2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2009
5 Copyright (C) Gerald Carter 2003
6 Copyright (C) Stefan Metzmacher 2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "system/time.h"
25 #include "libcli/ldap/ldap_ndr.h"
26 #include "libcli/security/security.h"
27 #include "auth/auth.h"
28 #include "../libcli/auth/ntlm_check.h"
29 #include "auth/ntlm/auth_proto.h"
30 #include "auth/auth_sam.h"
31 #include "dsdb/samdb/samdb.h"
32 #include "dsdb/common/util.h"
33 #include "param/param.h"
34 #include "librpc/gen_ndr/ndr_irpc_c.h"
35 #include "lib/messaging/irpc.h"
36 #include "libcli/auth/libcli_auth.h"
38 NTSTATUS
auth_sam_init(void);
40 extern const char *user_attrs
[];
41 extern const char *domain_ref_attrs
[];
43 /****************************************************************************
44 Look for the specified user in the sam, return ldb result structures
45 ****************************************************************************/
47 static NTSTATUS
authsam_search_account(TALLOC_CTX
*mem_ctx
, struct ldb_context
*sam_ctx
,
48 const char *account_name
,
49 struct ldb_dn
*domain_dn
,
50 struct ldb_message
**ret_msg
)
54 /* pull the user attributes */
55 ret
= dsdb_search_one(sam_ctx
, mem_ctx
, ret_msg
, domain_dn
, LDB_SCOPE_SUBTREE
,
57 DSDB_SEARCH_SHOW_EXTENDED_DN
,
58 "(&(sAMAccountName=%s)(objectclass=user))",
59 ldb_binary_encode_string(mem_ctx
, account_name
));
60 if (ret
== LDB_ERR_NO_SUCH_OBJECT
) {
61 DEBUG(3,("sam_search_user: Couldn't find user [%s] in samdb, under %s\n",
62 account_name
, ldb_dn_get_linearized(domain_dn
)));
63 return NT_STATUS_NO_SUCH_USER
;
65 if (ret
!= LDB_SUCCESS
) {
66 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
72 /****************************************************************************
73 Do a specific test for an smb password being correct, given a smb_password and
74 the lanman and NT responses.
75 ****************************************************************************/
76 static NTSTATUS
authsam_password_ok(struct auth4_context
*auth_context
,
79 const struct samr_Password
*lm_pwd
,
80 const struct samr_Password
*nt_pwd
,
81 const struct auth_usersupplied_info
*user_info
,
82 DATA_BLOB
*user_sess_key
,
83 DATA_BLOB
*lm_sess_key
)
87 switch (user_info
->password_state
) {
88 case AUTH_PASSWORD_PLAIN
:
90 const struct auth_usersupplied_info
*user_info_temp
;
91 status
= encrypt_user_info(mem_ctx
, auth_context
,
93 user_info
, &user_info_temp
);
94 if (!NT_STATUS_IS_OK(status
)) {
95 DEBUG(1, ("Failed to convert plaintext password to password HASH: %s\n", nt_errstr(status
)));
98 user_info
= user_info_temp
;
102 case AUTH_PASSWORD_HASH
:
103 *lm_sess_key
= data_blob(NULL
, 0);
104 *user_sess_key
= data_blob(NULL
, 0);
105 status
= hash_password_check(mem_ctx
,
106 lpcfg_lanman_auth(auth_context
->lp_ctx
),
107 user_info
->password
.hash
.lanman
,
108 user_info
->password
.hash
.nt
,
109 user_info
->mapped
.account_name
,
111 NT_STATUS_NOT_OK_RETURN(status
);
114 case AUTH_PASSWORD_RESPONSE
:
115 status
= ntlm_password_check(mem_ctx
,
116 lpcfg_lanman_auth(auth_context
->lp_ctx
),
117 lpcfg_ntlm_auth(auth_context
->lp_ctx
),
118 user_info
->logon_parameters
,
119 &auth_context
->challenge
.data
,
120 &user_info
->password
.response
.lanman
,
121 &user_info
->password
.response
.nt
,
122 user_info
->mapped
.account_name
,
123 user_info
->client
.account_name
,
124 user_info
->client
.domain_name
,
126 user_sess_key
, lm_sess_key
);
127 NT_STATUS_NOT_OK_RETURN(status
);
136 send a message to the drepl server telling it to initiate a
137 REPL_SECRET getncchanges extended op to fetch the users secrets
139 static void auth_sam_trigger_repl_secret(struct auth4_context
*auth_context
,
140 struct ldb_dn
*user_dn
)
142 struct dcerpc_binding_handle
*irpc_handle
;
143 struct drepl_trigger_repl_secret r
;
144 struct tevent_req
*req
;
147 tmp_ctx
= talloc_new(auth_context
);
148 if (tmp_ctx
== NULL
) {
152 irpc_handle
= irpc_binding_handle_by_name(tmp_ctx
, auth_context
->msg_ctx
,
155 if (irpc_handle
== NULL
) {
156 DEBUG(1,(__location__
": Unable to get binding handle for dreplsrv\n"));
157 TALLOC_FREE(tmp_ctx
);
161 r
.in
.user_dn
= ldb_dn_get_linearized(user_dn
);
164 * This seem to rely on the current IRPC implementation,
165 * which delivers the message in the _send function.
167 * TODO: we need a ONE_WAY IRPC handle and register
168 * a callback and wait for it to be triggered!
170 req
= dcerpc_drepl_trigger_repl_secret_r_send(tmp_ctx
,
171 auth_context
->event_ctx
,
175 /* we aren't interested in a reply */
177 TALLOC_FREE(tmp_ctx
);
182 * Check that a password is OK, and update badPwdCount if required.
185 static NTSTATUS
authsam_password_check_and_record(struct auth4_context
*auth_context
,
187 struct ldb_dn
*domain_dn
,
188 struct ldb_message
*msg
,
190 const struct auth_usersupplied_info
*user_info
,
191 DATA_BLOB
*user_sess_key
,
192 DATA_BLOB
*lm_sess_key
)
195 NTSTATUS auth_status
;
199 struct ldb_context
*sam_ctx
= auth_context
->sam_ctx
;
200 const char * const attrs
[] = { "pwdHistoryLength", NULL
};
201 struct ldb_message
*dom_msg
;
202 struct samr_Password
*lm_pwd
;
203 struct samr_Password
*nt_pwd
;
205 tmp_ctx
= talloc_new(mem_ctx
);
206 if (tmp_ctx
== NULL
) {
207 return NT_STATUS_NO_MEMORY
;
211 * This call does more than what it appears to do, it also
212 * checks for the account lockout.
214 * It is done here so that all parts of Samba that read the
215 * password refuse to even operate on it if the account is
216 * locked out, to avoid mistakes like CVE-2013-4496.
218 nt_status
= samdb_result_passwords(tmp_ctx
, auth_context
->lp_ctx
,
219 msg
, &lm_pwd
, &nt_pwd
);
220 if (!NT_STATUS_IS_OK(nt_status
)) {
221 TALLOC_FREE(tmp_ctx
);
225 if (lm_pwd
== NULL
&& nt_pwd
== NULL
) {
227 if (samdb_rodc(auth_context
->sam_ctx
, &am_rodc
) == LDB_SUCCESS
&& am_rodc
) {
229 * we don't have passwords for this
230 * account. We are an RODC, and this account
231 * may be one for which we either are denied
232 * REPL_SECRET replication or we haven't yet
233 * done the replication. We return
234 * NT_STATUS_NOT_IMPLEMENTED which tells the
235 * auth code to try the next authentication
236 * mechanism. We also send a message to our
237 * drepl server to tell it to try and
238 * replicate the secrets for this account.
240 auth_sam_trigger_repl_secret(auth_context
, msg
->dn
);
241 TALLOC_FREE(tmp_ctx
);
242 return NT_STATUS_NOT_IMPLEMENTED
;
246 auth_status
= authsam_password_ok(auth_context
, tmp_ctx
,
250 user_sess_key
, lm_sess_key
);
251 if (NT_STATUS_IS_OK(auth_status
)) {
252 if (user_sess_key
->data
) {
253 talloc_steal(mem_ctx
, user_sess_key
->data
);
255 if (lm_sess_key
->data
) {
256 talloc_steal(mem_ctx
, lm_sess_key
->data
);
258 TALLOC_FREE(tmp_ctx
);
261 *user_sess_key
= data_blob_null
;
262 *lm_sess_key
= data_blob_null
;
264 if (!NT_STATUS_EQUAL(auth_status
, NT_STATUS_WRONG_PASSWORD
)) {
265 TALLOC_FREE(tmp_ctx
);
270 * We only continue if this was a wrong password
271 * and we'll always return NT_STATUS_WRONG_PASSWORD
272 * no matter what error happens.
275 /* pull the domain password property attributes */
276 ret
= dsdb_search_one(sam_ctx
, tmp_ctx
, &dom_msg
, domain_dn
, LDB_SCOPE_BASE
,
277 attrs
, 0, "objectClass=domain");
278 if (ret
== LDB_SUCCESS
) {
279 history_len
= ldb_msg_find_attr_as_uint(dom_msg
, "pwdHistoryLength", 0);
280 } else if (ret
== LDB_ERR_NO_SUCH_OBJECT
) {
281 DEBUG(3,("Couldn't find domain %s: %s!\n",
282 ldb_dn_get_linearized(domain_dn
),
283 ldb_errstring(sam_ctx
)));
285 DEBUG(3,("error finding domain %s: %s!\n",
286 ldb_dn_get_linearized(domain_dn
),
287 ldb_errstring(sam_ctx
)));
290 for (i
= 1; i
< MIN(history_len
, 3); i
++) {
291 static const struct samr_Password zero_hash
;
292 struct samr_Password zero_string_hash
;
293 struct samr_Password zero_string_des_hash
;
294 struct samr_Password
*nt_history_pwd
= NULL
;
295 struct samr_Password
*lm_history_pwd
= NULL
;
298 int allowed_period_mins
;
299 NTTIME allowed_period
;
301 nt_status
= samdb_result_passwords_from_history(tmp_ctx
,
302 auth_context
->lp_ctx
,
306 if (!NT_STATUS_IS_OK(nt_status
)) {
308 * If we don't find element 'i' we won't find
315 * We choose to avoid any issues
316 * around different LM and NT history
317 * lengths by only checking the NT
320 if (nt_history_pwd
== NULL
) {
322 * If we don't find element 'i' we won't find
328 /* Skip over all-zero hashes in the history */
329 if (memcmp(nt_history_pwd
->hash
, zero_hash
.hash
, 16) == 0) {
334 * This looks odd, but the password_hash module writes this in if
335 * (somehow) we didn't have an old NT hash
338 E_md4hash("", zero_string_hash
.hash
);
339 if (memcmp(nt_history_pwd
->hash
, zero_string_hash
.hash
, 16) == 0) {
343 E_deshash("", zero_string_des_hash
.hash
);
344 if (!lm_history_pwd
|| memcmp(lm_history_pwd
->hash
, zero_string_des_hash
.hash
, 16) == 0) {
345 lm_history_pwd
= NULL
;
348 auth_status
= authsam_password_ok(auth_context
, tmp_ctx
,
355 if (!NT_STATUS_IS_OK(auth_status
)) {
357 * If this was not a correct password, try the next
358 * one from the history
360 *user_sess_key
= data_blob_null
;
361 *lm_sess_key
= data_blob_null
;
367 * The authentication was OK, but not against
368 * the previous password, which is stored at index 1.
370 * We just return the original wrong password.
371 * This skips the update of the bad pwd count,
372 * because this is almost certainly user error
373 * (or automatic login on a computer using a cached
374 * password from before the password change),
377 TALLOC_FREE(tmp_ctx
);
378 return NT_STATUS_WRONG_PASSWORD
;
381 if (user_info
->password_state
!= AUTH_PASSWORD_RESPONSE
) {
383 * The authentication was OK against the previous password,
384 * but it's not a NTLM network authentication.
386 * We just return the original wrong password.
387 * This skips the update of the bad pwd count,
388 * because this is almost certainly user error
389 * (or automatic login on a computer using a cached
390 * password from before the password change),
393 TALLOC_FREE(tmp_ctx
);
394 return NT_STATUS_WRONG_PASSWORD
;
398 * If the password was OK, it's a NTLM network authentication
399 * and it was the previous password.
401 * Now we see if it is within the grace period,
402 * so that we don't break cached sessions on other computers
403 * before the user can lock and unlock their other screens
404 * (resetting their cached password).
406 * See http://support.microsoft.com/kb/906305
407 * OldPasswordAllowedPeriod ("old password allowed period")
408 * is specified in minutes. The default is 60.
410 allowed_period_mins
= lpcfg_old_password_allowed_period(auth_context
->lp_ctx
);
412 * NTTIME uses 100ns units
414 allowed_period
= allowed_period_mins
* 60 * 1000*1000*10;
415 pwdLastSet
= samdb_result_nttime(msg
, "pwdLastSet", 0);
416 unix_to_nt_time(&now
, time(NULL
));
418 if (now
< pwdLastSet
) {
422 * We just return the original wrong password.
423 * This skips the update of the bad pwd count,
424 * because this is almost certainly user error
425 * (or automatic login on a computer using a cached
426 * password from before the password change),
429 TALLOC_FREE(tmp_ctx
);
430 return NT_STATUS_WRONG_PASSWORD
;
433 if ((now
- pwdLastSet
) >= allowed_period
) {
435 * The allowed period is over.
437 * We just return the original wrong password.
438 * This skips the update of the bad pwd count,
439 * because this is almost certainly user error
440 * (or automatic login on a computer using a cached
441 * password from before the password change),
444 TALLOC_FREE(tmp_ctx
);
445 return NT_STATUS_WRONG_PASSWORD
;
449 * We finally allow the authentication with the
450 * previous password within the allowed period.
452 if (user_sess_key
->data
) {
453 talloc_steal(mem_ctx
, user_sess_key
->data
);
455 if (lm_sess_key
->data
) {
456 talloc_steal(mem_ctx
, lm_sess_key
->data
);
459 TALLOC_FREE(tmp_ctx
);
464 * If we are not in the allowed period or match an old password,
465 * we didn't return early. Now update the badPwdCount et al.
467 nt_status
= authsam_update_bad_pwd_count(auth_context
->sam_ctx
,
469 if (!NT_STATUS_IS_OK(nt_status
)) {
471 * We need to return the original
472 * NT_STATUS_WRONG_PASSWORD error, so there isn't
473 * anything more we can do than write something into
476 DEBUG(0, ("Failed to note bad password for user [%s]: %s\n",
477 user_info
->mapped
.account_name
,
478 nt_errstr(nt_status
)));
481 TALLOC_FREE(tmp_ctx
);
482 return NT_STATUS_WRONG_PASSWORD
;
485 static NTSTATUS
authsam_authenticate(struct auth4_context
*auth_context
,
486 TALLOC_CTX
*mem_ctx
, struct ldb_context
*sam_ctx
,
487 struct ldb_dn
*domain_dn
,
488 struct ldb_message
*msg
,
489 const struct auth_usersupplied_info
*user_info
,
490 DATA_BLOB
*user_sess_key
, DATA_BLOB
*lm_sess_key
)
493 uint16_t acct_flags
= samdb_result_acct_flags(msg
, NULL
);
494 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
496 return NT_STATUS_NO_MEMORY
;
499 /* You can only do an interactive login to normal accounts */
500 if (user_info
->flags
& USER_INFO_INTERACTIVE_LOGON
) {
501 if (!(acct_flags
& ACB_NORMAL
)) {
502 TALLOC_FREE(tmp_ctx
);
503 return NT_STATUS_NO_SUCH_USER
;
507 nt_status
= authsam_password_check_and_record(auth_context
, tmp_ctx
,
508 domain_dn
, msg
, acct_flags
,
510 user_sess_key
, lm_sess_key
);
511 if (!NT_STATUS_IS_OK(nt_status
)) {
512 TALLOC_FREE(tmp_ctx
);
516 nt_status
= authsam_account_ok(tmp_ctx
, auth_context
->sam_ctx
,
517 user_info
->logon_parameters
,
520 user_info
->workstation_name
,
521 user_info
->mapped
.account_name
,
523 if (!NT_STATUS_IS_OK(nt_status
)) {
524 TALLOC_FREE(tmp_ctx
);
528 nt_status
= authsam_zero_bad_pwd_count(auth_context
->sam_ctx
, msg
);
529 if (!NT_STATUS_IS_OK(nt_status
)) {
530 TALLOC_FREE(tmp_ctx
);
534 if (user_sess_key
&& user_sess_key
->data
) {
535 talloc_steal(mem_ctx
, user_sess_key
->data
);
537 if (lm_sess_key
&& lm_sess_key
->data
) {
538 talloc_steal(mem_ctx
, lm_sess_key
->data
);
541 TALLOC_FREE(tmp_ctx
);
547 static NTSTATUS
authsam_check_password_internals(struct auth_method_context
*ctx
,
549 const struct auth_usersupplied_info
*user_info
,
550 struct auth_user_info_dc
**user_info_dc
)
553 const char *account_name
= user_info
->mapped
.account_name
;
554 struct ldb_message
*msg
;
555 struct ldb_dn
*domain_dn
;
556 DATA_BLOB user_sess_key
, lm_sess_key
;
559 if (ctx
->auth_ctx
->sam_ctx
== NULL
) {
560 DEBUG(0, ("No SAM available, cannot log in users\n"));
561 return NT_STATUS_INVALID_SYSTEM_SERVICE
;
564 if (!account_name
|| !*account_name
) {
566 return NT_STATUS_NOT_IMPLEMENTED
;
569 tmp_ctx
= talloc_new(mem_ctx
);
571 return NT_STATUS_NO_MEMORY
;
574 domain_dn
= ldb_get_default_basedn(ctx
->auth_ctx
->sam_ctx
);
575 if (domain_dn
== NULL
) {
576 talloc_free(tmp_ctx
);
577 return NT_STATUS_NO_SUCH_DOMAIN
;
580 nt_status
= authsam_search_account(tmp_ctx
, ctx
->auth_ctx
->sam_ctx
, account_name
, domain_dn
, &msg
);
581 if (!NT_STATUS_IS_OK(nt_status
)) {
582 talloc_free(tmp_ctx
);
586 nt_status
= authsam_authenticate(ctx
->auth_ctx
, tmp_ctx
, ctx
->auth_ctx
->sam_ctx
, domain_dn
, msg
, user_info
,
587 &user_sess_key
, &lm_sess_key
);
588 if (!NT_STATUS_IS_OK(nt_status
)) {
589 talloc_free(tmp_ctx
);
593 nt_status
= authsam_make_user_info_dc(tmp_ctx
, ctx
->auth_ctx
->sam_ctx
, lpcfg_netbios_name(ctx
->auth_ctx
->lp_ctx
),
594 lpcfg_sam_name(ctx
->auth_ctx
->lp_ctx
),
597 user_sess_key
, lm_sess_key
,
599 if (!NT_STATUS_IS_OK(nt_status
)) {
600 talloc_free(tmp_ctx
);
604 talloc_steal(mem_ctx
, *user_info_dc
);
605 talloc_free(tmp_ctx
);
610 static NTSTATUS
authsam_ignoredomain_want_check(struct auth_method_context
*ctx
,
612 const struct auth_usersupplied_info
*user_info
)
614 if (!user_info
->mapped
.account_name
|| !*user_info
->mapped
.account_name
) {
615 return NT_STATUS_NOT_IMPLEMENTED
;
621 /****************************************************************************
622 Check SAM security (above) but with a few extra checks.
623 ****************************************************************************/
624 static NTSTATUS
authsam_want_check(struct auth_method_context
*ctx
,
626 const struct auth_usersupplied_info
*user_info
)
628 bool is_local_name
, is_my_domain
;
630 if (!user_info
->mapped
.account_name
|| !*user_info
->mapped
.account_name
) {
631 return NT_STATUS_NOT_IMPLEMENTED
;
634 is_local_name
= lpcfg_is_myname(ctx
->auth_ctx
->lp_ctx
,
635 user_info
->mapped
.domain_name
);
636 is_my_domain
= lpcfg_is_mydomain(ctx
->auth_ctx
->lp_ctx
,
637 user_info
->mapped
.domain_name
);
639 /* check whether or not we service this domain/workgroup name */
640 switch (lpcfg_server_role(ctx
->auth_ctx
->lp_ctx
)) {
641 case ROLE_STANDALONE
:
644 case ROLE_DOMAIN_MEMBER
:
645 if (!is_local_name
) {
646 DEBUG(6,("authsam_check_password: %s is not one of my local names (DOMAIN_MEMBER)\n",
647 user_info
->mapped
.domain_name
));
648 return NT_STATUS_NOT_IMPLEMENTED
;
652 case ROLE_ACTIVE_DIRECTORY_DC
:
653 if (!is_local_name
&& !is_my_domain
) {
654 DEBUG(6,("authsam_check_password: %s is not one of my local names or domain name (DC)\n",
655 user_info
->mapped
.domain_name
));
656 return NT_STATUS_NOT_IMPLEMENTED
;
661 DEBUG(6,("authsam_check_password: lpcfg_server_role() has an undefined value\n"));
662 return NT_STATUS_NOT_IMPLEMENTED
;
666 /* Wrapper for the auth subsystem pointer */
667 static NTSTATUS
authsam_get_user_info_dc_principal_wrapper(TALLOC_CTX
*mem_ctx
,
668 struct auth4_context
*auth_context
,
669 const char *principal
,
670 struct ldb_dn
*user_dn
,
671 struct auth_user_info_dc
**user_info_dc
)
673 return authsam_get_user_info_dc_principal(mem_ctx
, auth_context
->lp_ctx
, auth_context
->sam_ctx
,
674 principal
, user_dn
, user_info_dc
);
676 static const struct auth_operations sam_ignoredomain_ops
= {
677 .name
= "sam_ignoredomain",
678 .want_check
= authsam_ignoredomain_want_check
,
679 .check_password
= authsam_check_password_internals
,
680 .get_user_info_dc_principal
= authsam_get_user_info_dc_principal_wrapper
,
681 .flags
= AUTH_METHOD_LOCAL_SAM
684 static const struct auth_operations sam_ops
= {
686 .want_check
= authsam_want_check
,
687 .check_password
= authsam_check_password_internals
,
688 .get_user_info_dc_principal
= authsam_get_user_info_dc_principal_wrapper
,
689 .flags
= AUTH_METHOD_LOCAL_SAM
692 _PUBLIC_ NTSTATUS
auth4_sam_init(void);
693 _PUBLIC_ NTSTATUS
auth4_sam_init(void)
697 ret
= auth_register(&sam_ops
);
698 if (!NT_STATUS_IS_OK(ret
)) {
699 DEBUG(0,("Failed to register 'sam' auth backend!\n"));
703 ret
= auth_register(&sam_ignoredomain_ops
);
704 if (!NT_STATUS_IS_OK(ret
)) {
705 DEBUG(0,("Failed to register 'sam_ignoredomain' auth backend!\n"));