search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
winbind: Enforce user group policy when enabled
[Samba.git] / source3 / winbindd / winbindd_pam.c
blobf306bdad0f899f687db4c82dc6a477893a289c50
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon - pam auth funcions
5
6 Copyright (C) Andrew Tridgell 2000
7 Copyright (C) Tim Potter 2001
8 Copyright (C) Andrew Bartlett 2001-2002
9 Copyright (C) Guenther Deschner 2005
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 */
24
25 #include "includes.h"
26 #include "ntdomain.h"
27 #include "winbindd.h"
28 #include "libsmb/namequery.h"
29 #include "../libcli/auth/libcli_auth.h"
30 #include "libcli/auth/pam_errors.h"
31 #include "../librpc/gen_ndr/ndr_samr_c.h"
32 #include "librpc/rpc/dcesrv_core.h"
33 #include "librpc/gen_ndr/ndr_winbind.h"
34 #include "rpc_client/cli_pipe.h"
35 #include "rpc_client/cli_samr.h"
36 #include "../librpc/gen_ndr/ndr_netlogon.h"
37 #include "rpc_client/cli_netlogon.h"
38 #include "smb_krb5.h"
39 #include "../libcli/security/security.h"
40 #include "ads.h"
41 #include "../librpc/gen_ndr/krb5pac.h"
42 #include "passdb/machine_sid.h"
43 #include "auth.h"
44 #include "../lib/tsocket/tsocket.h"
45 #include "auth/kerberos/pac_utils.h"
46 #include "auth/gensec/gensec.h"
47 #include "librpc/crypto/gse_krb5.h"
48 #include "lib/afs/afs_funcs.h"
49 #include "libsmb/samlogon_cache.h"
50 #include "rpc_client/util_netlogon.h"
51 #include "param/param.h"
52 #include "messaging/messaging.h"
53 #include "lib/util/string_wrappers.h"
54 #include "lib/crypto/gnutls_helpers.h"
55
56 #include "lib/crypto/gnutls_helpers.h"
57 #include <gnutls/crypto.h>
58 #include "lib/global_contexts.h"
59
60 #undef DBGC_CLASS
61 #define DBGC_CLASS DBGC_WINBIND
62
63 #define LOGON_KRB5_FAIL_CLOCK_SKEW 0x02000000
64
65 static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx,
66 struct winbindd_response *resp,
67 uint16_t validation_level,
68 union netr_Validation *validation)
69 {
70 struct netr_SamInfo3 *info3 = NULL;
71 char *ex = NULL;
72 uint32_t i;
73 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
74 TALLOC_CTX *frame = talloc_stackframe();
75
76 status = map_validation_to_info3(frame,
77 validation_level,
78 validation,
79 &info3);
80 if (!NT_STATUS_IS_OK(status)) {
81 goto out;
82 }
83
84 resp->data.auth.info3.logon_time =
85 nt_time_to_unix(info3->base.logon_time);
86 resp->data.auth.info3.logoff_time =
87 nt_time_to_unix(info3->base.logoff_time);
88 resp->data.auth.info3.kickoff_time =
89 nt_time_to_unix(info3->base.kickoff_time);
90 resp->data.auth.info3.pass_last_set_time =
91 nt_time_to_unix(info3->base.last_password_change);
92 resp->data.auth.info3.pass_can_change_time =
93 nt_time_to_unix(info3->base.allow_password_change);
94 resp->data.auth.info3.pass_must_change_time =
95 nt_time_to_unix(info3->base.force_password_change);
96
97 resp->data.auth.info3.logon_count = info3->base.logon_count;
98 resp->data.auth.info3.bad_pw_count = info3->base.bad_password_count;
99
100 resp->data.auth.info3.user_rid = info3->base.rid;
101 resp->data.auth.info3.group_rid = info3->base.primary_gid;
102 sid_to_fstring(resp->data.auth.info3.dom_sid, info3->base.domain_sid);
103
104 resp->data.auth.info3.num_groups = info3->base.groups.count;
105 resp->data.auth.info3.user_flgs = info3->base.user_flags;
106
107 resp->data.auth.info3.acct_flags = info3->base.acct_flags;
108 resp->data.auth.info3.num_other_sids = info3->sidcount;
109
110 fstrcpy(resp->data.auth.info3.user_name,
111 info3->base.account_name.string);
112 fstrcpy(resp->data.auth.info3.full_name,
113 info3->base.full_name.string);
114 fstrcpy(resp->data.auth.info3.logon_script,
115 info3->base.logon_script.string);
116 fstrcpy(resp->data.auth.info3.profile_path,
117 info3->base.profile_path.string);
118 fstrcpy(resp->data.auth.info3.home_dir,
119 info3->base.home_directory.string);
120 fstrcpy(resp->data.auth.info3.dir_drive,
121 info3->base.home_drive.string);
122
123 fstrcpy(resp->data.auth.info3.logon_srv,
124 info3->base.logon_server.string);
125 fstrcpy(resp->data.auth.info3.logon_dom,
126 info3->base.logon_domain.string);
127
128 resp->data.auth.validation_level = validation_level;
129 if (validation_level == 6) {
130 fstrcpy(resp->data.auth.info6.dns_domainname,
131 validation->sam6->dns_domainname.string);
132 fstrcpy(resp->data.auth.info6.principal_name,
133 validation->sam6->principal_name.string);
134 }
135
136 ex = talloc_strdup(frame, "");
137 if (ex == NULL) {
138 status = NT_STATUS_NO_MEMORY;
139 goto out;
140 }
141
142 for (i=0; i < info3->base.groups.count; i++) {
143 ex = talloc_asprintf_append_buffer(ex, "0x%08X:0x%08X\n",
144 info3->base.groups.rids[i].rid,
145 info3->base.groups.rids[i].attributes);
146 if (ex == NULL) {
147 status = NT_STATUS_NO_MEMORY;
148 goto out;
149 }
150 }
151
152 for (i=0; i < info3->sidcount; i++) {
153 struct dom_sid_buf sidbuf;
154
155 ex = talloc_asprintf_append_buffer(
156 ex,
157 "%s:0x%08X\n",
158 dom_sid_str_buf(info3->sids[i].sid, &sidbuf),
159 info3->sids[i].attributes);
160 if (ex == NULL) {
161 status = NT_STATUS_NO_MEMORY;
162 goto out;
163 }
164 }
165
166 resp->length += talloc_get_size(ex);
167 resp->extra_data.data = talloc_move(mem_ctx, &ex);
168
169 status = NT_STATUS_OK;
170 out:
171 TALLOC_FREE(frame);
172 return status;
173 }
174
175 static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx,
176 struct winbindd_response *resp,
177 struct netr_SamInfo3 *info3)
178 {
179 DATA_BLOB blob;
180 enum ndr_err_code ndr_err;
181
182 ndr_err = ndr_push_struct_blob(&blob, mem_ctx, info3,
183 (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3);
184 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
185 DEBUG(0,("append_info3_as_ndr: failed to append\n"));
186 return ndr_map_error2ntstatus(ndr_err);
187 }
188
189 resp->extra_data.data = blob.data;
190 resp->length += blob.length;
191
192 return NT_STATUS_OK;
193 }
194
195 static NTSTATUS append_unix_username(uint16_t validation_level,
196 union netr_Validation *validation,
197 const char *name_domain,
198 const char *name_user,
199 TALLOC_CTX *mem_ctx,
200 char **_unix_username)
201 {
202 TALLOC_CTX *tmp_ctx = NULL;
203 const char *nt_username = NULL;
204 const char *nt_domain = NULL;
205 char *unix_username = NULL;
206 struct netr_SamBaseInfo *base_info = NULL;
207 NTSTATUS status;
208
209 tmp_ctx = talloc_new(mem_ctx);
210 if (tmp_ctx == NULL) {
211 return NT_STATUS_NO_MEMORY;
212 }
213
214 /* We've been asked to return the unix username, per
215 'winbind use default domain' settings and the like */
216
217 switch (validation_level) {
218 case 3:
219 base_info = &validation->sam3->base;
220 break;
221 case 6:
222 base_info = &validation->sam6->base;
223 break;
224 default:
225 DBG_ERR("Invalid validation level %d\n", validation_level);
226 status = NT_STATUS_INTERNAL_ERROR;
227 goto out;
228 }
229
230 nt_domain = talloc_strdup(tmp_ctx, base_info->logon_domain.string);
231 if (!nt_domain) {
232 /* If the server didn't give us one, just use the one
233 * we sent them */
234 nt_domain = name_domain;
235 }
236
237 nt_username = talloc_strdup(tmp_ctx, base_info->account_name.string);
238 if (!nt_username) {
239 /* If the server didn't give us one, just use the one
240 * we sent them */
241 nt_username = name_user;
242 }
243
244 unix_username = fill_domain_username_talloc(tmp_ctx,
245 nt_domain,
246 nt_username,
247 true);
248 if (unix_username == NULL) {
249 status = NT_STATUS_NO_MEMORY;
250 goto out;
251 }
252
253 DBG_INFO("Setting unix username to [%s]\n", unix_username);
254
255 *_unix_username = talloc_move(mem_ctx, &unix_username);
256
257 status = NT_STATUS_OK;
258 out:
259 TALLOC_FREE(tmp_ctx);
260
261 return status;
262 }
263
264 static NTSTATUS append_afs_token(uint16_t validation_level,
265 union netr_Validation *validation,
266 const char *name_domain,
267 const char *name_user,
268 TALLOC_CTX *mem_ctx,
269 DATA_BLOB *_blob)
270 {
271 TALLOC_CTX *tmp_ctx = NULL;
272 char *afsname = NULL;
273 char *cell;
274 char *token;
275 struct netr_SamBaseInfo *base_info = NULL;
276 NTSTATUS status;
277
278 tmp_ctx = talloc_new(mem_ctx);
279 if (tmp_ctx == NULL) {
280 return NT_STATUS_NO_MEMORY;
281 }
282
283 switch (validation_level) {
284 case 3:
285 base_info = &validation->sam3->base;
286 break;
287 case 6:
288 base_info = &validation->sam6->base;
289 break;
290 default:
291 DBG_ERR("Invalid validation level %d\n", validation_level);
292 status = NT_STATUS_INTERNAL_ERROR;
293 goto out;
294 }
295
296 afsname = talloc_strdup(tmp_ctx, lp_afs_username_map());
297 if (afsname == NULL) {
298 status = NT_STATUS_NO_MEMORY;
299 goto out;
300 }
301
302 afsname = talloc_string_sub(tmp_ctx,
303 lp_afs_username_map(),
304 "%D", name_domain);
305 afsname = talloc_string_sub(tmp_ctx, afsname,
306 "%u", name_user);
307 afsname = talloc_string_sub(tmp_ctx, afsname,
308 "%U", name_user);
309
310 {
311 struct dom_sid user_sid;
312 struct dom_sid_buf sidstr;
313
314 sid_compose(&user_sid, base_info->domain_sid, base_info->rid);
315 afsname = talloc_string_sub(
316 tmp_ctx,
317 afsname,
318 "%s",
319 dom_sid_str_buf(&user_sid, &sidstr));
320 }
321
322 if (afsname == NULL) {
323 status = NT_STATUS_NO_MEMORY;
324 goto out;
325 }
326
327 if (!strlower_m(afsname)) {
328 status = NT_STATUS_INVALID_PARAMETER;
329 goto out;
330 }
331
332 DEBUG(10, ("Generating token for user %s\n", afsname));
333
334 cell = strchr(afsname, '@');
335
336 if (cell == NULL) {
337 status = NT_STATUS_NO_MEMORY;
338 goto out;
339 }
340
341 *cell = '\0';
342 cell += 1;
343
344 token = afs_createtoken_str(afsname, cell);
345 if (token == NULL) {
346 status = NT_STATUS_OK;
347 goto out;
348 }
349
350 talloc_steal(mem_ctx, token);
351 *_blob = data_blob_string_const_null(token);
352
353 status = NT_STATUS_OK;
354 out:
355 TALLOC_FREE(tmp_ctx);
356
357 return status;
358 }
359
360 NTSTATUS extra_data_to_sid_array(const char *group_sid,
361 TALLOC_CTX *mem_ctx,
362 struct wbint_SidArray **_sid_array)
363 {
364 TALLOC_CTX *tmp_ctx = NULL;
365 struct wbint_SidArray *sid_array = NULL;
366 struct dom_sid *require_membership_of_sid = NULL;
367 uint32_t num_require_membership_of_sid = 0;
368 char *req_sid = NULL;
369 const char *p = NULL;
370 NTSTATUS status;
371
372 if (_sid_array == NULL) {
373 return NT_STATUS_INVALID_PARAMETER;
374 }
375
376 *_sid_array = NULL;
377
378 tmp_ctx = talloc_new(mem_ctx);
379 if (tmp_ctx == NULL) {
380 return NT_STATUS_NO_MEMORY;
381 }
382
383 sid_array = talloc_zero(tmp_ctx, struct wbint_SidArray);
384 if (sid_array == NULL) {
385 status = NT_STATUS_NO_MEMORY;
386 goto fail;
387 }
388
389 if (!group_sid || !group_sid[0]) {
390 /* NO sid supplied, all users may access */
391 status = NT_STATUS_OK;
392 /*
393 * Always return an allocated wbint_SidArray,
394 * even if the array is empty.
395 */
396 goto out;
397 }
398
399 num_require_membership_of_sid = 0;
400 require_membership_of_sid = NULL;
401 p = group_sid;
402
403 while (next_token_talloc(tmp_ctx, &p, &req_sid, ",")) {
404 struct dom_sid sid;
405
406 if (!string_to_sid(&sid, req_sid)) {
407 DBG_ERR("check_info3_in_group: could not parse %s "
408 "as a SID!\n", req_sid);
409 status = NT_STATUS_INVALID_PARAMETER;
410 goto fail;
411 }
412
413 status = add_sid_to_array(tmp_ctx, &sid,
414 &require_membership_of_sid,
415 &num_require_membership_of_sid);
416 if (!NT_STATUS_IS_OK(status)) {
417 DBG_ERR("add_sid_to_array failed\n");
418 goto fail;
419 }
420 }
421
422 sid_array->num_sids = num_require_membership_of_sid;
423 sid_array->sids = talloc_move(sid_array, &require_membership_of_sid);
424
425 status = NT_STATUS_OK;
426 out:
427 *_sid_array = talloc_move(mem_ctx, &sid_array);
428
429 fail:
430 TALLOC_FREE(tmp_ctx);
431
432 return status;
433 }
434
435 static NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
436 struct wbint_SidArray *sid_array)
437 /**
438 * Check whether a user belongs to a group or list of groups.
439 *
440 * @param mem_ctx talloc memory context.
441 * @param info3 user information, including group membership info.
442 * @param group_sid One or more groups , separated by commas.
443 *
444 * @return NT_STATUS_OK on success,
445 * NT_STATUS_LOGON_FAILURE if the user does not belong,
446 * or other NT_STATUS_IS_ERR(status) for other kinds of failure.
447 */
448 {
449 size_t i;
450 struct security_token *token;
451 NTSTATUS status;
452
453 /* Parse the 'required group' SID */
454
455 if (sid_array == NULL || sid_array->num_sids == 0) {
456 /* NO sid supplied, all users may access */
457 return NT_STATUS_OK;
458 }
459
460 token = talloc_zero(talloc_tos(), struct security_token);
461 if (token == NULL) {
462 DEBUG(0, ("talloc failed\n"));
463 return NT_STATUS_NO_MEMORY;
464 }
465
466 status = sid_array_from_info3(talloc_tos(), info3,
467 &token->sids,
468 &token->num_sids,
469 true);
470 if (!NT_STATUS_IS_OK(status)) {
471 return status;
472 }
473
474 if (!NT_STATUS_IS_OK(status = add_aliases(get_global_sam_sid(),
475 token))
476 || !NT_STATUS_IS_OK(status = add_aliases(&global_sid_Builtin,
477 token))) {
478 DEBUG(3, ("could not add aliases: %s\n",
479 nt_errstr(status)));
480 return status;
481 }
482
483 security_token_debug(DBGC_CLASS, 10, token);
484
485 for (i=0; i<sid_array->num_sids; i++) {
486 struct dom_sid_buf buf;
487 DEBUG(10, ("Checking SID %s\n",
488 dom_sid_str_buf(&sid_array->sids[i],
489 &buf)));
490 if (nt_token_check_sid(&sid_array->sids[i],
491 token)) {
492 DEBUG(10, ("Access ok\n"));
493 return NT_STATUS_OK;
494 }
495 }
496
497 /* Do not distinguish this error from a wrong username/pw */
498
499 return NT_STATUS_LOGON_FAILURE;
500 }
501
502 struct winbindd_domain *find_auth_domain(uint8_t flags,
503 const char *domain_name)
504 {
505 struct winbindd_domain *domain;
506
507 if (IS_DC) {
508 domain = find_domain_from_name_noinit(domain_name);
509 if (domain == NULL) {
510 DEBUG(3, ("Authentication for domain [%s] refused "
511 "as it is not a trusted domain\n",
512 domain_name));
513 return NULL;
514 }
515
516 if (domain->secure_channel_type != SEC_CHAN_NULL) {
517 return domain;
518 }
519
520 return domain->routing_domain;
521 }
522
523 if (strequal(domain_name, get_global_sam_name())) {
524 return find_domain_from_name_noinit(domain_name);
525 }
526
527 if (lp_winbind_use_krb5_enterprise_principals()) {
528 /*
529 * If we use enterprise principals
530 * we always go trough our primary domain
531 * and follow the WRONG_REALM replies.
532 */
533 flags &= ~WBFLAG_PAM_CONTACT_TRUSTDOM;
534 }
535
536 /* we can auth against trusted domains */
537 if (flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
538 domain = find_domain_from_name_noinit(domain_name);
539 if (domain == NULL) {
540 DEBUG(3, ("Authentication for domain [%s] skipped "
541 "as it is not a trusted domain\n",
542 domain_name));
543 } else {
544 return domain;
545 }
546 }
547
548 return find_our_domain();
549 }
550
551 static NTSTATUS get_password_policy(struct winbindd_domain *domain,
552 TALLOC_CTX *mem_ctx,
553 struct samr_DomInfo1 **_policy)
554 {
555 NTSTATUS status;
556 struct samr_DomInfo1 *policy = NULL;
557
558 if ( !winbindd_can_contact_domain( domain ) ) {
559 DBG_INFO("No inbound trust to contact domain %s\n",
560 domain->name);
561 return NT_STATUS_NOT_SUPPORTED;
562 }
563
564 policy = talloc_zero(mem_ctx, struct samr_DomInfo1);
565 if (policy == NULL) {
566 return NT_STATUS_NO_MEMORY;
567 }
568
569 status = wb_cache_password_policy(domain, mem_ctx, policy);
570 if (NT_STATUS_IS_ERR(status)) {
571 TALLOC_FREE(policy);
572 return status;
573 }
574
575 *_policy = talloc_move(mem_ctx, &policy);
576
577 return NT_STATUS_OK;
578 }
579
580 static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain *domain,
581 TALLOC_CTX *mem_ctx,
582 uint16_t *lockout_threshold)
583 {
584 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
585 struct samr_DomInfo12 lockout_policy;
586
587 *lockout_threshold = 0;
588
589 status = wb_cache_lockout_policy(domain, mem_ctx, &lockout_policy);
590 if (NT_STATUS_IS_ERR(status)) {
591 return status;
592 }
593
594 *lockout_threshold = lockout_policy.lockout_threshold;
595
596 return NT_STATUS_OK;
597 }
598
599 static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
600 TALLOC_CTX *mem_ctx,
601 uint32_t *password_properties)
602 {
603 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
604 struct samr_DomInfo1 password_policy;
605
606 *password_properties = 0;
607
608 status = wb_cache_password_policy(domain, mem_ctx, &password_policy);
609 if (NT_STATUS_IS_ERR(status)) {
610 return status;
611 }
612
613 *password_properties = password_policy.password_properties;
614
615 return NT_STATUS_OK;
616 }
617
618 #ifdef HAVE_KRB5
619
620 static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
621 const char *type,
622 uid_t uid,
623 const char **user_ccache_file)
624 {
625 /* accept FILE and WRFILE as krb5_cc_type from the client and then
626 * build the full ccname string based on the user's uid here -
627 * Guenther*/
628
629 const char *gen_cc = NULL;
630
631 if (uid != -1) {
632 if (strequal(type, "FILE")) {
633 gen_cc = talloc_asprintf(
634 mem_ctx, "FILE:/tmp/krb5cc_%d", uid);
635 }
636 if (strequal(type, "WRFILE")) {
637 gen_cc = talloc_asprintf(
638 mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
639 }
640 if (strequal(type, "KEYRING")) {
641 gen_cc = talloc_asprintf(
642 mem_ctx, "KEYRING:persistent:%d", uid);
643 }
644 if (strequal(type, "KCM")) {
645 gen_cc = talloc_asprintf(mem_ctx,
646 "KCM:%d",
647 uid);
648 }
649
650 if (strnequal(type, "FILE:/", 6) ||
651 strnequal(type, "WRFILE:/", 8) ||
652 strnequal(type, "DIR:/", 5)) {
653
654 /* we allow only one "%u" substitution */
655
656 char *p;
657
658 p = strchr(type, '%');
659 if (p != NULL) {
660
661 p++;
662
663 if (p != NULL && *p == 'u' && strchr(p, '%') == NULL) {
664 char uid_str[sizeof("18446744073709551615")];
665
666 snprintf(uid_str, sizeof(uid_str), "%u", uid);
667
668 gen_cc = talloc_string_sub2(mem_ctx,
669 type,
670 "%u",
671 uid_str,
672 /* remove_unsafe_characters */
673 false,
674 /* replace_once */
675 true,
676 /* allow_trailing_dollar */
677 false);
678 }
679 }
680 }
681 }
682
683 *user_ccache_file = gen_cc;
684
685 if (gen_cc == NULL) {
686 gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbindd_pam_ccache");
687 }
688 if (gen_cc == NULL) {
689 DEBUG(0,("out of memory\n"));
690 return NULL;
691 }
692
693 DEBUG(10, ("using ccache: %s%s\n", gen_cc,
694 (*user_ccache_file == NULL) ? " (internal)":""));
695
696 return gen_cc;
697 }
698
699 #endif
700
701 uid_t get_uid_from_request(struct winbindd_request *request)
702 {
703 uid_t uid;
704
705 uid = request->data.auth.uid;
706
707 if (uid == (uid_t)-1) {
708 DEBUG(1,("invalid uid: '%u'\n", (unsigned int)uid));
709 return -1;
710 }
711 return uid;
712 }
713
714 /**********************************************************************
715 Authenticate a user with a clear text password using Kerberos and fill up
716 ccache if required
717 **********************************************************************/
718
719 static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
720 struct winbindd_domain *domain,
721 const char *user,
722 const char *pass,
723 const char *krb5_cc_type,
724 uid_t uid,
725 struct netr_SamInfo6 **info6,
726 const char **_krb5ccname)
727 {
728 #ifdef HAVE_KRB5
729 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
730 krb5_error_code krb5_ret;
731 const char *cc = NULL;
732 const char *principal_s = NULL;
733 char *realm = NULL;
734 fstring name_namespace, name_domain, name_user;
735 time_t ticket_lifetime = 0;
736 time_t renewal_until = 0;
737 time_t time_offset = 0;
738 const char *user_ccache_file;
739 struct PAC_LOGON_INFO *logon_info = NULL;
740 struct PAC_UPN_DNS_INFO *upn_dns_info = NULL;
741 struct PAC_DATA *pac_data = NULL;
742 struct PAC_DATA_CTR *pac_data_ctr = NULL;
743 const char *local_service;
744 uint32_t i;
745 struct netr_SamInfo6 *info6_copy = NULL;
746 char *canon_principal = NULL;
747 char *canon_realm = NULL;
748 bool ok;
749
750 *info6 = NULL;
751
752 if (domain->alt_name == NULL) {
753 return NT_STATUS_INVALID_PARAMETER;
754 }
755
756 if (_krb5ccname != NULL) {
757 *_krb5ccname = NULL;
758 }
759
760 /* 1st step:
761 * prepare a krb5_cc_cache string for the user */
762
763 if (uid == -1) {
764 DEBUG(0,("no valid uid\n"));
765 }
766
767 cc = generate_krb5_ccache(mem_ctx,
768 krb5_cc_type,
769 uid,
770 &user_ccache_file);
771 if (cc == NULL) {
772 return NT_STATUS_NO_MEMORY;
773 }
774
775
776 /* 2nd step:
777 * get kerberos properties */
778
779 if (domain->backend_data.ads_conn != NULL) {
780 time_offset = domain->backend_data.ads_conn->auth.time_offset;
781 }
782
783
784 /* 3rd step:
785 * do kerberos auth and setup ccache as the user */
786
787 ok = parse_domain_user(user, name_namespace, name_domain, name_user);
788 if (!ok) {
789 return NT_STATUS_INVALID_PARAMETER;
790 }
791
792 realm = talloc_strdup(mem_ctx, domain->alt_name);
793 if (realm == NULL) {
794 return NT_STATUS_NO_MEMORY;
795 }
796
797 if (!strupper_m(realm)) {
798 return NT_STATUS_INVALID_PARAMETER;
799 }
800
801 if (lp_winbind_use_krb5_enterprise_principals() &&
802 name_namespace[0] != '\0')
803 {
804 principal_s = talloc_asprintf(mem_ctx,
805 "%s@%s@%s",
806 name_user,
807 name_namespace,
808 realm);
809 } else {
810 principal_s = talloc_asprintf(mem_ctx,
811 "%s@%s",
812 name_user,
813 realm);
814 }
815 if (principal_s == NULL) {
816 return NT_STATUS_NO_MEMORY;
817 }
818
819 local_service = talloc_asprintf(mem_ctx, "%s$@%s",
820 lp_netbios_name(), lp_realm());
821 if (local_service == NULL) {
822 return NT_STATUS_NO_MEMORY;
823 }
824
825
826 /* if this is a user ccache, we need to act as the user to let the krb5
827 * library handle the chown, etc. */
828
829 /************************ ENTERING NON-ROOT **********************/
830
831 if (user_ccache_file != NULL) {
832 set_effective_uid(uid);
833 DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
834 }
835
836 result = kerberos_return_pac(mem_ctx,
837 principal_s,
838 pass,
839 time_offset,
840 &ticket_lifetime,
841 &renewal_until,
842 cc,
843 true,
844 true,
845 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
846 NULL,
847 local_service,
848 &canon_principal,
849 &canon_realm,
850 &pac_data_ctr);
851 if (user_ccache_file != NULL) {
852 gain_root_privilege();
853 }
854
855 /************************ RETURNED TO ROOT **********************/
856
857 if (!NT_STATUS_IS_OK(result)) {
858 goto failed;
859 }
860
861 if (pac_data_ctr == NULL) {
862 goto failed;
863 }
864
865 pac_data = pac_data_ctr->pac_data;
866 if (pac_data == NULL) {
867 goto failed;
868 }
869
870 for (i=0; i < pac_data->num_buffers; i++) {
871
872 if (pac_data->buffers[i].type == PAC_TYPE_LOGON_INFO) {
873 logon_info = pac_data->buffers[i].info->logon_info.info;
874 continue;
875 }
876
877 if (pac_data->buffers[i].type == PAC_TYPE_UPN_DNS_INFO) {
878 upn_dns_info = &pac_data->buffers[i].info->upn_dns_info;
879 continue;
880 }
881 }
882
883 if (logon_info == NULL) {
884 DEBUG(10,("Missing logon_info in ticket of %s\n",
885 principal_s));
886 return NT_STATUS_INVALID_PARAMETER;
887 }
888
889 DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
890 principal_s));
891
892 result = create_info6_from_pac(mem_ctx, logon_info,
893 upn_dns_info, &info6_copy);
894 if (!NT_STATUS_IS_OK(result)) {
895 goto failed;
896 }
897
898 /* if we had a user's ccache then return that string for the pam
899 * environment */
900
901 if (user_ccache_file != NULL) {
902
903 if (_krb5ccname != NULL) {
904 *_krb5ccname = talloc_steal(mem_ctx, user_ccache_file);
905 }
906
907 result = add_ccache_to_list(principal_s,
908 cc,
909 user,
910 pass,
911 realm,
912 uid,
913 time(NULL),
914 ticket_lifetime,
915 renewal_until,
916 false,
917 canon_principal,
918 canon_realm);
919
920 if (!NT_STATUS_IS_OK(result)) {
921 DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
922 nt_errstr(result)));
923 }
924 } else {
925
926 /* need to delete the memory cred cache, it is not used anymore */
927
928 krb5_ret = ads_kdestroy(cc);
929 if (krb5_ret) {
930 DEBUG(3,("winbindd_raw_kerberos_login: "
931 "could not destroy krb5 credential cache: "
932 "%s\n", error_message(krb5_ret)));
933 }
934
935 }
936 *info6 = info6_copy;
937 return NT_STATUS_OK;
938
939 failed:
940 /*
941 * Do not delete an existing valid credential cache, if the user
942 * e.g. enters a wrong password
943 */
944 if ((strequal(krb5_cc_type, "FILE") || strequal(krb5_cc_type, "WRFILE"))
945 && user_ccache_file != NULL) {
946 return result;
947 }
948
949 /* we could have created a new credential cache with a valid tgt in it
950 * but we werent able to get or verify the service ticket for this
951 * local host and therefor didn't get the PAC, we need to remove that
952 * cache entirely now */
953
954 krb5_ret = ads_kdestroy(cc);
955 if (krb5_ret) {
956 DEBUG(3,("winbindd_raw_kerberos_login: "
957 "could not destroy krb5 credential cache: "
958 "%s\n", error_message(krb5_ret)));
959 }
960
961 if (!NT_STATUS_IS_OK(remove_ccache(user))) {
962 DEBUG(3,("winbindd_raw_kerberos_login: "
963 "could not remove ccache for user %s\n",
964 user));
965 }
966
967 return result;
968 #else
969 return NT_STATUS_NOT_SUPPORTED;
970 #endif /* HAVE_KRB5 */
971 }
972
973 /****************************************************************
974 ****************************************************************/
975
976 bool check_request_flags(uint32_t flags)
977 {
978 uint32_t flags_edata = WBFLAG_PAM_AFS_TOKEN |
979 WBFLAG_PAM_INFO3_TEXT |
980 WBFLAG_PAM_INFO3_NDR;
981
982 if ( ( (flags & flags_edata) == WBFLAG_PAM_AFS_TOKEN) ||
983 ( (flags & flags_edata) == WBFLAG_PAM_INFO3_NDR) ||
984 ( (flags & flags_edata) == WBFLAG_PAM_INFO3_TEXT)||
985 !(flags & flags_edata) ) {
986 return true;
987 }
988
989 DEBUG(1, ("check_request_flags: invalid request flags[0x%08X]\n",
990 flags));
991
992 return false;
993 }
994
995 /****************************************************************
996 ****************************************************************/
997
998 NTSTATUS append_auth_data(TALLOC_CTX *mem_ctx,
999 struct winbindd_response *resp,
1000 uint32_t request_flags,
1001 uint16_t validation_level,
1002 union netr_Validation *validation,
1003 const char *name_domain,
1004 const char *name_user)
1005 {
1006 struct netr_SamInfo3 *info3 = NULL;
1007 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1008
1009 result = map_validation_to_info3(talloc_tos(),
1010 validation_level,
1011 validation,
1012 &info3);
1013 if (!NT_STATUS_IS_OK(result)) {
1014 goto out;
1015 }
1016
1017 if (request_flags & WBFLAG_PAM_USER_SESSION_KEY) {
1018 memcpy(resp->data.auth.user_session_key,
1019 info3->base.key.key,
1020 sizeof(resp->data.auth.user_session_key)
1021 /* 16 */);
1022 }
1023
1024 if (request_flags & WBFLAG_PAM_LMKEY) {
1025 memcpy(resp->data.auth.first_8_lm_hash,
1026 info3->base.LMSessKey.key,
1027 sizeof(resp->data.auth.first_8_lm_hash)
1028 /* 8 */);
1029 }
1030
1031 if (request_flags & WBFLAG_PAM_UNIX_NAME) {
1032 char *unix_username = NULL;
1033 result = append_unix_username(validation_level,
1034 validation,
1035 name_domain,
1036 name_user,
1037 mem_ctx,
1038 &unix_username);
1039 if (!NT_STATUS_IS_OK(result)) {
1040 DEBUG(10,("Failed to append Unix Username: %s\n",
1041 nt_errstr(result)));
1042 goto out;
1043 }
1044 fstrcpy(resp->data.auth.unix_username, unix_username);
1045 TALLOC_FREE(unix_username);
1046 }
1047
1048 /* currently, anything from here on potentially overwrites extra_data. */
1049
1050 if (request_flags & WBFLAG_PAM_INFO3_NDR) {
1051 result = append_info3_as_ndr(mem_ctx, resp, info3);
1052 if (!NT_STATUS_IS_OK(result)) {
1053 DEBUG(10,("Failed to append INFO3 (NDR): %s\n",
1054 nt_errstr(result)));
1055 goto out;
1056 }
1057 }
1058
1059 if (request_flags & WBFLAG_PAM_INFO3_TEXT) {
1060 result = append_info3_as_txt(mem_ctx, resp,
1061 validation_level,
1062 validation);
1063 if (!NT_STATUS_IS_OK(result)) {
1064 DEBUG(10,("Failed to append INFO3 (TXT): %s\n",
1065 nt_errstr(result)));
1066 goto out;
1067 }
1068 }
1069
1070 if (request_flags & WBFLAG_PAM_AFS_TOKEN) {
1071 DATA_BLOB blob = data_blob_null;
1072 result = append_afs_token(validation_level,
1073 validation,
1074 name_domain,
1075 name_user,
1076 mem_ctx,
1077 &blob);
1078 if (!NT_STATUS_IS_OK(result)) {
1079 DEBUG(10,("Failed to append AFS token: %s\n",
1080 nt_errstr(result)));
1081 goto out;
1082 }
1083 resp->extra_data.data = blob.data;
1084 resp->length += blob.length;
1085 }
1086
1087 result = NT_STATUS_OK;
1088 out:
1089 TALLOC_FREE(info3);
1090 return result;
1091 }
1092
1093 static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
1094 bool krb5_auth,
1095 const char *user,
1096 const char *pass,
1097 const char *krb5_cc_type,
1098 uid_t uid,
1099 TALLOC_CTX *mem_ctx,
1100 uint16_t *_validation_level,
1101 union netr_Validation **_validation,
1102 const char **_krb5ccname)
1103 {
1104 TALLOC_CTX *tmp_ctx = NULL;
1105 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
1106 uint16_t max_allowed_bad_attempts;
1107 fstring name_namespace, name_domain, name_user;
1108 struct dom_sid sid;
1109 enum lsa_SidType type;
1110 uchar new_nt_pass[NT_HASH_LEN];
1111 const uint8_t *cached_nt_pass;
1112 const uint8_t *cached_salt;
1113 struct netr_SamInfo3 *my_info3;
1114 time_t kickoff_time, must_change_time;
1115 bool password_good = false;
1116 bool ok;
1117 #ifdef HAVE_KRB5
1118 struct winbindd_tdc_domain *tdc_domain = NULL;
1119 #endif
1120
1121 if (_validation == NULL) {
1122 return NT_STATUS_INVALID_PARAMETER;
1123 }
1124 *_validation = NULL;
1125
1126 if (_krb5ccname != NULL) {
1127 *_krb5ccname = NULL;
1128 }
1129
1130 DEBUG(10,("winbindd_dual_pam_auth_cached\n"));
1131
1132 tmp_ctx = talloc_new(mem_ctx);
1133 if (tmp_ctx == NULL) {
1134 return NT_STATUS_NO_MEMORY;
1135 }
1136
1137 /* Parse domain and username */
1138
1139 ok = parse_domain_user(user, name_namespace, name_domain, name_user);
1140 if (!ok) {
1141 DBG_DEBUG("parse_domain_user failed\n");
1142 result = NT_STATUS_NO_SUCH_USER;
1143 goto out;
1144 }
1145
1146 if (!lookup_cached_name(name_namespace,
1147 name_domain,
1148 name_user,
1149 &sid,
1150 &type)) {
1151 DEBUG(10,("winbindd_dual_pam_auth_cached: no such user in the cache\n"));
1152 result = NT_STATUS_NO_SUCH_USER;
1153 goto out;
1154 }
1155
1156 if (type != SID_NAME_USER) {
1157 DEBUG(10,("winbindd_dual_pam_auth_cached: not a user (%s)\n", sid_type_lookup(type)));
1158 result = NT_STATUS_LOGON_FAILURE;
1159 goto out;
1160 }
1161
1162 result = winbindd_get_creds(domain,
1163 tmp_ctx,
1164 &sid,
1165 &my_info3,
1166 &cached_nt_pass,
1167 &cached_salt);
1168 if (!NT_STATUS_IS_OK(result)) {
1169 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get creds: %s\n", nt_errstr(result)));
1170 goto out;
1171 }
1172
1173 E_md4hash(pass, new_nt_pass);
1174
1175 dump_data_pw("new_nt_pass", new_nt_pass, NT_HASH_LEN);
1176 dump_data_pw("cached_nt_pass", cached_nt_pass, NT_HASH_LEN);
1177 if (cached_salt) {
1178 dump_data_pw("cached_salt", cached_salt, NT_HASH_LEN);
1179 }
1180
1181 if (cached_salt) {
1182 /* In this case we didn't store the nt_hash itself,
1183 but the MD5 combination of salt + nt_hash. */
1184 uchar salted_hash[NT_HASH_LEN];
1185 gnutls_hash_hd_t hash_hnd = NULL;
1186 int rc;
1187
1188 rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
1189 if (rc < 0) {
1190 result = gnutls_error_to_ntstatus(
1191 rc, NT_STATUS_HASH_NOT_SUPPORTED);
1192 goto out;
1193 }
1194
1195 rc = gnutls_hash(hash_hnd, cached_salt, 16);
1196 if (rc < 0) {
1197 gnutls_hash_deinit(hash_hnd, NULL);
1198 result = gnutls_error_to_ntstatus(
1199 rc, NT_STATUS_HASH_NOT_SUPPORTED);
1200 goto out;
1201 }
1202 rc = gnutls_hash(hash_hnd, new_nt_pass, 16);
1203 if (rc < 0) {
1204 gnutls_hash_deinit(hash_hnd, NULL);
1205 result = gnutls_error_to_ntstatus(
1206 rc, NT_STATUS_HASH_NOT_SUPPORTED);
1207 goto out;
1208 }
1209 gnutls_hash_deinit(hash_hnd, salted_hash);
1210
1211 password_good = mem_equal_const_time(cached_nt_pass, salted_hash,
1212 NT_HASH_LEN);
1213 } else {
1214 /* Old cached cred - direct store of nt_hash (bad bad bad !). */
1215 password_good = mem_equal_const_time(cached_nt_pass, new_nt_pass,
1216 NT_HASH_LEN);
1217 }
1218
1219 if (password_good) {
1220
1221 /* User *DOES* know the password, update logon_time and reset
1222 * bad_pw_count */
1223
1224 my_info3->base.user_flags |= NETLOGON_CACHED_ACCOUNT;
1225
1226 if (my_info3->base.acct_flags & ACB_AUTOLOCK) {
1227 result = NT_STATUS_ACCOUNT_LOCKED_OUT;
1228 goto out;
1229 }
1230
1231 if (my_info3->base.acct_flags & ACB_DISABLED) {
1232 result = NT_STATUS_ACCOUNT_DISABLED;
1233 goto out;
1234 }
1235
1236 if (my_info3->base.acct_flags & ACB_WSTRUST) {
1237 result = NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
1238 goto out;
1239 }
1240
1241 if (my_info3->base.acct_flags & ACB_SVRTRUST) {
1242 result = NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
1243 goto out;
1244 }
1245
1246 if (my_info3->base.acct_flags & ACB_DOMTRUST) {
1247 result = NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
1248 goto out;
1249 }
1250
1251 if (!(my_info3->base.acct_flags & ACB_NORMAL)) {
1252 DEBUG(0,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
1253 my_info3->base.acct_flags));
1254 result = NT_STATUS_LOGON_FAILURE;
1255 goto out;
1256 }
1257
1258 kickoff_time = nt_time_to_unix(my_info3->base.kickoff_time);
1259 if (kickoff_time != 0 && time(NULL) > kickoff_time) {
1260 result = NT_STATUS_ACCOUNT_EXPIRED;
1261 goto out;
1262 }
1263
1264 must_change_time = nt_time_to_unix(my_info3->base.force_password_change);
1265 if (must_change_time != 0 && must_change_time < time(NULL)) {
1266 /* we allow grace logons when the password has expired */
1267 my_info3->base.user_flags |= NETLOGON_GRACE_LOGON;
1268 /* return NT_STATUS_PASSWORD_EXPIRED; */
1269 goto success;
1270 }
1271
1272 #ifdef HAVE_KRB5
1273 if ((krb5_auth) &&
1274 ((tdc_domain = wcache_tdc_fetch_domain(tmp_ctx, name_domain)) != NULL) &&
1275 ((tdc_domain->trust_type & LSA_TRUST_TYPE_UPLEVEL) ||
1276 /* used to cope with the case winbindd starting without network. */
1277 !strequal(tdc_domain->domain_name, tdc_domain->dns_name))) {
1278 const char *cc = NULL;
1279 char *realm = NULL;
1280 const char *principal_s = NULL;
1281 const char *user_ccache_file;
1282
1283 if (domain->alt_name == NULL) {
1284 result = NT_STATUS_INVALID_PARAMETER;
1285 goto out;
1286 }
1287
1288 if (uid == -1) {
1289 DEBUG(0,("winbindd_dual_pam_auth_cached: invalid uid\n"));
1290 result = NT_STATUS_INVALID_PARAMETER;
1291 goto out;
1292 }
1293
1294 cc = generate_krb5_ccache(tmp_ctx,
1295 krb5_cc_type,
1296 uid,
1297 &user_ccache_file);
1298 if (cc == NULL) {
1299 result = NT_STATUS_NO_MEMORY;
1300 goto out;
1301 }
1302
1303 realm = talloc_strdup(tmp_ctx, domain->alt_name);
1304 if (realm == NULL) {
1305 result = NT_STATUS_NO_MEMORY;
1306 goto out;
1307 }
1308
1309 if (!strupper_m(realm)) {
1310 result = NT_STATUS_INVALID_PARAMETER;
1311 goto out;
1312 }
1313
1314 principal_s = talloc_asprintf(tmp_ctx, "%s@%s", name_user, realm);
1315 if (principal_s == NULL) {
1316 result = NT_STATUS_NO_MEMORY;
1317 goto out;
1318 }
1319
1320 if (user_ccache_file != NULL) {
1321
1322 if (_krb5ccname != NULL) {
1323 *_krb5ccname = talloc_move(mem_ctx,
1324 &user_ccache_file);
1325 }
1326
1327 result = add_ccache_to_list(principal_s,
1328 cc,
1329 user,
1330 pass,
1331 realm,
1332 uid,
1333 time(NULL),
1334 time(NULL) + lp_winbind_cache_time(),
1335 time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
1336 true,
1337 principal_s,
1338 realm);
1339
1340 if (!NT_STATUS_IS_OK(result)) {
1341 DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
1342 "to add ccache to list: %s\n",
1343 nt_errstr(result)));
1344 }
1345 }
1346 }
1347 #endif /* HAVE_KRB5 */
1348 success:
1349 /* FIXME: we possibly should handle logon hours as well (does xp when
1350 * offline?) see auth/auth_sam.c:sam_account_ok for details */
1351
1352 unix_to_nt_time(&my_info3->base.logon_time, time(NULL));
1353 my_info3->base.bad_password_count = 0;
1354
1355 result = winbindd_update_creds_by_info3(domain,
1356 user,
1357 pass,
1358 my_info3);
1359 if (!NT_STATUS_IS_OK(result)) {
1360 DEBUG(1,("winbindd_dual_pam_auth_cached: failed to update creds: %s\n",
1361 nt_errstr(result)));
1362 goto out;
1363 }
1364
1365 result = map_info3_to_validation(mem_ctx,
1366 my_info3,
1367 _validation_level,
1368 _validation);
1369 if (!NT_STATUS_IS_OK(result)) {
1370 DBG_ERR("map_info3_to_validation failed: %s\n",
1371 nt_errstr(result));
1372 goto out;
1373 }
1374
1375 result = NT_STATUS_OK;
1376 goto out;
1377 }
1378
1379 /* User does *NOT* know the correct password, modify info3 accordingly, but only if online */
1380 if (domain->online == false) {
1381 goto failed;
1382 }
1383
1384 /* failure of this is not critical */
1385 result = get_max_bad_attempts_from_lockout_policy(domain, tmp_ctx, &max_allowed_bad_attempts);
1386 if (!NT_STATUS_IS_OK(result)) {
1387 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get max_allowed_bad_attempts. "
1388 "Won't be able to honour account lockout policies\n"));
1389 }
1390
1391 /* increase counter */
1392 my_info3->base.bad_password_count++;
1393
1394 if (max_allowed_bad_attempts == 0) {
1395 goto failed;
1396 }
1397
1398 /* lockout user */
1399 if (my_info3->base.bad_password_count >= max_allowed_bad_attempts) {
1400
1401 uint32_t password_properties;
1402
1403 result = get_pwd_properties(domain, tmp_ctx, &password_properties);
1404 if (!NT_STATUS_IS_OK(result)) {
1405 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
1406 }
1407
1408 if ((my_info3->base.rid != DOMAIN_RID_ADMINISTRATOR) ||
1409 (password_properties & DOMAIN_PASSWORD_LOCKOUT_ADMINS)) {
1410 my_info3->base.acct_flags |= ACB_AUTOLOCK;
1411 }
1412 }
1413
1414 failed:
1415 result = winbindd_update_creds_by_info3(domain, user, NULL, my_info3);
1416 if (!NT_STATUS_IS_OK(result)) {
1417 DEBUG(0,("winbindd_dual_pam_auth_cached: failed to update creds %s\n",
1418 nt_errstr(result)));
1419 }
1420
1421 result = NT_STATUS_LOGON_FAILURE;
1422
1423 out:
1424 TALLOC_FREE(tmp_ctx);
1425
1426 return result;
1427 }
1428
1429 static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
1430 const char *user,
1431 const char *pass,
1432 const char *krb5_cc_type,
1433 uid_t uid,
1434 TALLOC_CTX *mem_ctx,
1435 uint16_t *_validation_level,
1436 union netr_Validation **_validation,
1437 const char **_krb5ccname)
1438 {
1439 struct netr_SamInfo6 *info6 = NULL;
1440 struct winbindd_domain *contact_domain;
1441 fstring name_namespace, name_domain, name_user;
1442 NTSTATUS result;
1443 bool ok;
1444
1445 DEBUG(10,("winbindd_dual_pam_auth_kerberos\n"));
1446
1447 /* Parse domain and username */
1448
1449 ok = parse_domain_user(user,
1450 name_namespace,
1451 name_domain,
1452 name_user);
1453 if (!ok) {
1454 result = NT_STATUS_INVALID_PARAMETER;
1455 goto done;
1456 }
1457
1458 /* what domain should we contact? */
1459
1460 if (lp_winbind_use_krb5_enterprise_principals()) {
1461 contact_domain = find_auth_domain(0, name_namespace);
1462 } else {
1463 contact_domain = find_domain_from_name(name_namespace);
1464 }
1465 if (contact_domain == NULL) {
1466 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1467 user, name_domain, name_user, name_namespace));
1468 result = NT_STATUS_NO_SUCH_USER;
1469 goto done;
1470 }
1471
1472 if (contact_domain->initialized &&
1473 contact_domain->active_directory) {
1474 goto try_login;
1475 }
1476
1477 if (!contact_domain->initialized) {
1478 init_dc_connection(contact_domain, false);
1479 }
1480
1481 if (!contact_domain->active_directory) {
1482 DEBUG(3,("krb5 auth requested but domain (%s) is not Active Directory\n",
1483 contact_domain->name));
1484 return NT_STATUS_INVALID_LOGON_TYPE;
1485 }
1486 try_login:
1487 result = winbindd_raw_kerberos_login(
1488 mem_ctx,
1489 contact_domain,
1490 user,
1491 pass,
1492 krb5_cc_type,
1493 uid,
1494 &info6,
1495 _krb5ccname);
1496 if (!NT_STATUS_IS_OK(result)) {
1497 goto done;
1498 }
1499
1500 result = map_info6_to_validation(mem_ctx,
1501 info6,
1502 _validation_level,
1503 _validation);
1504 TALLOC_FREE(info6);
1505 if (!NT_STATUS_IS_OK(result)) {
1506 DBG_ERR("map_info6_to_validation failed: %s\n",
1507 nt_errstr(result));
1508 }
1509
1510 done:
1511 return result;
1512 }
1513
1514 static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
1515 uint32_t logon_parameters,
1516 const char *domain,
1517 const char *user,
1518 const uint64_t logon_id,
1519 const char *client_name,
1520 const int client_pid,
1521 const DATA_BLOB *challenge,
1522 const DATA_BLOB *lm_resp,
1523 const DATA_BLOB *nt_resp,
1524 const struct tsocket_address *remote,
1525 const struct tsocket_address *local,
1526 bool interactive,
1527 uint8_t *pauthoritative,
1528 struct netr_SamInfo3 **pinfo3)
1529 {
1530 struct auth_context *auth_context;
1531 struct auth_serversupplied_info *server_info;
1532 struct auth_usersupplied_info *user_info = NULL;
1533 struct netr_SamInfo3 *info3;
1534 NTSTATUS status;
1535 bool ok;
1536 TALLOC_CTX *frame = talloc_stackframe();
1537
1538 /*
1539 * We are authoritative by default
1540 */
1541 *pauthoritative = 1;
1542
1543 status = make_user_info(frame, &user_info, user, user, domain, domain,
1544 lp_netbios_name(), remote, local,
1545 "winbind",
1546 lm_resp, nt_resp, NULL, NULL,
1547 NULL, AUTH_PASSWORD_RESPONSE);
1548 if (!NT_STATUS_IS_OK(status)) {
1549 DEBUG(10, ("make_user_info failed: %s\n", nt_errstr(status)));
1550 TALLOC_FREE(frame);
1551 return status;
1552 }
1553
1554 user_info->logon_parameters = logon_parameters;
1555 user_info->logon_id = logon_id;
1556 user_info->auth_description = talloc_asprintf(
1557 frame, "PASSDB, %s, %d", client_name, client_pid);
1558 if (user_info->auth_description == NULL) {
1559 TALLOC_FREE(frame);
1560 return NT_STATUS_NO_MEMORY;
1561 }
1562
1563 /* We don't want to come back to winbindd or to do PAM account checks */
1564 user_info->flags |= USER_INFO_INFO3_AND_NO_AUTHZ;
1565
1566 if (interactive) {
1567 user_info->flags |= USER_INFO_INTERACTIVE_LOGON;
1568 }
1569
1570 status = make_auth3_context_for_winbind(frame, &auth_context);
1571 if (!NT_STATUS_IS_OK(status)) {
1572 DBG_ERR("make_auth3_context_for_winbind failed: %s\n",
1573 nt_errstr(status));
1574 TALLOC_FREE(frame);
1575 return status;
1576 }
1577
1578 ok = auth3_context_set_challenge(auth_context,
1579 challenge->data, "fixed");
1580 if (!ok) {
1581 TALLOC_FREE(frame);
1582 return NT_STATUS_NO_MEMORY;
1583 }
1584
1585 status = auth_check_ntlm_password(mem_ctx,
1586 auth_context,
1587 user_info,
1588 &server_info,
1589 pauthoritative);
1590 if (!NT_STATUS_IS_OK(status)) {
1591 TALLOC_FREE(frame);
1592 return status;
1593 }
1594
1595 info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
1596 if (info3 == NULL) {
1597 TALLOC_FREE(frame);
1598 return NT_STATUS_NO_MEMORY;
1599 }
1600
1601 status = serverinfo_to_SamInfo3(server_info, info3);
1602 if (!NT_STATUS_IS_OK(status)) {
1603 TALLOC_FREE(frame);
1604 TALLOC_FREE(info3);
1605 DEBUG(0, ("serverinfo_to_SamInfo3 failed: %s\n",
1606 nt_errstr(status)));
1607 return status;
1608 }
1609
1610 *pinfo3 = info3;
1611 DBG_DEBUG("Authenticating user %s\\%s returned %s\n",
1612 domain,
1613 user,
1614 nt_errstr(status));
1615 TALLOC_FREE(frame);
1616 return status;
1617 }
1618
1619 static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
1620 TALLOC_CTX *mem_ctx,
1621 uint32_t logon_parameters,
1622 const char *username,
1623 const char *password,
1624 const char *domainname,
1625 const char *workstation,
1626 const uint64_t logon_id,
1627 bool plaintext_given,
1628 DATA_BLOB chal,
1629 DATA_BLOB lm_response,
1630 DATA_BLOB nt_response,
1631 bool interactive,
1632 uint8_t *authoritative,
1633 uint32_t *flags,
1634 uint16_t *_validation_level,
1635 union netr_Validation **_validation)
1636 {
1637 int attempts = 0;
1638 int netr_attempts = 0;
1639 bool retry = false;
1640 NTSTATUS result;
1641 enum netr_LogonInfoClass logon_type_i;
1642 enum netr_LogonInfoClass logon_type_n;
1643 uint16_t validation_level = UINT16_MAX;
1644 union netr_Validation *validation = NULL;
1645 TALLOC_CTX *base_ctx = NULL;
1646 struct netr_SamBaseInfo *base_info = NULL;
1647
1648 do {
1649 struct rpc_pipe_client *netlogon_pipe;
1650 struct netlogon_creds_cli_context *netlogon_creds_ctx = NULL;
1651
1652 retry = false;
1653
1654 result = cm_connect_netlogon_secure(domain, &netlogon_pipe,
1655 &netlogon_creds_ctx);
1656
1657 if (NT_STATUS_EQUAL(result,
1658 NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
1659 /*
1660 * This means we don't have a trust account.
1661 */
1662 *authoritative = 0;
1663 result = NT_STATUS_NO_SUCH_USER;
1664 break;
1665 }
1666
1667 if (!NT_STATUS_IS_OK(result)) {
1668 DEBUG(3,("Could not open handle to NETLOGON pipe "
1669 "(error: %s, attempts: %d)\n",
1670 nt_errstr(result), netr_attempts));
1671
1672 /* After the first retry always close the connection */
1673 if (netr_attempts > 0) {
1674 DEBUG(3, ("This is again a problem for this "
1675 "particular call, forcing the close "
1676 "of this connection\n"));
1677 invalidate_cm_connection(domain);
1678 }
1679
1680 /* After the second retry failover to the next DC */
1681 if (netr_attempts > 1) {
1682 /*
1683 * If the netlogon server is not reachable then
1684 * it is possible that the DC is rebuilding
1685 * sysvol and shutdown netlogon for that time.
1686 * We should failover to the next dc.
1687 */
1688 DEBUG(3, ("This is the third problem for this "
1689 "particular call, adding DC to the "
1690 "negative cache list: %s %s\n", domain->name, domain->dcname));
1691 add_failed_connection_entry(domain->name,
1692 domain->dcname,
1693 result);
1694 saf_delete(domain->name);
1695 }
1696
1697 /* Only allow 3 retries */
1698 if (netr_attempts < 3) {
1699 DEBUG(3, ("The connection to netlogon "
1700 "failed, retrying\n"));
1701 netr_attempts++;
1702 retry = true;
1703 continue;
1704 }
1705 return result;
1706 }
1707
1708 logon_type_i = NetlogonInteractiveInformation;
1709 logon_type_n = NetlogonNetworkInformation;
1710 if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
1711 logon_type_i = NetlogonInteractiveTransitiveInformation;
1712 logon_type_n = NetlogonNetworkTransitiveInformation;
1713 }
1714
1715 if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
1716 logon_type_i = NetlogonInteractiveTransitiveInformation;
1717 logon_type_n = NetlogonNetworkTransitiveInformation;
1718 }
1719
1720 if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE) {
1721 logon_type_i = NetlogonInteractiveInformation;
1722 logon_type_n = NetlogonNetworkInformation;
1723 }
1724
1725 if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) {
1726 logon_type_i = NetlogonInteractiveInformation;
1727 logon_type_n = NetlogonNetworkInformation;
1728 }
1729
1730 netr_attempts = 0;
1731 if (plaintext_given) {
1732 result = rpccli_netlogon_password_logon(
1733 netlogon_creds_ctx,
1734 netlogon_pipe->binding_handle,
1735 mem_ctx,
1736 logon_parameters,
1737 domainname,
1738 username,
1739 password,
1740 workstation,
1741 logon_id,
1742 logon_type_i,
1743 authoritative,
1744 flags,
1745 &validation_level,
1746 &validation);
1747 } else if (interactive) {
1748 result = rpccli_netlogon_interactive_logon(
1749 netlogon_creds_ctx,
1750 netlogon_pipe->binding_handle,
1751 mem_ctx,
1752 logon_parameters,
1753 username,
1754 domainname,
1755 workstation,
1756 logon_id,
1757 lm_response,
1758 nt_response,
1759 logon_type_i,
1760 authoritative,
1761 flags,
1762 &validation_level,
1763 &validation);
1764 } else {
1765 result = rpccli_netlogon_network_logon(
1766 netlogon_creds_ctx,
1767 netlogon_pipe->binding_handle,
1768 mem_ctx,
1769 logon_parameters,
1770 username,
1771 domainname,
1772 workstation,
1773 logon_id,
1774 chal,
1775 lm_response,
1776 nt_response,
1777 logon_type_n,
1778 authoritative,
1779 flags,
1780 &validation_level,
1781 &validation);
1782 }
1783
1784 /*
1785 * we increment this after the "feature negotiation"
1786 * for can_do_samlogon_ex and can_do_validation6
1787 */
1788 attempts += 1;
1789
1790 /* We have to try a second time as cm_connect_netlogon
1791 might not yet have noticed that the DC has killed
1792 our connection. */
1793
1794 if (!rpccli_is_connected(netlogon_pipe)) {
1795 retry = true;
1796 continue;
1797 }
1798
1799 /* if we get access denied, a possible cause was that we had
1800 an open connection to the DC, but someone changed our
1801 machine account password out from underneath us using 'net
1802 rpc changetrustpw' */
1803
1804 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1805 DEBUG(1,("winbind_samlogon_retry_loop: sam_logon returned "
1806 "ACCESS_DENIED. Maybe the DC has Restrict "
1807 "NTLM set or the trust account "
1808 "password was changed and we didn't know it. "
1809 "Killing connections to domain %s\n",
1810 domainname));
1811 invalidate_cm_connection(domain);
1812 retry = true;
1813 }
1814
1815 if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
1816 /*
1817 * Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
1818 * (no Ex). This happens against old Samba
1819 * DCs, if LogonSamLogonEx() fails with an error
1820 * e.g. NT_STATUS_NO_SUCH_USER or NT_STATUS_WRONG_PASSWORD.
1821 *
1822 * The server will log something like this:
1823 * api_net_sam_logon_ex: Failed to marshall NET_R_SAM_LOGON_EX.
1824 *
1825 * This sets the whole connection into a fault_state mode
1826 * and all following request get NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
1827 *
1828 * This also happens to our retry with LogonSamLogonWithFlags()
1829 * and LogonSamLogon().
1830 *
1831 * In order to recover from this situation, we need to
1832 * drop the connection.
1833 */
1834 invalidate_cm_connection(domain);
1835 result = NT_STATUS_LOGON_FAILURE;
1836 break;
1837 }
1838
1839 } while ( (attempts < 2) && retry );
1840
1841 if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) {
1842 DEBUG(3,("winbind_samlogon_retry_loop: sam_network_logon(ex) "
1843 "returned NT_STATUS_IO_TIMEOUT after the retry. "
1844 "Killing connections to domain %s\n",
1845 domainname));
1846 invalidate_cm_connection(domain);
1847 }
1848
1849 if (!NT_STATUS_IS_OK(result)) {
1850 return result;
1851 }
1852
1853 switch (validation_level) {
1854 case 3:
1855 base_ctx = validation->sam3;
1856 base_info = &validation->sam3->base;
1857 break;
1858 case 6:
1859 base_ctx = validation->sam6;
1860 base_info = &validation->sam6->base;
1861 break;
1862 default:
1863 smb_panic(__location__);
1864 }
1865
1866 if (base_info->acct_flags == 0 || base_info->account_name.string == NULL) {
1867 struct dom_sid user_sid;
1868 struct dom_sid_buf sid_buf;
1869 const char *acct_flags_src = "server";
1870 const char *acct_name_src = "server";
1871
1872 /*
1873 * Handle the case where a NT4 DC does not fill in the acct_flags in
1874 * the samlogon reply info3. Yes, in 2021, there are still admins
1875 * arround with real NT4 DCs.
1876 *
1877 * We used to call dcerpc_samr_QueryUserInfo(level=16) to fetch
1878 * acct_flags, but as NT4 DCs reject authentication with workstation
1879 * accounts with NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, even if
1880 * MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT is specified, we only ever got
1881 * ACB_NORMAL back (maybe with ACB_PWNOEXP in addition).
1882 *
1883 * For network logons NT4 DCs also skip the
1884 * account_name, so we have to fallback to the
1885 * one given by the client.
1886 */
1887
1888 if (base_info->acct_flags == 0) {
1889 base_info->acct_flags = ACB_NORMAL;
1890 if (base_info->force_password_change == NTTIME_MAX) {
1891 base_info->acct_flags |= ACB_PWNOEXP;
1892 }
1893 acct_flags_src = "calculated";
1894 }
1895
1896 if (base_info->account_name.string == NULL) {
1897 base_info->account_name.string = talloc_strdup(base_ctx,
1898 username);
1899 if (base_info->account_name.string == NULL) {
1900 TALLOC_FREE(validation);
1901 return NT_STATUS_NO_MEMORY;
1902 }
1903 acct_name_src = "client";
1904 }
1905
1906 sid_compose(&user_sid, base_info->domain_sid, base_info->rid);
1907
1908 DBG_DEBUG("Fallback to %s_acct_flags[0x%x] %s_acct_name[%s] for %s\n",
1909 acct_flags_src,
1910 base_info->acct_flags,
1911 acct_name_src,
1912 base_info->account_name.string,
1913 dom_sid_str_buf(&user_sid, &sid_buf));
1914 }
1915
1916 *_validation_level = validation_level;
1917 *_validation = validation;
1918 return NT_STATUS_OK;
1919 }
1920
1921 static NTSTATUS nt_dual_auth_passdb(TALLOC_CTX *mem_ctx,
1922 fstring name_user,
1923 fstring name_domain,
1924 const char *pass,
1925 uint64_t logon_id,
1926 const char *client_name,
1927 const int client_pid,
1928 const struct tsocket_address *remote,
1929 const struct tsocket_address *local,
1930 uint8_t *authoritative,
1931 struct netr_SamInfo3 **info3)
1932 {
1933 unsigned char local_nt_response[24];
1934 uchar chal[8];
1935 DATA_BLOB chal_blob;
1936 DATA_BLOB lm_resp;
1937 DATA_BLOB nt_resp;
1938
1939 /* do password magic */
1940
1941 generate_random_buffer(chal, sizeof(chal));
1942 chal_blob = data_blob_const(chal, sizeof(chal));
1943
1944 if (lp_client_ntlmv2_auth()) {
1945 DATA_BLOB server_chal;
1946 DATA_BLOB names_blob;
1947 server_chal = data_blob_const(chal, 8);
1948
1949 /* note that the 'workgroup' here is for the local
1950 machine. The 'server name' must match the
1951 'workstation' passed to the actual SamLogon call.
1952 */
1953 names_blob = NTLMv2_generate_names_blob(mem_ctx,
1954 lp_netbios_name(),
1955 lp_workgroup());
1956
1957 if (!SMBNTLMv2encrypt(mem_ctx, name_user, name_domain,
1958 pass, &server_chal, &names_blob,
1959 &lm_resp, &nt_resp, NULL, NULL)) {
1960 data_blob_free(&names_blob);
1961 DEBUG(0, ("SMBNTLMv2encrypt() failed!\n"));
1962 return NT_STATUS_NO_MEMORY;
1963 }
1964 data_blob_free(&names_blob);
1965 } else {
1966 int rc;
1967 lm_resp = data_blob_null;
1968
1969 rc = SMBNTencrypt(pass, chal, local_nt_response);
1970 if (rc != 0) {
1971 DEBUG(0, ("SMBNTencrypt() failed!\n"));
1972 return gnutls_error_to_ntstatus(rc,
1973 NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
1974 }
1975
1976 nt_resp = data_blob_talloc(mem_ctx, local_nt_response,
1977 sizeof(local_nt_response));
1978 }
1979
1980 return winbindd_dual_auth_passdb(talloc_tos(), 0, name_domain,
1981 name_user, logon_id, client_name,
1982 client_pid, &chal_blob, &lm_resp,
1983 &nt_resp, remote, local,
1984 true, /* interactive */
1985 authoritative, info3);
1986 }
1987
1988 static NTSTATUS winbindd_dual_pam_auth_samlogon(
1989 TALLOC_CTX *mem_ctx,
1990 struct winbindd_domain *domain,
1991 const char *user,
1992 const char *pass,
1993 uint64_t logon_id,
1994 const char *client_name,
1995 const int client_pid,
1996 uint32_t request_flags,
1997 const struct tsocket_address *remote,
1998 const struct tsocket_address *local,
1999 uint16_t *_validation_level,
2000 union netr_Validation **_validation)
2001 {
2002 fstring name_namespace, name_domain, name_user;
2003 NTSTATUS result;
2004 uint8_t authoritative = 1;
2005 uint32_t flags = 0;
2006 uint16_t validation_level = 0;
2007 union netr_Validation *validation = NULL;
2008 bool ok;
2009
2010 DEBUG(10,("winbindd_dual_pam_auth_samlogon\n"));
2011
2012 /* Parse domain and username */
2013
2014 ok = parse_domain_user(user, name_namespace, name_domain, name_user);
2015 if (!ok) {
2016 return NT_STATUS_INVALID_PARAMETER;
2017 }
2018
2019 /*
2020 * We check against domain->name instead of
2021 * name_domain, as find_auth_domain() ->
2022 * find_domain_from_name_noinit() already decided
2023 * that we are in a child for the correct domain.
2024 *
2025 * name_domain can also be lp_realm()
2026 * we need to check against domain->name.
2027 */
2028 if (strequal(domain->name, get_global_sam_name())) {
2029 struct netr_SamInfo3 *info3 = NULL;
2030
2031 result = nt_dual_auth_passdb(mem_ctx, name_user, name_domain,
2032 pass, logon_id, client_name,
2033 client_pid, remote, local,
2034 &authoritative, &info3);
2035
2036 /*
2037 * We need to try the remote NETLOGON server if this is
2038 * not authoritative (for example on the RODC).
2039 */
2040 if (authoritative != 0) {
2041 if (!NT_STATUS_IS_OK(result)) {
2042 return result;
2043 }
2044 result = map_info3_to_validation(mem_ctx,
2045 info3,
2046 &validation_level,
2047 &validation);
2048 TALLOC_FREE(info3);
2049 if (!NT_STATUS_IS_OK(result)) {
2050 return result;
2051 }
2052
2053 goto done;
2054 }
2055 }
2056
2057 /* check authentication loop */
2058
2059 result = winbind_samlogon_retry_loop(domain,
2060 mem_ctx,
2061 0,
2062 name_user,
2063 pass,
2064 name_domain,
2065 lp_netbios_name(),
2066 logon_id,
2067 true, /* plaintext_given */
2068 data_blob_null,
2069 data_blob_null, data_blob_null,
2070 true, /* interactive */
2071 &authoritative,
2072 &flags,
2073 &validation_level,
2074 &validation);
2075 if (!NT_STATUS_IS_OK(result)) {
2076 return result;
2077 }
2078
2079 done:
2080 *_validation_level = validation_level;
2081 *_validation = validation;
2082
2083 return NT_STATUS_OK;
2084 }
2085
2086 /*
2087 * @brief generate an authentication message in the logs.
2088 *
2089 */
2090 static void log_authentication(
2091 TALLOC_CTX *mem_ctx,
2092 const struct winbindd_domain *domain,
2093 const char *client_name,
2094 pid_t client_pid,
2095 uint16_t validation_level,
2096 union netr_Validation *validation,
2097 const struct timeval start_time,
2098 const uint64_t logon_id,
2099 const char *command,
2100 const char *user_name,
2101 const char *domain_name,
2102 const char *workstation,
2103 const DATA_BLOB lm_resp,
2104 const DATA_BLOB nt_resp,
2105 const struct tsocket_address *remote,
2106 const struct tsocket_address *local,
2107 NTSTATUS result)
2108 {
2109 struct auth_usersupplied_info *ui = NULL;
2110 struct dom_sid *sid = NULL;
2111 struct loadparm_context *lp_ctx = NULL;
2112 struct imessaging_context *msg_ctx = NULL;
2113 struct netr_SamBaseInfo *base_info = NULL;
2114
2115 if (validation != NULL) {
2116 switch (validation_level) {
2117 case 3:
2118 base_info = &validation->sam3->base;
2119 break;
2120 case 6:
2121 base_info = &validation->sam6->base;
2122 break;
2123 default:
2124 DBG_WARNING("Unexpected validation level '%d'\n",
2125 validation_level);
2126 break;
2127 }
2128 }
2129
2130 ui = talloc_zero(mem_ctx, struct auth_usersupplied_info);
2131 ui->logon_id = logon_id;
2132 ui->service_description = "winbind";
2133 ui->password.response.nt.length = nt_resp.length;
2134 ui->password.response.nt.data = nt_resp.data;
2135 ui->password.response.lanman.length = lm_resp.length;
2136 ui->password.response.lanman.data = lm_resp.data;
2137 if (nt_resp.length == 0 && lm_resp.length == 0) {
2138 ui->password_state = AUTH_PASSWORD_PLAIN;
2139 } else {
2140 ui->password_state = AUTH_PASSWORD_RESPONSE;
2141 }
2142 /*
2143 * In the event of a failure ui->auth_description will be null,
2144 * the logging code handles this correctly so it can be ignored.
2145 */
2146 ui->auth_description = talloc_asprintf(
2147 ui,
2148 "%s, %s, %d",
2149 command,
2150 client_name,
2151 client_pid);
2152 if (ui->auth_description == NULL) {
2153 DBG_ERR("OOM Unable to create auth_description");
2154 }
2155 ui->client.account_name = user_name;
2156 ui->client.domain_name = domain_name;
2157 ui->workstation_name = workstation;
2158 ui->remote_host = remote;
2159 ui->local_host = local;
2160
2161 if (base_info != NULL) {
2162 sid = dom_sid_dup(ui, base_info->domain_sid);
2163 if (sid != NULL) {
2164 sid_append_rid(sid, base_info->rid);
2165 }
2166 }
2167
2168 if (lp_auth_event_notification()) {
2169 lp_ctx = loadparm_init_s3(ui, loadparm_s3_helpers());
2170 msg_ctx = imessaging_client_init(
2171 ui, lp_ctx, global_event_context());
2172 }
2173 log_authentication_event(
2174 msg_ctx,
2175 lp_ctx,
2176 &start_time,
2177 ui,
2178 result,
2179 base_info != NULL ? base_info->logon_domain.string : "",
2180 base_info != NULL ? base_info->account_name.string : "",
2181 sid);
2182 TALLOC_FREE(ui);
2183 }
2184
2185 NTSTATUS _wbint_PamAuth(struct pipes_struct *p,
2186 struct wbint_PamAuth *r)
2187 {
2188 struct winbindd_domain *domain = wb_child_domain();
2189 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
2190 NTSTATUS krb5_result = NT_STATUS_OK;
2191 fstring name_namespace, name_domain, name_user;
2192 char *mapped_user = NULL;
2193 const char *domain_user = NULL;
2194 uint16_t validation_level = UINT16_MAX;
2195 union netr_Validation *validation = NULL;
2196 struct netr_SamBaseInfo *base_info = NULL;
2197 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
2198 bool ok;
2199 uint64_t logon_id = 0;
2200 const struct timeval start_time = timeval_current();
2201 const struct tsocket_address *remote = NULL;
2202 const struct tsocket_address *local = NULL;
2203 const char *krb5ccname = NULL;
2204 uid_t uid;
2205 pid_t client_pid;
2206
2207 if (domain == NULL) {
2208 return NT_STATUS_REQUEST_NOT_ACCEPTED;
2209 }
2210
2211 /* Cut client_pid to 32bit */
2212 client_pid = r->in.client_pid;
2213 if ((uint64_t)client_pid != r->in.client_pid) {
2214 DBG_DEBUG("pid out of range\n");
2215 return NT_STATUS_INVALID_PARAMETER;
2216 }
2217
2218 /* Cut uid to 32bit */
2219 uid = r->in.info->uid;
2220 if ((uint64_t)uid != r->in.info->uid) {
2221 DBG_DEBUG("uid out of range\n");
2222 return NT_STATUS_INVALID_PARAMETER;
2223 }
2224
2225 /*
2226 * Generate a logon_id for this session.
2227 */
2228 logon_id = generate_random_u64();
2229 remote = dcesrv_connection_get_remote_address(p->dce_call->conn);
2230 local = dcesrv_connection_get_local_address(p->dce_call->conn);
2231 DEBUG(3, ("[%"PRIu32"]: dual pam auth %s\n", client_pid,
2232 r->in.info->username));
2233
2234 /* Parse domain and username */
2235
2236 name_map_status = normalize_name_unmap(p->mem_ctx,
2237 r->in.info->username,
2238 &mapped_user);
2239
2240 /* If the name normalization didn't actually do anything,
2241 just use the original name */
2242
2243 if (!NT_STATUS_IS_OK(name_map_status) &&
2244 !NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
2245 {
2246 mapped_user = discard_const(r->in.info->username);
2247 }
2248
2249 ok = parse_domain_user(mapped_user,
2250 name_namespace,
2251 name_domain,
2252 name_user);
2253 if (!ok) {
2254 result = NT_STATUS_INVALID_PARAMETER;
2255 goto done;
2256 }
2257
2258 if (mapped_user != r->in.info->username) {
2259 domain_user = talloc_asprintf(talloc_tos(),
2260 "%s%c%s",
2261 name_domain,
2262 *lp_winbind_separator(),
2263 name_user);
2264 if (domain_user == NULL) {
2265 result = NT_STATUS_NO_MEMORY;
2266 goto done;
2267 }
2268 r->in.info->username = domain_user;
2269 }
2270
2271 if (!domain->online) {
2272 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
2273 if (domain->startup) {
2274 /* Logons are very important to users. If we're offline and
2275 we get a request within the first 30 seconds of startup,
2276 try very hard to find a DC and go online. */
2277
2278 DEBUG(10,("winbindd_dual_pam_auth: domain: %s offline and auth "
2279 "request in startup mode.\n", domain->name ));
2280
2281 winbindd_flush_negative_conn_cache(domain);
2282 result = init_dc_connection(domain, false);
2283 }
2284 }
2285
2286 DEBUG(10,("winbindd_dual_pam_auth: domain: %s last was %s\n", domain->name, domain->online ? "online":"offline"));
2287
2288 /* Check for Kerberos authentication */
2289 if (domain->online && (r->in.flags & WBFLAG_PAM_KRB5)) {
2290 result = winbindd_dual_pam_auth_kerberos(
2291 domain,
2292 r->in.info->username,
2293 r->in.info->password,
2294 r->in.info->krb5_cc_type,
2295 uid,
2296 p->mem_ctx,
2297 &validation_level,
2298 &validation,
2299 &krb5ccname);
2300
2301 /* save for later */
2302 krb5_result = result;
2303
2304 if (NT_STATUS_IS_OK(result)) {
2305 DEBUG(10,("winbindd_dual_pam_auth_kerberos succeeded\n"));
2306 goto process_result;
2307 }
2308
2309 DBG_DEBUG("winbindd_dual_pam_auth_kerberos failed: %s\n",
2310 nt_errstr(result));
2311
2312 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
2313 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
2314 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
2315 DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
2316 set_domain_offline( domain );
2317 goto cached_logon;
2318 }
2319
2320 /* there are quite some NT_STATUS errors where there is no
2321 * point in retrying with a samlogon, we explictly have to take
2322 * care not to increase the bad logon counter on the DC */
2323
2324 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_DISABLED) ||
2325 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_EXPIRED) ||
2326 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_LOCKED_OUT) ||
2327 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_LOGON_HOURS) ||
2328 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_WORKSTATION) ||
2329 NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE) ||
2330 NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER) ||
2331 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_EXPIRED) ||
2332 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE) ||
2333 NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD)) {
2334 goto done;
2335 }
2336
2337 if (r->in.flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
2338 DEBUG(3,("falling back to samlogon\n"));
2339 goto sam_logon;
2340 } else {
2341 goto cached_logon;
2342 }
2343 }
2344
2345 sam_logon:
2346 /* Check for Samlogon authentication */
2347 if (domain->online) {
2348 result = winbindd_dual_pam_auth_samlogon(
2349 p->mem_ctx,
2350 domain,
2351 r->in.info->username,
2352 r->in.info->password,
2353 logon_id,
2354 r->in.client_name,
2355 client_pid,
2356 r->in.flags,
2357 remote,
2358 local,
2359 &validation_level,
2360 &validation);
2361
2362 if (NT_STATUS_IS_OK(result)) {
2363 DEBUG(10,("winbindd_dual_pam_auth_samlogon succeeded\n"));
2364
2365 switch (validation_level) {
2366 case 3:
2367 base_info = &validation->sam3->base;
2368 break;
2369 case 6:
2370 base_info = &validation->sam6->base;
2371 break;
2372 default:
2373 DBG_ERR("Bad validation level %d\n",
2374 validation_level);
2375 result = NT_STATUS_INTERNAL_ERROR;
2376 goto done;
2377 }
2378
2379 /* add the Krb5 err if we have one */
2380 if ( NT_STATUS_EQUAL(krb5_result, NT_STATUS_TIME_DIFFERENCE_AT_DC ) ) {
2381 base_info->user_flags |= LOGON_KRB5_FAIL_CLOCK_SKEW;
2382 }
2383
2384 goto process_result;
2385 }
2386
2387 DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n",
2388 nt_errstr(result)));
2389
2390 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
2391 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
2392 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND))
2393 {
2394 DEBUG(10,("winbindd_dual_pam_auth_samlogon setting domain to offline\n"));
2395 set_domain_offline( domain );
2396 goto cached_logon;
2397 }
2398
2399 if (domain->online) {
2400 /* We're still online - fail. */
2401 goto done;
2402 }
2403 }
2404
2405 cached_logon:
2406 /* Check for Cached logons */
2407 if (!domain->online && (r->in.flags & WBFLAG_PAM_CACHED_LOGIN) &&
2408 lp_winbind_offline_logon()) {
2409 result = winbindd_dual_pam_auth_cached(domain,
2410 (r->in.flags & WBFLAG_PAM_KRB5),
2411 r->in.info->username,
2412 r->in.info->password,
2413 r->in.info->krb5_cc_type,
2414 uid,
2415 p->mem_ctx,
2416 &validation_level,
2417 &validation,
2418 &krb5ccname);
2419
2420 if (!NT_STATUS_IS_OK(result)) {
2421 DEBUG(10,("winbindd_dual_pam_auth_cached failed: %s\n", nt_errstr(result)));
2422 goto done;
2423 }
2424 DEBUG(10,("winbindd_dual_pam_auth_cached succeeded\n"));
2425 }
2426
2427 process_result:
2428
2429 if (NT_STATUS_IS_OK(result)) {
2430 struct dom_sid user_sid;
2431 TALLOC_CTX *base_ctx = NULL;
2432 struct netr_SamInfo3 *info3 = NULL;
2433
2434 switch (validation_level) {
2435 case 3:
2436 base_ctx = validation->sam3;
2437 base_info = &validation->sam3->base;
2438 break;
2439 case 6:
2440 base_ctx = validation->sam6;
2441 base_info = &validation->sam6->base;
2442 break;
2443 default:
2444 DBG_ERR("Bad validation level %d\n", validation_level);
2445 result = NT_STATUS_INTERNAL_ERROR;
2446 goto done;
2447 }
2448
2449 sid_compose(&user_sid, base_info->domain_sid, base_info->rid);
2450
2451 if (base_info->full_name.string == NULL) {
2452 struct netr_SamInfo3 *cached_info3;
2453
2454 cached_info3 = netsamlogon_cache_get(p->mem_ctx,
2455 &user_sid);
2456 if (cached_info3 != NULL &&
2457 cached_info3->base.full_name.string != NULL) {
2458 base_info->full_name.string = talloc_strdup(
2459 base_ctx,
2460 cached_info3->base.full_name.string);
2461 if (base_info->full_name.string == NULL) {
2462 result = NT_STATUS_NO_MEMORY;
2463 goto done;
2464 }
2465 } else {
2466
2467 /* this might fail so we don't check the return code */
2468 wcache_query_user_fullname(domain,
2469 base_ctx,
2470 &user_sid,
2471 &base_info->full_name.string);
2472 }
2473 }
2474
2475 result = map_validation_to_info3(talloc_tos(),
2476 validation_level,
2477 validation,
2478 &info3);
2479 if (!NT_STATUS_IS_OK(result)) {
2480 goto done;
2481 }
2482
2483 wcache_invalidate_samlogon(find_domain_from_name(name_domain),
2484 &user_sid);
2485 netsamlogon_cache_store(name_user, info3);
2486
2487 /* save name_to_sid info as early as possible (only if
2488 this is our primary domain so we don't invalidate
2489 the cache entry by storing the seq_num for the wrong
2490 domain). */
2491 if ( domain->primary ) {
2492 cache_name2sid(domain, name_domain, name_user,
2493 SID_NAME_USER, &user_sid);
2494 }
2495
2496 /* Check if the user is in the right group */
2497
2498 result = check_info3_in_group(info3,
2499 r->in.require_membership_of_sid);
2500 if (!NT_STATUS_IS_OK(result)) {
2501 char *s = NDR_PRINT_STRUCT_STRING(p->mem_ctx,
2502 wbint_SidArray,
2503 r->in.require_membership_of_sid);
2504 DBG_NOTICE("User %s is not in the required groups:\n",
2505 r->in.info->username);
2506 DEBUGADD(DBGLVL_NOTICE, ("%s", s));
2507 DEBUGADD(DBGLVL_NOTICE,
2508 ("Plaintext authentication is rejected\n"));
2509 goto done;
2510 }
2511
2512 if (!is_allowed_domain(info3->base.logon_domain.string)) {
2513 DBG_NOTICE("Authentication failed for user [%s] "
2514 "from firewalled domain [%s]\n",
2515 info3->base.account_name.string,
2516 info3->base.logon_domain.string);
2517 result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
2518 goto done;
2519 }
2520
2521 r->out.validation = talloc_zero(p->mem_ctx,
2522 struct wbint_Validation);
2523 if (r->out.validation == NULL) {
2524 result = NT_STATUS_NO_MEMORY;
2525 goto done;
2526 }
2527
2528 r->out.validation->level = validation_level;
2529 r->out.validation->validation = talloc_steal(r->out.validation,
2530 validation);
2531 r->out.validation->krb5ccname = talloc_steal(r->out.validation,
2532 krb5ccname);
2533 if ((r->in.flags & WBFLAG_PAM_CACHED_LOGIN)
2534 && lp_winbind_offline_logon()) {
2535
2536 result = winbindd_store_creds(domain,
2537 r->in.info->username,
2538 r->in.info->password,
2539 info3);
2540 }
2541
2542 result = NT_STATUS_OK;
2543 }
2544
2545 done:
2546 /* give us a more useful (more correct?) error code */
2547 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
2548 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
2549 result = NT_STATUS_NO_LOGON_SERVERS;
2550 }
2551
2552 DBG_PREFIX(NT_STATUS_IS_OK(result) ? 5 : 2,
2553 ("Plain-text authentication for user %s returned %s"
2554 " (PAM: %d)\n",
2555 r->in.info->username,
2556 nt_errstr(result),
2557 nt_status_to_pam(result)));
2558
2559 /*
2560 * Log the winbind pam authentication, the logon_id will tie this to
2561 * any of the logons invoked from this request.
2562 */
2563
2564 log_authentication(
2565 p->mem_ctx,
2566 domain,
2567 r->in.client_name,
2568 client_pid,
2569 validation_level,
2570 validation,
2571 start_time,
2572 logon_id,
2573 "PAM_AUTH",
2574 name_user,
2575 name_domain,
2576 NULL,
2577 data_blob_null,
2578 data_blob_null,
2579 remote,
2580 local,
2581 result);
2582
2583 if (NT_STATUS_IS_OK(result)) {
2584 gpupdate_user_init(r->in.info->username);
2585 }
2586
2587 return result;
2588 }
2589
2590 NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
2591 TALLOC_CTX *mem_ctx,
2592 bool interactive,
2593 uint32_t logon_parameters,
2594 const char *name_user,
2595 const char *name_domain,
2596 const char *workstation,
2597 const uint64_t logon_id,
2598 const char* client_name,
2599 const int client_pid,
2600 DATA_BLOB chal_blob,
2601 DATA_BLOB lm_response,
2602 DATA_BLOB nt_response,
2603 const struct tsocket_address *remote,
2604 const struct tsocket_address *local,
2605 uint8_t *authoritative,
2606 bool skip_sam,
2607 uint32_t *flags,
2608 uint16_t *_validation_level,
2609 union netr_Validation **_validation)
2610 {
2611 uint16_t validation_level = 0;
2612 union netr_Validation *validation = NULL;
2613 NTSTATUS result;
2614
2615 /*
2616 * We check against domain->name instead of
2617 * name_domain, as find_auth_domain() ->
2618 * find_domain_from_name_noinit() already decided
2619 * that we are in a child for the correct domain.
2620 *
2621 * name_domain can also be lp_realm()
2622 * we need to check against domain->name.
2623 */
2624 if (!skip_sam && strequal(domain->name, get_global_sam_name())) {
2625 struct netr_SamInfo3 *info3 = NULL;
2626
2627 result = winbindd_dual_auth_passdb(
2628 talloc_tos(),
2629 logon_parameters,
2630 name_domain, name_user,
2631 logon_id,
2632 client_name,
2633 client_pid,
2634 &chal_blob, &lm_response, &nt_response,
2635 remote,
2636 local,
2637 interactive,
2638 authoritative,
2639 &info3);
2640 if (NT_STATUS_IS_OK(result)) {
2641 result = map_info3_to_validation(mem_ctx,
2642 info3,
2643 &validation_level,
2644 &validation);
2645 TALLOC_FREE(info3);
2646 if (!NT_STATUS_IS_OK(result)) {
2647 goto done;
2648 }
2649 }
2650
2651 /*
2652 * We need to try the remote NETLOGON server if this is
2653 * not authoritative.
2654 */
2655 if (*authoritative != 0) {
2656 *flags = 0;
2657 goto process_result;
2658 }
2659 }
2660
2661 result = winbind_samlogon_retry_loop(domain,
2662 mem_ctx,
2663 logon_parameters,
2664 name_user,
2665 NULL, /* password */
2666 name_domain,
2667 /* Bug #3248 - found by Stefan Burkei. */
2668 workstation, /* We carefully set this above so use it... */
2669 logon_id,
2670 false, /* plaintext_given */
2671 chal_blob,
2672 lm_response,
2673 nt_response,
2674 interactive,
2675 authoritative,
2676 flags,
2677 &validation_level,
2678 &validation);
2679 if (!NT_STATUS_IS_OK(result)) {
2680 goto done;
2681 }
2682
2683 process_result:
2684
2685 if (NT_STATUS_IS_OK(result)) {
2686 struct dom_sid user_sid;
2687 TALLOC_CTX *base_ctx = NULL;
2688 struct netr_SamBaseInfo *base_info = NULL;
2689 struct netr_SamInfo3 *info3 = NULL;
2690
2691 switch (validation_level) {
2692 case 3:
2693 base_ctx = validation->sam3;
2694 base_info = &validation->sam3->base;
2695 break;
2696 case 6:
2697 base_ctx = validation->sam6;
2698 base_info = &validation->sam6->base;
2699 break;
2700 default:
2701 result = NT_STATUS_INTERNAL_ERROR;
2702 goto done;
2703 }
2704
2705 sid_compose(&user_sid, base_info->domain_sid, base_info->rid);
2706
2707 if (base_info->full_name.string == NULL) {
2708 struct netr_SamInfo3 *cached_info3;
2709
2710 cached_info3 = netsamlogon_cache_get(mem_ctx,
2711 &user_sid);
2712 if (cached_info3 != NULL &&
2713 cached_info3->base.full_name.string != NULL)
2714 {
2715 base_info->full_name.string = talloc_strdup(
2716 base_ctx,
2717 cached_info3->base.full_name.string);
2718 } else {
2719
2720 /* this might fail so we don't check the return code */
2721 wcache_query_user_fullname(domain,
2722 base_ctx,
2723 &user_sid,
2724 &base_info->full_name.string);
2725 }
2726 }
2727
2728 result = map_validation_to_info3(talloc_tos(),
2729 validation_level,
2730 validation,
2731 &info3);
2732 if (!NT_STATUS_IS_OK(result)) {
2733 goto done;
2734 }
2735 wcache_invalidate_samlogon(find_domain_from_name(name_domain),
2736 &user_sid);
2737 netsamlogon_cache_store(name_user, info3);
2738 TALLOC_FREE(info3);
2739 }
2740
2741 done:
2742
2743 /* give us a more useful (more correct?) error code */
2744 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
2745 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
2746 result = NT_STATUS_NO_LOGON_SERVERS;
2747 }
2748
2749 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2750 ("NTLM CRAP authentication for user [%s]\\[%s] returned %s\n",
2751 name_domain,
2752 name_user,
2753 nt_errstr(result)));
2754
2755 if (!NT_STATUS_IS_OK(result)) {
2756 return result;
2757 }
2758
2759 *_validation_level = validation_level;
2760 *_validation = validation;
2761 return NT_STATUS_OK;
2762 }
2763
2764 NTSTATUS _wbint_PamAuthCrap(struct pipes_struct *p, struct wbint_PamAuthCrap *r)
2765 {
2766 struct winbindd_domain *domain = wb_child_domain();
2767 NTSTATUS result;
2768 uint64_t logon_id = 0;
2769 uint8_t authoritative = 1;
2770 uint32_t flags = 0;
2771 uint16_t validation_level = UINT16_MAX;
2772 union netr_Validation *validation = NULL;
2773 const struct timeval start_time = timeval_current();
2774 const struct tsocket_address *remote = NULL;
2775 const struct tsocket_address *local = NULL;
2776 struct netr_SamInfo3 *info3 = NULL;
2777 pid_t client_pid;
2778
2779 if (domain == NULL) {
2780 return NT_STATUS_REQUEST_NOT_ACCEPTED;
2781 }
2782
2783 /* Cut client_pid to 32bit */
2784 client_pid = r->in.client_pid;
2785 if ((uint64_t)client_pid != r->in.client_pid) {
2786 DBG_DEBUG("pid out of range\n");
2787 return NT_STATUS_INVALID_PARAMETER;
2788 }
2789
2790 logon_id = generate_random_u64();
2791 remote = dcesrv_connection_get_remote_address(p->dce_call->conn);
2792 local = dcesrv_connection_get_local_address(p->dce_call->conn);
2793
2794 DBG_NOTICE("[%"PRIu32"]: pam auth crap domain: %s user: %s\n",
2795 client_pid, r->in.domain, r->in.user);
2796
2797 result = winbind_dual_SamLogon(domain,
2798 p->mem_ctx,
2799 false, /* interactive */
2800 r->in.logon_parameters,
2801 r->in.user,
2802 r->in.domain,
2803 r->in.workstation,
2804 logon_id,
2805 r->in.client_name,
2806 client_pid,
2807 r->in.chal,
2808 r->in.lm_resp,
2809 r->in.nt_resp,
2810 remote,
2811 local,
2812 &authoritative,
2813 false,
2814 &flags,
2815 &validation_level,
2816 &validation);
2817 if (!NT_STATUS_IS_OK(result)) {
2818 goto done;
2819 }
2820
2821 result = map_validation_to_info3(p->mem_ctx,
2822 validation_level,
2823 validation,
2824 &info3);
2825 if (!NT_STATUS_IS_OK(result)) {
2826 goto done;
2827 }
2828
2829 /* Check if the user is in the right group */
2830 result = check_info3_in_group(info3, r->in.require_membership_of_sid);
2831 if (!NT_STATUS_IS_OK(result)) {
2832 char *s = NDR_PRINT_STRUCT_STRING(p->mem_ctx,
2833 wbint_SidArray,
2834 r->in.require_membership_of_sid);
2835 DBG_NOTICE("User %s is not in the required groups:\n",
2836 r->in.user);
2837 DEBUGADD(DBGLVL_NOTICE, ("%s", s));
2838 DEBUGADD(DBGLVL_NOTICE,
2839 ("CRAP authentication is rejected\n"));
2840 goto done;
2841 }
2842
2843 if (!is_allowed_domain(info3->base.logon_domain.string)) {
2844 DBG_NOTICE("Authentication failed for user [%s] "
2845 "from firewalled domain [%s]\n",
2846 info3->base.account_name.string,
2847 info3->base.logon_domain.string);
2848 result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
2849 goto done;
2850 }
2851
2852 r->out.validation = talloc_zero(p->mem_ctx,
2853 struct wbint_PamAuthCrapValidation);
2854 if (r->out.validation == NULL) {
2855 result = NT_STATUS_NO_MEMORY;
2856 goto done;
2857 }
2858
2859 r->out.validation->level = validation_level;
2860 r->out.validation->validation = talloc_move(r->out.validation,
2861 &validation);
2862 done:
2863
2864 if (r->in.flags & WBFLAG_PAM_NT_STATUS_SQUASH) {
2865 result = nt_status_squash(result);
2866 }
2867
2868 *r->out.authoritative = authoritative;
2869
2870 /*
2871 * Log the winbind pam authentication, the logon_id will tie this to
2872 * any of the logons invoked from this request.
2873 */
2874 log_authentication(
2875 p->mem_ctx,
2876 domain,
2877 r->in.client_name,
2878 client_pid,
2879 r->out.validation->level,
2880 r->out.validation->validation,
2881 start_time,
2882 logon_id,
2883 "NTLM_AUTH",
2884 r->in.user,
2885 r->in.domain,
2886 r->in.workstation,
2887 r->in.lm_resp,
2888 r->in.nt_resp,
2889 remote,
2890 local,
2891 result);
2892
2893 return result;
2894 }
2895
2896 NTSTATUS _wbint_PamAuthChangePassword(struct pipes_struct *p,
2897 struct wbint_PamAuthChangePassword *r)
2898 {
2899 struct winbindd_domain *contact_domain = wb_child_domain();
2900 struct policy_handle dom_pol;
2901 struct rpc_pipe_client *cli = NULL;
2902 bool got_info = false;
2903 struct samr_DomInfo1 *info = NULL;
2904 struct userPwdChangeFailureInformation *reject = NULL;
2905 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
2906 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2907 fstring namespace, domain, user;
2908 struct dcerpc_binding_handle *b = NULL;
2909 bool ok;
2910 pid_t client_pid;
2911
2912 ZERO_STRUCT(dom_pol);
2913
2914 if (contact_domain == NULL) {
2915 return NT_STATUS_REQUEST_NOT_ACCEPTED;
2916 }
2917
2918 /* Cut client_pid to 32bit */
2919 client_pid = r->in.client_pid;
2920 if ((uint64_t)client_pid != r->in.client_pid) {
2921 DBG_DEBUG("pid out of range\n");
2922 return NT_STATUS_INVALID_PARAMETER;
2923 }
2924
2925 DBG_NOTICE("[%"PRIu32"]: dual pam chauthtok %s\n",
2926 client_pid, r->in.user);
2927
2928 ok = parse_domain_user(r->in.user,
2929 namespace,
2930 domain,
2931 user);
2932 if (!ok) {
2933 goto done;
2934 }
2935
2936 if (!is_allowed_domain(domain)) {
2937 DBG_NOTICE("Authentication failed for user [%s] "
2938 "from firewalled domain [%s]\n",
2939 user, domain);
2940 result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
2941 goto done;
2942 }
2943
2944 /* Initialize reject reason */
2945 *r->out.reject_reason = Undefined;
2946
2947 /* Get sam handle */
2948
2949 result = cm_connect_sam(contact_domain,
2950 p->mem_ctx,
2951 true,
2952 &cli,
2953 &dom_pol);
2954 if (!NT_STATUS_IS_OK(result)) {
2955 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
2956 goto done;
2957 }
2958
2959 b = cli->binding_handle;
2960
2961 status = dcerpc_samr_chgpasswd_user4(cli->binding_handle,
2962 p->mem_ctx,
2963 cli->srv_name_slash,
2964 user,
2965 r->in.old_password,
2966 r->in.new_password,
2967 &result);
2968 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
2969 /* Password successfully changed. */
2970 goto done;
2971 }
2972 if (!NT_STATUS_IS_OK(status)) {
2973 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE) ||
2974 NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED) ||
2975 NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
2976 /* DO NOT FALLBACK TO RC4 */
2977 if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
2978 result = NT_STATUS_STRONG_CRYPTO_NOT_SUPPORTED;
2979 goto process_result;
2980 }
2981 }
2982 } else {
2983 /* Password change was unsuccessful. */
2984 if (!NT_STATUS_IS_OK(result)) {
2985 goto done;
2986 }
2987 }
2988
2989 result = rpccli_samr_chgpasswd_user3(cli,
2990 p->mem_ctx,
2991 user,
2992 r->in.new_password,
2993 r->in.old_password,
2994 &info,
2995 &reject);
2996
2997 /* Windows 2003 returns NT_STATUS_PASSWORD_RESTRICTION */
2998
2999 if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) ) {
3000
3001 *r->out.dominfo = talloc_steal(p->mem_ctx, info);
3002 *r->out.reject_reason = reject->extendedFailureReason;
3003
3004 got_info = true;
3005 }
3006
3007 /* atm the pidl generated rpccli_samr_ChangePasswordUser3 function will
3008 * return with NT_STATUS_BUFFER_TOO_SMALL for w2k dcs as w2k just
3009 * returns with 4byte error code (NT_STATUS_NOT_SUPPORTED) which is too
3010 * short to comply with the samr_ChangePasswordUser3 idl - gd */
3011
3012 /* only fallback when the chgpasswd_user3 call is not supported */
3013 if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE) ||
3014 NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) ||
3015 NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL) ||
3016 NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
3017
3018 DEBUG(10,("Password change with chgpasswd_user3 failed with: %s, retrying chgpasswd_user2\n",
3019 nt_errstr(result)));
3020
3021 result = rpccli_samr_chgpasswd_user2(cli,
3022 p->mem_ctx,
3023 user,
3024 r->in.new_password,
3025 r->in.old_password);
3026
3027 /* Windows 2000 returns NT_STATUS_ACCOUNT_RESTRICTION.
3028 Map to the same status code as Windows 2003. */
3029
3030 if ( NT_STATUS_EQUAL(NT_STATUS_ACCOUNT_RESTRICTION, result ) ) {
3031 result = NT_STATUS_PASSWORD_RESTRICTION;
3032 }
3033 }
3034
3035 done:
3036
3037 if (NT_STATUS_IS_OK(result)
3038 && (r->in.flags & WBFLAG_PAM_CACHED_LOGIN)
3039 && lp_winbind_offline_logon()) {
3040 result = winbindd_update_creds_by_name(contact_domain, user,
3041 r->in.new_password);
3042 /* Again, this happens when we login from gdm or xdm
3043 * and the password expires, *BUT* cached crendentials
3044 * doesn't exist. winbindd_update_creds_by_name()
3045 * returns NT_STATUS_NO_SUCH_USER.
3046 * This is not a failure.
3047 * --- BoYang
3048 * */
3049 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
3050 result = NT_STATUS_OK;
3051 }
3052
3053 if (!NT_STATUS_IS_OK(result)) {
3054 DEBUG(10, ("Failed to store creds: %s\n",
3055 nt_errstr(result)));
3056 goto process_result;
3057 }
3058 }
3059
3060 if (!NT_STATUS_IS_OK(result) && !got_info && contact_domain) {
3061
3062 NTSTATUS policy_ret;
3063
3064 policy_ret = get_password_policy(contact_domain,
3065 p->mem_ctx,
3066 &info);
3067
3068 /* failure of this is non critical, it will just provide no
3069 * additional information to the client why the change has
3070 * failed - Guenther */
3071
3072 if (!NT_STATUS_IS_OK(policy_ret)) {
3073 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(policy_ret)));
3074 goto process_result;
3075 }
3076
3077 *r->out.dominfo = talloc_steal(p->mem_ctx, info);
3078 }
3079
3080 process_result:
3081
3082 if (strequal(contact_domain->name, get_global_sam_name())) {
3083 /* FIXME: internal rpc pipe does not cache handles yet */
3084 if (b) {
3085 if (is_valid_policy_hnd(&dom_pol)) {
3086 NTSTATUS _result;
3087 dcerpc_samr_Close(b,
3088 p->mem_ctx,
3089 &dom_pol,
3090 &_result);
3091 }
3092 TALLOC_FREE(cli);
3093 }
3094 }
3095
3096 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
3097 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
3098 domain,
3099 user,
3100 nt_errstr(result),
3101 nt_status_to_pam(result)));
3102
3103 return result;
3104 }
3105
3106 NTSTATUS _wbint_PamLogOff(struct pipes_struct *p, struct wbint_PamLogOff *r)
3107 {
3108 struct winbindd_domain *domain = wb_child_domain();
3109 NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
3110 pid_t client_pid;
3111 uid_t user_uid;
3112
3113 if (domain == NULL) {
3114 return NT_STATUS_REQUEST_NOT_ACCEPTED;
3115 }
3116
3117 /* Cut client_pid to 32bit */
3118 client_pid = r->in.client_pid;
3119 if ((uint64_t)client_pid != r->in.client_pid) {
3120 DBG_DEBUG("pid out of range\n");
3121 return NT_STATUS_INVALID_PARAMETER;
3122 }
3123
3124 /* Cut uid to 32bit */
3125 user_uid = r->in.uid;
3126 if ((uint64_t)user_uid != r->in.uid) {
3127 DBG_DEBUG("uid out of range\n");
3128 return NT_STATUS_INVALID_PARAMETER;
3129 }
3130
3131 DBG_NOTICE("[%"PRIu32"]: pam dual logoff %s\n", client_pid, r->in.user);
3132
3133 if (!(r->in.flags & WBFLAG_PAM_KRB5)) {
3134 result = NT_STATUS_OK;
3135 goto process_result;
3136 }
3137
3138 if ((r->in.krb5ccname == NULL) || (strlen(r->in.krb5ccname) == 0)) {
3139 result = NT_STATUS_OK;
3140 goto process_result;
3141 }
3142
3143 #ifdef HAVE_KRB5
3144
3145 if (user_uid == (uid_t)-1) {
3146 DBG_DEBUG("Invalid uid for user '%s'\n", r->in.user);
3147 goto process_result;
3148 }
3149
3150 /* what we need here is to find the corresponding krb5 ccache name *we*
3151 * created for a given username and destroy it */
3152
3153 if (!ccache_entry_exists(r->in.user)) {
3154 result = NT_STATUS_OK;
3155 DBG_DEBUG("No entry found for user '%s'.\n", r->in.user);
3156 goto process_result;
3157 }
3158
3159 if (!ccache_entry_identical(r->in.user, user_uid, r->in.krb5ccname)) {
3160 DBG_DEBUG("Cached entry differs for user '%s'\n", r->in.user);
3161 goto process_result;
3162 }
3163
3164 result = remove_ccache(r->in.user);
3165 if (!NT_STATUS_IS_OK(result)) {
3166 DBG_DEBUG("Failed to remove ccache for user '%s': %s\n",
3167 r->in.user, nt_errstr(result));
3168 goto process_result;
3169 }
3170
3171 /*
3172 * Remove any mlock'ed memory creds in the child
3173 * we might be using for krb5 ticket renewal.
3174 */
3175
3176 winbindd_delete_memory_creds(r->in.user);
3177
3178 #else
3179 result = NT_STATUS_NOT_SUPPORTED;
3180 #endif
3181
3182 process_result:
3183
3184 return result;
3185 }
3186
3187 /* Change user password with auth crap*/
3188
3189 NTSTATUS _wbint_PamAuthCrapChangePassword(struct pipes_struct *p,
3190 struct wbint_PamAuthCrapChangePassword *r)
3191 {
3192 NTSTATUS result;
3193 fstring namespace, domain, user;
3194 struct policy_handle dom_pol;
3195 struct winbindd_domain *contact_domain = wb_child_domain();
3196 struct rpc_pipe_client *cli = NULL;
3197 struct dcerpc_binding_handle *b = NULL;
3198 pid_t client_pid;
3199
3200 ZERO_STRUCT(dom_pol);
3201
3202 if (contact_domain == NULL) {
3203 return NT_STATUS_REQUEST_NOT_ACCEPTED;
3204 }
3205
3206 /* Cut client_pid to 32bit */
3207 client_pid = r->in.client_pid;
3208 if ((uint64_t)client_pid != r->in.client_pid) {
3209 DBG_DEBUG("pid out of range\n");
3210 return NT_STATUS_INVALID_PARAMETER;
3211 }
3212
3213 domain[0] = '\0';
3214 namespace[0] = '\0';
3215 user[0] = '\0';
3216
3217 DBG_NOTICE("[%"PRIu32"]: pam change pswd auth crap domain: %s "
3218 "user: %s\n", client_pid, r->in.domain, r->in.user);
3219
3220 if (lp_winbind_offline_logon()) {
3221 DEBUG(0,("Refusing password change as winbind offline logons are enabled. "));
3222 DEBUGADD(0,("Changing passwords here would risk inconsistent logons\n"));
3223 result = NT_STATUS_ACCESS_DENIED;
3224 goto done;
3225 }
3226
3227 if (r->in.domain != NULL && strlen(r->in.domain) > 0) {
3228 fstrcpy(domain, r->in.domain);
3229 } else {
3230 bool ok;
3231
3232 ok = parse_domain_user(r->in.user,
3233 namespace,
3234 domain,
3235 user);
3236 if (!ok) {
3237 result = NT_STATUS_INVALID_PARAMETER;
3238 goto done;
3239 }
3240
3241 if (strlen(domain) == 0) {
3242 DBG_NOTICE("no domain specified with username (%s) - "
3243 "failing auth\n", r->in.user);
3244 result = NT_STATUS_NO_SUCH_USER;
3245 goto done;
3246 }
3247 }
3248
3249 if (!*domain && lp_winbind_use_default_domain()) {
3250 fstrcpy(domain,lp_workgroup());
3251 }
3252
3253 if (!is_allowed_domain(domain)) {
3254 DBG_NOTICE("Authentication failed for user [%s] "
3255 "from firewalled domain [%s]\n",
3256 r->in.user,
3257 domain);
3258 result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
3259 goto done;
3260 }
3261
3262 if(!*user) {
3263 fstrcpy(user, r->in.user);
3264 }
3265
3266 /* Get sam handle */
3267
3268 result = cm_connect_sam(contact_domain,
3269 p->mem_ctx,
3270 true,
3271 &cli,
3272 &dom_pol);
3273 if (!NT_STATUS_IS_OK(result)) {
3274 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
3275 goto done;
3276 }
3277
3278 b = cli->binding_handle;
3279
3280 result = rpccli_samr_chng_pswd_auth_crap(cli,
3281 p->mem_ctx,
3282 user,
3283 r->in.new_nt_pswd,
3284 r->in.old_nt_hash_enc,
3285 r->in.new_lm_pswd,
3286 r->in.old_lm_hash_enc);
3287
3288 done:
3289
3290 if (strequal(contact_domain->name, get_global_sam_name())) {
3291 /* FIXME: internal rpc pipe does not cache handles yet */
3292 if (b) {
3293 if (is_valid_policy_hnd(&dom_pol)) {
3294 NTSTATUS _result;
3295 dcerpc_samr_Close(b,
3296 p->mem_ctx,
3297 &dom_pol,
3298 &_result);
3299 }
3300 TALLOC_FREE(cli);
3301 }
3302 }
3303
3304 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
3305 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
3306 domain, user,
3307 nt_errstr(result),
3308 nt_status_to_pam(result)));
3309
3310 return result;
3311 }
3312
3313 #ifdef HAVE_KRB5
3314 static NTSTATUS extract_pac_vrfy_sigs(TALLOC_CTX *mem_ctx, DATA_BLOB pac_blob,
3315 struct PAC_DATA **p_pac_data)
3316 {
3317 krb5_context krbctx = NULL;
3318 krb5_error_code k5ret;
3319 krb5_keytab keytab;
3320 krb5_kt_cursor cursor;
3321 krb5_keytab_entry entry;
3322 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
3323
3324 ZERO_STRUCT(entry);
3325 ZERO_STRUCT(cursor);
3326
3327 k5ret = smb_krb5_init_context_common(&krbctx);
3328 if (k5ret) {
3329 DBG_ERR("kerberos init context failed (%s)\n",
3330 error_message(k5ret));
3331 status = krb5_to_nt_status(k5ret);
3332 goto out;
3333 }
3334
3335 k5ret = gse_krb5_get_server_keytab(krbctx, &keytab);
3336 if (k5ret) {
3337 DEBUG(1, ("Failed to get keytab: %s\n",
3338 error_message(k5ret)));
3339 status = krb5_to_nt_status(k5ret);
3340 goto out_free;
3341 }
3342
3343 k5ret = krb5_kt_start_seq_get(krbctx, keytab, &cursor);
3344 if (k5ret) {
3345 DEBUG(1, ("Failed to start seq: %s\n",
3346 error_message(k5ret)));
3347 status = krb5_to_nt_status(k5ret);
3348 goto out_keytab;
3349 }
3350
3351 k5ret = krb5_kt_next_entry(krbctx, keytab, &entry, &cursor);
3352 while (k5ret == 0) {
3353 status = kerberos_decode_pac(mem_ctx,
3354 pac_blob,
3355 krbctx,
3356 NULL, /* krbtgt_keyblock */
3357 KRB5_KT_KEY(&entry), /* service_keyblock */
3358 NULL, /* client_principal */
3359 0, /* tgs_authtime */
3360 p_pac_data);
3361 if (NT_STATUS_IS_OK(status)) {
3362 break;
3363 }
3364 k5ret = smb_krb5_kt_free_entry(krbctx, &entry);
3365 k5ret = krb5_kt_next_entry(krbctx, keytab, &entry, &cursor);
3366 }
3367
3368 k5ret = krb5_kt_end_seq_get(krbctx, keytab, &cursor);
3369 if (k5ret) {
3370 DEBUG(1, ("Failed to end seq: %s\n",
3371 error_message(k5ret)));
3372 }
3373 out_keytab:
3374 k5ret = krb5_kt_close(krbctx, keytab);
3375 if (k5ret) {
3376 DEBUG(1, ("Failed to close keytab: %s\n",
3377 error_message(k5ret)));
3378 }
3379 out_free:
3380 krb5_free_context(krbctx);
3381 out:
3382 return status;
3383 }
3384
3385 NTSTATUS winbindd_pam_auth_pac_verify(struct winbindd_cli_state *state,
3386 TALLOC_CTX *mem_ctx,
3387 bool *p_is_trusted,
3388 uint16_t *p_validation_level,
3389 union netr_Validation **p_validation)
3390 {
3391 struct winbindd_request *req = state->request;
3392 DATA_BLOB pac_blob;
3393 struct PAC_DATA *pac_data = NULL;
3394 struct PAC_LOGON_INFO *logon_info = NULL;
3395 struct PAC_UPN_DNS_INFO *upn_dns_info = NULL;
3396 struct netr_SamInfo6 *info6 = NULL;
3397 uint16_t validation_level = 0;
3398 union netr_Validation *validation = NULL;
3399 struct netr_SamInfo3 *info3_copy = NULL;
3400 NTSTATUS result;
3401 bool is_trusted = false;
3402 uint32_t i;
3403 TALLOC_CTX *tmp_ctx = NULL;
3404
3405 tmp_ctx = talloc_new(mem_ctx);
3406 if (tmp_ctx == NULL) {
3407 return NT_STATUS_NO_MEMORY;
3408 }
3409
3410 *p_is_trusted = false;
3411 *p_validation_level = 0;
3412 *p_validation = NULL;
3413
3414 pac_blob = data_blob_const(req->extra_data.data, req->extra_len);
3415 result = extract_pac_vrfy_sigs(tmp_ctx, pac_blob, &pac_data);
3416 if (NT_STATUS_IS_OK(result)) {
3417 is_trusted = true;
3418 }
3419 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
3420 /* Try without signature verification */
3421 result = kerberos_decode_pac(tmp_ctx,
3422 pac_blob,
3423 NULL, /* krb5_context */
3424 NULL, /* krbtgt_keyblock */
3425 NULL, /* service_keyblock */
3426 NULL, /* client_principal */
3427 0, /* tgs_authtime */
3428 &pac_data);
3429 }
3430 if (!NT_STATUS_IS_OK(result)) {
3431 DEBUG(1, ("Error during PAC signature verification: %s\n",
3432 nt_errstr(result)));
3433 goto out;
3434 }
3435
3436 for (i=0; i < pac_data->num_buffers; i++) {
3437 if (pac_data->buffers[i].type == PAC_TYPE_LOGON_INFO) {
3438 logon_info = pac_data->buffers[i].info->logon_info.info;
3439 continue;
3440 }
3441 if (pac_data->buffers[i].type == PAC_TYPE_UPN_DNS_INFO) {
3442 upn_dns_info = &pac_data->buffers[i].info->upn_dns_info;
3443 continue;
3444 }
3445 }
3446
3447 result = create_info6_from_pac(tmp_ctx,
3448 logon_info,
3449 upn_dns_info,
3450 &info6);
3451 if (!NT_STATUS_IS_OK(result)) {
3452 goto out;
3453 }
3454
3455 if (!is_allowed_domain(info6->base.logon_domain.string)) {
3456 DBG_NOTICE("Authentication failed for user [%s] "
3457 "from firewalled domain [%s]\n",
3458 info6->base.account_name.string,
3459 info6->base.logon_domain.string);
3460 result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
3461 goto out;
3462 }
3463
3464 result = map_info6_to_validation(tmp_ctx,
3465 info6,
3466 &validation_level,
3467 &validation);
3468 if (!NT_STATUS_IS_OK(result)) {
3469 goto out;
3470 }
3471
3472 result = map_validation_to_info3(tmp_ctx,
3473 validation_level,
3474 validation,
3475 &info3_copy);
3476 if (!NT_STATUS_IS_OK(result)) {
3477 goto out;
3478 }
3479
3480 if (is_trusted) {
3481 /*
3482 * Signature verification succeeded, we can
3483 * trust the PAC and prime the netsamlogon
3484 * and name2sid caches. DO NOT DO THIS
3485 * in the signature verification failed
3486 * code path.
3487 */
3488 struct winbindd_domain *domain = NULL;
3489
3490 netsamlogon_cache_store(NULL, info3_copy);
3491
3492 /*
3493 * We're in the parent here, so find the child
3494 * pointer from the PAC domain name.
3495 */
3496 domain = find_lookup_domain_from_name(
3497 info3_copy->base.logon_domain.string);
3498 if (domain && domain->primary ) {
3499 struct dom_sid user_sid;
3500 struct dom_sid_buf buf;
3501
3502 sid_compose(&user_sid,
3503 info3_copy->base.domain_sid,
3504 info3_copy->base.rid);
3505
3506 cache_name2sid_trusted(domain,
3507 info3_copy->base.logon_domain.string,
3508 info3_copy->base.account_name.string,
3509 SID_NAME_USER,
3510 &user_sid);
3511
3512 DBG_INFO("PAC for user %s\\%s SID %s primed cache\n",
3513 info3_copy->base.logon_domain.string,
3514 info3_copy->base.account_name.string,
3515 dom_sid_str_buf(&user_sid, &buf));
3516 }
3517 }
3518
3519 *p_is_trusted = is_trusted;
3520 *p_validation_level = validation_level;
3521 *p_validation = talloc_move(mem_ctx, &validation);
3522
3523 result = NT_STATUS_OK;
3524 out:
3525 TALLOC_FREE(tmp_ctx);
3526 return result;
3527 }
3528 #else /* HAVE_KRB5 */
3529 NTSTATUS winbindd_pam_auth_pac_verify(struct winbindd_cli_state *state,
3530 TALLOC_CTX *mem_ctx,
3531 bool *p_is_trusted,
3532 uint16_t *p_validation_level,
3533 union netr_Validation **p_validation);
3534 {
3535
3536 *p_is_trusted = false;
3537 *p_validation_level = 0;
3538 *p_validation = NULL;
3539 return NT_STATUS_NO_SUCH_USER;
3540 }
3541 #endif /* HAVE_KRB5 */
Samba GIT mirror