search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r14403: * modifies create_local_nt_token() to create a BUILTIN\Administrators
[Samba.git] / source / nsswitch / winbindd_pam.c
blobd460c1476991ff9479e3cc24501d6ae0654207fd
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon - pam auth funcions
5
6 Copyright (C) Andrew Tridgell 2000
7 Copyright (C) Tim Potter 2001
8 Copyright (C) Andrew Bartlett 2001-2002
9 Copyright (C) Guenther Deschner 2005
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 2 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with this program; if not, write to the Free Software
23 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 */
25
26 #include "includes.h"
27 #include "winbindd.h"
28 #undef DBGC_CLASS
29 #define DBGC_CLASS DBGC_WINBIND
30
31 static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx,
32 struct winbindd_cli_state *state,
33 NET_USER_INFO_3 *info3)
34 {
35 fstring str_sid;
36
37 state->response.data.auth.info3.logon_time =
38 nt_time_to_unix(&(info3->logon_time));
39 state->response.data.auth.info3.logoff_time =
40 nt_time_to_unix(&(info3->logoff_time));
41 state->response.data.auth.info3.kickoff_time =
42 nt_time_to_unix(&(info3->kickoff_time));
43 state->response.data.auth.info3.pass_last_set_time =
44 nt_time_to_unix(&(info3->pass_last_set_time));
45 state->response.data.auth.info3.pass_can_change_time =
46 nt_time_to_unix(&(info3->pass_can_change_time));
47 state->response.data.auth.info3.pass_must_change_time =
48 nt_time_to_unix(&(info3->pass_must_change_time));
49
50 state->response.data.auth.info3.logon_count = info3->logon_count;
51 state->response.data.auth.info3.bad_pw_count = info3->bad_pw_count;
52
53 state->response.data.auth.info3.user_rid = info3->user_rid;
54 state->response.data.auth.info3.group_rid = info3->group_rid;
55 sid_to_string(str_sid, &(info3->dom_sid.sid));
56 fstrcpy(state->response.data.auth.info3.dom_sid, str_sid);
57
58 state->response.data.auth.info3.num_groups = info3->num_groups;
59 state->response.data.auth.info3.user_flgs = info3->user_flgs;
60
61 state->response.data.auth.info3.acct_flags = info3->acct_flags;
62 state->response.data.auth.info3.num_other_sids = info3->num_other_sids;
63
64 unistr2_to_ascii(state->response.data.auth.info3.user_name,
65 &info3->uni_user_name, -1);
66 unistr2_to_ascii(state->response.data.auth.info3.full_name,
67 &info3->uni_full_name, -1);
68 unistr2_to_ascii(state->response.data.auth.info3.logon_script,
69 &info3->uni_logon_script, -1);
70 unistr2_to_ascii(state->response.data.auth.info3.profile_path,
71 &info3->uni_profile_path, -1);
72 unistr2_to_ascii(state->response.data.auth.info3.home_dir,
73 &info3->uni_home_dir, -1);
74 unistr2_to_ascii(state->response.data.auth.info3.dir_drive,
75 &info3->uni_dir_drive, -1);
76
77 unistr2_to_ascii(state->response.data.auth.info3.logon_srv,
78 &info3->uni_logon_srv, -1);
79 unistr2_to_ascii(state->response.data.auth.info3.logon_dom,
80 &info3->uni_logon_dom, -1);
81
82 return NT_STATUS_OK;
83 }
84
85 static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx,
86 struct winbindd_cli_state *state,
87 NET_USER_INFO_3 *info3)
88 {
89 prs_struct ps;
90 uint32 size;
91 if (!prs_init(&ps, 256 /* Random, non-zero number */, mem_ctx, MARSHALL)) {
92 return NT_STATUS_NO_MEMORY;
93 }
94 if (!net_io_user_info3("", info3, &ps, 1, 3, False)) {
95 prs_mem_free(&ps);
96 return NT_STATUS_UNSUCCESSFUL;
97 }
98
99 size = prs_data_size(&ps);
100 state->response.extra_data = SMB_MALLOC(size);
101 if (!state->response.extra_data) {
102 prs_mem_free(&ps);
103 return NT_STATUS_NO_MEMORY;
104 }
105 memset( state->response.extra_data, '\0', size );
106 prs_copy_all_data_out(state->response.extra_data, &ps);
107 state->response.length += size;
108 prs_mem_free(&ps);
109 return NT_STATUS_OK;
110 }
111
112 static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
113 NET_USER_INFO_3 *info3,
114 const char *group_sid)
115 {
116 DOM_SID require_membership_of_sid;
117 DOM_SID *all_sids;
118 size_t num_all_sids = (2 + info3->num_groups2 + info3->num_other_sids);
119 size_t i, j = 0;
120
121 /* Parse the 'required group' SID */
122
123 if (!group_sid || !group_sid[0]) {
124 /* NO sid supplied, all users may access */
125 return NT_STATUS_OK;
126 }
127
128 if (!string_to_sid(&require_membership_of_sid, group_sid)) {
129 DEBUG(0, ("check_info3_in_group: could not parse %s as a SID!",
130 group_sid));
131
132 return NT_STATUS_INVALID_PARAMETER;
133 }
134
135 all_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, num_all_sids);
136 if (!all_sids)
137 return NT_STATUS_NO_MEMORY;
138
139 /* and create (by appending rids) the 'domain' sids */
140
141 sid_copy(&all_sids[0], &(info3->dom_sid.sid));
142
143 if (!sid_append_rid(&all_sids[0], info3->user_rid)) {
144 DEBUG(3,("could not append user's primary RID 0x%x\n",
145 info3->user_rid));
146
147 return NT_STATUS_INVALID_PARAMETER;
148 }
149 j++;
150
151 sid_copy(&all_sids[1], &(info3->dom_sid.sid));
152
153 if (!sid_append_rid(&all_sids[1], info3->group_rid)) {
154 DEBUG(3,("could not append additional group rid 0x%x\n",
155 info3->group_rid));
156
157 return NT_STATUS_INVALID_PARAMETER;
158 }
159 j++;
160
161 for (i = 0; i < info3->num_groups2; i++) {
162
163 sid_copy(&all_sids[j], &(info3->dom_sid.sid));
164
165 if (!sid_append_rid(&all_sids[j], info3->gids[i].g_rid)) {
166 DEBUG(3,("could not append additional group rid 0x%x\n",
167 info3->gids[i].g_rid));
168
169 return NT_STATUS_INVALID_PARAMETER;
170 }
171 j++;
172 }
173
174 /* Copy 'other' sids. We need to do sid filtering here to
175 prevent possible elevation of privileges. See:
176
177 http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
178 */
179
180 for (i = 0; i < info3->num_other_sids; i++) {
181 sid_copy(&all_sids[info3->num_groups2 + i + 2],
182 &info3->other_sids[i].sid);
183 j++;
184 }
185
186 for (i = 0; i < j; i++) {
187 fstring sid1, sid2;
188 DEBUG(10, ("User has SID: %s\n",
189 sid_to_string(sid1, &all_sids[i])));
190 if (sid_equal(&require_membership_of_sid, &all_sids[i])) {
191 DEBUG(10, ("SID %s matches %s - user permitted to authenticate!\n",
192 sid_to_string(sid1, &require_membership_of_sid), sid_to_string(sid2, &all_sids[i])));
193 return NT_STATUS_OK;
194 }
195 }
196
197 /* Do not distinguish this error from a wrong username/pw */
198
199 return NT_STATUS_LOGON_FAILURE;
200 }
201
202 static struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state,
203 const char *domain_name)
204 {
205 struct winbindd_domain *domain;
206
207 if (IS_DC) {
208 domain = find_domain_from_name_noinit(domain_name);
209 if (domain == NULL) {
210 DEBUG(3, ("Authentication for domain [%s] refused"
211 "as it is not a trusted domain\n",
212 domain_name));
213 }
214 return domain;
215 }
216
217 if (is_myname(domain_name)) {
218 DEBUG(3, ("Authentication for domain %s (local domain "
219 "to this server) not supported at this "
220 "stage\n", domain_name));
221 return NULL;
222 }
223
224 return find_our_domain();
225 }
226
227 static void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
228 {
229 resp->data.auth.nt_status = NT_STATUS_V(result);
230 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
231
232 /* we might have given a more useful error above */
233 if (*resp->data.auth.error_string == '\0')
234 fstrcpy(resp->data.auth.error_string,
235 get_friendly_nt_error_msg(result));
236 resp->data.auth.pam_error = nt_status_to_pam(result);
237 }
238
239 static NTSTATUS fillup_password_policy(struct winbindd_domain *domain,
240 struct winbindd_cli_state *state)
241 {
242 struct winbindd_methods *methods;
243 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
244 SAM_UNK_INFO_1 password_policy;
245
246 methods = domain->methods;
247
248 status = methods->password_policy(domain, state->mem_ctx, &password_policy);
249 if (NT_STATUS_IS_ERR(status)) {
250 return status;
251 }
252
253 state->response.data.auth.policy.min_length_password =
254 password_policy.min_length_password;
255 state->response.data.auth.policy.password_history =
256 password_policy.password_history;
257 state->response.data.auth.policy.password_properties =
258 password_policy.password_properties;
259 state->response.data.auth.policy.expire =
260 nt_time_to_unix_abs(&(password_policy.expire));
261 state->response.data.auth.policy.min_passwordage =
262 nt_time_to_unix_abs(&(password_policy.min_passwordage));
263
264 return NT_STATUS_OK;
265 }
266
267 static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain *domain,
268 TALLOC_CTX *mem_ctx,
269 uint16 *max_allowed_bad_attempts)
270 {
271 struct winbindd_methods *methods;
272 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
273 SAM_UNK_INFO_12 lockout_policy;
274
275 *max_allowed_bad_attempts = 0;
276
277 methods = domain->methods;
278
279 status = methods->lockout_policy(domain, mem_ctx, &lockout_policy);
280 if (NT_STATUS_IS_ERR(status)) {
281 return status;
282 }
283
284 *max_allowed_bad_attempts = lockout_policy.bad_attempt_lockout;
285
286 return NT_STATUS_OK;
287 }
288
289 static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
290 TALLOC_CTX *mem_ctx,
291 uint32 *password_properties)
292 {
293 struct winbindd_methods *methods;
294 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
295 SAM_UNK_INFO_1 password_policy;
296
297 *password_properties = 0;
298
299 methods = domain->methods;
300
301 status = methods->password_policy(domain, mem_ctx, &password_policy);
302 if (NT_STATUS_IS_ERR(status)) {
303 return status;
304 }
305
306 *password_properties = password_policy.password_properties;
307
308 return NT_STATUS_OK;
309 }
310
311 static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
312 const char *type,
313 uid_t uid,
314 BOOL *internal_ccache)
315 {
316 /* accept FILE and WRFILE as krb5_cc_type from the client and then
317 * build the full ccname string based on the user's uid here -
318 * Guenther*/
319
320 const char *gen_cc = NULL;
321
322 *internal_ccache = True;
323
324 if (uid == -1) {
325 goto memory_ccache;
326 }
327
328 if (!type || type[0] == '\0') {
329 goto memory_ccache;
330 }
331
332 if (strequal(type, "FILE")) {
333 gen_cc = talloc_asprintf(mem_ctx, "FILE:/tmp/krb5cc_%d", uid);
334 } else if (strequal(type, "WRFILE")) {
335 gen_cc = talloc_asprintf(mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
336 } else {
337 DEBUG(10,("we don't allow to set a %s type ccache\n", type));
338 goto memory_ccache;
339 }
340
341 *internal_ccache = False;
342 goto done;
343
344 memory_ccache:
345 gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbind_cache");
346
347 done:
348 if (gen_cc == NULL) {
349 DEBUG(0,("out of memory\n"));
350 return NULL;
351 }
352
353 DEBUG(10,("using ccache: %s %s\n", gen_cc, *internal_ccache ? "(internal)":""));
354
355 return gen_cc;
356 }
357
358 static uid_t get_uid_from_state(struct winbindd_cli_state *state)
359 {
360 uid_t uid = -1;
361
362 uid = state->request.data.auth.uid;
363
364 if (uid < 0) {
365 DEBUG(1,("invalid uid: '%d'\n", uid));
366 return -1;
367 }
368 return uid;
369 }
370
371 static void setup_return_cc_name(struct winbindd_cli_state *state, const char *cc)
372 {
373 const char *type = state->request.data.auth.krb5_cc_type;
374
375 state->response.data.auth.krb5ccname[0] = '\0';
376
377 if (type[0] == '\0') {
378 return;
379 }
380
381 if (!strequal(type, "FILE") &&
382 !strequal(type, "WRFILE")) {
383 DEBUG(10,("won't return krbccname for a %s type ccache\n",
384 type));
385 return;
386 }
387
388 fstrcpy(state->response.data.auth.krb5ccname, cc);
389 }
390
391 /**********************************************************************
392 Authenticate a user with a clear text password using Kerberos and fill up
393 ccache if required
394 **********************************************************************/
395 static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
396 struct winbindd_cli_state *state,
397 NET_USER_INFO_3 **info3)
398 {
399 #ifdef HAVE_KRB5
400 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
401 krb5_error_code krb5_ret;
402 DATA_BLOB tkt, session_key_krb5;
403 DATA_BLOB ap_rep, session_key;
404 PAC_DATA *pac_data = NULL;
405 PAC_LOGON_INFO *logon_info = NULL;
406 char *client_princ = NULL;
407 char *client_princ_out = NULL;
408 char *local_service = NULL;
409 const char *cc = NULL;
410 const char *principal_s = NULL;
411 const char *service = NULL;
412 char *realm = NULL;
413 fstring name_domain, name_user;
414 time_t ticket_lifetime = 0;
415 time_t renewal_until = 0;
416 uid_t uid = -1;
417 ADS_STRUCT *ads;
418 time_t time_offset = 0;
419 BOOL internal_ccache = True;
420
421 ZERO_STRUCT(session_key);
422 ZERO_STRUCT(session_key_krb5);
423 ZERO_STRUCT(tkt);
424 ZERO_STRUCT(ap_rep);
425
426 ZERO_STRUCTP(info3);
427
428 *info3 = NULL;
429
430 /* 1st step:
431 * prepare a krb5_cc_cache string for the user */
432
433 uid = get_uid_from_state(state);
434 if (uid == -1) {
435 DEBUG(0,("no valid uid\n"));
436 }
437
438 cc = generate_krb5_ccache(state->mem_ctx,
439 state->request.data.auth.krb5_cc_type,
440 state->request.data.auth.uid,
441 &internal_ccache);
442 if (cc == NULL) {
443 return NT_STATUS_NO_MEMORY;
444 }
445
446
447 /* 2nd step:
448 * get kerberos properties */
449
450 if (domain->private_data) {
451 ads = (ADS_STRUCT *)domain->private_data;
452 time_offset = ads->auth.time_offset;
453 }
454
455
456 /* 3rd step:
457 * do kerberos auth and setup ccache as the user */
458
459 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
460
461 realm = domain->alt_name;
462 strupper_m(realm);
463
464 principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
465 if (principal_s == NULL) {
466 return NT_STATUS_NO_MEMORY;
467 }
468
469 service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
470 if (service == NULL) {
471 return NT_STATUS_NO_MEMORY;
472 }
473
474 /* if this is a user ccache, we need to act as the user to let the krb5
475 * library handle the chown, etc. */
476
477 /************************ NON-ROOT **********************/
478
479 if (!internal_ccache) {
480
481 seteuid(uid);
482 DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
483 }
484
485 krb5_ret = kerberos_kinit_password(principal_s,
486 state->request.data.auth.pass,
487 time_offset,
488 &ticket_lifetime,
489 &renewal_until,
490 cc,
491 True,
492 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
493
494 if (krb5_ret) {
495 DEBUG(1,("winbindd_raw_kerberos_login: kinit failed for '%s' with: %s (%d)\n",
496 principal_s, error_message(krb5_ret), krb5_ret));
497 result = krb5_to_nt_status(krb5_ret);
498 goto done;
499 }
500
501 /* does http_timestring use heimdals libroken strftime?? - Guenther */
502 DEBUG(10,("got TGT for %s in %s (valid until: %s (%d), renewable till: %s (%d))\n",
503 principal_s, cc,
504 http_timestring(ticket_lifetime), (int)ticket_lifetime,
505 http_timestring(renewal_until), (int)renewal_until));
506
507 client_princ = talloc_strdup(state->mem_ctx, global_myname());
508 if (client_princ == NULL) {
509 result = NT_STATUS_NO_MEMORY;
510 goto done;
511 }
512 strlower_m(client_princ);
513
514 local_service = talloc_asprintf(state->mem_ctx, "HOST/%s@%s", client_princ, lp_realm());
515 if (local_service == NULL) {
516 DEBUG(0,("winbindd_raw_kerberos_login: out of memory\n"));
517 result = NT_STATUS_NO_MEMORY;
518 goto done;
519 }
520
521 krb5_ret = cli_krb5_get_ticket(local_service,
522 time_offset,
523 &tkt,
524 &session_key_krb5,
525 0,
526 cc);
527 if (krb5_ret) {
528 DEBUG(1,("winbindd_raw_kerberos_login: failed to get ticket for: %s\n",
529 local_service));
530 result = krb5_to_nt_status(krb5_ret);
531 goto done;
532 }
533
534 if (!internal_ccache) {
535 seteuid(0);
536 }
537
538 /************************ NON-ROOT **********************/
539
540 result = ads_verify_ticket(state->mem_ctx,
541 lp_realm(),
542 &tkt,
543 &client_princ_out,
544 &pac_data,
545 &ap_rep,
546 &session_key);
547 if (!NT_STATUS_IS_OK(result)) {
548 DEBUG(0,("winbindd_raw_kerberos_login: ads_verify_ticket failed: %s\n",
549 nt_errstr(result)));
550 goto done;
551 }
552
553 DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
554 local_service));
555
556 if (!pac_data) {
557 DEBUG(3,("winbindd_raw_kerberos_login: no pac data\n"));
558 result = NT_STATUS_INVALID_PARAMETER;
559 goto done;
560 }
561
562 logon_info = get_logon_info_from_pac(pac_data);
563 if (logon_info == NULL) {
564 DEBUG(1,("winbindd_raw_kerberos_login: no logon info\n"));
565 result = NT_STATUS_INVALID_PARAMETER;
566 goto done;
567 }
568
569
570 /* last step:
571 * put results together */
572
573 *info3 = &logon_info->info3;
574
575 /* if we had a user's ccache then return that string for the pam
576 * environment */
577
578 if (!internal_ccache) {
579
580 setup_return_cc_name(state, cc);
581
582 result = add_ccache_to_list(principal_s,
583 cc,
584 service,
585 state->request.data.auth.user,
586 NULL,
587 state->request.data.auth.pass,
588 uid,
589 time(NULL),
590 ticket_lifetime,
591 renewal_until,
592 lp_winbind_refresh_tickets());
593
594 if (!NT_STATUS_IS_OK(result)) {
595 DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
596 nt_errstr(result)));
597 }
598 }
599
600 result = NT_STATUS_OK;
601
602 done:
603 data_blob_free(&session_key);
604 data_blob_free(&session_key_krb5);
605 data_blob_free(&ap_rep);
606 data_blob_free(&tkt);
607
608 SAFE_FREE(client_princ_out);
609
610 if (!internal_ccache) {
611 seteuid(0);
612 }
613
614 return result;
615 #else
616 return NT_STATUS_NOT_SUPPORTED;
617 #endif /* HAVE_KRB5 */
618 }
619
620 void winbindd_pam_auth(struct winbindd_cli_state *state)
621 {
622 struct winbindd_domain *domain;
623 fstring name_domain, name_user;
624
625 /* Ensure null termination */
626 state->request.data.auth.user
627 [sizeof(state->request.data.auth.user)-1]='\0';
628
629 /* Ensure null termination */
630 state->request.data.auth.pass
631 [sizeof(state->request.data.auth.pass)-1]='\0';
632
633 DEBUG(3, ("[%5lu]: pam auth %s\n", (unsigned long)state->pid,
634 state->request.data.auth.user));
635
636 /* Parse domain and username */
637
638 if (!parse_domain_user(state->request.data.auth.user,
639 name_domain, name_user)) {
640 set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
641 DEBUG(5, ("Plain text authentication for %s returned %s "
642 "(PAM: %d)\n",
643 state->request.data.auth.user,
644 state->response.data.auth.nt_status_string,
645 state->response.data.auth.pam_error));
646 request_error(state);
647 return;
648 }
649
650 domain = find_auth_domain(state, name_domain);
651
652 if (domain == NULL) {
653 set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
654 DEBUG(5, ("Plain text authentication for %s returned %s "
655 "(PAM: %d)\n",
656 state->request.data.auth.user,
657 state->response.data.auth.nt_status_string,
658 state->response.data.auth.pam_error));
659 request_error(state);
660 return;
661 }
662
663 sendto_domain(state, domain);
664 }
665
666 NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
667 struct winbindd_cli_state *state,
668 NET_USER_INFO_3 **info3)
669 {
670 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
671 uint16 max_allowed_bad_attempts;
672 fstring name_domain, name_user;
673 DOM_SID sid;
674 enum SID_NAME_USE type;
675 uchar new_nt_pass[NT_HASH_LEN];
676 const uint8 *cached_nt_pass;
677 NET_USER_INFO_3 *my_info3;
678 time_t kickoff_time, must_change_time;
679
680 *info3 = NULL;
681
682 ZERO_STRUCTP(info3);
683
684 DEBUG(10,("winbindd_dual_pam_auth_cached\n"));
685
686 /* Parse domain and username */
687
688 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
689
690
691 if (!lookup_cached_name(state->mem_ctx,
692 name_domain,
693 name_user,
694 &sid,
695 &type)) {
696 DEBUG(10,("winbindd_dual_pam_auth_cached: no such user in the cache\n"));
697 return NT_STATUS_NO_SUCH_USER;
698 }
699
700 if (type != SID_NAME_USER) {
701 DEBUG(10,("winbindd_dual_pam_auth_cached: not a user (%s)\n", sid_type_lookup(type)));
702 return NT_STATUS_LOGON_FAILURE;
703 }
704
705 result = winbindd_get_creds(domain,
706 state->mem_ctx,
707 &sid,
708 &my_info3,
709 &cached_nt_pass);
710 if (!NT_STATUS_IS_OK(result)) {
711 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get creds: %s\n", nt_errstr(result)));
712 return result;
713 }
714
715 *info3 = my_info3;
716
717 E_md4hash(state->request.data.auth.pass, new_nt_pass);
718
719 dump_data(100, (const char *)new_nt_pass, NT_HASH_LEN);
720 dump_data(100, (const char *)cached_nt_pass, NT_HASH_LEN);
721
722 if (!memcmp(cached_nt_pass, new_nt_pass, NT_HASH_LEN)) {
723
724 /* User *DOES* know the password, update logon_time and reset
725 * bad_pw_count */
726
727 my_info3->user_flgs |= LOGON_CACHED_ACCOUNT;
728
729 if (my_info3->acct_flags & ACB_AUTOLOCK) {
730 return NT_STATUS_ACCOUNT_LOCKED_OUT;
731 }
732
733 if (my_info3->acct_flags & ACB_DISABLED) {
734 return NT_STATUS_ACCOUNT_DISABLED;
735 }
736
737 if (my_info3->acct_flags & ACB_WSTRUST) {
738 return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
739 }
740
741 if (my_info3->acct_flags & ACB_SVRTRUST) {
742 return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
743 }
744
745 if (my_info3->acct_flags & ACB_DOMTRUST) {
746 return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
747 }
748
749 if (!(my_info3->acct_flags & ACB_NORMAL)) {
750 DEBUG(10,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
751 my_info3->acct_flags));
752 return NT_STATUS_LOGON_FAILURE;
753 }
754
755 kickoff_time = nt_time_to_unix(&my_info3->kickoff_time);
756 if (kickoff_time != 0 && time(NULL) > kickoff_time) {
757 return NT_STATUS_ACCOUNT_EXPIRED;
758 }
759
760 must_change_time = nt_time_to_unix(&my_info3->pass_must_change_time);
761 if (must_change_time != 0 && must_change_time < time(NULL)) {
762 return NT_STATUS_PASSWORD_EXPIRED;
763 }
764
765 /* FIXME: we possibly should handle logon hours as well (does xp when
766 * offline?) see auth/auth_sam.c:sam_account_ok for details */
767
768 unix_to_nt_time(&my_info3->logon_time, time(NULL));
769 my_info3->bad_pw_count = 0;
770
771 result = winbindd_update_creds_by_info3(domain,
772 state->mem_ctx,
773 state->request.data.auth.user,
774 state->request.data.auth.pass,
775 my_info3);
776 if (!NT_STATUS_IS_OK(result)) {
777 DEBUG(1,("failed to update creds: %s\n", nt_errstr(result)));
778 return result;
779 }
780
781 return NT_STATUS_OK;
782
783 }
784
785 /* User does *NOT* know the correct password, modify info3 accordingly */
786
787 /* failure of this is not critical */
788 result = get_max_bad_attempts_from_lockout_policy(domain, state->mem_ctx, &max_allowed_bad_attempts);
789 if (!NT_STATUS_IS_OK(result)) {
790 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get max_allowed_bad_attempts. "
791 "Won't be able to honour account lockout policies\n"));
792 }
793
794 /* increase counter */
795 my_info3->bad_pw_count++;
796
797 if (max_allowed_bad_attempts == 0) {
798 goto failed;
799 }
800
801 /* lockout user */
802 if (my_info3->bad_pw_count >= max_allowed_bad_attempts) {
803
804 uint32 password_properties;
805
806 result = get_pwd_properties(domain, state->mem_ctx, &password_properties);
807 if (!NT_STATUS_IS_OK(result)) {
808 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
809 }
810
811 if ((my_info3->user_rid != DOMAIN_USER_RID_ADMIN) ||
812 (password_properties & DOMAIN_LOCKOUT_ADMINS)) {
813 my_info3->acct_flags |= ACB_AUTOLOCK;
814 }
815 }
816
817 failed:
818 result = winbindd_update_creds_by_info3(domain,
819 state->mem_ctx,
820 state->request.data.auth.user,
821 NULL,
822 my_info3);
823
824 if (!NT_STATUS_IS_OK(result)) {
825 DEBUG(0,("winbindd_dual_pam_auth_cached: failed to update creds %s\n",
826 nt_errstr(result)));
827 }
828
829 return NT_STATUS_LOGON_FAILURE;
830 }
831
832 NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
833 struct winbindd_cli_state *state,
834 NET_USER_INFO_3 **info3)
835 {
836 struct winbindd_domain *contact_domain;
837 fstring name_domain, name_user;
838 NTSTATUS result;
839
840 DEBUG(10,("winbindd_dual_pam_auth_kerberos\n"));
841
842 /* Parse domain and username */
843
844 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
845
846 /* what domain should we contact? */
847
848 if ( IS_DC ) {
849 if (!(contact_domain = find_domain_from_name(name_domain))) {
850 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
851 state->request.data.auth.user, name_domain, name_user, name_domain));
852 result = NT_STATUS_NO_SUCH_USER;
853 goto done;
854 }
855
856 } else {
857 if (is_myname(name_domain)) {
858 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
859 result = NT_STATUS_NO_SUCH_USER;
860 goto done;
861 }
862
863 contact_domain = find_domain_from_name(name_domain);
864 if (contact_domain == NULL) {
865 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
866 state->request.data.auth.user, name_domain, name_user, name_domain));
867
868 contact_domain = find_our_domain();
869 }
870 }
871
872 set_dc_type_and_flags(contact_domain);
873
874 if (!contact_domain->active_directory) {
875 DEBUG(3,("krb5 auth requested but domain is not Active Directory\n"));
876 return NT_STATUS_INVALID_LOGON_TYPE;
877 }
878
879 result = winbindd_raw_kerberos_login(contact_domain, state, info3);
880 done:
881 return result;
882 }
883
884 NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
885 struct winbindd_cli_state *state,
886 NET_USER_INFO_3 **info3)
887 {
888
889 struct rpc_pipe_client *netlogon_pipe;
890 uchar chal[8];
891 DATA_BLOB lm_resp;
892 DATA_BLOB nt_resp;
893 int attempts = 0;
894 unsigned char local_lm_response[24];
895 unsigned char local_nt_response[24];
896 struct winbindd_domain *contact_domain;
897 fstring name_domain, name_user;
898 BOOL retry;
899 NTSTATUS result;
900 NET_USER_INFO_3 *my_info3;
901
902 ZERO_STRUCTP(info3);
903
904 *info3 = NULL;
905
906 my_info3 = TALLOC_ZERO_P(state->mem_ctx, NET_USER_INFO_3);
907 if (my_info3 == NULL) {
908 return NT_STATUS_NO_MEMORY;
909 }
910
911
912 DEBUG(10,("winbindd_dual_pam_auth_samlogon\n"));
913
914 /* Parse domain and username */
915
916 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
917
918 /* do password magic */
919
920
921 generate_random_buffer(chal, 8);
922 if (lp_client_ntlmv2_auth()) {
923 DATA_BLOB server_chal;
924 DATA_BLOB names_blob;
925 DATA_BLOB nt_response;
926 DATA_BLOB lm_response;
927 server_chal = data_blob_talloc(state->mem_ctx, chal, 8);
928
929 /* note that the 'workgroup' here is a best guess - we don't know
930 the server's domain at this point. The 'server name' is also
931 dodgy...
932 */
933 names_blob = NTLMv2_generate_names_blob(global_myname(), lp_workgroup());
934
935 if (!SMBNTLMv2encrypt(name_user, name_domain,
936 state->request.data.auth.pass,
937 &server_chal,
938 &names_blob,
939 &lm_response, &nt_response, NULL)) {
940 data_blob_free(&names_blob);
941 data_blob_free(&server_chal);
942 DEBUG(0, ("winbindd_pam_auth: SMBNTLMv2encrypt() failed!\n"));
943 result = NT_STATUS_NO_MEMORY;
944 goto done;
945 }
946 data_blob_free(&names_blob);
947 data_blob_free(&server_chal);
948 lm_resp = data_blob_talloc(state->mem_ctx, lm_response.data,
949 lm_response.length);
950 nt_resp = data_blob_talloc(state->mem_ctx, nt_response.data,
951 nt_response.length);
952 data_blob_free(&lm_response);
953 data_blob_free(&nt_response);
954
955 } else {
956 if (lp_client_lanman_auth()
957 && SMBencrypt(state->request.data.auth.pass,
958 chal,
959 local_lm_response)) {
960 lm_resp = data_blob_talloc(state->mem_ctx,
961 local_lm_response,
962 sizeof(local_lm_response));
963 } else {
964 lm_resp = data_blob(NULL, 0);
965 }
966 SMBNTencrypt(state->request.data.auth.pass,
967 chal,
968 local_nt_response);
969
970 nt_resp = data_blob_talloc(state->mem_ctx,
971 local_nt_response,
972 sizeof(local_nt_response));
973 }
974
975 /* what domain should we contact? */
976
977 if ( IS_DC ) {
978 if (!(contact_domain = find_domain_from_name(name_domain))) {
979 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
980 state->request.data.auth.user, name_domain, name_user, name_domain));
981 result = NT_STATUS_NO_SUCH_USER;
982 goto done;
983 }
984
985 } else {
986 if (is_myname(name_domain)) {
987 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
988 result = NT_STATUS_NO_SUCH_USER;
989 goto done;
990 }
991
992 contact_domain = find_our_domain();
993 }
994
995 /* check authentication loop */
996
997 do {
998
999 ZERO_STRUCTP(my_info3);
1000 retry = False;
1001
1002 result = cm_connect_netlogon(contact_domain, &netlogon_pipe);
1003
1004 if (!NT_STATUS_IS_OK(result)) {
1005 DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
1006 goto done;
1007 }
1008
1009 result = rpccli_netlogon_sam_network_logon(netlogon_pipe,
1010 state->mem_ctx,
1011 0,
1012 contact_domain->dcname, /* server name */
1013 name_user, /* user name */
1014 name_domain, /* target domain */
1015 global_myname(), /* workstation */
1016 chal,
1017 lm_resp,
1018 nt_resp,
1019 my_info3);
1020 attempts += 1;
1021
1022 /* We have to try a second time as cm_connect_netlogon
1023 might not yet have noticed that the DC has killed
1024 our connection. */
1025
1026 if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) {
1027 retry = True;
1028 continue;
1029 }
1030
1031 /* if we get access denied, a possible cause was that we had
1032 and open connection to the DC, but someone changed our
1033 machine account password out from underneath us using 'net
1034 rpc changetrustpw' */
1035
1036 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1037 DEBUG(3,("winbindd_pam_auth: sam_logon returned "
1038 "ACCESS_DENIED. Maybe the trust account "
1039 "password was changed and we didn't know it. "
1040 "Killing connections to domain %s\n",
1041 name_domain));
1042 invalidate_cm_connection(&contact_domain->conn);
1043 retry = True;
1044 }
1045
1046 } while ( (attempts < 2) && retry );
1047
1048 *info3 = my_info3;
1049 done:
1050 return result;
1051 }
1052
1053 enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
1054 struct winbindd_cli_state *state)
1055 {
1056 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
1057 fstring name_domain, name_user;
1058 NET_USER_INFO_3 *info3 = NULL;
1059
1060 /* Ensure null termination */
1061 state->request.data.auth.user[sizeof(state->request.data.auth.user)-1]='\0';
1062
1063 /* Ensure null termination */
1064 state->request.data.auth.pass[sizeof(state->request.data.auth.pass)-1]='\0';
1065
1066 DEBUG(3, ("[%5lu]: dual pam auth %s\n", (unsigned long)state->pid,
1067 state->request.data.auth.user));
1068
1069 /* Parse domain and username */
1070
1071 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
1072
1073 DEBUG(10,("winbindd_dual_pam_auth: domain: %s last was %s\n", domain->name, domain->online ? "online":"offline"));
1074
1075 /* Check for Kerberos authentication */
1076 if (domain->online && (state->request.flags & WBFLAG_PAM_KRB5)) {
1077
1078 result = winbindd_dual_pam_auth_kerberos(domain, state, &info3);
1079
1080 if (NT_STATUS_IS_OK(result)) {
1081 DEBUG(10,("winbindd_dual_pam_auth_kerberos succeeded\n"));
1082 goto process_result;
1083 } else {
1084 DEBUG(10,("winbindd_dual_pam_auth_kerberos failed: %s\n", nt_errstr(result)));
1085 }
1086
1087 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS)) {
1088 DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
1089 domain->online = False;
1090 }
1091
1092 if (state->request.flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
1093 DEBUG(3,("falling back to samlogon\n"));
1094 goto sam_logon;
1095 } else {
1096 goto cached_logon;
1097 }
1098 }
1099
1100 sam_logon:
1101 /* Check for Samlogon authentication */
1102 if (domain->online) {
1103 result = winbindd_dual_pam_auth_samlogon(domain, state, &info3);
1104
1105 if (NT_STATUS_IS_OK(result)) {
1106 DEBUG(10,("winbindd_dual_pam_auth_samlogon succeeded\n"));
1107 goto process_result;
1108 } else {
1109 DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n", nt_errstr(result)));
1110 if (domain->online) {
1111 /* We're still online - fail. */
1112 goto done;
1113 }
1114 /* Else drop through and see if we can check offline.... */
1115 }
1116 }
1117
1118 cached_logon:
1119 /* Check for Cached logons */
1120 if (!domain->online && (state->request.flags & WBFLAG_PAM_CACHED_LOGIN) &&
1121 lp_winbind_offline_logon()) {
1122
1123 result = winbindd_dual_pam_auth_cached(domain, state, &info3);
1124
1125 if (NT_STATUS_IS_OK(result)) {
1126 DEBUG(10,("winbindd_dual_pam_auth_cached succeeded\n"));
1127 goto process_result;
1128 } else {
1129 DEBUG(10,("winbindd_dual_pam_auth_cached failed: %s\n", nt_errstr(result)));
1130 goto done;
1131 }
1132 }
1133
1134 process_result:
1135
1136 if (NT_STATUS_IS_OK(result)) {
1137
1138 DOM_SID user_sid;
1139
1140 /* In all codepaths were result == NT_STATUS_OK info3 must have
1141 been initialized. */
1142 if (!info3) {
1143 result = NT_STATUS_INTERNAL_ERROR;
1144 goto done;
1145 }
1146
1147 netsamlogon_cache_store(name_user, info3);
1148 wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
1149
1150 /* save name_to_sid info as early as possible */
1151 sid_compose(&user_sid, &info3->dom_sid.sid, info3->user_rid);
1152 cache_name2sid(domain, name_domain, name_user, SID_NAME_USER, &user_sid);
1153
1154 /* Check if the user is in the right group */
1155
1156 if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, info3,
1157 state->request.data.auth.require_membership_of_sid))) {
1158 DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
1159 state->request.data.auth.user,
1160 state->request.data.auth.require_membership_of_sid));
1161 goto done;
1162 }
1163
1164 if (state->request.flags & WBFLAG_PAM_INFO3_NDR) {
1165 result = append_info3_as_ndr(state->mem_ctx, state, info3);
1166 if (!NT_STATUS_IS_OK(result)) {
1167 DEBUG(10,("Failed to append INFO3 (NDR): %s\n", nt_errstr(result)));
1168 goto done;
1169 }
1170 }
1171
1172 if (state->request.flags & WBFLAG_PAM_INFO3_TEXT) {
1173 result = append_info3_as_txt(state->mem_ctx, state, info3);
1174 if (!NT_STATUS_IS_OK(result)) {
1175 DEBUG(10,("Failed to append INFO3 (TXT): %s\n", nt_errstr(result)));
1176 goto done;
1177 }
1178
1179 }
1180
1181 if ((state->request.flags & WBFLAG_PAM_CACHED_LOGIN) &&
1182 lp_winbind_offline_logon()) {
1183
1184 result = winbindd_store_creds(domain,
1185 state->mem_ctx,
1186 state->request.data.auth.user,
1187 state->request.data.auth.pass,
1188 info3, NULL);
1189 if (!NT_STATUS_IS_OK(result)) {
1190 DEBUG(10,("Failed to store creds: %s\n", nt_errstr(result)));
1191 goto done;
1192 }
1193
1194 }
1195
1196 result = fillup_password_policy(domain, state);
1197
1198 if (!NT_STATUS_IS_OK(result)) {
1199 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result)));
1200 goto done;
1201 }
1202
1203 }
1204
1205 done:
1206 /* give us a more useful (more correct?) error code */
1207 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
1208 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
1209 result = NT_STATUS_NO_LOGON_SERVERS;
1210 }
1211
1212 state->response.data.auth.nt_status = NT_STATUS_V(result);
1213 fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
1214
1215 /* we might have given a more useful error above */
1216 if (!*state->response.data.auth.error_string)
1217 fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
1218 state->response.data.auth.pam_error = nt_status_to_pam(result);
1219
1220 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
1221 state->request.data.auth.user,
1222 state->response.data.auth.nt_status_string,
1223 state->response.data.auth.pam_error));
1224
1225 if ( NT_STATUS_IS_OK(result) &&
1226 (state->request.flags & WBFLAG_PAM_AFS_TOKEN) ) {
1227
1228 char *afsname = talloc_strdup(state->mem_ctx,
1229 lp_afs_username_map());
1230 char *cell;
1231
1232 if (afsname == NULL) {
1233 goto no_token;
1234 }
1235
1236 afsname = talloc_string_sub(state->mem_ctx,
1237 lp_afs_username_map(),
1238 "%D", name_domain);
1239 afsname = talloc_string_sub(state->mem_ctx, afsname,
1240 "%u", name_user);
1241 afsname = talloc_string_sub(state->mem_ctx, afsname,
1242 "%U", name_user);
1243
1244 {
1245 DOM_SID user_sid;
1246 fstring sidstr;
1247
1248 sid_copy(&user_sid, &info3->dom_sid.sid);
1249 sid_append_rid(&user_sid, info3->user_rid);
1250 sid_to_string(sidstr, &user_sid);
1251 afsname = talloc_string_sub(state->mem_ctx, afsname,
1252 "%s", sidstr);
1253 }
1254
1255 if (afsname == NULL) {
1256 goto no_token;
1257 }
1258
1259 strlower_m(afsname);
1260
1261 DEBUG(10, ("Generating token for user %s\n", afsname));
1262
1263 cell = strchr(afsname, '@');
1264
1265 if (cell == NULL) {
1266 goto no_token;
1267 }
1268
1269 *cell = '\0';
1270 cell += 1;
1271
1272 /* Append an AFS token string */
1273 state->response.extra_data =
1274 afs_createtoken_str(afsname, cell);
1275
1276 if (state->response.extra_data != NULL)
1277 state->response.length +=
1278 strlen(state->response.extra_data)+1;
1279
1280 no_token:
1281 TALLOC_FREE(afsname);
1282 }
1283
1284 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1285 }
1286
1287
1288 /**********************************************************************
1289 Challenge Response Authentication Protocol
1290 **********************************************************************/
1291
1292 void winbindd_pam_auth_crap(struct winbindd_cli_state *state)
1293 {
1294 struct winbindd_domain *domain = NULL;
1295 const char *domain_name = NULL;
1296 NTSTATUS result;
1297
1298 if (!state->privileged) {
1299 char *error_string = NULL;
1300 DEBUG(2, ("winbindd_pam_auth_crap: non-privileged access "
1301 "denied. !\n"));
1302 DEBUGADD(2, ("winbindd_pam_auth_crap: Ensure permissions "
1303 "on %s are set correctly.\n",
1304 get_winbind_priv_pipe_dir()));
1305 /* send a better message than ACCESS_DENIED */
1306 error_string = talloc_asprintf(state->mem_ctx,
1307 "winbind client not authorized "
1308 "to use winbindd_pam_auth_crap."
1309 " Ensure permissions on %s "
1310 "are set correctly.",
1311 get_winbind_priv_pipe_dir());
1312 fstrcpy(state->response.data.auth.error_string, error_string);
1313 result = NT_STATUS_ACCESS_DENIED;
1314 goto done;
1315 }
1316
1317 /* Ensure null termination */
1318 state->request.data.auth_crap.user
1319 [sizeof(state->request.data.auth_crap.user)-1]=0;
1320 state->request.data.auth_crap.domain
1321 [sizeof(state->request.data.auth_crap.domain)-1]=0;
1322
1323 DEBUG(3, ("[%5lu]: pam auth crap domain: [%s] user: %s\n",
1324 (unsigned long)state->pid,
1325 state->request.data.auth_crap.domain,
1326 state->request.data.auth_crap.user));
1327
1328 if (*state->request.data.auth_crap.domain != '\0') {
1329 domain_name = state->request.data.auth_crap.domain;
1330 } else if (lp_winbind_use_default_domain()) {
1331 domain_name = lp_workgroup();
1332 }
1333
1334 if (domain_name != NULL)
1335 domain = find_auth_domain(state, domain_name);
1336
1337 if (domain != NULL) {
1338 sendto_domain(state, domain);
1339 return;
1340 }
1341
1342 result = NT_STATUS_NO_SUCH_USER;
1343
1344 done:
1345 set_auth_errors(&state->response, result);
1346 DEBUG(5, ("CRAP authentication for %s\\%s returned %s (PAM: %d)\n",
1347 state->request.data.auth_crap.domain,
1348 state->request.data.auth_crap.user,
1349 state->response.data.auth.nt_status_string,
1350 state->response.data.auth.pam_error));
1351 request_error(state);
1352 return;
1353 }
1354
1355
1356 enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
1357 struct winbindd_cli_state *state)
1358 {
1359 NTSTATUS result;
1360 NET_USER_INFO_3 info3;
1361 struct rpc_pipe_client *netlogon_pipe;
1362 const char *name_user = NULL;
1363 const char *name_domain = NULL;
1364 const char *workstation;
1365 struct winbindd_domain *contact_domain;
1366 int attempts = 0;
1367 BOOL retry;
1368
1369 DATA_BLOB lm_resp, nt_resp;
1370
1371 /* This is child-only, so no check for privileged access is needed
1372 anymore */
1373
1374 /* Ensure null termination */
1375 state->request.data.auth_crap.user[sizeof(state->request.data.auth_crap.user)-1]=0;
1376 state->request.data.auth_crap.domain[sizeof(state->request.data.auth_crap.domain)-1]=0;
1377
1378 name_user = state->request.data.auth_crap.user;
1379
1380 if (*state->request.data.auth_crap.domain) {
1381 name_domain = state->request.data.auth_crap.domain;
1382 } else if (lp_winbind_use_default_domain()) {
1383 name_domain = lp_workgroup();
1384 } else {
1385 DEBUG(5,("no domain specified with username (%s) - failing auth\n",
1386 name_user));
1387 result = NT_STATUS_NO_SUCH_USER;
1388 goto done;
1389 }
1390
1391 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
1392 name_domain, name_user));
1393
1394 if (*state->request.data.auth_crap.workstation) {
1395 workstation = state->request.data.auth_crap.workstation;
1396 } else {
1397 workstation = global_myname();
1398 }
1399
1400 if (state->request.data.auth_crap.lm_resp_len > sizeof(state->request.data.auth_crap.lm_resp)
1401 || state->request.data.auth_crap.nt_resp_len > sizeof(state->request.data.auth_crap.nt_resp)) {
1402 DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
1403 state->request.data.auth_crap.lm_resp_len,
1404 state->request.data.auth_crap.nt_resp_len));
1405 result = NT_STATUS_INVALID_PARAMETER;
1406 goto done;
1407 }
1408
1409 lm_resp = data_blob_talloc(state->mem_ctx, state->request.data.auth_crap.lm_resp,
1410 state->request.data.auth_crap.lm_resp_len);
1411 nt_resp = data_blob_talloc(state->mem_ctx, state->request.data.auth_crap.nt_resp,
1412 state->request.data.auth_crap.nt_resp_len);
1413
1414 /* what domain should we contact? */
1415
1416 if ( IS_DC ) {
1417 if (!(contact_domain = find_domain_from_name(name_domain))) {
1418 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1419 state->request.data.auth_crap.user, name_domain, name_user, name_domain));
1420 result = NT_STATUS_NO_SUCH_USER;
1421 goto done;
1422 }
1423 } else {
1424 if (is_myname(name_domain)) {
1425 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1426 result = NT_STATUS_NO_SUCH_USER;
1427 goto done;
1428 }
1429 contact_domain = find_our_domain();
1430 }
1431
1432 do {
1433 ZERO_STRUCT(info3);
1434 retry = False;
1435
1436 netlogon_pipe = NULL;
1437 result = cm_connect_netlogon(contact_domain, &netlogon_pipe);
1438
1439 if (!NT_STATUS_IS_OK(result)) {
1440 DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n",
1441 nt_errstr(result)));
1442 goto done;
1443 }
1444
1445 result = rpccli_netlogon_sam_network_logon(netlogon_pipe,
1446 state->mem_ctx,
1447 state->request.data.auth_crap.logon_parameters,
1448 contact_domain->dcname,
1449 name_user,
1450 name_domain,
1451 /* Bug #3248 - found by Stefan Burkei. */
1452 workstation, /* We carefully set this above so use it... */
1453 state->request.data.auth_crap.chal,
1454 lm_resp,
1455 nt_resp,
1456 &info3);
1457
1458 attempts += 1;
1459
1460 /* We have to try a second time as cm_connect_netlogon
1461 might not yet have noticed that the DC has killed
1462 our connection. */
1463
1464 if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) {
1465 retry = True;
1466 continue;
1467 }
1468
1469 /* if we get access denied, a possible cause was that we had and open
1470 connection to the DC, but someone changed our machine account password
1471 out from underneath us using 'net rpc changetrustpw' */
1472
1473 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1474 DEBUG(3,("winbindd_pam_auth: sam_logon returned "
1475 "ACCESS_DENIED. Maybe the trust account "
1476 "password was changed and we didn't know it. "
1477 "Killing connections to domain %s\n",
1478 name_domain));
1479 invalidate_cm_connection(&contact_domain->conn);
1480 retry = True;
1481 }
1482
1483 } while ( (attempts < 2) && retry );
1484
1485 if (NT_STATUS_IS_OK(result)) {
1486
1487 netsamlogon_cache_store(name_user, &info3);
1488 wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3);
1489
1490 /* Check if the user is in the right group */
1491
1492 if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, &info3,
1493 state->request.data.auth_crap.require_membership_of_sid))) {
1494 DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
1495 state->request.data.auth_crap.user,
1496 state->request.data.auth_crap.require_membership_of_sid));
1497 goto done;
1498 }
1499
1500 if (state->request.flags & WBFLAG_PAM_INFO3_NDR) {
1501 result = append_info3_as_ndr(state->mem_ctx, state, &info3);
1502 } else if (state->request.flags & WBFLAG_PAM_UNIX_NAME) {
1503 /* ntlm_auth should return the unix username, per
1504 'winbind use default domain' settings and the like */
1505
1506 fstring username_out;
1507 const char *nt_username, *nt_domain;
1508 if (!(nt_username = unistr2_tdup(state->mem_ctx, &(info3.uni_user_name)))) {
1509 /* If the server didn't give us one, just use the one we sent them */
1510 nt_username = name_user;
1511 }
1512
1513 if (!(nt_domain = unistr2_tdup(state->mem_ctx, &(info3.uni_logon_dom)))) {
1514 /* If the server didn't give us one, just use the one we sent them */
1515 nt_domain = name_domain;
1516 }
1517
1518 fill_domain_username(username_out, nt_domain, nt_username, True);
1519
1520 DEBUG(5, ("Setting unix username to [%s]\n", username_out));
1521
1522 state->response.extra_data = SMB_STRDUP(username_out);
1523 if (!state->response.extra_data) {
1524 result = NT_STATUS_NO_MEMORY;
1525 goto done;
1526 }
1527 state->response.length += strlen(state->response.extra_data)+1;
1528 }
1529
1530 if (state->request.flags & WBFLAG_PAM_USER_SESSION_KEY) {
1531 memcpy(state->response.data.auth.user_session_key, info3.user_sess_key,
1532 sizeof(state->response.data.auth.user_session_key) /* 16 */);
1533 }
1534 if (state->request.flags & WBFLAG_PAM_LMKEY) {
1535 memcpy(state->response.data.auth.first_8_lm_hash, info3.lm_sess_key,
1536 sizeof(state->response.data.auth.first_8_lm_hash) /* 8 */);
1537 }
1538 }
1539
1540 done:
1541
1542 /* give us a more useful (more correct?) error code */
1543 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
1544 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
1545 result = NT_STATUS_NO_LOGON_SERVERS;
1546 }
1547
1548 if (state->request.flags & WBFLAG_PAM_NT_STATUS_SQUASH) {
1549 result = nt_status_squash(result);
1550 }
1551
1552 state->response.data.auth.nt_status = NT_STATUS_V(result);
1553 fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
1554
1555 /* we might have given a more useful error above */
1556 if (!*state->response.data.auth.error_string) {
1557 fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
1558 }
1559 state->response.data.auth.pam_error = nt_status_to_pam(result);
1560
1561 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
1562 ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n",
1563 name_domain,
1564 name_user,
1565 state->response.data.auth.nt_status_string,
1566 state->response.data.auth.pam_error));
1567
1568 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1569 }
1570
1571 /* Change a user password */
1572
1573 void winbindd_pam_chauthtok(struct winbindd_cli_state *state)
1574 {
1575 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1576 char *oldpass;
1577 char *newpass = NULL;
1578 fstring domain, user;
1579 POLICY_HND dom_pol;
1580 struct winbindd_domain *contact_domain;
1581 struct rpc_pipe_client *cli;
1582 BOOL got_info = False;
1583 SAM_UNK_INFO_1 info;
1584 SAMR_CHANGE_REJECT reject;
1585
1586 DEBUG(3, ("[%5lu]: pam chauthtok %s\n", (unsigned long)state->pid,
1587 state->request.data.chauthtok.user));
1588
1589 /* Setup crap */
1590
1591 parse_domain_user(state->request.data.chauthtok.user, domain, user);
1592
1593 contact_domain = find_domain_from_name(domain);
1594 if (!contact_domain) {
1595 DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
1596 state->request.data.chauthtok.user, domain, user, domain));
1597 result = NT_STATUS_NO_SUCH_USER;
1598 goto done;
1599 }
1600
1601 /* Change password */
1602
1603 oldpass = state->request.data.chauthtok.oldpass;
1604 newpass = state->request.data.chauthtok.newpass;
1605
1606 /* Get sam handle */
1607
1608 result = cm_connect_sam(contact_domain, state->mem_ctx, &cli,
1609 &dom_pol);
1610 if (!NT_STATUS_IS_OK(result)) {
1611 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
1612 goto done;
1613 }
1614
1615 result = rpccli_samr_chgpasswd3(cli, state->mem_ctx, user, newpass, oldpass, &info, &reject);
1616
1617 /* FIXME: need to check for other error codes ? */
1618 if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION)) {
1619
1620 state->response.data.auth.policy.min_length_password =
1621 info.min_length_password;
1622 state->response.data.auth.policy.password_history =
1623 info.password_history;
1624 state->response.data.auth.policy.password_properties =
1625 info.password_properties;
1626 state->response.data.auth.policy.expire =
1627 nt_time_to_unix_abs(&info.expire);
1628 state->response.data.auth.policy.min_passwordage =
1629 nt_time_to_unix_abs(&info.min_passwordage);
1630
1631 state->response.data.auth.reject_reason =
1632 reject.reject_reason;
1633
1634 got_info = True;
1635
1636 } else if (!NT_STATUS_IS_OK(result)) {
1637
1638 DEBUG(10,("Password change with chgpasswd3 failed with: %s, retrying chgpasswd_user\n",
1639 nt_errstr(result)));
1640
1641 state->response.data.auth.reject_reason = 0;
1642
1643 result = rpccli_samr_chgpasswd_user(cli, state->mem_ctx, user, newpass, oldpass);
1644 }
1645
1646 done:
1647 if (NT_STATUS_IS_OK(result) && (state->request.flags & WBFLAG_PAM_CACHED_LOGIN) &&
1648 lp_winbind_offline_logon()) {
1649
1650 NTSTATUS cred_ret;
1651
1652 cred_ret = winbindd_update_creds_by_name(contact_domain,
1653 state->mem_ctx, user,
1654 newpass);
1655 if (!NT_STATUS_IS_OK(cred_ret)) {
1656 DEBUG(10,("Failed to store creds: %s\n", nt_errstr(cred_ret)));
1657 goto process_result; /* FIXME: hm, risking inconsistant cache ? */
1658 }
1659 }
1660
1661 if (!NT_STATUS_IS_OK(result) && !got_info && contact_domain) {
1662
1663 NTSTATUS policy_ret;
1664
1665 policy_ret = fillup_password_policy(contact_domain, state);
1666
1667 /* failure of this is non critical, it will just provide no
1668 * additional information to the client why the change has
1669 * failed - Guenther */
1670
1671 if (!NT_STATUS_IS_OK(policy_ret)) {
1672 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(policy_ret)));
1673 goto process_result;
1674 }
1675 }
1676
1677 process_result:
1678
1679 state->response.data.auth.nt_status = NT_STATUS_V(result);
1680 fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
1681 fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
1682 state->response.data.auth.pam_error = nt_status_to_pam(result);
1683
1684 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
1685 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
1686 domain,
1687 user,
1688 state->response.data.auth.nt_status_string,
1689 state->response.data.auth.pam_error));
1690
1691 if (NT_STATUS_IS_OK(result)) {
1692 request_ok(state);
1693 } else {
1694 request_error(state);
1695 }
1696 }
1697
1698 void winbindd_pam_logoff(struct winbindd_cli_state *state)
1699 {
1700 struct winbindd_domain *domain;
1701 fstring name_domain, user;
1702
1703 DEBUG(3, ("[%5lu]: pam logoff %s\n", (unsigned long)state->pid,
1704 state->request.data.logoff.user));
1705
1706 /* Ensure null termination */
1707 state->request.data.logoff.user
1708 [sizeof(state->request.data.logoff.user)-1]='\0';
1709
1710 state->request.data.logoff.krb5ccname
1711 [sizeof(state->request.data.logoff.krb5ccname)-1]='\0';
1712
1713 parse_domain_user(state->request.data.logoff.user, name_domain, user);
1714
1715 domain = find_auth_domain(state, name_domain);
1716
1717 if (domain == NULL) {
1718 set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
1719 DEBUG(5, ("Pam Logoff for %s returned %s "
1720 "(PAM: %d)\n",
1721 state->request.data.auth.user,
1722 state->response.data.auth.nt_status_string,
1723 state->response.data.auth.pam_error));
1724 request_error(state);
1725 return;
1726 }
1727
1728 sendto_domain(state, domain);
1729 }
1730
1731 enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
1732 struct winbindd_cli_state *state)
1733 {
1734 NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
1735 struct WINBINDD_CCACHE_ENTRY *entry;
1736 int ret;
1737
1738 DEBUG(3, ("[%5lu]: pam dual logoff %s\n", (unsigned long)state->pid,
1739 state->request.data.logoff.user));
1740
1741 if (!(state->request.flags & WBFLAG_PAM_KRB5)) {
1742 result = NT_STATUS_OK;
1743 goto process_result;
1744 }
1745
1746 #ifdef HAVE_KRB5
1747
1748 /* what we need here is to find the corresponding krb5 ccache name *we*
1749 * created for a given username and destroy it (as the user who created it) */
1750
1751 entry = get_ccache_by_username(state->request.data.logoff.user);
1752 if (entry == NULL) {
1753 DEBUG(10,("winbindd_pam_logoff: could not get ccname for user %s\n",
1754 state->request.data.logoff.user));
1755 goto process_result;
1756 }
1757
1758 DEBUG(10,("winbindd_pam_logoff: found ccache [%s]\n", entry->ccname));
1759
1760 if (entry->uid < 0 || state->request.data.logoff.uid < 0) {
1761 DEBUG(0,("winbindd_pam_logoff: invalid uid\n"));
1762 goto process_result;
1763 }
1764
1765 if (entry->uid != state->request.data.logoff.uid) {
1766 DEBUG(0,("winbindd_pam_logoff: uid's differ: %d != %d\n",
1767 entry->uid, state->request.data.logoff.uid));
1768 goto process_result;
1769 }
1770
1771 if (!strcsequal(entry->ccname, state->request.data.logoff.krb5ccname)) {
1772 DEBUG(0,("winbindd_pam_logoff: krb5ccnames differ: (daemon) %s != (client) %s\n",
1773 entry->ccname, state->request.data.logoff.krb5ccname));
1774 goto process_result;
1775 }
1776
1777 seteuid(entry->uid);
1778
1779 ret = ads_kdestroy(entry->ccname);
1780
1781 seteuid(0);
1782
1783 if (ret) {
1784 DEBUG(0,("winbindd_pam_logoff: failed to destroy user ccache %s with: %s\n",
1785 entry->ccname, error_message(ret)));
1786 } else {
1787 DEBUG(10,("winbindd_pam_logoff: successfully destroyed ccache %s for user %s\n",
1788 entry->ccname, state->request.data.logoff.user));
1789 remove_ccache_by_ccname(entry->ccname);
1790 }
1791
1792 result = krb5_to_nt_status(ret);
1793 #else
1794 result = NT_STATUS_NOT_SUPPORTED;
1795 #endif
1796
1797 process_result:
1798 state->response.data.auth.nt_status = NT_STATUS_V(result);
1799 fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
1800 fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
1801 state->response.data.auth.pam_error = nt_status_to_pam(result);
1802
1803 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1804 }
1805
Samba GIT mirror