s3:smbd: always use the gensec code path in smb2_sesssetup.c

The other code pathes are unused, because we always have the spnego gensec module. metze
author: Stefan Metzmacher <metze@samba.org> 2012-01-13 12:24:47 +0100
committer: Stefan Metzmacher <metze@samba.org> 2012-01-31 20:17:10 +0100
commit: 58e401fae28728d7f28106216b4bbffa8cb0df93 (patch)
tree: 1d8cdcc68ba80921e754beb931315607a81de9d1 /source3/smbd/smb2_sesssetup.c
parent: 5ad7665b6377768d3710b00b25aeb530131924cc (diff)
download: samba-58e401fae28728d7f28106216b4bbffa8cb0df93.tar.gz
samba-58e401fae28728d7f28106216b4bbffa8cb0df93.tar.bz2
samba-58e401fae28728d7f28106216b4bbffa8cb0df93.zip
1 files changed, 7 insertions, 460 deletions
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 3163ac0794..3f6a2d7d51 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -23,12 +23,7 @@
 #include "smbd/smbd.h"
 #include "smbd/globals.h"
 #include "../libcli/smb/smb_common.h"
-#include "../libcli/auth/spnego.h"
 #include "../auth/gensec/gensec.h"
-#include "../auth/ntlmssp/ntlmssp.h"
-#include "../librpc/gen_ndr/krb5pac.h"
-#include "libads/kerberos_proto.h"
-#include "../lib/util/asn1.h"
 #include "auth.h"
 #include "../lib/tsocket/tsocket.h"
 #include "../libcli/security/security.h"
@@ -143,292 +138,6 @@ static int smbd_smb2_session_destructor(struct smbd_smb2_session *session)
 	return 0;
 }
 
-#ifdef HAVE_KRB5
-static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
-					struct smbd_smb2_request *smb2req,
-					uint8_t in_security_mode,
-					const DATA_BLOB *secblob,
-					const char *mechOID,
-					uint16_t *out_session_flags,
-					DATA_BLOB *out_security_buffer,
-					uint64_t *out_session_id)
-{
-	DATA_BLOB ap_rep = data_blob_null;
-	DATA_BLOB ap_rep_wrapped = data_blob_null;
-	DATA_BLOB ticket = data_blob_null;
-	DATA_BLOB session_key = data_blob_null;
-	DATA_BLOB secblob_out = data_blob_null;
-	uint8 tok_id[2];
-	struct PAC_LOGON_INFO *logon_info = NULL;
-	char *principal = NULL;
-	char *user = NULL;
-	char *domain = NULL;
-	struct passwd *pw = NULL;
-	NTSTATUS status;
-	char *real_username;
-	bool username_was_mapped = false;
-	bool map_domainuser_to_guest = false;
-	bool guest = false;
-
-	if (!spnego_parse_krb5_wrap(talloc_tos(), *secblob, &ticket, tok_id)) {
-		status = NT_STATUS_LOGON_FAILURE;
-		goto fail;
-	}
-
-	status = ads_verify_ticket(smb2req, lp_realm(), 0, &ticket,
-				   &principal, &logon_info, &ap_rep,
-				   &session_key, true);
-
-	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(1,("smb2: Failed to verify incoming ticket with error %s!\n",
-			nt_errstr(status)));
-		if (!NT_STATUS_EQUAL(status, NT_STATUS_TIME_DIFFERENCE_AT_DC)) {
-			status = NT_STATUS_LOGON_FAILURE;
-		}
-		goto fail;
-	}
-
-	status = get_user_from_kerberos_info(talloc_tos(),
-					     session->sconn->remote_hostname,
-					     principal, logon_info,
-					     &username_was_mapped,
-					     &map_domainuser_to_guest,
-					     &user, &domain,
-					     &real_username, &pw);
-	if (!NT_STATUS_IS_OK(status)) {
-		goto fail;
-	}
-
-	/* save the PAC data if we have it */
-	if (logon_info) {
-		netsamlogon_cache_store(user, &logon_info->info3);
-	}
-
-	/* setup the string used by %U */
-	sub_set_smb_name(real_username);
-
-	/* reload services so that the new %U is taken into account */
-	reload_services(smb2req->sconn, conn_snum_used, true);
-
-	status = make_session_info_krb5(session,
-					user, domain, real_username, pw,
-					logon_info, map_domainuser_to_guest,
-					username_was_mapped,
-					&session_key,
-					&session->session_info);
-	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(1, ("smb2: make_server_info_krb5 failed\n"));
-		goto fail;
-	}
-
-	if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
-	     lp_server_signing() == SMB_SIGNING_REQUIRED) {
-		session->do_signing = true;
-	}
-
-	if (security_session_user_level(session->session_info, NULL) < SECURITY_USER) {
-		/* we map anonymous to guest internally */
-		*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
-		*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
-		/* force no signing */
-		session->do_signing = false;
-		guest = true;
-	}
-
-	session->session_key = session->session_info->session_key;
-
-	session->compat_vuser = talloc_zero(session, user_struct);
-	if (session->compat_vuser == NULL) {
-		status = NT_STATUS_NO_MEMORY;
-		goto fail;
-	}
-	session->compat_vuser->gensec_security = NULL;
-	session->compat_vuser->homes_snum = -1;
-	session->compat_vuser->session_info = session->session_info;
-	session->compat_vuser->session_keystr = NULL;
-	session->compat_vuser->vuid = session->vuid;
-	DLIST_ADD(session->sconn->smb1.sessions.validated_users, session->compat_vuser);
-
-	if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) {
-		session->compat_vuser->homes_snum =
-			register_homes_share(session->session_info->unix_info->unix_name);
-	}
-
-	if (!session_claim(session->sconn, session->compat_vuser)) {
-		DEBUG(1, ("smb2: Failed to claim session "
-			"for vuid=%d\n",
-			session->compat_vuser->vuid));
-		goto fail;
-	}
-
-	set_current_user_info(session->session_info->unix_info->sanitized_username,
-			      session->session_info->unix_info->unix_name,
-			      session->session_info->info->domain_name);
-
-	reload_services(smb2req->sconn, conn_snum_used, true);
-
-	session->status = NT_STATUS_OK;
-
-	/*
-	 * we attach the session to the request
-	 * so that the response can be signed
-	 */
-	smb2req->session = session;
-	if (!guest) {
-		smb2req->do_signing = true;
-	}
-
-	global_client_caps |= (CAP_LEVEL_II_OPLOCKS|CAP_STATUS32);
-        status = NT_STATUS_OK;
-
-	/* wrap that up in a nice GSS-API wrapping */
-	ap_rep_wrapped = spnego_gen_krb5_wrap(talloc_tos(), ap_rep,
-				TOK_ID_KRB_AP_REP);
-
-	secblob_out = spnego_gen_auth_response(
-					talloc_tos(),
-					&ap_rep_wrapped,
-					status,
-					mechOID);
-
-	*out_security_buffer = data_blob_talloc(smb2req,
-						secblob_out.data,
-						secblob_out.length);
-	if (secblob_out.data && out_security_buffer->data == NULL) {
-		status = NT_STATUS_NO_MEMORY;
-		goto fail;
-	}
-
-	data_blob_free(&ap_rep);
-	data_blob_free(&ap_rep_wrapped);
-	data_blob_free(&ticket);
-	data_blob_free(&session_key);
-	data_blob_free(&secblob_out);
-
-	*out_session_id = session->vuid;
-
-	return NT_STATUS_OK;
-
-  fail:
-
-	data_blob_free(&ap_rep);
-	data_blob_free(&ap_rep_wrapped);
-	data_blob_free(&ticket);
-	data_blob_free(&session_key);
-	data_blob_free(&secblob_out);
-
-	ap_rep_wrapped = data_blob_null;
-	secblob_out = spnego_gen_auth_response(
-					talloc_tos(),
-					&ap_rep_wrapped,
-					status,
-					mechOID);
-
-	*out_security_buffer = data_blob_talloc(smb2req,
-						secblob_out.data,
-						secblob_out.length);
-	data_blob_free(&secblob_out);
-	return status;
-}
-#endif
-
-static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
-					struct smbd_smb2_request *smb2req,
-					uint8_t in_security_mode,
-					DATA_BLOB in_security_buffer,
-					uint16_t *out_session_flags,
-					DATA_BLOB *out_security_buffer,
-					uint64_t *out_session_id)
-{
-	DATA_BLOB secblob_in = data_blob_null;
-	DATA_BLOB chal_out = data_blob_null;
-	char *kerb_mech = NULL;
-	NTSTATUS status;
-
-	/* Ensure we have no old NTLM state around. */
-	TALLOC_FREE(session->gensec_security);
-
-	status = parse_spnego_mechanisms(talloc_tos(), in_security_buffer,
-			&secblob_in, &kerb_mech);
-	if (!NT_STATUS_IS_OK(status)) {
-		goto out;
-	}
-
-#ifdef HAVE_KRB5
-	if (kerb_mech && ((lp_security()==SEC_ADS) ||
-				USE_KERBEROS_KEYTAB) ) {
-		status = smbd_smb2_session_setup_krb5(session,
-				smb2req,
-				in_security_mode,
-				&secblob_in,
-				kerb_mech,
-				out_session_flags,
-				out_security_buffer,
-				out_session_id);
-
-		goto out;
-	}
-#endif
-
-	if (kerb_mech) {
-		/* The mechtoken is a krb5 ticket, but
-		 * we need to fall back to NTLM. */
-
-		DEBUG(3,("smb2: Got krb5 ticket in SPNEGO "
-			"but set to downgrade to NTLMSSP\n"));
-
-		status = NT_STATUS_MORE_PROCESSING_REQUIRED;
-	} else {
-		/* Fall back to NTLMSSP. */
-		status = auth_generic_prepare(session, session->sconn->remote_address,
-					    &session->gensec_security);
-		if (!NT_STATUS_IS_OK(status)) {
-			goto out;
-		}
-
-		gensec_want_feature(session->gensec_security, GENSEC_FEATURE_SESSION_KEY);
-		gensec_want_feature(session->gensec_security, GENSEC_FEATURE_UNIX_TOKEN);
-
-		status = gensec_start_mech_by_oid(session->gensec_security, GENSEC_OID_NTLMSSP);
-		if (!NT_STATUS_IS_OK(status)) {
-			goto out;
-		}
-
-		status = gensec_update(session->gensec_security,
-				       talloc_tos(), NULL,
-				       secblob_in,
-				       &chal_out);
-	}
-
-	if (!NT_STATUS_IS_OK(status) &&
-			!NT_STATUS_EQUAL(status,
-				NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-		goto out;
-	}
-
-	*out_security_buffer = spnego_gen_auth_response(smb2req,
-						&chal_out,
-						status,
-						OID_NTLMSSP);
-	if (out_security_buffer->data == NULL) {
-		status = NT_STATUS_NO_MEMORY;
-		goto out;
-	}
-	*out_session_id = session->vuid;
-
-  out:
-
-	data_blob_free(&secblob_in);
-	data_blob_free(&chal_out);
-	TALLOC_FREE(kerb_mech);
-	if (!NT_STATUS_IS_OK(status) &&
-			!NT_STATUS_EQUAL(status,
-				NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-		TALLOC_FREE(session);
-	}
-	return status;
-}
-
 static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *session,
 					struct smbd_smb2_request *smb2req,
 					uint8_t in_security_mode,
@@ -503,138 +212,6 @@ static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *s
 	return NT_STATUS_OK;
 }
 
-static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
-					struct smbd_smb2_request *smb2req,
-					uint8_t in_security_mode,
-					DATA_BLOB in_security_buffer,
-					uint16_t *out_session_flags,
-					DATA_BLOB *out_security_buffer,
-					uint64_t *out_session_id)
-{
-	DATA_BLOB auth = data_blob_null;
-	DATA_BLOB auth_out = data_blob_null;
-	NTSTATUS status;
-
-	if (!spnego_parse_auth(talloc_tos(), in_security_buffer, &auth)) {
-		TALLOC_FREE(session);
-		return NT_STATUS_LOGON_FAILURE;
-	}
-
-	if (auth.data[0] == ASN1_APPLICATION(0)) {
-		/* Might be a second negTokenTarg packet */
-		DATA_BLOB secblob_in = data_blob_null;
-		char *kerb_mech = NULL;
-
-		status = parse_spnego_mechanisms(talloc_tos(),
-				in_security_buffer,
-				&secblob_in, &kerb_mech);
-		if (!NT_STATUS_IS_OK(status)) {
-			TALLOC_FREE(session);
-			return status;
-		}
-
-#ifdef HAVE_KRB5
-		if (kerb_mech && ((lp_security()==SEC_ADS) ||
-					USE_KERBEROS_KEYTAB) ) {
-			status = smbd_smb2_session_setup_krb5(session,
-					smb2req,
-					in_security_mode,
-					&secblob_in,
-					kerb_mech,
-					out_session_flags,
-					out_security_buffer,
-					out_session_id);
-
-			data_blob_free(&secblob_in);
-			TALLOC_FREE(kerb_mech);
-			if (!NT_STATUS_IS_OK(status)) {
-				TALLOC_FREE(session);
-			}
-			return status;
-		}
-#endif
-
-		/* Can't blunder into NTLMSSP auth if we have
-		 * a krb5 ticket. */
-
-		if (kerb_mech) {
-			DEBUG(3,("smb2: network "
-				"misconfiguration, client sent us a "
-				"krb5 ticket and kerberos security "
-				"not enabled\n"));
-			TALLOC_FREE(session);
-			data_blob_free(&secblob_in);
-			TALLOC_FREE(kerb_mech);
-			return NT_STATUS_LOGON_FAILURE;
-		}
-
-		data_blob_free(&secblob_in);
-	}
-
-	if (session->gensec_security == NULL) {
-		status = auth_generic_prepare(session, session->sconn->remote_address,
-					    &session->gensec_security);
-		if (!NT_STATUS_IS_OK(status)) {
-			data_blob_free(&auth);
-			TALLOC_FREE(session);
-			return status;
-		}
-
-		gensec_want_feature(session->gensec_security, GENSEC_FEATURE_SESSION_KEY);
-		gensec_want_feature(session->gensec_security, GENSEC_FEATURE_UNIX_TOKEN);
-
-		status = gensec_start_mech_by_oid(session->gensec_security, GENSEC_OID_NTLMSSP);
-		if (!NT_STATUS_IS_OK(status)) {
-			data_blob_free(&auth);
-			TALLOC_FREE(session);
-			return status;
-		}
-	}
-
-	status = gensec_update(session->gensec_security,
-			       talloc_tos(), NULL,
-			       auth,
-			       &auth_out);
-	/* If status is NT_STATUS_OK then we need to get the token.
-	 * Map to guest is now internal to auth_ntlmssp */
-	if (NT_STATUS_IS_OK(status)) {
-		status = gensec_session_info(session->gensec_security,
-					     session,
-					     &session->session_info);
-	}
-
-	if (!NT_STATUS_IS_OK(status) &&
-			!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-		data_blob_free(&auth);
-		TALLOC_FREE(session);
-		return status;
-	}
-
-	data_blob_free(&auth);
-
-	*out_security_buffer = spnego_gen_auth_response(smb2req,
-				&auth_out, status, NULL);
-
-	if (out_security_buffer->data == NULL) {
-		TALLOC_FREE(session);
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	*out_session_id = session->vuid;
-
-	if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-		return NT_STATUS_MORE_PROCESSING_REQUIRED;
-	}
-
-	/* We're done - claim the session. */
-	return smbd_smb2_common_ntlmssp_auth_return(session,
-						smb2req,
-						in_security_mode,
-						in_security_buffer,
-						out_session_flags,
-						out_session_id);
-}
-
 static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session,
 					struct smbd_smb2_request *smb2req,
 					uint8_t in_security_mode,
@@ -754,43 +331,13 @@ static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *smb2req,
 		return NT_STATUS_REQUEST_NOT_ACCEPTED;
 	}
 
-	/* Handle either raw NTLMSSP or hand off the whole blob to
-	 * GENSEC.  The processing at this layer is essentially
-	 * identical regardless.  In particular, both rely only on the
-	 * status code (not the contents of the packet) and do not
-	 * wrap the result */
-	if (session->sconn->use_gensec_hook
-	    || ntlmssp_blob_matches_magic(&in_security_buffer)) {
-		return smbd_smb2_raw_ntlmssp_auth(session,
-						smb2req,
-						in_security_mode,
-						in_security_buffer,
-						out_session_flags,
-						out_security_buffer,
-						out_session_id);
-	} else if (in_security_buffer.data[0] == ASN1_APPLICATION(0)) {
-		return smbd_smb2_spnego_negotiate(session,
-						smb2req,
-						in_security_mode,
-						in_security_buffer,
-						out_session_flags,
-						out_security_buffer,
-						out_session_id);
-	} else if (in_security_buffer.data[0] == ASN1_CONTEXT(1)) {
-		return smbd_smb2_spnego_auth(session,
-						smb2req,
-						in_security_mode,
-						in_security_buffer,
-						out_session_flags,
-						out_security_buffer,
-						out_session_id);
-	}
-
-	/* Unknown packet type. */
-	DEBUG(1,("Unknown packet type %u in smb2 sessionsetup\n",
-		(unsigned int)in_security_buffer.data[0] ));
-	TALLOC_FREE(session);
-	return NT_STATUS_LOGON_FAILURE;
+	return smbd_smb2_raw_ntlmssp_auth(session,
+					  smb2req,
+					  in_security_mode,
+					  in_security_buffer,
+					  out_session_flags,
+					  out_security_buffer,
+					  out_session_id);
 }
 
 NTSTATUS smbd_smb2_request_process_logoff(struct smbd_smb2_request *req)
author	Stefan Metzmacher <metze@samba.org>	2012-01-13 12:24:47 +0100
committer	Stefan Metzmacher <metze@samba.org>	2012-01-31 20:17:10 +0100
commit	58e401fae28728d7f28106216b4bbffa8cb0df93 (patch)
tree	1d8cdcc68ba80921e754beb931315607a81de9d1 /source3/smbd/smb2_sesssetup.c
parent	5ad7665b6377768d3710b00b25aeb530131924cc (diff)
download	samba-58e401fae28728d7f28106216b4bbffa8cb0df93.tar.gz samba-58e401fae28728d7f28106216b4bbffa8cb0df93.tar.bz2 samba-58e401fae28728d7f28106216b4bbffa8cb0df93.zip