s3:auth: add make_{server,session}_info_anonymous()

It's important to have them separated from make_{server,session}_info_guest(), because there's a fundamental difference between anonymous (the client requested no authentication) and guest (the server lies about the authentication failure). The following is the difference between guest and anonymous token: security_token: struct security_token - num_sids : 0x0000000a (10) - sids: ARRAY(10) - sids : S-1-5-21-3793881525-3372187982-3724979742-501 - sids : S-1-5-21-3793881525-3372187982-3724979742-514 - sids : S-1-22-2-65534 - sids : S-1-22-2-65533 + num_sids : 0x00000009 (9) + sids: ARRAY(9) + sids : S-1-5-7 sids : S-1-1-0 sids : S-1-5-2 - sids : S-1-5-32-546 sids : S-1-22-1-65533 + sids : S-1-22-2-65534 + sids : S-1-22-2-100004 sids : S-1-22-2-100002 sids : S-1-22-2-100003 + sids : S-1-22-2-65533 privilege_mask : 0x0000000000000000 (0) ... unix_token : * unix_token: struct security_unix_token uid : 0x000000000000fffd (65533) gid : 0x000000000000fffe (65534) - ngroups : 0x00000004 (4) - groups: ARRAY(4) + ngroups : 0x00000005 (5) + groups: ARRAY(5) groups : 0x000000000000fffe (65534) - groups : 0x000000000000fffd (65533) + groups : 0x00000000000186a4 (100004) groups : 0x00000000000186a2 (100002) groups : 0x00000000000186a3 (100003) + groups : 0x000000000000fffd (65533) info: struct auth_user_info account_name : * - account_name : 'nobody' + account_name : 'ANONYMOUS LOGON' user_principal_name : NULL user_principal_constructed: 0x00 (0) domain_name : * - domain_name : 'SAMBA-TEST' + domain_name : 'NT AUTHORITY' dns_domain_name : NULL - full_name : NULL - logon_script : NULL - profile_path : NULL - home_directory : NULL - home_drive : NULL - logon_server : NULL + full_name : * + full_name : 'Anonymous Logon' + logon_script : * + logon_script : '' + profile_path : * + profile_path : '' + home_directory : * + home_directory : '' + home_drive : * + home_drive : '' + logon_server : * + logon_server : 'LOCALNT4DC2' last_logon : NTTIME(0) last_logoff : NTTIME(0) acct_expiry : NTTIME(0) last_password_change : NTTIME(0) allow_password_change : NTTIME(0) force_password_change : NTTIME(0) logon_count : 0x0000 (0) bad_password_count : 0x0000 (0) - acct_flags : 0x00000000 (0) + acct_flags : 0x00000010 (16) authenticated : 0x00 (0) security_token: struct security_token num_sids : 0x00000006 (6) sids: ARRAY(6) + sids : S-1-5-7 + sids : S-1-1-0 + sids : S-1-5-2 sids : S-1-22-1-65533 sids : S-1-22-2-65534 sids : S-1-22-2-65533 - sids : S-1-1-0 - sids : S-1-5-2 - sids : S-1-5-32-546 privilege_mask : 0x0000000000000000 (0) BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (similar to commit 6afb6b67a198c88ab8fa3fee931729c43605716d)
author: Stefan Metzmacher <metze@samba.org> 2018-03-02 14:39:44 +0100
committer: Stefan Metzmacher <metze@samba.org> 2018-03-20 17:13:08 +0100
commit: 8f69498ab6fa85dc3d23a1453224a654a9bedead (patch)
tree: 94668c0368bc8f6102a7b220a574e65b71665b40 /source3/auth
parent: c3fdc6157377e71cf354fae5b59b823a4ebaa0eb (diff)
download: samba-8f69498ab6fa85dc3d23a1453224a654a9bedead.tar.gz
2 files changed, 146 insertions, 1 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index a151ac13724..a1dde2cc7be 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1484,6 +1484,87 @@ done:
 	return status;
 }
 
+static NTSTATUS make_new_session_info_anonymous(TALLOC_CTX *mem_ctx,
+					struct auth_session_info **session_info)
+{
+	TALLOC_CTX *frame = talloc_stackframe();
+	const char *guest_account = lp_guest_account();
+	struct auth_user_info_dc *user_info_dc = NULL;
+	struct passwd *pwd = NULL;
+	uint32_t hint_flags = 0;
+	uint32_t session_info_flags = 0;
+	NTSTATUS status;
+
+	/*
+	 * We use the guest account for the unix token
+	 * while we use a true anonymous nt token.
+	 *
+	 * It's very important to have a separate
+	 * nt token for anonymous.
+	 */
+
+	pwd = Get_Pwnam_alloc(frame, guest_account);
+	if (pwd == NULL) {
+		DBG_ERR("Unable to locate guest account [%s]!\n",
+			guest_account);
+		status = NT_STATUS_NO_SUCH_USER;
+		goto done;
+	}
+
+	status = auth_anonymous_user_info_dc(frame, lp_netbios_name(),
+					     &user_info_dc);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("auth_anonymous_user_info_dc failed: %s\n",
+			  nt_errstr(status)));
+		goto done;
+	}
+
+	/*
+	 * Note we don't pass AUTH3_UNIX_HINT_QUALIFIED_NAME
+	 * nor AUTH3_UNIX_HINT_ISOLATED_NAME here
+	 * as we want the unix name be found by getpwuid_alloc().
+	 */
+
+	status = auth3_user_info_dc_add_hints(user_info_dc,
+					      pwd->pw_uid,
+					      pwd->pw_gid,
+					      hint_flags);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("auth3_user_info_dc_add_hints failed: %s\n",
+			  nt_errstr(status)));
+		goto done;
+	}
+
+	/*
+	 * In future we may want to remove
+	 * AUTH_SESSION_INFO_DEFAULT_GROUPS.
+	 *
+	 * Similar to Windows with EveryoneIncludesAnonymous
+	 * and RestrictAnonymous.
+	 *
+	 * We may introduce AUTH_SESSION_INFO_ANON_WORLD...
+	 *
+	 * But for this is required to keep the existing tests
+	 * working.
+	 */
+	session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
+	session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
+	session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
+	status = auth3_session_info_create(mem_ctx, user_info_dc,
+					   "",
+					   session_info_flags,
+					   session_info);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("auth3_session_info_create failed: %s\n",
+			  nt_errstr(status)));
+		goto done;
+	}
+
+done:
+	TALLOC_FREE(frame);
+	return status;
+}
+
 /****************************************************************************
   Fake a auth_session_info just from a username (as a
   session_info structure, with create_local_token() already called on
@@ -1661,15 +1742,30 @@ bool session_info_set_session_key(struct auth_session_info *info,
 }
 
 static struct auth_session_info *guest_info = NULL;
+static struct auth_session_info *anonymous_info = NULL;
 
 static struct auth_serversupplied_info *guest_server_info = NULL;
 
 bool init_guest_info(void)
 {
+	NTSTATUS status;
+
 	if (guest_info != NULL)
 		return true;
 
-	return NT_STATUS_IS_OK(make_new_session_info_guest(&guest_info, &guest_server_info));
+	status = make_new_session_info_guest(&guest_info,
+					     &guest_server_info);
+	if (!NT_STATUS_IS_OK(status)) {
+		return false;
+	}
+
+	status = make_new_session_info_anonymous(NULL,
+						 &anonymous_info);
+	if (!NT_STATUS_IS_OK(status)) {
+		return false;
+	}
+
+	return true;
 }
 
 NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx,
@@ -1690,6 +1786,51 @@ NTSTATUS make_session_info_guest(TALLOC_CTX *mem_ctx,
 	return (*session_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
 }
 
+NTSTATUS make_server_info_anonymous(TALLOC_CTX *mem_ctx,
+				    struct auth_serversupplied_info **server_info)
+{
+	if (anonymous_info == NULL) {
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	/*
+	 * This is trickier than it would appear to need to be because
+	 * we are trying to avoid certain costly operations when the
+	 * structure is converted to a 'auth_session_info' again in
+	 * create_local_token()
+	 *
+	 * We use a guest server_info, but with the anonymous session info,
+	 * which means create_local_token() will return a copy
+	 * of the anonymous token.
+	 *
+	 * The server info is just used as legacy in order to
+	 * keep existing code working. Maybe some debug messages
+	 * will still refer to guest instead of anonymous.
+	 */
+	*server_info = copy_session_info_serverinfo_guest(mem_ctx, anonymous_info,
+							  guest_server_info);
+	if (*server_info == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	return NT_STATUS_OK;
+}
+
+NTSTATUS make_session_info_anonymous(TALLOC_CTX *mem_ctx,
+				     struct auth_session_info **session_info)
+{
+	if (anonymous_info == NULL) {
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	*session_info = copy_session_info(mem_ctx, anonymous_info);
+	if (*session_info == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	return NT_STATUS_OK;
+}
+
 static struct auth_session_info *system_info = NULL;
 
 NTSTATUS init_system_session_info(void)
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 84e20093218..0ce34742ab6 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -284,6 +284,10 @@ NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx,
 				struct auth_serversupplied_info **server_info);
 NTSTATUS make_session_info_guest(TALLOC_CTX *mem_ctx,
 				struct auth_session_info **server_info);
+NTSTATUS make_server_info_anonymous(TALLOC_CTX *mem_ctx,
+				    struct auth_serversupplied_info **server_info);
+NTSTATUS make_session_info_anonymous(TALLOC_CTX *mem_ctx,
+				     struct auth_session_info **psession_info);
 NTSTATUS make_session_info_system(TALLOC_CTX *mem_ctx,
 				 struct auth_session_info **session_info);
 const struct auth_session_info *get_session_info_system(void);
author	Stefan Metzmacher <metze@samba.org>	2018-03-02 14:39:44 +0100
committer	Stefan Metzmacher <metze@samba.org>	2018-03-20 17:13:08 +0100
commit	8f69498ab6fa85dc3d23a1453224a654a9bedead (patch)
tree	94668c0368bc8f6102a7b220a574e65b71665b40 /source3/auth
parent	c3fdc6157377e71cf354fae5b59b823a4ebaa0eb (diff)
download	samba-8f69498ab6fa85dc3d23a1453224a654a9bedead.tar.gz