156 data_blob_free(&names_blob);
157 user_info_temp->password.response.lanman = lmv2_response;
158 user_info_temp->password.response.nt = ntlmv2_response;
159
160 data_blob_free(&lmv2_session_key);
161 data_blob_free(&ntlmv2_session_key);
162 } else {
163 DATA_BLOB blob = data_blob_talloc(mem_ctx, NULL, 24);
164 SMBOWFencrypt(user_info_in->password.hash.nt->hash, challenge, blob.data);
165
166 user_info_temp->password.response.nt = blob;
167 if (lp_client_lanman_auth() && user_info_in->password.hash.lanman) {
168 DATA_BLOB lm_blob = data_blob_talloc(mem_ctx, NULL, 24);
169 SMBOWFencrypt(user_info_in->password.hash.lanman->hash, challenge, blob.data);
170 user_info_temp->password.response.lanman = lm_blob;
171 } else {
172 /* if not sending the LM password, send the NT password twice */
173 user_info_temp->password.response.lanman = user_info_temp->password.response.nt;
174 }
175 }
176
177 user_info_in = user_info_temp;
178 /* fall through */
179 }
180 case AUTH_PASSWORD_RESPONSE:
181 *user_info_encrypted = user_info_in;
182 }
183 break;
184 case AUTH_PASSWORD_HASH:
185 {
186 switch (user_info_in->password_state) {
187 case AUTH_PASSWORD_PLAIN:
188 {
189 struct samr_Password lanman;
190 struct samr_Password nt;
191
192 user_info_temp = talloc(mem_ctx, struct auth_usersupplied_info);
193 if (!user_info_temp) {
194 return NT_STATUS_NO_MEMORY;
195 }
196 talloc_reference(user_info_temp, user_info_in);
197 *user_info_temp = *user_info_in;
198 user_info_temp->mapped_state = to_state;
199
200 if (E_deshash(user_info_in->password.plaintext, lanman.hash)) {
201 user_info_temp->password.hash.lanman = talloc(user_info_temp,
202 struct samr_Password);
203 *user_info_temp->password.hash.lanman = lanman;
204 } else {
205 user_info_temp->password.hash.lanman = NULL;
206 }
207
208 E_md4hash(user_info_in->password.plaintext, nt.hash);
209 user_info_temp->password.hash.nt = talloc(user_info_temp,
210 struct samr_Password);
211 *user_info_temp->password.hash.nt = nt;
212
213 user_info_in = user_info_temp;
214 /* fall through */
215 }
216 case AUTH_PASSWORD_HASH:
217 *user_info_encrypted = user_info_in;
218 break;
219 default:
220 return NT_STATUS_INVALID_PARAMETER;
221 break;
222 }
223 break;
224 }
225 default:
226 return NT_STATUS_INVALID_PARAMETER;
227 }
228
229 return NT_STATUS_OK;
230 }
231
232 /***************************************************************************
233 Make a server_info struct from the info3 returned by a domain logon
234 ***************************************************************************/
make_server_info_netlogon_validation(TALLOC_CTX * mem_ctx,const char * account_name,uint16_t validation_level,union netr_Validation * validation,struct auth_serversupplied_info ** _server_info)235 NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx,
236 const char *account_name,
237 uint16_t validation_level,
238 union netr_Validation *validation,
239 struct auth_serversupplied_info **_server_info)
240 {
241 struct auth_serversupplied_info *server_info;
242 struct netr_SamBaseInfo *base = NULL;
243 int i;
244
245 switch (validation_level) {
246 case 2:
247 if (!validation || !validation->sam2) {
248 return NT_STATUS_INVALID_PARAMETER;
249 }
250 base = &validation->sam2->base;
251 break;
252 case 3:
253 if (!validation || !validation->sam3) {
254 return NT_STATUS_INVALID_PARAMETER;
255 }
256 base = &validation->sam3->base;
257 break;
258 case 6:
259 if (!validation || !validation->sam6) {
260 return NT_STATUS_INVALID_PARAMETER;
261 }
262 base = &validation->sam6->base;
263 break;
264 default:
265 return NT_STATUS_INVALID_LEVEL;
266 }
267
268 server_info = talloc(mem_ctx, struct auth_serversupplied_info);
269 NT_STATUS_HAVE_NO_MEMORY(server_info);
270
271 /*
272 Here is where we should check the list of
273 trusted domains, and verify that the SID
274 matches.
275 */
276 server_info->account_sid = dom_sid_add_rid(server_info, base->domain_sid, base->rid);
277 NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
278
279
280 server_info->primary_group_sid = dom_sid_add_rid(server_info, base->domain_sid, base->primary_gid);
281 NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
282
283 server_info->n_domain_groups = base->groups.count;
284 if (base->groups.count) {
285 server_info->domain_groups = talloc_array(server_info, struct dom_sid*, base->groups.count);
286 NT_STATUS_HAVE_NO_MEMORY(server_info->domain_groups);
287 } else {
288 server_info->domain_groups = NULL;
289 }
290
291 for (i = 0; i < base->groups.count; i++) {
292 server_info->domain_groups[i] = dom_sid_add_rid(server_info, base->domain_sid, base->groups.rids[i].rid);
293 NT_STATUS_HAVE_NO_MEMORY(server_info->domain_groups[i]);
294 }
295
296 /* Copy 'other' sids. We need to do sid filtering here to
297 prevent possible elevation of privileges. See:
298
299 http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
300 */
301
302 if (validation_level == 3) {
303 struct dom_sid **dgrps = server_info->domain_groups;
304 size_t sidcount = server_info->n_domain_groups + validation->sam3->sidcount;
305 size_t n_dgrps = server_info->n_domain_groups;
306
307 if (validation->sam3->sidcount > 0) {
308 dgrps = talloc_realloc(server_info, dgrps, struct dom_sid*, sidcount);
309 NT_STATUS_HAVE_NO_MEMORY(dgrps);
310
311 for (i = 0; i < validation->sam3->sidcount; i++) {
312 dgrps[n_dgrps + i] = talloc_reference(dgrps, validation->sam3->sids[i].sid);
313 }
314 }
315
316 server_info->n_domain_groups = sidcount;
317 server_info->domain_groups = dgrps;
318
319 /* Where are the 'global' sids?... */
320 }
321
322 if (base->account_name.string) {
323 server_info->account_name = talloc_reference(server_info, base->account_name.string);
324 } else {
325 server_info->account_name = talloc_strdup(server_info, account_name);
326 NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
327 }
328
329 server_info->domain_name = talloc_reference(server_info, base->domain.string);
330 server_info->full_name = talloc_reference(server_info, base->full_name.string);
331 server_info->logon_script = talloc_reference(server_info, base->logon_script.string);
332 server_info->profile_path = talloc_reference(server_info, base->profile_path.string);
333 server_info->home_directory = talloc_reference(server_info, base->home_directory.string);
334 server_info->home_drive = talloc_reference(server_info, base->home_drive.string);
335 server_info->logon_server = talloc_reference(server_info, base->logon_server.string);
336 server_info->last_logon = base->last_logon;
337 server_info->last_logoff = base->last_logoff;
338 server_info->acct_expiry = base->acct_expiry;
339 server_info->last_password_change = base->last_password_change;
340 server_info->allow_password_change = base->allow_password_change;
341 server_info->force_password_change = base->force_password_change;
342 server_info->logon_count = base->logon_count;
343 server_info->bad_password_count = base->bad_password_count;
344 server_info->acct_flags = base->acct_flags;
345
346 server_info->authenticated = True;
347
348 /* ensure we are never given NULL session keys */
349
350 if (all_zero(base->key.key, sizeof(base->key.key))) {
351 server_info->user_session_key = data_blob(NULL, 0);
352 } else {
353 server_info->user_session_key = data_blob_talloc(server_info, base->key.key, sizeof(base->key.key));
354 NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
355 }
356
357 if (all_zero(base->LMSessKey.key, sizeof(base->LMSessKey.key))) {
358 server_info->lm_session_key = data_blob(NULL, 0);
359 } else {
360 server_info->lm_session_key = data_blob_talloc(server_info, base->LMSessKey.key, sizeof(base->LMSessKey.key));
361 NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
362 }
363
364 *_server_info = server_info;
365 return NT_STATUS_OK;
366 }
367
368
auth_anonymous_server_info(TALLOC_CTX * mem_ctx,struct auth_serversupplied_info ** _server_info)369 NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx, struct auth_serversupplied_info **_server_info)
370 {
371 struct auth_serversupplied_info *server_info;
372 server_info = talloc(mem_ctx, struct auth_serversupplied_info);
373 NT_STATUS_HAVE_NO_MEMORY(server_info);
374
375 server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
376 NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
377
378 /* is this correct? */
379 server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_BUILTIN_GUESTS);
380 NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
381
382 server_info->n_domain_groups = 0;
383 server_info->domain_groups = NULL;
384
385 /* annoying, but the Anonymous really does have a session key,
386 and it is all zeros! */
387 server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
388 NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
389
390 server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
391 NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
392
393 data_blob_clear(&server_info->user_session_key);
394 data_blob_clear(&server_info->lm_session_key);
395
396 server_info->account_name = talloc_strdup(server_info, "ANONYMOUS LOGON");
397 NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
398
399 server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY");
400 NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
401
402 server_info->full_name = talloc_strdup(server_info, "Anonymous Logon");
403 NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
404
405 server_info->logon_script = talloc_strdup(server_info, "");
406 NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
407
408 server_info->profile_path = talloc_strdup(server_info, "");
409 NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
410
411 server_info->home_directory = talloc_strdup(server_info, "");
412 NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
413
414 server_info->home_drive = talloc_strdup(server_info, "");
415 NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
416
417 server_info->logon_server = talloc_strdup(server_info, lp_netbios_name());
418 NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
419
420 server_info->last_logon = 0;
421 server_info->last_logoff = 0;
422 server_info->acct_expiry = 0;
423 server_info->last_password_change = 0;
424 server_info->allow_password_change = 0;
425 server_info->force_password_change = 0;
426
427 server_info->logon_count = 0;
428 server_info->bad_password_count = 0;
429
430 server_info->acct_flags = ACB_NORMAL;
431
432 server_info->authenticated = False;
433
434 *_server_info = server_info;
435
436 return NT_STATUS_OK;
437 }
438
auth_system_server_info(TALLOC_CTX * mem_ctx,struct auth_serversupplied_info ** _server_info)439 NTSTATUS auth_system_server_info(TALLOC_CTX *mem_ctx, struct auth_serversupplied_info **_server_info)
440 {
441 struct auth_serversupplied_info *server_info;
442 server_info = talloc(mem_ctx, struct auth_serversupplied_info);
443 NT_STATUS_HAVE_NO_MEMORY(server_info);
444
445 server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_SYSTEM);
446 NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
447
448 /* is this correct? */
449 server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_BUILTIN_ADMINISTRATORS);
450 NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
451
452 server_info->n_domain_groups = 0;
453 server_info->domain_groups = NULL;
454
455 /* annoying, but the Anonymous really does have a session key,
456 and it is all zeros! */
457 server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
458 NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
459
460 server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
461 NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
462
463 data_blob_clear(&server_info->user_session_key);
464 data_blob_clear(&server_info->lm_session_key);
465
466 server_info->account_name = talloc_strdup(server_info, "SYSTEM");
467 NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
468
469 server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY");
470 NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
471
472 server_info->full_name = talloc_strdup(server_info, "System");
473 NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
474
475 server_info->logon_script = talloc_strdup(server_info, "");
476 NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
477
478 server_info->profile_path = talloc_strdup(server_info, "");
479 NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
480
481 server_info->home_directory = talloc_strdup(server_info, "");
482 NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
483
484 server_info->home_drive = talloc_strdup(server_info, "");
485 NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
486
487 server_info->logon_server = talloc_strdup(server_info, lp_netbios_name());
488 NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
489
490 server_info->last_logon = 0;
491 server_info->last_logoff = 0;
492 server_info->acct_expiry = 0;
493 server_info->last_password_change = 0;
494 server_info->allow_password_change = 0;
495 server_info->force_password_change = 0;
496
497 server_info->logon_count = 0;
498 server_info->bad_password_count = 0;
499
500 server_info->acct_flags = ACB_NORMAL;
501
502 server_info->authenticated = True;
503
504 *_server_info = server_info;
505
506 return NT_STATUS_OK;
507 }
508
auth_generate_session_info(TALLOC_CTX * mem_ctx,struct auth_serversupplied_info * server_info,struct auth_session_info ** _session_info)509 NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
510 struct auth_serversupplied_info *server_info,
511 struct auth_session_info **_session_info)
512 {
513 struct auth_session_info *session_info;
514 NTSTATUS nt_status;
515
516 session_info = talloc(mem_ctx, struct auth_session_info);
517 NT_STATUS_HAVE_NO_MEMORY(session_info);
518
519 session_info->server_info = talloc_reference(session_info, server_info);
520
521 /* unless set otherwise, the session key is the user session
522 * key from the auth subsystem */
523 session_info->session_key = server_info->user_session_key;
524
525 nt_status = security_token_create(session_info,
526 server_info->account_sid,
527 server_info->primary_group_sid,
528 server_info->n_domain_groups,
529 server_info->domain_groups,
530 server_info->authenticated,
531 &session_info->security_token);
532 NT_STATUS_NOT_OK_RETURN(nt_status);
533
534 session_info->credentials = NULL;
535
536 *_session_info = session_info;
537 return NT_STATUS_OK;
538 }
539
auth_anonymous_session_info(TALLOC_CTX * parent_ctx,struct auth_session_info ** _session_info)540 NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
541 struct auth_session_info **_session_info)
542 {
543 NTSTATUS nt_status;
544 struct auth_serversupplied_info *server_info = NULL;
545 struct auth_session_info *session_info = NULL;
546 TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
547
548 nt_status = auth_anonymous_server_info(mem_ctx,
549 &server_info);
550 if (!NT_STATUS_IS_OK(nt_status)) {
551 talloc_free(mem_ctx);
552 return nt_status;
553 }
554
555 /* references the server_info into the session_info */
556 nt_status = auth_generate_session_info(parent_ctx, server_info, &session_info);
557 talloc_free(mem_ctx);
558
559 NT_STATUS_NOT_OK_RETURN(nt_status);
560
561 session_info->credentials = cli_credentials_init(session_info);
562 if (!session_info->credentials) {
563 return NT_STATUS_NO_MEMORY;
564 }
565
566 cli_credentials_set_conf(session_info->credentials);
567 cli_credentials_set_anonymous(session_info->credentials);
568
569 *_session_info = session_info;
570
571 return NT_STATUS_OK;
572 }
573
anonymous_session(TALLOC_CTX * mem_ctx)574 struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx)
575 {
576 NTSTATUS nt_status;
577 struct auth_session_info *session_info = NULL;
578 nt_status = auth_anonymous_session_info(mem_ctx, &session_info);
579 if (!NT_STATUS_IS_OK(nt_status)) {
580 return NULL;
581 }
582 return session_info;
583 }
584
auth_system_session_info(TALLOC_CTX * parent_ctx,struct auth_session_info ** _session_info)585 NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
586 struct auth_session_info **_session_info)
587 {
588 NTSTATUS nt_status;
589 struct auth_serversupplied_info *server_info = NULL;
590 struct auth_session_info *session_info = NULL;
591 TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
592
593 nt_status = auth_system_server_info(mem_ctx,
594 &server_info);
595 if (!NT_STATUS_IS_OK(nt_status)) {
596 talloc_free(mem_ctx);
597 return nt_status;
598 }
599
600 /* references the server_info into the session_info */
601 nt_status = auth_generate_session_info(parent_ctx, server_info, &session_info);
602 talloc_free(mem_ctx);
603
604 NT_STATUS_NOT_OK_RETURN(nt_status);
605
606 session_info->credentials = cli_credentials_init(session_info);
607 if (!session_info->credentials) {
608 return NT_STATUS_NO_MEMORY;
609 }
610
611 cli_credentials_set_conf(session_info->credentials);
612
613 if (lp_parm_bool(-1,"system","anonymous", False)) {
614 cli_credentials_set_anonymous(session_info->credentials);
615 } else {
616 cli_credentials_set_machine_account_pending(session_info->credentials);
617 }
618 *_session_info = session_info;
619
620 return NT_STATUS_OK;
621 }
622
system_session(TALLOC_CTX * mem_ctx)623 _PUBLIC_ struct auth_session_info *system_session(TALLOC_CTX *mem_ctx)
624 {
625 NTSTATUS nt_status;
626 struct auth_session_info *session_info = NULL;
627 nt_status = auth_system_session_info(mem_ctx, &session_info);
628 if (!NT_STATUS_IS_OK(nt_status)) {
629 return NULL;
630 }
631 return session_info;
632 }
633
634 /****************************************************************************
635 prints a struct auth_session_info security token to debug output.
636 ****************************************************************************/
auth_session_info_debug(int dbg_lev,const struct auth_session_info * session_info)637 void auth_session_info_debug(int dbg_lev,
638 const struct auth_session_info *session_info)
639 {
640 if (!session_info) {
641 DEBUG(dbg_lev, ("Session Info: (NULL)\n"));
642 return;
643 }
644
645 security_token_debug(dbg_lev, session_info->security_token);
646 }
647
648 /**
649 * Squash an NT_STATUS in line with security requirements.
650 * In an attempt to avoid giving the whole game away when users
651 * are authenticating, NT replaces both NT_STATUS_NO_SUCH_USER and
652 * NT_STATUS_WRONG_PASSWORD with NT_STATUS_LOGON_FAILURE in certain situations
653 * (session setups in particular).
654 *
655 * @param nt_status NTSTATUS input for squashing.
656 * @return the 'squashed' nt_status
657 **/
auth_nt_status_squash(NTSTATUS nt_status)658 NTSTATUS auth_nt_status_squash(NTSTATUS nt_status)
659 {
660 if NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) {
661 /* Match WinXP and don't give the game away */
662 return NT_STATUS_LOGON_FAILURE;
663 } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) {
664 /* Match WinXP and don't give the game away */
665 return NT_STATUS_LOGON_FAILURE;
666 }
667
668 return nt_status;
669 }
670