/*
Unix SMB/CIFS implementation.
Authentication utility functions
Copyright (C) Volker Lendecke 2010
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see .
*/
#include "includes.h"
#include "../lib/crypto/arcfour.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
static int server_info_dtor(struct auth_serversupplied_info *server_info)
{
TALLOC_FREE(server_info->sam_account);
ZERO_STRUCTP(server_info);
return 0;
}
/***************************************************************************
Make a server_info struct. Free with TALLOC_FREE().
***************************************************************************/
struct auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx)
{
struct auth_serversupplied_info *result;
result = TALLOC_ZERO_P(mem_ctx, struct auth_serversupplied_info);
if (result == NULL) {
DEBUG(0, ("talloc failed\n"));
return NULL;
}
talloc_set_destructor(result, server_info_dtor);
/* Initialise the uid and gid values to something non-zero
which may save us from giving away root access if there
is a bug in allocating these fields. */
result->utok.uid = -1;
result->utok.gid = -1;
return result;
}
/*******************************************************************
gets a domain user's groups from their already-calculated NT_USER_TOKEN
********************************************************************/
static NTSTATUS nt_token_to_group_list(TALLOC_CTX *mem_ctx,
const struct dom_sid *domain_sid,
size_t num_sids,
const struct dom_sid *sids,
int *numgroups,
struct samr_RidWithAttribute **pgids)
{
int i;
*numgroups=0;
*pgids = NULL;
for (i=0; isam_account;
user_sid = pdb_get_user_sid(sampw);
group_sid = pdb_get_group_sid(sampw);
if (pipe_session_key && pipe_session_key_len != 16) {
DEBUG(0,("serverinfo_to_SamInfo3: invalid "
"pipe_session_key_len[%zu] != 16\n",
pipe_session_key_len));
return NT_STATUS_INTERNAL_ERROR;
}
if ((user_sid == NULL) || (group_sid == NULL)) {
DEBUG(1, ("_netr_LogonSamLogon: User without group or user SID\n"));
return NT_STATUS_UNSUCCESSFUL;
}
sid_copy(&domain_sid, user_sid);
sid_split_rid(&domain_sid, &user_rid);
sid = sid_dup_talloc(mem_ctx, &domain_sid);
if (!sid) {
return NT_STATUS_NO_MEMORY;
}
if (!sid_peek_check_rid(&domain_sid, group_sid, &group_rid)) {
DEBUG(1, ("_netr_LogonSamLogon: user %s\\%s has user sid "
"%s\n but group sid %s.\n"
"The conflicting domain portions are not "
"supported for NETLOGON calls\n",
pdb_get_domain(sampw),
pdb_get_username(sampw),
sid_string_dbg(user_sid),
sid_string_dbg(group_sid)));
return NT_STATUS_UNSUCCESSFUL;
}
if(server_info->login_server) {
my_name = server_info->login_server;
} else {
my_name = global_myname();
}
status = nt_token_to_group_list(mem_ctx, &domain_sid,
server_info->num_sids,
server_info->sids,
&num_gids, &gids);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
if (server_info->user_session_key.length) {
memcpy(user_session_key.key,
server_info->user_session_key.data,
MIN(sizeof(user_session_key.key),
server_info->user_session_key.length));
if (pipe_session_key) {
arcfour_crypt(user_session_key.key, pipe_session_key, 16);
}
}
if (server_info->lm_session_key.length) {
memcpy(lm_session_key.key,
server_info->lm_session_key.data,
MIN(sizeof(lm_session_key.key),
server_info->lm_session_key.length));
if (pipe_session_key) {
arcfour_crypt(lm_session_key.key, pipe_session_key, 8);
}
}
groups.count = num_gids;
groups.rids = TALLOC_ARRAY(mem_ctx, struct samr_RidWithAttribute, groups.count);
if (!groups.rids) {
return NT_STATUS_NO_MEMORY;
}
for (i=0; i < groups.count; i++) {
groups.rids[i].rid = gids[i].rid;
groups.rids[i].attributes = gids[i].attributes;
}
unix_to_nt_time(&last_logon, pdb_get_logon_time(sampw));
unix_to_nt_time(&last_logoff, get_time_t_max());
unix_to_nt_time(&acct_expiry, get_time_t_max());
unix_to_nt_time(&last_password_change, pdb_get_pass_last_set_time(sampw));
unix_to_nt_time(&allow_password_change, pdb_get_pass_can_change_time(sampw));
unix_to_nt_time(&force_password_change, pdb_get_pass_must_change_time(sampw));
base->last_logon = last_logon;
base->last_logoff = last_logoff;
base->acct_expiry = acct_expiry;
base->last_password_change = last_password_change;
base->allow_password_change = allow_password_change;
base->force_password_change = force_password_change;
base->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(sampw));
base->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(sampw));
base->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(sampw));
base->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(sampw));
base->home_directory.string = talloc_strdup(mem_ctx, pdb_get_homedir(sampw));
base->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(sampw));
base->logon_count = 0; /* ?? */
base->bad_password_count = 0; /* ?? */
base->rid = user_rid;
base->primary_gid = group_rid;
base->groups = groups;
base->user_flags = NETLOGON_EXTRA_SIDS;
base->key = user_session_key;
base->logon_server.string = talloc_strdup(mem_ctx, my_name);
base->domain.string = talloc_strdup(mem_ctx, pdb_get_domain(sampw));
base->domain_sid = sid;
base->LMSessKey = lm_session_key;
base->acct_flags = pdb_get_acct_ctrl(sampw);
ZERO_STRUCT(user_session_key);
ZERO_STRUCT(lm_session_key);
return NT_STATUS_OK;
}
/****************************************************************************
inits a netr_SamInfo2 structure from an auth_serversupplied_info. sam2 must
already be initialized and is used as the talloc parent for its members.
*****************************************************************************/
NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
uint8_t *pipe_session_key,
size_t pipe_session_key_len,
struct netr_SamInfo2 *sam2)
{
NTSTATUS status;
status = serverinfo_to_SamInfo_base(sam2,
server_info,
pipe_session_key,
pipe_session_key_len,
&sam2->base);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
return NT_STATUS_OK;
}
/****************************************************************************
inits a netr_SamInfo3 structure from an auth_serversupplied_info. sam3 must
already be initialized and is used as the talloc parent for its members.
*****************************************************************************/
NTSTATUS serverinfo_to_SamInfo3(struct auth_serversupplied_info *server_info,
uint8_t *pipe_session_key,
size_t pipe_session_key_len,
struct netr_SamInfo3 *sam3)
{
NTSTATUS status;
status = serverinfo_to_SamInfo_base(sam3,
server_info,
pipe_session_key,
pipe_session_key_len,
&sam3->base);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
sam3->sidcount = 0;
sam3->sids = NULL;
return NT_STATUS_OK;
}
/****************************************************************************
inits a netr_SamInfo6 structure from an auth_serversupplied_info. sam6 must
already be initialized and is used as the talloc parent for its members.
*****************************************************************************/
NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
uint8_t *pipe_session_key,
size_t pipe_session_key_len,
struct netr_SamInfo6 *sam6)
{
NTSTATUS status;
struct pdb_domain_info *dominfo;
if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
DEBUG(10,("Not adding validation info level 6 "
"without ADS passdb backend\n"));
return NT_STATUS_INVALID_INFO_CLASS;
}
dominfo = pdb_get_domain_info(sam6);
if (dominfo == NULL) {
return NT_STATUS_NO_MEMORY;
}
status = serverinfo_to_SamInfo_base(sam6,
server_info,
pipe_session_key,
pipe_session_key_len,
&sam6->base);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
sam6->sidcount = 0;
sam6->sids = NULL;
sam6->dns_domainname.string = talloc_strdup(sam6, dominfo->dns_domain);
if (sam6->dns_domainname.string == NULL) {
return NT_STATUS_NO_MEMORY;
}
sam6->principle.string = talloc_asprintf(sam6, "%s@%s",
pdb_get_username(server_info->sam_account),
sam6->dns_domainname.string);
if (sam6->principle.string == NULL) {
return NT_STATUS_NO_MEMORY;
}
return NT_STATUS_OK;
}
static NTSTATUS sids_to_samr_RidWithAttributeArray(
TALLOC_CTX *mem_ctx,
struct samr_RidWithAttributeArray *groups,
const struct dom_sid *domain_sid,
const struct dom_sid *sids,
size_t num_sids)
{
unsigned int i;
bool ok;
groups->rids = talloc_array(mem_ctx,
struct samr_RidWithAttribute, num_sids);
if (!groups->rids) {
return NT_STATUS_NO_MEMORY;
}
for (i = 0; i < num_sids; i++) {
ok = sid_peek_check_rid(domain_sid, &sids[i],
&groups->rids[i].rid);
if (!ok) continue;
groups->rids[i].attributes = SE_GROUP_MANDATORY |
SE_GROUP_ENABLED_BY_DEFAULT |
SE_GROUP_ENABLED;
groups->count++;
}
return NT_STATUS_OK;
}
#define RET_NOMEM(ptr) do { \
if (!ptr) { \
TALLOC_FREE(info3); \
return NT_STATUS_NO_MEMORY; \
} } while(0)
NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
struct samu *samu,
const char *login_server,
struct netr_SamInfo3 **_info3)
{
struct netr_SamInfo3 *info3;
const struct dom_sid *user_sid;
const struct dom_sid *group_sid;
struct dom_sid domain_sid;
struct dom_sid *group_sids;
size_t num_group_sids;
const char *tmp;
gid_t *gids;
NTSTATUS status;
bool ok;
user_sid = pdb_get_user_sid(samu);
group_sid = pdb_get_group_sid(samu);
if (!user_sid || !group_sid) {
DEBUG(1, ("Sam account is missing sids!\n"));
return NT_STATUS_UNSUCCESSFUL;
}
info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
if (!info3) {
return NT_STATUS_NO_MEMORY;
}
unix_to_nt_time(&info3->base.last_logon, pdb_get_logon_time(samu));
unix_to_nt_time(&info3->base.last_logoff, get_time_t_max());
unix_to_nt_time(&info3->base.acct_expiry, get_time_t_max());
unix_to_nt_time(&info3->base.last_password_change,
pdb_get_pass_last_set_time(samu));
unix_to_nt_time(&info3->base.allow_password_change,
pdb_get_pass_can_change_time(samu));
unix_to_nt_time(&info3->base.force_password_change,
pdb_get_pass_must_change_time(samu));
tmp = pdb_get_username(samu);
if (tmp) {
info3->base.account_name.string = talloc_strdup(info3, tmp);
RET_NOMEM(info3->base.account_name.string);
}
tmp = pdb_get_fullname(samu);
if (tmp) {
info3->base.full_name.string = talloc_strdup(info3, tmp);
RET_NOMEM(info3->base.full_name.string);
}
tmp = pdb_get_logon_script(samu);
if (tmp) {
info3->base.logon_script.string = talloc_strdup(info3, tmp);
RET_NOMEM(info3->base.logon_script.string);
}
if (tmp) {
info3->base.profile_path.string = talloc_strdup(info3, tmp);
RET_NOMEM(info3->base.profile_path.string);
}
if (tmp) {
info3->base.home_directory.string = talloc_strdup(info3, tmp);
RET_NOMEM(info3->base.home_directory.string);
}
if (tmp) {
info3->base.home_drive.string = talloc_strdup(info3, tmp);
RET_NOMEM(info3->base.home_drive.string);
}
info3->base.logon_count = pdb_get_logon_count(samu);
info3->base.bad_password_count = pdb_get_bad_password_count(samu);
sid_copy(&domain_sid, user_sid);
sid_split_rid(&domain_sid, &info3->base.rid);
ok = sid_peek_check_rid(&domain_sid, group_sid,
&info3->base.primary_gid);
if (!ok) {
DEBUG(1, ("The primary group sid domain does not"
"match user sid domain for user: %s\n",
pdb_get_username(samu)));
TALLOC_FREE(info3);
return NT_STATUS_UNSUCCESSFUL;
}
status = pdb_enum_group_memberships(mem_ctx, samu,
&group_sids, &gids,
&num_group_sids);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to get groups from sam account.\n"));
TALLOC_FREE(info3);
return status;
}
status = sids_to_samr_RidWithAttributeArray(info3,
&info3->base.groups,
&domain_sid,
group_sids,
num_group_sids);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(info3);
return status;
}
/* We don't need sids and gids after the conversion */
TALLOC_FREE(group_sids);
TALLOC_FREE(gids);
num_group_sids = 0;
/* FIXME: should we add other flags ? */
info3->base.user_flags = NETLOGON_EXTRA_SIDS;
if (login_server) {
info3->base.logon_server.string = talloc_strdup(info3, login_server);
RET_NOMEM(info3->base.logon_server.string);
}
info3->base.domain.string = talloc_strdup(info3,
pdb_get_domain(samu));
RET_NOMEM(info3->base.domain.string);
info3->base.domain_sid = sid_dup_talloc(info3, &domain_sid);
RET_NOMEM(info3->base.domain_sid);
info3->base.acct_flags = pdb_get_acct_ctrl(samu);
*_info3 = info3;
return NT_STATUS_OK;
}
#undef RET_NOMEM
#define RET_NOMEM(ptr) do { \
if (!ptr) { \
TALLOC_FREE(info3); \
return NULL; \
} } while(0)
struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
struct netr_SamInfo3 *orig)
{
struct netr_SamInfo3 *info3;
info3 = talloc(mem_ctx, struct netr_SamInfo3);
if (!info3) return NULL;
/* first copy all, then realloc pointers */
info3->base = orig->base;
info3->base.account_name.string =
talloc_strdup(info3, orig->base.account_name.string);
RET_NOMEM(info3->base.account_name.string);
info3->base.full_name.string =
talloc_strdup(info3, orig->base.full_name.string);
RET_NOMEM(info3->base.full_name.string);
info3->base.logon_script.string =
talloc_strdup(info3, orig->base.logon_script.string);
RET_NOMEM(info3->base.logon_script.string);
info3->base.profile_path.string =
talloc_strdup(info3, orig->base.profile_path.string);
RET_NOMEM(info3->base.profile_path.string);
info3->base.home_directory.string =
talloc_strdup(info3, orig->base.home_directory.string);
RET_NOMEM(info3->base.home_directory.string);
info3->base.home_drive.string =
talloc_strdup(info3, orig->base.home_drive.string);
RET_NOMEM(info3->base.home_drive.string);
info3->base.groups.rids =
talloc_memdup(info3, orig->base.groups.rids,
(sizeof(struct samr_RidWithAttribute) *
orig->base.groups.count));
RET_NOMEM(info3->base.groups.rids);
info3->base.logon_server.string =
talloc_strdup(info3, orig->base.logon_server.string);
RET_NOMEM(info3->base.logon_server.string);
info3->base.domain.string =
talloc_strdup(info3, orig->base.domain.string);
RET_NOMEM(info3->base.domain.string);
info3->base.domain_sid = sid_dup_talloc(info3, orig->base.domain_sid);
RET_NOMEM(info3->base.domain_sid);
info3->sids = talloc_memdup(info3, orig->sids,
(sizeof(struct netr_SidAttr) *
orig->sidcount));
RET_NOMEM(info3->sids);
return info3;
}