1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
|
/*
* NTLMSSP Acceptor
* DCERPC Server functions
* Copyright (C) Simo Sorce 2010.
* Copyright (C) Andrew Bartlett 2011.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "rpc_server/dcesrv_ntlmssp.h"
#include "../auth/ntlmssp/ntlmssp.h"
#include "ntlmssp_wrap.h"
#include "auth.h"
#include "auth/gensec/gensec.h"
NTSTATUS ntlmssp_server_auth_start(TALLOC_CTX *mem_ctx,
bool do_sign,
bool do_seal,
bool is_dcerpc,
DATA_BLOB *token_in,
DATA_BLOB *token_out,
const struct tsocket_address *remote_address,
struct gensec_security **ctx)
{
struct auth_generic_state *a = NULL;
NTSTATUS status;
status = auth_generic_prepare(remote_address, &a);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, (__location__ ": auth_generic_prepare failed: %s\n",
nt_errstr(status)));
return status;
}
if (do_sign) {
gensec_want_feature(a->gensec_security, GENSEC_FEATURE_SIGN);
}
if (do_seal) {
/* Always implies both sign and seal for ntlmssp */
gensec_want_feature(a->gensec_security, GENSEC_FEATURE_SEAL);
}
if (is_dcerpc) {
gensec_want_feature(a->gensec_security, GENSEC_FEATURE_DCE_STYLE);
}
status = auth_ntlmssp_start(a);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, (__location__ ": auth_ntlmssp_start failed: %s\n",
nt_errstr(status)));
return status;
}
status = gensec_update(a->gensec_security, mem_ctx, NULL, *token_in, token_out);
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
DEBUG(0, (__location__ ": auth_ntlmssp_update failed: %s\n",
nt_errstr(status)));
goto done;
}
/* steal ntlmssp context too */
*ctx = talloc_move(mem_ctx, &a->gensec_security);
status = NT_STATUS_OK;
done:
TALLOC_FREE(a);
return status;
}
NTSTATUS ntlmssp_server_step(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
DATA_BLOB *token_in,
DATA_BLOB *token_out)
{
NTSTATUS status;
/* this has to be done as root in order to verify the password */
become_root();
status = gensec_update(gensec_security, mem_ctx, NULL, *token_in, token_out);
unbecome_root();
return status;
}
NTSTATUS ntlmssp_server_check_flags(struct gensec_security *gensec_security,
bool do_sign, bool do_seal)
{
if (do_sign && !gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
DEBUG(1, (__location__ "Integrity was requested but client "
"failed to negotiate signing.\n"));
return NT_STATUS_ACCESS_DENIED;
}
if (do_seal && !gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
DEBUG(1, (__location__ "Privacy was requested but client "
"failed to negotiate sealing.\n"));
return NT_STATUS_ACCESS_DENIED;
}
return NT_STATUS_OK;
}
NTSTATUS ntlmssp_server_get_user_info(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
struct auth_session_info **session_info)
{
NTSTATUS status;
status = gensec_session_info(gensec_security, mem_ctx, session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, (__location__ ": Failed to get authenticated user "
"info: %s\n", nt_errstr(status)));
return status;
}
DEBUG(5, (__location__ "OK: user: %s domain: %s\n",
(*session_info)->info->account_name,
(*session_info)->info->domain_name));
return NT_STATUS_OK;
}
|