Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 : Authentication utility functions
4 : Copyright (C) Andrew Tridgell 1992-1998
5 : Copyright (C) Andrew Bartlett 2001-2010
6 : Copyright (C) Jeremy Allison 2000-2001
7 : Copyright (C) Rafal Szczesniak 2002
8 : Copyright (C) Stefan Metzmacher 2005
9 :
10 : This program is free software; you can redistribute it and/or modify
11 : it under the terms of the GNU General Public License as published by
12 : the Free Software Foundation; either version 3 of the License, or
13 : (at your option) any later version.
14 :
15 : This program is distributed in the hope that it will be useful,
16 : but WITHOUT ANY WARRANTY; without even the implied warranty of
17 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 : GNU General Public License for more details.
19 :
20 : You should have received a copy of the GNU General Public License
21 : along with this program. If not, see <http://www.gnu.org/licenses/>.
22 : */
23 :
24 : #include "includes.h"
25 : #include "libcli/security/security.h"
26 : #include "auth/credentials/credentials.h"
27 : #include "param/param.h"
28 : #include "auth/auth.h" /* for auth_user_info_dc */
29 : #include "auth/session.h"
30 : #include "auth/system_session_proto.h"
31 :
32 : #undef DBGC_CLASS
33 : #define DBGC_CLASS DBGC_AUTH
34 :
35 : /*
36 : prevent the static system session being freed
37 : */
38 0 : static int system_session_destructor(struct auth_session_info *info)
39 : {
40 0 : return -1;
41 : }
42 :
43 : /* Create a security token for a session SYSTEM (the most
44 : * trusted/privileged account), including the local machine account as
45 : * the off-host credentials
46 : */
47 131348 : _PUBLIC_ struct auth_session_info *system_session(struct loadparm_context *lp_ctx)
48 : {
49 : static struct auth_session_info *static_session;
50 : NTSTATUS nt_status;
51 :
52 131348 : if (static_session) {
53 127336 : return static_session;
54 : }
55 :
56 : /*
57 : * Use NULL here, not the autofree context for this
58 : * static pointer. The destructor prevents freeing this
59 : * memory anyway.
60 : */
61 4012 : nt_status = auth_system_session_info(NULL,
62 : lp_ctx,
63 : &static_session);
64 4012 : if (!NT_STATUS_IS_OK(nt_status)) {
65 2 : TALLOC_FREE(static_session);
66 2 : return NULL;
67 : }
68 4010 : talloc_set_destructor(static_session, system_session_destructor);
69 4010 : return static_session;
70 : }
71 :
72 4012 : NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
73 : struct loadparm_context *lp_ctx,
74 : struct auth_session_info **_session_info)
75 : {
76 : NTSTATUS nt_status;
77 4012 : struct auth_user_info_dc *user_info_dc = NULL;
78 4012 : struct auth_session_info *session_info = NULL;
79 4012 : TALLOC_CTX *mem_ctx = NULL;
80 : bool ok;
81 :
82 4012 : mem_ctx = talloc_new(parent_ctx);
83 4012 : if (mem_ctx == NULL) {
84 0 : return NT_STATUS_NO_MEMORY;
85 : }
86 :
87 4012 : nt_status = auth_system_user_info_dc(mem_ctx, lpcfg_netbios_name(lp_ctx),
88 : &user_info_dc);
89 4012 : if (!NT_STATUS_IS_OK(nt_status)) {
90 2 : talloc_free(mem_ctx);
91 2 : return nt_status;
92 : }
93 :
94 : /* references the user_info_dc into the session_info */
95 4010 : nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, user_info_dc, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
96 4010 : talloc_free(mem_ctx);
97 :
98 4010 : NT_STATUS_NOT_OK_RETURN(nt_status);
99 :
100 4010 : session_info->credentials = cli_credentials_init(session_info);
101 4010 : if (!session_info->credentials) {
102 0 : return NT_STATUS_NO_MEMORY;
103 : }
104 :
105 4010 : ok = cli_credentials_set_conf(session_info->credentials, lp_ctx);
106 4010 : if (!ok) {
107 0 : return NT_STATUS_INTERNAL_ERROR;
108 : }
109 :
110 4010 : cli_credentials_set_machine_account_pending(session_info->credentials, lp_ctx);
111 4010 : *_session_info = session_info;
112 :
113 4010 : return NT_STATUS_OK;
114 : }
115 :
116 4634 : NTSTATUS auth_system_user_info_dc(TALLOC_CTX *mem_ctx, const char *netbios_name,
117 : struct auth_user_info_dc **_user_info_dc)
118 : {
119 : struct auth_user_info_dc *user_info_dc;
120 : struct auth_user_info *info;
121 :
122 4634 : user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc);
123 4634 : NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
124 :
125 : /* This returns a pointer to a struct dom_sid, which is the
126 : * same as a 1 element list of struct dom_sid */
127 4634 : user_info_dc->num_sids = 1;
128 4634 : user_info_dc->sids = dom_sid_dup(user_info_dc, &global_sid_System);
129 4634 : NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
130 :
131 : /* annoying, but the Anonymous really does have a session key,
132 : and it is all zeros! */
133 4634 : user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
134 4634 : NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
135 :
136 4634 : user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
137 4634 : NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
138 :
139 4634 : data_blob_clear(&user_info_dc->user_session_key);
140 4634 : data_blob_clear(&user_info_dc->lm_session_key);
141 :
142 4634 : user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
143 4634 : NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
144 :
145 4634 : info->account_name = talloc_strdup(info, "SYSTEM");
146 4634 : NT_STATUS_HAVE_NO_MEMORY(info->account_name);
147 :
148 4634 : info->domain_name = talloc_strdup(info, "NT AUTHORITY");
149 4634 : NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
150 :
151 4634 : info->full_name = talloc_strdup(info, "System");
152 4634 : NT_STATUS_HAVE_NO_MEMORY(info->full_name);
153 :
154 4634 : info->logon_script = talloc_strdup(info, "");
155 4634 : NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
156 :
157 4634 : info->profile_path = talloc_strdup(info, "");
158 4634 : NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
159 :
160 4634 : info->home_directory = talloc_strdup(info, "");
161 4634 : NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
162 :
163 4634 : info->home_drive = talloc_strdup(info, "");
164 4634 : NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
165 :
166 4634 : info->logon_server = talloc_strdup(info, netbios_name);
167 4634 : NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
168 :
169 4632 : info->last_logon = 0;
170 4632 : info->last_logoff = 0;
171 4632 : info->acct_expiry = 0;
172 4632 : info->last_password_change = 0;
173 4632 : info->allow_password_change = 0;
174 4632 : info->force_password_change = 0;
175 :
176 4632 : info->logon_count = 0;
177 4632 : info->bad_password_count = 0;
178 :
179 4632 : info->acct_flags = ACB_NORMAL;
180 :
181 4632 : info->authenticated = true;
182 :
183 4632 : *_user_info_dc = user_info_dc;
184 :
185 4632 : return NT_STATUS_OK;
186 : }
187 :
188 :
189 391 : static NTSTATUS auth_domain_admin_user_info_dc(TALLOC_CTX *mem_ctx,
190 : const char *netbios_name,
191 : const char *domain_name,
192 : struct dom_sid *domain_sid,
193 : struct auth_user_info_dc **_user_info_dc)
194 : {
195 : struct auth_user_info_dc *user_info_dc;
196 : struct auth_user_info *info;
197 :
198 391 : user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc);
199 391 : NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
200 :
201 391 : user_info_dc->num_sids = 7;
202 391 : user_info_dc->sids = talloc_array(user_info_dc, struct dom_sid, user_info_dc->num_sids);
203 :
204 391 : user_info_dc->sids[PRIMARY_USER_SID_INDEX] = *domain_sid;
205 391 : sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_ADMINISTRATOR);
206 :
207 391 : user_info_dc->sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid;
208 391 : sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX], DOMAIN_RID_USERS);
209 :
210 391 : user_info_dc->sids[2] = global_sid_Builtin_Administrators;
211 :
212 391 : user_info_dc->sids[3] = *domain_sid;
213 391 : sid_append_rid(&user_info_dc->sids[3], DOMAIN_RID_ADMINS);
214 391 : user_info_dc->sids[4] = *domain_sid;
215 391 : sid_append_rid(&user_info_dc->sids[4], DOMAIN_RID_ENTERPRISE_ADMINS);
216 391 : user_info_dc->sids[5] = *domain_sid;
217 391 : sid_append_rid(&user_info_dc->sids[5], DOMAIN_RID_POLICY_ADMINS);
218 391 : user_info_dc->sids[6] = *domain_sid;
219 391 : sid_append_rid(&user_info_dc->sids[6], DOMAIN_RID_SCHEMA_ADMINS);
220 :
221 : /* What should the session key be?*/
222 391 : user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
223 391 : NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
224 :
225 391 : user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
226 391 : NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
227 :
228 391 : data_blob_clear(&user_info_dc->user_session_key);
229 391 : data_blob_clear(&user_info_dc->lm_session_key);
230 :
231 391 : user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
232 391 : NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
233 :
234 391 : info->account_name = talloc_strdup(info, "Administrator");
235 391 : NT_STATUS_HAVE_NO_MEMORY(info->account_name);
236 :
237 391 : info->domain_name = talloc_strdup(info, domain_name);
238 391 : NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
239 :
240 391 : info->full_name = talloc_strdup(info, "Administrator");
241 391 : NT_STATUS_HAVE_NO_MEMORY(info->full_name);
242 :
243 391 : info->logon_script = talloc_strdup(info, "");
244 391 : NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
245 :
246 391 : info->profile_path = talloc_strdup(info, "");
247 391 : NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
248 :
249 391 : info->home_directory = talloc_strdup(info, "");
250 391 : NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
251 :
252 391 : info->home_drive = talloc_strdup(info, "");
253 391 : NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
254 :
255 391 : info->logon_server = talloc_strdup(info, netbios_name);
256 391 : NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
257 :
258 391 : info->last_logon = 0;
259 391 : info->last_logoff = 0;
260 391 : info->acct_expiry = 0;
261 391 : info->last_password_change = 0;
262 391 : info->allow_password_change = 0;
263 391 : info->force_password_change = 0;
264 :
265 391 : info->logon_count = 0;
266 391 : info->bad_password_count = 0;
267 :
268 391 : info->acct_flags = ACB_NORMAL;
269 :
270 391 : info->authenticated = true;
271 :
272 391 : *_user_info_dc = user_info_dc;
273 :
274 391 : return NT_STATUS_OK;
275 : }
276 :
277 391 : static NTSTATUS auth_domain_admin_session_info(TALLOC_CTX *parent_ctx,
278 : struct loadparm_context *lp_ctx,
279 : struct dom_sid *domain_sid,
280 : struct auth_session_info **session_info)
281 : {
282 : NTSTATUS nt_status;
283 391 : struct auth_user_info_dc *user_info_dc = NULL;
284 391 : TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
285 :
286 391 : NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
287 :
288 391 : nt_status = auth_domain_admin_user_info_dc(mem_ctx, lpcfg_netbios_name(lp_ctx),
289 : lpcfg_workgroup(lp_ctx), domain_sid,
290 : &user_info_dc);
291 391 : if (!NT_STATUS_IS_OK(nt_status)) {
292 0 : talloc_free(mem_ctx);
293 0 : return nt_status;
294 : }
295 :
296 391 : nt_status = auth_generate_session_info(mem_ctx, NULL, NULL, user_info_dc,
297 : AUTH_SESSION_INFO_SIMPLE_PRIVILEGES|AUTH_SESSION_INFO_AUTHENTICATED|AUTH_SESSION_INFO_DEFAULT_GROUPS,
298 : session_info);
299 : /* There is already a reference between the sesion_info and user_info_dc */
300 391 : if (NT_STATUS_IS_OK(nt_status)) {
301 391 : talloc_steal(parent_ctx, *session_info);
302 : }
303 391 : talloc_free(mem_ctx);
304 391 : return nt_status;
305 : }
306 :
307 391 : _PUBLIC_ struct auth_session_info *admin_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct dom_sid *domain_sid)
308 : {
309 : NTSTATUS nt_status;
310 391 : struct auth_session_info *session_info = NULL;
311 391 : nt_status = auth_domain_admin_session_info(mem_ctx,
312 : lp_ctx,
313 : domain_sid,
314 : &session_info);
315 391 : if (!NT_STATUS_IS_OK(nt_status)) {
316 0 : return NULL;
317 : }
318 391 : return session_info;
319 : }
320 :
321 31084 : _PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
322 : struct loadparm_context *lp_ctx,
323 : struct auth_session_info **_session_info)
324 : {
325 : NTSTATUS nt_status;
326 31084 : struct auth_user_info_dc *user_info_dc = NULL;
327 31084 : struct auth_session_info *session_info = NULL;
328 31084 : TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
329 : bool ok;
330 :
331 31084 : nt_status = auth_anonymous_user_info_dc(mem_ctx,
332 : lpcfg_netbios_name(lp_ctx),
333 : &user_info_dc);
334 31084 : if (!NT_STATUS_IS_OK(nt_status)) {
335 0 : talloc_free(mem_ctx);
336 0 : return nt_status;
337 : }
338 :
339 : /* references the user_info_dc into the session_info */
340 31084 : nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, user_info_dc, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
341 31084 : talloc_free(mem_ctx);
342 :
343 31084 : NT_STATUS_NOT_OK_RETURN(nt_status);
344 :
345 31084 : session_info->credentials = cli_credentials_init(session_info);
346 31084 : if (!session_info->credentials) {
347 0 : return NT_STATUS_NO_MEMORY;
348 : }
349 :
350 31084 : ok = cli_credentials_set_conf(session_info->credentials, lp_ctx);
351 31084 : if (!ok) {
352 0 : return NT_STATUS_INTERNAL_ERROR;
353 : }
354 31084 : cli_credentials_set_anonymous(session_info->credentials);
355 :
356 31084 : *_session_info = session_info;
357 :
358 31084 : return NT_STATUS_OK;
359 : }
360 :
361 32717 : _PUBLIC_ NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx,
362 : const char *netbios_name,
363 : struct auth_user_info_dc **_user_info_dc)
364 : {
365 : struct auth_user_info_dc *user_info_dc;
366 : struct auth_user_info *info;
367 32717 : user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc);
368 32717 : NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
369 :
370 : /* This returns a pointer to a struct dom_sid, which is the
371 : * same as a 1 element list of struct dom_sid */
372 32717 : user_info_dc->num_sids = 1;
373 32717 : user_info_dc->sids = dom_sid_dup(user_info_dc, &global_sid_Anonymous);
374 32717 : NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
375 :
376 : /* annoying, but the Anonymous really does have a session key... */
377 32717 : user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
378 32717 : NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
379 :
380 32717 : user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
381 32717 : NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
382 :
383 : /* and it is all zeros! */
384 32717 : data_blob_clear(&user_info_dc->user_session_key);
385 32717 : data_blob_clear(&user_info_dc->lm_session_key);
386 :
387 32717 : user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
388 32717 : NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
389 :
390 32717 : info->account_name = talloc_strdup(info, "ANONYMOUS LOGON");
391 32717 : NT_STATUS_HAVE_NO_MEMORY(info->account_name);
392 :
393 32717 : info->domain_name = talloc_strdup(info, "NT AUTHORITY");
394 32717 : NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
395 :
396 32717 : info->full_name = talloc_strdup(info, "Anonymous Logon");
397 32717 : NT_STATUS_HAVE_NO_MEMORY(info->full_name);
398 :
399 32717 : info->logon_script = talloc_strdup(info, "");
400 32717 : NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
401 :
402 32717 : info->profile_path = talloc_strdup(info, "");
403 32717 : NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
404 :
405 32717 : info->home_directory = talloc_strdup(info, "");
406 32717 : NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
407 :
408 32717 : info->home_drive = talloc_strdup(info, "");
409 32717 : NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
410 :
411 32717 : info->logon_server = talloc_strdup(info, netbios_name);
412 32717 : NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
413 :
414 32717 : info->last_logon = 0;
415 32717 : info->last_logoff = 0;
416 32717 : info->acct_expiry = 0;
417 32717 : info->last_password_change = 0;
418 32717 : info->allow_password_change = 0;
419 32717 : info->force_password_change = 0;
420 :
421 32717 : info->logon_count = 0;
422 32717 : info->bad_password_count = 0;
423 :
424 32717 : info->acct_flags = ACB_NORMAL;
425 :
426 32717 : info->authenticated = false;
427 :
428 32717 : *_user_info_dc = user_info_dc;
429 :
430 32717 : return NT_STATUS_OK;
431 : }
432 :
|
