search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
mount.cifs: check access of credential files before opening
[Samba.git] / source / auth / auth_util.c
blob7897a921efdee8002027d1b871cf4017cdcdbd2d
1 /*
2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Volker Lendecke 2006
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 */
24
25 #include "includes.h"
26
27 #undef DBGC_CLASS
28 #define DBGC_CLASS DBGC_AUTH
29
30 static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
31 const DOM_SID *user_sid,
32 BOOL is_guest,
33 int num_groupsids,
34 const DOM_SID *groupsids);
35
36 /****************************************************************************
37 Create a UNIX user on demand.
38 ****************************************************************************/
39
40 static int smb_create_user(const char *domain, const char *unix_username, const char *homedir)
41 {
42 pstring add_script;
43 int ret;
44
45 pstrcpy(add_script, lp_adduser_script());
46 if (! *add_script)
47 return -1;
48 all_string_sub(add_script, "%u", unix_username, sizeof(pstring));
49 if (domain)
50 all_string_sub(add_script, "%D", domain, sizeof(pstring));
51 if (homedir)
52 all_string_sub(add_script, "%H", homedir, sizeof(pstring));
53 ret = smbrun(add_script,NULL);
54 flush_pwnam_cache();
55 DEBUG(ret ? 0 : 3,("smb_create_user: Running the command `%s' gave %d\n",add_script,ret));
56 return ret;
57 }
58
59 /****************************************************************************
60 Create an auth_usersupplied_data structure
61 ****************************************************************************/
62
63 static NTSTATUS make_user_info(auth_usersupplied_info **user_info,
64 const char *smb_name,
65 const char *internal_username,
66 const char *client_domain,
67 const char *domain,
68 const char *wksta_name,
69 DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd,
70 DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd,
71 DATA_BLOB *plaintext,
72 BOOL encrypted)
73 {
74
75 DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name));
76
77 *user_info = SMB_MALLOC_P(auth_usersupplied_info);
78 if (*user_info == NULL) {
79 DEBUG(0,("malloc failed for user_info (size %lu)\n", (unsigned long)sizeof(*user_info)));
80 return NT_STATUS_NO_MEMORY;
81 }
82
83 ZERO_STRUCTP(*user_info);
84
85 DEBUG(5,("making strings for %s's user_info struct\n", internal_username));
86
87 (*user_info)->smb_name = SMB_STRDUP(smb_name);
88 if ((*user_info)->smb_name == NULL) {
89 free_user_info(user_info);
90 return NT_STATUS_NO_MEMORY;
91 }
92
93 (*user_info)->internal_username = SMB_STRDUP(internal_username);
94 if ((*user_info)->internal_username == NULL) {
95 free_user_info(user_info);
96 return NT_STATUS_NO_MEMORY;
97 }
98
99 (*user_info)->domain = SMB_STRDUP(domain);
100 if ((*user_info)->domain == NULL) {
101 free_user_info(user_info);
102 return NT_STATUS_NO_MEMORY;
103 }
104
105 (*user_info)->client_domain = SMB_STRDUP(client_domain);
106 if ((*user_info)->client_domain == NULL) {
107 free_user_info(user_info);
108 return NT_STATUS_NO_MEMORY;
109 }
110
111 (*user_info)->wksta_name = SMB_STRDUP(wksta_name);
112 if ((*user_info)->wksta_name == NULL) {
113 free_user_info(user_info);
114 return NT_STATUS_NO_MEMORY;
115 }
116
117 DEBUG(5,("making blobs for %s's user_info struct\n", internal_username));
118
119 if (lm_pwd)
120 (*user_info)->lm_resp = data_blob(lm_pwd->data, lm_pwd->length);
121 if (nt_pwd)
122 (*user_info)->nt_resp = data_blob(nt_pwd->data, nt_pwd->length);
123 if (lm_interactive_pwd)
124 (*user_info)->lm_interactive_pwd = data_blob(lm_interactive_pwd->data, lm_interactive_pwd->length);
125 if (nt_interactive_pwd)
126 (*user_info)->nt_interactive_pwd = data_blob(nt_interactive_pwd->data, nt_interactive_pwd->length);
127
128 if (plaintext)
129 (*user_info)->plaintext_password = data_blob(plaintext->data, plaintext->length);
130
131 (*user_info)->encrypted = encrypted;
132
133 (*user_info)->logon_parameters = 0;
134
135 DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name));
136
137 return NT_STATUS_OK;
138 }
139
140 /****************************************************************************
141 Create an auth_usersupplied_data structure after appropriate mapping.
142 ****************************************************************************/
143
144 NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
145 const char *smb_name,
146 const char *client_domain,
147 const char *wksta_name,
148 DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd,
149 DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd,
150 DATA_BLOB *plaintext,
151 BOOL encrypted)
152 {
153 const char *domain;
154 NTSTATUS result;
155 BOOL was_mapped;
156 fstring internal_username;
157 fstrcpy(internal_username, smb_name);
158 was_mapped = map_username(internal_username);
159
160 DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n",
161 client_domain, smb_name, wksta_name));
162
163 /* don't allow "" as a domain, fixes a Win9X bug
164 where it doens't supply a domain for logon script
165 'net use' commands. */
166
167 if ( *client_domain )
168 domain = client_domain;
169 else
170 domain = lp_workgroup();
171
172 /* do what win2k does. Always map unknown domains to our own
173 and let the "passdb backend" handle unknown users. */
174
175 if ( !is_trusted_domain(domain) && !strequal(domain, get_global_sam_name()) )
176 domain = my_sam_name();
177
178 /* we know that it is a trusted domain (and we are allowing them) or it is our domain */
179
180 result = make_user_info(user_info, smb_name, internal_username,
181 client_domain, domain, wksta_name,
182 lm_pwd, nt_pwd,
183 lm_interactive_pwd, nt_interactive_pwd,
184 plaintext, encrypted);
185 if (NT_STATUS_IS_OK(result)) {
186 (*user_info)->was_mapped = was_mapped;
187 }
188 return result;
189 }
190
191 /****************************************************************************
192 Create an auth_usersupplied_data, making the DATA_BLOBs here.
193 Decrypt and encrypt the passwords.
194 ****************************************************************************/
195
196 BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info,
197 const char *smb_name,
198 const char *client_domain,
199 const char *wksta_name,
200 uint32 logon_parameters,
201 const uchar *lm_network_pwd,
202 int lm_pwd_len,
203 const uchar *nt_network_pwd,
204 int nt_pwd_len)
205 {
206 BOOL ret;
207 NTSTATUS status;
208 DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len);
209 DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
210
211 status = make_user_info_map(user_info,
212 smb_name, client_domain,
213 wksta_name,
214 lm_pwd_len ? &lm_blob : NULL,
215 nt_pwd_len ? &nt_blob : NULL,
216 NULL, NULL, NULL,
217 True);
218
219 if (NT_STATUS_IS_OK(status)) {
220 (*user_info)->logon_parameters = logon_parameters;
221 }
222 ret = NT_STATUS_IS_OK(status) ? True : False;
223
224 data_blob_free(&lm_blob);
225 data_blob_free(&nt_blob);
226 return ret;
227 }
228
229 /****************************************************************************
230 Create an auth_usersupplied_data, making the DATA_BLOBs here.
231 Decrypt and encrypt the passwords.
232 ****************************************************************************/
233
234 BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
235 const char *smb_name,
236 const char *client_domain,
237 const char *wksta_name,
238 uint32 logon_parameters,
239 const uchar chal[8],
240 const uchar lm_interactive_pwd[16],
241 const uchar nt_interactive_pwd[16],
242 const uchar *dc_sess_key)
243 {
244 char lm_pwd[16];
245 char nt_pwd[16];
246 unsigned char local_lm_response[24];
247 unsigned char local_nt_response[24];
248 unsigned char key[16];
249
250 ZERO_STRUCT(key);
251 memcpy(key, dc_sess_key, 8);
252
253 if (lm_interactive_pwd)
254 memcpy(lm_pwd, lm_interactive_pwd, sizeof(lm_pwd));
255
256 if (nt_interactive_pwd)
257 memcpy(nt_pwd, nt_interactive_pwd, sizeof(nt_pwd));
258
259 #ifdef DEBUG_PASSWORD
260 DEBUG(100,("key:"));
261 dump_data(100, (char *)key, sizeof(key));
262
263 DEBUG(100,("lm owf password:"));
264 dump_data(100, lm_pwd, sizeof(lm_pwd));
265
266 DEBUG(100,("nt owf password:"));
267 dump_data(100, nt_pwd, sizeof(nt_pwd));
268 #endif
269
270 if (lm_interactive_pwd)
271 SamOEMhash((uchar *)lm_pwd, key, sizeof(lm_pwd));
272
273 if (nt_interactive_pwd)
274 SamOEMhash((uchar *)nt_pwd, key, sizeof(nt_pwd));
275
276 #ifdef DEBUG_PASSWORD
277 DEBUG(100,("decrypt of lm owf password:"));
278 dump_data(100, lm_pwd, sizeof(lm_pwd));
279
280 DEBUG(100,("decrypt of nt owf password:"));
281 dump_data(100, nt_pwd, sizeof(nt_pwd));
282 #endif
283
284 if (lm_interactive_pwd)
285 SMBOWFencrypt((const unsigned char *)lm_pwd, chal,
286 local_lm_response);
287
288 if (nt_interactive_pwd)
289 SMBOWFencrypt((const unsigned char *)nt_pwd, chal,
290 local_nt_response);
291
292 /* Password info paranoia */
293 ZERO_STRUCT(key);
294
295 {
296 BOOL ret;
297 NTSTATUS nt_status;
298 DATA_BLOB local_lm_blob;
299 DATA_BLOB local_nt_blob;
300
301 DATA_BLOB lm_interactive_blob;
302 DATA_BLOB nt_interactive_blob;
303
304 if (lm_interactive_pwd) {
305 local_lm_blob = data_blob(local_lm_response,
306 sizeof(local_lm_response));
307 lm_interactive_blob = data_blob(lm_pwd,
308 sizeof(lm_pwd));
309 ZERO_STRUCT(lm_pwd);
310 }
311
312 if (nt_interactive_pwd) {
313 local_nt_blob = data_blob(local_nt_response,
314 sizeof(local_nt_response));
315 nt_interactive_blob = data_blob(nt_pwd,
316 sizeof(nt_pwd));
317 ZERO_STRUCT(nt_pwd);
318 }
319
320 nt_status = make_user_info_map(
321 user_info,
322 smb_name, client_domain, wksta_name,
323 lm_interactive_pwd ? &local_lm_blob : NULL,
324 nt_interactive_pwd ? &local_nt_blob : NULL,
325 lm_interactive_pwd ? &lm_interactive_blob : NULL,
326 nt_interactive_pwd ? &nt_interactive_blob : NULL,
327 NULL, True);
328
329 if (NT_STATUS_IS_OK(nt_status)) {
330 (*user_info)->logon_parameters = logon_parameters;
331 }
332
333 ret = NT_STATUS_IS_OK(nt_status) ? True : False;
334 data_blob_free(&local_lm_blob);
335 data_blob_free(&local_nt_blob);
336 data_blob_free(&lm_interactive_blob);
337 data_blob_free(&nt_interactive_blob);
338 return ret;
339 }
340 }
341
342
343 /****************************************************************************
344 Create an auth_usersupplied_data structure
345 ****************************************************************************/
346
347 BOOL make_user_info_for_reply(auth_usersupplied_info **user_info,
348 const char *smb_name,
349 const char *client_domain,
350 const uint8 chal[8],
351 DATA_BLOB plaintext_password)
352 {
353
354 DATA_BLOB local_lm_blob;
355 DATA_BLOB local_nt_blob;
356 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
357
358 /*
359 * Not encrypted - do so.
360 */
361
362 DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted "
363 "format.\n"));
364
365 if (plaintext_password.data) {
366 unsigned char local_lm_response[24];
367
368 #ifdef DEBUG_PASSWORD
369 DEBUG(10,("Unencrypted password (len %d):\n",
370 (int)plaintext_password.length));
371 dump_data(100, (const char *)plaintext_password.data,
372 plaintext_password.length);
373 #endif
374
375 SMBencrypt( (const char *)plaintext_password.data,
376 (const uchar*)chal, local_lm_response);
377 local_lm_blob = data_blob(local_lm_response, 24);
378
379 /* We can't do an NT hash here, as the password needs to be
380 case insensitive */
381 local_nt_blob = data_blob(NULL, 0);
382
383 } else {
384 local_lm_blob = data_blob(NULL, 0);
385 local_nt_blob = data_blob(NULL, 0);
386 }
387
388 ret = make_user_info_map(
389 user_info, smb_name, client_domain,
390 get_remote_machine_name(),
391 local_lm_blob.data ? &local_lm_blob : NULL,
392 local_nt_blob.data ? &local_nt_blob : NULL,
393 NULL, NULL,
394 plaintext_password.data ? &plaintext_password : NULL,
395 False);
396
397 data_blob_free(&local_lm_blob);
398 return NT_STATUS_IS_OK(ret) ? True : False;
399 }
400
401 /****************************************************************************
402 Create an auth_usersupplied_data structure
403 ****************************************************************************/
404
405 NTSTATUS make_user_info_for_reply_enc(auth_usersupplied_info **user_info,
406 const char *smb_name,
407 const char *client_domain,
408 DATA_BLOB lm_resp, DATA_BLOB nt_resp)
409 {
410 return make_user_info_map(user_info, smb_name,
411 client_domain,
412 get_remote_machine_name(),
413 lm_resp.data ? &lm_resp : NULL,
414 nt_resp.data ? &nt_resp : NULL,
415 NULL, NULL, NULL,
416 True);
417 }
418
419 /****************************************************************************
420 Create a guest user_info blob, for anonymous authenticaion.
421 ****************************************************************************/
422
423 BOOL make_user_info_guest(auth_usersupplied_info **user_info)
424 {
425 NTSTATUS nt_status;
426
427 nt_status = make_user_info(user_info,
428 "","",
429 "","",
430 "",
431 NULL, NULL,
432 NULL, NULL,
433 NULL,
434 True);
435
436 return NT_STATUS_IS_OK(nt_status) ? True : False;
437 }
438
439 /****************************************************************************
440 prints a NT_USER_TOKEN to debug output.
441 ****************************************************************************/
442
443 void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token)
444 {
445 size_t i;
446
447 if (!token) {
448 DEBUGC(dbg_class, dbg_lev, ("NT user token: (NULL)\n"));
449 return;
450 }
451
452 DEBUGC(dbg_class, dbg_lev,
453 ("NT user token of user %s\n",
454 sid_string_static(&token->user_sids[0]) ));
455 DEBUGADDC(dbg_class, dbg_lev,
456 ("contains %lu SIDs\n", (unsigned long)token->num_sids));
457 for (i = 0; i < token->num_sids; i++)
458 DEBUGADDC(dbg_class, dbg_lev,
459 ("SID[%3lu]: %s\n", (unsigned long)i,
460 sid_string_static(&token->user_sids[i])));
461
462 dump_se_priv( dbg_class, dbg_lev, &token->privileges );
463 }
464
465 /****************************************************************************
466 prints a UNIX 'token' to debug output.
467 ****************************************************************************/
468
469 void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid,
470 int n_groups, gid_t *groups)
471 {
472 int i;
473 DEBUGC(dbg_class, dbg_lev,
474 ("UNIX token of user %ld\n", (long int)uid));
475
476 DEBUGADDC(dbg_class, dbg_lev,
477 ("Primary group is %ld and contains %i supplementary "
478 "groups\n", (long int)gid, n_groups));
479 for (i = 0; i < n_groups; i++)
480 DEBUGADDC(dbg_class, dbg_lev, ("Group[%3i]: %ld\n", i,
481 (long int)groups[i]));
482 }
483
484 /******************************************************************************
485 Create a token for the root user to be used internally by smbd.
486 This is similar to running under the context of the LOCAL_SYSTEM account
487 in Windows. This is a read-only token. Do not modify it or free() it.
488 Create a copy if your need to change it.
489 ******************************************************************************/
490
491 NT_USER_TOKEN *get_root_nt_token( void )
492 {
493 static NT_USER_TOKEN *token = NULL;
494 DOM_SID u_sid, g_sid;
495 struct passwd *pw;
496
497 if ( token )
498 return token;
499
500 if ( !(pw = sys_getpwnam( "root" )) ) {
501 DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n"));
502 return NULL;
503 }
504
505 /* get the user and primary group SIDs; although the
506 BUILTIN\Administrators SId is really the one that matters here */
507
508 uid_to_sid(&u_sid, pw->pw_uid);
509 gid_to_sid(&g_sid, pw->pw_gid);
510
511 token = create_local_nt_token(NULL, &u_sid, False,
512 1, &global_sid_Builtin_Administrators);
513 return token;
514 }
515
516 static int server_info_dtor(auth_serversupplied_info *server_info)
517 {
518 TALLOC_FREE(server_info->sam_account);
519 ZERO_STRUCTP(server_info);
520 return 0;
521 }
522
523 /***************************************************************************
524 Make a server_info struct. Free with TALLOC_FREE().
525 ***************************************************************************/
526
527 static auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx)
528 {
529 struct auth_serversupplied_info *result;
530
531 result = TALLOC_ZERO_P(mem_ctx, auth_serversupplied_info);
532 if (result == NULL) {
533 DEBUG(0, ("talloc failed\n"));
534 return NULL;
535 }
536
537 talloc_set_destructor(result, server_info_dtor);
538
539 /* Initialise the uid and gid values to something non-zero
540 which may save us from giving away root access if there
541 is a bug in allocating these fields. */
542
543 result->uid = -1;
544 result->gid = -1;
545 return result;
546 }
547
548 /***************************************************************************
549 Is the incoming username our own machine account ?
550 If so, the connection is almost certainly from winbindd.
551 ***************************************************************************/
552
553 static BOOL is_our_machine_account(const char *username)
554 {
555 BOOL ret;
556 char *truncname = NULL;
557 size_t ulen = strlen(username);
558
559 if (ulen == 0 || username[ulen-1] != '$') {
560 return False;
561 }
562 truncname = SMB_STRDUP(username);
563 if (!truncname) {
564 return False;
565 }
566 truncname[ulen-1] = '\0';
567 ret = strequal(truncname, global_myname());
568 SAFE_FREE(truncname);
569 return ret;
570 }
571
572 /***************************************************************************
573 Make (and fill) a user_info struct from a struct samu
574 ***************************************************************************/
575
576 NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
577 struct samu *sampass)
578 {
579 struct passwd *pwd;
580 gid_t *gids;
581 auth_serversupplied_info *result;
582 int i;
583 size_t num_gids;
584 DOM_SID unix_group_sid;
585 const char *username = pdb_get_username(sampass);
586
587 if ( !(pwd = getpwnam_alloc(NULL, username)) ) {
588 DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n",
589 username));
590 return NT_STATUS_NO_SUCH_USER;
591 }
592
593 if ( !(result = make_server_info(NULL)) ) {
594 TALLOC_FREE(pwd);
595 return NT_STATUS_NO_MEMORY;
596 }
597
598 result->sam_account = sampass;
599 result->unix_name = talloc_strdup(result, pwd->pw_name);
600 result->gid = pwd->pw_gid;
601 result->uid = pwd->pw_uid;
602
603 TALLOC_FREE(pwd);
604
605 if (IS_DC && is_our_machine_account(username)) {
606 /*
607 * Ensure for a connection from our own
608 * machine account (from winbindd on a DC)
609 * there are no supplementary groups.
610 * Prevents loops in calling gid_to_sid().
611 */
612 result->sids = NULL;
613 gids = NULL;
614 result->num_sids = 0;
615
616 /*
617 * This is a hack of monstrous proportions.
618 * If we know it's winbindd talking to us,
619 * we know we must never recurse into it,
620 * so turn off contacting winbindd for this
621 * entire process. This will get fixed when
622 * winbindd doesn't need to talk to smbd on
623 * a PDC. JRA.
624 */
625
626 winbind_off();
627
628 DEBUG(10, ("make_server_info_sam: our machine account %s "
629 "setting supplementary group list empty and "
630 "turning off winbindd requests.\n",
631 username));
632 } else {
633 NTSTATUS status = pdb_enum_group_memberships(result, sampass,
634 &result->sids, &gids,
635 &result->num_sids);
636
637 if (!NT_STATUS_IS_OK(status)) {
638 DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
639 nt_errstr(status)));
640 result->sam_account = NULL; /* Don't free on error exit. */
641 TALLOC_FREE(result);
642 return status;
643 }
644 }
645
646 /* Add the "Unix Group" SID for each gid to catch mapped groups
647 and their Unix equivalent. This is to solve the backwards
648 compatibility problem of 'valid users = +ntadmin' where
649 ntadmin has been paired with "Domain Admins" in the group
650 mapping table. Otherwise smb.conf would need to be changed
651 to 'valid user = "Domain Admins"'. --jerry */
652
653 num_gids = result->num_sids;
654 for ( i=0; i<num_gids; i++ ) {
655 if ( !gid_to_unix_groups_sid( gids[i], &unix_group_sid ) ) {
656 DEBUG(1,("make_server_info_sam: Failed to create SID "
657 "for gid %d!\n", gids[i]));
658 continue;
659 }
660 if (!add_sid_to_array_unique( result, &unix_group_sid,
661 &result->sids, &result->num_sids )) {
662 result->sam_account = NULL; /* Don't free on error exit. */
663 TALLOC_FREE(result);
664 return NT_STATUS_NO_MEMORY;
665 }
666 }
667
668 /* For now we throw away the gids and convert via sid_to_gid
669 * later. This needs fixing, but I'd like to get the code straight and
670 * simple first. */
671
672 TALLOC_FREE(gids);
673
674 DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n",
675 pdb_get_username(sampass), result->unix_name));
676
677 *server_info = result;
678
679 return NT_STATUS_OK;
680 }
681
682 /*
683 * Add alias SIDs from memberships within the partially created token SID list
684 */
685
686 static NTSTATUS add_aliases(const DOM_SID *domain_sid,
687 struct nt_user_token *token)
688 {
689 uint32 *aliases;
690 size_t i, num_aliases;
691 NTSTATUS status;
692 TALLOC_CTX *tmp_ctx;
693
694 if (!(tmp_ctx = talloc_init("add_aliases"))) {
695 return NT_STATUS_NO_MEMORY;
696 }
697
698 aliases = NULL;
699 num_aliases = 0;
700
701 status = pdb_enum_alias_memberships(tmp_ctx, domain_sid,
702 token->user_sids,
703 token->num_sids,
704 &aliases, &num_aliases);
705
706 if (!NT_STATUS_IS_OK(status)) {
707 DEBUG(10, ("pdb_enum_alias_memberships failed: %s\n",
708 nt_errstr(status)));
709 TALLOC_FREE(tmp_ctx);
710 return status;
711 }
712
713 for (i=0; i<num_aliases; i++) {
714 DOM_SID alias_sid;
715 sid_compose(&alias_sid, domain_sid, aliases[i]);
716 if (!add_sid_to_array_unique(token, &alias_sid,
717 &token->user_sids,
718 &token->num_sids)) {
719 DEBUG(0, ("add_sid_to_array failed\n"));
720 TALLOC_FREE(tmp_ctx);
721 return NT_STATUS_NO_MEMORY;
722 }
723 }
724
725 TALLOC_FREE(tmp_ctx);
726 return NT_STATUS_OK;
727 }
728
729 static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token)
730 {
731 char *command;
732 char *group_sidstr;
733 size_t i;
734
735 if ((lp_log_nt_token_command() == NULL) ||
736 (strlen(lp_log_nt_token_command()) == 0)) {
737 return NT_STATUS_OK;
738 }
739
740 group_sidstr = talloc_strdup(tmp_ctx, "");
741 for (i=1; i<token->num_sids; i++) {
742 group_sidstr = talloc_asprintf(
743 tmp_ctx, "%s %s", group_sidstr,
744 sid_string_static(&token->user_sids[i]));
745 }
746
747 command = talloc_string_sub(
748 tmp_ctx, lp_log_nt_token_command(),
749 "%s", sid_string_static(&token->user_sids[0]));
750 command = talloc_string_sub(tmp_ctx, command, "%t", group_sidstr);
751
752 if (command == NULL) {
753 return NT_STATUS_NO_MEMORY;
754 }
755
756 DEBUG(8, ("running command: [%s]\n", command));
757 if (smbrun(command, NULL) != 0) {
758 DEBUG(0, ("Could not log NT token\n"));
759 return NT_STATUS_ACCESS_DENIED;
760 }
761
762 return NT_STATUS_OK;
763 }
764
765 /*******************************************************************
766 *******************************************************************/
767
768 static NTSTATUS add_builtin_administrators( struct nt_user_token *token )
769 {
770 DOM_SID domadm;
771
772 /* nothing to do if we aren't in a domain */
773
774 if ( !(IS_DC || lp_server_role()==ROLE_DOMAIN_MEMBER) ) {
775 return NT_STATUS_OK;
776 }
777
778 /* Find the Domain Admins SID */
779
780 if ( IS_DC ) {
781 sid_copy( &domadm, get_global_sam_sid() );
782 } else {
783 if ( !secrets_fetch_domain_sid( lp_workgroup(), &domadm ) )
784 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
785 }
786 sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS );
787
788 /* Add Administrators if the user beloongs to Domain Admins */
789
790 if ( nt_token_check_sid( &domadm, token ) ) {
791 if (!add_sid_to_array(token, &global_sid_Builtin_Administrators,
792 &token->user_sids, &token->num_sids)) {
793 return NT_STATUS_NO_MEMORY;
794 }
795 }
796
797 return NT_STATUS_OK;
798 }
799
800 /*******************************************************************
801 *******************************************************************/
802
803 static NTSTATUS create_builtin_users( void )
804 {
805 NTSTATUS status;
806 DOM_SID dom_users;
807
808 status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_USERS );
809 if ( !NT_STATUS_IS_OK(status) ) {
810 DEBUG(0,("create_builtin_users: Failed to create Users\n"));
811 return status;
812 }
813
814 /* add domain users */
815 if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER))
816 && secrets_fetch_domain_sid(lp_workgroup(), &dom_users))
817 {
818 sid_append_rid(&dom_users, DOMAIN_GROUP_RID_USERS );
819 status = pdb_add_aliasmem( &global_sid_Builtin_Users, &dom_users);
820 if ( !NT_STATUS_IS_OK(status) ) {
821 DEBUG(0,("create_builtin_users: Failed to add Domain Users to"
822 " Users\n"));
823 return status;
824 }
825 }
826
827 return NT_STATUS_OK;
828 }
829
830 /*******************************************************************
831 *******************************************************************/
832
833 static NTSTATUS create_builtin_administrators( void )
834 {
835 NTSTATUS status;
836 DOM_SID dom_admins, root_sid;
837 fstring root_name;
838 enum lsa_SidType type;
839 TALLOC_CTX *ctx;
840 BOOL ret;
841
842 status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_ADMINS );
843 if ( !NT_STATUS_IS_OK(status) ) {
844 DEBUG(0,("create_builtin_administrators: Failed to create Administrators\n"));
845 return status;
846 }
847
848 /* add domain admins */
849 if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER))
850 && secrets_fetch_domain_sid(lp_workgroup(), &dom_admins))
851 {
852 sid_append_rid(&dom_admins, DOMAIN_GROUP_RID_ADMINS);
853 status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &dom_admins );
854 if ( !NT_STATUS_IS_OK(status) ) {
855 DEBUG(0,("create_builtin_administrators: Failed to add Domain Admins"
856 " Administrators\n"));
857 return status;
858 }
859 }
860
861 /* add root */
862 if ( (ctx = talloc_init("create_builtin_administrators")) == NULL ) {
863 return NT_STATUS_NO_MEMORY;
864 }
865 fstr_sprintf( root_name, "%s\\root", get_global_sam_name() );
866 ret = lookup_name( ctx, root_name, LOOKUP_NAME_DOMAIN, NULL, NULL, &root_sid, &type );
867 TALLOC_FREE( ctx );
868
869 if ( ret ) {
870 status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &root_sid );
871 if ( !NT_STATUS_IS_OK(status) ) {
872 DEBUG(0,("create_builtin_administrators: Failed to add root"
873 " Administrators\n"));
874 return status;
875 }
876 }
877
878 return NT_STATUS_OK;
879 }
880
881 /*******************************************************************
882 Create a NT token for the user, expanding local aliases
883 *******************************************************************/
884
885 static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
886 const DOM_SID *user_sid,
887 BOOL is_guest,
888 int num_groupsids,
889 const DOM_SID *groupsids)
890 {
891 struct nt_user_token *result = NULL;
892 int i;
893 NTSTATUS status;
894 gid_t gid;
895
896 DEBUG(10, ("Create local NT token for %s\n", sid_string_static(user_sid)));
897
898 if (!(result = TALLOC_ZERO_P(mem_ctx, NT_USER_TOKEN))) {
899 DEBUG(0, ("talloc failed\n"));
900 return NULL;
901 }
902
903 /* Add the user and primary group sid */
904
905 if (!add_sid_to_array(result, user_sid,
906 &result->user_sids, &result->num_sids)) {
907 return NULL;
908 }
909
910 /* For guest, num_groupsids may be zero. */
911 if (num_groupsids) {
912 if (!add_sid_to_array(result, &groupsids[0],
913 &result->user_sids, &result->num_sids)) {
914 return NULL;
915 }
916 }
917
918 /* Add in BUILTIN sids */
919
920 if (!add_sid_to_array(result, &global_sid_World,
921 &result->user_sids, &result->num_sids)) {
922 return NULL;
923 }
924 if (!add_sid_to_array(result, &global_sid_Network,
925 &result->user_sids, &result->num_sids)) {
926 return NULL;
927 }
928
929 if (is_guest) {
930 if (!add_sid_to_array(result, &global_sid_Builtin_Guests,
931 &result->user_sids, &result->num_sids)) {
932 return NULL;
933 }
934 } else {
935 if (!add_sid_to_array(result, &global_sid_Authenticated_Users,
936 &result->user_sids, &result->num_sids)) {
937 return NULL;
938 }
939 }
940
941 /* Now the SIDs we got from authentication. These are the ones from
942 * the info3 struct or from the pdb_enum_group_memberships, depending
943 * on who authenticated the user.
944 * Note that we start the for loop at "1" here, we already added the
945 * first group sid as primary above. */
946
947 for (i=1; i<num_groupsids; i++) {
948 if (!add_sid_to_array_unique(result, &groupsids[i],
949 &result->user_sids, &result->num_sids)) {
950 return NULL;
951 }
952 }
953
954 /* Deal with the BUILTIN\Administrators group. If the SID can
955 be resolved then assume that the add_aliasmem( S-1-5-32 )
956 handled it. */
957
958 if ( !sid_to_gid( &global_sid_Builtin_Administrators, &gid ) ) {
959 /* We can only create a mapping if winbind is running
960 and the nested group functionality has been enabled */
961
962 if ( lp_winbind_nested_groups() && winbind_ping() ) {
963 become_root();
964 status = create_builtin_administrators( );
965 if ( !NT_STATUS_IS_OK(status) ) {
966 DEBUG(2,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n"));
967 /* don't fail, just log the message */
968 }
969 unbecome_root();
970 }
971 else {
972 status = add_builtin_administrators( result );
973 if ( !NT_STATUS_IS_OK(status) ) {
974 /* just log a complaint but do not fail */
975 DEBUG(3,("create_local_nt_token: failed to check for local Administrators"
976 " membership (%s)\n", nt_errstr(status)));
977 }
978 }
979 }
980
981 /* Deal with the BUILTIN\Users group. If the SID can
982 be resolved then assume that the add_aliasmem( S-1-5-32 )
983 handled it. */
984
985 if ( !sid_to_gid( &global_sid_Builtin_Users, &gid ) ) {
986 /* We can only create a mapping if winbind is running
987 and the nested group functionality has been enabled */
988
989 if ( lp_winbind_nested_groups() && winbind_ping() ) {
990 become_root();
991 status = create_builtin_users( );
992 if ( !NT_STATUS_IS_OK(status) ) {
993 DEBUG(2,("create_local_nt_token: Failed to create BUILTIN\\Users group!\n"));
994 /* don't fail, just log the message */
995 }
996 unbecome_root();
997 }
998 }
999
1000 /* Deal with local groups */
1001
1002 if (lp_winbind_nested_groups()) {
1003
1004 become_root();
1005
1006 /* Now add the aliases. First the one from our local SAM */
1007
1008 status = add_aliases(get_global_sam_sid(), result);
1009
1010 if (!NT_STATUS_IS_OK(status)) {
1011 unbecome_root();
1012 TALLOC_FREE(result);
1013 return NULL;
1014 }
1015
1016 /* Finally the builtin ones */
1017
1018 status = add_aliases(&global_sid_Builtin, result);
1019
1020 if (!NT_STATUS_IS_OK(status)) {
1021 unbecome_root();
1022 TALLOC_FREE(result);
1023 return NULL;
1024 }
1025
1026 unbecome_root();
1027 }
1028
1029
1030 get_privileges_for_sids(&result->privileges, result->user_sids,
1031 result->num_sids);
1032 return result;
1033 }
1034
1035 /*
1036 * Create the token to use from server_info->sam_account and
1037 * server_info->sids (the info3/sam groups). Find the unix gids.
1038 */
1039
1040 NTSTATUS create_local_token(auth_serversupplied_info *server_info)
1041 {
1042 TALLOC_CTX *mem_ctx;
1043 NTSTATUS status;
1044 size_t i;
1045
1046
1047 mem_ctx = talloc_new(NULL);
1048 if (mem_ctx == NULL) {
1049 DEBUG(0, ("talloc_new failed\n"));
1050 return NT_STATUS_NO_MEMORY;
1051 }
1052
1053 /*
1054 * If winbind is not around, we can not make much use of the SIDs the
1055 * domain controller provided us with. Likewise if the user name was
1056 * mapped to some local unix user.
1057 */
1058
1059 if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
1060 (server_info->was_mapped)) {
1061 status = create_token_from_username(server_info,
1062 server_info->unix_name,
1063 server_info->guest,
1064 &server_info->uid,
1065 &server_info->gid,
1066 &server_info->unix_name,
1067 &server_info->ptok);
1068
1069 } else {
1070 server_info->ptok = create_local_nt_token(
1071 server_info,
1072 pdb_get_user_sid(server_info->sam_account),
1073 server_info->guest,
1074 server_info->num_sids, server_info->sids);
1075 status = server_info->ptok ?
1076 NT_STATUS_OK : NT_STATUS_NO_SUCH_USER;
1077 }
1078
1079 if (!NT_STATUS_IS_OK(status)) {
1080 TALLOC_FREE(mem_ctx);
1081 return status;
1082 }
1083
1084 /* Convert the SIDs to gids. */
1085
1086 server_info->n_groups = 0;
1087 server_info->groups = NULL;
1088
1089 /* Start at index 1, where the groups start. */
1090
1091 for (i=1; i<server_info->ptok->num_sids; i++) {
1092 gid_t gid;
1093 DOM_SID *sid = &server_info->ptok->user_sids[i];
1094
1095 if (!sid_to_gid(sid, &gid)) {
1096 DEBUG(10, ("Could not convert SID %s to gid, "
1097 "ignoring it\n", sid_string_static(sid)));
1098 continue;
1099 }
1100 add_gid_to_array_unique(server_info, gid, &server_info->groups,
1101 &server_info->n_groups);
1102 }
1103
1104 debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok);
1105
1106 status = log_nt_token(mem_ctx, server_info->ptok);
1107
1108 TALLOC_FREE(mem_ctx);
1109 return status;
1110 }
1111
1112 /*
1113 * Create an artificial NT token given just a username. (Initially indended
1114 * for force user)
1115 *
1116 * We go through lookup_name() to avoid problems we had with 'winbind use
1117 * default domain'.
1118 *
1119 * We have 3 cases:
1120 *
1121 * unmapped unix users: Go directly to nss to find the user's group.
1122 *
1123 * A passdb user: The list of groups is provided by pdb_enum_group_memberships.
1124 *
1125 * If the user is provided by winbind, the primary gid is set to "domain
1126 * users" of the user's domain. For an explanation why this is necessary, see
1127 * the thread starting at
1128 * http://lists.samba.org/archive/samba-technical/2006-January/044803.html.
1129 */
1130
1131 NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
1132 BOOL is_guest,
1133 uid_t *uid, gid_t *gid,
1134 char **found_username,
1135 struct nt_user_token **token)
1136 {
1137 NTSTATUS result = NT_STATUS_NO_SUCH_USER;
1138 TALLOC_CTX *tmp_ctx;
1139 DOM_SID user_sid;
1140 enum lsa_SidType type;
1141 gid_t *gids;
1142 DOM_SID *group_sids;
1143 DOM_SID unix_group_sid;
1144 size_t num_group_sids;
1145 size_t num_gids;
1146 size_t i;
1147
1148 tmp_ctx = talloc_new(NULL);
1149 if (tmp_ctx == NULL) {
1150 DEBUG(0, ("talloc_new failed\n"));
1151 return NT_STATUS_NO_MEMORY;
1152 }
1153
1154 if (!lookup_name_smbconf(tmp_ctx, username, LOOKUP_NAME_ALL,
1155 NULL, NULL, &user_sid, &type)) {
1156 DEBUG(1, ("lookup_name_smbconf for %s failed\n", username));
1157 goto done;
1158 }
1159
1160 if (type != SID_NAME_USER) {
1161 DEBUG(1, ("%s is a %s, not a user\n", username,
1162 sid_type_lookup(type)));
1163 goto done;
1164 }
1165
1166 if (!sid_to_uid(&user_sid, uid)) {
1167 DEBUG(1, ("sid_to_uid for %s (%s) failed\n",
1168 username, sid_string_static(&user_sid)));
1169 goto done;
1170 }
1171
1172 if (sid_check_is_in_our_domain(&user_sid)) {
1173 BOOL ret;
1174
1175 /* This is a passdb user, so ask passdb */
1176
1177 struct samu *sam_acct = NULL;
1178
1179 if ( !(sam_acct = samu_new( tmp_ctx )) ) {
1180 result = NT_STATUS_NO_MEMORY;
1181 goto done;
1182 }
1183
1184 become_root();
1185 ret = pdb_getsampwsid(sam_acct, &user_sid);
1186 unbecome_root();
1187
1188 if (!ret) {
1189 DEBUG(1, ("pdb_getsampwsid(%s) for user %s failed\n",
1190 sid_string_static(&user_sid), username));
1191 DEBUGADD(1, ("Fall back to unix user %s\n", username));
1192 goto unix_user;
1193 }
1194
1195 result = pdb_enum_group_memberships(tmp_ctx, sam_acct,
1196 &group_sids, &gids,
1197 &num_group_sids);
1198 if (!NT_STATUS_IS_OK(result)) {
1199 DEBUG(10, ("enum_group_memberships failed for %s\n",
1200 username));
1201 DEBUGADD(1, ("Fall back to unix user %s\n", username));
1202 goto unix_user;
1203 }
1204
1205 /* see the smb_panic() in pdb_default_enum_group_memberships */
1206 SMB_ASSERT(num_group_sids > 0);
1207
1208 *gid = gids[0];
1209
1210 /* Ensure we're returning the found_username on the right context. */
1211 *found_username = talloc_strdup(mem_ctx,
1212 pdb_get_username(sam_acct));
1213
1214 } else if (sid_check_is_in_unix_users(&user_sid)) {
1215
1216 /* This is a unix user not in passdb. We need to ask nss
1217 * directly, without consulting passdb */
1218
1219 struct passwd *pass;
1220
1221 /*
1222 * This goto target is used as a fallback for the passdb
1223 * case. The concrete bug report is when passdb gave us an
1224 * unmapped gid.
1225 */
1226
1227 unix_user:
1228
1229 uid_to_unix_users_sid(*uid, &user_sid);
1230
1231 pass = getpwuid_alloc(tmp_ctx, *uid);
1232 if (pass == NULL) {
1233 DEBUG(1, ("getpwuid(%d) for user %s failed\n",
1234 *uid, username));
1235 goto done;
1236 }
1237
1238 if (!getgroups_unix_user(tmp_ctx, username, pass->pw_gid,
1239 &gids, &num_group_sids)) {
1240 DEBUG(1, ("getgroups_unix_user for user %s failed\n",
1241 username));
1242 goto done;
1243 }
1244
1245 if (num_group_sids) {
1246 group_sids = TALLOC_ARRAY(tmp_ctx, DOM_SID, num_group_sids);
1247 if (group_sids == NULL) {
1248 DEBUG(1, ("TALLOC_ARRAY failed\n"));
1249 result = NT_STATUS_NO_MEMORY;
1250 goto done;
1251 }
1252 } else {
1253 group_sids = NULL;
1254 }
1255
1256 for (i=0; i<num_group_sids; i++) {
1257 gid_to_sid(&group_sids[i], gids[i]);
1258 }
1259
1260 /* In getgroups_unix_user we always set the primary gid */
1261 SMB_ASSERT(num_group_sids > 0);
1262
1263 *gid = gids[0];
1264
1265 /* Ensure we're returning the found_username on the right context. */
1266 *found_username = talloc_strdup(mem_ctx, pass->pw_name);
1267 } else {
1268
1269 /* This user is from winbind, force the primary gid to the
1270 * user's "domain users" group. Under certain circumstances
1271 * (user comes from NT4), this might be a loss of
1272 * information. But we can not rely on winbind getting the
1273 * correct info. AD might prohibit winbind looking up that
1274 * information. */
1275
1276 uint32 dummy;
1277
1278 num_group_sids = 1;
1279 group_sids = TALLOC_ARRAY(tmp_ctx, DOM_SID, num_group_sids);
1280 if (group_sids == NULL) {
1281 DEBUG(1, ("TALLOC_ARRAY failed\n"));
1282 result = NT_STATUS_NO_MEMORY;
1283 goto done;
1284 }
1285
1286 sid_copy(&group_sids[0], &user_sid);
1287 sid_split_rid(&group_sids[0], &dummy);
1288 sid_append_rid(&group_sids[0], DOMAIN_GROUP_RID_USERS);
1289
1290 if (!sid_to_gid(&group_sids[0], gid)) {
1291 DEBUG(1, ("sid_to_gid(%s) failed\n",
1292 sid_string_static(&group_sids[0])));
1293 goto done;
1294 }
1295
1296 gids = gid;
1297
1298 /* Ensure we're returning the found_username on the right context. */
1299 *found_username = talloc_strdup(mem_ctx, username);
1300 }
1301
1302 /* Add the "Unix Group" SID for each gid to catch mapped groups
1303 and their Unix equivalent. This is to solve the backwards
1304 compatibility problem of 'valid users = +ntadmin' where
1305 ntadmin has been paired with "Domain Admins" in the group
1306 mapping table. Otherwise smb.conf would need to be changed
1307 to 'valid user = "Domain Admins"'. --jerry */
1308
1309 num_gids = num_group_sids;
1310 for ( i=0; i<num_gids; i++ ) {
1311 gid_t high, low;
1312
1313 /* don't pickup anything managed by Winbind */
1314
1315 if ( lp_idmap_gid(&low, &high) && (gids[i] >= low) && (gids[i] <= high) )
1316 continue;
1317
1318 if ( !gid_to_unix_groups_sid( gids[i], &unix_group_sid ) ) {
1319 DEBUG(1,("create_token_from_username: Failed to create SID "
1320 "for gid %d!\n", gids[i]));
1321 continue;
1322 }
1323 if (!add_sid_to_array_unique(tmp_ctx, &unix_group_sid,
1324 &group_sids, &num_group_sids )) {
1325 result = NT_STATUS_NO_MEMORY;
1326 goto done;
1327 }
1328 }
1329
1330 /* Ensure we're creating the nt_token on the right context. */
1331 *token = create_local_nt_token(mem_ctx, &user_sid,
1332 is_guest, num_group_sids, group_sids);
1333
1334 if ((*token == NULL) || (*found_username == NULL)) {
1335 result = NT_STATUS_NO_MEMORY;
1336 goto done;
1337 }
1338
1339 result = NT_STATUS_OK;
1340 done:
1341 TALLOC_FREE(tmp_ctx);
1342 return result;
1343 }
1344
1345 /***************************************************************************
1346 Build upon create_token_from_username:
1347
1348 Expensive helper function to figure out whether a user given its name is
1349 member of a particular group.
1350 ***************************************************************************/
1351
1352 BOOL user_in_group_sid(const char *username, const DOM_SID *group_sid)
1353 {
1354 NTSTATUS status;
1355 uid_t uid;
1356 gid_t gid;
1357 char *found_username;
1358 struct nt_user_token *token;
1359 BOOL result;
1360
1361 TALLOC_CTX *mem_ctx;
1362
1363 mem_ctx = talloc_new(NULL);
1364 if (mem_ctx == NULL) {
1365 DEBUG(0, ("talloc_new failed\n"));
1366 return False;
1367 }
1368
1369 status = create_token_from_username(mem_ctx, username, False,
1370 &uid, &gid, &found_username,
1371 &token);
1372
1373 if (!NT_STATUS_IS_OK(status)) {
1374 DEBUG(10, ("could not create token for %s\n", username));
1375 return False;
1376 }
1377
1378 result = nt_token_check_sid(group_sid, token);
1379
1380 TALLOC_FREE(mem_ctx);
1381 return result;
1382
1383 }
1384
1385 BOOL user_in_group(const char *username, const char *groupname)
1386 {
1387 TALLOC_CTX *mem_ctx;
1388 DOM_SID group_sid;
1389 BOOL ret;
1390
1391 mem_ctx = talloc_new(NULL);
1392 if (mem_ctx == NULL) {
1393 DEBUG(0, ("talloc_new failed\n"));
1394 return False;
1395 }
1396
1397 ret = lookup_name(mem_ctx, groupname, LOOKUP_NAME_ALL,
1398 NULL, NULL, &group_sid, NULL);
1399 TALLOC_FREE(mem_ctx);
1400
1401 if (!ret) {
1402 DEBUG(10, ("lookup_name for (%s) failed.\n", groupname));
1403 return False;
1404 }
1405
1406 return user_in_group_sid(username, &group_sid);
1407 }
1408
1409
1410 /***************************************************************************
1411 Make (and fill) a user_info struct from a 'struct passwd' by conversion
1412 to a struct samu
1413 ***************************************************************************/
1414
1415 NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info,
1416 char *unix_username,
1417 struct passwd *pwd)
1418 {
1419 NTSTATUS status;
1420 struct samu *sampass = NULL;
1421 gid_t *gids;
1422 char *qualified_name = NULL;
1423 TALLOC_CTX *mem_ctx = NULL;
1424 DOM_SID u_sid;
1425 enum lsa_SidType type;
1426 auth_serversupplied_info *result;
1427
1428 if ( !(sampass = samu_new( NULL )) ) {
1429 return NT_STATUS_NO_MEMORY;
1430 }
1431
1432 status = samu_set_unix( sampass, pwd );
1433 if (!NT_STATUS_IS_OK(status)) {
1434 return status;
1435 }
1436
1437 result = make_server_info(NULL);
1438 if (result == NULL) {
1439 TALLOC_FREE(sampass);
1440 return NT_STATUS_NO_MEMORY;
1441 }
1442
1443 result->sam_account = sampass;
1444 result->unix_name = talloc_strdup(result, unix_username);
1445 result->uid = pwd->pw_uid;
1446 result->gid = pwd->pw_gid;
1447
1448 status = pdb_enum_group_memberships(result, sampass,
1449 &result->sids, &gids,
1450 &result->num_sids);
1451
1452 if (!NT_STATUS_IS_OK(status)) {
1453 DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
1454 nt_errstr(status)));
1455 TALLOC_FREE(result);
1456 return status;
1457 }
1458
1459 /*
1460 * The SID returned in server_info->sam_account is based
1461 * on our SAM sid even though for a pure UNIX account this should
1462 * not be the case as it doesn't really exist in the SAM db.
1463 * This causes lookups on "[in]valid users" to fail as they
1464 * will lookup this name as a "Unix User" SID to check against
1465 * the user token. Fix this by adding the "Unix User"\unix_username
1466 * SID to the sid array. The correct fix should probably be
1467 * changing the server_info->sam_account user SID to be a
1468 * S-1-22 Unix SID, but this might break old configs where
1469 * plaintext passwords were used with no SAM backend.
1470 */
1471
1472 mem_ctx = talloc_init("make_server_info_pw_tmp");
1473 if (!mem_ctx) {
1474 TALLOC_FREE(result);
1475 return NT_STATUS_NO_MEMORY;
1476 }
1477
1478 qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
1479 unix_users_domain_name(),
1480 unix_username );
1481 if (!qualified_name) {
1482 TALLOC_FREE(result);
1483 TALLOC_FREE(mem_ctx);
1484 return NT_STATUS_NO_MEMORY;
1485 }
1486
1487 if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
1488 NULL, NULL,
1489 &u_sid, &type)) {
1490 TALLOC_FREE(result);
1491 TALLOC_FREE(mem_ctx);
1492 return NT_STATUS_NO_SUCH_USER;
1493 }
1494
1495 TALLOC_FREE(mem_ctx);
1496
1497 if (type != SID_NAME_USER) {
1498 TALLOC_FREE(result);
1499 return NT_STATUS_NO_SUCH_USER;
1500 }
1501
1502 if (!add_sid_to_array_unique(result, &u_sid,
1503 &result->sids,
1504 &result->num_sids)) {
1505 TALLOC_FREE(result);
1506 return NT_STATUS_NO_MEMORY;
1507 }
1508
1509 /* For now we throw away the gids and convert via sid_to_gid
1510 * later. This needs fixing, but I'd like to get the code straight and
1511 * simple first. */
1512 TALLOC_FREE(gids);
1513
1514 *server_info = result;
1515
1516 return NT_STATUS_OK;
1517 }
1518
1519 /***************************************************************************
1520 Make (and fill) a user_info struct for a guest login.
1521 This *must* succeed for smbd to start. If there is no mapping entry for
1522 the guest gid, then create one.
1523 ***************************************************************************/
1524
1525 static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_info)
1526 {
1527 NTSTATUS status;
1528 struct samu *sampass = NULL;
1529 DOM_SID guest_sid;
1530 BOOL ret;
1531 static const char zeros[16] = { 0, };
1532
1533 if ( !(sampass = samu_new( NULL )) ) {
1534 return NT_STATUS_NO_MEMORY;
1535 }
1536
1537 sid_copy(&guest_sid, get_global_sam_sid());
1538 sid_append_rid(&guest_sid, DOMAIN_USER_RID_GUEST);
1539
1540 become_root();
1541 ret = pdb_getsampwsid(sampass, &guest_sid);
1542 unbecome_root();
1543
1544 if (!ret) {
1545 TALLOC_FREE(sampass);
1546 return NT_STATUS_NO_SUCH_USER;
1547 }
1548
1549 status = make_server_info_sam(server_info, sampass);
1550 if (!NT_STATUS_IS_OK(status)) {
1551 TALLOC_FREE(sampass);
1552 return status;
1553 }
1554
1555 (*server_info)->guest = True;
1556
1557 status = create_local_token(*server_info);
1558 if (!NT_STATUS_IS_OK(status)) {
1559 DEBUG(10, ("create_local_token failed: %s\n",
1560 nt_errstr(status)));
1561 return status;
1562 }
1563
1564 /* annoying, but the Guest really does have a session key, and it is
1565 all zeros! */
1566 (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));
1567 (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
1568
1569 return NT_STATUS_OK;
1570 }
1571
1572 static auth_serversupplied_info *copy_serverinfo(auth_serversupplied_info *src)
1573 {
1574 auth_serversupplied_info *dst;
1575
1576 dst = make_server_info(NULL);
1577 if (dst == NULL) {
1578 return NULL;
1579 }
1580
1581 dst->guest = src->guest;
1582 dst->uid = src->uid;
1583 dst->gid = src->gid;
1584 dst->n_groups = src->n_groups;
1585 if (src->n_groups != 0) {
1586 dst->groups = (gid_t *)TALLOC_MEMDUP(
1587 dst, src->groups, sizeof(gid_t)*dst->n_groups);
1588 } else {
1589 dst->groups = NULL;
1590 }
1591
1592 if (src->ptok) {
1593 dst->ptok = dup_nt_token(dst, src->ptok);
1594 if (!dst->ptok) {
1595 TALLOC_FREE(dst);
1596 return NULL;
1597 }
1598 }
1599
1600 dst->user_session_key = data_blob_talloc( dst, src->user_session_key.data,
1601 src->user_session_key.length);
1602
1603 dst->lm_session_key = data_blob_talloc(dst, src->lm_session_key.data,
1604 src->lm_session_key.length);
1605
1606 dst->sam_account = samu_new(NULL);
1607 if (!dst->sam_account) {
1608 TALLOC_FREE(dst);
1609 return NULL;
1610 }
1611
1612 if (!pdb_copy_sam_account(dst->sam_account, src->sam_account)) {
1613 TALLOC_FREE(dst);
1614 return NULL;
1615 }
1616
1617 dst->pam_handle = NULL;
1618 dst->unix_name = talloc_strdup(dst, src->unix_name);
1619 if (!dst->unix_name) {
1620 TALLOC_FREE(dst);
1621 return NULL;
1622 }
1623
1624 return dst;
1625 }
1626
1627 static auth_serversupplied_info *guest_info = NULL;
1628
1629 BOOL init_guest_info(void)
1630 {
1631 if (guest_info != NULL)
1632 return True;
1633
1634 return NT_STATUS_IS_OK(make_new_server_info_guest(&guest_info));
1635 }
1636
1637 NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info)
1638 {
1639 *server_info = copy_serverinfo(guest_info);
1640 return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1641 }
1642
1643 BOOL copy_current_user(struct current_user *dst, struct current_user *src)
1644 {
1645 gid_t *groups;
1646 NT_USER_TOKEN *nt_token;
1647
1648 groups = (gid_t *)memdup(src->ut.groups,
1649 sizeof(gid_t) * src->ut.ngroups);
1650 if ((src->ut.ngroups != 0) && (groups == NULL)) {
1651 return False;
1652 }
1653
1654 nt_token = dup_nt_token(NULL, src->nt_user_token);
1655 if (nt_token == NULL) {
1656 SAFE_FREE(groups);
1657 return False;
1658 }
1659
1660 dst->conn = src->conn;
1661 dst->vuid = src->vuid;
1662 dst->ut.uid = src->ut.uid;
1663 dst->ut.gid = src->ut.gid;
1664 dst->ut.ngroups = src->ut.ngroups;
1665 dst->ut.groups = groups;
1666 dst->nt_user_token = nt_token;
1667 return True;
1668 }
1669
1670 BOOL set_current_user_guest(struct current_user *dst)
1671 {
1672 gid_t *groups;
1673 NT_USER_TOKEN *nt_token;
1674
1675 groups = (gid_t *)memdup(guest_info->groups,
1676 sizeof(gid_t) * guest_info->n_groups);
1677 if (groups == NULL) {
1678 return False;
1679 }
1680
1681 nt_token = dup_nt_token(NULL, guest_info->ptok);
1682 if (nt_token == NULL) {
1683 SAFE_FREE(groups);
1684 return False;
1685 }
1686
1687 TALLOC_FREE(dst->nt_user_token);
1688 SAFE_FREE(dst->ut.groups);
1689
1690 /* dst->conn is never really dereferenced, it's only tested for
1691 * equality in uid.c */
1692 dst->conn = NULL;
1693
1694 dst->vuid = UID_FIELD_INVALID;
1695 dst->ut.uid = guest_info->uid;
1696 dst->ut.gid = guest_info->gid;
1697 dst->ut.ngroups = guest_info->n_groups;
1698 dst->ut.groups = groups;
1699 dst->nt_user_token = nt_token;
1700 return True;
1701 }
1702
1703 /***************************************************************************
1704 Purely internal function for make_server_info_info3
1705 Fill the sam account from getpwnam
1706 ***************************************************************************/
1707 static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx,
1708 const char *domain,
1709 const char *username,
1710 char **found_username,
1711 uid_t *uid, gid_t *gid,
1712 struct samu *account,
1713 BOOL *username_was_mapped)
1714 {
1715 NTSTATUS nt_status;
1716 fstring dom_user, lower_username;
1717 fstring real_username;
1718 struct passwd *passwd;
1719
1720 fstrcpy( lower_username, username );
1721 strlower_m( lower_username );
1722
1723 fstr_sprintf(dom_user, "%s%c%s", domain, *lp_winbind_separator(),
1724 lower_username);
1725
1726 /* Get the passwd struct. Try to create the account is necessary. */
1727
1728 *username_was_mapped = map_username( dom_user );
1729
1730 if ( !(passwd = smb_getpwnam( NULL, dom_user, real_username, True )) )
1731 return NT_STATUS_NO_SUCH_USER;
1732
1733 *uid = passwd->pw_uid;
1734 *gid = passwd->pw_gid;
1735
1736 /* This is pointless -- there is no suport for differing
1737 unix and windows names. Make sure to always store the
1738 one we actually looked up and succeeded. Have I mentioned
1739 why I hate the 'winbind use default domain' parameter?
1740 --jerry */
1741
1742 *found_username = talloc_strdup( mem_ctx, real_username );
1743
1744 DEBUG(5,("fill_sam_account: located username was [%s]\n", *found_username));
1745
1746 nt_status = samu_set_unix( account, passwd );
1747
1748 TALLOC_FREE(passwd);
1749
1750 return nt_status;
1751 }
1752
1753 /****************************************************************************
1754 Wrapper to allow the getpwnam() call to strip the domain name and
1755 try again in case a local UNIX user is already there. Also run through
1756 the username if we fallback to the username only.
1757 ****************************************************************************/
1758
1759 struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, char *domuser,
1760 fstring save_username, BOOL create )
1761 {
1762 struct passwd *pw = NULL;
1763 char *p;
1764 fstring username;
1765
1766 /* we only save a copy of the username it has been mangled
1767 by winbindd use default domain */
1768
1769 save_username[0] = '\0';
1770
1771 /* don't call map_username() here since it has to be done higher
1772 up the stack so we don't call it mutliple times */
1773
1774 fstrcpy( username, domuser );
1775
1776 p = strchr_m( username, *lp_winbind_separator() );
1777
1778 /* code for a DOMAIN\user string */
1779
1780 if ( p ) {
1781 fstring strip_username;
1782
1783 pw = Get_Pwnam_alloc( mem_ctx, domuser );
1784 if ( pw ) {
1785 /* make sure we get the case of the username correct */
1786 /* work around 'winbind use default domain = yes' */
1787
1788 if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
1789 char *domain;
1790
1791 /* split the domain and username into 2 strings */
1792 *p = '\0';
1793 domain = username;
1794
1795 fstr_sprintf(save_username, "%s%c%s", domain, *lp_winbind_separator(), pw->pw_name);
1796 }
1797 else
1798 fstrcpy( save_username, pw->pw_name );
1799
1800 /* whew -- done! */
1801 return pw;
1802 }
1803
1804 /* setup for lookup of just the username */
1805 /* remember that p and username are overlapping memory */
1806
1807 p++;
1808 fstrcpy( strip_username, p );
1809 fstrcpy( username, strip_username );
1810 }
1811
1812 /* just lookup a plain username */
1813
1814 pw = Get_Pwnam_alloc(mem_ctx, username);
1815
1816 /* Create local user if requested but only if winbindd
1817 is not running. We need to protect against cases
1818 where winbindd is failing and then prematurely
1819 creating users in /etc/passwd */
1820
1821 if ( !pw && create && !winbind_ping() ) {
1822 /* Don't add a machine account. */
1823 if (username[strlen(username)-1] == '$')
1824 return NULL;
1825
1826 smb_create_user(NULL, username, NULL);
1827 pw = Get_Pwnam_alloc(mem_ctx, username);
1828 }
1829
1830 /* one last check for a valid passwd struct */
1831
1832 if ( pw )
1833 fstrcpy( save_username, pw->pw_name );
1834
1835 return pw;
1836 }
1837
1838 /***************************************************************************
1839 Make a server_info struct from the info3 returned by a domain logon
1840 ***************************************************************************/
1841
1842 NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
1843 const char *sent_nt_username,
1844 const char *domain,
1845 auth_serversupplied_info **server_info,
1846 NET_USER_INFO_3 *info3)
1847 {
1848 static const char zeros[16] = { 0, };
1849
1850 NTSTATUS nt_status = NT_STATUS_OK;
1851 char *found_username;
1852 const char *nt_domain;
1853 const char *nt_username;
1854 struct samu *sam_account = NULL;
1855 DOM_SID user_sid;
1856 DOM_SID group_sid;
1857 BOOL username_was_mapped;
1858
1859 uid_t uid;
1860 gid_t gid;
1861
1862 size_t i;
1863
1864 auth_serversupplied_info *result;
1865
1866 /*
1867 Here is where we should check the list of
1868 trusted domains, and verify that the SID
1869 matches.
1870 */
1871
1872 sid_copy(&user_sid, &info3->dom_sid.sid);
1873 if (!sid_append_rid(&user_sid, info3->user_rid)) {
1874 return NT_STATUS_INVALID_PARAMETER;
1875 }
1876
1877 sid_copy(&group_sid, &info3->dom_sid.sid);
1878 if (!sid_append_rid(&group_sid, info3->group_rid)) {
1879 return NT_STATUS_INVALID_PARAMETER;
1880 }
1881
1882 if (!(nt_username = unistr2_tdup(mem_ctx, &(info3->uni_user_name)))) {
1883 /* If the server didn't give us one, just use the one we sent
1884 * them */
1885 nt_username = sent_nt_username;
1886 }
1887
1888 if (!(nt_domain = unistr2_tdup(mem_ctx, &(info3->uni_logon_dom)))) {
1889 /* If the server didn't give us one, just use the one we sent
1890 * them */
1891 nt_domain = domain;
1892 }
1893
1894 /* try to fill the SAM account.. If getpwnam() fails, then try the
1895 add user script (2.2.x behavior).
1896
1897 We use the _unmapped_ username here in an attempt to provide
1898 consistent username mapping behavior between kerberos and NTLM[SSP]
1899 authentication in domain mode security. I.E. Username mapping
1900 should be applied to the fully qualified username
1901 (e.g. DOMAIN\user) and not just the login name. Yes this means we
1902 called map_username() unnecessarily in make_user_info_map() but
1903 that is how the current code is designed. Making the change here
1904 is the least disruptive place. -- jerry */
1905
1906 if ( !(sam_account = samu_new( NULL )) ) {
1907 return NT_STATUS_NO_MEMORY;
1908 }
1909
1910 /* this call will try to create the user if necessary */
1911
1912 nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username,
1913 &found_username, &uid, &gid, sam_account,
1914 &username_was_mapped);
1915
1916
1917 /* if we still don't have a valid unix account check for
1918 'map to guest = bad uid' */
1919
1920 if (!NT_STATUS_IS_OK(nt_status)) {
1921 TALLOC_FREE( sam_account );
1922 if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) {
1923 make_server_info_guest(server_info);
1924 return NT_STATUS_OK;
1925 }
1926 return nt_status;
1927 }
1928
1929 if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) {
1930 TALLOC_FREE(sam_account);
1931 return NT_STATUS_NO_MEMORY;
1932 }
1933
1934 if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) {
1935 TALLOC_FREE(sam_account);
1936 return NT_STATUS_NO_MEMORY;
1937 }
1938
1939 if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) {
1940 TALLOC_FREE(sam_account);
1941 return NT_STATUS_NO_MEMORY;
1942 }
1943
1944 if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) {
1945 TALLOC_FREE(sam_account);
1946 return NT_STATUS_UNSUCCESSFUL;
1947 }
1948
1949 if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) {
1950 TALLOC_FREE(sam_account);
1951 return NT_STATUS_UNSUCCESSFUL;
1952 }
1953
1954 if (!pdb_set_fullname(sam_account,
1955 unistr2_static(&(info3->uni_full_name)),
1956 PDB_CHANGED)) {
1957 TALLOC_FREE(sam_account);
1958 return NT_STATUS_NO_MEMORY;
1959 }
1960
1961 if (!pdb_set_logon_script(sam_account,
1962 unistr2_static(&(info3->uni_logon_script)),
1963 PDB_CHANGED)) {
1964 TALLOC_FREE(sam_account);
1965 return NT_STATUS_NO_MEMORY;
1966 }
1967
1968 if (!pdb_set_profile_path(sam_account,
1969 unistr2_static(&(info3->uni_profile_path)),
1970 PDB_CHANGED)) {
1971 TALLOC_FREE(sam_account);
1972 return NT_STATUS_NO_MEMORY;
1973 }
1974
1975 if (!pdb_set_homedir(sam_account,
1976 unistr2_static(&(info3->uni_home_dir)),
1977 PDB_CHANGED)) {
1978 TALLOC_FREE(sam_account);
1979 return NT_STATUS_NO_MEMORY;
1980 }
1981
1982 if (!pdb_set_dir_drive(sam_account,
1983 unistr2_static(&(info3->uni_dir_drive)),
1984 PDB_CHANGED)) {
1985 TALLOC_FREE(sam_account);
1986 return NT_STATUS_NO_MEMORY;
1987 }
1988
1989 if (!pdb_set_acct_ctrl(sam_account, info3->acct_flags, PDB_CHANGED)) {
1990 TALLOC_FREE(sam_account);
1991 return NT_STATUS_NO_MEMORY;
1992 }
1993
1994 if (!pdb_set_pass_last_set_time(
1995 sam_account,
1996 nt_time_to_unix(info3->pass_last_set_time),
1997 PDB_CHANGED)) {
1998 TALLOC_FREE(sam_account);
1999 return NT_STATUS_NO_MEMORY;
2000 }
2001
2002 if (!pdb_set_pass_can_change_time(
2003 sam_account,
2004 nt_time_to_unix(info3->pass_can_change_time),
2005 PDB_CHANGED)) {
2006 TALLOC_FREE(sam_account);
2007 return NT_STATUS_NO_MEMORY;
2008 }
2009
2010 if (!pdb_set_pass_must_change_time(
2011 sam_account,
2012 nt_time_to_unix(info3->pass_must_change_time),
2013 PDB_CHANGED)) {
2014 TALLOC_FREE(sam_account);
2015 return NT_STATUS_NO_MEMORY;
2016 }
2017
2018 result = make_server_info(NULL);
2019 if (result == NULL) {
2020 DEBUG(4, ("make_server_info failed!\n"));
2021 TALLOC_FREE(sam_account);
2022 return NT_STATUS_NO_MEMORY;
2023 }
2024
2025 /* save this here to _net_sam_logon() doesn't fail (it assumes a
2026 valid struct samu) */
2027
2028 result->sam_account = sam_account;
2029 result->unix_name = talloc_strdup(result, found_username);
2030
2031 /* Fill in the unix info we found on the way */
2032
2033 result->uid = uid;
2034 result->gid = gid;
2035
2036 /* Create a 'combined' list of all SIDs we might want in the SD */
2037
2038 result->num_sids = 0;
2039 result->sids = NULL;
2040
2041 /* and create (by appending rids) the 'domain' sids */
2042
2043 for (i = 0; i < info3->num_groups2; i++) {
2044 DOM_SID sid;
2045 if (!sid_compose(&sid, &info3->dom_sid.sid,
2046 info3->gids[i].g_rid)) {
2047 DEBUG(3,("could not append additional group rid "
2048 "0x%x\n", info3->gids[i].g_rid));
2049 TALLOC_FREE(result);
2050 return NT_STATUS_INVALID_PARAMETER;
2051 }
2052 if (!add_sid_to_array(result, &sid, &result->sids,
2053 &result->num_sids)) {
2054 TALLOC_FREE(result);
2055 return NT_STATUS_NO_MEMORY;
2056 }
2057 }
2058
2059 /* Copy 'other' sids. We need to do sid filtering here to
2060 prevent possible elevation of privileges. See:
2061
2062 http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
2063 */
2064
2065 for (i = 0; i < info3->num_other_sids; i++) {
2066 if (!add_sid_to_array(result, &info3->other_sids[i].sid,
2067 &result->sids,
2068 &result->num_sids)) {
2069 TALLOC_FREE(result);
2070 return NT_STATUS_NO_MEMORY;
2071 }
2072 }
2073
2074 result->login_server = unistr2_tdup(result,
2075 &(info3->uni_logon_srv));
2076
2077 /* ensure we are never given NULL session keys */
2078
2079 if (memcmp(info3->user_sess_key, zeros, sizeof(zeros)) == 0) {
2080 result->user_session_key = data_blob(NULL, 0);
2081 } else {
2082 result->user_session_key = data_blob_talloc(
2083 result, info3->user_sess_key,
2084 sizeof(info3->user_sess_key));
2085 }
2086
2087 if (memcmp(info3->lm_sess_key, zeros, 8) == 0) {
2088 result->lm_session_key = data_blob(NULL, 0);
2089 } else {
2090 result->lm_session_key = data_blob_talloc(
2091 result, info3->lm_sess_key,
2092 sizeof(info3->lm_sess_key));
2093 }
2094
2095 result->was_mapped = username_was_mapped;
2096
2097 *server_info = result;
2098
2099 return NT_STATUS_OK;
2100 }
2101
2102 /***************************************************************************
2103 Free a user_info struct
2104 ***************************************************************************/
2105
2106 void free_user_info(auth_usersupplied_info **user_info)
2107 {
2108 DEBUG(5,("attempting to free (and zero) a user_info structure\n"));
2109 if (*user_info != NULL) {
2110 if ((*user_info)->smb_name) {
2111 DEBUG(10,("structure was created for %s\n",
2112 (*user_info)->smb_name));
2113 }
2114 SAFE_FREE((*user_info)->smb_name);
2115 SAFE_FREE((*user_info)->internal_username);
2116 SAFE_FREE((*user_info)->client_domain);
2117 SAFE_FREE((*user_info)->domain);
2118 SAFE_FREE((*user_info)->wksta_name);
2119 data_blob_free(&(*user_info)->lm_resp);
2120 data_blob_free(&(*user_info)->nt_resp);
2121 data_blob_clear_free(&(*user_info)->lm_interactive_pwd);
2122 data_blob_clear_free(&(*user_info)->nt_interactive_pwd);
2123 data_blob_clear_free(&(*user_info)->plaintext_password);
2124 ZERO_STRUCT(**user_info);
2125 }
2126 SAFE_FREE(*user_info);
2127 }
2128
2129 /***************************************************************************
2130 Make an auth_methods struct
2131 ***************************************************************************/
2132
2133 BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_method)
2134 {
2135 if (!auth_context) {
2136 smb_panic("no auth_context supplied to "
2137 "make_auth_methods()!\n");
2138 }
2139
2140 if (!auth_method) {
2141 smb_panic("make_auth_methods: pointer to auth_method pointer "
2142 "is NULL!\n");
2143 }
2144
2145 *auth_method = TALLOC_P(auth_context->mem_ctx, auth_methods);
2146 if (!*auth_method) {
2147 DEBUG(0,("make_auth_method: malloc failed!\n"));
2148 return False;
2149 }
2150 ZERO_STRUCTP(*auth_method);
2151
2152 return True;
2153 }
2154
2155 /****************************************************************************
2156 Duplicate a SID token.
2157 ****************************************************************************/
2158
2159 NT_USER_TOKEN *dup_nt_token(TALLOC_CTX *mem_ctx, const NT_USER_TOKEN *ptoken)
2160 {
2161 NT_USER_TOKEN *token;
2162
2163 if (!ptoken)
2164 return NULL;
2165
2166 token = TALLOC_P(mem_ctx, NT_USER_TOKEN);
2167 if (token == NULL) {
2168 DEBUG(0, ("talloc failed\n"));
2169 return NULL;
2170 }
2171
2172 ZERO_STRUCTP(token);
2173
2174 if (ptoken->user_sids && ptoken->num_sids) {
2175 token->user_sids = (DOM_SID *)TALLOC_MEMDUP(
2176 token, ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids );
2177
2178 if (token->user_sids == NULL) {
2179 DEBUG(0, ("TALLOC_MEMDUP failed\n"));
2180 TALLOC_FREE(token);
2181 return NULL;
2182 }
2183 token->num_sids = ptoken->num_sids;
2184 }
2185
2186 /* copy the privileges; don't consider failure to be critical here */
2187
2188 if ( !se_priv_copy( &token->privileges, &ptoken->privileges ) ) {
2189 DEBUG(0,("dup_nt_token: Failure to copy SE_PRIV!. "
2190 "Continuing with 0 privileges assigned.\n"));
2191 }
2192
2193 return token;
2194 }
2195
2196 /****************************************************************************
2197 Check for a SID in an NT_USER_TOKEN
2198 ****************************************************************************/
2199
2200 BOOL nt_token_check_sid ( const DOM_SID *sid, const NT_USER_TOKEN *token )
2201 {
2202 int i;
2203
2204 if ( !sid || !token )
2205 return False;
2206
2207 for ( i=0; i<token->num_sids; i++ ) {
2208 if ( sid_equal( sid, &token->user_sids[i] ) )
2209 return True;
2210 }
2211
2212 return False;
2213 }
2214
2215 BOOL nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid )
2216 {
2217 DOM_SID domain_sid;
2218
2219 /* if we are a domain member, the get the domain SID, else for
2220 a DC or standalone server, use our own SID */
2221
2222 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
2223 if ( !secrets_fetch_domain_sid( lp_workgroup(),
2224 &domain_sid ) ) {
2225 DEBUG(1,("nt_token_check_domain_rid: Cannot lookup "
2226 "SID for domain [%s]\n", lp_workgroup()));
2227 return False;
2228 }
2229 }
2230 else
2231 sid_copy( &domain_sid, get_global_sam_sid() );
2232
2233 sid_append_rid( &domain_sid, rid );
2234
2235 return nt_token_check_sid( &domain_sid, token );\
2236 }
2237
2238 /**
2239 * Verify whether or not given domain is trusted.
2240 *
2241 * @param domain_name name of the domain to be verified
2242 * @return true if domain is one of the trusted once or
2243 * false if otherwise
2244 **/
2245
2246 BOOL is_trusted_domain(const char* dom_name)
2247 {
2248 DOM_SID trustdom_sid;
2249 BOOL ret;
2250
2251 /* no trusted domains for a standalone server */
2252
2253 if ( lp_server_role() == ROLE_STANDALONE )
2254 return False;
2255
2256 /* if we are a DC, then check for a direct trust relationships */
2257
2258 if ( IS_DC ) {
2259 become_root();
2260 DEBUG (5,("is_trusted_domain: Checking for domain trust with "
2261 "[%s]\n", dom_name ));
2262 ret = secrets_fetch_trusted_domain_password(dom_name, NULL,
2263 NULL, NULL);
2264 unbecome_root();
2265 if (ret)
2266 return True;
2267 }
2268 else {
2269 NSS_STATUS result;
2270
2271 /* If winbind is around, ask it */
2272
2273 result = wb_is_trusted_domain(dom_name);
2274
2275 if (result == NSS_STATUS_SUCCESS) {
2276 return True;
2277 }
2278
2279 if (result == NSS_STATUS_NOTFOUND) {
2280 /* winbind could not find the domain */
2281 return False;
2282 }
2283
2284 /* The only other possible result is that winbind is not up
2285 and running. We need to update the trustdom_cache
2286 ourselves */
2287
2288 update_trustdom_cache();
2289 }
2290
2291 /* now the trustdom cache should be available a DC could still
2292 * have a transitive trust so fall back to the cache of trusted
2293 * domains (like a domain member would use */
2294
2295 if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) {
2296 return True;
2297 }
2298
2299 return False;
2300 }
2301
Samba GIT mirror