1/* 2 Unix SMB/CIFS implementation. 3 Authentication utility functions 4 Copyright (C) Andrew Tridgell 1992-1998 5 Copyright (C) Andrew Bartlett 2001 6 Copyright (C) Jeremy Allison 2000-2001 7 Copyright (C) Rafal Szczesniak 2002 8 Copyright (C) Stefan Metzmacher 2005 9 10 This program is free software; you can redistribute it and/or modify 11 it under the terms of the GNU General Public License as published by 12 the Free Software Foundation; either version 3 of the License, or 13 (at your option) any later version. 14 15 This program is distributed in the hope that it will be useful, 16 but WITHOUT ANY WARRANTY; without even the implied warranty of 17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 GNU General Public License for more details. 19 20 You should have received a copy of the GNU General Public License 21 along with this program. If not, see <http://www.gnu.org/licenses/>. 22*/ 23 24#include "includes.h" 25#include "libcli/security/security.h" 26#include "libcli/auth/libcli_auth.h" 27#include "auth/credentials/credentials.h" 28#include "param/param.h" 29#include "auth/auth.h" /* for auth_serversupplied_info */ 30#include "auth/session.h" 31#include "auth/system_session_proto.h" 32 33/** 34 * Create the SID list for this user. 35 * 36 * @note Specialised version for system sessions that doesn't use the SAM. 37 */ 38static NTSTATUS create_token(TALLOC_CTX *mem_ctx, 39 struct dom_sid *user_sid, 40 struct dom_sid *group_sid, 41 int n_groupSIDs, 42 struct dom_sid **groupSIDs, 43 bool is_authenticated, 44 struct security_token **token) 45{ 46 struct security_token *ptoken; 47 int i; 48 49 ptoken = security_token_initialise(mem_ctx); 50 NT_STATUS_HAVE_NO_MEMORY(ptoken); 51 52 ptoken->sids = talloc_array(ptoken, struct dom_sid *, n_groupSIDs + 5); 53 NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); 54 55 ptoken->user_sid = talloc_reference(ptoken, user_sid); 56 ptoken->group_sid = talloc_reference(ptoken, group_sid); 57 ptoken->privilege_mask = 0; 58 59 ptoken->sids[0] = ptoken->user_sid; 60 ptoken->sids[1] = ptoken->group_sid; 61 62 /* 63 * Finally add the "standard" SIDs. 64 * The only difference between guest and "anonymous" 65 * is the addition of Authenticated_Users. 66 */ 67 ptoken->sids[2] = dom_sid_parse_talloc(ptoken->sids, SID_WORLD); 68 NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[2]); 69 ptoken->sids[3] = dom_sid_parse_talloc(ptoken->sids, SID_NT_NETWORK); 70 NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[3]); 71 ptoken->num_sids = 4; 72 73 if (is_authenticated) { 74 ptoken->sids[4] = dom_sid_parse_talloc(ptoken->sids, SID_NT_AUTHENTICATED_USERS); 75 NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[4]); 76 ptoken->num_sids++; 77 } 78 79 for (i = 0; i < n_groupSIDs; i++) { 80 size_t check_sid_idx; 81 for (check_sid_idx = 1; 82 check_sid_idx < ptoken->num_sids; 83 check_sid_idx++) { 84 if (dom_sid_equal(ptoken->sids[check_sid_idx], groupSIDs[i])) { 85 break; 86 } 87 } 88 89 if (check_sid_idx == ptoken->num_sids) { 90 ptoken->sids[ptoken->num_sids++] = talloc_reference(ptoken->sids, groupSIDs[i]); 91 } 92 } 93 94 *token = ptoken; 95 96 /* Shortcuts to prevent recursion and avoid lookups */ 97 if (ptoken->user_sid == NULL) { 98 ptoken->privilege_mask = 0; 99 return NT_STATUS_OK; 100 } 101 102 if (security_token_is_system(ptoken)) { 103 ptoken->privilege_mask = ~0; 104 return NT_STATUS_OK; 105 } 106 107 if (security_token_is_anonymous(ptoken)) { 108 ptoken->privilege_mask = 0; 109 return NT_STATUS_OK; 110 } 111 112 DEBUG(0, ("Created token was not system or anonymous token!")); 113 *token = NULL; 114 return NT_STATUS_INTERNAL_ERROR; 115} 116 117static NTSTATUS generate_session_info(TALLOC_CTX *mem_ctx, 118 struct auth_serversupplied_info *server_info, 119 struct auth_session_info **_session_info) 120{ 121 struct auth_session_info *session_info; 122 NTSTATUS nt_status; 123 124 session_info = talloc(mem_ctx, struct auth_session_info); 125 NT_STATUS_HAVE_NO_MEMORY(session_info); 126 127 session_info->server_info = talloc_reference(session_info, server_info); 128 129 /* unless set otherwise, the session key is the user session 130 * key from the auth subsystem */ 131 session_info->session_key = server_info->user_session_key; 132 133 nt_status = create_token(session_info, 134 server_info->account_sid, 135 server_info->primary_group_sid, 136 server_info->n_domain_groups, 137 server_info->domain_groups, 138 server_info->authenticated, 139 &session_info->security_token); 140 NT_STATUS_NOT_OK_RETURN(nt_status); 141 142 session_info->credentials = NULL; 143 144 *_session_info = session_info; 145 return NT_STATUS_OK; 146} 147 148 149 150/* Create a security token for a session SYSTEM (the most 151 * trusted/prvilaged account), including the local machine account as 152 * the off-host credentials 153 */ 154_PUBLIC_ struct auth_session_info *system_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx) 155{ 156 NTSTATUS nt_status; 157 struct auth_session_info *session_info = NULL; 158 nt_status = auth_system_session_info(mem_ctx, 159 lp_ctx, 160 &session_info); 161 if (!NT_STATUS_IS_OK(nt_status)) { 162 return NULL; 163 } 164 return session_info; 165} 166 167static NTSTATUS _auth_system_session_info(TALLOC_CTX *parent_ctx, 168 struct loadparm_context *lp_ctx, 169 bool anonymous_credentials, 170 struct auth_session_info **_session_info) 171{ 172 NTSTATUS nt_status; 173 struct auth_serversupplied_info *server_info = NULL; 174 struct auth_session_info *session_info = NULL; 175 TALLOC_CTX *mem_ctx = talloc_new(parent_ctx); 176 177 nt_status = auth_system_server_info(mem_ctx, lp_netbios_name(lp_ctx), 178 &server_info); 179 if (!NT_STATUS_IS_OK(nt_status)) { 180 talloc_free(mem_ctx); 181 return nt_status; 182 } 183 184 /* references the server_info into the session_info */ 185 nt_status = generate_session_info(parent_ctx, server_info, &session_info); 186 talloc_free(mem_ctx); 187 188 NT_STATUS_NOT_OK_RETURN(nt_status); 189 190 session_info->credentials = cli_credentials_init(session_info); 191 if (!session_info->credentials) { 192 return NT_STATUS_NO_MEMORY; 193 } 194 195 cli_credentials_set_conf(session_info->credentials, lp_ctx); 196 197 if (anonymous_credentials) { 198 cli_credentials_set_anonymous(session_info->credentials); 199 } else { 200 cli_credentials_set_machine_account_pending(session_info->credentials, lp_ctx); 201 } 202 *_session_info = session_info; 203 204 return NT_STATUS_OK; 205} 206 207/* 208 Create a system session, but with anonymous credentials (so we do not need to open secrets.ldb) 209*/ 210_PUBLIC_ struct auth_session_info *system_session_anon(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx) 211{ 212 NTSTATUS nt_status; 213 struct auth_session_info *session_info = NULL; 214 nt_status = _auth_system_session_info(mem_ctx, lp_ctx, false, &session_info); 215 if (!NT_STATUS_IS_OK(nt_status)) { 216 return NULL; 217 } 218 return session_info; 219} 220 221 222 223_PUBLIC_ NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx, 224 struct loadparm_context *lp_ctx, 225 struct auth_session_info **_session_info) 226{ 227 return _auth_system_session_info(parent_ctx, 228 lp_ctx, 229 lp_parm_bool(lp_ctx, NULL, "system", "anonymous", false), 230 _session_info); 231} 232 233NTSTATUS auth_system_server_info(TALLOC_CTX *mem_ctx, const char *netbios_name, 234 struct auth_serversupplied_info **_server_info) 235{ 236 struct auth_serversupplied_info *server_info; 237 238 server_info = talloc(mem_ctx, struct auth_serversupplied_info); 239 NT_STATUS_HAVE_NO_MEMORY(server_info); 240 241 server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_SYSTEM); 242 NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid); 243 244 /* is this correct? */ 245 server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_BUILTIN_ADMINISTRATORS); 246 NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid); 247 248 server_info->n_domain_groups = 0; 249 server_info->domain_groups = NULL; 250 251 /* annoying, but the Anonymous really does have a session key, 252 and it is all zeros! */ 253 server_info->user_session_key = data_blob_talloc(server_info, NULL, 16); 254 NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data); 255 256 server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16); 257 NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data); 258 259 data_blob_clear(&server_info->user_session_key); 260 data_blob_clear(&server_info->lm_session_key); 261 262 server_info->account_name = talloc_strdup(server_info, "SYSTEM"); 263 NT_STATUS_HAVE_NO_MEMORY(server_info->account_name); 264 265 server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY"); 266 NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name); 267 268 server_info->full_name = talloc_strdup(server_info, "System"); 269 NT_STATUS_HAVE_NO_MEMORY(server_info->full_name); 270 271 server_info->logon_script = talloc_strdup(server_info, ""); 272 NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script); 273 274 server_info->profile_path = talloc_strdup(server_info, ""); 275 NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path); 276 277 server_info->home_directory = talloc_strdup(server_info, ""); 278 NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory); 279 280 server_info->home_drive = talloc_strdup(server_info, ""); 281 NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive); 282 283 server_info->logon_server = talloc_strdup(server_info, netbios_name); 284 NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server); 285 286 server_info->last_logon = 0; 287 server_info->last_logoff = 0; 288 server_info->acct_expiry = 0; 289 server_info->last_password_change = 0; 290 server_info->allow_password_change = 0; 291 server_info->force_password_change = 0; 292 293 server_info->logon_count = 0; 294 server_info->bad_password_count = 0; 295 296 server_info->acct_flags = ACB_NORMAL; 297 298 server_info->authenticated = true; 299 300 *_server_info = server_info; 301 302 return NT_STATUS_OK; 303} 304 305 306/* Create server info for the Administrator account. This should only be used 307 * during provisioning when we need to impersonate Administrator but 308 * the account has not been created yet */ 309 310static NTSTATUS create_admin_token(TALLOC_CTX *mem_ctx, 311 struct dom_sid *user_sid, 312 struct dom_sid *group_sid, 313 int n_groupSIDs, 314 struct dom_sid **groupSIDs, 315 struct security_token **token) 316{ 317 struct security_token *ptoken; 318 int i; 319 320 ptoken = security_token_initialise(mem_ctx); 321 NT_STATUS_HAVE_NO_MEMORY(ptoken); 322 323 ptoken->sids = talloc_array(ptoken, struct dom_sid *, n_groupSIDs + 3); 324 NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); 325 326 ptoken->user_sid = talloc_reference(ptoken, user_sid); 327 ptoken->group_sid = talloc_reference(ptoken, group_sid); 328 ptoken->privilege_mask = 0; 329 330 ptoken->sids[0] = ptoken->user_sid; 331 ptoken->sids[1] = ptoken->group_sid; 332 ptoken->sids[2] = dom_sid_parse_talloc(ptoken->sids, SID_NT_AUTHENTICATED_USERS); 333 NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[2]); 334 ptoken->num_sids = 3; 335 336 337 for (i = 0; i < n_groupSIDs; i++) { 338 size_t check_sid_idx; 339 for (check_sid_idx = 1; 340 check_sid_idx < ptoken->num_sids; 341 check_sid_idx++) { 342 if (dom_sid_equal(ptoken->sids[check_sid_idx], groupSIDs[i])) { 343 break; 344 } 345 } 346 347 if (check_sid_idx == ptoken->num_sids) { 348 ptoken->sids[ptoken->num_sids++] = talloc_reference(ptoken->sids, groupSIDs[i]); 349 } 350 } 351 352 *token = ptoken; 353 ptoken->privilege_mask = ~0; 354 return NT_STATUS_OK; 355} 356 357static NTSTATUS auth_domain_admin_server_info(TALLOC_CTX *mem_ctx, 358 const char *netbios_name, 359 const char *domain_name, 360 struct dom_sid *domain_sid, 361 struct auth_serversupplied_info **_server_info) 362{ 363 struct auth_serversupplied_info *server_info; 364 365 server_info = talloc(mem_ctx, struct auth_serversupplied_info); 366 NT_STATUS_HAVE_NO_MEMORY(server_info); 367 368 server_info->account_sid = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_ADMINISTRATOR); 369 NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid); 370 371 server_info->primary_group_sid = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_USERS); 372 NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid); 373 374 server_info->n_domain_groups = 6; 375 server_info->domain_groups = talloc_array(server_info, struct dom_sid *, server_info->n_domain_groups); 376 377 server_info->domain_groups[0] = dom_sid_parse_talloc(server_info, SID_BUILTIN_ADMINISTRATORS); 378 server_info->domain_groups[1] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_ADMINS); 379 server_info->domain_groups[2] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_USERS); 380 server_info->domain_groups[3] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_ENTERPRISE_ADMINS); 381 server_info->domain_groups[4] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_POLICY_ADMINS); 382 server_info->domain_groups[5] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_SCHEMA_ADMINS); 383 384 /* What should the session key be?*/ 385 server_info->user_session_key = data_blob_talloc(server_info, NULL, 16); 386 NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data); 387 388 server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16); 389 NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data); 390 391 data_blob_clear(&server_info->user_session_key); 392 data_blob_clear(&server_info->lm_session_key); 393 394 server_info->account_name = talloc_strdup(server_info, "Administrator"); 395 NT_STATUS_HAVE_NO_MEMORY(server_info->account_name); 396 397 server_info->domain_name = talloc_strdup(server_info, domain_name); 398 NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name); 399 400 server_info->full_name = talloc_strdup(server_info, "Administrator"); 401 NT_STATUS_HAVE_NO_MEMORY(server_info->full_name); 402 403 server_info->logon_script = talloc_strdup(server_info, ""); 404 NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script); 405 406 server_info->profile_path = talloc_strdup(server_info, ""); 407 NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path); 408 409 server_info->home_directory = talloc_strdup(server_info, ""); 410 NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory); 411 412 server_info->home_drive = talloc_strdup(server_info, ""); 413 NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive); 414 415 server_info->logon_server = talloc_strdup(server_info, netbios_name); 416 NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server); 417 418 server_info->last_logon = 0; 419 server_info->last_logoff = 0; 420 server_info->acct_expiry = 0; 421 server_info->last_password_change = 0; 422 server_info->allow_password_change = 0; 423 server_info->force_password_change = 0; 424 425 server_info->logon_count = 0; 426 server_info->bad_password_count = 0; 427 428 server_info->acct_flags = ACB_NORMAL; 429 430 server_info->authenticated = true; 431 432 *_server_info = server_info; 433 434 return NT_STATUS_OK; 435} 436 437static NTSTATUS auth_domain_admin_session_info(TALLOC_CTX *parent_ctx, 438 struct loadparm_context *lp_ctx, 439 struct dom_sid *domain_sid, 440 struct auth_session_info **_session_info) 441{ 442 NTSTATUS nt_status; 443 struct auth_serversupplied_info *server_info = NULL; 444 struct auth_session_info *session_info = NULL; 445 TALLOC_CTX *mem_ctx = talloc_new(parent_ctx); 446 447 nt_status = auth_domain_admin_server_info(mem_ctx, lp_netbios_name(lp_ctx), 448 lp_workgroup(lp_ctx), domain_sid, 449 &server_info); 450 if (!NT_STATUS_IS_OK(nt_status)) { 451 talloc_free(mem_ctx); 452 return nt_status; 453 } 454 455 session_info = talloc(mem_ctx, struct auth_session_info); 456 NT_STATUS_HAVE_NO_MEMORY(session_info); 457 458 session_info->server_info = talloc_reference(session_info, server_info); 459 460 /* unless set otherwise, the session key is the user session 461 * key from the auth subsystem */ 462 session_info->session_key = server_info->user_session_key; 463 464 nt_status = create_admin_token(session_info, 465 server_info->account_sid, 466 server_info->primary_group_sid, 467 server_info->n_domain_groups, 468 server_info->domain_groups, 469 &session_info->security_token); 470 NT_STATUS_NOT_OK_RETURN(nt_status); 471 472 session_info->credentials = cli_credentials_init(session_info); 473 if (!session_info->credentials) { 474 return NT_STATUS_NO_MEMORY; 475 } 476 477 cli_credentials_set_conf(session_info->credentials, lp_ctx); 478 479 *_session_info = session_info; 480 481 return NT_STATUS_OK; 482} 483 484_PUBLIC_ struct auth_session_info *admin_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct dom_sid *domain_sid) 485{ 486 NTSTATUS nt_status; 487 struct auth_session_info *session_info = NULL; 488 nt_status = auth_domain_admin_session_info(mem_ctx, 489 lp_ctx, 490 domain_sid, 491 &session_info); 492 if (!NT_STATUS_IS_OK(nt_status)) { 493 return NULL; 494 } 495 return session_info; 496} 497