2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2004
5 Copyright (C) Gerald Carter 2003
6 Copyright (C) Stefan Metzmacher 2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 #include "librpc/gen_ndr/ndr_netlogon.h"
25 #include "system/time.h"
27 #include "lib/ldb/include/ldb.h"
28 #include "auth/auth.h"
29 #include "auth/auth_sam.h"
30 #include "dsdb/samdb/samdb.h"
31 #include "libcli/security/security.h"
32 #include "libcli/ldap/ldap.h"
34 extern const char *user_attrs
[];
35 extern const char *domain_ref_attrs
[];
37 /****************************************************************************
38 Look for the specified user in the sam, return ldb result structures
39 ****************************************************************************/
41 static NTSTATUS
authsam_search_account(TALLOC_CTX
*mem_ctx
, struct ldb_context
*sam_ctx
,
42 const char *account_name
,
43 const char *domain_name
,
44 struct ldb_message
***ret_msgs
,
45 struct ldb_message
***ret_msgs_domain_ref
)
47 struct ldb_message
**msgs_tmp
;
48 struct ldb_message
**msgs
;
49 struct ldb_message
**msgs_domain_ref
;
50 struct ldb_dn
*partitions_basedn
= samdb_partitions_dn(sam_ctx
, mem_ctx
);
55 struct ldb_dn
*domain_dn
= NULL
;
58 domain_dn
= samdb_domain_to_dn(sam_ctx
, mem_ctx
, domain_name
);
60 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
64 /* pull the user attributes */
65 ret
= gendb_search(sam_ctx
, mem_ctx
, domain_dn
, &msgs
, user_attrs
,
66 "(&(sAMAccountName=%s)(objectclass=user))",
67 ldb_binary_encode_string(mem_ctx
, account_name
));
69 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
73 DEBUG(3,("sam_search_user: Couldn't find user [%s\\%s] in samdb, under %s\n",
74 domain_name
, account_name
, ldb_dn_get_linearized(domain_dn
)));
75 return NT_STATUS_NO_SUCH_USER
;
79 DEBUG(0,("Found %d records matching user [%s]\n", ret
, account_name
));
80 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
84 struct dom_sid
*domain_sid
;
86 domain_sid
= samdb_result_sid_prefix(mem_ctx
, msgs
[0], "objectSid");
88 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
91 /* find the domain's DN */
92 ret
= gendb_search(sam_ctx
, mem_ctx
, NULL
, &msgs_tmp
, NULL
,
93 "(&(objectSid=%s)(objectClass=domain))",
94 ldap_encode_ndr_dom_sid(mem_ctx
, domain_sid
));
96 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
100 DEBUG(3,("check_sam_security: Couldn't find domain_sid [%s] in passdb file.\n",
101 dom_sid_string(mem_ctx
, domain_sid
)));
102 return NT_STATUS_NO_SUCH_USER
;
106 DEBUG(0,("Found %d records matching domain_sid [%s]\n",
107 ret
, dom_sid_string(mem_ctx
, domain_sid
)));
108 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
111 domain_dn
= msgs_tmp
[0]->dn
;
114 ret_domain
= gendb_search(sam_ctx
, mem_ctx
, partitions_basedn
, &msgs_domain_ref
, domain_ref_attrs
,
115 "(nCName=%s)", ldb_dn_get_linearized(domain_dn
));
116 if (ret_domain
== -1) {
117 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
120 if (ret_domain
== 0) {
121 DEBUG(3,("check_sam_security: Couldn't find domain [%s] in passdb file.\n",
122 ldb_dn_get_linearized(msgs_tmp
[0]->dn
)));
123 return NT_STATUS_NO_SUCH_USER
;
126 if (ret_domain
> 1) {
127 DEBUG(0,("Found %d records matching domain [%s]\n",
128 ret_domain
, ldb_dn_get_linearized(msgs_tmp
[0]->dn
)));
129 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
133 *ret_msgs_domain_ref
= msgs_domain_ref
;
138 /****************************************************************************
139 Do a specific test for an smb password being correct, given a smb_password and
140 the lanman and NT responses.
141 ****************************************************************************/
142 static NTSTATUS
authsam_password_ok(struct auth_context
*auth_context
,
145 const struct samr_Password
*lm_pwd
,
146 const struct samr_Password
*nt_pwd
,
147 const struct auth_usersupplied_info
*user_info
,
148 DATA_BLOB
*user_sess_key
,
149 DATA_BLOB
*lm_sess_key
)
153 if (acct_flags
& ACB_PWNOTREQ
) {
154 if (lp_null_passwords()) {
155 DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n",
156 user_info
->mapped
.account_name
));
159 DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n",
160 user_info
->mapped
.account_name
));
161 return NT_STATUS_LOGON_FAILURE
;
165 switch (user_info
->password_state
) {
166 case AUTH_PASSWORD_PLAIN
:
168 const struct auth_usersupplied_info
*user_info_temp
;
169 status
= encrypt_user_info(mem_ctx
, auth_context
,
171 user_info
, &user_info_temp
);
172 if (!NT_STATUS_IS_OK(status
)) {
173 DEBUG(1, ("Failed to convert plaintext password to password HASH: %s\n", nt_errstr(status
)));
176 user_info
= user_info_temp
;
180 case AUTH_PASSWORD_HASH
:
181 *lm_sess_key
= data_blob(NULL
, 0);
182 *user_sess_key
= data_blob(NULL
, 0);
183 status
= hash_password_check(mem_ctx
,
184 user_info
->password
.hash
.lanman
,
185 user_info
->password
.hash
.nt
,
186 user_info
->mapped
.account_name
,
188 NT_STATUS_NOT_OK_RETURN(status
);
191 case AUTH_PASSWORD_RESPONSE
:
192 status
= ntlm_password_check(mem_ctx
, user_info
->logon_parameters
,
193 &auth_context
->challenge
.data
,
194 &user_info
->password
.response
.lanman
,
195 &user_info
->password
.response
.nt
,
196 user_info
->mapped
.account_name
,
197 user_info
->client
.account_name
,
198 user_info
->client
.domain_name
,
200 user_sess_key
, lm_sess_key
);
201 NT_STATUS_NOT_OK_RETURN(status
);
205 if (user_sess_key
&& user_sess_key
->data
) {
206 talloc_steal(auth_context
, user_sess_key
->data
);
208 if (lm_sess_key
&& lm_sess_key
->data
) {
209 talloc_steal(auth_context
, lm_sess_key
->data
);
217 static NTSTATUS
authsam_authenticate(struct auth_context
*auth_context
,
218 TALLOC_CTX
*mem_ctx
, struct ldb_context
*sam_ctx
,
219 struct ldb_message
**msgs
,
220 struct ldb_message
**msgs_domain_ref
,
221 const struct auth_usersupplied_info
*user_info
,
222 DATA_BLOB
*user_sess_key
, DATA_BLOB
*lm_sess_key
)
224 struct samr_Password
*lm_pwd
, *nt_pwd
;
226 uint16_t acct_flags
= samdb_result_acct_flags(msgs
[0], "userAccountControl");
228 /* Quit if the account was locked out. */
229 if (acct_flags
& ACB_AUTOLOCK
) {
230 DEBUG(3,("check_sam_security: Account for user %s was locked out.\n",
231 user_info
->mapped
.account_name
));
232 return NT_STATUS_ACCOUNT_LOCKED_OUT
;
235 /* You can only do an interactive login to normal accounts */
236 if (user_info
->flags
& USER_INFO_INTERACTIVE_LOGON
) {
237 if (!(acct_flags
& ACB_NORMAL
)) {
238 return NT_STATUS_NO_SUCH_USER
;
242 nt_status
= samdb_result_passwords(mem_ctx
, msgs
[0], &lm_pwd
, &nt_pwd
);
243 NT_STATUS_NOT_OK_RETURN(nt_status
);
245 nt_status
= authsam_password_ok(auth_context
, mem_ctx
,
246 acct_flags
, lm_pwd
, nt_pwd
,
247 user_info
, user_sess_key
, lm_sess_key
);
248 NT_STATUS_NOT_OK_RETURN(nt_status
);
250 nt_status
= authsam_account_ok(mem_ctx
, sam_ctx
,
251 user_info
->logon_parameters
,
254 user_info
->workstation_name
,
255 user_info
->mapped
.account_name
);
262 static NTSTATUS
authsam_check_password_internals(struct auth_method_context
*ctx
,
265 const struct auth_usersupplied_info
*user_info
,
266 struct auth_serversupplied_info
**server_info
)
269 const char *account_name
= user_info
->mapped
.account_name
;
270 struct ldb_message
**msgs
;
271 struct ldb_message
**domain_ref_msgs
;
272 struct ldb_context
*sam_ctx
;
273 DATA_BLOB user_sess_key
, lm_sess_key
;
276 if (!account_name
|| !*account_name
) {
278 return NT_STATUS_NOT_IMPLEMENTED
;
281 tmp_ctx
= talloc_new(mem_ctx
);
283 return NT_STATUS_NO_MEMORY
;
286 sam_ctx
= samdb_connect(tmp_ctx
, system_session(mem_ctx
));
287 if (sam_ctx
== NULL
) {
288 talloc_free(tmp_ctx
);
289 return NT_STATUS_INVALID_SYSTEM_SERVICE
;
292 nt_status
= authsam_search_account(tmp_ctx
, sam_ctx
, account_name
, domain
, &msgs
, &domain_ref_msgs
);
293 if (!NT_STATUS_IS_OK(nt_status
)) {
294 talloc_free(tmp_ctx
);
298 nt_status
= authsam_authenticate(ctx
->auth_ctx
, tmp_ctx
, sam_ctx
, msgs
, domain_ref_msgs
, user_info
,
299 &user_sess_key
, &lm_sess_key
);
300 if (!NT_STATUS_IS_OK(nt_status
)) {
301 talloc_free(tmp_ctx
);
305 nt_status
= authsam_make_server_info(tmp_ctx
, sam_ctx
, msgs
[0], domain_ref_msgs
[0],
306 user_sess_key
, lm_sess_key
,
308 if (!NT_STATUS_IS_OK(nt_status
)) {
309 talloc_free(tmp_ctx
);
313 talloc_steal(mem_ctx
, *server_info
);
314 talloc_free(tmp_ctx
);
319 static NTSTATUS
authsam_ignoredomain_want_check(struct auth_method_context
*ctx
,
321 const struct auth_usersupplied_info
*user_info
)
323 if (!user_info
->mapped
.account_name
|| !*user_info
->mapped
.account_name
) {
324 return NT_STATUS_NOT_IMPLEMENTED
;
330 static NTSTATUS
authsam_ignoredomain_check_password(struct auth_method_context
*ctx
,
332 const struct auth_usersupplied_info
*user_info
,
333 struct auth_serversupplied_info
**server_info
)
335 return authsam_check_password_internals(ctx
, mem_ctx
, NULL
, user_info
, server_info
);
338 /****************************************************************************
339 Check SAM security (above) but with a few extra checks.
340 ****************************************************************************/
341 static NTSTATUS
authsam_want_check(struct auth_method_context
*ctx
,
343 const struct auth_usersupplied_info
*user_info
)
345 BOOL is_local_name
, is_my_domain
;
347 if (!user_info
->mapped
.account_name
|| !*user_info
->mapped
.account_name
) {
348 return NT_STATUS_NOT_IMPLEMENTED
;
351 is_local_name
= is_myname(user_info
->mapped
.domain_name
);
352 is_my_domain
= strequal(user_info
->mapped
.domain_name
, lp_workgroup());
354 /* check whether or not we service this domain/workgroup name */
355 switch (lp_server_role()) {
356 case ROLE_STANDALONE
:
359 case ROLE_DOMAIN_MEMBER
:
360 if (!is_local_name
) {
361 DEBUG(6,("authsam_check_password: %s is not one of my local names (DOMAIN_MEMBER)\n",
362 user_info
->mapped
.domain_name
));
363 return NT_STATUS_NOT_IMPLEMENTED
;
367 case ROLE_DOMAIN_CONTROLLER
:
368 if (!is_local_name
&& !is_my_domain
) {
369 DEBUG(6,("authsam_check_password: %s is not one of my local names or domain name (DC)\n",
370 user_info
->mapped
.domain_name
));
371 return NT_STATUS_NOT_IMPLEMENTED
;
376 DEBUG(6,("authsam_check_password: lp_server_role() has an undefined value\n"));
377 return NT_STATUS_NOT_IMPLEMENTED
;
380 /****************************************************************************
381 Check SAM security (above) but with a few extra checks.
382 ****************************************************************************/
383 static NTSTATUS
authsam_check_password(struct auth_method_context
*ctx
,
385 const struct auth_usersupplied_info
*user_info
,
386 struct auth_serversupplied_info
**server_info
)
390 /* check whether or not we service this domain/workgroup name */
391 switch (lp_server_role()) {
392 case ROLE_STANDALONE
:
393 case ROLE_DOMAIN_MEMBER
:
394 domain
= lp_netbios_name();
397 case ROLE_DOMAIN_CONTROLLER
:
398 domain
= lp_workgroup();
402 return NT_STATUS_NO_SUCH_USER
;
405 return authsam_check_password_internals(ctx
, mem_ctx
, domain
, user_info
, server_info
);
408 static const struct auth_operations sam_ignoredomain_ops
= {
409 .name
= "sam_ignoredomain",
410 .get_challenge
= auth_get_challenge_not_implemented
,
411 .want_check
= authsam_ignoredomain_want_check
,
412 .check_password
= authsam_ignoredomain_check_password
415 static const struct auth_operations sam_ops
= {
417 .get_challenge
= auth_get_challenge_not_implemented
,
418 .want_check
= authsam_want_check
,
419 .check_password
= authsam_check_password
422 NTSTATUS
auth_sam_init(void)
426 ret
= auth_register(&sam_ops
);
427 if (!NT_STATUS_IS_OK(ret
)) {
428 DEBUG(0,("Failed to register 'sam' auth backend!\n"));
432 ret
= auth_register(&sam_ignoredomain_ops
);
433 if (!NT_STATUS_IS_OK(ret
)) {
434 DEBUG(0,("Failed to register 'sam_ignoredomain' auth backend!\n"));