diff options
Diffstat (limited to 'source4/utils')
-rw-r--r-- | source4/utils/ntlm_auth.c | 832 |
1 files changed, 70 insertions, 762 deletions
diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index d70b0b5d2b..7690a549f7 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -34,7 +34,6 @@ enum stdio_helper_mode { SQUID_2_5_BASIC, SQUID_2_5_NTLMSSP, NTLMSSP_CLIENT_1, - GSS_SPNEGO, GSS_SPNEGO_CLIENT, NTLM_SERVER_1, NUM_HELPER_MODES @@ -53,14 +52,8 @@ static void manage_squid_basic_request (enum stdio_helper_mode stdio_helper_mode static void manage_squid_ntlmssp_request (enum stdio_helper_mode stdio_helper_mode, char *buf, int length); -static void manage_client_ntlmssp_request (enum stdio_helper_mode stdio_helper_mode, - char *buf, int length); - -static void manage_gss_spnego_request (enum stdio_helper_mode stdio_helper_mode, - char *buf, int length); - -static void manage_gss_spnego_client_request (enum stdio_helper_mode stdio_helper_mode, - char *buf, int length); +static void manage_gensec_client_request (enum stdio_helper_mode stdio_helper_mode, + char *buf, int length); static void manage_ntlm_server_1_request (enum stdio_helper_mode stdio_helper_mode, char *buf, int length); @@ -73,9 +66,8 @@ static const struct { { SQUID_2_4_BASIC, "squid-2.4-basic", manage_squid_basic_request}, { SQUID_2_5_BASIC, "squid-2.5-basic", manage_squid_basic_request}, { SQUID_2_5_NTLMSSP, "squid-2.5-ntlmssp", manage_squid_ntlmssp_request}, - { NTLMSSP_CLIENT_1, "ntlmssp-client-1", manage_client_ntlmssp_request}, - { GSS_SPNEGO, "gss-spnego", manage_gss_spnego_request}, - { GSS_SPNEGO_CLIENT, "gss-spnego-client", manage_gss_spnego_client_request}, + { NTLMSSP_CLIENT_1, "ntlmssp-client-1", manage_gensec_client_request}, + { GSS_SPNEGO_CLIENT, "gss-spnego-client", manage_gensec_client_request}, { NTLM_SERVER_1, "ntlm-server-1", manage_ntlm_server_1_request}, { NUM_HELPER_MODES, NULL, NULL} }; @@ -218,52 +210,6 @@ static NTSTATUS local_pw_check(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *u return nt_status; } -static NTSTATUS ntlm_auth_start_ntlmssp_client(struct ntlmssp_state **client_ntlmssp_state) -{ - NTSTATUS status; - if ( (opt_username == NULL) || (opt_domain == NULL) ) { - DEBUG(1, ("Need username and domain for NTLMSSP\n")); - return status; - } - - status = ntlmssp_client_start(client_ntlmssp_state); - - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Could not start NTLMSSP client: %s\n", - nt_errstr(status))); - ntlmssp_end(client_ntlmssp_state); - return status; - } - - status = ntlmssp_set_username(*client_ntlmssp_state, opt_username); - - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Could not set username: %s\n", - nt_errstr(status))); - ntlmssp_end(client_ntlmssp_state); - return status; - } - - status = ntlmssp_set_domain(*client_ntlmssp_state, opt_domain); - - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Could not set domain: %s\n", - nt_errstr(status))); - ntlmssp_end(client_ntlmssp_state); - return status; - } - - status = ntlmssp_set_password(*client_ntlmssp_state, opt_password); - - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Could not set password: %s\n", - nt_errstr(status))); - ntlmssp_end(client_ntlmssp_state); - return status; - } - return NT_STATUS_OK; -} - static NTSTATUS ntlm_auth_start_ntlmssp_server(struct ntlmssp_state **ntlmssp_state) { NTSTATUS status = ntlmssp_server_start(ntlmssp_state); @@ -367,102 +313,6 @@ static void manage_squid_ntlmssp_request(enum stdio_helper_mode stdio_helper_mod data_blob_free(&request); } -static void manage_client_ntlmssp_request(enum stdio_helper_mode stdio_helper_mode, - char *buf, int length) -{ - static struct ntlmssp_state *ntlmssp_state = NULL; - DATA_BLOB request, reply; - NTSTATUS nt_status; - BOOL first = False; - - if (strlen(buf) < 2) { - DEBUG(1, ("NTLMSSP query [%s] invalid", buf)); - x_fprintf(x_stdout, "BH\n"); - return; - } - - if (strlen(buf) > 3) { - request = base64_decode_data_blob(buf + 3); - } else { - request = data_blob(NULL, 0); - } - - if (strncmp(buf, "PW ", 3) == 0) { - /* We asked for a password and obviously got it :-) */ - - opt_password = strndup((const char *)request.data, request.length); - - if (opt_password == NULL) { - DEBUG(1, ("Out of memory\n")); - x_fprintf(x_stdout, "BH\n"); - data_blob_free(&request); - return; - } - - x_fprintf(x_stdout, "OK\n"); - data_blob_free(&request); - return; - } - - if (opt_password == NULL) { - - /* Request a password from the calling process. After - sending it, the calling process should retry asking for the negotiate. */ - - DEBUG(10, ("Requesting password\n")); - x_fprintf(x_stdout, "PW\n"); - return; - } - - if (strncmp(buf, "YR", 2) == 0) { - if (ntlmssp_state) - ntlmssp_end(&ntlmssp_state); - } else if (strncmp(buf, "TT", 2) == 0) { - - } else { - DEBUG(1, ("NTLMSSP query [%s] invalid", buf)); - x_fprintf(x_stdout, "BH\n"); - return; - } - - if (!ntlmssp_state) { - if (!NT_STATUS_IS_OK(nt_status = ntlm_auth_start_ntlmssp_client(&ntlmssp_state))) { - x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status)); - return; - } - first = True; - } - - DEBUG(10, ("got NTLMSSP packet:\n")); - dump_data(10, (const char *)request.data, request.length); - - nt_status = ntlmssp_update(ntlmssp_state, NULL, request, &reply); - - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - char *reply_base64 = base64_encode_data_blob(reply); - if (first) { - x_fprintf(x_stdout, "YR %s\n", reply_base64); - } else { - x_fprintf(x_stdout, "KK %s\n", reply_base64); - } - SAFE_FREE(reply_base64); - data_blob_free(&reply); - DEBUG(10, ("NTLMSSP challenge\n")); - } else if (NT_STATUS_IS_OK(nt_status)) { - x_fprintf(x_stdout, "AF\n"); - DEBUG(10, ("NTLMSSP OK!\n")); - if (ntlmssp_state) - ntlmssp_end(&ntlmssp_state); - } else { - x_fprintf(x_stdout, "BH %s\n", nt_errstr(nt_status)); - DEBUG(0, ("NTLMSSP BH: %s\n", nt_errstr(nt_status))); - if (ntlmssp_state) - ntlmssp_end(&ntlmssp_state); - } - - data_blob_free(&request); -} - static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode, char *buf, int length) { @@ -490,654 +340,111 @@ static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode, } } -static void offer_gss_spnego_mechs(void) { - - DATA_BLOB token; - struct spnego_data spnego; - ssize_t len; - char *reply_base64; - - pstring principal; - pstring myname_lower; - - ZERO_STRUCT(spnego); - - pstrcpy(myname_lower, global_myname()); - strlower_m(myname_lower); - - pstr_sprintf(principal, "%s$@%s", myname_lower, lp_realm()); - - /* Server negTokenInit (mech offerings) */ - spnego.type = SPNEGO_NEG_TOKEN_INIT; - spnego.negTokenInit.mechTypes = smb_xmalloc(sizeof(char *) * 3); -#ifdef HAVE_KRB5 - spnego.negTokenInit.mechTypes[0] = smb_xstrdup(OID_KERBEROS5_OLD); - spnego.negTokenInit.mechTypes[1] = smb_xstrdup(OID_NTLMSSP); - spnego.negTokenInit.mechTypes[2] = NULL; -#else - spnego.negTokenInit.mechTypes[0] = smb_xstrdup(OID_NTLMSSP); - spnego.negTokenInit.mechTypes[1] = NULL; -#endif - - - spnego.negTokenInit.mechListMIC = data_blob(principal, - strlen(principal)); - - len = write_spnego_data(&token, &spnego); - free_spnego_data(&spnego); - - if (len == -1) { - DEBUG(1, ("Could not write SPNEGO data blob\n")); - x_fprintf(x_stdout, "BH\n"); - return; - } - - reply_base64 = base64_encode_data_blob(token); - x_fprintf(x_stdout, "TT %s *\n", reply_base64); - - SAFE_FREE(reply_base64); - data_blob_free(&token); - DEBUG(10, ("sent SPNEGO negTokenInit\n")); - return; -} - -static void manage_gss_spnego_request(enum stdio_helper_mode stdio_helper_mode, - char *buf, int length) +static void manage_gensec_client_request(enum stdio_helper_mode stdio_helper_mode, + char *buf, int length) { - static struct ntlmssp_state *ntlmssp_state = NULL; - struct spnego_data request, response; - DATA_BLOB token; - NTSTATUS status; - ssize_t len; - - char *user = NULL; - char *domain = NULL; - - const char *reply_code; - char *reply_base64; - pstring reply_argument; + DATA_BLOB in; + DATA_BLOB out; + char *out_base64; + static struct gensec_security gensec_state; + NTSTATUS nt_status; + BOOL first = False; if (strlen(buf) < 2) { - DEBUG(1, ("SPENGO query [%s] invalid", buf)); + DEBUG(1, ("query [%s] invalid", buf)); x_fprintf(x_stdout, "BH\n"); return; } - if (strncmp(buf, "YR", 2) == 0) { - if (ntlmssp_state) - ntlmssp_end(&ntlmssp_state); - } else if (strncmp(buf, "KK", 2) == 0) { - - } else { - DEBUG(1, ("SPENGO query [%s] invalid", buf)); - x_fprintf(x_stdout, "BH\n"); - return; - } - - if ( (strlen(buf) == 2)) { - - /* no client data, get the negTokenInit offering - mechanisms */ - - offer_gss_spnego_mechs(); - return; - } - - /* All subsequent requests have a blob. This might be negTokenInit or negTokenTarg */ - - if (strlen(buf) <= 3) { - DEBUG(1, ("GSS-SPNEGO query [%s] invalid\n", buf)); - x_fprintf(x_stdout, "BH\n"); - return; - } - - token = base64_decode_data_blob(buf + 3); - len = read_spnego_data(token, &request); - data_blob_free(&token); - - if (len == -1) { - DEBUG(1, ("GSS-SPNEGO query [%s] invalid", buf)); - x_fprintf(x_stdout, "BH\n"); - return; - } - - if (request.type == SPNEGO_NEG_TOKEN_INIT) { - - /* Second request from Client. This is where the - client offers its mechanism to use. */ - - if ( (request.negTokenInit.mechTypes == NULL) || - (request.negTokenInit.mechTypes[0] == NULL) ) { - DEBUG(1, ("Client did not offer any mechanism")); - x_fprintf(x_stdout, "BH\n"); - return; - } - - if (strcmp(request.negTokenInit.mechTypes[0], OID_NTLMSSP) == 0) { - - if ( request.negTokenInit.mechToken.data == NULL ) { - DEBUG(1, ("Client did not provide NTLMSSP data\n")); - x_fprintf(x_stdout, "BH\n"); - return; - } - - if ( ntlmssp_state != NULL ) { - DEBUG(1, ("Client wants a new NTLMSSP challenge, but " - "already got one\n")); - x_fprintf(x_stdout, "BH\n"); - ntlmssp_end(&ntlmssp_state); - return; - } - - if (!NT_STATUS_IS_OK(status = ntlm_auth_start_ntlmssp_server(&ntlmssp_state))) { - x_fprintf(x_stdout, "BH %s\n", nt_errstr(status)); - return; - } - - DEBUG(10, ("got NTLMSSP packet:\n")); - dump_data(10, (const char *)request.negTokenInit.mechToken.data, - request.negTokenInit.mechToken.length); - - response.type = SPNEGO_NEG_TOKEN_TARG; - response.negTokenTarg.supportedMech = strdup(OID_NTLMSSP); - response.negTokenTarg.mechListMIC = data_blob(NULL, 0); - - status = ntlmssp_update(ntlmssp_state, - NULL, - request.negTokenInit.mechToken, - &response.negTokenTarg.responseToken); - } - -#ifdef HAVE_KRB5 - if (strcmp(request.negTokenInit.mechTypes[0], OID_KERBEROS5_OLD) == 0) { - - char *principal; - DATA_BLOB auth_data; - DATA_BLOB ap_rep; - DATA_BLOB session_key; - - if ( request.negTokenInit.mechToken.data == NULL ) { - DEBUG(1, ("Client did not provide Kerberos data\n")); - x_fprintf(x_stdout, "BH\n"); - return; - } - - response.type = SPNEGO_NEG_TOKEN_TARG; - response.negTokenTarg.supportedMech = strdup(OID_KERBEROS5_OLD); - response.negTokenTarg.mechListMIC = data_blob(NULL, 0); - response.negTokenTarg.responseToken = data_blob(NULL, 0); - - status = ads_verify_ticket(lp_realm(), - &request.negTokenInit.mechToken, - &principal, &auth_data, &ap_rep, - &session_key); - - /* Now in "principal" we have the name we are - authenticated as. */ - - if (NT_STATUS_IS_OK(status)) { - - domain = strchr(principal, '@'); - - if (domain == NULL) { - DEBUG(1, ("Did not get a valid principal " - "from ads_verify_ticket\n")); - x_fprintf(x_stdout, "BH\n"); - return; - } - - *domain++ = '\0'; - domain = strdup(domain); - user = strdup(principal); - - data_blob_free(&ap_rep); - data_blob_free(&auth_data); - - SAFE_FREE(principal); - } - } -#endif - - } else { - - if ( (request.negTokenTarg.supportedMech == NULL) || - ( strcmp(request.negTokenTarg.supportedMech, OID_NTLMSSP) != 0 ) ) { - /* Kerberos should never send a negTokenTarg, OID_NTLMSSP - is the only one we support that sends this stuff */ - DEBUG(1, ("Got a negTokenTarg for something non-NTLMSSP: %s\n", - request.negTokenTarg.supportedMech)); - x_fprintf(x_stdout, "BH\n"); - return; - } - - if (request.negTokenTarg.responseToken.data == NULL) { - DEBUG(1, ("Got a negTokenTarg without a responseToken!\n")); - x_fprintf(x_stdout, "BH\n"); - return; - } - - status = ntlmssp_update(ntlmssp_state, - NULL, - request.negTokenTarg.responseToken, - &response.negTokenTarg.responseToken); - - response.type = SPNEGO_NEG_TOKEN_TARG; - response.negTokenTarg.supportedMech = strdup(OID_NTLMSSP); - response.negTokenTarg.mechListMIC = data_blob(NULL, 0); - - if (NT_STATUS_IS_OK(status)) { - user = strdup(ntlmssp_state->user); - domain = strdup(ntlmssp_state->domain); - ntlmssp_end(&ntlmssp_state); - } - } - - free_spnego_data(&request); - - if (NT_STATUS_IS_OK(status)) { - response.negTokenTarg.negResult = SPNEGO_ACCEPT_COMPLETED; - reply_code = "AF"; - pstr_sprintf(reply_argument, "%s\\%s", domain, user); - } else if (NT_STATUS_EQUAL(status, - NT_STATUS_MORE_PROCESSING_REQUIRED)) { - response.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE; - reply_code = "TT"; - pstr_sprintf(reply_argument, "*"); + if (strlen(buf) > 3) { + in = base64_decode_data_blob(buf + 3); } else { - response.negTokenTarg.negResult = SPNEGO_REJECT; - reply_code = "NA"; - pstrcpy(reply_argument, nt_errstr(status)); - } - - SAFE_FREE(user); - SAFE_FREE(domain); - - len = write_spnego_data(&token, &response); - free_spnego_data(&response); - - if (len == -1) { - DEBUG(1, ("Could not write SPNEGO data blob\n")); - x_fprintf(x_stdout, "BH\n"); - return; - } - - reply_base64 = base64_encode_data_blob(token); - - x_fprintf(x_stdout, "%s %s %s\n", - reply_code, reply_base64, reply_argument); - - SAFE_FREE(reply_base64); - data_blob_free(&token); - - return; -} - -static struct ntlmssp_state *client_ntlmssp_state = NULL; - -static BOOL manage_client_ntlmssp_init(struct spnego_data spnego) -{ - NTSTATUS status; - DATA_BLOB null_blob = data_blob(NULL, 0); - DATA_BLOB to_server; - char *to_server_base64; - const char *my_mechs[] = {OID_NTLMSSP, NULL}; - - DEBUG(10, ("Got spnego negTokenInit with NTLMSSP\n")); - - if (client_ntlmssp_state != NULL) { - DEBUG(1, ("Request for initial SPNEGO request where " - "we already have a state\n")); - return False; - } - - if (!client_ntlmssp_state) { - if (!NT_STATUS_IS_OK(status = ntlm_auth_start_ntlmssp_client(&client_ntlmssp_state))) { - x_fprintf(x_stdout, "BH %s\n", nt_errstr(status)); - return False; - } - } - - - if (opt_password == NULL) { - - /* Request a password from the calling process. After - sending it, the calling process should retry with - the negTokenInit. */ - - DEBUG(10, ("Requesting password\n")); - x_fprintf(x_stdout, "PW\n"); - return True; - } - - spnego.type = SPNEGO_NEG_TOKEN_INIT; - spnego.negTokenInit.mechTypes = my_mechs; - spnego.negTokenInit.reqFlags = 0; - spnego.negTokenInit.mechListMIC = null_blob; - - status = ntlmssp_update(client_ntlmssp_state, - NULL, - null_blob, - &spnego.negTokenInit.mechToken); - - if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - DEBUG(1, ("Expected MORE_PROCESSING_REQUIRED, got: %s\n", - nt_errstr(status))); - ntlmssp_end(&client_ntlmssp_state); - return False; - } - - write_spnego_data(&to_server, &spnego); - data_blob_free(&spnego.negTokenInit.mechToken); - - to_server_base64 = base64_encode_data_blob(to_server); - data_blob_free(&to_server); - x_fprintf(x_stdout, "KK %s\n", to_server_base64); - SAFE_FREE(to_server_base64); - return True; -} - -static void manage_client_ntlmssp_targ(struct spnego_data spnego) -{ - NTSTATUS status; - DATA_BLOB null_blob = data_blob(NULL, 0); - DATA_BLOB request; - DATA_BLOB to_server; - char *to_server_base64; - - DEBUG(10, ("Got spnego negTokenTarg with NTLMSSP\n")); - - if (client_ntlmssp_state == NULL) { - DEBUG(1, ("Got NTLMSSP tArg without a client state\n")); - x_fprintf(x_stdout, "BH\n"); - ntlmssp_end(&client_ntlmssp_state); - return; - } - - if (spnego.negTokenTarg.negResult == SPNEGO_REJECT) { - x_fprintf(x_stdout, "NA\n"); - ntlmssp_end(&client_ntlmssp_state); - return; - } - - if (spnego.negTokenTarg.negResult == SPNEGO_ACCEPT_COMPLETED) { - x_fprintf(x_stdout, "AF\n"); - ntlmssp_end(&client_ntlmssp_state); - return; - } - - status = ntlmssp_update(client_ntlmssp_state, - NULL, - spnego.negTokenTarg.responseToken, - &request); - - if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - DEBUG(1, ("Expected MORE_PROCESSING_REQUIRED from " - "ntlmssp_update, got: %s\n", - nt_errstr(status))); - x_fprintf(x_stdout, "BH\n"); - data_blob_free(&request); - ntlmssp_end(&client_ntlmssp_state); - return; - } - - spnego.type = SPNEGO_NEG_TOKEN_TARG; - spnego.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE; - spnego.negTokenTarg.supportedMech = OID_NTLMSSP; - spnego.negTokenTarg.responseToken = request; - spnego.negTokenTarg.mechListMIC = null_blob; - - write_spnego_data(&to_server, &spnego); - data_blob_free(&request); - - to_server_base64 = base64_encode_data_blob(to_server); - data_blob_free(&to_server); - x_fprintf(x_stdout, "KK %s\n", to_server_base64); - SAFE_FREE(to_server_base64); - return; -} - -#ifdef HAVE_KRB5 - -static BOOL manage_client_krb5_init(struct spnego_data spnego) -{ - char *principal; - DATA_BLOB tkt, to_server; - DATA_BLOB session_key_krb5 = data_blob(NULL, 0); - struct spnego_data reply; - char *reply_base64; - int retval; - - const char *my_mechs[] = {OID_KERBEROS5_OLD, NULL}; - ssize_t len; - - if ( (spnego.negTokenInit.mechListMIC.data == NULL) || - (spnego.negTokenInit.mechListMIC.length == 0) ) { - DEBUG(1, ("Did not get a principal for krb5\n")); - return False; + in = data_blob(NULL, 0); } - principal = malloc(spnego.negTokenInit.mechListMIC.length+1); - - if (principal == NULL) { - DEBUG(1, ("Could not malloc principal\n")); - return False; - } - - memcpy(principal, spnego.negTokenInit.mechListMIC.data, - spnego.negTokenInit.mechListMIC.length); - principal[spnego.negTokenInit.mechListMIC.length] = '\0'; - - retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5); - - if (retval) { - - pstring user; - - /* Let's try to first get the TGT, for that we need a - password. */ - - if (opt_password == NULL) { - DEBUG(10, ("Requesting password\n")); - x_fprintf(x_stdout, "PW\n"); - return True; - } - - pstr_sprintf(user, "%s@%s", opt_username, opt_domain); - - if ((retval = kerberos_kinit_password(user, opt_password, - 0, NULL))) { - DEBUG(10, ("Requesting TGT failed: %s\n", error_message(retval))); - return False; - } - - retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5); - - if (retval) { - DEBUG(10, ("Kinit suceeded, but getting a ticket failed: %s\n", error_message(retval))); - return False; - } - } - - data_blob_free(&session_key_krb5); - - ZERO_STRUCT(reply); - - reply.type = SPNEGO_NEG_TOKEN_INIT; - reply.negTokenInit.mechTypes = my_mechs; - reply.negTokenInit.reqFlags = 0; - reply.negTokenInit.mechToken = tkt; - reply.negTokenInit.mechListMIC = data_blob(NULL, 0); - - len = write_spnego_data(&to_server, &reply); - data_blob_free(&tkt); - - if (len == -1) { - DEBUG(1, ("Could not write SPNEGO data blob\n")); - return False; - } - - reply_base64 = base64_encode_data_blob(to_server); - x_fprintf(x_stdout, "KK %s *\n", reply_base64); - - SAFE_FREE(reply_base64); - data_blob_free(&to_server); - DEBUG(10, ("sent GSS-SPNEGO KERBEROS5 negTokenInit\n")); - return True; -} - -static void manage_client_krb5_targ(struct spnego_data spnego) -{ - switch (spnego.negTokenTarg.negResult) { - case SPNEGO_ACCEPT_INCOMPLETE: - DEBUG(1, ("Got a Kerberos negTokenTarg with ACCEPT_INCOMPLETE\n")); - x_fprintf(x_stdout, "BH\n"); - break; - case SPNEGO_ACCEPT_COMPLETED: - DEBUG(10, ("Accept completed\n")); - x_fprintf(x_stdout, "AF\n"); - break; - case SPNEGO_REJECT: - DEBUG(10, ("Rejected\n")); - x_fprintf(x_stdout, "NA\n"); - break; - default: - DEBUG(1, ("Got an invalid negTokenTarg\n")); - x_fprintf(x_stdout, "AF\n"); - } -} - -#endif - -static void manage_gss_spnego_client_request(enum stdio_helper_mode stdio_helper_mode, - char *buf, int length) -{ - DATA_BLOB request; - struct spnego_data spnego; - ssize_t len; - - if (strlen(buf) <= 3) { - DEBUG(1, ("SPNEGO query [%s] too short\n", buf)); - x_fprintf(x_stdout, "BH\n"); - return; - } - - request = base64_decode_data_blob(buf+3); - if (strncmp(buf, "PW ", 3) == 0) { /* We asked for a password and obviously got it :-) */ - opt_password = strndup((const char *)request.data, request.length); + opt_password = strndup((const char *)in.data, in.length); if (opt_password == NULL) { DEBUG(1, ("Out of memory\n")); x_fprintf(x_stdout, "BH\n"); - data_blob_free(&request); + data_blob_free(&in); return; } x_fprintf(x_stdout, "OK\n"); - data_blob_free(&request); + data_blob_free(&in); return; } - - if ( (strncmp(buf, "TT ", 3) != 0) && + if (strncmp(buf, "YR", 2) == 0) { + if (gensec_state.ops) { + gensec_state.ops->end(&gensec_state); + gensec_state.ops = NULL; + } + } else if ( (strncmp(buf, "TT ", 3) != 0) && (strncmp(buf, "AF ", 3) != 0) && (strncmp(buf, "NA ", 3) != 0) ) { DEBUG(1, ("SPNEGO request [%s] invalid\n", buf)); x_fprintf(x_stdout, "BH\n"); - data_blob_free(&request); + data_blob_free(&in); return; } - /* So we got a server challenge to generate a SPNEGO - client-to-server request... */ - - len = read_spnego_data(request, &spnego); - data_blob_free(&request); - - if (len == -1) { - DEBUG(1, ("Could not read SPNEGO data for [%s]\n", buf)); - x_fprintf(x_stdout, "BH\n"); + if (!opt_password) { + x_fprintf(x_stdout, "PW\n"); + data_blob_free(&in); return; } - if (spnego.type == SPNEGO_NEG_TOKEN_INIT) { - - /* The server offers a list of mechanisms */ - - char **mechType = spnego.negTokenInit.mechTypes; - - while (*mechType != NULL) { - -#ifdef HAVE_KRB5 - if ( (strcmp(*mechType, OID_KERBEROS5_OLD) == 0) || - (strcmp(*mechType, OID_KERBEROS5) == 0) ) { - if (manage_client_krb5_init(spnego)) - goto out; - } -#endif - - if (strcmp(*mechType, OID_NTLMSSP) == 0) { - if (manage_client_ntlmssp_init(spnego)) - goto out; - } - - mechType++; + /* setup gensec */ + if (!gensec_state.ops) { + if (stdio_helper_mode == GSS_SPNEGO_CLIENT) { + gensec_state.ops = gensec_security_by_oid(OID_SPNEGO); + } else if (stdio_helper_mode == NTLMSSP_CLIENT_1) { + gensec_state.ops = gensec_security_by_oid(OID_NTLMSSP); + } else { + exit(1); } + gensec_state.user.name = opt_username; + gensec_state.user.domain = opt_domain; + gensec_state.user.password = opt_password; + nt_status = gensec_state.ops->client_start(&gensec_state); - DEBUG(1, ("Server offered no compatible mechanism\n")); - x_fprintf(x_stdout, "BH\n"); - return; + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(1, ("SPENGO login failed to initialise: %s\n", nt_errstr(nt_status))); + x_fprintf(x_stdout, "BH\n"); + return; + } + if (!in.length) { + first = True; + } } + + /* update */ - if (spnego.type == SPNEGO_NEG_TOKEN_TARG) { - - if (spnego.negTokenTarg.supportedMech == NULL) { - /* On accept/reject Windows does not send the - mechanism anymore. Handle that here and - shut down the mechanisms. */ - - switch (spnego.negTokenTarg.negResult) { - case SPNEGO_ACCEPT_COMPLETED: - x_fprintf(x_stdout, "AF\n"); - break; - case SPNEGO_REJECT: - x_fprintf(x_stdout, "NA\n"); - break; - default: - DEBUG(1, ("Got a negTokenTarg with no mech and an " - "unknown negResult: %d\n", - spnego.negTokenTarg.negResult)); - x_fprintf(x_stdout, "BH\n"); - } - - ntlmssp_end(&client_ntlmssp_state); - goto out; - } + nt_status = gensec_state.ops->update(&gensec_state, NULL, in, &out); + + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - if (strcmp(spnego.negTokenTarg.supportedMech, - OID_NTLMSSP) == 0) { - manage_client_ntlmssp_targ(spnego); - goto out; + out_base64 = base64_encode_data_blob(out); + if (first) { + x_fprintf(x_stdout, "YR %s\n", out_base64); + } else { + x_fprintf(x_stdout, "KK %s\n", out_base64); } + SAFE_FREE(out_base64); -#if HAVE_KRB5 - if (strcmp(spnego.negTokenTarg.supportedMech, - OID_KERBEROS5_OLD) == 0) { - manage_client_krb5_targ(spnego); - goto out; - } -#endif + } else if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(1, ("SPENGO login failed: %s\n", nt_errstr(nt_status))); + x_fprintf(x_stdout, "BH\n"); + } else { + x_fprintf(x_stdout, "AF\n"); } - DEBUG(1, ("Got an SPNEGO token I could not handle [%s]!\n", buf)); - x_fprintf(x_stdout, "BH\n"); - return; - - out: - free_spnego_data(&spnego); return; } @@ -1428,6 +735,7 @@ enum { { "helper-protocol", 0, POPT_ARG_STRING, &helper_protocol, OPT_DOMAIN, "operate as a stdio-based helper", "helper protocol to use"}, { "domain", 0, POPT_ARG_STRING, &opt_domain, OPT_DOMAIN, "domain name"}, { "workstation", 0, POPT_ARG_STRING, &opt_workstation, OPT_WORKSTATION, "workstation"}, + { "username", 0, POPT_ARG_STRING, &opt_username, OPT_PASSWORD, "Username"}, { "password", 0, POPT_ARG_STRING, &opt_password, OPT_PASSWORD, "User's plaintext password"}, POPT_COMMON_SAMBA POPT_TABLEEND @@ -1469,6 +777,10 @@ enum { return 1; } + if (opt_domain == NULL) { + opt_domain = lp_workgroup(); + } + if (helper_protocol) { int i; for (i=0; i<NUM_HELPER_MODES; i++) { @@ -1492,10 +804,6 @@ enum { exit(1); } - if (opt_domain == NULL) { - opt_domain = lp_workgroup(); - } - if (opt_workstation == NULL) { opt_workstation = lp_netbios_name(); } |