2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2004
5 Copyright (C) Gerald Carter 2003
6 Copyright (C) Stefan Metzmacher 2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 #include "librpc/gen_ndr/ndr_netlogon.h"
25 #include "system/time.h"
27 #include "lib/ldb/include/ldb.h"
28 #include "auth/auth.h"
29 #include "auth/auth_sam.h"
30 #include "dsdb/samdb/samdb.h"
31 #include "libcli/security/security.h"
32 #include "libcli/ldap/ldap.h"
34 extern const char *user_attrs
[];
35 extern const char *domain_ref_attrs
[];
37 /****************************************************************************
38 Look for the specified user in the sam, return ldb result structures
39 ****************************************************************************/
41 static NTSTATUS
authsam_search_account(TALLOC_CTX
*mem_ctx
, struct ldb_context
*sam_ctx
,
42 const char *account_name
,
43 const char *domain_name
,
44 struct ldb_message
***ret_msgs
,
45 struct ldb_message
***ret_msgs_domain_ref
)
47 struct ldb_message
**msgs_tmp
;
48 struct ldb_message
**msgs
;
49 struct ldb_message
**msgs_domain_ref
;
50 const struct ldb_dn
*partitions_basedn
= samdb_partitions_dn(sam_ctx
, mem_ctx
);
55 const struct ldb_dn
*domain_dn
= NULL
;
58 char *escaped_domain
= ldb_binary_encode_string(mem_ctx
, domain_name
);
59 /* find the domain's DN */
60 ret_domain
= gendb_search(sam_ctx
, mem_ctx
, partitions_basedn
, &msgs_domain_ref
, domain_ref_attrs
,
61 "(&(&(|(&(dnsRoot=%s)(nETBIOSName=*))(nETBIOSName=%s))(objectclass=crossRef))(ncName=*))",
62 escaped_domain
, escaped_domain
);
63 if (ret_domain
== -1) {
64 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
67 if (ret_domain
== 0) {
68 DEBUG(3,("sam_search_user: Couldn't find domain [%s] in samdb.\n",
70 return NT_STATUS_NO_SUCH_USER
;
74 DEBUG(0,("Found %d records matching domain [%s]\n",
75 ret_domain
, domain_name
));
76 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
79 domain_dn
= samdb_result_dn(mem_ctx
, msgs_domain_ref
[0], "nCName", NULL
);
82 /* pull the user attributes */
83 ret
= gendb_search(sam_ctx
, mem_ctx
, domain_dn
, &msgs
, user_attrs
,
84 "(&(sAMAccountName=%s)(objectclass=user))",
85 ldb_binary_encode_string(mem_ctx
, account_name
));
87 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
91 DEBUG(3,("sam_search_user: Couldn't find user [%s\\%s] in samdb, under %s\n",
92 domain_name
, account_name
, ldb_dn_linearize(mem_ctx
, domain_dn
)));
93 return NT_STATUS_NO_SUCH_USER
;
97 DEBUG(0,("Found %d records matching user [%s]\n", ret
, account_name
));
98 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
102 struct dom_sid
*domain_sid
;
104 domain_sid
= samdb_result_sid_prefix(mem_ctx
, msgs
[0], "objectSid");
106 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
109 /* find the domain's DN */
110 ret
= gendb_search(sam_ctx
, mem_ctx
, NULL
, &msgs_tmp
, NULL
,
111 "(&(objectSid=%s)(objectclass=domain))",
112 ldap_encode_ndr_dom_sid(mem_ctx
, domain_sid
));
114 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
118 DEBUG(3,("check_sam_security: Couldn't find domain_sid [%s] in passdb file.\n",
119 dom_sid_string(mem_ctx
, domain_sid
)));
120 return NT_STATUS_NO_SUCH_USER
;
124 DEBUG(0,("Found %d records matching domain_sid [%s]\n",
125 ret
, dom_sid_string(mem_ctx
, domain_sid
)));
126 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
129 ret_domain
= gendb_search(sam_ctx
, mem_ctx
, partitions_basedn
, &msgs_domain_ref
, domain_ref_attrs
,
130 "(nCName=%s)", ldb_dn_linearize(msgs_tmp
, msgs_tmp
[0]->dn
));
132 if (ret_domain
== -1) {
133 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
136 if (ret_domain
== 0) {
137 DEBUG(3,("check_sam_security: Couldn't find domain [%s] in passdb file.\n",
138 ldb_dn_linearize(msgs_tmp
, msgs_tmp
[0]->dn
)));
139 return NT_STATUS_NO_SUCH_USER
;
142 if (ret_domain
> 1) {
143 DEBUG(0,("Found %d records matching domain [%s]\n",
144 ret_domain
, ldb_dn_linearize(msgs_tmp
, msgs_tmp
[0]->dn
)));
145 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
151 *ret_msgs_domain_ref
= msgs_domain_ref
;
156 /****************************************************************************
157 Do a specific test for an smb password being correct, given a smb_password and
158 the lanman and NT responses.
159 ****************************************************************************/
160 static NTSTATUS
authsam_password_ok(struct auth_context
*auth_context
,
163 const struct samr_Password
*lm_pwd
,
164 const struct samr_Password
*nt_pwd
,
165 const struct auth_usersupplied_info
*user_info
,
166 DATA_BLOB
*user_sess_key
,
167 DATA_BLOB
*lm_sess_key
)
171 if (acct_flags
& ACB_PWNOTREQ
) {
172 if (lp_null_passwords()) {
173 DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n",
174 user_info
->mapped
.account_name
));
177 DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n",
178 user_info
->mapped
.account_name
));
179 return NT_STATUS_LOGON_FAILURE
;
183 switch (user_info
->password_state
) {
184 case AUTH_PASSWORD_PLAIN
:
186 const struct auth_usersupplied_info
*user_info_temp
;
187 status
= encrypt_user_info(mem_ctx
, auth_context
,
189 user_info
, &user_info_temp
);
190 if (!NT_STATUS_IS_OK(status
)) {
191 DEBUG(1, ("Failed to convert plaintext password to password HASH: %s\n", nt_errstr(status
)));
194 user_info
= user_info_temp
;
198 case AUTH_PASSWORD_HASH
:
199 *lm_sess_key
= data_blob(NULL
, 0);
200 *user_sess_key
= data_blob(NULL
, 0);
201 status
= hash_password_check(mem_ctx
,
202 user_info
->password
.hash
.lanman
,
203 user_info
->password
.hash
.nt
,
204 user_info
->mapped
.account_name
,
206 NT_STATUS_NOT_OK_RETURN(status
);
209 case AUTH_PASSWORD_RESPONSE
:
210 status
= ntlm_password_check(mem_ctx
, user_info
->logon_parameters
,
211 &auth_context
->challenge
.data
,
212 &user_info
->password
.response
.lanman
,
213 &user_info
->password
.response
.nt
,
214 user_info
->mapped
.account_name
,
215 user_info
->client
.account_name
,
216 user_info
->client
.domain_name
,
218 user_sess_key
, lm_sess_key
);
219 NT_STATUS_NOT_OK_RETURN(status
);
223 if (user_sess_key
&& user_sess_key
->data
) {
224 talloc_steal(auth_context
, user_sess_key
->data
);
226 if (lm_sess_key
&& lm_sess_key
->data
) {
227 talloc_steal(auth_context
, lm_sess_key
->data
);
235 static NTSTATUS
authsam_authenticate(struct auth_context
*auth_context
,
236 TALLOC_CTX
*mem_ctx
, struct ldb_context
*sam_ctx
,
237 struct ldb_message
**msgs
,
238 struct ldb_message
**msgs_domain_ref
,
239 const struct auth_usersupplied_info
*user_info
,
240 DATA_BLOB
*user_sess_key
, DATA_BLOB
*lm_sess_key
)
242 struct samr_Password
*lm_pwd
, *nt_pwd
;
244 uint16_t acct_flags
= samdb_result_acct_flags(msgs
[0], "userAccountControl");
246 /* Quit if the account was locked out. */
247 if (acct_flags
& ACB_AUTOLOCK
) {
248 DEBUG(3,("check_sam_security: Account for user %s was locked out.\n",
249 user_info
->mapped
.account_name
));
250 return NT_STATUS_ACCOUNT_LOCKED_OUT
;
253 /* You can only do an interactive login to normal accounts */
254 if (user_info
->flags
& USER_INFO_INTERACTIVE_LOGON
) {
255 if (!(acct_flags
& ACB_NORMAL
)) {
256 return NT_STATUS_NO_SUCH_USER
;
260 nt_status
= samdb_result_passwords(mem_ctx
, msgs
[0], &lm_pwd
, &nt_pwd
);
261 NT_STATUS_NOT_OK_RETURN(nt_status
);
263 nt_status
= authsam_password_ok(auth_context
, mem_ctx
,
264 acct_flags
, lm_pwd
, nt_pwd
,
265 user_info
, user_sess_key
, lm_sess_key
);
266 NT_STATUS_NOT_OK_RETURN(nt_status
);
268 nt_status
= authsam_account_ok(mem_ctx
, sam_ctx
,
269 user_info
->logon_parameters
,
272 user_info
->workstation_name
,
273 user_info
->mapped
.account_name
);
280 static NTSTATUS
authsam_check_password_internals(struct auth_method_context
*ctx
,
283 const struct auth_usersupplied_info
*user_info
,
284 struct auth_serversupplied_info
**server_info
)
287 const char *account_name
= user_info
->mapped
.account_name
;
288 struct ldb_message
**msgs
;
289 struct ldb_message
**domain_ref_msgs
;
290 struct ldb_context
*sam_ctx
;
291 DATA_BLOB user_sess_key
, lm_sess_key
;
294 if (!account_name
|| !*account_name
) {
296 return NT_STATUS_NOT_IMPLEMENTED
;
299 tmp_ctx
= talloc_new(mem_ctx
);
301 return NT_STATUS_NO_MEMORY
;
304 sam_ctx
= samdb_connect(tmp_ctx
, system_session(mem_ctx
));
305 if (sam_ctx
== NULL
) {
306 talloc_free(tmp_ctx
);
307 return NT_STATUS_INVALID_SYSTEM_SERVICE
;
310 nt_status
= authsam_search_account(tmp_ctx
, sam_ctx
, account_name
, domain
, &msgs
, &domain_ref_msgs
);
311 if (!NT_STATUS_IS_OK(nt_status
)) {
312 talloc_free(tmp_ctx
);
316 nt_status
= authsam_authenticate(ctx
->auth_ctx
, tmp_ctx
, sam_ctx
, msgs
, domain_ref_msgs
, user_info
,
317 &user_sess_key
, &lm_sess_key
);
318 if (!NT_STATUS_IS_OK(nt_status
)) {
319 talloc_free(tmp_ctx
);
323 nt_status
= authsam_make_server_info(tmp_ctx
, sam_ctx
, msgs
[0], domain_ref_msgs
[0],
324 user_sess_key
, lm_sess_key
,
326 if (!NT_STATUS_IS_OK(nt_status
)) {
327 talloc_free(tmp_ctx
);
331 talloc_steal(mem_ctx
, *server_info
);
332 talloc_free(tmp_ctx
);
337 static NTSTATUS
authsam_ignoredomain_want_check(struct auth_method_context
*ctx
,
339 const struct auth_usersupplied_info
*user_info
)
341 if (!user_info
->mapped
.account_name
|| !*user_info
->mapped
.account_name
) {
342 return NT_STATUS_NOT_IMPLEMENTED
;
348 static NTSTATUS
authsam_ignoredomain_check_password(struct auth_method_context
*ctx
,
350 const struct auth_usersupplied_info
*user_info
,
351 struct auth_serversupplied_info
**server_info
)
353 return authsam_check_password_internals(ctx
, mem_ctx
, NULL
, user_info
, server_info
);
356 /****************************************************************************
357 Check SAM security (above) but with a few extra checks.
358 ****************************************************************************/
359 static NTSTATUS
authsam_want_check(struct auth_method_context
*ctx
,
361 const struct auth_usersupplied_info
*user_info
)
363 BOOL is_local_name
, is_my_domain
;
365 if (!user_info
->mapped
.account_name
|| !*user_info
->mapped
.account_name
) {
366 return NT_STATUS_NOT_IMPLEMENTED
;
369 is_local_name
= is_myname(user_info
->mapped
.domain_name
);
370 is_my_domain
= strequal(user_info
->mapped
.domain_name
, lp_workgroup());
372 /* check whether or not we service this domain/workgroup name */
373 switch (lp_server_role()) {
374 case ROLE_STANDALONE
:
377 case ROLE_DOMAIN_MEMBER
:
378 if (!is_local_name
) {
379 DEBUG(6,("authsam_check_password: %s is not one of my local names (DOMAIN_MEMBER)\n",
380 user_info
->mapped
.domain_name
));
381 return NT_STATUS_NOT_IMPLEMENTED
;
385 case ROLE_DOMAIN_PDC
:
386 case ROLE_DOMAIN_BDC
:
387 if (!is_local_name
&& !is_my_domain
) {
388 DEBUG(6,("authsam_check_password: %s is not one of my local names or domain name (DC)\n",
389 user_info
->mapped
.domain_name
));
390 return NT_STATUS_NOT_IMPLEMENTED
;
395 DEBUG(6,("authsam_check_password: lp_server_role() has an undefined value\n"));
396 return NT_STATUS_NOT_IMPLEMENTED
;
399 /****************************************************************************
400 Check SAM security (above) but with a few extra checks.
401 ****************************************************************************/
402 static NTSTATUS
authsam_check_password(struct auth_method_context
*ctx
,
404 const struct auth_usersupplied_info
*user_info
,
405 struct auth_serversupplied_info
**server_info
)
409 /* check whether or not we service this domain/workgroup name */
410 switch (lp_server_role()) {
411 case ROLE_STANDALONE
:
412 case ROLE_DOMAIN_MEMBER
:
413 domain
= lp_netbios_name();
416 case ROLE_DOMAIN_PDC
:
417 case ROLE_DOMAIN_BDC
:
418 domain
= lp_workgroup();
422 return NT_STATUS_NO_SUCH_USER
;
425 return authsam_check_password_internals(ctx
, mem_ctx
, domain
, user_info
, server_info
);
428 static const struct auth_operations sam_ignoredomain_ops
= {
429 .name
= "sam_ignoredomain",
430 .get_challenge
= auth_get_challenge_not_implemented
,
431 .want_check
= authsam_ignoredomain_want_check
,
432 .check_password
= authsam_ignoredomain_check_password
435 static const struct auth_operations sam_ops
= {
437 .get_challenge
= auth_get_challenge_not_implemented
,
438 .want_check
= authsam_want_check
,
439 .check_password
= authsam_check_password
442 NTSTATUS
auth_sam_init(void)
446 ret
= auth_register(&sam_ops
);
447 if (!NT_STATUS_IS_OK(ret
)) {
448 DEBUG(0,("Failed to register 'sam' auth backend!\n"));
452 ret
= auth_register(&sam_ignoredomain_ops
);
453 if (!NT_STATUS_IS_OK(ret
)) {
454 DEBUG(0,("Failed to register 'sam_ignoredomain' auth backend!\n"));