root/source3/auth/auth_server.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. server_cryptkey
  2. send_server_keepalive
  3. destroy_server_security
  4. make_server_security_state
  5. auth_get_challenge_server
  6. check_smbserver_security
  7. auth_init_smbserver
  8. auth_server_init

   1 /* 
   2    Unix SMB/CIFS implementation.
   3    Authenticate to a remote server
   4    Copyright (C) Andrew Tridgell 1992-1998
   5    Copyright (C) Andrew Bartlett 2001
   6 
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License as published by
   9    the Free Software Foundation; either version 3 of the License, or
  10    (at your option) any later version.
  11    
  12    This program is distributed in the hope that it will be useful,
  13    but WITHOUT ANY WARRANTY; without even the implied warranty of
  14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15    GNU General Public License for more details.
  16    
  17    You should have received a copy of the GNU General Public License
  18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19 */
  20 
  21 #include "includes.h"
  22 
  23 #undef DBGC_CLASS
  24 #define DBGC_CLASS DBGC_AUTH
  25 
  26 extern userdom_struct current_user_info;
  27 
  28 /****************************************************************************
  29  Support for server level security.
  30 ****************************************************************************/
  31 
  32 static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx)
     /* [<][>][^][v][top][bottom][index][help] */
  33 {
  34         struct cli_state *cli = NULL;
  35         char *desthost = NULL;
  36         struct sockaddr_storage dest_ss;
  37         const char *p;
  38         char *pserver = NULL;
  39         bool connected_ok = False;
  40         struct named_mutex *mutex = NULL;
  41         NTSTATUS status;
  42 
  43         if (!(cli = cli_initialise()))
  44                 return NULL;
  45 
  46         /* security = server just can't function with spnego */
  47         cli->use_spnego = False;
  48 
  49         pserver = talloc_strdup(mem_ctx, lp_passwordserver());
  50         p = pserver;
  51 
  52         while(next_token_talloc(mem_ctx, &p, &desthost, LIST_SEP)) {
  53 
  54                 desthost = talloc_sub_basic(mem_ctx,
  55                                 current_user_info.smb_name,
  56                                 current_user_info.domain,
  57                                 desthost);
  58                 if (!desthost) {
  59                         return NULL;
  60                 }
  61                 strupper_m(desthost);
  62 
  63                 if(!resolve_name( desthost, &dest_ss, 0x20)) {
  64                         DEBUG(1,("server_cryptkey: Can't resolve address for %s\n",desthost));
  65                         continue;
  66                 }
  67 
  68                 if (ismyaddr((struct sockaddr *)&dest_ss)) {
  69                         DEBUG(1,("Password server loop - disabling password server %s\n",desthost));
  70                         continue;
  71                 }
  72 
  73                 /* we use a mutex to prevent two connections at once - when a
  74                    Win2k PDC get two connections where one hasn't completed a
  75                    session setup yet it will send a TCP reset to the first
  76                    connection (tridge) */
  77 
  78                 mutex = grab_named_mutex(talloc_tos(), desthost, 10);
  79                 if (mutex == NULL) {
  80                         cli_shutdown(cli);
  81                         return NULL;
  82                 }
  83 
  84                 status = cli_connect(cli, desthost, &dest_ss);
  85                 if (NT_STATUS_IS_OK(status)) {
  86                         DEBUG(3,("connected to password server %s\n",desthost));
  87                         connected_ok = True;
  88                         break;
  89                 }
  90                 DEBUG(10,("server_cryptkey: failed to connect to server %s. Error %s\n",
  91                         desthost, nt_errstr(status) ));
  92                 TALLOC_FREE(mutex);
  93         }
  94 
  95         if (!connected_ok) {
  96                 DEBUG(0,("password server not available\n"));
  97                 cli_shutdown(cli);
  98                 return NULL;
  99         }
 100 
 101         if (!attempt_netbios_session_request(&cli, global_myname(),
 102                                              desthost, &dest_ss)) {
 103                 TALLOC_FREE(mutex);
 104                 DEBUG(1,("password server fails session request\n"));
 105                 cli_shutdown(cli);
 106                 return NULL;
 107         }
 108 
 109         if (strequal(desthost,myhostname())) {
 110                 exit_server_cleanly("Password server loop!");
 111         }
 112 
 113         DEBUG(3,("got session\n"));
 114 
 115         status = cli_negprot(cli);
 116 
 117         if (!NT_STATUS_IS_OK(status)) {
 118                 TALLOC_FREE(mutex);
 119                 DEBUG(1, ("%s rejected the negprot: %s\n",
 120                           desthost, nt_errstr(status)));
 121                 cli_shutdown(cli);
 122                 return NULL;
 123         }
 124 
 125         if (cli->protocol < PROTOCOL_LANMAN2 ||
 126             !(cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) {
 127                 TALLOC_FREE(mutex);
 128                 DEBUG(1,("%s isn't in user level security mode\n",desthost));
 129                 cli_shutdown(cli);
 130                 return NULL;
 131         }
 132 
 133         /* Get the first session setup done quickly, to avoid silly
 134            Win2k bugs.  (The next connection to the server will kill
 135            this one...
 136         */
 137 
 138         if (!NT_STATUS_IS_OK(cli_session_setup(cli, "", "", 0, "", 0,
 139                                                ""))) {
 140                 TALLOC_FREE(mutex);
 141                 DEBUG(0,("%s rejected the initial session setup (%s)\n",
 142                          desthost, cli_errstr(cli)));
 143                 cli_shutdown(cli);
 144                 return NULL;
 145         }
 146 
 147         TALLOC_FREE(mutex);
 148 
 149         DEBUG(3,("password server OK\n"));
 150 
 151         return cli;
 152 }
 153 
 154 struct server_security_state {
 155         struct cli_state *cli;
 156 };
 157 
 158 /****************************************************************************
 159  Send a 'keepalive' packet down the cli pipe.
 160 ****************************************************************************/
 161 
 162 static bool send_server_keepalive(const struct timeval *now,
     /* [<][>][^][v][top][bottom][index][help] */
 163                                   void *private_data)
 164 {
 165         struct server_security_state *state = talloc_get_type_abort(
 166                 private_data, struct server_security_state);
 167 
 168         if (!state->cli || !state->cli->initialised) {
 169                 return False;
 170         }
 171 
 172         if (send_keepalive(state->cli->fd)) {
 173                 return True;
 174         }
 175 
 176         DEBUG( 2, ( "send_server_keepalive: password server keepalive "
 177                     "failed.\n"));
 178         cli_shutdown(state->cli);
 179         state->cli = NULL;
 180         return False;
 181 }
 182 
 183 static int destroy_server_security(struct server_security_state *state)
     /* [<][>][^][v][top][bottom][index][help] */
 184 {
 185         if (state->cli) {
 186                 cli_shutdown(state->cli);
 187         }
 188         return 0;
 189 }
 190 
 191 static struct server_security_state *make_server_security_state(struct cli_state *cli)
     /* [<][>][^][v][top][bottom][index][help] */
 192 {
 193         struct server_security_state *result;
 194 
 195         if (!(result = talloc(NULL, struct server_security_state))) {
 196                 DEBUG(0, ("talloc failed\n"));
 197                 cli_shutdown(cli);
 198                 return NULL;
 199         }
 200 
 201         result->cli = cli;
 202         talloc_set_destructor(result, destroy_server_security);
 203 
 204         if (lp_keepalive() != 0) {
 205                 struct timeval interval;
 206                 interval.tv_sec = lp_keepalive();
 207                 interval.tv_usec = 0;
 208 
 209                 if (event_add_idle(smbd_event_context(), result, interval,
 210                                    "server_security_keepalive",
 211                                    send_server_keepalive,
 212                                    result) == NULL) {
 213                         DEBUG(0, ("event_add_idle failed\n"));
 214                         TALLOC_FREE(result);
 215                         return NULL;
 216                 }
 217         }
 218 
 219         return result;
 220 }
 221 
 222 /****************************************************************************
 223  Get the challenge out of a password server.
 224 ****************************************************************************/
 225 
 226 static DATA_BLOB auth_get_challenge_server(const struct auth_context *auth_context,
     /* [<][>][^][v][top][bottom][index][help] */
 227                                            void **my_private_data, 
 228                                            TALLOC_CTX *mem_ctx)
 229 {
 230         struct cli_state *cli = server_cryptkey(mem_ctx);
 231         
 232         if (cli) {
 233                 DEBUG(3,("using password server validation\n"));
 234 
 235                 if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
 236                         /* We can't work with unencrypted password servers
 237                            unless 'encrypt passwords = no' */
 238                         DEBUG(5,("make_auth_info_server: Server is unencrypted, no challenge available..\n"));
 239                         
 240                         /* However, it is still a perfectly fine connection
 241                            to pass that unencrypted password over */
 242                         *my_private_data =
 243                                 (void *)make_server_security_state(cli);
 244                         return data_blob_null;
 245                 } else if (cli->secblob.length < 8) {
 246                         /* We can't do much if we don't get a full challenge */
 247                         DEBUG(2,("make_auth_info_server: Didn't receive a full challenge from server\n"));
 248                         cli_shutdown(cli);
 249                         return data_blob_null;
 250                 }
 251 
 252                 if (!(*my_private_data = (void *)make_server_security_state(cli))) {
 253                         return data_blob(NULL,0);
 254                 }
 255 
 256                 /* The return must be allocated on the caller's mem_ctx, as our own will be
 257                    destoyed just after the call. */
 258                 return data_blob_talloc(auth_context->mem_ctx, cli->secblob.data,8);
 259         } else {
 260                 return data_blob_null;
 261         }
 262 }
 263 
 264 
 265 /****************************************************************************
 266  Check for a valid username and password in security=server mode.
 267   - Validate a password with the password server.
 268 ****************************************************************************/
 269 
 270 static NTSTATUS check_smbserver_security(const struct auth_context *auth_context,
     /* [<][>][^][v][top][bottom][index][help] */
 271                                          void *my_private_data, 
 272                                          TALLOC_CTX *mem_ctx,
 273                                          const auth_usersupplied_info *user_info, 
 274                                          auth_serversupplied_info **server_info)
 275 {
 276         struct server_security_state *state = talloc_get_type_abort(
 277                 my_private_data, struct server_security_state);
 278         struct cli_state *cli;
 279         static bool tested_password_server = False;
 280         static bool bad_password_server = False;
 281         NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
 282         bool locally_made_cli = False;
 283 
 284         cli = state->cli;
 285         
 286         if (cli) {
 287         } else {
 288                 cli = server_cryptkey(mem_ctx);
 289                 locally_made_cli = True;
 290         }
 291 
 292         if (!cli || !cli->initialised) {
 293                 DEBUG(1,("password server is not connected (cli not initialised)\n"));
 294                 return NT_STATUS_LOGON_FAILURE;
 295         }  
 296         
 297         if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
 298                 if (user_info->encrypted) {
 299                         DEBUG(1,("password server %s is plaintext, but we are encrypted. This just can't work :-(\n", cli->desthost));
 300                         return NT_STATUS_LOGON_FAILURE;         
 301                 }
 302         } else {
 303                 if (memcmp(cli->secblob.data, auth_context->challenge.data, 8) != 0) {
 304                         DEBUG(1,("the challenge that the password server (%s) supplied us is not the one we gave our client. This just can't work :-(\n", cli->desthost));
 305                         return NT_STATUS_LOGON_FAILURE;         
 306                 }
 307         }
 308 
 309         /*
 310          * Attempt a session setup with a totally incorrect password.
 311          * If this succeeds with the guest bit *NOT* set then the password
 312          * server is broken and is not correctly setting the guest bit. We
 313          * need to detect this as some versions of NT4.x are broken. JRA.
 314          */
 315 
 316         /* I sure as hell hope that there aren't servers out there that take 
 317          * NTLMv2 and have this bug, as we don't test for that... 
 318          *  - abartlet@samba.org
 319          */
 320 
 321         if ((!tested_password_server) && (lp_paranoid_server_security())) {
 322                 unsigned char badpass[24];
 323                 char *baduser = NULL;
 324 
 325                 memset(badpass, 0x1f, sizeof(badpass));
 326 
 327                 if((user_info->nt_resp.length == sizeof(badpass)) && 
 328                    !memcmp(badpass, user_info->nt_resp.data, sizeof(badpass))) {
 329                         /* 
 330                          * Very unlikely, our random bad password is the same as the users
 331                          * password.
 332                          */
 333                         memset(badpass, badpass[0]+1, sizeof(badpass));
 334                 }
 335 
 336                 baduser = talloc_asprintf(mem_ctx,
 337                                         "%s%s",
 338                                         INVALID_USER_PREFIX,
 339                                         global_myname());
 340                 if (!baduser) {
 341                         return NT_STATUS_NO_MEMORY;
 342                 }
 343 
 344                 if (NT_STATUS_IS_OK(cli_session_setup(cli, baduser,
 345                                                       (char *)badpass,
 346                                                       sizeof(badpass), 
 347                                                       (char *)badpass,
 348                                                       sizeof(badpass),
 349                                                       user_info->domain))) {
 350 
 351                         /*
 352                          * We connected to the password server so we
 353                          * can say we've tested it.
 354                          */
 355                         tested_password_server = True;
 356 
 357                         if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) {
 358                                 DEBUG(0,("server_validate: password server %s allows users as non-guest \
 359 with a bad password.\n", cli->desthost));
 360                                 DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
 361 use this machine as the password server.\n"));
 362                                 cli_ulogoff(cli);
 363 
 364                                 /*
 365                                  * Password server has the bug.
 366                                  */
 367                                 bad_password_server = True;
 368                                 return NT_STATUS_LOGON_FAILURE;
 369                         }
 370                         cli_ulogoff(cli);
 371                 }
 372         } else {
 373 
 374                 /*
 375                  * We have already tested the password server.
 376                  * Fail immediately if it has the bug.
 377                  */
 378 
 379                 if(bad_password_server) {
 380                         DEBUG(0,("server_validate: [1] password server %s allows users as non-guest \
 381 with a bad password.\n", cli->desthost));
 382                         DEBUG(0,("server_validate: [1] This is broken (and insecure) behaviour. Please do not \
 383 use this machine as the password server.\n"));
 384                         return NT_STATUS_LOGON_FAILURE;
 385                 }
 386         }
 387 
 388         /*
 389          * Now we know the password server will correctly set the guest bit, or is
 390          * not guest enabled, we can try with the real password.
 391          */
 392 
 393         if (!user_info->encrypted) {
 394                 /* Plaintext available */
 395                 nt_status = cli_session_setup(
 396                         cli, user_info->smb_name, 
 397                         (char *)user_info->plaintext_password.data, 
 398                         user_info->plaintext_password.length, 
 399                         NULL, 0, user_info->domain);
 400 
 401         } else {
 402                 nt_status = cli_session_setup(
 403                         cli, user_info->smb_name, 
 404                         (char *)user_info->lm_resp.data, 
 405                         user_info->lm_resp.length, 
 406                         (char *)user_info->nt_resp.data, 
 407                         user_info->nt_resp.length, 
 408                         user_info->domain);
 409         }
 410 
 411         if (!NT_STATUS_IS_OK(nt_status)) {
 412                 DEBUG(1,("password server %s rejected the password: %s\n",
 413                          cli->desthost, nt_errstr(nt_status)));
 414         }
 415 
 416         /* if logged in as guest then reject */
 417         if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) {
 418                 DEBUG(1,("password server %s gave us guest only\n", cli->desthost));
 419                 nt_status = NT_STATUS_LOGON_FAILURE;
 420         }
 421 
 422         cli_ulogoff(cli);
 423 
 424         if (NT_STATUS_IS_OK(nt_status)) {
 425                 fstring real_username;
 426                 struct passwd *pass;
 427 
 428                 if ( (pass = smb_getpwnam( NULL, user_info->internal_username, 
 429                         real_username, True )) != NULL ) 
 430                 {
 431                         /* if a real user check pam account restrictions */
 432                         /* only really perfomed if "obey pam restriction" is true */
 433                         nt_status = smb_pam_accountcheck(pass->pw_name);
 434                         if (  !NT_STATUS_IS_OK(nt_status)) {
 435                                 DEBUG(1, ("PAM account restriction prevents user login\n"));
 436                         } else {
 437 
 438                                 nt_status = make_server_info_pw(server_info, pass->pw_name, pass);
 439                         }
 440                         TALLOC_FREE(pass);
 441                 }
 442                 else
 443                 {
 444                         nt_status = NT_STATUS_NO_SUCH_USER;
 445                 }
 446         }
 447 
 448         if (locally_made_cli) {
 449                 cli_shutdown(cli);
 450         }
 451 
 452         return(nt_status);
 453 }
 454 
 455 static NTSTATUS auth_init_smbserver(struct auth_context *auth_context, const char* param, auth_methods **auth_method) 
     /* [<][>][^][v][top][bottom][index][help] */
 456 {
 457         if (!make_auth_methods(auth_context, auth_method)) {
 458                 return NT_STATUS_NO_MEMORY;
 459         }
 460         (*auth_method)->name = "smbserver";
 461         (*auth_method)->auth = check_smbserver_security;
 462         (*auth_method)->get_chal = auth_get_challenge_server;
 463         return NT_STATUS_OK;
 464 }
 465 
 466 NTSTATUS auth_server_init(void)
     /* [<][>][^][v][top][bottom][index][help] */
 467 {
 468         return smb_register_auth(AUTH_INTERFACE_VERSION, "smbserver", auth_init_smbserver);
 469 }

/* [<][>][^][v][top][bottom][index][help] */