diff options
Diffstat (limited to 'source3/smbd/sesssetup.c')
-rw-r--r-- | source3/smbd/sesssetup.c | 298 |
1 files changed, 197 insertions, 101 deletions
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index 939cdf2a91..f8e8e017e0 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -23,8 +23,7 @@ #include "includes.h" uint32 global_client_caps = 0; - -static struct auth_ntlmssp_state *global_ntlmssp_state; +static struct auth_context *ntlmssp_auth_context = NULL; /* on a logon error possibly map the error to success if "map to guest" @@ -213,7 +212,7 @@ static int reply_spnego_kerberos(connection_struct *conn, send a security blob via a session setup reply ****************************************************************************/ static BOOL reply_sesssetup_blob(connection_struct *conn, char *outbuf, - DATA_BLOB blob, NTSTATUS errcode) + DATA_BLOB blob, uint32 errcode) { char *p; @@ -222,7 +221,7 @@ static BOOL reply_sesssetup_blob(connection_struct *conn, char *outbuf, /* we set NT_STATUS_MORE_PROCESSING_REQUIRED to tell the other end that we aren't finished yet */ - SIVAL(outbuf, smb_rcls, NT_STATUS_V(errcode)); + SIVAL(outbuf, smb_rcls, errcode); SSVAL(outbuf, smb_vwv0, 0xFF); /* no chaining possible */ SSVAL(outbuf, smb_vwv3, blob.length); p = smb_buf(outbuf); @@ -237,50 +236,6 @@ static BOOL reply_sesssetup_blob(connection_struct *conn, char *outbuf, } /**************************************************************************** -send an NTLMSSP blob via a session setup reply, wrapped in SPNEGO -****************************************************************************/ -static BOOL reply_spnego_ntlmssp_blob(connection_struct *conn, char *outbuf, - DATA_BLOB *ntlmssp_blob, NTSTATUS errcode) -{ - DATA_BLOB response; - response = spnego_gen_auth_response(ntlmssp_blob); - reply_sesssetup_blob(conn, outbuf, response, errcode); - data_blob_free(&response); - return True; -} - -/**************************************************************************** - send an OK via a session setup reply, wrapped in SPNEGO. - get vuid and check first. -****************************************************************************/ -static BOOL reply_spnego_ntlmssp_ok(connection_struct *conn, char *outbuf, - AUTH_NTLMSSP_STATE *auth_ntlmssp_state) -{ - int sess_vuid; - pstring user; - DATA_BLOB null_blob = data_blob(NULL, 0); - - sess_vuid = register_vuid(auth_ntlmssp_state->server_info, auth_ntlmssp_state->ntlmssp_state->user /* check this for weird */); - - if (sess_vuid == -1) { - return ERROR_NT(NT_STATUS_LOGON_FAILURE); - } - - set_message(outbuf,4,0,True); - SSVAL(outbuf, smb_vwv3, 0); - - if (auth_ntlmssp_state->server_info->guest) { - SSVAL(outbuf,smb_vwv2,1); - } - - add_signature(outbuf); - - SSVAL(outbuf,smb_uid,sess_vuid); - reply_spnego_ntlmssp_blob(conn, outbuf, &null_blob, NT_STATUS_OK); - return True; -} - -/**************************************************************************** reply to a session setup spnego negotiate packet ****************************************************************************/ static int reply_spnego_negotiate(connection_struct *conn, @@ -292,9 +247,12 @@ static int reply_spnego_negotiate(connection_struct *conn, char *OIDs[ASN1_MAX_OIDS]; DATA_BLOB secblob; int i; + uint32 ntlmssp_command, neg_flags, chal_flags; DATA_BLOB chal, spnego_chal; + const uint8 *cryptkey; BOOL got_kerberos = False; NTSTATUS nt_status; + char *cliname=NULL, *domname=NULL; /* parse out the OIDs and the first sec blob */ if (!parse_negTokenTarg(blob1, OIDs, &secblob)) { @@ -320,57 +278,96 @@ static int reply_spnego_negotiate(connection_struct *conn, } #endif - if (global_ntlmssp_state) { - auth_ntlmssp_end(&global_ntlmssp_state); - } + /* parse the NTLMSSP packet */ +#if 0 + file_save("secblob.dat", secblob.data, secblob.length); +#endif - nt_status = auth_ntlmssp_start(&global_ntlmssp_state); - if (!NT_STATUS_IS_OK(nt_status)) { - return ERROR_NT(nt_status); + if (!msrpc_parse(&secblob, "CddAA", + "NTLMSSP", + &ntlmssp_command, + &neg_flags, + &cliname, + &domname)) { + return ERROR_NT(NT_STATUS_LOGON_FAILURE); } + + data_blob_free(&secblob); - nt_status = auth_ntlmssp_update(global_ntlmssp_state, - secblob, &chal); + if (ntlmssp_command != NTLMSSP_NEGOTIATE) { + return ERROR_NT(NT_STATUS_LOGON_FAILURE); + } - data_blob_free(&secblob); + debug_ntlmssp_flags(neg_flags); - if (!NT_STATUS_IS_OK(nt_status)) { - nt_status = do_map_to_guest(nt_status, - &global_ntlmssp_state->server_info, - global_ntlmssp_state->ntlmssp_state->user, - global_ntlmssp_state->ntlmssp_state->domain); + if (ntlmssp_auth_context) { + (ntlmssp_auth_context->free)(&ntlmssp_auth_context); } - - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - if (!spnego_gen_challenge(&spnego_chal, &chal, NULL)) { - DEBUG(3,("Failed to generate challenge\n")); - data_blob_free(&chal); - return ERROR_NT(NT_STATUS_LOGON_FAILURE); - } - /* now tell the client to send the auth packet */ - reply_sesssetup_blob(conn, outbuf, spnego_chal, nt_status); - - data_blob_free(&chal); - data_blob_free(&spnego_chal); + if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(&ntlmssp_auth_context))) { + return ERROR_NT(nt_status); + } - /* and tell smbd that we have already replied to this packet */ - return -1; + cryptkey = ntlmssp_auth_context->get_ntlm_challenge(ntlmssp_auth_context); - } else if (NT_STATUS_IS_OK(nt_status)) { - reply_spnego_ntlmssp_ok(conn, outbuf, - global_ntlmssp_state); - auth_ntlmssp_end(&global_ntlmssp_state); + /* Give them the challenge. For now, ignore neg_flags and just + return the flags we want. Obviously this is not correct */ + + chal_flags = NTLMSSP_NEGOTIATE_UNICODE | + NTLMSSP_NEGOTIATE_128 | + NTLMSSP_NEGOTIATE_NTLM | + NTLMSSP_CHAL_TARGET_INFO; + + { + DATA_BLOB domain_blob, struct_blob; + fstring dnsname, dnsdomname; + + msrpc_gen(&domain_blob, + "U", + lp_workgroup()); + + fstrcpy(dnsdomname, (SEC_ADS == lp_security())?lp_realm():""); + strlower(dnsdomname); + + fstrcpy(dnsname, global_myname()); + fstrcat(dnsname, "."); + fstrcat(dnsname, dnsdomname); + strlower(dnsname); + + msrpc_gen(&struct_blob, "aaaaa", + 2, lp_workgroup(), + 1, global_myname(), + 4, dnsdomname, + 3, dnsname, + 0, ""); + + msrpc_gen(&chal, "CdUdbddB", + "NTLMSSP", + NTLMSSP_CHALLENGE, + lp_workgroup(), + chal_flags, + cryptkey, 8, + 0, 0, + struct_blob.data, struct_blob.length); + + data_blob_free(&domain_blob); + data_blob_free(&struct_blob); + } + + if (!spnego_gen_challenge(&spnego_chal, &chal, &chal)) { + DEBUG(3,("Failed to generate challenge\n")); data_blob_free(&chal); + return ERROR_NT(NT_STATUS_LOGON_FAILURE); + } - /* and tell smbd that we have already replied to this packet */ - return -1; - } + /* now tell the client to send the auth packet */ + reply_sesssetup_blob(conn, outbuf, spnego_chal, NT_STATUS_V(NT_STATUS_MORE_PROCESSING_REQUIRED)); - auth_ntlmssp_end(&global_ntlmssp_state); data_blob_free(&chal); + data_blob_free(&spnego_chal); - return ERROR_NT(nt_status_squash(nt_status)); + /* and tell smbd that we have already replied to this packet */ + return -1; } @@ -381,8 +378,23 @@ static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf, int length, int bufsize, DATA_BLOB blob1) { - DATA_BLOB auth, auth_reply; + DATA_BLOB auth, response; + char *workgroup = NULL, *user = NULL, *machine = NULL; + DATA_BLOB lmhash, nthash, sess_key; + DATA_BLOB plaintext_password = data_blob(NULL, 0); + uint32 ntlmssp_command, neg_flags; NTSTATUS nt_status; + int sess_vuid; + BOOL as_guest; + uint32 auth_flags = AUTH_FLAG_NONE; + auth_usersupplied_info *user_info = NULL; + auth_serversupplied_info *server_info = NULL; + + /* we must have setup the auth context by now */ + if (!ntlmssp_auth_context) { + DEBUG(2,("ntlmssp_auth_context is NULL in reply_spnego_auth\n")); + return ERROR_NT(NT_STATUS_LOGON_FAILURE); + } if (!spnego_parse_auth(blob1, &auth)) { #if 0 @@ -391,22 +403,108 @@ static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf, return ERROR_NT(NT_STATUS_LOGON_FAILURE); } - nt_status = auth_ntlmssp_update(global_ntlmssp_state, - auth, &auth_reply); + /* now the NTLMSSP encoded auth hashes */ + if (!msrpc_parse(&auth, "CdBBUUUBd", + "NTLMSSP", + &ntlmssp_command, + &lmhash, + &nthash, + &workgroup, + &user, + &machine, + &sess_key, + &neg_flags)) { + return ERROR_NT(NT_STATUS_LOGON_FAILURE); + } data_blob_free(&auth); - data_blob_free(&auth_reply); + data_blob_free(&sess_key); + + DEBUG(3,("Got user=[%s] workgroup=[%s] machine=[%s] len1=%d len2=%d\n", + user, workgroup, machine, lmhash.length, nthash.length)); + + /* the client has given us its machine name (which we otherwise would not get on port 445). + we need to possibly reload smb.conf if smb.conf includes depend on the machine name */ + + set_remote_machine_name(machine); + + /* setup the string used by %U */ + sub_set_smb_name(user); + + reload_services(True); + +#if 0 + file_save("nthash1.dat", nthash.data, nthash.length); + file_save("lmhash1.dat", lmhash.data, lmhash.length); +#endif - if (NT_STATUS_IS_OK(nt_status)) { - reply_spnego_ntlmssp_ok(conn, outbuf, - global_ntlmssp_state); - auth_ntlmssp_end(&global_ntlmssp_state); + if (lmhash.length) { + auth_flags |= AUTH_FLAG_LM_RESP; + } + + if (nthash.length == 24) { + auth_flags |= AUTH_FLAG_NTLM_RESP; + } else if (nthash.length > 24) { + auth_flags |= AUTH_FLAG_NTLMv2_RESP; + }; + + nt_status = make_user_info_map(&user_info, user, workgroup, machine, + lmhash, nthash, plaintext_password, + auth_flags, True); + + /* it looks a bit weird, but this function returns int type... */ + if (!NT_STATUS_IS_OK(nt_status)) { + return ERROR_NT(NT_STATUS_NO_MEMORY); + } + + nt_status = ntlmssp_auth_context->check_ntlm_password(ntlmssp_auth_context, user_info, &server_info); + + if (!NT_STATUS_IS_OK(nt_status)) { + nt_status = do_map_to_guest(nt_status, &server_info, user, workgroup); + } + + SAFE_FREE(workgroup); + SAFE_FREE(machine); + + (ntlmssp_auth_context->free)(&ntlmssp_auth_context); + + free_user_info(&user_info); + + data_blob_free(&lmhash); + + data_blob_free(&nthash); - } else { /* !NT_STATUS_IS_OK(nt_status) */ - auth_ntlmssp_end(&global_ntlmssp_state); + if (!NT_STATUS_IS_OK(nt_status)) { + SAFE_FREE(user); return ERROR_NT(nt_status_squash(nt_status)); } + as_guest = server_info->guest; + + sess_vuid = register_vuid(server_info, user); + free_server_info(&server_info); + + SAFE_FREE(user); + + if (sess_vuid == -1) { + return ERROR_NT(NT_STATUS_LOGON_FAILURE); + } + + set_message(outbuf,4,0,True); + SSVAL(outbuf, smb_vwv3, 0); + + if (as_guest) { + SSVAL(outbuf,smb_vwv2,1); + } + + add_signature(outbuf); + + SSVAL(outbuf,smb_uid,sess_vuid); + SSVAL(inbuf,smb_uid,sess_vuid); + + response = spnego_gen_auth_response(); + reply_sesssetup_blob(conn, outbuf, response, 0); + /* and tell smbd that we have already replied to this packet */ return -1; } @@ -688,10 +786,6 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, nt_status = check_guest_password(&server_info); } else if (doencrypt) { - if (!negprot_global_auth_context) { - DEBUG(0, ("reply_sesssetup_and_X: Attempted encrypted session setup without negprot denied!\n")); - return ERROR_NT(NT_STATUS_LOGON_FAILURE); - } nt_status = make_user_info_for_reply_enc(&user_info, user, domain, lm_resp, nt_resp); if (NT_STATUS_IS_OK(nt_status)) { @@ -736,8 +830,10 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, } /* it's ok - setup a reply */ - set_message(outbuf,3,0,True); - if (Protocol == PROTOCOL_NT1) { + if (Protocol < PROTOCOL_NT1) { + set_message(outbuf,3,0,True); + } else { + set_message(outbuf,3,0,True); add_signature(outbuf); /* perhaps grab OS version here?? */ } |