s3:auth/server_info: the primary rid should be in the groups rid array (bug #8798)
[Samba.git] / source3 / winbindd / winbindd_pam.c
blob4c078dfadee5f9201e72175f5b07694b01c318b0
1 /*
2 Unix SMB/CIFS implementation.
4 Winbind daemon - pam auth funcions
6 Copyright (C) Andrew Tridgell 2000
7 Copyright (C) Tim Potter 2001
8 Copyright (C) Andrew Bartlett 2001-2002
9 Copyright (C) Guenther Deschner 2005
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "includes.h"
26 #include "winbindd.h"
27 #include "../libcli/auth/libcli_auth.h"
28 #include "../librpc/gen_ndr/ndr_samr_c.h"
29 #include "rpc_client/cli_pipe.h"
30 #include "rpc_client/cli_samr.h"
31 #include "../librpc/gen_ndr/ndr_netlogon.h"
32 #include "rpc_client/cli_netlogon.h"
33 #include "smb_krb5.h"
34 #include "../lib/crypto/arcfour.h"
35 #include "../libcli/security/security.h"
36 #include "ads.h"
37 #include "../librpc/gen_ndr/krb5pac.h"
38 #include "passdb/machine_sid.h"
39 #include "auth.h"
41 #undef DBGC_CLASS
42 #define DBGC_CLASS DBGC_WINBIND
44 #define LOGON_KRB5_FAIL_CLOCK_SKEW 0x02000000
46 static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx,
47 struct winbindd_response *resp,
48 struct netr_SamInfo3 *info3)
50 char *ex;
51 uint32_t i;
53 resp->data.auth.info3.logon_time =
54 nt_time_to_unix(info3->base.last_logon);
55 resp->data.auth.info3.logoff_time =
56 nt_time_to_unix(info3->base.last_logoff);
57 resp->data.auth.info3.kickoff_time =
58 nt_time_to_unix(info3->base.acct_expiry);
59 resp->data.auth.info3.pass_last_set_time =
60 nt_time_to_unix(info3->base.last_password_change);
61 resp->data.auth.info3.pass_can_change_time =
62 nt_time_to_unix(info3->base.allow_password_change);
63 resp->data.auth.info3.pass_must_change_time =
64 nt_time_to_unix(info3->base.force_password_change);
66 resp->data.auth.info3.logon_count = info3->base.logon_count;
67 resp->data.auth.info3.bad_pw_count = info3->base.bad_password_count;
69 resp->data.auth.info3.user_rid = info3->base.rid;
70 resp->data.auth.info3.group_rid = info3->base.primary_gid;
71 sid_to_fstring(resp->data.auth.info3.dom_sid, info3->base.domain_sid);
73 resp->data.auth.info3.num_groups = info3->base.groups.count;
74 resp->data.auth.info3.user_flgs = info3->base.user_flags;
76 resp->data.auth.info3.acct_flags = info3->base.acct_flags;
77 resp->data.auth.info3.num_other_sids = info3->sidcount;
79 fstrcpy(resp->data.auth.info3.user_name,
80 info3->base.account_name.string);
81 fstrcpy(resp->data.auth.info3.full_name,
82 info3->base.full_name.string);
83 fstrcpy(resp->data.auth.info3.logon_script,
84 info3->base.logon_script.string);
85 fstrcpy(resp->data.auth.info3.profile_path,
86 info3->base.profile_path.string);
87 fstrcpy(resp->data.auth.info3.home_dir,
88 info3->base.home_directory.string);
89 fstrcpy(resp->data.auth.info3.dir_drive,
90 info3->base.home_drive.string);
92 fstrcpy(resp->data.auth.info3.logon_srv,
93 info3->base.logon_server.string);
94 fstrcpy(resp->data.auth.info3.logon_dom,
95 info3->base.domain.string);
97 ex = talloc_strdup(mem_ctx, "");
98 NT_STATUS_HAVE_NO_MEMORY(ex);
100 for (i=0; i < info3->base.groups.count; i++) {
101 ex = talloc_asprintf_append_buffer(ex, "0x%08X:0x%08X\n",
102 info3->base.groups.rids[i].rid,
103 info3->base.groups.rids[i].attributes);
104 NT_STATUS_HAVE_NO_MEMORY(ex);
107 for (i=0; i < info3->sidcount; i++) {
108 char *sid;
110 sid = dom_sid_string(mem_ctx, info3->sids[i].sid);
111 NT_STATUS_HAVE_NO_MEMORY(sid);
113 ex = talloc_asprintf_append_buffer(ex, "%s:0x%08X\n",
114 sid,
115 info3->sids[i].attributes);
116 NT_STATUS_HAVE_NO_MEMORY(ex);
118 talloc_free(sid);
121 resp->extra_data.data = ex;
122 resp->length += talloc_get_size(ex);
124 return NT_STATUS_OK;
127 static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx,
128 struct winbindd_response *resp,
129 struct netr_SamInfo3 *info3)
131 DATA_BLOB blob;
132 enum ndr_err_code ndr_err;
134 ndr_err = ndr_push_struct_blob(&blob, mem_ctx, info3,
135 (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3);
136 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
137 DEBUG(0,("append_info3_as_ndr: failed to append\n"));
138 return ndr_map_error2ntstatus(ndr_err);
141 resp->extra_data.data = blob.data;
142 resp->length += blob.length;
144 return NT_STATUS_OK;
147 static NTSTATUS append_unix_username(TALLOC_CTX *mem_ctx,
148 struct winbindd_response *resp,
149 const struct netr_SamInfo3 *info3,
150 const char *name_domain,
151 const char *name_user)
153 /* We've been asked to return the unix username, per
154 'winbind use default domain' settings and the like */
156 const char *nt_username, *nt_domain;
158 nt_domain = talloc_strdup(mem_ctx, info3->base.domain.string);
159 if (!nt_domain) {
160 /* If the server didn't give us one, just use the one
161 * we sent them */
162 nt_domain = name_domain;
165 nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
166 if (!nt_username) {
167 /* If the server didn't give us one, just use the one
168 * we sent them */
169 nt_username = name_user;
172 fill_domain_username(resp->data.auth.unix_username,
173 nt_domain, nt_username, true);
175 DEBUG(5, ("Setting unix username to [%s]\n",
176 resp->data.auth.unix_username));
178 return NT_STATUS_OK;
181 static NTSTATUS append_afs_token(TALLOC_CTX *mem_ctx,
182 struct winbindd_response *resp,
183 const struct netr_SamInfo3 *info3,
184 const char *name_domain,
185 const char *name_user)
187 char *afsname = NULL;
188 char *cell;
189 char *token;
191 afsname = talloc_strdup(mem_ctx, lp_afs_username_map());
192 if (afsname == NULL) {
193 return NT_STATUS_NO_MEMORY;
196 afsname = talloc_string_sub(mem_ctx,
197 lp_afs_username_map(),
198 "%D", name_domain);
199 afsname = talloc_string_sub(mem_ctx, afsname,
200 "%u", name_user);
201 afsname = talloc_string_sub(mem_ctx, afsname,
202 "%U", name_user);
205 struct dom_sid user_sid;
206 fstring sidstr;
208 sid_compose(&user_sid, info3->base.domain_sid,
209 info3->base.rid);
210 sid_to_fstring(sidstr, &user_sid);
211 afsname = talloc_string_sub(mem_ctx, afsname,
212 "%s", sidstr);
215 if (afsname == NULL) {
216 return NT_STATUS_NO_MEMORY;
219 strlower_m(afsname);
221 DEBUG(10, ("Generating token for user %s\n", afsname));
223 cell = strchr(afsname, '@');
225 if (cell == NULL) {
226 return NT_STATUS_NO_MEMORY;
229 *cell = '\0';
230 cell += 1;
232 token = afs_createtoken_str(afsname, cell);
233 if (token == NULL) {
234 return NT_STATUS_OK;
236 resp->extra_data.data = talloc_strdup(mem_ctx, token);
237 if (resp->extra_data.data == NULL) {
238 return NT_STATUS_NO_MEMORY;
240 resp->length += strlen((const char *)resp->extra_data.data)+1;
242 return NT_STATUS_OK;
245 static NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
246 const char *group_sid)
248 * Check whether a user belongs to a group or list of groups.
250 * @param mem_ctx talloc memory context.
251 * @param info3 user information, including group membership info.
252 * @param group_sid One or more groups , separated by commas.
254 * @return NT_STATUS_OK on success,
255 * NT_STATUS_LOGON_FAILURE if the user does not belong,
256 * or other NT_STATUS_IS_ERR(status) for other kinds of failure.
259 struct dom_sid *require_membership_of_sid;
260 uint32_t num_require_membership_of_sid;
261 char *req_sid;
262 const char *p;
263 struct dom_sid sid;
264 size_t i;
265 struct security_token *token;
266 TALLOC_CTX *frame = talloc_stackframe();
267 NTSTATUS status;
269 /* Parse the 'required group' SID */
271 if (!group_sid || !group_sid[0]) {
272 /* NO sid supplied, all users may access */
273 return NT_STATUS_OK;
276 token = talloc_zero(talloc_tos(), struct security_token);
277 if (token == NULL) {
278 DEBUG(0, ("talloc failed\n"));
279 TALLOC_FREE(frame);
280 return NT_STATUS_NO_MEMORY;
283 num_require_membership_of_sid = 0;
284 require_membership_of_sid = NULL;
286 p = group_sid;
288 while (next_token_talloc(talloc_tos(), &p, &req_sid, ",")) {
289 if (!string_to_sid(&sid, req_sid)) {
290 DEBUG(0, ("check_info3_in_group: could not parse %s "
291 "as a SID!", req_sid));
292 TALLOC_FREE(frame);
293 return NT_STATUS_INVALID_PARAMETER;
296 status = add_sid_to_array(talloc_tos(), &sid,
297 &require_membership_of_sid,
298 &num_require_membership_of_sid);
299 if (!NT_STATUS_IS_OK(status)) {
300 DEBUG(0, ("add_sid_to_array failed\n"));
301 TALLOC_FREE(frame);
302 return status;
306 status = sid_array_from_info3(talloc_tos(), info3,
307 &token->sids,
308 &token->num_sids,
309 true, false);
310 if (!NT_STATUS_IS_OK(status)) {
311 TALLOC_FREE(frame);
312 return status;
315 if (!NT_STATUS_IS_OK(status = add_aliases(get_global_sam_sid(),
316 token))
317 || !NT_STATUS_IS_OK(status = add_aliases(&global_sid_Builtin,
318 token))) {
319 DEBUG(3, ("could not add aliases: %s\n",
320 nt_errstr(status)));
321 TALLOC_FREE(frame);
322 return status;
325 security_token_debug(DBGC_CLASS, 10, token);
327 for (i=0; i<num_require_membership_of_sid; i++) {
328 DEBUG(10, ("Checking SID %s\n", sid_string_dbg(
329 &require_membership_of_sid[i])));
330 if (nt_token_check_sid(&require_membership_of_sid[i],
331 token)) {
332 DEBUG(10, ("Access ok\n"));
333 TALLOC_FREE(frame);
334 return NT_STATUS_OK;
338 /* Do not distinguish this error from a wrong username/pw */
340 TALLOC_FREE(frame);
341 return NT_STATUS_LOGON_FAILURE;
344 struct winbindd_domain *find_auth_domain(uint8_t flags,
345 const char *domain_name)
347 struct winbindd_domain *domain;
349 if (IS_DC) {
350 domain = find_domain_from_name_noinit(domain_name);
351 if (domain == NULL) {
352 DEBUG(3, ("Authentication for domain [%s] refused "
353 "as it is not a trusted domain\n",
354 domain_name));
356 return domain;
359 if (strequal(domain_name, get_global_sam_name())) {
360 return find_domain_from_name_noinit(domain_name);
363 /* we can auth against trusted domains */
364 if (flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
365 domain = find_domain_from_name_noinit(domain_name);
366 if (domain == NULL) {
367 DEBUG(3, ("Authentication for domain [%s] skipped "
368 "as it is not a trusted domain\n",
369 domain_name));
370 } else {
371 return domain;
375 return find_our_domain();
378 static void fill_in_password_policy(struct winbindd_response *r,
379 const struct samr_DomInfo1 *p)
381 r->data.auth.policy.min_length_password =
382 p->min_password_length;
383 r->data.auth.policy.password_history =
384 p->password_history_length;
385 r->data.auth.policy.password_properties =
386 p->password_properties;
387 r->data.auth.policy.expire =
388 nt_time_to_unix_abs((NTTIME *)&(p->max_password_age));
389 r->data.auth.policy.min_passwordage =
390 nt_time_to_unix_abs((NTTIME *)&(p->min_password_age));
393 static NTSTATUS fillup_password_policy(struct winbindd_domain *domain,
394 struct winbindd_response *response)
396 TALLOC_CTX *frame = talloc_stackframe();
397 struct winbindd_methods *methods;
398 NTSTATUS status;
399 struct samr_DomInfo1 password_policy;
401 if ( !winbindd_can_contact_domain( domain ) ) {
402 DEBUG(5,("fillup_password_policy: No inbound trust to "
403 "contact domain %s\n", domain->name));
404 status = NT_STATUS_NOT_SUPPORTED;
405 goto done;
408 methods = domain->methods;
410 status = methods->password_policy(domain, talloc_tos(), &password_policy);
411 if (NT_STATUS_IS_ERR(status)) {
412 goto done;
415 fill_in_password_policy(response, &password_policy);
417 done:
418 TALLOC_FREE(frame);
419 return NT_STATUS_OK;
422 static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain *domain,
423 TALLOC_CTX *mem_ctx,
424 uint16 *lockout_threshold)
426 struct winbindd_methods *methods;
427 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
428 struct samr_DomInfo12 lockout_policy;
430 *lockout_threshold = 0;
432 methods = domain->methods;
434 status = methods->lockout_policy(domain, mem_ctx, &lockout_policy);
435 if (NT_STATUS_IS_ERR(status)) {
436 return status;
439 *lockout_threshold = lockout_policy.lockout_threshold;
441 return NT_STATUS_OK;
444 static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
445 TALLOC_CTX *mem_ctx,
446 uint32 *password_properties)
448 struct winbindd_methods *methods;
449 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
450 struct samr_DomInfo1 password_policy;
452 *password_properties = 0;
454 methods = domain->methods;
456 status = methods->password_policy(domain, mem_ctx, &password_policy);
457 if (NT_STATUS_IS_ERR(status)) {
458 return status;
461 *password_properties = password_policy.password_properties;
463 return NT_STATUS_OK;
466 #ifdef HAVE_KRB5
468 static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
469 const char *type,
470 uid_t uid,
471 const char **user_ccache_file)
473 /* accept FILE and WRFILE as krb5_cc_type from the client and then
474 * build the full ccname string based on the user's uid here -
475 * Guenther*/
477 const char *gen_cc = NULL;
479 if (uid != -1) {
480 if (strequal(type, "FILE")) {
481 gen_cc = talloc_asprintf(
482 mem_ctx, "FILE:/tmp/krb5cc_%d", uid);
484 if (strequal(type, "WRFILE")) {
485 gen_cc = talloc_asprintf(
486 mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
490 *user_ccache_file = gen_cc;
492 if (gen_cc == NULL) {
493 gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbindd_pam_ccache");
495 if (gen_cc == NULL) {
496 DEBUG(0,("out of memory\n"));
497 return NULL;
500 DEBUG(10, ("using ccache: %s%s\n", gen_cc,
501 (*user_ccache_file == NULL) ? " (internal)":""));
503 return gen_cc;
506 #endif
508 uid_t get_uid_from_request(struct winbindd_request *request)
510 uid_t uid;
512 uid = request->data.auth.uid;
514 if (uid < 0) {
515 DEBUG(1,("invalid uid: '%u'\n", (unsigned int)uid));
516 return -1;
518 return uid;
521 /**********************************************************************
522 Authenticate a user with a clear text password using Kerberos and fill up
523 ccache if required
524 **********************************************************************/
526 static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
527 struct winbindd_domain *domain,
528 const char *user,
529 const char *pass,
530 const char *krb5_cc_type,
531 uid_t uid,
532 struct netr_SamInfo3 **info3,
533 fstring krb5ccname)
535 #ifdef HAVE_KRB5
536 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
537 krb5_error_code krb5_ret;
538 const char *cc = NULL;
539 const char *principal_s = NULL;
540 const char *service = NULL;
541 char *realm = NULL;
542 fstring name_domain, name_user;
543 time_t ticket_lifetime = 0;
544 time_t renewal_until = 0;
545 ADS_STRUCT *ads;
546 time_t time_offset = 0;
547 const char *user_ccache_file;
548 struct PAC_LOGON_INFO *logon_info = NULL;
550 *info3 = NULL;
552 /* 1st step:
553 * prepare a krb5_cc_cache string for the user */
555 if (uid == -1) {
556 DEBUG(0,("no valid uid\n"));
559 cc = generate_krb5_ccache(mem_ctx,
560 krb5_cc_type,
561 uid,
562 &user_ccache_file);
563 if (cc == NULL) {
564 return NT_STATUS_NO_MEMORY;
568 /* 2nd step:
569 * get kerberos properties */
571 if (domain->private_data) {
572 ads = (ADS_STRUCT *)domain->private_data;
573 time_offset = ads->auth.time_offset;
577 /* 3rd step:
578 * do kerberos auth and setup ccache as the user */
580 parse_domain_user(user, name_domain, name_user);
582 realm = domain->alt_name;
583 strupper_m(realm);
585 principal_s = talloc_asprintf(mem_ctx, "%s@%s", name_user, realm);
586 if (principal_s == NULL) {
587 return NT_STATUS_NO_MEMORY;
590 service = talloc_asprintf(mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
591 if (service == NULL) {
592 return NT_STATUS_NO_MEMORY;
595 /* if this is a user ccache, we need to act as the user to let the krb5
596 * library handle the chown, etc. */
598 /************************ ENTERING NON-ROOT **********************/
600 if (user_ccache_file != NULL) {
601 set_effective_uid(uid);
602 DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
605 result = kerberos_return_pac(mem_ctx,
606 principal_s,
607 pass,
608 time_offset,
609 &ticket_lifetime,
610 &renewal_until,
612 true,
613 true,
614 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
615 NULL,
616 &logon_info);
617 if (user_ccache_file != NULL) {
618 gain_root_privilege();
621 /************************ RETURNED TO ROOT **********************/
623 if (!NT_STATUS_IS_OK(result)) {
624 goto failed;
627 *info3 = &logon_info->info3;
629 DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
630 principal_s));
632 /* if we had a user's ccache then return that string for the pam
633 * environment */
635 if (user_ccache_file != NULL) {
637 fstrcpy(krb5ccname, user_ccache_file);
639 result = add_ccache_to_list(principal_s,
641 service,
642 user,
643 realm,
644 uid,
645 time(NULL),
646 ticket_lifetime,
647 renewal_until,
648 false);
650 if (!NT_STATUS_IS_OK(result)) {
651 DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
652 nt_errstr(result)));
654 } else {
656 /* need to delete the memory cred cache, it is not used anymore */
658 krb5_ret = ads_kdestroy(cc);
659 if (krb5_ret) {
660 DEBUG(3,("winbindd_raw_kerberos_login: "
661 "could not destroy krb5 credential cache: "
662 "%s\n", error_message(krb5_ret)));
667 return NT_STATUS_OK;
669 failed:
671 /* we could have created a new credential cache with a valid tgt in it
672 * but we werent able to get or verify the service ticket for this
673 * local host and therefor didn't get the PAC, we need to remove that
674 * cache entirely now */
676 krb5_ret = ads_kdestroy(cc);
677 if (krb5_ret) {
678 DEBUG(3,("winbindd_raw_kerberos_login: "
679 "could not destroy krb5 credential cache: "
680 "%s\n", error_message(krb5_ret)));
683 if (!NT_STATUS_IS_OK(remove_ccache(user))) {
684 DEBUG(3,("winbindd_raw_kerberos_login: "
685 "could not remove ccache for user %s\n",
686 user));
689 return result;
690 #else
691 return NT_STATUS_NOT_SUPPORTED;
692 #endif /* HAVE_KRB5 */
695 /****************************************************************
696 ****************************************************************/
698 bool check_request_flags(uint32_t flags)
700 uint32_t flags_edata = WBFLAG_PAM_AFS_TOKEN |
701 WBFLAG_PAM_INFO3_TEXT |
702 WBFLAG_PAM_INFO3_NDR;
704 if ( ( (flags & flags_edata) == WBFLAG_PAM_AFS_TOKEN) ||
705 ( (flags & flags_edata) == WBFLAG_PAM_INFO3_NDR) ||
706 ( (flags & flags_edata) == WBFLAG_PAM_INFO3_TEXT)||
707 !(flags & flags_edata) ) {
708 return true;
711 DEBUG(1, ("check_request_flags: invalid request flags[0x%08X]\n",
712 flags));
714 return false;
717 /****************************************************************
718 ****************************************************************/
720 static NTSTATUS append_auth_data(TALLOC_CTX *mem_ctx,
721 struct winbindd_response *resp,
722 uint32_t request_flags,
723 struct netr_SamInfo3 *info3,
724 const char *name_domain,
725 const char *name_user)
727 NTSTATUS result;
729 if (request_flags & WBFLAG_PAM_USER_SESSION_KEY) {
730 memcpy(resp->data.auth.user_session_key,
731 info3->base.key.key,
732 sizeof(resp->data.auth.user_session_key)
733 /* 16 */);
736 if (request_flags & WBFLAG_PAM_LMKEY) {
737 memcpy(resp->data.auth.first_8_lm_hash,
738 info3->base.LMSessKey.key,
739 sizeof(resp->data.auth.first_8_lm_hash)
740 /* 8 */);
743 if (request_flags & WBFLAG_PAM_UNIX_NAME) {
744 result = append_unix_username(mem_ctx, resp,
745 info3, name_domain, name_user);
746 if (!NT_STATUS_IS_OK(result)) {
747 DEBUG(10,("Failed to append Unix Username: %s\n",
748 nt_errstr(result)));
749 return result;
753 /* currently, anything from here on potentially overwrites extra_data. */
755 if (request_flags & WBFLAG_PAM_INFO3_NDR) {
756 result = append_info3_as_ndr(mem_ctx, resp, info3);
757 if (!NT_STATUS_IS_OK(result)) {
758 DEBUG(10,("Failed to append INFO3 (NDR): %s\n",
759 nt_errstr(result)));
760 return result;
764 if (request_flags & WBFLAG_PAM_INFO3_TEXT) {
765 result = append_info3_as_txt(mem_ctx, resp, info3);
766 if (!NT_STATUS_IS_OK(result)) {
767 DEBUG(10,("Failed to append INFO3 (TXT): %s\n",
768 nt_errstr(result)));
769 return result;
773 if (request_flags & WBFLAG_PAM_AFS_TOKEN) {
774 result = append_afs_token(mem_ctx, resp,
775 info3, name_domain, name_user);
776 if (!NT_STATUS_IS_OK(result)) {
777 DEBUG(10,("Failed to append AFS token: %s\n",
778 nt_errstr(result)));
779 return result;
783 return NT_STATUS_OK;
786 static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
787 struct winbindd_cli_state *state,
788 struct netr_SamInfo3 **info3)
790 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
791 uint16 max_allowed_bad_attempts;
792 fstring name_domain, name_user;
793 struct dom_sid sid;
794 enum lsa_SidType type;
795 uchar new_nt_pass[NT_HASH_LEN];
796 const uint8 *cached_nt_pass;
797 const uint8 *cached_salt;
798 struct netr_SamInfo3 *my_info3;
799 time_t kickoff_time, must_change_time;
800 bool password_good = false;
801 #ifdef HAVE_KRB5
802 struct winbindd_tdc_domain *tdc_domain = NULL;
803 #endif
805 *info3 = NULL;
807 ZERO_STRUCTP(info3);
809 DEBUG(10,("winbindd_dual_pam_auth_cached\n"));
811 /* Parse domain and username */
813 parse_domain_user(state->request->data.auth.user, name_domain, name_user);
816 if (!lookup_cached_name(name_domain,
817 name_user,
818 &sid,
819 &type)) {
820 DEBUG(10,("winbindd_dual_pam_auth_cached: no such user in the cache\n"));
821 return NT_STATUS_NO_SUCH_USER;
824 if (type != SID_NAME_USER) {
825 DEBUG(10,("winbindd_dual_pam_auth_cached: not a user (%s)\n", sid_type_lookup(type)));
826 return NT_STATUS_LOGON_FAILURE;
829 result = winbindd_get_creds(domain,
830 state->mem_ctx,
831 &sid,
832 &my_info3,
833 &cached_nt_pass,
834 &cached_salt);
835 if (!NT_STATUS_IS_OK(result)) {
836 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get creds: %s\n", nt_errstr(result)));
837 return result;
840 *info3 = my_info3;
842 E_md4hash(state->request->data.auth.pass, new_nt_pass);
844 dump_data_pw("new_nt_pass", new_nt_pass, NT_HASH_LEN);
845 dump_data_pw("cached_nt_pass", cached_nt_pass, NT_HASH_LEN);
846 if (cached_salt) {
847 dump_data_pw("cached_salt", cached_salt, NT_HASH_LEN);
850 if (cached_salt) {
851 /* In this case we didn't store the nt_hash itself,
852 but the MD5 combination of salt + nt_hash. */
853 uchar salted_hash[NT_HASH_LEN];
854 E_md5hash(cached_salt, new_nt_pass, salted_hash);
856 password_good = (memcmp(cached_nt_pass, salted_hash,
857 NT_HASH_LEN) == 0);
858 } else {
859 /* Old cached cred - direct store of nt_hash (bad bad bad !). */
860 password_good = (memcmp(cached_nt_pass, new_nt_pass,
861 NT_HASH_LEN) == 0);
864 if (password_good) {
866 /* User *DOES* know the password, update logon_time and reset
867 * bad_pw_count */
869 my_info3->base.user_flags |= NETLOGON_CACHED_ACCOUNT;
871 if (my_info3->base.acct_flags & ACB_AUTOLOCK) {
872 return NT_STATUS_ACCOUNT_LOCKED_OUT;
875 if (my_info3->base.acct_flags & ACB_DISABLED) {
876 return NT_STATUS_ACCOUNT_DISABLED;
879 if (my_info3->base.acct_flags & ACB_WSTRUST) {
880 return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
883 if (my_info3->base.acct_flags & ACB_SVRTRUST) {
884 return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
887 if (my_info3->base.acct_flags & ACB_DOMTRUST) {
888 return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
891 if (!(my_info3->base.acct_flags & ACB_NORMAL)) {
892 DEBUG(0,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
893 my_info3->base.acct_flags));
894 return NT_STATUS_LOGON_FAILURE;
897 kickoff_time = nt_time_to_unix(my_info3->base.acct_expiry);
898 if (kickoff_time != 0 && time(NULL) > kickoff_time) {
899 return NT_STATUS_ACCOUNT_EXPIRED;
902 must_change_time = nt_time_to_unix(my_info3->base.force_password_change);
903 if (must_change_time != 0 && must_change_time < time(NULL)) {
904 /* we allow grace logons when the password has expired */
905 my_info3->base.user_flags |= NETLOGON_GRACE_LOGON;
906 /* return NT_STATUS_PASSWORD_EXPIRED; */
907 goto success;
910 #ifdef HAVE_KRB5
911 if ((state->request->flags & WBFLAG_PAM_KRB5) &&
912 ((tdc_domain = wcache_tdc_fetch_domain(state->mem_ctx, name_domain)) != NULL) &&
913 ((tdc_domain->trust_type & NETR_TRUST_TYPE_UPLEVEL) ||
914 /* used to cope with the case winbindd starting without network. */
915 !strequal(tdc_domain->domain_name, tdc_domain->dns_name))) {
917 uid_t uid = -1;
918 const char *cc = NULL;
919 char *realm = NULL;
920 const char *principal_s = NULL;
921 const char *service = NULL;
922 const char *user_ccache_file;
924 uid = get_uid_from_request(state->request);
925 if (uid == -1) {
926 DEBUG(0,("winbindd_dual_pam_auth_cached: invalid uid\n"));
927 return NT_STATUS_INVALID_PARAMETER;
930 cc = generate_krb5_ccache(state->mem_ctx,
931 state->request->data.auth.krb5_cc_type,
932 state->request->data.auth.uid,
933 &user_ccache_file);
934 if (cc == NULL) {
935 return NT_STATUS_NO_MEMORY;
938 realm = domain->alt_name;
939 strupper_m(realm);
941 principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
942 if (principal_s == NULL) {
943 return NT_STATUS_NO_MEMORY;
946 service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
947 if (service == NULL) {
948 return NT_STATUS_NO_MEMORY;
951 if (user_ccache_file != NULL) {
953 fstrcpy(state->response->data.auth.krb5ccname,
954 user_ccache_file);
956 result = add_ccache_to_list(principal_s,
958 service,
959 state->request->data.auth.user,
960 domain->alt_name,
961 uid,
962 time(NULL),
963 time(NULL) + lp_winbind_cache_time(),
964 time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
965 true);
967 if (!NT_STATUS_IS_OK(result)) {
968 DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
969 "to add ccache to list: %s\n",
970 nt_errstr(result)));
974 #endif /* HAVE_KRB5 */
975 success:
976 /* FIXME: we possibly should handle logon hours as well (does xp when
977 * offline?) see auth/auth_sam.c:sam_account_ok for details */
979 unix_to_nt_time(&my_info3->base.last_logon, time(NULL));
980 my_info3->base.bad_password_count = 0;
982 result = winbindd_update_creds_by_info3(domain,
983 state->request->data.auth.user,
984 state->request->data.auth.pass,
985 my_info3);
986 if (!NT_STATUS_IS_OK(result)) {
987 DEBUG(1,("winbindd_dual_pam_auth_cached: failed to update creds: %s\n",
988 nt_errstr(result)));
989 return result;
992 return NT_STATUS_OK;
996 /* User does *NOT* know the correct password, modify info3 accordingly, but only if online */
997 if (domain->online == false) {
998 goto failed;
1001 /* failure of this is not critical */
1002 result = get_max_bad_attempts_from_lockout_policy(domain, state->mem_ctx, &max_allowed_bad_attempts);
1003 if (!NT_STATUS_IS_OK(result)) {
1004 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get max_allowed_bad_attempts. "
1005 "Won't be able to honour account lockout policies\n"));
1008 /* increase counter */
1009 my_info3->base.bad_password_count++;
1011 if (max_allowed_bad_attempts == 0) {
1012 goto failed;
1015 /* lockout user */
1016 if (my_info3->base.bad_password_count >= max_allowed_bad_attempts) {
1018 uint32 password_properties;
1020 result = get_pwd_properties(domain, state->mem_ctx, &password_properties);
1021 if (!NT_STATUS_IS_OK(result)) {
1022 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
1025 if ((my_info3->base.rid != DOMAIN_RID_ADMINISTRATOR) ||
1026 (password_properties & DOMAIN_PASSWORD_LOCKOUT_ADMINS)) {
1027 my_info3->base.acct_flags |= ACB_AUTOLOCK;
1031 failed:
1032 result = winbindd_update_creds_by_info3(domain,
1033 state->request->data.auth.user,
1034 NULL,
1035 my_info3);
1037 if (!NT_STATUS_IS_OK(result)) {
1038 DEBUG(0,("winbindd_dual_pam_auth_cached: failed to update creds %s\n",
1039 nt_errstr(result)));
1042 return NT_STATUS_LOGON_FAILURE;
1045 static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
1046 struct winbindd_cli_state *state,
1047 struct netr_SamInfo3 **info3)
1049 struct winbindd_domain *contact_domain;
1050 fstring name_domain, name_user;
1051 NTSTATUS result;
1053 DEBUG(10,("winbindd_dual_pam_auth_kerberos\n"));
1055 /* Parse domain and username */
1057 parse_domain_user(state->request->data.auth.user, name_domain, name_user);
1059 /* what domain should we contact? */
1061 if ( IS_DC ) {
1062 if (!(contact_domain = find_domain_from_name(name_domain))) {
1063 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1064 state->request->data.auth.user, name_domain, name_user, name_domain));
1065 result = NT_STATUS_NO_SUCH_USER;
1066 goto done;
1069 } else {
1070 if (is_myname(name_domain)) {
1071 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1072 result = NT_STATUS_NO_SUCH_USER;
1073 goto done;
1076 contact_domain = find_domain_from_name(name_domain);
1077 if (contact_domain == NULL) {
1078 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1079 state->request->data.auth.user, name_domain, name_user, name_domain));
1081 result = NT_STATUS_NO_SUCH_USER;
1082 goto done;
1086 if (contact_domain->initialized &&
1087 contact_domain->active_directory) {
1088 goto try_login;
1091 if (!contact_domain->initialized) {
1092 init_dc_connection(contact_domain);
1095 if (!contact_domain->active_directory) {
1096 DEBUG(3,("krb5 auth requested but domain is not Active Directory\n"));
1097 return NT_STATUS_INVALID_LOGON_TYPE;
1099 try_login:
1100 result = winbindd_raw_kerberos_login(
1101 state->mem_ctx, contact_domain,
1102 state->request->data.auth.user,
1103 state->request->data.auth.pass,
1104 state->request->data.auth.krb5_cc_type,
1105 get_uid_from_request(state->request),
1106 info3, state->response->data.auth.krb5ccname);
1107 done:
1108 return result;
1111 static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
1112 const char *domain, const char *user,
1113 const DATA_BLOB *challenge,
1114 const DATA_BLOB *lm_resp,
1115 const DATA_BLOB *nt_resp,
1116 struct netr_SamInfo3 **pinfo3)
1118 struct auth_usersupplied_info *user_info = NULL;
1119 NTSTATUS status;
1121 status = make_user_info(&user_info, user, user, domain, domain,
1122 global_myname(), lm_resp, nt_resp, NULL, NULL,
1123 NULL, AUTH_PASSWORD_RESPONSE);
1124 if (!NT_STATUS_IS_OK(status)) {
1125 DEBUG(10, ("make_user_info failed: %s\n", nt_errstr(status)));
1126 return status;
1129 /* We don't want any more mapping of the username */
1130 user_info->mapped_state = True;
1132 status = check_sam_security_info3(challenge, talloc_tos(), user_info,
1133 pinfo3);
1134 free_user_info(&user_info);
1135 DEBUG(10, ("Authenticaticating user %s\\%s returned %s\n", domain,
1136 user, nt_errstr(status)));
1137 return status;
1140 static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
1141 TALLOC_CTX *mem_ctx,
1142 uint32_t logon_parameters,
1143 const char *server,
1144 const char *username,
1145 const char *domainname,
1146 const char *workstation,
1147 const uint8_t chal[8],
1148 DATA_BLOB lm_response,
1149 DATA_BLOB nt_response,
1150 struct netr_SamInfo3 **info3)
1152 int attempts = 0;
1153 bool retry = false;
1154 NTSTATUS result;
1156 do {
1157 struct rpc_pipe_client *netlogon_pipe;
1158 const struct pipe_auth_data *auth;
1159 uint32_t neg_flags = 0;
1161 ZERO_STRUCTP(info3);
1162 retry = false;
1164 result = cm_connect_netlogon(domain, &netlogon_pipe);
1166 if (!NT_STATUS_IS_OK(result)) {
1167 DEBUG(3,("could not open handle to NETLOGON pipe (error: %s)\n",
1168 nt_errstr(result)));
1169 if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) {
1170 if (attempts > 0) {
1171 DEBUG(3, ("This is the second problem for this "
1172 "particular call, forcing the close of "
1173 "this connection\n"));
1174 invalidate_cm_connection(&domain->conn);
1175 } else {
1176 DEBUG(3, ("First call to cm_connect_netlogon "
1177 "has timed out, retrying\n"));
1178 continue;
1181 return result;
1183 auth = netlogon_pipe->auth;
1184 if (netlogon_pipe->dc) {
1185 neg_flags = netlogon_pipe->dc->negotiate_flags;
1188 /* It is really important to try SamLogonEx here,
1189 * because in a clustered environment, we want to use
1190 * one machine account from multiple physical
1191 * computers.
1193 * With a normal SamLogon call, we must keep the
1194 * credentials chain updated and intact between all
1195 * users of the machine account (which would imply
1196 * cross-node communication for every NTLM logon).
1198 * (The credentials chain is not per NETLOGON pipe
1199 * connection, but globally on the server/client pair
1200 * by machine name).
1202 * When using SamLogonEx, the credentials are not
1203 * supplied, but the session key is implied by the
1204 * wrapping SamLogon context.
1206 * -- abartlet 21 April 2008
1208 * It's also important to use NetlogonValidationSamInfo4 (6),
1209 * because it relies on the rpc transport encryption
1210 * and avoids using the global netlogon schannel
1211 * session key to en/decrypt secret information
1212 * like the user_session_key for network logons.
1214 * [MS-APDS] 3.1.5.2 NTLM Network Logon
1215 * says NETLOGON_NEG_CROSS_FOREST_TRUSTS and
1216 * NETLOGON_NEG_AUTHENTICATED_RPC set together
1217 * are the indication that the server supports
1218 * NetlogonValidationSamInfo4 (6). And it must only
1219 * be used if "SealSecureChannel" is used.
1221 * -- metze 4 February 2011
1224 if (auth == NULL) {
1225 domain->can_do_validation6 = false;
1226 } else if (auth->auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
1227 domain->can_do_validation6 = false;
1228 } else if (auth->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
1229 domain->can_do_validation6 = false;
1230 } else if (!(neg_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
1231 domain->can_do_validation6 = false;
1232 } else if (!(neg_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
1233 domain->can_do_validation6 = false;
1236 if (domain->can_do_samlogon_ex && domain->can_do_validation6) {
1237 result = rpccli_netlogon_sam_network_logon_ex(
1238 netlogon_pipe,
1239 mem_ctx,
1240 logon_parameters,
1241 server, /* server name */
1242 username, /* user name */
1243 domainname, /* target domain */
1244 workstation, /* workstation */
1245 chal,
1247 lm_response,
1248 nt_response,
1249 info3);
1250 } else {
1251 result = rpccli_netlogon_sam_network_logon(
1252 netlogon_pipe,
1253 mem_ctx,
1254 logon_parameters,
1255 server, /* server name */
1256 username, /* user name */
1257 domainname, /* target domain */
1258 workstation, /* workstation */
1259 chal,
1260 domain->can_do_validation6 ? 6 : 3,
1261 lm_response,
1262 nt_response,
1263 info3);
1266 if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
1269 * It's likely that the server also does not support
1270 * validation level 6
1272 domain->can_do_validation6 = false;
1274 if (domain->can_do_samlogon_ex) {
1275 DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
1276 "retrying with NetSamLogon\n"));
1277 domain->can_do_samlogon_ex = false;
1278 retry = true;
1279 continue;
1283 /* Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
1284 * (no Ex). This happens against old Samba
1285 * DCs. Drop the connection.
1287 invalidate_cm_connection(&domain->conn);
1288 result = NT_STATUS_LOGON_FAILURE;
1289 break;
1292 if (domain->can_do_validation6 &&
1293 (NT_STATUS_EQUAL(result, NT_STATUS_INVALID_INFO_CLASS) ||
1294 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PARAMETER) ||
1295 NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL))) {
1296 DEBUG(3,("Got a DC that can not do validation level 6, "
1297 "retrying with level 3\n"));
1298 domain->can_do_validation6 = false;
1299 retry = true;
1300 continue;
1304 * we increment this after the "feature negotiation"
1305 * for can_do_samlogon_ex and can_do_validation6
1307 attempts += 1;
1309 /* We have to try a second time as cm_connect_netlogon
1310 might not yet have noticed that the DC has killed
1311 our connection. */
1313 if (!rpccli_is_connected(netlogon_pipe)) {
1314 retry = true;
1315 continue;
1318 /* if we get access denied, a possible cause was that we had
1319 and open connection to the DC, but someone changed our
1320 machine account password out from underneath us using 'net
1321 rpc changetrustpw' */
1323 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1324 DEBUG(3,("winbind_samlogon_retry_loop: sam_logon returned "
1325 "ACCESS_DENIED. Maybe the trust account "
1326 "password was changed and we didn't know it. "
1327 "Killing connections to domain %s\n",
1328 domainname));
1329 invalidate_cm_connection(&domain->conn);
1330 retry = true;
1333 } while ( (attempts < 2) && retry );
1335 if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) {
1336 DEBUG(3,("winbind_samlogon_retry_loop: sam_network_logon(ex) "
1337 "returned NT_STATUS_IO_TIMEOUT after the retry."
1338 "Killing connections to domain %s\n",
1339 domainname));
1340 invalidate_cm_connection(&domain->conn);
1342 return result;
1345 static NTSTATUS winbindd_dual_pam_auth_samlogon(TALLOC_CTX *mem_ctx,
1346 struct winbindd_domain *domain,
1347 const char *user,
1348 const char *pass,
1349 uint32_t request_flags,
1350 struct netr_SamInfo3 **info3)
1353 uchar chal[8];
1354 DATA_BLOB lm_resp;
1355 DATA_BLOB nt_resp;
1356 unsigned char local_nt_response[24];
1357 fstring name_domain, name_user;
1358 NTSTATUS result;
1359 struct netr_SamInfo3 *my_info3 = NULL;
1361 *info3 = NULL;
1363 DEBUG(10,("winbindd_dual_pam_auth_samlogon\n"));
1365 /* Parse domain and username */
1367 parse_domain_user(user, name_domain, name_user);
1369 /* do password magic */
1371 generate_random_buffer(chal, sizeof(chal));
1373 if (lp_client_ntlmv2_auth()) {
1374 DATA_BLOB server_chal;
1375 DATA_BLOB names_blob;
1376 server_chal = data_blob_const(chal, 8);
1378 /* note that the 'workgroup' here is for the local
1379 machine. The 'server name' must match the
1380 'workstation' passed to the actual SamLogon call.
1382 names_blob = NTLMv2_generate_names_blob(
1383 mem_ctx, global_myname(), lp_workgroup());
1385 if (!SMBNTLMv2encrypt(mem_ctx, name_user, name_domain,
1386 pass,
1387 &server_chal,
1388 &names_blob,
1389 &lm_resp, &nt_resp, NULL, NULL)) {
1390 data_blob_free(&names_blob);
1391 DEBUG(0, ("winbindd_pam_auth: SMBNTLMv2encrypt() failed!\n"));
1392 result = NT_STATUS_NO_MEMORY;
1393 goto done;
1395 data_blob_free(&names_blob);
1396 } else {
1397 lm_resp = data_blob_null;
1398 SMBNTencrypt(pass, chal, local_nt_response);
1400 nt_resp = data_blob_talloc(mem_ctx, local_nt_response,
1401 sizeof(local_nt_response));
1404 if (strequal(name_domain, get_global_sam_name())) {
1405 DATA_BLOB chal_blob = data_blob_const(chal, sizeof(chal));
1407 result = winbindd_dual_auth_passdb(
1408 mem_ctx, name_domain, name_user,
1409 &chal_blob, &lm_resp, &nt_resp, info3);
1410 goto done;
1413 /* check authentication loop */
1415 result = winbind_samlogon_retry_loop(domain,
1416 mem_ctx,
1418 domain->dcname,
1419 name_user,
1420 name_domain,
1421 global_myname(),
1422 chal,
1423 lm_resp,
1424 nt_resp,
1425 &my_info3);
1426 if (!NT_STATUS_IS_OK(result)) {
1427 goto done;
1430 /* handle the case where a NT4 DC does not fill in the acct_flags in
1431 * the samlogon reply info3. When accurate info3 is required by the
1432 * caller, we look up the account flags ourselve - gd */
1434 if ((request_flags & WBFLAG_PAM_INFO3_TEXT) &&
1435 NT_STATUS_IS_OK(result) && (my_info3->base.acct_flags == 0)) {
1437 struct rpc_pipe_client *samr_pipe;
1438 struct policy_handle samr_domain_handle, user_pol;
1439 union samr_UserInfo *info = NULL;
1440 NTSTATUS status_tmp, result_tmp;
1441 uint32 acct_flags;
1442 struct dcerpc_binding_handle *b;
1444 status_tmp = cm_connect_sam(domain, mem_ctx,
1445 &samr_pipe, &samr_domain_handle);
1447 if (!NT_STATUS_IS_OK(status_tmp)) {
1448 DEBUG(3, ("could not open handle to SAMR pipe: %s\n",
1449 nt_errstr(status_tmp)));
1450 goto done;
1453 b = samr_pipe->binding_handle;
1455 status_tmp = dcerpc_samr_OpenUser(b, mem_ctx,
1456 &samr_domain_handle,
1457 MAXIMUM_ALLOWED_ACCESS,
1458 my_info3->base.rid,
1459 &user_pol,
1460 &result_tmp);
1462 if (!NT_STATUS_IS_OK(status_tmp)) {
1463 DEBUG(3, ("could not open user handle on SAMR pipe: %s\n",
1464 nt_errstr(status_tmp)));
1465 goto done;
1467 if (!NT_STATUS_IS_OK(result_tmp)) {
1468 DEBUG(3, ("could not open user handle on SAMR pipe: %s\n",
1469 nt_errstr(result_tmp)));
1470 goto done;
1473 status_tmp = dcerpc_samr_QueryUserInfo(b, mem_ctx,
1474 &user_pol,
1476 &info,
1477 &result_tmp);
1479 if (!NT_STATUS_IS_OK(status_tmp)) {
1480 DEBUG(3, ("could not query user info on SAMR pipe: %s\n",
1481 nt_errstr(status_tmp)));
1482 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result_tmp);
1483 goto done;
1485 if (!NT_STATUS_IS_OK(result_tmp)) {
1486 DEBUG(3, ("could not query user info on SAMR pipe: %s\n",
1487 nt_errstr(result_tmp)));
1488 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result_tmp);
1489 goto done;
1492 acct_flags = info->info16.acct_flags;
1494 if (acct_flags == 0) {
1495 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result_tmp);
1496 goto done;
1499 my_info3->base.acct_flags = acct_flags;
1501 DEBUG(10,("successfully retrieved acct_flags 0x%x\n", acct_flags));
1503 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result_tmp);
1506 *info3 = my_info3;
1507 done:
1508 return result;
1511 enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
1512 struct winbindd_cli_state *state)
1514 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
1515 NTSTATUS krb5_result = NT_STATUS_OK;
1516 fstring name_domain, name_user;
1517 char *mapped_user;
1518 fstring domain_user;
1519 struct netr_SamInfo3 *info3 = NULL;
1520 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
1522 /* Ensure null termination */
1523 state->request->data.auth.user[sizeof(state->request->data.auth.user)-1]='\0';
1525 /* Ensure null termination */
1526 state->request->data.auth.pass[sizeof(state->request->data.auth.pass)-1]='\0';
1528 DEBUG(3, ("[%5lu]: dual pam auth %s\n", (unsigned long)state->pid,
1529 state->request->data.auth.user));
1531 /* Parse domain and username */
1533 name_map_status = normalize_name_unmap(state->mem_ctx,
1534 state->request->data.auth.user,
1535 &mapped_user);
1537 /* If the name normalization didnt' actually do anything,
1538 just use the original name */
1540 if (!NT_STATUS_IS_OK(name_map_status) &&
1541 !NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
1543 mapped_user = state->request->data.auth.user;
1546 parse_domain_user(mapped_user, name_domain, name_user);
1548 if ( mapped_user != state->request->data.auth.user ) {
1549 fstr_sprintf( domain_user, "%s%c%s", name_domain,
1550 *lp_winbind_separator(),
1551 name_user );
1552 safe_strcpy( state->request->data.auth.user, domain_user,
1553 sizeof(state->request->data.auth.user)-1 );
1556 if (!domain->online) {
1557 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1558 if (domain->startup) {
1559 /* Logons are very important to users. If we're offline and
1560 we get a request within the first 30 seconds of startup,
1561 try very hard to find a DC and go online. */
1563 DEBUG(10,("winbindd_dual_pam_auth: domain: %s offline and auth "
1564 "request in startup mode.\n", domain->name ));
1566 winbindd_flush_negative_conn_cache(domain);
1567 result = init_dc_connection(domain);
1571 DEBUG(10,("winbindd_dual_pam_auth: domain: %s last was %s\n", domain->name, domain->online ? "online":"offline"));
1573 /* Check for Kerberos authentication */
1574 if (domain->online && (state->request->flags & WBFLAG_PAM_KRB5)) {
1576 result = winbindd_dual_pam_auth_kerberos(domain, state, &info3);
1577 /* save for later */
1578 krb5_result = result;
1581 if (NT_STATUS_IS_OK(result)) {
1582 DEBUG(10,("winbindd_dual_pam_auth_kerberos succeeded\n"));
1583 goto process_result;
1584 } else {
1585 DEBUG(10,("winbindd_dual_pam_auth_kerberos failed: %s\n", nt_errstr(result)));
1588 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
1589 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
1590 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1591 DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
1592 set_domain_offline( domain );
1593 goto cached_logon;
1596 /* there are quite some NT_STATUS errors where there is no
1597 * point in retrying with a samlogon, we explictly have to take
1598 * care not to increase the bad logon counter on the DC */
1600 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_DISABLED) ||
1601 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_EXPIRED) ||
1602 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_LOCKED_OUT) ||
1603 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_LOGON_HOURS) ||
1604 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_WORKSTATION) ||
1605 NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE) ||
1606 NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER) ||
1607 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_EXPIRED) ||
1608 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE) ||
1609 NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD)) {
1610 goto done;
1613 if (state->request->flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
1614 DEBUG(3,("falling back to samlogon\n"));
1615 goto sam_logon;
1616 } else {
1617 goto cached_logon;
1621 sam_logon:
1622 /* Check for Samlogon authentication */
1623 if (domain->online) {
1624 result = winbindd_dual_pam_auth_samlogon(
1625 state->mem_ctx, domain,
1626 state->request->data.auth.user,
1627 state->request->data.auth.pass,
1628 state->request->flags,
1629 &info3);
1631 if (NT_STATUS_IS_OK(result)) {
1632 DEBUG(10,("winbindd_dual_pam_auth_samlogon succeeded\n"));
1633 /* add the Krb5 err if we have one */
1634 if ( NT_STATUS_EQUAL(krb5_result, NT_STATUS_TIME_DIFFERENCE_AT_DC ) ) {
1635 info3->base.user_flags |= LOGON_KRB5_FAIL_CLOCK_SKEW;
1637 goto process_result;
1640 DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n",
1641 nt_errstr(result)));
1643 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
1644 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
1645 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND))
1647 DEBUG(10,("winbindd_dual_pam_auth_samlogon setting domain to offline\n"));
1648 set_domain_offline( domain );
1649 goto cached_logon;
1652 if (domain->online) {
1653 /* We're still online - fail. */
1654 goto done;
1658 cached_logon:
1659 /* Check for Cached logons */
1660 if (!domain->online && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN) &&
1661 lp_winbind_offline_logon()) {
1663 result = winbindd_dual_pam_auth_cached(domain, state, &info3);
1665 if (NT_STATUS_IS_OK(result)) {
1666 DEBUG(10,("winbindd_dual_pam_auth_cached succeeded\n"));
1667 goto process_result;
1668 } else {
1669 DEBUG(10,("winbindd_dual_pam_auth_cached failed: %s\n", nt_errstr(result)));
1670 goto done;
1674 process_result:
1676 if (NT_STATUS_IS_OK(result)) {
1678 struct dom_sid user_sid;
1680 /* In all codepaths where result == NT_STATUS_OK info3 must have
1681 been initialized. */
1682 if (!info3) {
1683 result = NT_STATUS_INTERNAL_ERROR;
1684 goto done;
1687 sid_compose(&user_sid, info3->base.domain_sid,
1688 info3->base.rid);
1690 wcache_invalidate_samlogon(find_domain_from_name(name_domain),
1691 &user_sid);
1692 netsamlogon_cache_store(name_user, info3);
1694 /* save name_to_sid info as early as possible (only if
1695 this is our primary domain so we don't invalidate
1696 the cache entry by storing the seq_num for the wrong
1697 domain). */
1698 if ( domain->primary ) {
1699 cache_name2sid(domain, name_domain, name_user,
1700 SID_NAME_USER, &user_sid);
1703 /* Check if the user is in the right group */
1705 result = check_info3_in_group(
1706 info3,
1707 state->request->data.auth.require_membership_of_sid);
1708 if (!NT_STATUS_IS_OK(result)) {
1709 DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
1710 state->request->data.auth.user,
1711 state->request->data.auth.require_membership_of_sid));
1712 goto done;
1715 result = append_auth_data(state->mem_ctx, state->response,
1716 state->request->flags, info3,
1717 name_domain, name_user);
1718 if (!NT_STATUS_IS_OK(result)) {
1719 goto done;
1722 if ((state->request->flags & WBFLAG_PAM_CACHED_LOGIN)
1723 && lp_winbind_offline_logon()) {
1725 result = winbindd_store_creds(domain,
1726 state->request->data.auth.user,
1727 state->request->data.auth.pass,
1728 info3);
1731 if (state->request->flags & WBFLAG_PAM_GET_PWD_POLICY) {
1732 struct winbindd_domain *our_domain = find_our_domain();
1734 /* This is not entirely correct I believe, but it is
1735 consistent. Only apply the password policy settings
1736 too warn users for our own domain. Cannot obtain these
1737 from trusted DCs all the time so don't do it at all.
1738 -- jerry */
1740 result = NT_STATUS_NOT_SUPPORTED;
1741 if (our_domain == domain ) {
1742 result = fillup_password_policy(
1743 our_domain, state->response);
1746 if (!NT_STATUS_IS_OK(result)
1747 && !NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) )
1749 DEBUG(10,("Failed to get password policies for domain %s: %s\n",
1750 domain->name, nt_errstr(result)));
1751 goto done;
1755 result = NT_STATUS_OK;
1758 done:
1759 /* give us a more useful (more correct?) error code */
1760 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
1761 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
1762 result = NT_STATUS_NO_LOGON_SERVERS;
1765 set_auth_errors(state->response, result);
1767 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
1768 state->request->data.auth.user,
1769 state->response->data.auth.nt_status_string,
1770 state->response->data.auth.pam_error));
1772 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1775 enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
1776 struct winbindd_cli_state *state)
1778 NTSTATUS result;
1779 struct netr_SamInfo3 *info3 = NULL;
1780 const char *name_user = NULL;
1781 const char *name_domain = NULL;
1782 const char *workstation;
1784 DATA_BLOB lm_resp, nt_resp;
1786 /* This is child-only, so no check for privileged access is needed
1787 anymore */
1789 /* Ensure null termination */
1790 state->request->data.auth_crap.user[sizeof(state->request->data.auth_crap.user)-1]=0;
1791 state->request->data.auth_crap.domain[sizeof(state->request->data.auth_crap.domain)-1]=0;
1793 name_user = state->request->data.auth_crap.user;
1794 name_domain = state->request->data.auth_crap.domain;
1795 workstation = state->request->data.auth_crap.workstation;
1797 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
1798 name_domain, name_user));
1800 if (state->request->data.auth_crap.lm_resp_len > sizeof(state->request->data.auth_crap.lm_resp)
1801 || state->request->data.auth_crap.nt_resp_len > sizeof(state->request->data.auth_crap.nt_resp)) {
1802 if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
1803 state->request->extra_len != state->request->data.auth_crap.nt_resp_len) {
1804 DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
1805 state->request->data.auth_crap.lm_resp_len,
1806 state->request->data.auth_crap.nt_resp_len));
1807 result = NT_STATUS_INVALID_PARAMETER;
1808 goto done;
1812 lm_resp = data_blob_talloc(state->mem_ctx, state->request->data.auth_crap.lm_resp,
1813 state->request->data.auth_crap.lm_resp_len);
1815 if (state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) {
1816 nt_resp = data_blob_talloc(state->mem_ctx,
1817 state->request->extra_data.data,
1818 state->request->data.auth_crap.nt_resp_len);
1819 } else {
1820 nt_resp = data_blob_talloc(state->mem_ctx,
1821 state->request->data.auth_crap.nt_resp,
1822 state->request->data.auth_crap.nt_resp_len);
1825 if (strequal(name_domain, get_global_sam_name())) {
1826 DATA_BLOB chal_blob = data_blob_const(
1827 state->request->data.auth_crap.chal,
1828 sizeof(state->request->data.auth_crap.chal));
1830 result = winbindd_dual_auth_passdb(
1831 state->mem_ctx, name_domain, name_user,
1832 &chal_blob, &lm_resp, &nt_resp, &info3);
1833 goto process_result;
1836 result = winbind_samlogon_retry_loop(domain,
1837 state->mem_ctx,
1838 state->request->data.auth_crap.logon_parameters,
1839 domain->dcname,
1840 name_user,
1841 name_domain,
1842 /* Bug #3248 - found by Stefan Burkei. */
1843 workstation, /* We carefully set this above so use it... */
1844 state->request->data.auth_crap.chal,
1845 lm_resp,
1846 nt_resp,
1847 &info3);
1848 if (!NT_STATUS_IS_OK(result)) {
1849 goto done;
1852 process_result:
1854 if (NT_STATUS_IS_OK(result)) {
1855 struct dom_sid user_sid;
1857 sid_compose(&user_sid, info3->base.domain_sid,
1858 info3->base.rid);
1859 wcache_invalidate_samlogon(find_domain_from_name(name_domain),
1860 &user_sid);
1861 netsamlogon_cache_store(name_user, info3);
1863 /* Check if the user is in the right group */
1865 result = check_info3_in_group(
1866 info3,
1867 state->request->data.auth_crap.require_membership_of_sid);
1868 if (!NT_STATUS_IS_OK(result)) {
1869 DEBUG(3, ("User %s is not in the required group (%s), so "
1870 "crap authentication is rejected\n",
1871 state->request->data.auth_crap.user,
1872 state->request->data.auth_crap.require_membership_of_sid));
1873 goto done;
1876 result = append_auth_data(state->mem_ctx, state->response,
1877 state->request->flags, info3,
1878 name_domain, name_user);
1879 if (!NT_STATUS_IS_OK(result)) {
1880 goto done;
1884 done:
1886 /* give us a more useful (more correct?) error code */
1887 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
1888 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
1889 result = NT_STATUS_NO_LOGON_SERVERS;
1892 if (state->request->flags & WBFLAG_PAM_NT_STATUS_SQUASH) {
1893 result = nt_status_squash(result);
1896 set_auth_errors(state->response, result);
1898 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
1899 ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n",
1900 name_domain,
1901 name_user,
1902 state->response->data.auth.nt_status_string,
1903 state->response->data.auth.pam_error));
1905 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1908 enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact_domain,
1909 struct winbindd_cli_state *state)
1911 char *oldpass;
1912 char *newpass = NULL;
1913 struct policy_handle dom_pol;
1914 struct rpc_pipe_client *cli = NULL;
1915 bool got_info = false;
1916 struct samr_DomInfo1 *info = NULL;
1917 struct userPwdChangeFailureInformation *reject = NULL;
1918 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1919 fstring domain, user;
1920 struct dcerpc_binding_handle *b = NULL;
1922 ZERO_STRUCT(dom_pol);
1924 DEBUG(3, ("[%5lu]: dual pam chauthtok %s\n", (unsigned long)state->pid,
1925 state->request->data.auth.user));
1927 if (!parse_domain_user(state->request->data.chauthtok.user, domain, user)) {
1928 goto done;
1931 /* Change password */
1933 oldpass = state->request->data.chauthtok.oldpass;
1934 newpass = state->request->data.chauthtok.newpass;
1936 /* Initialize reject reason */
1937 state->response->data.auth.reject_reason = Undefined;
1939 /* Get sam handle */
1941 result = cm_connect_sam(contact_domain, state->mem_ctx, &cli,
1942 &dom_pol);
1943 if (!NT_STATUS_IS_OK(result)) {
1944 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
1945 goto done;
1948 b = cli->binding_handle;
1950 result = rpccli_samr_chgpasswd_user3(cli, state->mem_ctx,
1951 user,
1952 newpass,
1953 oldpass,
1954 &info,
1955 &reject);
1957 /* Windows 2003 returns NT_STATUS_PASSWORD_RESTRICTION */
1959 if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) ) {
1961 fill_in_password_policy(state->response, info);
1963 state->response->data.auth.reject_reason =
1964 reject->extendedFailureReason;
1966 got_info = true;
1969 /* atm the pidl generated rpccli_samr_ChangePasswordUser3 function will
1970 * return with NT_STATUS_BUFFER_TOO_SMALL for w2k dcs as w2k just
1971 * returns with 4byte error code (NT_STATUS_NOT_SUPPORTED) which is too
1972 * short to comply with the samr_ChangePasswordUser3 idl - gd */
1974 /* only fallback when the chgpasswd_user3 call is not supported */
1975 if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE) ||
1976 NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) ||
1977 NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL) ||
1978 NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
1980 DEBUG(10,("Password change with chgpasswd_user3 failed with: %s, retrying chgpasswd_user2\n",
1981 nt_errstr(result)));
1983 result = rpccli_samr_chgpasswd_user2(cli, state->mem_ctx, user, newpass, oldpass);
1985 /* Windows 2000 returns NT_STATUS_ACCOUNT_RESTRICTION.
1986 Map to the same status code as Windows 2003. */
1988 if ( NT_STATUS_EQUAL(NT_STATUS_ACCOUNT_RESTRICTION, result ) ) {
1989 result = NT_STATUS_PASSWORD_RESTRICTION;
1993 done:
1995 if (NT_STATUS_IS_OK(result)
1996 && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN)
1997 && lp_winbind_offline_logon()) {
1998 result = winbindd_update_creds_by_name(contact_domain, user,
1999 newpass);
2000 /* Again, this happens when we login from gdm or xdm
2001 * and the password expires, *BUT* cached crendentials
2002 * doesn't exist. winbindd_update_creds_by_name()
2003 * returns NT_STATUS_NO_SUCH_USER.
2004 * This is not a failure.
2005 * --- BoYang
2006 * */
2007 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
2008 result = NT_STATUS_OK;
2011 if (!NT_STATUS_IS_OK(result)) {
2012 DEBUG(10, ("Failed to store creds: %s\n",
2013 nt_errstr(result)));
2014 goto process_result;
2018 if (!NT_STATUS_IS_OK(result) && !got_info && contact_domain) {
2020 NTSTATUS policy_ret;
2022 policy_ret = fillup_password_policy(
2023 contact_domain, state->response);
2025 /* failure of this is non critical, it will just provide no
2026 * additional information to the client why the change has
2027 * failed - Guenther */
2029 if (!NT_STATUS_IS_OK(policy_ret)) {
2030 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(policy_ret)));
2031 goto process_result;
2035 process_result:
2037 if (strequal(contact_domain->name, get_global_sam_name())) {
2038 /* FIXME: internal rpc pipe does not cache handles yet */
2039 if (b) {
2040 if (is_valid_policy_hnd(&dom_pol)) {
2041 NTSTATUS _result;
2042 dcerpc_samr_Close(b, state->mem_ctx, &dom_pol, &_result);
2044 TALLOC_FREE(cli);
2048 set_auth_errors(state->response, result);
2050 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2051 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2052 domain,
2053 user,
2054 state->response->data.auth.nt_status_string,
2055 state->response->data.auth.pam_error));
2057 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2060 enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
2061 struct winbindd_cli_state *state)
2063 NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
2065 DEBUG(3, ("[%5lu]: pam dual logoff %s\n", (unsigned long)state->pid,
2066 state->request->data.logoff.user));
2068 if (!(state->request->flags & WBFLAG_PAM_KRB5)) {
2069 result = NT_STATUS_OK;
2070 goto process_result;
2073 if (state->request->data.logoff.krb5ccname[0] == '\0') {
2074 result = NT_STATUS_OK;
2075 goto process_result;
2078 #ifdef HAVE_KRB5
2080 if (state->request->data.logoff.uid < 0) {
2081 DEBUG(0,("winbindd_pam_logoff: invalid uid\n"));
2082 goto process_result;
2085 /* what we need here is to find the corresponding krb5 ccache name *we*
2086 * created for a given username and destroy it */
2088 if (!ccache_entry_exists(state->request->data.logoff.user)) {
2089 result = NT_STATUS_OK;
2090 DEBUG(10,("winbindd_pam_logoff: no entry found.\n"));
2091 goto process_result;
2094 if (!ccache_entry_identical(state->request->data.logoff.user,
2095 state->request->data.logoff.uid,
2096 state->request->data.logoff.krb5ccname)) {
2097 DEBUG(0,("winbindd_pam_logoff: cached entry differs.\n"));
2098 goto process_result;
2101 result = remove_ccache(state->request->data.logoff.user);
2102 if (!NT_STATUS_IS_OK(result)) {
2103 DEBUG(0,("winbindd_pam_logoff: failed to remove ccache: %s\n",
2104 nt_errstr(result)));
2105 goto process_result;
2108 #else
2109 result = NT_STATUS_NOT_SUPPORTED;
2110 #endif
2112 process_result:
2115 set_auth_errors(state->response, result);
2117 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2120 /* Change user password with auth crap*/
2122 enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domain *domainSt, struct winbindd_cli_state *state)
2124 NTSTATUS result;
2125 DATA_BLOB new_nt_password;
2126 DATA_BLOB old_nt_hash_enc;
2127 DATA_BLOB new_lm_password;
2128 DATA_BLOB old_lm_hash_enc;
2129 fstring domain,user;
2130 struct policy_handle dom_pol;
2131 struct winbindd_domain *contact_domain = domainSt;
2132 struct rpc_pipe_client *cli = NULL;
2133 struct dcerpc_binding_handle *b = NULL;
2135 ZERO_STRUCT(dom_pol);
2137 /* Ensure null termination */
2138 state->request->data.chng_pswd_auth_crap.user[
2139 sizeof(state->request->data.chng_pswd_auth_crap.user)-1]=0;
2140 state->request->data.chng_pswd_auth_crap.domain[
2141 sizeof(state->request->data.chng_pswd_auth_crap.domain)-1]=0;
2142 *domain = 0;
2143 *user = 0;
2145 DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
2146 (unsigned long)state->pid,
2147 state->request->data.chng_pswd_auth_crap.domain,
2148 state->request->data.chng_pswd_auth_crap.user));
2150 if (lp_winbind_offline_logon()) {
2151 DEBUG(0,("Refusing password change as winbind offline logons are enabled. "));
2152 DEBUGADD(0,("Changing passwords here would risk inconsistent logons\n"));
2153 result = NT_STATUS_ACCESS_DENIED;
2154 goto done;
2157 if (*state->request->data.chng_pswd_auth_crap.domain) {
2158 fstrcpy(domain,state->request->data.chng_pswd_auth_crap.domain);
2159 } else {
2160 parse_domain_user(state->request->data.chng_pswd_auth_crap.user,
2161 domain, user);
2163 if(!*domain) {
2164 DEBUG(3,("no domain specified with username (%s) - "
2165 "failing auth\n",
2166 state->request->data.chng_pswd_auth_crap.user));
2167 result = NT_STATUS_NO_SUCH_USER;
2168 goto done;
2172 if (!*domain && lp_winbind_use_default_domain()) {
2173 fstrcpy(domain,(char *)lp_workgroup());
2176 if(!*user) {
2177 fstrcpy(user, state->request->data.chng_pswd_auth_crap.user);
2180 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n",
2181 (unsigned long)state->pid, domain, user));
2183 /* Change password */
2184 new_nt_password = data_blob_const(
2185 state->request->data.chng_pswd_auth_crap.new_nt_pswd,
2186 state->request->data.chng_pswd_auth_crap.new_nt_pswd_len);
2188 old_nt_hash_enc = data_blob_const(
2189 state->request->data.chng_pswd_auth_crap.old_nt_hash_enc,
2190 state->request->data.chng_pswd_auth_crap.old_nt_hash_enc_len);
2192 if(state->request->data.chng_pswd_auth_crap.new_lm_pswd_len > 0) {
2193 new_lm_password = data_blob_const(
2194 state->request->data.chng_pswd_auth_crap.new_lm_pswd,
2195 state->request->data.chng_pswd_auth_crap.new_lm_pswd_len);
2197 old_lm_hash_enc = data_blob_const(
2198 state->request->data.chng_pswd_auth_crap.old_lm_hash_enc,
2199 state->request->data.chng_pswd_auth_crap.old_lm_hash_enc_len);
2200 } else {
2201 new_lm_password.length = 0;
2202 old_lm_hash_enc.length = 0;
2205 /* Get sam handle */
2207 result = cm_connect_sam(contact_domain, state->mem_ctx, &cli, &dom_pol);
2208 if (!NT_STATUS_IS_OK(result)) {
2209 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
2210 goto done;
2213 b = cli->binding_handle;
2215 result = rpccli_samr_chng_pswd_auth_crap(
2216 cli, state->mem_ctx, user, new_nt_password, old_nt_hash_enc,
2217 new_lm_password, old_lm_hash_enc);
2219 done:
2221 if (strequal(contact_domain->name, get_global_sam_name())) {
2222 /* FIXME: internal rpc pipe does not cache handles yet */
2223 if (b) {
2224 if (is_valid_policy_hnd(&dom_pol)) {
2225 NTSTATUS _result;
2226 dcerpc_samr_Close(b, state->mem_ctx, &dom_pol, &_result);
2228 TALLOC_FREE(cli);
2232 set_auth_errors(state->response, result);
2234 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2235 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2236 domain, user,
2237 state->response->data.auth.nt_status_string,
2238 state->response->data.auth.pam_error));
2240 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;