/src/samba/source4/auth/ntlm/auth_simple.c
/* 
   Unix SMB/CIFS implementation.
   auth functions
   Copyright (C) Simo Sorce 2005
   Copyright (C) Andrew Tridgell 2005
   Copyright (C) Andrew Bartlett 2005
   
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.
   
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
   
   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include <tevent.h>
#include "lib/util/tevent_ntstatus.h"
#include "auth/auth.h"
#include "dsdb/samdb/samdb.h"
#include "lib/param/param.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
/*
 * Per-request state shared by authenticate_ldap_simple_bind_send(),
 * its completion callback and authenticate_ldap_simple_bind_recv().
 * Created by tevent_req_create(); the pointers below are allocated
 * with this state as their talloc parent, so they live exactly as
 * long as the request.
 */
struct authenticate_ldap_simple_bind_state {
  /* Whether the bind arrived over TLS; selects the "simple bind/TLS"
   * auth description and the authz transport-protection label. */
  bool using_tls;
  /* From auth_context_create(); supplies sam_ctx for name cracking and
   * msg_ctx/lp_ctx/start_time for the audit log. */
  struct auth4_context *auth_context;
  /* The bind DN plus a plaintext copy of the password, as handed to
   * auth_check_password_send(). */
  struct auth_usersupplied_info *user_info;
  /* Result of generate_session_info(); moved to the caller's memory
   * context by authenticate_ldap_simple_bind_recv(). */
  struct auth_session_info *session_info;
};
/* Completion callback for the auth_check_password_send() sub-request. */
static void authenticate_ldap_simple_bind_done(struct tevent_req *subreq);
/*
 * Start an asynchronous LDAP simple-bind authentication for dn/password.
 *
 * mem_ctx         talloc parent of the returned request.
 * ev              event context the password-check sub-request runs on.
 * msg             messaging context, passed to auth_context_create() and
 *                 used when logging a failed name mapping.
 * lp_ctx          loadparm context; also supplies the workstation name
 *                 recorded in user_info.
 * remote_address,
 * local_address   connection endpoints recorded in user_info for auditing.
 * using_tls       true if the bind arrived over TLS; stored in the state
 *                 and reflected in auth_description.
 * dn              the client-supplied bind DN (untrusted input). It is
 *                 first mapped to an NT4 domain/account pair; a DN that
 *                 cannot be mapped fails the request.
 * password        the client-supplied plaintext password; a private copy
 *                 is taken under user_info.
 *
 * Returns NULL only when the request itself cannot be allocated. Every
 * other failure is reported on the request and posted to ev, so callers
 * must always collect the outcome via authenticate_ldap_simple_bind_recv().
 */
_PUBLIC_ struct tevent_req *authenticate_ldap_simple_bind_send(TALLOC_CTX *mem_ctx,
          struct tevent_context *ev,
          struct imessaging_context *msg,
          struct loadparm_context *lp_ctx,
          struct tsocket_address *remote_address,
          struct tsocket_address *local_address,
          bool using_tls,
          const char *dn,
          const char *password)
{
  struct tevent_req *req = NULL;
  struct authenticate_ldap_simple_bind_state *state = NULL;
  struct auth_usersupplied_info *user_info = NULL;
  const char *nt4_domain = NULL;
  const char *nt4_username = NULL;
  struct tevent_req *subreq = NULL;
  NTSTATUS status;

  req = tevent_req_create(mem_ctx, &state,
        struct authenticate_ldap_simple_bind_state);
  if (req == NULL) {
    return NULL;
  }
  state->using_tls = using_tls;

  /* The auth context is a child of the request state and is reused by
   * the completion callback (sam_ctx, msg_ctx, lp_ctx, start_time). */
  status = auth_context_create(state, ev, msg, lp_ctx,
             &state->auth_context);
  if (tevent_req_nterror(req, status)) {
    return tevent_req_post(req, ev);
  }

  user_info = talloc_zero(state, struct auth_usersupplied_info);
  if (tevent_req_nomem(user_info, req)) {
    return tevent_req_post(req, ev);
  }
  state->user_info = user_info;

  /* Until cracknames runs, the raw DN stands in for the account name. */
  user_info->client.account_name = dn;
  /* No client.domain_name, use account_name instead */
  /* user_info->mapped.* will be filled below */

  user_info->workstation_name = lpcfg_netbios_name(lp_ctx);

  user_info->remote_host = remote_address;
  user_info->local_host = local_address;

  user_info->service_description = "LDAP";

  if (using_tls) {
    user_info->auth_description = "simple bind/TLS";
  } else {
    user_info->auth_description = "simple bind";
  }

  /* The password is passed on as plaintext. The copy is owned by
   * user_info and freed with the request state.
   * NOTE(review): nothing here scrubs the copy before it is freed;
   * confirm whether the tree's talloc_keep_secret() helper (if present
   * in this version) should be applied to it. */
  user_info->password_state = AUTH_PASSWORD_PLAIN;
  user_info->password.plaintext = talloc_strdup(user_info, password);
  if (tevent_req_nomem(user_info->password.plaintext, req)) {
    return tevent_req_post(req, ev);
  }

  /* Flag names indicate case-insensitive username matching and no
   * Unix-account check; see their definitions for exact semantics. */
  user_info->flags = USER_INFO_CASE_INSENSITIVE_USERNAME |
    USER_INFO_DONT_CHECK_UNIX_ACCOUNT;

  /* MSV1_0_* parameters handed to the auth stack for this cleartext
   * exchange; their precise meaning is defined with the constants. */
  user_info->logon_parameters =
    MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
    MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT |
    MSV1_0_CLEARTEXT_PASSWORD_ALLOWED |
    MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED;

  /* Map the client's DN to an NT4 domain/account pair. A DN that cannot
   * be mapped is still recorded as a failed authentication event, with
   * the mapping status, before the error is posted on the request. */
  status = crack_auto_name_to_nt4_name(state, state->auth_context->sam_ctx,
               dn, &nt4_domain, &nt4_username);
  if (!NT_STATUS_IS_OK(status)) {
    log_authentication_event(msg, lp_ctx,
           &state->auth_context->start_time,
           user_info, status,
           NULL, NULL, NULL,
           NULL /* client_audit_info */,
           NULL /* server_audit_info */);
  }
  if (tevent_req_nterror(req, status)) {
    return tevent_req_post(req, ev);
  }

  /* Preserve the identity as the client supplied it, then replace
   * client.* with the cracked NT4 names for the password check. */
  user_info->orig_client = user_info->client;
  user_info->client.account_name = nt4_username;
  user_info->client.domain_name = nt4_domain;
  user_info->cracknames_called = true;

  subreq = auth_check_password_send(state, ev,
            state->auth_context,
            state->user_info);
  if (tevent_req_nomem(subreq, req)) {
    return tevent_req_post(req, ev);
  }
  tevent_req_set_callback(subreq, authenticate_ldap_simple_bind_done, req);

  return req;
}
/*
 * Completion callback for the auth_check_password_send() sub-request.
 *
 * Collects the password-check result, builds the session info for the
 * mapped account and, on success, writes a successful authorization
 * audit event (service "LDAP", auth type "simple bind", transport
 * protection derived from state->using_tls). Any failure is reported on
 * the parent request with tevent_req_nterror(); the parent is completed
 * with tevent_req_done() only after the audit event has been logged.
 */
static void authenticate_ldap_simple_bind_done(struct tevent_req *subreq)
{
  struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req);
  struct authenticate_ldap_simple_bind_state *state =
    tevent_req_data(req, struct authenticate_ldap_simple_bind_state);
  struct auth4_context *actx = state->auth_context;
  struct auth_usersupplied_info *ui = state->user_info;
  /* Captured before the sub-request is collected and released. */
  const char *mapped_account = ui->mapped.account_name;
  const struct tsocket_address *peer = ui->remote_host;
  const struct tsocket_address *here = ui->local_host;
  const char *transport_protection = state->using_tls
    ? AUTHZ_TRANSPORT_PROTECTION_TLS
    : AUTHZ_TRANSPORT_PROTECTION_NONE;
  struct auth_user_info_dc *dc_info = NULL;
  uint8_t authoritative = 1;
  uint32_t session_flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
  NTSTATUS status;

  status = auth_check_password_recv(subreq, state, &dc_info, &authoritative);
  TALLOC_FREE(subreq);
  if (tevent_req_nterror(req, status)) {
    return;
  }

  /* Guest logons are not marked as authenticated. */
  if ((dc_info->info->user_flags & NETLOGON_GUEST) == 0) {
    session_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
  }

  status = actx->generate_session_info(actx,
              state,
              dc_info,
              mapped_account,
              session_flags,
              &state->session_info);
  if (tevent_req_nterror(req, status)) {
    return;
  }

  log_successful_authz_event(actx->msg_ctx,
           actx->lp_ctx,
           peer,
           here,
           "LDAP",
           "simple bind",
           transport_protection,
           state->session_info,
           NULL /* client_audit_info */,
           NULL /* server_audit_info */);

  tevent_req_done(req);
}
/*
 * Collect the result of authenticate_ldap_simple_bind_send().
 *
 * req           the request returned by the _send() function.
 * mem_ctx       talloc parent the session info is moved onto.
 * session_info  receives the new session info on success, NULL otherwise.
 *
 * Returns the NTSTATUS recorded on the request, or NT_STATUS_OK when the
 * bind succeeded. The request is released with tevent_req_received() on
 * both paths.
 */
_PUBLIC_ NTSTATUS authenticate_ldap_simple_bind_recv(struct tevent_req *req,
          TALLOC_CTX *mem_ctx,
          struct auth_session_info **session_info)
{
  struct authenticate_ldap_simple_bind_state *state =
    tevent_req_data(req, struct authenticate_ldap_simple_bind_state);
  NTSTATUS status = NT_STATUS_OK;
  bool failed;

  *session_info = NULL;

  failed = tevent_req_is_nterror(req, &status);
  if (!failed) {
    /* Ownership of the session info passes to the caller. */
    *session_info = talloc_move(mem_ctx, &state->session_info);
  }
  tevent_req_received(req);

  return failed ? status : NT_STATUS_OK;
}