search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix bug #6224 - nmbd waits 5 minutes at startup before checking if it needs to run...
[Samba.git] / source / auth / auth_util.c
blob24b05a566416bf5853aaa0dd38ee885254faa211
1 /*
2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Volker Lendecke 2006
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25
26 #undef DBGC_CLASS
27 #define DBGC_CLASS DBGC_AUTH
28
29 /****************************************************************************
30 Ensure primary group SID is always at position 0 in a
31 auth_serversupplied_info struct.
32 ****************************************************************************/
33
34 static void sort_sid_array_for_smbd(auth_serversupplied_info *result,
35 const DOM_SID *pgroup_sid)
36 {
37 unsigned int i;
38
39 if (!result->sids) {
40 return;
41 }
42
43 if (sid_compare(&result->sids[0], pgroup_sid)==0) {
44 return;
45 }
46
47 for (i = 1; i < result->num_sids; i++) {
48 if (sid_compare(pgroup_sid,
49 &result->sids[i]) == 0) {
50 sid_copy(&result->sids[i], &result->sids[0]);
51 sid_copy(&result->sids[0], pgroup_sid);
52 return;
53 }
54 }
55 }
56
57 /****************************************************************************
58 Create a UNIX user on demand.
59 ****************************************************************************/
60
61 static int smb_create_user(const char *domain, const char *unix_username, const char *homedir)
62 {
63 TALLOC_CTX *ctx = talloc_tos();
64 char *add_script;
65 int ret;
66
67 add_script = talloc_strdup(ctx, lp_adduser_script());
68 if (!add_script || !*add_script) {
69 return -1;
70 }
71 add_script = talloc_all_string_sub(ctx,
72 add_script,
73 "%u",
74 unix_username);
75 if (!add_script) {
76 return -1;
77 }
78 if (domain) {
79 add_script = talloc_all_string_sub(ctx,
80 add_script,
81 "%D",
82 domain);
83 if (!add_script) {
84 return -1;
85 }
86 }
87 if (homedir) {
88 add_script = talloc_all_string_sub(ctx,
89 add_script,
90 "%H",
91 homedir);
92 if (!add_script) {
93 return -1;
94 }
95 }
96 ret = smbrun(add_script,NULL);
97 flush_pwnam_cache();
98 DEBUG(ret ? 0 : 3,
99 ("smb_create_user: Running the command `%s' gave %d\n",
100 add_script,ret));
101 return ret;
102 }
103
104 /****************************************************************************
105 Create an auth_usersupplied_data structure
106 ****************************************************************************/
107
108 static NTSTATUS make_user_info(auth_usersupplied_info **user_info,
109 const char *smb_name,
110 const char *internal_username,
111 const char *client_domain,
112 const char *domain,
113 const char *wksta_name,
114 DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd,
115 DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd,
116 DATA_BLOB *plaintext,
117 bool encrypted)
118 {
119
120 DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name));
121
122 *user_info = SMB_MALLOC_P(auth_usersupplied_info);
123 if (*user_info == NULL) {
124 DEBUG(0,("malloc failed for user_info (size %lu)\n", (unsigned long)sizeof(*user_info)));
125 return NT_STATUS_NO_MEMORY;
126 }
127
128 ZERO_STRUCTP(*user_info);
129
130 DEBUG(5,("making strings for %s's user_info struct\n", internal_username));
131
132 (*user_info)->smb_name = SMB_STRDUP(smb_name);
133 if ((*user_info)->smb_name == NULL) {
134 free_user_info(user_info);
135 return NT_STATUS_NO_MEMORY;
136 }
137
138 (*user_info)->internal_username = SMB_STRDUP(internal_username);
139 if ((*user_info)->internal_username == NULL) {
140 free_user_info(user_info);
141 return NT_STATUS_NO_MEMORY;
142 }
143
144 (*user_info)->domain = SMB_STRDUP(domain);
145 if ((*user_info)->domain == NULL) {
146 free_user_info(user_info);
147 return NT_STATUS_NO_MEMORY;
148 }
149
150 (*user_info)->client_domain = SMB_STRDUP(client_domain);
151 if ((*user_info)->client_domain == NULL) {
152 free_user_info(user_info);
153 return NT_STATUS_NO_MEMORY;
154 }
155
156 (*user_info)->wksta_name = SMB_STRDUP(wksta_name);
157 if ((*user_info)->wksta_name == NULL) {
158 free_user_info(user_info);
159 return NT_STATUS_NO_MEMORY;
160 }
161
162 DEBUG(5,("making blobs for %s's user_info struct\n", internal_username));
163
164 if (lm_pwd)
165 (*user_info)->lm_resp = data_blob(lm_pwd->data, lm_pwd->length);
166 if (nt_pwd)
167 (*user_info)->nt_resp = data_blob(nt_pwd->data, nt_pwd->length);
168 if (lm_interactive_pwd)
169 (*user_info)->lm_interactive_pwd = data_blob(lm_interactive_pwd->data, lm_interactive_pwd->length);
170 if (nt_interactive_pwd)
171 (*user_info)->nt_interactive_pwd = data_blob(nt_interactive_pwd->data, nt_interactive_pwd->length);
172
173 if (plaintext)
174 (*user_info)->plaintext_password = data_blob(plaintext->data, plaintext->length);
175
176 (*user_info)->encrypted = encrypted;
177
178 (*user_info)->logon_parameters = 0;
179
180 DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name));
181
182 return NT_STATUS_OK;
183 }
184
185 /****************************************************************************
186 Create an auth_usersupplied_data structure after appropriate mapping.
187 ****************************************************************************/
188
189 NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
190 const char *smb_name,
191 const char *client_domain,
192 const char *wksta_name,
193 DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd,
194 DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd,
195 DATA_BLOB *plaintext,
196 bool encrypted)
197 {
198 const char *domain;
199 NTSTATUS result;
200 bool was_mapped;
201 fstring internal_username;
202 fstrcpy(internal_username, smb_name);
203 was_mapped = map_username(internal_username);
204
205 DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n",
206 client_domain, smb_name, wksta_name));
207
208 /* don't allow "" as a domain, fixes a Win9X bug
209 where it doens't supply a domain for logon script
210 'net use' commands. */
211
212 if ( *client_domain )
213 domain = client_domain;
214 else
215 domain = lp_workgroup();
216
217 /* do what win2k does. Always map unknown domains to our own
218 and let the "passdb backend" handle unknown users. */
219
220 if ( !is_trusted_domain(domain) && !strequal(domain, get_global_sam_name()) )
221 domain = my_sam_name();
222
223 /* we know that it is a trusted domain (and we are allowing them) or it is our domain */
224
225 result = make_user_info(user_info, smb_name, internal_username,
226 client_domain, domain, wksta_name,
227 lm_pwd, nt_pwd,
228 lm_interactive_pwd, nt_interactive_pwd,
229 plaintext, encrypted);
230 if (NT_STATUS_IS_OK(result)) {
231 (*user_info)->was_mapped = was_mapped;
232 }
233 return result;
234 }
235
236 /****************************************************************************
237 Create an auth_usersupplied_data, making the DATA_BLOBs here.
238 Decrypt and encrypt the passwords.
239 ****************************************************************************/
240
241 bool make_user_info_netlogon_network(auth_usersupplied_info **user_info,
242 const char *smb_name,
243 const char *client_domain,
244 const char *wksta_name,
245 uint32 logon_parameters,
246 const uchar *lm_network_pwd,
247 int lm_pwd_len,
248 const uchar *nt_network_pwd,
249 int nt_pwd_len)
250 {
251 bool ret;
252 NTSTATUS status;
253 DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len);
254 DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
255
256 status = make_user_info_map(user_info,
257 smb_name, client_domain,
258 wksta_name,
259 lm_pwd_len ? &lm_blob : NULL,
260 nt_pwd_len ? &nt_blob : NULL,
261 NULL, NULL, NULL,
262 True);
263
264 if (NT_STATUS_IS_OK(status)) {
265 (*user_info)->logon_parameters = logon_parameters;
266 }
267 ret = NT_STATUS_IS_OK(status) ? True : False;
268
269 data_blob_free(&lm_blob);
270 data_blob_free(&nt_blob);
271 return ret;
272 }
273
274 /****************************************************************************
275 Create an auth_usersupplied_data, making the DATA_BLOBs here.
276 Decrypt and encrypt the passwords.
277 ****************************************************************************/
278
279 bool make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
280 const char *smb_name,
281 const char *client_domain,
282 const char *wksta_name,
283 uint32 logon_parameters,
284 const uchar chal[8],
285 const uchar lm_interactive_pwd[16],
286 const uchar nt_interactive_pwd[16],
287 const uchar *dc_sess_key)
288 {
289 unsigned char lm_pwd[16];
290 unsigned char nt_pwd[16];
291 unsigned char local_lm_response[24];
292 unsigned char local_nt_response[24];
293 unsigned char key[16];
294
295 ZERO_STRUCT(key);
296 memcpy(key, dc_sess_key, 8);
297
298 if (lm_interactive_pwd)
299 memcpy(lm_pwd, lm_interactive_pwd, sizeof(lm_pwd));
300
301 if (nt_interactive_pwd)
302 memcpy(nt_pwd, nt_interactive_pwd, sizeof(nt_pwd));
303
304 #ifdef DEBUG_PASSWORD
305 DEBUG(100,("key:"));
306 dump_data(100, key, sizeof(key));
307
308 DEBUG(100,("lm owf password:"));
309 dump_data(100, lm_pwd, sizeof(lm_pwd));
310
311 DEBUG(100,("nt owf password:"));
312 dump_data(100, nt_pwd, sizeof(nt_pwd));
313 #endif
314
315 if (lm_interactive_pwd)
316 SamOEMhash(lm_pwd, key, sizeof(lm_pwd));
317
318 if (nt_interactive_pwd)
319 SamOEMhash(nt_pwd, key, sizeof(nt_pwd));
320
321 #ifdef DEBUG_PASSWORD
322 DEBUG(100,("decrypt of lm owf password:"));
323 dump_data(100, lm_pwd, sizeof(lm_pwd));
324
325 DEBUG(100,("decrypt of nt owf password:"));
326 dump_data(100, nt_pwd, sizeof(nt_pwd));
327 #endif
328
329 if (lm_interactive_pwd)
330 SMBOWFencrypt(lm_pwd, chal,
331 local_lm_response);
332
333 if (nt_interactive_pwd)
334 SMBOWFencrypt(nt_pwd, chal,
335 local_nt_response);
336
337 /* Password info paranoia */
338 ZERO_STRUCT(key);
339
340 {
341 bool ret;
342 NTSTATUS nt_status;
343 DATA_BLOB local_lm_blob;
344 DATA_BLOB local_nt_blob;
345
346 DATA_BLOB lm_interactive_blob;
347 DATA_BLOB nt_interactive_blob;
348
349 if (lm_interactive_pwd) {
350 local_lm_blob = data_blob(local_lm_response,
351 sizeof(local_lm_response));
352 lm_interactive_blob = data_blob(lm_pwd,
353 sizeof(lm_pwd));
354 ZERO_STRUCT(lm_pwd);
355 }
356
357 if (nt_interactive_pwd) {
358 local_nt_blob = data_blob(local_nt_response,
359 sizeof(local_nt_response));
360 nt_interactive_blob = data_blob(nt_pwd,
361 sizeof(nt_pwd));
362 ZERO_STRUCT(nt_pwd);
363 }
364
365 nt_status = make_user_info_map(
366 user_info,
367 smb_name, client_domain, wksta_name,
368 lm_interactive_pwd ? &local_lm_blob : NULL,
369 nt_interactive_pwd ? &local_nt_blob : NULL,
370 lm_interactive_pwd ? &lm_interactive_blob : NULL,
371 nt_interactive_pwd ? &nt_interactive_blob : NULL,
372 NULL, True);
373
374 if (NT_STATUS_IS_OK(nt_status)) {
375 (*user_info)->logon_parameters = logon_parameters;
376 }
377
378 ret = NT_STATUS_IS_OK(nt_status) ? True : False;
379 data_blob_free(&local_lm_blob);
380 data_blob_free(&local_nt_blob);
381 data_blob_free(&lm_interactive_blob);
382 data_blob_free(&nt_interactive_blob);
383 return ret;
384 }
385 }
386
387
388 /****************************************************************************
389 Create an auth_usersupplied_data structure
390 ****************************************************************************/
391
392 bool make_user_info_for_reply(auth_usersupplied_info **user_info,
393 const char *smb_name,
394 const char *client_domain,
395 const uint8 chal[8],
396 DATA_BLOB plaintext_password)
397 {
398
399 DATA_BLOB local_lm_blob;
400 DATA_BLOB local_nt_blob;
401 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
402
403 /*
404 * Not encrypted - do so.
405 */
406
407 DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted "
408 "format.\n"));
409
410 if (plaintext_password.data) {
411 unsigned char local_lm_response[24];
412
413 #ifdef DEBUG_PASSWORD
414 DEBUG(10,("Unencrypted password (len %d):\n",
415 (int)plaintext_password.length));
416 dump_data(100, plaintext_password.data,
417 plaintext_password.length);
418 #endif
419
420 SMBencrypt( (const char *)plaintext_password.data,
421 (const uchar*)chal, local_lm_response);
422 local_lm_blob = data_blob(local_lm_response, 24);
423
424 /* We can't do an NT hash here, as the password needs to be
425 case insensitive */
426 local_nt_blob = data_blob_null;
427
428 } else {
429 local_lm_blob = data_blob_null;
430 local_nt_blob = data_blob_null;
431 }
432
433 ret = make_user_info_map(
434 user_info, smb_name, client_domain,
435 get_remote_machine_name(),
436 local_lm_blob.data ? &local_lm_blob : NULL,
437 local_nt_blob.data ? &local_nt_blob : NULL,
438 NULL, NULL,
439 plaintext_password.data ? &plaintext_password : NULL,
440 False);
441
442 data_blob_free(&local_lm_blob);
443 return NT_STATUS_IS_OK(ret) ? True : False;
444 }
445
446 /****************************************************************************
447 Create an auth_usersupplied_data structure
448 ****************************************************************************/
449
450 NTSTATUS make_user_info_for_reply_enc(auth_usersupplied_info **user_info,
451 const char *smb_name,
452 const char *client_domain,
453 DATA_BLOB lm_resp, DATA_BLOB nt_resp)
454 {
455 return make_user_info_map(user_info, smb_name,
456 client_domain,
457 get_remote_machine_name(),
458 lm_resp.data ? &lm_resp : NULL,
459 nt_resp.data ? &nt_resp : NULL,
460 NULL, NULL, NULL,
461 True);
462 }
463
464 /****************************************************************************
465 Create a guest user_info blob, for anonymous authenticaion.
466 ****************************************************************************/
467
468 bool make_user_info_guest(auth_usersupplied_info **user_info)
469 {
470 NTSTATUS nt_status;
471
472 nt_status = make_user_info(user_info,
473 "","",
474 "","",
475 "",
476 NULL, NULL,
477 NULL, NULL,
478 NULL,
479 True);
480
481 return NT_STATUS_IS_OK(nt_status) ? True : False;
482 }
483
484 static int server_info_dtor(auth_serversupplied_info *server_info)
485 {
486 TALLOC_FREE(server_info->sam_account);
487 ZERO_STRUCTP(server_info);
488 return 0;
489 }
490
491 /***************************************************************************
492 Make a server_info struct. Free with TALLOC_FREE().
493 ***************************************************************************/
494
495 static auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx)
496 {
497 struct auth_serversupplied_info *result;
498
499 result = TALLOC_ZERO_P(mem_ctx, auth_serversupplied_info);
500 if (result == NULL) {
501 DEBUG(0, ("talloc failed\n"));
502 return NULL;
503 }
504
505 talloc_set_destructor(result, server_info_dtor);
506
507 /* Initialise the uid and gid values to something non-zero
508 which may save us from giving away root access if there
509 is a bug in allocating these fields. */
510
511 result->uid = -1;
512 result->gid = -1;
513 return result;
514 }
515
516 /***************************************************************************
517 Is the incoming username our own machine account ?
518 If so, the connection is almost certainly from winbindd.
519 ***************************************************************************/
520
521 static bool is_our_machine_account(const char *username)
522 {
523 bool ret;
524 char *truncname = NULL;
525 size_t ulen = strlen(username);
526
527 if (ulen == 0 || username[ulen-1] != '$') {
528 return false;
529 }
530 truncname = SMB_STRDUP(username);
531 if (!truncname) {
532 return false;
533 }
534 truncname[ulen-1] = '\0';
535 ret = strequal(truncname, global_myname());
536 SAFE_FREE(truncname);
537 return ret;
538 }
539
540 /***************************************************************************
541 Make (and fill) a user_info struct from a struct samu
542 ***************************************************************************/
543
544 NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
545 struct samu *sampass)
546 {
547 struct passwd *pwd;
548 gid_t *gids;
549 auth_serversupplied_info *result;
550 const char *username = pdb_get_username(sampass);
551 NTSTATUS status;
552
553 if ( !(result = make_server_info(NULL)) ) {
554 return NT_STATUS_NO_MEMORY;
555 }
556
557 if ( !(pwd = getpwnam_alloc(result, username)) ) {
558 DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n",
559 pdb_get_username(sampass)));
560 TALLOC_FREE(result);
561 return NT_STATUS_NO_SUCH_USER;
562 }
563
564 result->sam_account = sampass;
565 result->unix_name = pwd->pw_name;
566 /* Ensure that we keep pwd->pw_name, because we will free pwd below */
567 talloc_steal(result, pwd->pw_name);
568 result->gid = pwd->pw_gid;
569 result->uid = pwd->pw_uid;
570
571 TALLOC_FREE(pwd);
572
573 if (IS_DC && is_our_machine_account(username)) {
574 /*
575 * Ensure for a connection from our own
576 * machine account (from winbindd on a DC)
577 * there are no supplementary groups.
578 * Prevents loops in calling gid_to_sid().
579 */
580 result->sids = NULL;
581 gids = NULL;
582 result->num_sids = 0;
583
584 /*
585 * This is a hack of monstrous proportions.
586 * If we know it's winbindd talking to us,
587 * we know we must never recurse into it,
588 * so turn off contacting winbindd for this
589 * entire process. This will get fixed when
590 * winbindd doesn't need to talk to smbd on
591 * a PDC. JRA.
592 */
593
594 (void)winbind_off();
595
596 DEBUG(10, ("make_server_info_sam: our machine account %s "
597 "setting supplementary group list empty and "
598 "turning off winbindd requests.\n",
599 username));
600 } else {
601 status = pdb_enum_group_memberships(result, sampass,
602 &result->sids, &gids,
603 &result->num_sids);
604
605 if (!NT_STATUS_IS_OK(status)) {
606 DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
607 nt_errstr(status)));
608 result->sam_account = NULL; /* Don't free on error exit. */
609 TALLOC_FREE(result);
610 return status;
611 }
612 }
613
614 /* For now we throw away the gids and convert via sid_to_gid
615 * later. This needs fixing, but I'd like to get the code straight and
616 * simple first. */
617
618 TALLOC_FREE(gids);
619
620 DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n",
621 pdb_get_username(sampass), result->unix_name));
622
623 *server_info = result;
624 /* Ensure thaat the sampass will be freed with the result */
625 talloc_steal(result, sampass);
626
627 return NT_STATUS_OK;
628 }
629
630 static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token)
631 {
632 char *command;
633 char *group_sidstr;
634 size_t i;
635
636 if ((lp_log_nt_token_command() == NULL) ||
637 (strlen(lp_log_nt_token_command()) == 0)) {
638 return NT_STATUS_OK;
639 }
640
641 group_sidstr = talloc_strdup(tmp_ctx, "");
642 for (i=1; i<token->num_sids; i++) {
643 group_sidstr = talloc_asprintf(
644 tmp_ctx, "%s %s", group_sidstr,
645 sid_string_talloc(tmp_ctx, &token->user_sids[i]));
646 }
647
648 command = talloc_string_sub(
649 tmp_ctx, lp_log_nt_token_command(),
650 "%s", sid_string_talloc(tmp_ctx, &token->user_sids[0]));
651 command = talloc_string_sub(tmp_ctx, command, "%t", group_sidstr);
652
653 if (command == NULL) {
654 return NT_STATUS_NO_MEMORY;
655 }
656
657 DEBUG(8, ("running command: [%s]\n", command));
658 if (smbrun(command, NULL) != 0) {
659 DEBUG(0, ("Could not log NT token\n"));
660 return NT_STATUS_ACCESS_DENIED;
661 }
662
663 return NT_STATUS_OK;
664 }
665
666 /*
667 * Create the token to use from server_info->sam_account and
668 * server_info->sids (the info3/sam groups). Find the unix gids.
669 */
670
671 NTSTATUS create_local_token(auth_serversupplied_info *server_info)
672 {
673 TALLOC_CTX *mem_ctx;
674 NTSTATUS status;
675 size_t i;
676 struct dom_sid tmp_sid;
677
678 /*
679 * If winbind is not around, we can not make much use of the SIDs the
680 * domain controller provided us with. Likewise if the user name was
681 * mapped to some local unix user.
682 */
683
684 if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
685 (server_info->was_mapped)) {
686 status = create_token_from_username(server_info,
687 server_info->unix_name,
688 server_info->guest,
689 &server_info->uid,
690 &server_info->gid,
691 &server_info->unix_name,
692 &server_info->ptok);
693
694 } else {
695 server_info->ptok = create_local_nt_token(
696 server_info,
697 pdb_get_user_sid(server_info->sam_account),
698 server_info->guest,
699 server_info->num_sids, server_info->sids);
700 status = server_info->ptok ?
701 NT_STATUS_OK : NT_STATUS_NO_SUCH_USER;
702 }
703
704 if (!NT_STATUS_IS_OK(status)) {
705 return status;
706 }
707
708 /* Convert the SIDs to gids. */
709
710 server_info->n_groups = 0;
711 server_info->groups = NULL;
712
713 /* Start at index 1, where the groups start. */
714
715 for (i=1; i<server_info->ptok->num_sids; i++) {
716 gid_t gid;
717 DOM_SID *sid = &server_info->ptok->user_sids[i];
718
719 if (!sid_to_gid(sid, &gid)) {
720 DEBUG(10, ("Could not convert SID %s to gid, "
721 "ignoring it\n", sid_string_dbg(sid)));
722 continue;
723 }
724 add_gid_to_array_unique(server_info, gid, &server_info->groups,
725 &server_info->n_groups);
726 }
727
728 if (!uid_to_unix_users_sid(server_info->uid, &tmp_sid)) {
729 DEBUG(1,("create_local_token: Failed to create SID "
730 "for uid %d!\n", server_info->uid));
731 }
732 add_sid_to_array_unique(server_info->ptok, &tmp_sid,
733 &server_info->ptok->user_sids,
734 &server_info->ptok->num_sids);
735
736 if (!gid_to_unix_groups_sid( server_info->gid, &tmp_sid)) {
737 DEBUG(1,("create_local_token: Failed to create SID "
738 "for gid %d!\n", server_info->gid));
739 }
740 add_sid_to_array_unique(server_info->ptok, &tmp_sid,
741 &server_info->ptok->user_sids,
742 &server_info->ptok->num_sids);
743
744 for ( i=0; i<server_info->n_groups; i++ ) {
745 if (!gid_to_unix_groups_sid( server_info->groups[i], &tmp_sid ) ) {
746 DEBUG(1,("create_local_token: Failed to create SID "
747 "for gid %d!\n", server_info->groups[i]));
748 continue;
749 }
750 add_sid_to_array_unique(server_info->ptok, &tmp_sid,
751 &server_info->ptok->user_sids,
752 &server_info->ptok->num_sids);
753 }
754
755 debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok);
756 debug_unix_user_token(DBGC_AUTH, 10,
757 server_info->uid,
758 server_info->gid,
759 server_info->n_groups,
760 server_info->groups);
761
762 mem_ctx = talloc_new(NULL);
763 if (mem_ctx == NULL) {
764 DEBUG(0, ("talloc_new failed\n"));
765 return NT_STATUS_NO_MEMORY;
766 }
767
768 status = log_nt_token(mem_ctx, server_info->ptok);
769
770 TALLOC_FREE(mem_ctx);
771 return status;
772 }
773
774 /*
775 * Create an artificial NT token given just a username. (Initially intended
776 * for force user)
777 *
778 * We go through lookup_name() to avoid problems we had with 'winbind use
779 * default domain'.
780 *
781 * We have 3 cases:
782 *
783 * unmapped unix users: Go directly to nss to find the user's group.
784 *
785 * A passdb user: The list of groups is provided by pdb_enum_group_memberships.
786 *
787 * If the user is provided by winbind, the primary gid is set to "domain
788 * users" of the user's domain. For an explanation why this is necessary, see
789 * the thread starting at
790 * http://lists.samba.org/archive/samba-technical/2006-January/044803.html.
791 */
792
793 NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
794 bool is_guest,
795 uid_t *uid, gid_t *gid,
796 char **found_username,
797 struct nt_user_token **token)
798 {
799 NTSTATUS result = NT_STATUS_NO_SUCH_USER;
800 TALLOC_CTX *tmp_ctx;
801 DOM_SID user_sid;
802 enum lsa_SidType type;
803 gid_t *gids;
804 DOM_SID *group_sids;
805 DOM_SID unix_group_sid;
806 size_t num_group_sids;
807 size_t num_gids;
808 size_t i;
809
810 tmp_ctx = talloc_new(NULL);
811 if (tmp_ctx == NULL) {
812 DEBUG(0, ("talloc_new failed\n"));
813 return NT_STATUS_NO_MEMORY;
814 }
815
816 if (!lookup_name_smbconf(tmp_ctx, username, LOOKUP_NAME_ALL,
817 NULL, NULL, &user_sid, &type)) {
818 DEBUG(1, ("lookup_name_smbconf for %s failed\n", username));
819 goto done;
820 }
821
822 if (type != SID_NAME_USER) {
823 DEBUG(1, ("%s is a %s, not a user\n", username,
824 sid_type_lookup(type)));
825 goto done;
826 }
827
828 if (sid_check_is_in_our_domain(&user_sid)) {
829 bool ret;
830
831 /* This is a passdb user, so ask passdb */
832
833 struct samu *sam_acct = NULL;
834
835 if ( !(sam_acct = samu_new( tmp_ctx )) ) {
836 result = NT_STATUS_NO_MEMORY;
837 goto done;
838 }
839
840 become_root();
841 ret = pdb_getsampwsid(sam_acct, &user_sid);
842 unbecome_root();
843
844 if (!ret) {
845 DEBUG(1, ("pdb_getsampwsid(%s) for user %s failed\n",
846 sid_string_dbg(&user_sid), username));
847 DEBUGADD(1, ("Fall back to unix user %s\n", username));
848 goto unix_user;
849 }
850
851 result = pdb_enum_group_memberships(tmp_ctx, sam_acct,
852 &group_sids, &gids,
853 &num_group_sids);
854 if (!NT_STATUS_IS_OK(result)) {
855 DEBUG(10, ("enum_group_memberships failed for %s\n",
856 username));
857 DEBUGADD(1, ("Fall back to unix user %s\n", username));
858 goto unix_user;
859 }
860
861 /* see the smb_panic() in pdb_default_enum_group_memberships */
862 SMB_ASSERT(num_group_sids > 0);
863
864 *gid = gids[0];
865
866 /* Ensure we're returning the found_username on the right context. */
867 *found_username = talloc_strdup(mem_ctx,
868 pdb_get_username(sam_acct));
869
870 } else if (sid_check_is_in_unix_users(&user_sid)) {
871
872 /* This is a unix user not in passdb. We need to ask nss
873 * directly, without consulting passdb */
874
875 struct passwd *pass;
876
877 /*
878 * This goto target is used as a fallback for the passdb
879 * case. The concrete bug report is when passdb gave us an
880 * unmapped gid.
881 */
882
883 unix_user:
884
885 if (!sid_to_uid(&user_sid, uid)) {
886 DEBUG(1, ("sid_to_uid for %s (%s) failed\n",
887 username, sid_string_dbg(&user_sid)));
888 goto done;
889 }
890
891 uid_to_unix_users_sid(*uid, &user_sid);
892
893 pass = getpwuid_alloc(tmp_ctx, *uid);
894 if (pass == NULL) {
895 DEBUG(1, ("getpwuid(%d) for user %s failed\n",
896 *uid, username));
897 goto done;
898 }
899
900 if (!getgroups_unix_user(tmp_ctx, username, pass->pw_gid,
901 &gids, &num_group_sids)) {
902 DEBUG(1, ("getgroups_unix_user for user %s failed\n",
903 username));
904 goto done;
905 }
906
907 if (num_group_sids) {
908 group_sids = TALLOC_ARRAY(tmp_ctx, DOM_SID, num_group_sids);
909 if (group_sids == NULL) {
910 DEBUG(1, ("TALLOC_ARRAY failed\n"));
911 result = NT_STATUS_NO_MEMORY;
912 goto done;
913 }
914 } else {
915 group_sids = NULL;
916 }
917
918 for (i=0; i<num_group_sids; i++) {
919 gid_to_sid(&group_sids[i], gids[i]);
920 }
921
922 /* In getgroups_unix_user we always set the primary gid */
923 SMB_ASSERT(num_group_sids > 0);
924
925 *gid = gids[0];
926
927 /* Ensure we're returning the found_username on the right context. */
928 *found_username = talloc_strdup(mem_ctx, pass->pw_name);
929 } else {
930
931 /* This user is from winbind, force the primary gid to the
932 * user's "domain users" group. Under certain circumstances
933 * (user comes from NT4), this might be a loss of
934 * information. But we can not rely on winbind getting the
935 * correct info. AD might prohibit winbind looking up that
936 * information. */
937
938 uint32 dummy;
939
940 num_group_sids = 1;
941 group_sids = TALLOC_ARRAY(tmp_ctx, DOM_SID, num_group_sids);
942 if (group_sids == NULL) {
943 DEBUG(1, ("TALLOC_ARRAY failed\n"));
944 result = NT_STATUS_NO_MEMORY;
945 goto done;
946 }
947
948 sid_copy(&group_sids[0], &user_sid);
949 sid_split_rid(&group_sids[0], &dummy);
950 sid_append_rid(&group_sids[0], DOMAIN_GROUP_RID_USERS);
951
952 if (!sid_to_gid(&group_sids[0], gid)) {
953 DEBUG(1, ("sid_to_gid(%s) failed\n",
954 sid_string_dbg(&group_sids[0])));
955 goto done;
956 }
957
958 gids = gid;
959
960 /* Ensure we're returning the found_username on the right context. */
961 *found_username = talloc_strdup(mem_ctx, username);
962 }
963
964 /* Add the "Unix Group" SID for each gid to catch mapped groups
965 and their Unix equivalent. This is to solve the backwards
966 compatibility problem of 'valid users = +ntadmin' where
967 ntadmin has been paired with "Domain Admins" in the group
968 mapping table. Otherwise smb.conf would need to be changed
969 to 'valid user = "Domain Admins"'. --jerry */
970
971 num_gids = num_group_sids;
972 for ( i=0; i<num_gids; i++ ) {
973 gid_t high, low;
974
975 /* don't pickup anything managed by Winbind */
976
977 if ( lp_idmap_gid(&low, &high) && (gids[i] >= low) && (gids[i] <= high) )
978 continue;
979
980 if ( !gid_to_unix_groups_sid( gids[i], &unix_group_sid ) ) {
981 DEBUG(1,("create_token_from_username: Failed to create SID "
982 "for gid %d!\n", gids[i]));
983 continue;
984 }
985 result = add_sid_to_array_unique(tmp_ctx, &unix_group_sid,
986 &group_sids, &num_group_sids);
987 if (!NT_STATUS_IS_OK(result)) {
988 goto done;
989 }
990 }
991
992 /* Ensure we're creating the nt_token on the right context. */
993 *token = create_local_nt_token(mem_ctx, &user_sid,
994 is_guest, num_group_sids, group_sids);
995
996 if ((*token == NULL) || (*found_username == NULL)) {
997 result = NT_STATUS_NO_MEMORY;
998 goto done;
999 }
1000
1001 result = NT_STATUS_OK;
1002 done:
1003 TALLOC_FREE(tmp_ctx);
1004 return result;
1005 }
1006
1007 /***************************************************************************
1008 Build upon create_token_from_username:
1009
1010 Expensive helper function to figure out whether a user given its name is
1011 member of a particular group.
1012 ***************************************************************************/
1013
1014 bool user_in_group_sid(const char *username, const DOM_SID *group_sid)
1015 {
1016 NTSTATUS status;
1017 uid_t uid;
1018 gid_t gid;
1019 char *found_username;
1020 struct nt_user_token *token;
1021 bool result;
1022
1023 TALLOC_CTX *mem_ctx;
1024
1025 mem_ctx = talloc_new(NULL);
1026 if (mem_ctx == NULL) {
1027 DEBUG(0, ("talloc_new failed\n"));
1028 return False;
1029 }
1030
1031 status = create_token_from_username(mem_ctx, username, False,
1032 &uid, &gid, &found_username,
1033 &token);
1034
1035 if (!NT_STATUS_IS_OK(status)) {
1036 DEBUG(10, ("could not create token for %s\n", username));
1037 return False;
1038 }
1039
1040 result = nt_token_check_sid(group_sid, token);
1041
1042 TALLOC_FREE(mem_ctx);
1043 return result;
1044
1045 }
1046
1047 bool user_in_group(const char *username, const char *groupname)
1048 {
1049 TALLOC_CTX *mem_ctx;
1050 DOM_SID group_sid;
1051 bool ret;
1052
1053 mem_ctx = talloc_new(NULL);
1054 if (mem_ctx == NULL) {
1055 DEBUG(0, ("talloc_new failed\n"));
1056 return False;
1057 }
1058
1059 ret = lookup_name(mem_ctx, groupname, LOOKUP_NAME_ALL,
1060 NULL, NULL, &group_sid, NULL);
1061 TALLOC_FREE(mem_ctx);
1062
1063 if (!ret) {
1064 DEBUG(10, ("lookup_name for (%s) failed.\n", groupname));
1065 return False;
1066 }
1067
1068 return user_in_group_sid(username, &group_sid);
1069 }
1070
1071
1072 /***************************************************************************
1073 Make (and fill) a user_info struct from a 'struct passwd' by conversion
1074 to a struct samu
1075 ***************************************************************************/
1076
1077 NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info,
1078 char *unix_username,
1079 struct passwd *pwd)
1080 {
1081 NTSTATUS status;
1082 struct samu *sampass = NULL;
1083 gid_t *gids;
1084 char *qualified_name = NULL;
1085 TALLOC_CTX *mem_ctx = NULL;
1086 DOM_SID u_sid;
1087 enum lsa_SidType type;
1088 auth_serversupplied_info *result;
1089
1090 if ( !(sampass = samu_new( NULL )) ) {
1091 return NT_STATUS_NO_MEMORY;
1092 }
1093
1094 status = samu_set_unix( sampass, pwd );
1095 if (!NT_STATUS_IS_OK(status)) {
1096 return status;
1097 }
1098
1099 result = make_server_info(NULL);
1100 if (result == NULL) {
1101 TALLOC_FREE(sampass);
1102 return NT_STATUS_NO_MEMORY;
1103 }
1104
1105 result->sam_account = sampass;
1106 result->unix_name = talloc_strdup(result, unix_username);
1107 result->uid = pwd->pw_uid;
1108 result->gid = pwd->pw_gid;
1109
1110 status = pdb_enum_group_memberships(result, sampass,
1111 &result->sids, &gids,
1112 &result->num_sids);
1113
1114 if (!NT_STATUS_IS_OK(status)) {
1115 DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
1116 nt_errstr(status)));
1117 TALLOC_FREE(result);
1118 return status;
1119 }
1120
1121 /*
1122 * The SID returned in server_info->sam_account is based
1123 * on our SAM sid even though for a pure UNIX account this should
1124 * not be the case as it doesn't really exist in the SAM db.
1125 * This causes lookups on "[in]valid users" to fail as they
1126 * will lookup this name as a "Unix User" SID to check against
1127 * the user token. Fix this by adding the "Unix User"\unix_username
1128 * SID to the sid array. The correct fix should probably be
1129 * changing the server_info->sam_account user SID to be a
1130 * S-1-22 Unix SID, but this might break old configs where
1131 * plaintext passwords were used with no SAM backend.
1132 */
1133
1134 mem_ctx = talloc_init("make_server_info_pw_tmp");
1135 if (!mem_ctx) {
1136 TALLOC_FREE(result);
1137 return NT_STATUS_NO_MEMORY;
1138 }
1139
1140 qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
1141 unix_users_domain_name(),
1142 unix_username );
1143 if (!qualified_name) {
1144 TALLOC_FREE(result);
1145 TALLOC_FREE(mem_ctx);
1146 return NT_STATUS_NO_MEMORY;
1147 }
1148
1149 if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
1150 NULL, NULL,
1151 &u_sid, &type)) {
1152 TALLOC_FREE(result);
1153 TALLOC_FREE(mem_ctx);
1154 return NT_STATUS_NO_SUCH_USER;
1155 }
1156
1157 TALLOC_FREE(mem_ctx);
1158
1159 if (type != SID_NAME_USER) {
1160 TALLOC_FREE(result);
1161 return NT_STATUS_NO_SUCH_USER;
1162 }
1163
1164 status = add_sid_to_array_unique(result, &u_sid,
1165 &result->sids,
1166 &result->num_sids);
1167 if (!NT_STATUS_IS_OK(status)) {
1168 TALLOC_FREE(result);
1169 return status;
1170 }
1171
1172 /* For now we throw away the gids and convert via sid_to_gid
1173 * later. This needs fixing, but I'd like to get the code straight and
1174 * simple first. */
1175 TALLOC_FREE(gids);
1176
1177 *server_info = result;
1178
1179 return NT_STATUS_OK;
1180 }
1181
1182 /***************************************************************************
1183 Make (and fill) a user_info struct for a guest login.
1184 This *must* succeed for smbd to start. If there is no mapping entry for
1185 the guest gid, then create one.
1186 ***************************************************************************/
1187
1188 static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_info)
1189 {
1190 NTSTATUS status;
1191 struct samu *sampass = NULL;
1192 DOM_SID guest_sid;
1193 bool ret;
1194 char zeros[16];
1195
1196 if ( !(sampass = samu_new( NULL )) ) {
1197 return NT_STATUS_NO_MEMORY;
1198 }
1199
1200 sid_copy(&guest_sid, get_global_sam_sid());
1201 sid_append_rid(&guest_sid, DOMAIN_USER_RID_GUEST);
1202
1203 become_root();
1204 ret = pdb_getsampwsid(sampass, &guest_sid);
1205 unbecome_root();
1206
1207 if (!ret) {
1208 TALLOC_FREE(sampass);
1209 return NT_STATUS_NO_SUCH_USER;
1210 }
1211
1212 status = make_server_info_sam(server_info, sampass);
1213 if (!NT_STATUS_IS_OK(status)) {
1214 TALLOC_FREE(sampass);
1215 return status;
1216 }
1217
1218 (*server_info)->guest = True;
1219
1220 status = create_local_token(*server_info);
1221 if (!NT_STATUS_IS_OK(status)) {
1222 DEBUG(10, ("create_local_token failed: %s\n",
1223 nt_errstr(status)));
1224 return status;
1225 }
1226
1227 /* annoying, but the Guest really does have a session key, and it is
1228 all zeros! */
1229 ZERO_STRUCT(zeros);
1230 (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));
1231 (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
1232
1233 return NT_STATUS_OK;
1234 }
1235
1236 static auth_serversupplied_info *copy_serverinfo(auth_serversupplied_info *src)
1237 {
1238 auth_serversupplied_info *dst;
1239
1240 dst = make_server_info(NULL);
1241 if (dst == NULL) {
1242 return NULL;
1243 }
1244
1245 dst->guest = src->guest;
1246 dst->uid = src->uid;
1247 dst->gid = src->gid;
1248 dst->n_groups = src->n_groups;
1249 if (src->n_groups != 0) {
1250 dst->groups = (gid_t *)TALLOC_MEMDUP(
1251 dst, src->groups, sizeof(gid_t)*dst->n_groups);
1252 } else {
1253 dst->groups = NULL;
1254 }
1255
1256 if (src->ptok) {
1257 dst->ptok = dup_nt_token(dst, src->ptok);
1258 if (!dst->ptok) {
1259 TALLOC_FREE(dst);
1260 return NULL;
1261 }
1262 }
1263
1264 dst->user_session_key = data_blob_talloc( dst, src->user_session_key.data,
1265 src->user_session_key.length);
1266
1267 dst->lm_session_key = data_blob_talloc(dst, src->lm_session_key.data,
1268 src->lm_session_key.length);
1269
1270 dst->sam_account = samu_new(NULL);
1271 if (!dst->sam_account) {
1272 TALLOC_FREE(dst);
1273 return NULL;
1274 }
1275
1276 if (!pdb_copy_sam_account(dst->sam_account, src->sam_account)) {
1277 TALLOC_FREE(dst);
1278 return NULL;
1279 }
1280
1281 dst->pam_handle = NULL;
1282 dst->unix_name = talloc_strdup(dst, src->unix_name);
1283 if (!dst->unix_name) {
1284 TALLOC_FREE(dst);
1285 return NULL;
1286 }
1287
1288 return dst;
1289 }
1290
1291 static auth_serversupplied_info *guest_info = NULL;
1292
1293 bool init_guest_info(void)
1294 {
1295 if (guest_info != NULL)
1296 return True;
1297
1298 return NT_STATUS_IS_OK(make_new_server_info_guest(&guest_info));
1299 }
1300
1301 NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info)
1302 {
1303 *server_info = copy_serverinfo(guest_info);
1304 return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1305 }
1306
1307 bool copy_current_user(struct current_user *dst, struct current_user *src)
1308 {
1309 gid_t *groups;
1310 NT_USER_TOKEN *nt_token;
1311
1312 groups = (gid_t *)memdup(src->ut.groups,
1313 sizeof(gid_t) * src->ut.ngroups);
1314 if ((src->ut.ngroups != 0) && (groups == NULL)) {
1315 return False;
1316 }
1317
1318 nt_token = dup_nt_token(NULL, src->nt_user_token);
1319 if (nt_token == NULL) {
1320 SAFE_FREE(groups);
1321 return False;
1322 }
1323
1324 dst->conn = src->conn;
1325 dst->vuid = src->vuid;
1326 dst->ut.uid = src->ut.uid;
1327 dst->ut.gid = src->ut.gid;
1328 dst->ut.ngroups = src->ut.ngroups;
1329 dst->ut.groups = groups;
1330 dst->nt_user_token = nt_token;
1331 return True;
1332 }
1333
1334 bool set_current_user_guest(struct current_user *dst)
1335 {
1336 gid_t *groups;
1337 NT_USER_TOKEN *nt_token;
1338
1339 groups = (gid_t *)memdup(guest_info->groups,
1340 sizeof(gid_t) * guest_info->n_groups);
1341 if (groups == NULL) {
1342 return False;
1343 }
1344
1345 nt_token = dup_nt_token(NULL, guest_info->ptok);
1346 if (nt_token == NULL) {
1347 SAFE_FREE(groups);
1348 return False;
1349 }
1350
1351 TALLOC_FREE(dst->nt_user_token);
1352 SAFE_FREE(dst->ut.groups);
1353
1354 /* dst->conn is never really dereferenced, it's only tested for
1355 * equality in uid.c */
1356 dst->conn = NULL;
1357
1358 dst->vuid = UID_FIELD_INVALID;
1359 dst->ut.uid = guest_info->uid;
1360 dst->ut.gid = guest_info->gid;
1361 dst->ut.ngroups = guest_info->n_groups;
1362 dst->ut.groups = groups;
1363 dst->nt_user_token = nt_token;
1364 return True;
1365 }
1366
1367 /***************************************************************************
1368 Purely internal function for make_server_info_info3
1369 Fill the sam account from getpwnam
1370 ***************************************************************************/
1371 static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx,
1372 const char *domain,
1373 const char *username,
1374 char **found_username,
1375 uid_t *uid, gid_t *gid,
1376 struct samu *account,
1377 bool *username_was_mapped)
1378 {
1379 NTSTATUS nt_status;
1380 fstring dom_user, lower_username;
1381 fstring real_username;
1382 struct passwd *passwd;
1383
1384 fstrcpy( lower_username, username );
1385 strlower_m( lower_username );
1386
1387 fstr_sprintf(dom_user, "%s%c%s", domain, *lp_winbind_separator(),
1388 lower_username);
1389
1390 /* Get the passwd struct. Try to create the account is necessary. */
1391
1392 *username_was_mapped = map_username( dom_user );
1393
1394 if ( !(passwd = smb_getpwnam( NULL, dom_user, real_username, True )) )
1395 return NT_STATUS_NO_SUCH_USER;
1396
1397 *uid = passwd->pw_uid;
1398 *gid = passwd->pw_gid;
1399
1400 /* This is pointless -- there is no suport for differing
1401 unix and windows names. Make sure to always store the
1402 one we actually looked up and succeeded. Have I mentioned
1403 why I hate the 'winbind use default domain' parameter?
1404 --jerry */
1405
1406 *found_username = talloc_strdup( mem_ctx, real_username );
1407
1408 DEBUG(5,("fill_sam_account: located username was [%s]\n", *found_username));
1409
1410 nt_status = samu_set_unix( account, passwd );
1411
1412 TALLOC_FREE(passwd);
1413
1414 return nt_status;
1415 }
1416
1417 /****************************************************************************
1418 Wrapper to allow the getpwnam() call to strip the domain name and
1419 try again in case a local UNIX user is already there. Also run through
1420 the username if we fallback to the username only.
1421 ****************************************************************************/
1422
1423 struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, char *domuser,
1424 fstring save_username, bool create )
1425 {
1426 struct passwd *pw = NULL;
1427 char *p;
1428 fstring username;
1429
1430 /* we only save a copy of the username it has been mangled
1431 by winbindd use default domain */
1432
1433 save_username[0] = '\0';
1434
1435 /* don't call map_username() here since it has to be done higher
1436 up the stack so we don't call it mutliple times */
1437
1438 fstrcpy( username, domuser );
1439
1440 p = strchr_m( username, *lp_winbind_separator() );
1441
1442 /* code for a DOMAIN\user string */
1443
1444 if ( p ) {
1445 fstring strip_username;
1446
1447 pw = Get_Pwnam_alloc( mem_ctx, domuser );
1448 if ( pw ) {
1449 /* make sure we get the case of the username correct */
1450 /* work around 'winbind use default domain = yes' */
1451
1452 if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
1453 char *domain;
1454
1455 /* split the domain and username into 2 strings */
1456 *p = '\0';
1457 domain = username;
1458
1459 fstr_sprintf(save_username, "%s%c%s", domain, *lp_winbind_separator(), pw->pw_name);
1460 }
1461 else
1462 fstrcpy( save_username, pw->pw_name );
1463
1464 /* whew -- done! */
1465 return pw;
1466 }
1467
1468 /* setup for lookup of just the username */
1469 /* remember that p and username are overlapping memory */
1470
1471 p++;
1472 fstrcpy( strip_username, p );
1473 fstrcpy( username, strip_username );
1474 }
1475
1476 /* just lookup a plain username */
1477
1478 pw = Get_Pwnam_alloc(mem_ctx, username);
1479
1480 /* Create local user if requested but only if winbindd
1481 is not running. We need to protect against cases
1482 where winbindd is failing and then prematurely
1483 creating users in /etc/passwd */
1484
1485 if ( !pw && create && !winbind_ping() ) {
1486 /* Don't add a machine account. */
1487 if (username[strlen(username)-1] == '$')
1488 return NULL;
1489
1490 smb_create_user(NULL, username, NULL);
1491 pw = Get_Pwnam_alloc(mem_ctx, username);
1492 }
1493
1494 /* one last check for a valid passwd struct */
1495
1496 if ( pw )
1497 fstrcpy( save_username, pw->pw_name );
1498
1499 return pw;
1500 }
1501
1502 /***************************************************************************
1503 Make a server_info struct from the info3 returned by a domain logon
1504 ***************************************************************************/
1505
1506 NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
1507 const char *sent_nt_username,
1508 const char *domain,
1509 auth_serversupplied_info **server_info,
1510 struct netr_SamInfo3 *info3)
1511 {
1512 char zeros[16];
1513
1514 NTSTATUS nt_status = NT_STATUS_OK;
1515 char *found_username = NULL;
1516 const char *nt_domain;
1517 const char *nt_username;
1518 struct samu *sam_account = NULL;
1519 DOM_SID user_sid;
1520 DOM_SID group_sid;
1521 bool username_was_mapped;
1522
1523 uid_t uid = (uid_t)-1;
1524 gid_t gid = (gid_t)-1;
1525
1526 auth_serversupplied_info *result;
1527
1528 /*
1529 Here is where we should check the list of
1530 trusted domains, and verify that the SID
1531 matches.
1532 */
1533
1534 sid_copy(&user_sid, info3->base.domain_sid);
1535 if (!sid_append_rid(&user_sid, info3->base.rid)) {
1536 return NT_STATUS_INVALID_PARAMETER;
1537 }
1538
1539 sid_copy(&group_sid, info3->base.domain_sid);
1540 if (!sid_append_rid(&group_sid, info3->base.primary_gid)) {
1541 return NT_STATUS_INVALID_PARAMETER;
1542 }
1543
1544 nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
1545 if (!nt_username) {
1546 /* If the server didn't give us one, just use the one we sent
1547 * them */
1548 nt_username = sent_nt_username;
1549 }
1550
1551 nt_domain = talloc_strdup(mem_ctx, info3->base.domain.string);
1552 if (!nt_domain) {
1553 /* If the server didn't give us one, just use the one we sent
1554 * them */
1555 nt_domain = domain;
1556 }
1557
1558 /* try to fill the SAM account.. If getpwnam() fails, then try the
1559 add user script (2.2.x behavior).
1560
1561 We use the _unmapped_ username here in an attempt to provide
1562 consistent username mapping behavior between kerberos and NTLM[SSP]
1563 authentication in domain mode security. I.E. Username mapping
1564 should be applied to the fully qualified username
1565 (e.g. DOMAIN\user) and not just the login name. Yes this means we
1566 called map_username() unnecessarily in make_user_info_map() but
1567 that is how the current code is designed. Making the change here
1568 is the least disruptive place. -- jerry */
1569
1570 if ( !(sam_account = samu_new( NULL )) ) {
1571 return NT_STATUS_NO_MEMORY;
1572 }
1573
1574 /* this call will try to create the user if necessary */
1575
1576 nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username,
1577 &found_username, &uid, &gid, sam_account,
1578 &username_was_mapped);
1579
1580
1581 /* if we still don't have a valid unix account check for
1582 'map to guest = bad uid' */
1583
1584 if (!NT_STATUS_IS_OK(nt_status)) {
1585 TALLOC_FREE( sam_account );
1586 if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) {
1587 make_server_info_guest(server_info);
1588 return NT_STATUS_OK;
1589 }
1590 return nt_status;
1591 }
1592
1593 if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) {
1594 TALLOC_FREE(sam_account);
1595 return NT_STATUS_NO_MEMORY;
1596 }
1597
1598 if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) {
1599 TALLOC_FREE(sam_account);
1600 return NT_STATUS_NO_MEMORY;
1601 }
1602
1603 if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) {
1604 TALLOC_FREE(sam_account);
1605 return NT_STATUS_NO_MEMORY;
1606 }
1607
1608 if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) {
1609 TALLOC_FREE(sam_account);
1610 return NT_STATUS_UNSUCCESSFUL;
1611 }
1612
1613 if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) {
1614 TALLOC_FREE(sam_account);
1615 return NT_STATUS_UNSUCCESSFUL;
1616 }
1617
1618 if (!pdb_set_fullname(sam_account,
1619 info3->base.full_name.string,
1620 PDB_CHANGED)) {
1621 TALLOC_FREE(sam_account);
1622 return NT_STATUS_NO_MEMORY;
1623 }
1624
1625 if (!pdb_set_logon_script(sam_account,
1626 info3->base.logon_script.string,
1627 PDB_CHANGED)) {
1628 TALLOC_FREE(sam_account);
1629 return NT_STATUS_NO_MEMORY;
1630 }
1631
1632 if (!pdb_set_profile_path(sam_account,
1633 info3->base.profile_path.string,
1634 PDB_CHANGED)) {
1635 TALLOC_FREE(sam_account);
1636 return NT_STATUS_NO_MEMORY;
1637 }
1638
1639 if (!pdb_set_homedir(sam_account,
1640 info3->base.home_directory.string,
1641 PDB_CHANGED)) {
1642 TALLOC_FREE(sam_account);
1643 return NT_STATUS_NO_MEMORY;
1644 }
1645
1646 if (!pdb_set_dir_drive(sam_account,
1647 info3->base.home_drive.string,
1648 PDB_CHANGED)) {
1649 TALLOC_FREE(sam_account);
1650 return NT_STATUS_NO_MEMORY;
1651 }
1652
1653 if (!pdb_set_acct_ctrl(sam_account, info3->base.acct_flags, PDB_CHANGED)) {
1654 TALLOC_FREE(sam_account);
1655 return NT_STATUS_NO_MEMORY;
1656 }
1657
1658 if (!pdb_set_pass_last_set_time(
1659 sam_account,
1660 nt_time_to_unix(info3->base.last_password_change),
1661 PDB_CHANGED)) {
1662 TALLOC_FREE(sam_account);
1663 return NT_STATUS_NO_MEMORY;
1664 }
1665
1666 if (!pdb_set_pass_can_change_time(
1667 sam_account,
1668 nt_time_to_unix(info3->base.allow_password_change),
1669 PDB_CHANGED)) {
1670 TALLOC_FREE(sam_account);
1671 return NT_STATUS_NO_MEMORY;
1672 }
1673
1674 if (!pdb_set_pass_must_change_time(
1675 sam_account,
1676 nt_time_to_unix(info3->base.force_password_change),
1677 PDB_CHANGED)) {
1678 TALLOC_FREE(sam_account);
1679 return NT_STATUS_NO_MEMORY;
1680 }
1681
1682 result = make_server_info(NULL);
1683 if (result == NULL) {
1684 DEBUG(4, ("make_server_info failed!\n"));
1685 TALLOC_FREE(sam_account);
1686 return NT_STATUS_NO_MEMORY;
1687 }
1688
1689 /* save this here to _net_sam_logon() doesn't fail (it assumes a
1690 valid struct samu) */
1691
1692 result->sam_account = sam_account;
1693 result->unix_name = talloc_strdup(result, found_username);
1694
1695 /* Fill in the unix info we found on the way */
1696
1697 result->uid = uid;
1698 result->gid = gid;
1699
1700 /* Create a 'combined' list of all SIDs we might want in the SD */
1701
1702 result->num_sids = 0;
1703 result->sids = NULL;
1704
1705 nt_status = sid_array_from_info3(result, info3,
1706 &result->sids,
1707 &result->num_sids,
1708 false, false);
1709 if (!NT_STATUS_IS_OK(nt_status)) {
1710 TALLOC_FREE(result);
1711 return nt_status;
1712 }
1713
1714 /* Ensure the primary group sid is at position 0. */
1715 sort_sid_array_for_smbd(result, &group_sid);
1716
1717 result->login_server = talloc_strdup(result,
1718 info3->base.logon_server.string);
1719
1720 /* ensure we are never given NULL session keys */
1721
1722 ZERO_STRUCT(zeros);
1723
1724 if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) {
1725 result->user_session_key = data_blob_null;
1726 } else {
1727 result->user_session_key = data_blob_talloc(
1728 result, info3->base.key.key,
1729 sizeof(info3->base.key.key));
1730 }
1731
1732 if (memcmp(info3->base.LMSessKey.key, zeros, 8) == 0) {
1733 result->lm_session_key = data_blob_null;
1734 } else {
1735 result->lm_session_key = data_blob_talloc(
1736 result, info3->base.LMSessKey.key,
1737 sizeof(info3->base.LMSessKey.key));
1738 }
1739
1740 result->was_mapped = username_was_mapped;
1741
1742 *server_info = result;
1743
1744 return NT_STATUS_OK;
1745 }
1746
1747 /*****************************************************************************
1748 Make a server_info struct from the wbcAuthUserInfo returned by a domain logon
1749 ******************************************************************************/
1750
1751 NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
1752 const char *sent_nt_username,
1753 const char *domain,
1754 const struct wbcAuthUserInfo *info,
1755 auth_serversupplied_info **server_info)
1756 {
1757 char zeros[16];
1758
1759 NTSTATUS nt_status = NT_STATUS_OK;
1760 char *found_username = NULL;
1761 const char *nt_domain;
1762 const char *nt_username;
1763 struct samu *sam_account = NULL;
1764 DOM_SID user_sid;
1765 DOM_SID group_sid;
1766 bool username_was_mapped;
1767 uint32_t i;
1768
1769 uid_t uid = (uid_t)-1;
1770 gid_t gid = (gid_t)-1;
1771
1772 auth_serversupplied_info *result;
1773
1774 result = make_server_info(NULL);
1775 if (result == NULL) {
1776 DEBUG(4, ("make_server_info failed!\n"));
1777 return NT_STATUS_NO_MEMORY;
1778 }
1779
1780 /*
1781 Here is where we should check the list of
1782 trusted domains, and verify that the SID
1783 matches.
1784 */
1785
1786 memcpy(&user_sid, &info->sids[0].sid, sizeof(user_sid));
1787 memcpy(&group_sid, &info->sids[1].sid, sizeof(group_sid));
1788
1789 if (info->account_name) {
1790 nt_username = talloc_strdup(result, info->account_name);
1791 } else {
1792 /* If the server didn't give us one, just use the one we sent
1793 * them */
1794 nt_username = talloc_strdup(result, sent_nt_username);
1795 }
1796 if (!nt_username) {
1797 TALLOC_FREE(result);
1798 return NT_STATUS_NO_MEMORY;
1799 }
1800
1801 if (info->domain_name) {
1802 nt_domain = talloc_strdup(result, info->domain_name);
1803 } else {
1804 /* If the server didn't give us one, just use the one we sent
1805 * them */
1806 nt_domain = talloc_strdup(result, domain);
1807 }
1808 if (!nt_domain) {
1809 TALLOC_FREE(result);
1810 return NT_STATUS_NO_MEMORY;
1811 }
1812
1813 /* try to fill the SAM account.. If getpwnam() fails, then try the
1814 add user script (2.2.x behavior).
1815
1816 We use the _unmapped_ username here in an attempt to provide
1817 consistent username mapping behavior between kerberos and NTLM[SSP]
1818 authentication in domain mode security. I.E. Username mapping
1819 should be applied to the fully qualified username
1820 (e.g. DOMAIN\user) and not just the login name. Yes this means we
1821 called map_username() unnecessarily in make_user_info_map() but
1822 that is how the current code is designed. Making the change here
1823 is the least disruptive place. -- jerry */
1824
1825 if ( !(sam_account = samu_new( result )) ) {
1826 TALLOC_FREE(result);
1827 return NT_STATUS_NO_MEMORY;
1828 }
1829
1830 /* this call will try to create the user if necessary */
1831
1832 nt_status = fill_sam_account(result, nt_domain, sent_nt_username,
1833 &found_username, &uid, &gid, sam_account,
1834 &username_was_mapped);
1835
1836 /* if we still don't have a valid unix account check for
1837 'map to guest = bad uid' */
1838
1839 if (!NT_STATUS_IS_OK(nt_status)) {
1840 TALLOC_FREE( result );
1841 if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) {
1842 make_server_info_guest(server_info);
1843 return NT_STATUS_OK;
1844 }
1845 return nt_status;
1846 }
1847
1848 if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) {
1849 TALLOC_FREE(result);
1850 return NT_STATUS_NO_MEMORY;
1851 }
1852
1853 if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) {
1854 TALLOC_FREE(result);
1855 return NT_STATUS_NO_MEMORY;
1856 }
1857
1858 if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) {
1859 TALLOC_FREE(result);
1860 return NT_STATUS_NO_MEMORY;
1861 }
1862
1863 if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) {
1864 TALLOC_FREE(result);
1865 return NT_STATUS_UNSUCCESSFUL;
1866 }
1867
1868 if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) {
1869 TALLOC_FREE(result);
1870 return NT_STATUS_UNSUCCESSFUL;
1871 }
1872
1873 if (!pdb_set_fullname(sam_account, info->full_name, PDB_CHANGED)) {
1874 TALLOC_FREE(result);
1875 return NT_STATUS_NO_MEMORY;
1876 }
1877
1878 if (!pdb_set_logon_script(sam_account, info->logon_script, PDB_CHANGED)) {
1879 TALLOC_FREE(result);
1880 return NT_STATUS_NO_MEMORY;
1881 }
1882
1883 if (!pdb_set_profile_path(sam_account, info->profile_path, PDB_CHANGED)) {
1884 TALLOC_FREE(result);
1885 return NT_STATUS_NO_MEMORY;
1886 }
1887
1888 if (!pdb_set_homedir(sam_account, info->home_directory, PDB_CHANGED)) {
1889 TALLOC_FREE(result);
1890 return NT_STATUS_NO_MEMORY;
1891 }
1892
1893 if (!pdb_set_dir_drive(sam_account, info->home_drive, PDB_CHANGED)) {
1894 TALLOC_FREE(result);
1895 return NT_STATUS_NO_MEMORY;
1896 }
1897
1898 if (!pdb_set_acct_ctrl(sam_account, info->acct_flags, PDB_CHANGED)) {
1899 TALLOC_FREE(result);
1900 return NT_STATUS_NO_MEMORY;
1901 }
1902
1903 if (!pdb_set_pass_last_set_time(
1904 sam_account,
1905 nt_time_to_unix(info->pass_last_set_time),
1906 PDB_CHANGED)) {
1907 TALLOC_FREE(result);
1908 return NT_STATUS_NO_MEMORY;
1909 }
1910
1911 if (!pdb_set_pass_can_change_time(
1912 sam_account,
1913 nt_time_to_unix(info->pass_can_change_time),
1914 PDB_CHANGED)) {
1915 TALLOC_FREE(result);
1916 return NT_STATUS_NO_MEMORY;
1917 }
1918
1919 if (!pdb_set_pass_must_change_time(
1920 sam_account,
1921 nt_time_to_unix(info->pass_must_change_time),
1922 PDB_CHANGED)) {
1923 TALLOC_FREE(result);
1924 return NT_STATUS_NO_MEMORY;
1925 }
1926
1927 /* save this here to _net_sam_logon() doesn't fail (it assumes a
1928 valid struct samu) */
1929
1930 result->sam_account = sam_account;
1931 result->unix_name = talloc_strdup(result, found_username);
1932
1933 result->login_server = talloc_strdup(result, info->logon_server);
1934
1935 /* Fill in the unix info we found on the way */
1936
1937 result->uid = uid;
1938 result->gid = gid;
1939
1940 /* Create a 'combined' list of all SIDs we might want in the SD */
1941
1942 result->num_sids = info->num_sids - 2;
1943 result->sids = talloc_array(result, DOM_SID, result->num_sids);
1944 if (result->sids == NULL) {
1945 TALLOC_FREE(result);
1946 return NT_STATUS_NO_MEMORY;
1947 }
1948
1949 for (i=0; i < result->num_sids; i++) {
1950 memcpy(&result->sids[i], &info->sids[i+2].sid, sizeof(result->sids[i]));
1951 }
1952
1953 /* Ensure the primary group sid is at position 0. */
1954 sort_sid_array_for_smbd(result, &group_sid);
1955
1956 /* ensure we are never given NULL session keys */
1957
1958 ZERO_STRUCT(zeros);
1959
1960 if (memcmp(info->user_session_key, zeros, sizeof(zeros)) == 0) {
1961 result->user_session_key = data_blob_null;
1962 } else {
1963 result->user_session_key = data_blob_talloc(
1964 result, info->user_session_key,
1965 sizeof(info->user_session_key));
1966 }
1967
1968 if (memcmp(info->lm_session_key, zeros, 8) == 0) {
1969 result->lm_session_key = data_blob_null;
1970 } else {
1971 result->lm_session_key = data_blob_talloc(
1972 result, info->lm_session_key,
1973 sizeof(info->lm_session_key));
1974 }
1975
1976 result->was_mapped = username_was_mapped;
1977
1978 *server_info = result;
1979
1980 return NT_STATUS_OK;
1981 }
1982
1983 /***************************************************************************
1984 Free a user_info struct
1985 ***************************************************************************/
1986
1987 void free_user_info(auth_usersupplied_info **user_info)
1988 {
1989 DEBUG(5,("attempting to free (and zero) a user_info structure\n"));
1990 if (*user_info != NULL) {
1991 if ((*user_info)->smb_name) {
1992 DEBUG(10,("structure was created for %s\n",
1993 (*user_info)->smb_name));
1994 }
1995 SAFE_FREE((*user_info)->smb_name);
1996 SAFE_FREE((*user_info)->internal_username);
1997 SAFE_FREE((*user_info)->client_domain);
1998 SAFE_FREE((*user_info)->domain);
1999 SAFE_FREE((*user_info)->wksta_name);
2000 data_blob_free(&(*user_info)->lm_resp);
2001 data_blob_free(&(*user_info)->nt_resp);
2002 data_blob_clear_free(&(*user_info)->lm_interactive_pwd);
2003 data_blob_clear_free(&(*user_info)->nt_interactive_pwd);
2004 data_blob_clear_free(&(*user_info)->plaintext_password);
2005 ZERO_STRUCT(**user_info);
2006 }
2007 SAFE_FREE(*user_info);
2008 }
2009
2010 /***************************************************************************
2011 Make an auth_methods struct
2012 ***************************************************************************/
2013
2014 bool make_auth_methods(struct auth_context *auth_context, auth_methods **auth_method)
2015 {
2016 if (!auth_context) {
2017 smb_panic("no auth_context supplied to "
2018 "make_auth_methods()!\n");
2019 }
2020
2021 if (!auth_method) {
2022 smb_panic("make_auth_methods: pointer to auth_method pointer "
2023 "is NULL!\n");
2024 }
2025
2026 *auth_method = TALLOC_P(auth_context->mem_ctx, auth_methods);
2027 if (!*auth_method) {
2028 DEBUG(0,("make_auth_method: malloc failed!\n"));
2029 return False;
2030 }
2031 ZERO_STRUCTP(*auth_method);
2032
2033 return True;
2034 }
2035
2036 /**
2037 * Verify whether or not given domain is trusted.
2038 *
2039 * @param domain_name name of the domain to be verified
2040 * @return true if domain is one of the trusted once or
2041 * false if otherwise
2042 **/
2043
2044 bool is_trusted_domain(const char* dom_name)
2045 {
2046 DOM_SID trustdom_sid;
2047 bool ret;
2048
2049 /* no trusted domains for a standalone server */
2050
2051 if ( lp_server_role() == ROLE_STANDALONE )
2052 return False;
2053
2054 /* if we are a DC, then check for a direct trust relationships */
2055
2056 if ( IS_DC ) {
2057 become_root();
2058 DEBUG (5,("is_trusted_domain: Checking for domain trust with "
2059 "[%s]\n", dom_name ));
2060 ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
2061 unbecome_root();
2062 if (ret)
2063 return True;
2064 }
2065 else {
2066 wbcErr result;
2067
2068 /* If winbind is around, ask it */
2069
2070 result = wb_is_trusted_domain(dom_name);
2071
2072 if (result == WBC_ERR_SUCCESS) {
2073 return True;
2074 }
2075
2076 if (result == WBC_ERR_DOMAIN_NOT_FOUND) {
2077 /* winbind could not find the domain */
2078 return False;
2079 }
2080
2081 /* The only other possible result is that winbind is not up
2082 and running. We need to update the trustdom_cache
2083 ourselves */
2084
2085 update_trustdom_cache();
2086 }
2087
2088 /* now the trustdom cache should be available a DC could still
2089 * have a transitive trust so fall back to the cache of trusted
2090 * domains (like a domain member would use */
2091
2092 if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) {
2093 return True;
2094 }
2095
2096 return False;
2097 }
2098
Samba GIT mirror