2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2009
5 Copyright (C) Gerald Carter 2003
6 Copyright (C) Stefan Metzmacher 2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "librpc/gen_ndr/ndr_netlogon.h"
24 #include "system/time.h"
25 #include "lib/ldb/include/ldb.h"
26 #include "../lib/util/util_ldb.h"
27 #include "auth/auth.h"
28 #include "auth/ntlm/ntlm_check.h"
29 #include "auth/ntlm/auth_proto.h"
30 #include "auth/auth_sam.h"
31 #include "dsdb/samdb/samdb.h"
32 #include "libcli/security/security.h"
33 #include "libcli/ldap/ldap_ndr.h"
34 #include "param/param.h"
36 extern const char *user_attrs
[];
37 extern const char *domain_ref_attrs
[];
39 /****************************************************************************
40 Look for the specified user in the sam, return ldb result structures
41 ****************************************************************************/
43 static NTSTATUS
authsam_search_account(TALLOC_CTX
*mem_ctx
, struct ldb_context
*sam_ctx
,
44 const char *account_name
,
45 const char *domain_name
,
46 struct ldb_message
***ret_msgs
,
47 struct ldb_message
***ret_msgs_domain_ref
)
49 struct ldb_message
**msgs_tmp
;
50 struct ldb_message
**msgs
;
51 struct ldb_message
**msgs_domain_ref
;
52 struct ldb_dn
*partitions_basedn
= samdb_partitions_dn(sam_ctx
, mem_ctx
);
57 struct ldb_dn
*domain_dn
= NULL
;
60 domain_dn
= samdb_domain_to_dn(sam_ctx
, mem_ctx
, domain_name
);
62 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
66 /* pull the user attributes */
67 ret
= gendb_search(sam_ctx
, mem_ctx
, domain_dn
, &msgs
, user_attrs
,
68 "(&(sAMAccountName=%s)(objectclass=user))",
69 ldb_binary_encode_string(mem_ctx
, account_name
));
71 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
75 DEBUG(3,("sam_search_user: Couldn't find user [%s\\%s] in samdb, under %s\n",
76 domain_name
, account_name
, ldb_dn_get_linearized(domain_dn
)));
77 return NT_STATUS_NO_SUCH_USER
;
81 DEBUG(0,("Found %d records matching user [%s]\n", ret
, account_name
));
82 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
86 struct dom_sid
*domain_sid
;
88 domain_sid
= samdb_result_sid_prefix(mem_ctx
, msgs
[0], "objectSid");
90 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
93 /* find the domain's DN */
94 ret
= gendb_search(sam_ctx
, mem_ctx
, NULL
, &msgs_tmp
, NULL
,
95 "(&(objectSid=%s)(objectClass=domain))",
96 ldap_encode_ndr_dom_sid(mem_ctx
, domain_sid
));
98 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
102 DEBUG(3,("check_sam_security: Couldn't find domain_sid [%s] in passdb file.\n",
103 dom_sid_string(mem_ctx
, domain_sid
)));
104 return NT_STATUS_NO_SUCH_USER
;
108 DEBUG(0,("Found %d records matching domain_sid [%s]\n",
109 ret
, dom_sid_string(mem_ctx
, domain_sid
)));
110 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
113 domain_dn
= msgs_tmp
[0]->dn
;
116 ret_domain
= gendb_search(sam_ctx
, mem_ctx
, partitions_basedn
, &msgs_domain_ref
, domain_ref_attrs
,
117 "(nCName=%s)", ldb_dn_get_linearized(domain_dn
));
118 if (ret_domain
== -1) {
119 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
122 if (ret_domain
== 0) {
123 DEBUG(3,("check_sam_security: Couldn't find domain [%s] in passdb file.\n",
124 ldb_dn_get_linearized(msgs_tmp
[0]->dn
)));
125 return NT_STATUS_NO_SUCH_USER
;
128 if (ret_domain
> 1) {
129 DEBUG(0,("Found %d records matching domain [%s]\n",
130 ret_domain
, ldb_dn_get_linearized(msgs_tmp
[0]->dn
)));
131 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
135 *ret_msgs_domain_ref
= msgs_domain_ref
;
140 /****************************************************************************
141 Do a specific test for an smb password being correct, given a smb_password and
142 the lanman and NT responses.
143 ****************************************************************************/
144 static NTSTATUS
authsam_password_ok(struct auth_context
*auth_context
,
147 const struct samr_Password
*lm_pwd
,
148 const struct samr_Password
*nt_pwd
,
149 const struct auth_usersupplied_info
*user_info
,
150 DATA_BLOB
*user_sess_key
,
151 DATA_BLOB
*lm_sess_key
)
155 if (acct_flags
& ACB_PWNOTREQ
) {
156 if (lp_null_passwords(auth_context
->lp_ctx
)) {
157 DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n",
158 user_info
->mapped
.account_name
));
159 *lm_sess_key
= data_blob(NULL
, 0);
160 *user_sess_key
= data_blob(NULL
, 0);
163 DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n",
164 user_info
->mapped
.account_name
));
165 return NT_STATUS_LOGON_FAILURE
;
169 switch (user_info
->password_state
) {
170 case AUTH_PASSWORD_PLAIN
:
172 const struct auth_usersupplied_info
*user_info_temp
;
173 status
= encrypt_user_info(mem_ctx
, auth_context
,
175 user_info
, &user_info_temp
);
176 if (!NT_STATUS_IS_OK(status
)) {
177 DEBUG(1, ("Failed to convert plaintext password to password HASH: %s\n", nt_errstr(status
)));
180 user_info
= user_info_temp
;
184 case AUTH_PASSWORD_HASH
:
185 *lm_sess_key
= data_blob(NULL
, 0);
186 *user_sess_key
= data_blob(NULL
, 0);
187 status
= hash_password_check(mem_ctx
,
188 lp_lanman_auth(auth_context
->lp_ctx
),
189 user_info
->password
.hash
.lanman
,
190 user_info
->password
.hash
.nt
,
191 user_info
->mapped
.account_name
,
193 NT_STATUS_NOT_OK_RETURN(status
);
196 case AUTH_PASSWORD_RESPONSE
:
197 status
= ntlm_password_check(mem_ctx
,
198 lp_lanman_auth(auth_context
->lp_ctx
),
199 lp_ntlm_auth(auth_context
->lp_ctx
),
200 user_info
->logon_parameters
,
201 &auth_context
->challenge
.data
,
202 &user_info
->password
.response
.lanman
,
203 &user_info
->password
.response
.nt
,
204 user_info
->mapped
.account_name
,
205 user_info
->client
.account_name
,
206 user_info
->client
.domain_name
,
208 user_sess_key
, lm_sess_key
);
209 NT_STATUS_NOT_OK_RETURN(status
);
213 if (user_sess_key
&& user_sess_key
->data
) {
214 talloc_steal(auth_context
, user_sess_key
->data
);
216 if (lm_sess_key
&& lm_sess_key
->data
) {
217 talloc_steal(auth_context
, lm_sess_key
->data
);
225 static NTSTATUS
authsam_authenticate(struct auth_context
*auth_context
,
226 TALLOC_CTX
*mem_ctx
, struct ldb_context
*sam_ctx
,
227 struct ldb_message
**msgs
,
228 struct ldb_message
**msgs_domain_ref
,
229 const struct auth_usersupplied_info
*user_info
,
230 DATA_BLOB
*user_sess_key
, DATA_BLOB
*lm_sess_key
)
232 struct samr_Password
*lm_pwd
, *nt_pwd
;
234 struct ldb_dn
*domain_dn
= samdb_result_dn(sam_ctx
, mem_ctx
, msgs_domain_ref
[0], "nCName", NULL
);
236 uint16_t acct_flags
= samdb_result_acct_flags(sam_ctx
, mem_ctx
, msgs
[0], domain_dn
);
238 /* Quit if the account was locked out. */
239 if (acct_flags
& ACB_AUTOLOCK
) {
240 DEBUG(3,("check_sam_security: Account for user %s was locked out.\n",
241 user_info
->mapped
.account_name
));
242 return NT_STATUS_ACCOUNT_LOCKED_OUT
;
245 /* You can only do an interactive login to normal accounts */
246 if (user_info
->flags
& USER_INFO_INTERACTIVE_LOGON
) {
247 if (!(acct_flags
& ACB_NORMAL
)) {
248 return NT_STATUS_NO_SUCH_USER
;
252 nt_status
= samdb_result_passwords(mem_ctx
, auth_context
->lp_ctx
, msgs
[0], &lm_pwd
, &nt_pwd
);
253 NT_STATUS_NOT_OK_RETURN(nt_status
);
255 nt_status
= authsam_password_ok(auth_context
, mem_ctx
,
256 acct_flags
, lm_pwd
, nt_pwd
,
257 user_info
, user_sess_key
, lm_sess_key
);
258 NT_STATUS_NOT_OK_RETURN(nt_status
);
260 nt_status
= authsam_account_ok(mem_ctx
, sam_ctx
,
261 user_info
->logon_parameters
,
264 user_info
->workstation_name
,
265 user_info
->mapped
.account_name
,
273 static NTSTATUS
authsam_check_password_internals(struct auth_method_context
*ctx
,
276 const struct auth_usersupplied_info
*user_info
,
277 struct auth_serversupplied_info
**server_info
)
280 const char *account_name
= user_info
->mapped
.account_name
;
281 struct ldb_message
**msgs
;
282 struct ldb_message
**domain_ref_msgs
;
283 struct ldb_context
*sam_ctx
;
284 DATA_BLOB user_sess_key
, lm_sess_key
;
287 if (!account_name
|| !*account_name
) {
289 return NT_STATUS_NOT_IMPLEMENTED
;
292 tmp_ctx
= talloc_new(mem_ctx
);
294 return NT_STATUS_NO_MEMORY
;
297 sam_ctx
= samdb_connect(tmp_ctx
, ctx
->auth_ctx
->event_ctx
, ctx
->auth_ctx
->lp_ctx
, system_session(mem_ctx
, ctx
->auth_ctx
->lp_ctx
));
298 if (sam_ctx
== NULL
) {
299 talloc_free(tmp_ctx
);
300 return NT_STATUS_INVALID_SYSTEM_SERVICE
;
303 nt_status
= authsam_search_account(tmp_ctx
, sam_ctx
, account_name
, domain
, &msgs
, &domain_ref_msgs
);
304 if (!NT_STATUS_IS_OK(nt_status
)) {
305 talloc_free(tmp_ctx
);
309 nt_status
= authsam_authenticate(ctx
->auth_ctx
, tmp_ctx
, sam_ctx
, msgs
, domain_ref_msgs
, user_info
,
310 &user_sess_key
, &lm_sess_key
);
311 if (!NT_STATUS_IS_OK(nt_status
)) {
312 talloc_free(tmp_ctx
);
316 nt_status
= authsam_make_server_info(tmp_ctx
, sam_ctx
, lp_netbios_name(ctx
->auth_ctx
->lp_ctx
),
317 msgs
[0], domain_ref_msgs
[0],
318 user_sess_key
, lm_sess_key
,
320 if (!NT_STATUS_IS_OK(nt_status
)) {
321 talloc_free(tmp_ctx
);
325 talloc_steal(mem_ctx
, *server_info
);
326 talloc_free(tmp_ctx
);
331 static NTSTATUS
authsam_ignoredomain_want_check(struct auth_method_context
*ctx
,
333 const struct auth_usersupplied_info
*user_info
)
335 if (!user_info
->mapped
.account_name
|| !*user_info
->mapped
.account_name
) {
336 return NT_STATUS_NOT_IMPLEMENTED
;
342 static NTSTATUS
authsam_ignoredomain_check_password(struct auth_method_context
*ctx
,
344 const struct auth_usersupplied_info
*user_info
,
345 struct auth_serversupplied_info
**server_info
)
347 return authsam_check_password_internals(ctx
, mem_ctx
, NULL
, user_info
, server_info
);
350 /****************************************************************************
351 Check SAM security (above) but with a few extra checks.
352 ****************************************************************************/
353 static NTSTATUS
authsam_want_check(struct auth_method_context
*ctx
,
355 const struct auth_usersupplied_info
*user_info
)
357 bool is_local_name
, is_my_domain
;
359 if (!user_info
->mapped
.account_name
|| !*user_info
->mapped
.account_name
) {
360 return NT_STATUS_NOT_IMPLEMENTED
;
363 is_local_name
= lp_is_myname(ctx
->auth_ctx
->lp_ctx
,
364 user_info
->mapped
.domain_name
);
365 is_my_domain
= lp_is_mydomain(ctx
->auth_ctx
->lp_ctx
,
366 user_info
->mapped
.domain_name
);
368 /* check whether or not we service this domain/workgroup name */
369 switch (lp_server_role(ctx
->auth_ctx
->lp_ctx
)) {
370 case ROLE_STANDALONE
:
373 case ROLE_DOMAIN_MEMBER
:
374 if (!is_local_name
) {
375 DEBUG(6,("authsam_check_password: %s is not one of my local names (DOMAIN_MEMBER)\n",
376 user_info
->mapped
.domain_name
));
377 return NT_STATUS_NOT_IMPLEMENTED
;
381 case ROLE_DOMAIN_CONTROLLER
:
382 if (!is_local_name
&& !is_my_domain
) {
383 DEBUG(6,("authsam_check_password: %s is not one of my local names or domain name (DC)\n",
384 user_info
->mapped
.domain_name
));
385 return NT_STATUS_NOT_IMPLEMENTED
;
390 DEBUG(6,("authsam_check_password: lp_server_role() has an undefined value\n"));
391 return NT_STATUS_NOT_IMPLEMENTED
;
394 /****************************************************************************
395 Check SAM security (above) but with a few extra checks.
396 ****************************************************************************/
397 static NTSTATUS
authsam_check_password(struct auth_method_context
*ctx
,
399 const struct auth_usersupplied_info
*user_info
,
400 struct auth_serversupplied_info
**server_info
)
404 /* check whether or not we service this domain/workgroup name */
405 switch (lp_server_role(ctx
->auth_ctx
->lp_ctx
)) {
406 case ROLE_STANDALONE
:
407 case ROLE_DOMAIN_MEMBER
:
408 domain
= lp_netbios_name(ctx
->auth_ctx
->lp_ctx
);
411 case ROLE_DOMAIN_CONTROLLER
:
412 domain
= lp_workgroup(ctx
->auth_ctx
->lp_ctx
);
416 return NT_STATUS_NO_SUCH_USER
;
419 return authsam_check_password_internals(ctx
, mem_ctx
, domain
, user_info
, server_info
);
423 /* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available */
424 NTSTATUS
authsam_get_server_info_principal(TALLOC_CTX
*mem_ctx
,
425 struct auth_context
*auth_context
,
426 const char *principal
,
427 struct auth_serversupplied_info
**server_info
)
430 DATA_BLOB user_sess_key
= data_blob(NULL
, 0);
431 DATA_BLOB lm_sess_key
= data_blob(NULL
, 0);
433 struct ldb_message
**msgs
;
434 struct ldb_message
**msgs_domain_ref
;
435 struct ldb_context
*sam_ctx
;
437 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
439 return NT_STATUS_NO_MEMORY
;
442 sam_ctx
= samdb_connect(tmp_ctx
, auth_context
->event_ctx
, auth_context
->lp_ctx
,
443 system_session(tmp_ctx
, auth_context
->lp_ctx
));
444 if (sam_ctx
== NULL
) {
445 talloc_free(tmp_ctx
);
446 return NT_STATUS_INVALID_SYSTEM_SERVICE
;
449 nt_status
= sam_get_results_principal(sam_ctx
, tmp_ctx
, principal
,
450 &msgs
, &msgs_domain_ref
);
451 if (!NT_STATUS_IS_OK(nt_status
)) {
455 nt_status
= authsam_make_server_info(tmp_ctx
, sam_ctx
,
456 lp_netbios_name(auth_context
->lp_ctx
),
457 msgs
[0], msgs_domain_ref
[0],
458 user_sess_key
, lm_sess_key
,
460 if (NT_STATUS_IS_OK(nt_status
)) {
461 talloc_steal(mem_ctx
, *server_info
);
463 talloc_free(tmp_ctx
);
467 static const struct auth_operations sam_ignoredomain_ops
= {
468 .name
= "sam_ignoredomain",
469 .get_challenge
= auth_get_challenge_not_implemented
,
470 .want_check
= authsam_ignoredomain_want_check
,
471 .check_password
= authsam_ignoredomain_check_password
,
472 .get_server_info_principal
= authsam_get_server_info_principal
475 static const struct auth_operations sam_ops
= {
477 .get_challenge
= auth_get_challenge_not_implemented
,
478 .want_check
= authsam_want_check
,
479 .check_password
= authsam_check_password
,
480 .get_server_info_principal
= authsam_get_server_info_principal
483 _PUBLIC_ NTSTATUS
auth_sam_init(void)
487 ret
= auth_register(&sam_ops
);
488 if (!NT_STATUS_IS_OK(ret
)) {
489 DEBUG(0,("Failed to register 'sam' auth backend!\n"));
493 ret
= auth_register(&sam_ignoredomain_ops
);
494 if (!NT_STATUS_IS_OK(ret
)) {
495 DEBUG(0,("Failed to register 'sam_ignoredomain' auth backend!\n"));