search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:winbind: Refactor winbindd_dual_pam_auth_kerberos(), do not take winbindd_cli_stat...
[Samba.git] / source3 / winbindd / winbindd_pam.c
blobc9a7ce8c8bd14afd1a5a47bf86910cb559ffca88
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon - pam auth funcions
5
6 Copyright (C) Andrew Tridgell 2000
7 Copyright (C) Tim Potter 2001
8 Copyright (C) Andrew Bartlett 2001-2002
9 Copyright (C) Guenther Deschner 2005
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 */
24
25 #include "includes.h"
26 #include "winbindd.h"
27 #include "libsmb/namequery.h"
28 #include "../libcli/auth/libcli_auth.h"
29 #include "../librpc/gen_ndr/ndr_samr_c.h"
30 #include "librpc/gen_ndr/ndr_winbind.h"
31 #include "rpc_client/cli_pipe.h"
32 #include "rpc_client/cli_samr.h"
33 #include "../librpc/gen_ndr/ndr_netlogon.h"
34 #include "rpc_client/cli_netlogon.h"
35 #include "smb_krb5.h"
36 #include "../libcli/security/security.h"
37 #include "ads.h"
38 #include "../librpc/gen_ndr/krb5pac.h"
39 #include "passdb/machine_sid.h"
40 #include "auth.h"
41 #include "../lib/tsocket/tsocket.h"
42 #include "auth/kerberos/pac_utils.h"
43 #include "auth/gensec/gensec.h"
44 #include "librpc/crypto/gse_krb5.h"
45 #include "lib/afs/afs_funcs.h"
46 #include "libsmb/samlogon_cache.h"
47 #include "rpc_client/util_netlogon.h"
48 #include "param/param.h"
49 #include "messaging/messaging.h"
50 #include "lib/util/string_wrappers.h"
51 #include "lib/crypto/gnutls_helpers.h"
52
53 #include "lib/crypto/gnutls_helpers.h"
54 #include <gnutls/crypto.h>
55 #include "lib/global_contexts.h"
56
57 #undef DBGC_CLASS
58 #define DBGC_CLASS DBGC_WINBIND
59
60 #define LOGON_KRB5_FAIL_CLOCK_SKEW 0x02000000
61
62 static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx,
63 struct winbindd_response *resp,
64 uint16_t validation_level,
65 union netr_Validation *validation)
66 {
67 struct netr_SamInfo3 *info3 = NULL;
68 char *ex = NULL;
69 uint32_t i;
70 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
71 TALLOC_CTX *frame = talloc_stackframe();
72
73 status = map_validation_to_info3(frame,
74 validation_level,
75 validation,
76 &info3);
77 if (!NT_STATUS_IS_OK(status)) {
78 goto out;
79 }
80
81 resp->data.auth.info3.logon_time =
82 nt_time_to_unix(info3->base.logon_time);
83 resp->data.auth.info3.logoff_time =
84 nt_time_to_unix(info3->base.logoff_time);
85 resp->data.auth.info3.kickoff_time =
86 nt_time_to_unix(info3->base.kickoff_time);
87 resp->data.auth.info3.pass_last_set_time =
88 nt_time_to_unix(info3->base.last_password_change);
89 resp->data.auth.info3.pass_can_change_time =
90 nt_time_to_unix(info3->base.allow_password_change);
91 resp->data.auth.info3.pass_must_change_time =
92 nt_time_to_unix(info3->base.force_password_change);
93
94 resp->data.auth.info3.logon_count = info3->base.logon_count;
95 resp->data.auth.info3.bad_pw_count = info3->base.bad_password_count;
96
97 resp->data.auth.info3.user_rid = info3->base.rid;
98 resp->data.auth.info3.group_rid = info3->base.primary_gid;
99 sid_to_fstring(resp->data.auth.info3.dom_sid, info3->base.domain_sid);
100
101 resp->data.auth.info3.num_groups = info3->base.groups.count;
102 resp->data.auth.info3.user_flgs = info3->base.user_flags;
103
104 resp->data.auth.info3.acct_flags = info3->base.acct_flags;
105 resp->data.auth.info3.num_other_sids = info3->sidcount;
106
107 fstrcpy(resp->data.auth.info3.user_name,
108 info3->base.account_name.string);
109 fstrcpy(resp->data.auth.info3.full_name,
110 info3->base.full_name.string);
111 fstrcpy(resp->data.auth.info3.logon_script,
112 info3->base.logon_script.string);
113 fstrcpy(resp->data.auth.info3.profile_path,
114 info3->base.profile_path.string);
115 fstrcpy(resp->data.auth.info3.home_dir,
116 info3->base.home_directory.string);
117 fstrcpy(resp->data.auth.info3.dir_drive,
118 info3->base.home_drive.string);
119
120 fstrcpy(resp->data.auth.info3.logon_srv,
121 info3->base.logon_server.string);
122 fstrcpy(resp->data.auth.info3.logon_dom,
123 info3->base.logon_domain.string);
124
125 resp->data.auth.validation_level = validation_level;
126 if (validation_level == 6) {
127 fstrcpy(resp->data.auth.info6.dns_domainname,
128 validation->sam6->dns_domainname.string);
129 fstrcpy(resp->data.auth.info6.principal_name,
130 validation->sam6->principal_name.string);
131 }
132
133 ex = talloc_strdup(frame, "");
134 if (ex == NULL) {
135 status = NT_STATUS_NO_MEMORY;
136 goto out;
137 }
138
139 for (i=0; i < info3->base.groups.count; i++) {
140 ex = talloc_asprintf_append_buffer(ex, "0x%08X:0x%08X\n",
141 info3->base.groups.rids[i].rid,
142 info3->base.groups.rids[i].attributes);
143 if (ex == NULL) {
144 status = NT_STATUS_NO_MEMORY;
145 goto out;
146 }
147 }
148
149 for (i=0; i < info3->sidcount; i++) {
150 struct dom_sid_buf sidbuf;
151
152 ex = talloc_asprintf_append_buffer(
153 ex,
154 "%s:0x%08X\n",
155 dom_sid_str_buf(info3->sids[i].sid, &sidbuf),
156 info3->sids[i].attributes);
157 if (ex == NULL) {
158 status = NT_STATUS_NO_MEMORY;
159 goto out;
160 }
161 }
162
163 resp->length += talloc_get_size(ex);
164 resp->extra_data.data = talloc_move(mem_ctx, &ex);
165
166 status = NT_STATUS_OK;
167 out:
168 TALLOC_FREE(frame);
169 return status;
170 }
171
172 static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx,
173 struct winbindd_response *resp,
174 struct netr_SamInfo3 *info3)
175 {
176 DATA_BLOB blob;
177 enum ndr_err_code ndr_err;
178
179 ndr_err = ndr_push_struct_blob(&blob, mem_ctx, info3,
180 (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3);
181 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
182 DEBUG(0,("append_info3_as_ndr: failed to append\n"));
183 return ndr_map_error2ntstatus(ndr_err);
184 }
185
186 resp->extra_data.data = blob.data;
187 resp->length += blob.length;
188
189 return NT_STATUS_OK;
190 }
191
192 static NTSTATUS append_unix_username(uint16_t validation_level,
193 union netr_Validation *validation,
194 const char *name_domain,
195 const char *name_user,
196 TALLOC_CTX *mem_ctx,
197 char **_unix_username)
198 {
199 TALLOC_CTX *tmp_ctx = NULL;
200 const char *nt_username = NULL;
201 const char *nt_domain = NULL;
202 char *unix_username = NULL;
203 struct netr_SamBaseInfo *base_info = NULL;
204 NTSTATUS status;
205
206 tmp_ctx = talloc_new(mem_ctx);
207 if (tmp_ctx == NULL) {
208 return NT_STATUS_NO_MEMORY;
209 }
210
211 /* We've been asked to return the unix username, per
212 'winbind use default domain' settings and the like */
213
214 switch (validation_level) {
215 case 3:
216 base_info = &validation->sam3->base;
217 break;
218 case 6:
219 base_info = &validation->sam6->base;
220 break;
221 default:
222 DBG_ERR("Invalid validation level %d\n", validation_level);
223 status = NT_STATUS_INTERNAL_ERROR;
224 goto out;
225 }
226
227 nt_domain = talloc_strdup(tmp_ctx, base_info->logon_domain.string);
228 if (!nt_domain) {
229 /* If the server didn't give us one, just use the one
230 * we sent them */
231 nt_domain = name_domain;
232 }
233
234 nt_username = talloc_strdup(tmp_ctx, base_info->account_name.string);
235 if (!nt_username) {
236 /* If the server didn't give us one, just use the one
237 * we sent them */
238 nt_username = name_user;
239 }
240
241 unix_username = fill_domain_username_talloc(tmp_ctx,
242 nt_domain,
243 nt_username,
244 true);
245 if (unix_username == NULL) {
246 status = NT_STATUS_NO_MEMORY;
247 goto out;
248 }
249
250 DBG_INFO("Setting unix username to [%s]\n", unix_username);
251
252 *_unix_username = talloc_move(mem_ctx, &unix_username);
253
254 status = NT_STATUS_OK;
255 out:
256 TALLOC_FREE(tmp_ctx);
257
258 return status;
259 }
260
261 static NTSTATUS append_afs_token(uint16_t validation_level,
262 union netr_Validation *validation,
263 const char *name_domain,
264 const char *name_user,
265 TALLOC_CTX *mem_ctx,
266 DATA_BLOB *_blob)
267 {
268 TALLOC_CTX *tmp_ctx = NULL;
269 char *afsname = NULL;
270 char *cell;
271 char *token;
272 struct netr_SamBaseInfo *base_info = NULL;
273 NTSTATUS status;
274
275 tmp_ctx = talloc_new(mem_ctx);
276 if (tmp_ctx == NULL) {
277 return NT_STATUS_NO_MEMORY;
278 }
279
280 switch (validation_level) {
281 case 3:
282 base_info = &validation->sam3->base;
283 break;
284 case 6:
285 base_info = &validation->sam6->base;
286 break;
287 default:
288 DBG_ERR("Invalid validation level %d\n", validation_level);
289 status = NT_STATUS_INTERNAL_ERROR;
290 goto out;
291 }
292
293 afsname = talloc_strdup(tmp_ctx, lp_afs_username_map());
294 if (afsname == NULL) {
295 status = NT_STATUS_NO_MEMORY;
296 goto out;
297 }
298
299 afsname = talloc_string_sub(tmp_ctx,
300 lp_afs_username_map(),
301 "%D", name_domain);
302 afsname = talloc_string_sub(tmp_ctx, afsname,
303 "%u", name_user);
304 afsname = talloc_string_sub(tmp_ctx, afsname,
305 "%U", name_user);
306
307 {
308 struct dom_sid user_sid;
309 struct dom_sid_buf sidstr;
310
311 sid_compose(&user_sid, base_info->domain_sid, base_info->rid);
312 afsname = talloc_string_sub(
313 tmp_ctx,
314 afsname,
315 "%s",
316 dom_sid_str_buf(&user_sid, &sidstr));
317 }
318
319 if (afsname == NULL) {
320 status = NT_STATUS_NO_MEMORY;
321 goto out;
322 }
323
324 if (!strlower_m(afsname)) {
325 status = NT_STATUS_INVALID_PARAMETER;
326 goto out;
327 }
328
329 DEBUG(10, ("Generating token for user %s\n", afsname));
330
331 cell = strchr(afsname, '@');
332
333 if (cell == NULL) {
334 status = NT_STATUS_NO_MEMORY;
335 goto out;
336 }
337
338 *cell = '\0';
339 cell += 1;
340
341 token = afs_createtoken_str(afsname, cell);
342 if (token == NULL) {
343 status = NT_STATUS_OK;
344 goto out;
345 }
346
347 talloc_steal(mem_ctx, token);
348 *_blob = data_blob_string_const_null(token);
349
350 status = NT_STATUS_OK;
351 out:
352 TALLOC_FREE(tmp_ctx);
353
354 return status;
355 }
356
357 static NTSTATUS extra_data_to_sid_array(const char *group_sid,
358 TALLOC_CTX *mem_ctx,
359 struct wbint_SidArray **_sid_array)
360 {
361 TALLOC_CTX *tmp_ctx = NULL;
362 struct wbint_SidArray *sid_array = NULL;
363 struct dom_sid *require_membership_of_sid = NULL;
364 uint32_t num_require_membership_of_sid = 0;
365 char *req_sid = NULL;
366 const char *p = NULL;
367 NTSTATUS status;
368
369 if (_sid_array == NULL) {
370 return NT_STATUS_INVALID_PARAMETER;
371 }
372
373 *_sid_array = NULL;
374
375 tmp_ctx = talloc_new(mem_ctx);
376 if (tmp_ctx == NULL) {
377 return NT_STATUS_NO_MEMORY;
378 }
379
380 sid_array = talloc_zero(tmp_ctx, struct wbint_SidArray);
381 if (sid_array == NULL) {
382 status = NT_STATUS_NO_MEMORY;
383 goto fail;
384 }
385
386 if (!group_sid || !group_sid[0]) {
387 /* NO sid supplied, all users may access */
388 status = NT_STATUS_OK;
389 /*
390 * Always return an allocated wbint_SidArray,
391 * even if the array is empty.
392 */
393 goto out;
394 }
395
396 num_require_membership_of_sid = 0;
397 require_membership_of_sid = NULL;
398 p = group_sid;
399
400 while (next_token_talloc(tmp_ctx, &p, &req_sid, ",")) {
401 struct dom_sid sid;
402
403 if (!string_to_sid(&sid, req_sid)) {
404 DBG_ERR("check_info3_in_group: could not parse %s "
405 "as a SID!\n", req_sid);
406 status = NT_STATUS_INVALID_PARAMETER;
407 goto fail;
408 }
409
410 status = add_sid_to_array(tmp_ctx, &sid,
411 &require_membership_of_sid,
412 &num_require_membership_of_sid);
413 if (!NT_STATUS_IS_OK(status)) {
414 DBG_ERR("add_sid_to_array failed\n");
415 goto fail;
416 }
417 }
418
419 sid_array->num_sids = num_require_membership_of_sid;
420 sid_array->sids = talloc_move(sid_array, &require_membership_of_sid);
421
422 status = NT_STATUS_OK;
423 out:
424 *_sid_array = talloc_move(mem_ctx, &sid_array);
425
426 fail:
427 TALLOC_FREE(tmp_ctx);
428
429 return status;
430 }
431
432 static NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
433 struct wbint_SidArray *sid_array)
434 /**
435 * Check whether a user belongs to a group or list of groups.
436 *
437 * @param mem_ctx talloc memory context.
438 * @param info3 user information, including group membership info.
439 * @param group_sid One or more groups , separated by commas.
440 *
441 * @return NT_STATUS_OK on success,
442 * NT_STATUS_LOGON_FAILURE if the user does not belong,
443 * or other NT_STATUS_IS_ERR(status) for other kinds of failure.
444 */
445 {
446 size_t i;
447 struct security_token *token;
448 NTSTATUS status;
449
450 /* Parse the 'required group' SID */
451
452 if (sid_array == NULL || sid_array->num_sids == 0) {
453 /* NO sid supplied, all users may access */
454 return NT_STATUS_OK;
455 }
456
457 token = talloc_zero(talloc_tos(), struct security_token);
458 if (token == NULL) {
459 DEBUG(0, ("talloc failed\n"));
460 return NT_STATUS_NO_MEMORY;
461 }
462
463 status = sid_array_from_info3(talloc_tos(), info3,
464 &token->sids,
465 &token->num_sids,
466 true);
467 if (!NT_STATUS_IS_OK(status)) {
468 return status;
469 }
470
471 if (!NT_STATUS_IS_OK(status = add_aliases(get_global_sam_sid(),
472 token))
473 || !NT_STATUS_IS_OK(status = add_aliases(&global_sid_Builtin,
474 token))) {
475 DEBUG(3, ("could not add aliases: %s\n",
476 nt_errstr(status)));
477 return status;
478 }
479
480 security_token_debug(DBGC_CLASS, 10, token);
481
482 for (i=0; i<sid_array->num_sids; i++) {
483 struct dom_sid_buf buf;
484 DEBUG(10, ("Checking SID %s\n",
485 dom_sid_str_buf(&sid_array->sids[i],
486 &buf)));
487 if (nt_token_check_sid(&sid_array->sids[i],
488 token)) {
489 DEBUG(10, ("Access ok\n"));
490 return NT_STATUS_OK;
491 }
492 }
493
494 /* Do not distinguish this error from a wrong username/pw */
495
496 return NT_STATUS_LOGON_FAILURE;
497 }
498
499 struct winbindd_domain *find_auth_domain(uint8_t flags,
500 const char *domain_name)
501 {
502 struct winbindd_domain *domain;
503
504 if (IS_DC) {
505 domain = find_domain_from_name_noinit(domain_name);
506 if (domain == NULL) {
507 DEBUG(3, ("Authentication for domain [%s] refused "
508 "as it is not a trusted domain\n",
509 domain_name));
510 return NULL;
511 }
512
513 if (domain->secure_channel_type != SEC_CHAN_NULL) {
514 return domain;
515 }
516
517 return domain->routing_domain;
518 }
519
520 if (strequal(domain_name, get_global_sam_name())) {
521 return find_domain_from_name_noinit(domain_name);
522 }
523
524 if (lp_winbind_use_krb5_enterprise_principals()) {
525 /*
526 * If we use enterprise principals
527 * we always go trough our primary domain
528 * and follow the WRONG_REALM replies.
529 */
530 flags &= ~WBFLAG_PAM_CONTACT_TRUSTDOM;
531 }
532
533 /* we can auth against trusted domains */
534 if (flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
535 domain = find_domain_from_name_noinit(domain_name);
536 if (domain == NULL) {
537 DEBUG(3, ("Authentication for domain [%s] skipped "
538 "as it is not a trusted domain\n",
539 domain_name));
540 } else {
541 return domain;
542 }
543 }
544
545 return find_our_domain();
546 }
547
548 static void fake_password_policy(struct winbindd_response *r,
549 const struct netr_SamBaseInfo *bi)
550 {
551 NTTIME min_password_age;
552 NTTIME max_password_age;
553
554 if (bi->allow_password_change > bi->last_password_change) {
555 min_password_age = bi->allow_password_change -
556 bi->last_password_change;
557 } else {
558 min_password_age = 0;
559 }
560
561 if (bi->force_password_change > bi->last_password_change) {
562 max_password_age = bi->force_password_change -
563 bi->last_password_change;
564 } else {
565 max_password_age = 0;
566 }
567
568 r->data.auth.policy.min_length_password = 0;
569 r->data.auth.policy.password_history = 0;
570 r->data.auth.policy.password_properties = 0;
571 r->data.auth.policy.expire =
572 nt_time_to_unix_abs(&max_password_age);
573 r->data.auth.policy.min_passwordage =
574 nt_time_to_unix_abs(&min_password_age);
575 }
576
577 static void fill_in_password_policy(struct winbindd_response *r,
578 const struct samr_DomInfo1 *p)
579 {
580 r->data.auth.policy.min_length_password =
581 p->min_password_length;
582 r->data.auth.policy.password_history =
583 p->password_history_length;
584 r->data.auth.policy.password_properties =
585 p->password_properties;
586 r->data.auth.policy.expire =
587 nt_time_to_unix_abs((const NTTIME *)&(p->max_password_age));
588 r->data.auth.policy.min_passwordage =
589 nt_time_to_unix_abs((const NTTIME *)&(p->min_password_age));
590 }
591
592 static NTSTATUS fillup_password_policy(struct winbindd_domain *domain,
593 struct winbindd_response *response)
594 {
595 TALLOC_CTX *frame = talloc_stackframe();
596 NTSTATUS status;
597 struct samr_DomInfo1 password_policy;
598
599 if ( !winbindd_can_contact_domain( domain ) ) {
600 DEBUG(5,("fillup_password_policy: No inbound trust to "
601 "contact domain %s\n", domain->name));
602 status = NT_STATUS_NOT_SUPPORTED;
603 goto done;
604 }
605
606 status = wb_cache_password_policy(domain, talloc_tos(),
607 &password_policy);
608 if (NT_STATUS_IS_ERR(status)) {
609 goto done;
610 }
611
612 fill_in_password_policy(response, &password_policy);
613
614 done:
615 TALLOC_FREE(frame);
616 return NT_STATUS_OK;
617 }
618
619 static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain *domain,
620 TALLOC_CTX *mem_ctx,
621 uint16_t *lockout_threshold)
622 {
623 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
624 struct samr_DomInfo12 lockout_policy;
625
626 *lockout_threshold = 0;
627
628 status = wb_cache_lockout_policy(domain, mem_ctx, &lockout_policy);
629 if (NT_STATUS_IS_ERR(status)) {
630 return status;
631 }
632
633 *lockout_threshold = lockout_policy.lockout_threshold;
634
635 return NT_STATUS_OK;
636 }
637
638 static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
639 TALLOC_CTX *mem_ctx,
640 uint32_t *password_properties)
641 {
642 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
643 struct samr_DomInfo1 password_policy;
644
645 *password_properties = 0;
646
647 status = wb_cache_password_policy(domain, mem_ctx, &password_policy);
648 if (NT_STATUS_IS_ERR(status)) {
649 return status;
650 }
651
652 *password_properties = password_policy.password_properties;
653
654 return NT_STATUS_OK;
655 }
656
657 #ifdef HAVE_KRB5
658
659 static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
660 const char *type,
661 uid_t uid,
662 const char **user_ccache_file)
663 {
664 /* accept FILE and WRFILE as krb5_cc_type from the client and then
665 * build the full ccname string based on the user's uid here -
666 * Guenther*/
667
668 const char *gen_cc = NULL;
669
670 if (uid != -1) {
671 if (strequal(type, "FILE")) {
672 gen_cc = talloc_asprintf(
673 mem_ctx, "FILE:/tmp/krb5cc_%d", uid);
674 }
675 if (strequal(type, "WRFILE")) {
676 gen_cc = talloc_asprintf(
677 mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
678 }
679 if (strequal(type, "KEYRING")) {
680 gen_cc = talloc_asprintf(
681 mem_ctx, "KEYRING:persistent:%d", uid);
682 }
683 if (strequal(type, "KCM")) {
684 gen_cc = talloc_asprintf(mem_ctx,
685 "KCM:%d",
686 uid);
687 }
688
689 if (strnequal(type, "FILE:/", 6) ||
690 strnequal(type, "WRFILE:/", 8) ||
691 strnequal(type, "DIR:/", 5)) {
692
693 /* we allow only one "%u" substitution */
694
695 char *p;
696
697 p = strchr(type, '%');
698 if (p != NULL) {
699
700 p++;
701
702 if (p != NULL && *p == 'u' && strchr(p, '%') == NULL) {
703 char uid_str[sizeof("18446744073709551615")];
704
705 snprintf(uid_str, sizeof(uid_str), "%u", uid);
706
707 gen_cc = talloc_string_sub2(mem_ctx,
708 type,
709 "%u",
710 uid_str,
711 /* remove_unsafe_characters */
712 false,
713 /* replace_once */
714 true,
715 /* allow_trailing_dollar */
716 false);
717 }
718 }
719 }
720 }
721
722 *user_ccache_file = gen_cc;
723
724 if (gen_cc == NULL) {
725 gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbindd_pam_ccache");
726 }
727 if (gen_cc == NULL) {
728 DEBUG(0,("out of memory\n"));
729 return NULL;
730 }
731
732 DEBUG(10, ("using ccache: %s%s\n", gen_cc,
733 (*user_ccache_file == NULL) ? " (internal)":""));
734
735 return gen_cc;
736 }
737
738 #endif
739
740 uid_t get_uid_from_request(struct winbindd_request *request)
741 {
742 uid_t uid;
743
744 uid = request->data.auth.uid;
745
746 if (uid == (uid_t)-1) {
747 DEBUG(1,("invalid uid: '%u'\n", (unsigned int)uid));
748 return -1;
749 }
750 return uid;
751 }
752
753 /**********************************************************************
754 Authenticate a user with a clear text password using Kerberos and fill up
755 ccache if required
756 **********************************************************************/
757
758 static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
759 struct winbindd_domain *domain,
760 const char *user,
761 const char *pass,
762 const char *krb5_cc_type,
763 uid_t uid,
764 struct netr_SamInfo6 **info6,
765 const char **_krb5ccname)
766 {
767 #ifdef HAVE_KRB5
768 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
769 krb5_error_code krb5_ret;
770 const char *cc = NULL;
771 const char *principal_s = NULL;
772 const char *service = NULL;
773 char *realm = NULL;
774 fstring name_namespace, name_domain, name_user;
775 time_t ticket_lifetime = 0;
776 time_t renewal_until = 0;
777 ADS_STRUCT *ads;
778 time_t time_offset = 0;
779 const char *user_ccache_file;
780 struct PAC_LOGON_INFO *logon_info = NULL;
781 struct PAC_UPN_DNS_INFO *upn_dns_info = NULL;
782 struct PAC_DATA *pac_data = NULL;
783 struct PAC_DATA_CTR *pac_data_ctr = NULL;
784 const char *local_service;
785 uint32_t i;
786 struct netr_SamInfo6 *info6_copy = NULL;
787 char *canon_principal = NULL;
788 char *canon_realm = NULL;
789 bool ok;
790
791 *info6 = NULL;
792
793 if (domain->alt_name == NULL) {
794 return NT_STATUS_INVALID_PARAMETER;
795 }
796
797 if (_krb5ccname != NULL) {
798 *_krb5ccname = NULL;
799 }
800
801 /* 1st step:
802 * prepare a krb5_cc_cache string for the user */
803
804 if (uid == -1) {
805 DEBUG(0,("no valid uid\n"));
806 }
807
808 cc = generate_krb5_ccache(mem_ctx,
809 krb5_cc_type,
810 uid,
811 &user_ccache_file);
812 if (cc == NULL) {
813 return NT_STATUS_NO_MEMORY;
814 }
815
816
817 /* 2nd step:
818 * get kerberos properties */
819
820 if (domain->private_data) {
821 ads = (ADS_STRUCT *)domain->private_data;
822 time_offset = ads->auth.time_offset;
823 }
824
825
826 /* 3rd step:
827 * do kerberos auth and setup ccache as the user */
828
829 ok = parse_domain_user(user, name_namespace, name_domain, name_user);
830 if (!ok) {
831 return NT_STATUS_INVALID_PARAMETER;
832 }
833
834 realm = talloc_strdup(mem_ctx, domain->alt_name);
835 if (realm == NULL) {
836 return NT_STATUS_NO_MEMORY;
837 }
838
839 if (!strupper_m(realm)) {
840 return NT_STATUS_INVALID_PARAMETER;
841 }
842
843 if (lp_winbind_use_krb5_enterprise_principals() &&
844 name_namespace[0] != '\0')
845 {
846 principal_s = talloc_asprintf(mem_ctx,
847 "%s@%s@%s",
848 name_user,
849 name_namespace,
850 realm);
851 } else {
852 principal_s = talloc_asprintf(mem_ctx,
853 "%s@%s",
854 name_user,
855 realm);
856 }
857 if (principal_s == NULL) {
858 return NT_STATUS_NO_MEMORY;
859 }
860
861 service = talloc_asprintf(mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
862 if (service == NULL) {
863 return NT_STATUS_NO_MEMORY;
864 }
865
866 local_service = talloc_asprintf(mem_ctx, "%s$@%s",
867 lp_netbios_name(), lp_realm());
868 if (local_service == NULL) {
869 return NT_STATUS_NO_MEMORY;
870 }
871
872
873 /* if this is a user ccache, we need to act as the user to let the krb5
874 * library handle the chown, etc. */
875
876 /************************ ENTERING NON-ROOT **********************/
877
878 if (user_ccache_file != NULL) {
879 set_effective_uid(uid);
880 DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
881 }
882
883 result = kerberos_return_pac(mem_ctx,
884 principal_s,
885 pass,
886 time_offset,
887 &ticket_lifetime,
888 &renewal_until,
889 cc,
890 true,
891 true,
892 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
893 NULL,
894 local_service,
895 &canon_principal,
896 &canon_realm,
897 &pac_data_ctr);
898 if (user_ccache_file != NULL) {
899 gain_root_privilege();
900 }
901
902 /************************ RETURNED TO ROOT **********************/
903
904 if (!NT_STATUS_IS_OK(result)) {
905 goto failed;
906 }
907
908 if (pac_data_ctr == NULL) {
909 goto failed;
910 }
911
912 pac_data = pac_data_ctr->pac_data;
913 if (pac_data == NULL) {
914 goto failed;
915 }
916
917 for (i=0; i < pac_data->num_buffers; i++) {
918
919 if (pac_data->buffers[i].type == PAC_TYPE_LOGON_INFO) {
920 logon_info = pac_data->buffers[i].info->logon_info.info;
921 continue;
922 }
923
924 if (pac_data->buffers[i].type == PAC_TYPE_UPN_DNS_INFO) {
925 upn_dns_info = &pac_data->buffers[i].info->upn_dns_info;
926 continue;
927 }
928 }
929
930 if (logon_info == NULL) {
931 DEBUG(10,("Missing logon_info in ticket of %s\n",
932 principal_s));
933 return NT_STATUS_INVALID_PARAMETER;
934 }
935
936 DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
937 principal_s));
938
939 result = create_info6_from_pac(mem_ctx, logon_info,
940 upn_dns_info, &info6_copy);
941 if (!NT_STATUS_IS_OK(result)) {
942 goto failed;
943 }
944
945 /* if we had a user's ccache then return that string for the pam
946 * environment */
947
948 if (user_ccache_file != NULL) {
949
950 if (_krb5ccname != NULL) {
951 *_krb5ccname = talloc_steal(mem_ctx, user_ccache_file);
952 }
953
954 result = add_ccache_to_list(principal_s,
955 cc,
956 service,
957 user,
958 pass,
959 realm,
960 uid,
961 time(NULL),
962 ticket_lifetime,
963 renewal_until,
964 false,
965 canon_principal,
966 canon_realm);
967
968 if (!NT_STATUS_IS_OK(result)) {
969 DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
970 nt_errstr(result)));
971 }
972 } else {
973
974 /* need to delete the memory cred cache, it is not used anymore */
975
976 krb5_ret = ads_kdestroy(cc);
977 if (krb5_ret) {
978 DEBUG(3,("winbindd_raw_kerberos_login: "
979 "could not destroy krb5 credential cache: "
980 "%s\n", error_message(krb5_ret)));
981 }
982
983 }
984 *info6 = info6_copy;
985 return NT_STATUS_OK;
986
987 failed:
988 /*
989 * Do not delete an existing valid credential cache, if the user
990 * e.g. enters a wrong password
991 */
992 if ((strequal(krb5_cc_type, "FILE") || strequal(krb5_cc_type, "WRFILE"))
993 && user_ccache_file != NULL) {
994 return result;
995 }
996
997 /* we could have created a new credential cache with a valid tgt in it
998 * but we werent able to get or verify the service ticket for this
999 * local host and therefor didn't get the PAC, we need to remove that
1000 * cache entirely now */
1001
1002 krb5_ret = ads_kdestroy(cc);
1003 if (krb5_ret) {
1004 DEBUG(3,("winbindd_raw_kerberos_login: "
1005 "could not destroy krb5 credential cache: "
1006 "%s\n", error_message(krb5_ret)));
1007 }
1008
1009 if (!NT_STATUS_IS_OK(remove_ccache(user))) {
1010 DEBUG(3,("winbindd_raw_kerberos_login: "
1011 "could not remove ccache for user %s\n",
1012 user));
1013 }
1014
1015 return result;
1016 #else
1017 return NT_STATUS_NOT_SUPPORTED;
1018 #endif /* HAVE_KRB5 */
1019 }
1020
1021 /****************************************************************
1022 ****************************************************************/
1023
1024 bool check_request_flags(uint32_t flags)
1025 {
1026 uint32_t flags_edata = WBFLAG_PAM_AFS_TOKEN |
1027 WBFLAG_PAM_INFO3_TEXT |
1028 WBFLAG_PAM_INFO3_NDR;
1029
1030 if ( ( (flags & flags_edata) == WBFLAG_PAM_AFS_TOKEN) ||
1031 ( (flags & flags_edata) == WBFLAG_PAM_INFO3_NDR) ||
1032 ( (flags & flags_edata) == WBFLAG_PAM_INFO3_TEXT)||
1033 !(flags & flags_edata) ) {
1034 return true;
1035 }
1036
1037 DEBUG(1, ("check_request_flags: invalid request flags[0x%08X]\n",
1038 flags));
1039
1040 return false;
1041 }
1042
1043 /****************************************************************
1044 ****************************************************************/
1045
1046 NTSTATUS append_auth_data(TALLOC_CTX *mem_ctx,
1047 struct winbindd_response *resp,
1048 uint32_t request_flags,
1049 uint16_t validation_level,
1050 union netr_Validation *validation,
1051 const char *name_domain,
1052 const char *name_user)
1053 {
1054 struct netr_SamInfo3 *info3 = NULL;
1055 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1056
1057 result = map_validation_to_info3(talloc_tos(),
1058 validation_level,
1059 validation,
1060 &info3);
1061 if (!NT_STATUS_IS_OK(result)) {
1062 goto out;
1063 }
1064
1065 if (request_flags & WBFLAG_PAM_USER_SESSION_KEY) {
1066 memcpy(resp->data.auth.user_session_key,
1067 info3->base.key.key,
1068 sizeof(resp->data.auth.user_session_key)
1069 /* 16 */);
1070 }
1071
1072 if (request_flags & WBFLAG_PAM_LMKEY) {
1073 memcpy(resp->data.auth.first_8_lm_hash,
1074 info3->base.LMSessKey.key,
1075 sizeof(resp->data.auth.first_8_lm_hash)
1076 /* 8 */);
1077 }
1078
1079 if (request_flags & WBFLAG_PAM_UNIX_NAME) {
1080 char *unix_username = NULL;
1081 result = append_unix_username(validation_level,
1082 validation,
1083 name_domain,
1084 name_user,
1085 mem_ctx,
1086 &unix_username);
1087 if (!NT_STATUS_IS_OK(result)) {
1088 DEBUG(10,("Failed to append Unix Username: %s\n",
1089 nt_errstr(result)));
1090 goto out;
1091 }
1092 fstrcpy(resp->data.auth.unix_username, unix_username);
1093 TALLOC_FREE(unix_username);
1094 }
1095
1096 /* currently, anything from here on potentially overwrites extra_data. */
1097
1098 if (request_flags & WBFLAG_PAM_INFO3_NDR) {
1099 result = append_info3_as_ndr(mem_ctx, resp, info3);
1100 if (!NT_STATUS_IS_OK(result)) {
1101 DEBUG(10,("Failed to append INFO3 (NDR): %s\n",
1102 nt_errstr(result)));
1103 goto out;
1104 }
1105 }
1106
1107 if (request_flags & WBFLAG_PAM_INFO3_TEXT) {
1108 result = append_info3_as_txt(mem_ctx, resp,
1109 validation_level,
1110 validation);
1111 if (!NT_STATUS_IS_OK(result)) {
1112 DEBUG(10,("Failed to append INFO3 (TXT): %s\n",
1113 nt_errstr(result)));
1114 goto out;
1115 }
1116 }
1117
1118 if (request_flags & WBFLAG_PAM_AFS_TOKEN) {
1119 DATA_BLOB blob = data_blob_null;
1120 result = append_afs_token(validation_level,
1121 validation,
1122 name_domain,
1123 name_user,
1124 mem_ctx,
1125 &blob);
1126 if (!NT_STATUS_IS_OK(result)) {
1127 DEBUG(10,("Failed to append AFS token: %s\n",
1128 nt_errstr(result)));
1129 goto out;
1130 }
1131 resp->extra_data.data = blob.data;
1132 resp->length += blob.length;
1133 }
1134
1135 result = NT_STATUS_OK;
1136 out:
1137 TALLOC_FREE(info3);
1138 return result;
1139 }
1140
1141 static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
1142 struct winbindd_cli_state *state,
1143 struct netr_SamInfo3 **info3)
1144 {
1145 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
1146 uint16_t max_allowed_bad_attempts;
1147 fstring name_namespace, name_domain, name_user;
1148 struct dom_sid sid;
1149 enum lsa_SidType type;
1150 uchar new_nt_pass[NT_HASH_LEN];
1151 const uint8_t *cached_nt_pass;
1152 const uint8_t *cached_salt;
1153 struct netr_SamInfo3 *my_info3;
1154 time_t kickoff_time, must_change_time;
1155 bool password_good = false;
1156 bool ok;
1157 #ifdef HAVE_KRB5
1158 struct winbindd_tdc_domain *tdc_domain = NULL;
1159 #endif
1160
1161 *info3 = NULL;
1162
1163 ZERO_STRUCTP(info3);
1164
1165 DEBUG(10,("winbindd_dual_pam_auth_cached\n"));
1166
1167 /* Parse domain and username */
1168
1169 ok = parse_domain_user(state->request->data.auth.user,
1170 name_namespace,
1171 name_domain,
1172 name_user);
1173 if (!ok) {
1174 DBG_DEBUG("parse_domain_user failed\n");
1175 return NT_STATUS_NO_SUCH_USER;
1176 }
1177
1178 if (!lookup_cached_name(name_namespace,
1179 name_domain,
1180 name_user,
1181 &sid,
1182 &type)) {
1183 DEBUG(10,("winbindd_dual_pam_auth_cached: no such user in the cache\n"));
1184 return NT_STATUS_NO_SUCH_USER;
1185 }
1186
1187 if (type != SID_NAME_USER) {
1188 DEBUG(10,("winbindd_dual_pam_auth_cached: not a user (%s)\n", sid_type_lookup(type)));
1189 return NT_STATUS_LOGON_FAILURE;
1190 }
1191
1192 result = winbindd_get_creds(domain,
1193 state->mem_ctx,
1194 &sid,
1195 &my_info3,
1196 &cached_nt_pass,
1197 &cached_salt);
1198 if (!NT_STATUS_IS_OK(result)) {
1199 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get creds: %s\n", nt_errstr(result)));
1200 return result;
1201 }
1202
1203 *info3 = my_info3;
1204
1205 E_md4hash(state->request->data.auth.pass, new_nt_pass);
1206
1207 dump_data_pw("new_nt_pass", new_nt_pass, NT_HASH_LEN);
1208 dump_data_pw("cached_nt_pass", cached_nt_pass, NT_HASH_LEN);
1209 if (cached_salt) {
1210 dump_data_pw("cached_salt", cached_salt, NT_HASH_LEN);
1211 }
1212
1213 if (cached_salt) {
1214 /* In this case we didn't store the nt_hash itself,
1215 but the MD5 combination of salt + nt_hash. */
1216 uchar salted_hash[NT_HASH_LEN];
1217 gnutls_hash_hd_t hash_hnd = NULL;
1218 int rc;
1219
1220 rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
1221 if (rc < 0) {
1222 return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
1223 }
1224
1225 rc = gnutls_hash(hash_hnd, cached_salt, 16);
1226 if (rc < 0) {
1227 gnutls_hash_deinit(hash_hnd, NULL);
1228 return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
1229 }
1230 rc = gnutls_hash(hash_hnd, new_nt_pass, 16);
1231 if (rc < 0) {
1232 gnutls_hash_deinit(hash_hnd, NULL);
1233 return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
1234 }
1235 gnutls_hash_deinit(hash_hnd, salted_hash);
1236
1237 password_good = (memcmp(cached_nt_pass, salted_hash,
1238 NT_HASH_LEN) == 0);
1239 } else {
1240 /* Old cached cred - direct store of nt_hash (bad bad bad !). */
1241 password_good = (memcmp(cached_nt_pass, new_nt_pass,
1242 NT_HASH_LEN) == 0);
1243 }
1244
1245 if (password_good) {
1246
1247 /* User *DOES* know the password, update logon_time and reset
1248 * bad_pw_count */
1249
1250 my_info3->base.user_flags |= NETLOGON_CACHED_ACCOUNT;
1251
1252 if (my_info3->base.acct_flags & ACB_AUTOLOCK) {
1253 return NT_STATUS_ACCOUNT_LOCKED_OUT;
1254 }
1255
1256 if (my_info3->base.acct_flags & ACB_DISABLED) {
1257 return NT_STATUS_ACCOUNT_DISABLED;
1258 }
1259
1260 if (my_info3->base.acct_flags & ACB_WSTRUST) {
1261 return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
1262 }
1263
1264 if (my_info3->base.acct_flags & ACB_SVRTRUST) {
1265 return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
1266 }
1267
1268 if (my_info3->base.acct_flags & ACB_DOMTRUST) {
1269 return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
1270 }
1271
1272 if (!(my_info3->base.acct_flags & ACB_NORMAL)) {
1273 DEBUG(0,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
1274 my_info3->base.acct_flags));
1275 return NT_STATUS_LOGON_FAILURE;
1276 }
1277
1278 kickoff_time = nt_time_to_unix(my_info3->base.kickoff_time);
1279 if (kickoff_time != 0 && time(NULL) > kickoff_time) {
1280 return NT_STATUS_ACCOUNT_EXPIRED;
1281 }
1282
1283 must_change_time = nt_time_to_unix(my_info3->base.force_password_change);
1284 if (must_change_time != 0 && must_change_time < time(NULL)) {
1285 /* we allow grace logons when the password has expired */
1286 my_info3->base.user_flags |= NETLOGON_GRACE_LOGON;
1287 /* return NT_STATUS_PASSWORD_EXPIRED; */
1288 goto success;
1289 }
1290
1291 #ifdef HAVE_KRB5
1292 if ((state->request->flags & WBFLAG_PAM_KRB5) &&
1293 ((tdc_domain = wcache_tdc_fetch_domain(state->mem_ctx, name_domain)) != NULL) &&
1294 ((tdc_domain->trust_type & LSA_TRUST_TYPE_UPLEVEL) ||
1295 /* used to cope with the case winbindd starting without network. */
1296 !strequal(tdc_domain->domain_name, tdc_domain->dns_name))) {
1297
1298 uid_t uid = -1;
1299 const char *cc = NULL;
1300 char *realm = NULL;
1301 const char *principal_s = NULL;
1302 const char *service = NULL;
1303 const char *user_ccache_file;
1304
1305 if (domain->alt_name == NULL) {
1306 return NT_STATUS_INVALID_PARAMETER;
1307 }
1308
1309 uid = get_uid_from_request(state->request);
1310 if (uid == -1) {
1311 DEBUG(0,("winbindd_dual_pam_auth_cached: invalid uid\n"));
1312 return NT_STATUS_INVALID_PARAMETER;
1313 }
1314
1315 cc = generate_krb5_ccache(state->mem_ctx,
1316 state->request->data.auth.krb5_cc_type,
1317 state->request->data.auth.uid,
1318 &user_ccache_file);
1319 if (cc == NULL) {
1320 return NT_STATUS_NO_MEMORY;
1321 }
1322
1323 realm = talloc_strdup(state->mem_ctx, domain->alt_name);
1324 if (realm == NULL) {
1325 return NT_STATUS_NO_MEMORY;
1326 }
1327
1328 if (!strupper_m(realm)) {
1329 return NT_STATUS_INVALID_PARAMETER;
1330 }
1331
1332 principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
1333 if (principal_s == NULL) {
1334 return NT_STATUS_NO_MEMORY;
1335 }
1336
1337 service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
1338 if (service == NULL) {
1339 return NT_STATUS_NO_MEMORY;
1340 }
1341
1342 if (user_ccache_file != NULL) {
1343
1344 fstrcpy(state->response->data.auth.krb5ccname,
1345 user_ccache_file);
1346
1347 result = add_ccache_to_list(principal_s,
1348 cc,
1349 service,
1350 state->request->data.auth.user,
1351 state->request->data.auth.pass,
1352 realm,
1353 uid,
1354 time(NULL),
1355 time(NULL) + lp_winbind_cache_time(),
1356 time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
1357 true,
1358 principal_s,
1359 realm);
1360
1361 if (!NT_STATUS_IS_OK(result)) {
1362 DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
1363 "to add ccache to list: %s\n",
1364 nt_errstr(result)));
1365 }
1366 }
1367 }
1368 #endif /* HAVE_KRB5 */
1369 success:
1370 /* FIXME: we possibly should handle logon hours as well (does xp when
1371 * offline?) see auth/auth_sam.c:sam_account_ok for details */
1372
1373 unix_to_nt_time(&my_info3->base.logon_time, time(NULL));
1374 my_info3->base.bad_password_count = 0;
1375
1376 result = winbindd_update_creds_by_info3(domain,
1377 state->request->data.auth.user,
1378 state->request->data.auth.pass,
1379 my_info3);
1380 if (!NT_STATUS_IS_OK(result)) {
1381 DEBUG(1,("winbindd_dual_pam_auth_cached: failed to update creds: %s\n",
1382 nt_errstr(result)));
1383 return result;
1384 }
1385
1386 return NT_STATUS_OK;
1387
1388 }
1389
1390 /* User does *NOT* know the correct password, modify info3 accordingly, but only if online */
1391 if (domain->online == false) {
1392 goto failed;
1393 }
1394
1395 /* failure of this is not critical */
1396 result = get_max_bad_attempts_from_lockout_policy(domain, state->mem_ctx, &max_allowed_bad_attempts);
1397 if (!NT_STATUS_IS_OK(result)) {
1398 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get max_allowed_bad_attempts. "
1399 "Won't be able to honour account lockout policies\n"));
1400 }
1401
1402 /* increase counter */
1403 my_info3->base.bad_password_count++;
1404
1405 if (max_allowed_bad_attempts == 0) {
1406 goto failed;
1407 }
1408
1409 /* lockout user */
1410 if (my_info3->base.bad_password_count >= max_allowed_bad_attempts) {
1411
1412 uint32_t password_properties;
1413
1414 result = get_pwd_properties(domain, state->mem_ctx, &password_properties);
1415 if (!NT_STATUS_IS_OK(result)) {
1416 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
1417 }
1418
1419 if ((my_info3->base.rid != DOMAIN_RID_ADMINISTRATOR) ||
1420 (password_properties & DOMAIN_PASSWORD_LOCKOUT_ADMINS)) {
1421 my_info3->base.acct_flags |= ACB_AUTOLOCK;
1422 }
1423 }
1424
1425 failed:
1426 result = winbindd_update_creds_by_info3(domain,
1427 state->request->data.auth.user,
1428 NULL,
1429 my_info3);
1430
1431 if (!NT_STATUS_IS_OK(result)) {
1432 DEBUG(0,("winbindd_dual_pam_auth_cached: failed to update creds %s\n",
1433 nt_errstr(result)));
1434 }
1435
1436 return NT_STATUS_LOGON_FAILURE;
1437 }
1438
1439 static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
1440 const char *user,
1441 const char *pass,
1442 const char *krb5_cc_type,
1443 uid_t uid,
1444 TALLOC_CTX *mem_ctx,
1445 struct netr_SamInfo6 **info6,
1446 const char **_krb5ccname)
1447 {
1448 struct winbindd_domain *contact_domain;
1449 fstring name_namespace, name_domain, name_user;
1450 NTSTATUS result;
1451 bool ok;
1452
1453 DEBUG(10,("winbindd_dual_pam_auth_kerberos\n"));
1454
1455 /* Parse domain and username */
1456
1457 ok = parse_domain_user(user,
1458 name_namespace,
1459 name_domain,
1460 name_user);
1461 if (!ok) {
1462 result = NT_STATUS_INVALID_PARAMETER;
1463 goto done;
1464 }
1465
1466 /* what domain should we contact? */
1467
1468 if (lp_winbind_use_krb5_enterprise_principals()) {
1469 contact_domain = find_auth_domain(0, name_namespace);
1470 } else {
1471 contact_domain = find_domain_from_name(name_namespace);
1472 }
1473 if (contact_domain == NULL) {
1474 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1475 user, name_domain, name_user, name_namespace));
1476 result = NT_STATUS_NO_SUCH_USER;
1477 goto done;
1478 }
1479
1480 if (contact_domain->initialized &&
1481 contact_domain->active_directory) {
1482 goto try_login;
1483 }
1484
1485 if (!contact_domain->initialized) {
1486 init_dc_connection(contact_domain, false);
1487 }
1488
1489 if (!contact_domain->active_directory) {
1490 DEBUG(3,("krb5 auth requested but domain (%s) is not Active Directory\n",
1491 contact_domain->name));
1492 return NT_STATUS_INVALID_LOGON_TYPE;
1493 }
1494 try_login:
1495 result = winbindd_raw_kerberos_login(
1496 mem_ctx,
1497 contact_domain,
1498 user,
1499 pass,
1500 krb5_cc_type,
1501 uid,
1502 info6,
1503 _krb5ccname);
1504 done:
1505 return result;
1506 }
1507
1508 static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
1509 uint32_t logon_parameters,
1510 const char *domain,
1511 const char *user,
1512 const uint64_t logon_id,
1513 const char *client_name,
1514 const int client_pid,
1515 const DATA_BLOB *challenge,
1516 const DATA_BLOB *lm_resp,
1517 const DATA_BLOB *nt_resp,
1518 const struct tsocket_address *remote,
1519 const struct tsocket_address *local,
1520 bool interactive,
1521 uint8_t *pauthoritative,
1522 struct netr_SamInfo3 **pinfo3)
1523 {
1524 struct auth_context *auth_context;
1525 struct auth_serversupplied_info *server_info;
1526 struct auth_usersupplied_info *user_info = NULL;
1527 struct netr_SamInfo3 *info3;
1528 NTSTATUS status;
1529 bool ok;
1530 TALLOC_CTX *frame = talloc_stackframe();
1531
1532 /*
1533 * We are authoritative by default
1534 */
1535 *pauthoritative = 1;
1536
1537 status = make_user_info(frame, &user_info, user, user, domain, domain,
1538 lp_netbios_name(), remote, local,
1539 "winbind",
1540 lm_resp, nt_resp, NULL, NULL,
1541 NULL, AUTH_PASSWORD_RESPONSE);
1542 if (!NT_STATUS_IS_OK(status)) {
1543 DEBUG(10, ("make_user_info failed: %s\n", nt_errstr(status)));
1544 TALLOC_FREE(frame);
1545 return status;
1546 }
1547
1548 user_info->logon_parameters = logon_parameters;
1549 user_info->logon_id = logon_id;
1550 user_info->auth_description = talloc_asprintf(
1551 frame, "PASSDB, %s, %d", client_name, client_pid);
1552 if (user_info->auth_description == NULL) {
1553 TALLOC_FREE(frame);
1554 return NT_STATUS_NO_MEMORY;
1555 }
1556
1557 /* We don't want to come back to winbindd or to do PAM account checks */
1558 user_info->flags |= USER_INFO_INFO3_AND_NO_AUTHZ;
1559
1560 if (interactive) {
1561 user_info->flags |= USER_INFO_INTERACTIVE_LOGON;
1562 }
1563
1564 status = make_auth3_context_for_winbind(frame, &auth_context);
1565 if (!NT_STATUS_IS_OK(status)) {
1566 DBG_ERR("make_auth3_context_for_winbind failed: %s\n",
1567 nt_errstr(status));
1568 TALLOC_FREE(frame);
1569 return status;
1570 }
1571
1572 ok = auth3_context_set_challenge(auth_context,
1573 challenge->data, "fixed");
1574 if (!ok) {
1575 TALLOC_FREE(frame);
1576 return NT_STATUS_NO_MEMORY;
1577 }
1578
1579 status = auth_check_ntlm_password(mem_ctx,
1580 auth_context,
1581 user_info,
1582 &server_info,
1583 pauthoritative);
1584 if (!NT_STATUS_IS_OK(status)) {
1585 TALLOC_FREE(frame);
1586 return status;
1587 }
1588
1589 info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
1590 if (info3 == NULL) {
1591 TALLOC_FREE(frame);
1592 return NT_STATUS_NO_MEMORY;
1593 }
1594
1595 status = serverinfo_to_SamInfo3(server_info, info3);
1596 if (!NT_STATUS_IS_OK(status)) {
1597 TALLOC_FREE(frame);
1598 TALLOC_FREE(info3);
1599 DEBUG(0, ("serverinfo_to_SamInfo3 failed: %s\n",
1600 nt_errstr(status)));
1601 return status;
1602 }
1603
1604 *pinfo3 = info3;
1605 DBG_DEBUG("Authenticating user %s\\%s returned %s\n",
1606 domain,
1607 user,
1608 nt_errstr(status));
1609 TALLOC_FREE(frame);
1610 return status;
1611 }
1612
1613 static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
1614 TALLOC_CTX *mem_ctx,
1615 uint32_t logon_parameters,
1616 const char *username,
1617 const char *password,
1618 const char *domainname,
1619 const char *workstation,
1620 const uint64_t logon_id,
1621 bool plaintext_given,
1622 const uint8_t chal[8],
1623 DATA_BLOB lm_response,
1624 DATA_BLOB nt_response,
1625 bool interactive,
1626 uint8_t *authoritative,
1627 uint32_t *flags,
1628 uint16_t *_validation_level,
1629 union netr_Validation **_validation)
1630 {
1631 int attempts = 0;
1632 int netr_attempts = 0;
1633 bool retry = false;
1634 NTSTATUS result;
1635 enum netr_LogonInfoClass logon_type_i;
1636 enum netr_LogonInfoClass logon_type_n;
1637 uint16_t validation_level = UINT16_MAX;
1638 union netr_Validation *validation = NULL;
1639 TALLOC_CTX *base_ctx = NULL;
1640 struct netr_SamBaseInfo *base_info = NULL;
1641
1642 do {
1643 struct rpc_pipe_client *netlogon_pipe;
1644 struct netlogon_creds_cli_context *netlogon_creds_ctx = NULL;
1645
1646 retry = false;
1647
1648 result = cm_connect_netlogon_secure(domain, &netlogon_pipe,
1649 &netlogon_creds_ctx);
1650
1651 if (NT_STATUS_EQUAL(result,
1652 NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
1653 /*
1654 * This means we don't have a trust account.
1655 */
1656 *authoritative = 0;
1657 result = NT_STATUS_NO_SUCH_USER;
1658 break;
1659 }
1660
1661 if (!NT_STATUS_IS_OK(result)) {
1662 DEBUG(3,("Could not open handle to NETLOGON pipe "
1663 "(error: %s, attempts: %d)\n",
1664 nt_errstr(result), netr_attempts));
1665
1666 /* After the first retry always close the connection */
1667 if (netr_attempts > 0) {
1668 DEBUG(3, ("This is again a problem for this "
1669 "particular call, forcing the close "
1670 "of this connection\n"));
1671 invalidate_cm_connection(domain);
1672 }
1673
1674 /* After the second retry failover to the next DC */
1675 if (netr_attempts > 1) {
1676 /*
1677 * If the netlogon server is not reachable then
1678 * it is possible that the DC is rebuilding
1679 * sysvol and shutdown netlogon for that time.
1680 * We should failover to the next dc.
1681 */
1682 DEBUG(3, ("This is the third problem for this "
1683 "particular call, adding DC to the "
1684 "negative cache list: %s %s\n", domain->name, domain->dcname));
1685 add_failed_connection_entry(domain->name,
1686 domain->dcname,
1687 result);
1688 saf_delete(domain->name);
1689 }
1690
1691 /* Only allow 3 retries */
1692 if (netr_attempts < 3) {
1693 DEBUG(3, ("The connection to netlogon "
1694 "failed, retrying\n"));
1695 netr_attempts++;
1696 retry = true;
1697 continue;
1698 }
1699 return result;
1700 }
1701
1702 logon_type_i = NetlogonInteractiveInformation;
1703 logon_type_n = NetlogonNetworkInformation;
1704 if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
1705 logon_type_i = NetlogonInteractiveTransitiveInformation;
1706 logon_type_n = NetlogonNetworkTransitiveInformation;
1707 }
1708
1709 if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
1710 logon_type_i = NetlogonInteractiveTransitiveInformation;
1711 logon_type_n = NetlogonNetworkTransitiveInformation;
1712 }
1713
1714 if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE) {
1715 logon_type_i = NetlogonInteractiveInformation;
1716 logon_type_n = NetlogonNetworkInformation;
1717 }
1718
1719 if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) {
1720 logon_type_i = NetlogonInteractiveInformation;
1721 logon_type_n = NetlogonNetworkInformation;
1722 }
1723
1724 netr_attempts = 0;
1725 if (plaintext_given) {
1726 result = rpccli_netlogon_password_logon(
1727 netlogon_creds_ctx,
1728 netlogon_pipe->binding_handle,
1729 mem_ctx,
1730 logon_parameters,
1731 domainname,
1732 username,
1733 password,
1734 workstation,
1735 logon_id,
1736 logon_type_i,
1737 authoritative,
1738 flags,
1739 &validation_level,
1740 &validation);
1741 } else if (interactive) {
1742 result = rpccli_netlogon_interactive_logon(
1743 netlogon_creds_ctx,
1744 netlogon_pipe->binding_handle,
1745 mem_ctx,
1746 logon_parameters,
1747 username,
1748 domainname,
1749 workstation,
1750 logon_id,
1751 lm_response,
1752 nt_response,
1753 logon_type_i,
1754 authoritative,
1755 flags,
1756 &validation_level,
1757 &validation);
1758 } else {
1759 result = rpccli_netlogon_network_logon(
1760 netlogon_creds_ctx,
1761 netlogon_pipe->binding_handle,
1762 mem_ctx,
1763 logon_parameters,
1764 username,
1765 domainname,
1766 workstation,
1767 logon_id,
1768 chal,
1769 lm_response,
1770 nt_response,
1771 logon_type_n,
1772 authoritative,
1773 flags,
1774 &validation_level,
1775 &validation);
1776 }
1777
1778 /*
1779 * we increment this after the "feature negotiation"
1780 * for can_do_samlogon_ex and can_do_validation6
1781 */
1782 attempts += 1;
1783
1784 /* We have to try a second time as cm_connect_netlogon
1785 might not yet have noticed that the DC has killed
1786 our connection. */
1787
1788 if (!rpccli_is_connected(netlogon_pipe)) {
1789 retry = true;
1790 continue;
1791 }
1792
1793 /* if we get access denied, a possible cause was that we had
1794 an open connection to the DC, but someone changed our
1795 machine account password out from underneath us using 'net
1796 rpc changetrustpw' */
1797
1798 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1799 DEBUG(1,("winbind_samlogon_retry_loop: sam_logon returned "
1800 "ACCESS_DENIED. Maybe the DC has Restrict "
1801 "NTLM set or the trust account "
1802 "password was changed and we didn't know it. "
1803 "Killing connections to domain %s\n",
1804 domainname));
1805 invalidate_cm_connection(domain);
1806 retry = true;
1807 }
1808
1809 if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
1810 /*
1811 * Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
1812 * (no Ex). This happens against old Samba
1813 * DCs, if LogonSamLogonEx() fails with an error
1814 * e.g. NT_STATUS_NO_SUCH_USER or NT_STATUS_WRONG_PASSWORD.
1815 *
1816 * The server will log something like this:
1817 * api_net_sam_logon_ex: Failed to marshall NET_R_SAM_LOGON_EX.
1818 *
1819 * This sets the whole connection into a fault_state mode
1820 * and all following request get NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
1821 *
1822 * This also happens to our retry with LogonSamLogonWithFlags()
1823 * and LogonSamLogon().
1824 *
1825 * In order to recover from this situation, we need to
1826 * drop the connection.
1827 */
1828 invalidate_cm_connection(domain);
1829 result = NT_STATUS_LOGON_FAILURE;
1830 break;
1831 }
1832
1833 } while ( (attempts < 2) && retry );
1834
1835 if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) {
1836 DEBUG(3,("winbind_samlogon_retry_loop: sam_network_logon(ex) "
1837 "returned NT_STATUS_IO_TIMEOUT after the retry. "
1838 "Killing connections to domain %s\n",
1839 domainname));
1840 invalidate_cm_connection(domain);
1841 }
1842
1843 if (!NT_STATUS_IS_OK(result)) {
1844 return result;
1845 }
1846
1847 switch (validation_level) {
1848 case 3:
1849 base_ctx = validation->sam3;
1850 base_info = &validation->sam3->base;
1851 break;
1852 case 6:
1853 base_ctx = validation->sam6;
1854 base_info = &validation->sam6->base;
1855 break;
1856 default:
1857 smb_panic(__location__);
1858 }
1859
1860 if (base_info->acct_flags == 0 || base_info->account_name.string == NULL) {
1861 struct dom_sid user_sid;
1862 struct dom_sid_buf sid_buf;
1863 const char *acct_flags_src = "server";
1864 const char *acct_name_src = "server";
1865
1866 /*
1867 * Handle the case where a NT4 DC does not fill in the acct_flags in
1868 * the samlogon reply info3. Yes, in 2021, there are still admins
1869 * arround with real NT4 DCs.
1870 *
1871 * We used to call dcerpc_samr_QueryUserInfo(level=16) to fetch
1872 * acct_flags, but as NT4 DCs reject authentication with workstation
1873 * accounts with NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, even if
1874 * MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT is specified, we only ever got
1875 * ACB_NORMAL back (maybe with ACB_PWNOEXP in addition).
1876 *
1877 * For network logons NT4 DCs also skip the
1878 * account_name, so we have to fallback to the
1879 * one given by the client.
1880 */
1881
1882 if (base_info->acct_flags == 0) {
1883 base_info->acct_flags = ACB_NORMAL;
1884 if (base_info->force_password_change == NTTIME_MAX) {
1885 base_info->acct_flags |= ACB_PWNOEXP;
1886 }
1887 acct_flags_src = "calculated";
1888 }
1889
1890 if (base_info->account_name.string == NULL) {
1891 base_info->account_name.string = talloc_strdup(base_ctx,
1892 username);
1893 if (base_info->account_name.string == NULL) {
1894 TALLOC_FREE(validation);
1895 return NT_STATUS_NO_MEMORY;
1896 }
1897 acct_name_src = "client";
1898 }
1899
1900 sid_compose(&user_sid, base_info->domain_sid, base_info->rid);
1901
1902 DBG_DEBUG("Fallback to %s_acct_flags[0x%x] %s_acct_name[%s] for %s\n",
1903 acct_flags_src,
1904 base_info->acct_flags,
1905 acct_name_src,
1906 base_info->account_name.string,
1907 dom_sid_str_buf(&user_sid, &sid_buf));
1908 }
1909
1910 *_validation_level = validation_level;
1911 *_validation = validation;
1912 return NT_STATUS_OK;
1913 }
1914
1915 static NTSTATUS nt_dual_auth_passdb(TALLOC_CTX *mem_ctx,
1916 fstring name_user,
1917 fstring name_domain,
1918 const char *pass,
1919 uint64_t logon_id,
1920 const char *client_name,
1921 const int client_pid,
1922 const struct tsocket_address *remote,
1923 const struct tsocket_address *local,
1924 uint8_t *authoritative,
1925 struct netr_SamInfo3 **info3)
1926 {
1927 unsigned char local_nt_response[24];
1928 uchar chal[8];
1929 DATA_BLOB chal_blob;
1930 DATA_BLOB lm_resp;
1931 DATA_BLOB nt_resp;
1932
1933 /* do password magic */
1934
1935 generate_random_buffer(chal, sizeof(chal));
1936 chal_blob = data_blob_const(chal, sizeof(chal));
1937
1938 if (lp_client_ntlmv2_auth()) {
1939 DATA_BLOB server_chal;
1940 DATA_BLOB names_blob;
1941 server_chal = data_blob_const(chal, 8);
1942
1943 /* note that the 'workgroup' here is for the local
1944 machine. The 'server name' must match the
1945 'workstation' passed to the actual SamLogon call.
1946 */
1947 names_blob = NTLMv2_generate_names_blob(mem_ctx,
1948 lp_netbios_name(),
1949 lp_workgroup());
1950
1951 if (!SMBNTLMv2encrypt(mem_ctx, name_user, name_domain,
1952 pass, &server_chal, &names_blob,
1953 &lm_resp, &nt_resp, NULL, NULL)) {
1954 data_blob_free(&names_blob);
1955 DEBUG(0, ("SMBNTLMv2encrypt() failed!\n"));
1956 return NT_STATUS_NO_MEMORY;
1957 }
1958 data_blob_free(&names_blob);
1959 } else {
1960 int rc;
1961 lm_resp = data_blob_null;
1962
1963 rc = SMBNTencrypt(pass, chal, local_nt_response);
1964 if (rc != 0) {
1965 DEBUG(0, ("SMBNTencrypt() failed!\n"));
1966 return gnutls_error_to_ntstatus(rc,
1967 NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
1968 }
1969
1970 nt_resp = data_blob_talloc(mem_ctx, local_nt_response,
1971 sizeof(local_nt_response));
1972 }
1973
1974 return winbindd_dual_auth_passdb(talloc_tos(), 0, name_domain,
1975 name_user, logon_id, client_name,
1976 client_pid, &chal_blob, &lm_resp,
1977 &nt_resp, remote, local,
1978 true, /* interactive */
1979 authoritative, info3);
1980 }
1981
1982 static NTSTATUS winbindd_dual_pam_auth_samlogon(
1983 TALLOC_CTX *mem_ctx,
1984 struct winbindd_domain *domain,
1985 const char *user,
1986 const char *pass,
1987 uint64_t logon_id,
1988 const char *client_name,
1989 const int client_pid,
1990 uint32_t request_flags,
1991 const struct tsocket_address *remote,
1992 const struct tsocket_address *local,
1993 uint16_t *_validation_level,
1994 union netr_Validation **_validation)
1995 {
1996 fstring name_namespace, name_domain, name_user;
1997 NTSTATUS result;
1998 uint8_t authoritative = 1;
1999 uint32_t flags = 0;
2000 uint16_t validation_level = 0;
2001 union netr_Validation *validation = NULL;
2002 bool ok;
2003
2004 DEBUG(10,("winbindd_dual_pam_auth_samlogon\n"));
2005
2006 /* Parse domain and username */
2007
2008 ok = parse_domain_user(user, name_namespace, name_domain, name_user);
2009 if (!ok) {
2010 return NT_STATUS_INVALID_PARAMETER;
2011 }
2012
2013 /*
2014 * We check against domain->name instead of
2015 * name_domain, as find_auth_domain() ->
2016 * find_domain_from_name_noinit() already decided
2017 * that we are in a child for the correct domain.
2018 *
2019 * name_domain can also be lp_realm()
2020 * we need to check against domain->name.
2021 */
2022 if (strequal(domain->name, get_global_sam_name())) {
2023 struct netr_SamInfo3 *info3 = NULL;
2024
2025 result = nt_dual_auth_passdb(mem_ctx, name_user, name_domain,
2026 pass, logon_id, client_name,
2027 client_pid, remote, local,
2028 &authoritative, &info3);
2029
2030 /*
2031 * We need to try the remote NETLOGON server if this is
2032 * not authoritative (for example on the RODC).
2033 */
2034 if (authoritative != 0) {
2035 if (!NT_STATUS_IS_OK(result)) {
2036 return result;
2037 }
2038 result = map_info3_to_validation(mem_ctx,
2039 info3,
2040 &validation_level,
2041 &validation);
2042 TALLOC_FREE(info3);
2043 if (!NT_STATUS_IS_OK(result)) {
2044 return result;
2045 }
2046
2047 goto done;
2048 }
2049 }
2050
2051 /* check authentication loop */
2052
2053 result = winbind_samlogon_retry_loop(domain,
2054 mem_ctx,
2055 0,
2056 name_user,
2057 pass,
2058 name_domain,
2059 lp_netbios_name(),
2060 logon_id,
2061 true, /* plaintext_given */
2062 NULL,
2063 data_blob_null, data_blob_null,
2064 true, /* interactive */
2065 &authoritative,
2066 &flags,
2067 &validation_level,
2068 &validation);
2069 if (!NT_STATUS_IS_OK(result)) {
2070 return result;
2071 }
2072
2073 done:
2074 *_validation_level = validation_level;
2075 *_validation = validation;
2076
2077 return NT_STATUS_OK;
2078 }
2079
2080 /*
2081 * @brief build a tsocket_address for the remote address of the supplied socket
2082 *
2083 */
2084 static struct tsocket_address *get_remote_address(TALLOC_CTX *mem_ctx, int sock)
2085 {
2086 struct sockaddr_storage st = {0};
2087 struct sockaddr *sar = (struct sockaddr *)&st;
2088 socklen_t sa_len = sizeof(st);
2089 struct tsocket_address *remote = NULL;
2090 int ret = 0;
2091
2092 ret = getpeername(sock, sar, &sa_len);
2093 if (ret != 0) {
2094 DBG_ERR("getpeername failed - %s", strerror(errno));
2095 return NULL;
2096 }
2097 ret = tsocket_address_bsd_from_sockaddr(mem_ctx, sar, sa_len, &remote);
2098 if (ret != 0) {
2099 DBG_ERR("tsocket_address_bsd_from_sockaddr failed - %s",
2100 strerror(errno));
2101 return NULL;
2102 }
2103 return remote;
2104 }
2105
2106 /*
2107 * @brief build a tsocket_address for the local address of the supplied socket
2108 *
2109 */
2110 static struct tsocket_address *get_local_address(TALLOC_CTX *mem_ctx, int sock)
2111 {
2112 struct sockaddr_storage st = {0};
2113 struct sockaddr *sar = (struct sockaddr *)&st;
2114 socklen_t sa_len = sizeof(st);
2115 struct tsocket_address *local = NULL;
2116 int ret = 0;
2117
2118 ret = getsockname(sock, sar, &sa_len);
2119 if (ret != 0) {
2120 DBG_ERR("getsockname failed - %s", strerror(errno));
2121 return NULL;
2122 }
2123 ret = tsocket_address_bsd_from_sockaddr(mem_ctx, sar, sa_len, &local);
2124 if (ret != 0) {
2125 DBG_ERR("tsocket_address_bsd_from_sockaddr failed - %s",
2126 strerror(errno));
2127 return NULL;
2128 }
2129 return local;
2130 }
2131
2132 /*
2133 * @brief generate an authentication message in the logs.
2134 *
2135 */
2136 static void log_authentication(
2137 TALLOC_CTX *mem_ctx,
2138 const struct winbindd_domain *domain,
2139 const struct winbindd_cli_state *state,
2140 const struct timeval start_time,
2141 const uint64_t logon_id,
2142 const char *command,
2143 const char *user_name,
2144 const char *domain_name,
2145 const char *workstation,
2146 const DATA_BLOB lm_resp,
2147 const DATA_BLOB nt_resp,
2148 const struct tsocket_address *remote,
2149 const struct tsocket_address *local,
2150 NTSTATUS result)
2151 {
2152
2153 struct auth_usersupplied_info *ui = NULL;
2154 struct dom_sid *sid = NULL;
2155 struct loadparm_context *lp_ctx = NULL;
2156 struct imessaging_context *msg_ctx = NULL;
2157
2158 ui = talloc_zero(mem_ctx, struct auth_usersupplied_info);
2159 ui->logon_id = logon_id;
2160 ui->service_description = "winbind";
2161 ui->password.response.nt.length = nt_resp.length;
2162 ui->password.response.nt.data = nt_resp.data;
2163 ui->password.response.lanman.length = lm_resp.length;
2164 ui->password.response.lanman.data = lm_resp.data;
2165 if (nt_resp.length == 0 && lm_resp.length == 0) {
2166 ui->password_state = AUTH_PASSWORD_PLAIN;
2167 } else {
2168 ui->password_state = AUTH_PASSWORD_RESPONSE;
2169 }
2170 /*
2171 * In the event of a failure ui->auth_description will be null,
2172 * the logging code handles this correctly so it can be ignored.
2173 */
2174 ui->auth_description = talloc_asprintf(
2175 ui,
2176 "%s, %s, %d",
2177 command,
2178 state->request->client_name,
2179 state->pid);
2180 if (ui->auth_description == NULL) {
2181 DBG_ERR("OOM Unable to create auth_description");
2182 }
2183 ui->client.account_name = user_name;
2184 ui->client.domain_name = domain_name;
2185 ui->workstation_name = workstation;
2186 ui->remote_host = remote;
2187 ui->local_host = local;
2188
2189 sid = dom_sid_parse_talloc(
2190 ui, state->response->data.auth.info3.dom_sid);
2191 if (sid != NULL) {
2192 sid_append_rid(sid, state->response->data.auth.info3.user_rid);
2193 }
2194
2195 if (lp_auth_event_notification()) {
2196 lp_ctx = loadparm_init_s3(ui, loadparm_s3_helpers());
2197 msg_ctx = imessaging_client_init(
2198 ui, lp_ctx, global_event_context());
2199 }
2200 log_authentication_event(
2201 msg_ctx,
2202 lp_ctx,
2203 &start_time,
2204 ui,
2205 result,
2206 state->response->data.auth.info3.logon_dom,
2207 state->response->data.auth.info3.user_name,
2208 sid);
2209 TALLOC_FREE(ui);
2210 }
2211
2212 enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
2213 struct winbindd_cli_state *state)
2214 {
2215 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
2216 NTSTATUS krb5_result = NT_STATUS_OK;
2217 fstring name_namespace, name_domain, name_user;
2218 char *mapped_user;
2219 fstring domain_user;
2220 uint16_t validation_level = UINT16_MAX;
2221 union netr_Validation *validation = NULL;
2222 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
2223 bool ok;
2224 uint64_t logon_id = 0;
2225 const struct timeval start_time = timeval_current();
2226 const struct tsocket_address *remote = NULL;
2227 const struct tsocket_address *local = NULL;
2228
2229 /* Ensure null termination */
2230 state->request->data.auth.user[sizeof(state->request->data.auth.user)-1]='\0';
2231
2232 /* Ensure null termination */
2233 state->request->data.auth.pass[sizeof(state->request->data.auth.pass)-1]='\0';
2234
2235 /*
2236 * Generate a logon_id for this session.
2237 */
2238 logon_id = generate_random_u64();
2239 remote = get_remote_address(state->mem_ctx, state->sock);
2240 local = get_local_address(state->mem_ctx, state->sock);
2241 DEBUG(3, ("[%5lu]: dual pam auth %s\n", (unsigned long)state->pid,
2242 state->request->data.auth.user));
2243
2244 /* Parse domain and username */
2245
2246 name_map_status = normalize_name_unmap(state->mem_ctx,
2247 state->request->data.auth.user,
2248 &mapped_user);
2249
2250 /* If the name normalization didn't actually do anything,
2251 just use the original name */
2252
2253 if (!NT_STATUS_IS_OK(name_map_status) &&
2254 !NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
2255 {
2256 mapped_user = state->request->data.auth.user;
2257 }
2258
2259 ok = parse_domain_user(mapped_user,
2260 name_namespace,
2261 name_domain,
2262 name_user);
2263 if (!ok) {
2264 result = NT_STATUS_INVALID_PARAMETER;
2265 goto process_result;
2266 }
2267
2268 if ( mapped_user != state->request->data.auth.user ) {
2269 fstr_sprintf( domain_user, "%s%c%s", name_domain,
2270 *lp_winbind_separator(),
2271 name_user );
2272 strlcpy( state->request->data.auth.user, domain_user,
2273 sizeof(state->request->data.auth.user));
2274 }
2275
2276 if (!domain->online) {
2277 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
2278 if (domain->startup) {
2279 /* Logons are very important to users. If we're offline and
2280 we get a request within the first 30 seconds of startup,
2281 try very hard to find a DC and go online. */
2282
2283 DEBUG(10,("winbindd_dual_pam_auth: domain: %s offline and auth "
2284 "request in startup mode.\n", domain->name ));
2285
2286 winbindd_flush_negative_conn_cache(domain);
2287 result = init_dc_connection(domain, false);
2288 }
2289 }
2290
2291 DEBUG(10,("winbindd_dual_pam_auth: domain: %s last was %s\n", domain->name, domain->online ? "online":"offline"));
2292
2293 /* Check for Kerberos authentication */
2294 if (domain->online && (state->request->flags & WBFLAG_PAM_KRB5)) {
2295 struct netr_SamInfo6 *info6 = NULL;
2296 const char *krb5ccname = NULL;
2297
2298 result = winbindd_dual_pam_auth_kerberos(
2299 domain,
2300 state->request->data.auth.user,
2301 state->request->data.auth.pass,
2302 state->request->data.auth.krb5_cc_type,
2303 get_uid_from_request(state->request),
2304 state->mem_ctx,
2305 &info6,
2306 &krb5ccname);
2307
2308 /* save for later */
2309 krb5_result = result;
2310
2311 if (NT_STATUS_IS_OK(result)) {
2312 DEBUG(10,("winbindd_dual_pam_auth_kerberos succeeded\n"));
2313
2314 fstrcpy(state->response->data.auth.krb5ccname,
2315 krb5ccname);
2316
2317 result = map_info6_to_validation(state->mem_ctx,
2318 info6,
2319 &validation_level,
2320 &validation);
2321 TALLOC_FREE(info6);
2322 if (!NT_STATUS_IS_OK(result)) {
2323 DBG_ERR("map_info6_to_validation failed\n");
2324 goto done;
2325 }
2326 goto process_result;
2327 }
2328
2329 DBG_DEBUG("winbindd_dual_pam_auth_kerberos failed: %s\n",
2330 nt_errstr(result));
2331
2332 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
2333 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
2334 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
2335 DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
2336 set_domain_offline( domain );
2337 goto cached_logon;
2338 }
2339
2340 /* there are quite some NT_STATUS errors where there is no
2341 * point in retrying with a samlogon, we explictly have to take
2342 * care not to increase the bad logon counter on the DC */
2343
2344 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_DISABLED) ||
2345 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_EXPIRED) ||
2346 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_LOCKED_OUT) ||
2347 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_LOGON_HOURS) ||
2348 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_WORKSTATION) ||
2349 NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE) ||
2350 NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER) ||
2351 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_EXPIRED) ||
2352 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE) ||
2353 NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD)) {
2354 goto done;
2355 }
2356
2357 if (state->request->flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
2358 DEBUG(3,("falling back to samlogon\n"));
2359 goto sam_logon;
2360 } else {
2361 goto cached_logon;
2362 }
2363 }
2364
2365 sam_logon:
2366 /* Check for Samlogon authentication */
2367 if (domain->online) {
2368 struct netr_SamBaseInfo *base_info = NULL;
2369
2370 result = winbindd_dual_pam_auth_samlogon(
2371 state->mem_ctx, domain,
2372 state->request->data.auth.user,
2373 state->request->data.auth.pass,
2374 logon_id,
2375 state->request->client_name,
2376 state->pid,
2377 state->request->flags,
2378 remote,
2379 local,
2380 &validation_level,
2381 &validation);
2382
2383 if (NT_STATUS_IS_OK(result)) {
2384 DEBUG(10,("winbindd_dual_pam_auth_samlogon succeeded\n"));
2385
2386 switch (validation_level) {
2387 case 3:
2388 base_info = &validation->sam3->base;
2389 break;
2390 case 6:
2391 base_info = &validation->sam6->base;
2392 break;
2393 default:
2394 DBG_ERR("Bad validation level %d\n",
2395 validation_level);
2396 result = NT_STATUS_INTERNAL_ERROR;
2397 goto done;
2398 }
2399
2400 /* add the Krb5 err if we have one */
2401 if ( NT_STATUS_EQUAL(krb5_result, NT_STATUS_TIME_DIFFERENCE_AT_DC ) ) {
2402 base_info->user_flags |= LOGON_KRB5_FAIL_CLOCK_SKEW;
2403 }
2404
2405 goto process_result;
2406 }
2407
2408 DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n",
2409 nt_errstr(result)));
2410
2411 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
2412 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
2413 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND))
2414 {
2415 DEBUG(10,("winbindd_dual_pam_auth_samlogon setting domain to offline\n"));
2416 set_domain_offline( domain );
2417 goto cached_logon;
2418 }
2419
2420 if (domain->online) {
2421 /* We're still online - fail. */
2422 goto done;
2423 }
2424 }
2425
2426 cached_logon:
2427 /* Check for Cached logons */
2428 if (!domain->online && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN) &&
2429 lp_winbind_offline_logon()) {
2430 struct netr_SamInfo3 *info3 = NULL;
2431
2432 result = winbindd_dual_pam_auth_cached(domain, state, &info3);
2433
2434 if (!NT_STATUS_IS_OK(result)) {
2435 DEBUG(10,("winbindd_dual_pam_auth_cached failed: %s\n", nt_errstr(result)));
2436 goto done;
2437 }
2438 DEBUG(10,("winbindd_dual_pam_auth_cached succeeded\n"));
2439
2440 result = map_info3_to_validation(state->mem_ctx,
2441 info3,
2442 &validation_level,
2443 &validation);
2444 TALLOC_FREE(info3);
2445 if (!NT_STATUS_IS_OK(result)) {
2446 DBG_ERR("map_info3_to_validation failed\n");
2447 goto done;
2448 }
2449 }
2450
2451 process_result:
2452
2453 if (NT_STATUS_IS_OK(result)) {
2454 struct dom_sid user_sid;
2455 TALLOC_CTX *base_ctx = NULL;
2456 struct netr_SamBaseInfo *base_info = NULL;
2457 struct netr_SamInfo3 *info3 = NULL;
2458 struct wbint_SidArray *sid_array = NULL;
2459
2460 switch (validation_level) {
2461 case 3:
2462 base_ctx = validation->sam3;
2463 base_info = &validation->sam3->base;
2464 break;
2465 case 6:
2466 base_ctx = validation->sam6;
2467 base_info = &validation->sam6->base;
2468 break;
2469 default:
2470 result = NT_STATUS_INTERNAL_ERROR;
2471 goto done;
2472 }
2473
2474 sid_compose(&user_sid, base_info->domain_sid, base_info->rid);
2475
2476 if (base_info->full_name.string == NULL) {
2477 struct netr_SamInfo3 *cached_info3;
2478
2479 cached_info3 = netsamlogon_cache_get(state->mem_ctx,
2480 &user_sid);
2481 if (cached_info3 != NULL &&
2482 cached_info3->base.full_name.string != NULL) {
2483 base_info->full_name.string = talloc_strdup(
2484 base_ctx,
2485 cached_info3->base.full_name.string);
2486 if (base_info->full_name.string == NULL) {
2487 result = NT_STATUS_NO_MEMORY;
2488 goto done;
2489 }
2490 } else {
2491
2492 /* this might fail so we don't check the return code */
2493 wcache_query_user_fullname(domain,
2494 base_ctx,
2495 &user_sid,
2496 &base_info->full_name.string);
2497 }
2498 }
2499
2500 result = map_validation_to_info3(talloc_tos(),
2501 validation_level,
2502 validation,
2503 &info3);
2504 if (!NT_STATUS_IS_OK(result)) {
2505 goto done;
2506 }
2507
2508 wcache_invalidate_samlogon(find_domain_from_name(name_domain),
2509 &user_sid);
2510 netsamlogon_cache_store(name_user, info3);
2511
2512 /* save name_to_sid info as early as possible (only if
2513 this is our primary domain so we don't invalidate
2514 the cache entry by storing the seq_num for the wrong
2515 domain). */
2516 if ( domain->primary ) {
2517 cache_name2sid(domain, name_domain, name_user,
2518 SID_NAME_USER, &user_sid);
2519 }
2520
2521 /* Check if the user is in the right group */
2522
2523 result = extra_data_to_sid_array(
2524 state->request->data.auth.require_membership_of_sid,
2525 state->mem_ctx,
2526 &sid_array);
2527 if (!NT_STATUS_IS_OK(result)) {
2528 DBG_ERR("Failed to parse '%s' into a sid array: %s\n",
2529 state->request->data.auth.require_membership_of_sid,
2530 nt_errstr(result));
2531 goto done;
2532 }
2533
2534 result = check_info3_in_group(info3, sid_array);
2535 if (!NT_STATUS_IS_OK(result)) {
2536 char *s = NDR_PRINT_STRUCT_STRING(state->mem_ctx,
2537 wbint_SidArray,
2538 sid_array);
2539 DBG_NOTICE("User %s is not in the required groups:\n",
2540 state->request->data.auth.user);
2541 DEBUGADD(DBGLVL_NOTICE, ("%s", s));
2542 DEBUGADD(DBGLVL_NOTICE,
2543 ("Plaintext authentication is rejected\n"));
2544 TALLOC_FREE(sid_array);
2545 goto done;
2546 }
2547 TALLOC_FREE(sid_array);
2548
2549 if (!is_allowed_domain(info3->base.logon_domain.string)) {
2550 DBG_NOTICE("Authentication failed for user [%s] "
2551 "from firewalled domain [%s]\n",
2552 info3->base.account_name.string,
2553 info3->base.logon_domain.string);
2554 result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
2555 goto done;
2556 }
2557
2558 result = append_auth_data(state->mem_ctx, state->response,
2559 state->request->flags,
2560 validation_level,
2561 validation,
2562 name_domain, name_user);
2563 if (!NT_STATUS_IS_OK(result)) {
2564 goto done;
2565 }
2566
2567 if ((state->request->flags & WBFLAG_PAM_CACHED_LOGIN)
2568 && lp_winbind_offline_logon()) {
2569
2570 result = winbindd_store_creds(domain,
2571 state->request->data.auth.user,
2572 state->request->data.auth.pass,
2573 info3);
2574 }
2575
2576 if (state->request->flags & WBFLAG_PAM_GET_PWD_POLICY) {
2577 /*
2578 * WBFLAG_PAM_GET_PWD_POLICY is not used within
2579 * any Samba caller anymore.
2580 *
2581 * We just fake this based on the effective values
2582 * for the user, for legacy callers.
2583 */
2584 fake_password_policy(state->response, &info3->base);
2585 }
2586
2587 result = NT_STATUS_OK;
2588 }
2589
2590 done:
2591 /* give us a more useful (more correct?) error code */
2592 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
2593 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
2594 result = NT_STATUS_NO_LOGON_SERVERS;
2595 }
2596
2597 /*
2598 * Here we don't alter
2599 * state->response->data.auth.authoritative based
2600 * on the servers response
2601 * as we don't want a fallback to the local sam
2602 * for interactive PAM logons
2603 */
2604 set_auth_errors(state->response, result);
2605
2606 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
2607 state->request->data.auth.user,
2608 state->response->data.auth.nt_status_string,
2609 state->response->data.auth.pam_error));
2610
2611 /*
2612 * Log the winbind pam authentication, the logon_id will tie this to
2613 * any of the logons invoked from this request.
2614 */
2615 log_authentication(
2616 state->mem_ctx,
2617 domain,
2618 state,
2619 start_time,
2620 logon_id,
2621 "PAM_AUTH",
2622 name_user,
2623 name_domain,
2624 NULL,
2625 data_blob_null,
2626 data_blob_null,
2627 remote,
2628 local,
2629 result);
2630
2631 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2632 }
2633
2634 NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
2635 TALLOC_CTX *mem_ctx,
2636 bool interactive,
2637 uint32_t logon_parameters,
2638 const char *name_user,
2639 const char *name_domain,
2640 const char *workstation,
2641 const uint64_t logon_id,
2642 const char* client_name,
2643 const int client_pid,
2644 const uint8_t chal[8],
2645 DATA_BLOB lm_response,
2646 DATA_BLOB nt_response,
2647 const struct tsocket_address *remote,
2648 const struct tsocket_address *local,
2649 uint8_t *authoritative,
2650 bool skip_sam,
2651 uint32_t *flags,
2652 uint16_t *_validation_level,
2653 union netr_Validation **_validation)
2654 {
2655 uint16_t validation_level = 0;
2656 union netr_Validation *validation = NULL;
2657 NTSTATUS result;
2658
2659 /*
2660 * We check against domain->name instead of
2661 * name_domain, as find_auth_domain() ->
2662 * find_domain_from_name_noinit() already decided
2663 * that we are in a child for the correct domain.
2664 *
2665 * name_domain can also be lp_realm()
2666 * we need to check against domain->name.
2667 */
2668 if (!skip_sam && strequal(domain->name, get_global_sam_name())) {
2669 DATA_BLOB chal_blob = data_blob_const(
2670 chal, 8);
2671 struct netr_SamInfo3 *info3 = NULL;
2672
2673 result = winbindd_dual_auth_passdb(
2674 talloc_tos(),
2675 logon_parameters,
2676 name_domain, name_user,
2677 logon_id,
2678 client_name,
2679 client_pid,
2680 &chal_blob, &lm_response, &nt_response,
2681 remote,
2682 local,
2683 interactive,
2684 authoritative,
2685 &info3);
2686 if (NT_STATUS_IS_OK(result)) {
2687 result = map_info3_to_validation(mem_ctx,
2688 info3,
2689 &validation_level,
2690 &validation);
2691 TALLOC_FREE(info3);
2692 if (!NT_STATUS_IS_OK(result)) {
2693 goto done;
2694 }
2695 }
2696
2697 /*
2698 * We need to try the remote NETLOGON server if this is
2699 * not authoritative.
2700 */
2701 if (*authoritative != 0) {
2702 *flags = 0;
2703 goto process_result;
2704 }
2705 }
2706
2707 result = winbind_samlogon_retry_loop(domain,
2708 mem_ctx,
2709 logon_parameters,
2710 name_user,
2711 NULL, /* password */
2712 name_domain,
2713 /* Bug #3248 - found by Stefan Burkei. */
2714 workstation, /* We carefully set this above so use it... */
2715 logon_id,
2716 false, /* plaintext_given */
2717 chal,
2718 lm_response,
2719 nt_response,
2720 interactive,
2721 authoritative,
2722 flags,
2723 &validation_level,
2724 &validation);
2725 if (!NT_STATUS_IS_OK(result)) {
2726 goto done;
2727 }
2728
2729 process_result:
2730
2731 if (NT_STATUS_IS_OK(result)) {
2732 struct dom_sid user_sid;
2733 TALLOC_CTX *base_ctx = NULL;
2734 struct netr_SamBaseInfo *base_info = NULL;
2735 struct netr_SamInfo3 *info3 = NULL;
2736
2737 switch (validation_level) {
2738 case 3:
2739 base_ctx = validation->sam3;
2740 base_info = &validation->sam3->base;
2741 break;
2742 case 6:
2743 base_ctx = validation->sam6;
2744 base_info = &validation->sam6->base;
2745 break;
2746 default:
2747 result = NT_STATUS_INTERNAL_ERROR;
2748 goto done;
2749 }
2750
2751 sid_compose(&user_sid, base_info->domain_sid, base_info->rid);
2752
2753 if (base_info->full_name.string == NULL) {
2754 struct netr_SamInfo3 *cached_info3;
2755
2756 cached_info3 = netsamlogon_cache_get(mem_ctx,
2757 &user_sid);
2758 if (cached_info3 != NULL &&
2759 cached_info3->base.full_name.string != NULL)
2760 {
2761 base_info->full_name.string = talloc_strdup(
2762 base_ctx,
2763 cached_info3->base.full_name.string);
2764 } else {
2765
2766 /* this might fail so we don't check the return code */
2767 wcache_query_user_fullname(domain,
2768 base_ctx,
2769 &user_sid,
2770 &base_info->full_name.string);
2771 }
2772 }
2773
2774 result = map_validation_to_info3(talloc_tos(),
2775 validation_level,
2776 validation,
2777 &info3);
2778 if (!NT_STATUS_IS_OK(result)) {
2779 goto done;
2780 }
2781 wcache_invalidate_samlogon(find_domain_from_name(name_domain),
2782 &user_sid);
2783 netsamlogon_cache_store(name_user, info3);
2784 TALLOC_FREE(info3);
2785 }
2786
2787 done:
2788
2789 /* give us a more useful (more correct?) error code */
2790 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
2791 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
2792 result = NT_STATUS_NO_LOGON_SERVERS;
2793 }
2794
2795 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2796 ("NTLM CRAP authentication for user [%s]\\[%s] returned %s\n",
2797 name_domain,
2798 name_user,
2799 nt_errstr(result)));
2800
2801 if (!NT_STATUS_IS_OK(result)) {
2802 return result;
2803 }
2804
2805 *_validation_level = validation_level;
2806 *_validation = validation;
2807 return NT_STATUS_OK;
2808 }
2809
2810 enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
2811 struct winbindd_cli_state *state)
2812 {
2813 NTSTATUS result;
2814 const char *name_user = NULL;
2815 const char *name_domain = NULL;
2816 const char *workstation;
2817 uint64_t logon_id = 0;
2818 uint8_t authoritative = 1;
2819 uint32_t flags = 0;
2820 uint16_t validation_level;
2821 union netr_Validation *validation = NULL;
2822 DATA_BLOB lm_resp = { 0 }, nt_resp = { 0 };
2823 const struct timeval start_time = timeval_current();
2824 const struct tsocket_address *remote = NULL;
2825 const struct tsocket_address *local = NULL;
2826
2827 /* This is child-only, so no check for privileged access is needed
2828 anymore */
2829
2830 /* Ensure null termination */
2831 state->request->data.auth_crap.user[sizeof(state->request->data.auth_crap.user)-1]=0;
2832 state->request->data.auth_crap.domain[sizeof(state->request->data.auth_crap.domain)-1]=0;
2833
2834 name_user = state->request->data.auth_crap.user;
2835 name_domain = state->request->data.auth_crap.domain;
2836 workstation = state->request->data.auth_crap.workstation;
2837 logon_id = generate_random_u64();
2838 remote = get_remote_address(state->mem_ctx, state->sock);
2839 local = get_local_address(state->mem_ctx, state->sock);
2840
2841 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
2842 name_domain, name_user));
2843
2844 if (state->request->data.auth_crap.lm_resp_len > sizeof(state->request->data.auth_crap.lm_resp)
2845 || state->request->data.auth_crap.nt_resp_len > sizeof(state->request->data.auth_crap.nt_resp)) {
2846 if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
2847 state->request->extra_len != state->request->data.auth_crap.nt_resp_len) {
2848 DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
2849 state->request->data.auth_crap.lm_resp_len,
2850 state->request->data.auth_crap.nt_resp_len));
2851 result = NT_STATUS_INVALID_PARAMETER;
2852 goto done;
2853 }
2854 }
2855
2856 lm_resp = data_blob_talloc(state->mem_ctx, state->request->data.auth_crap.lm_resp,
2857 state->request->data.auth_crap.lm_resp_len);
2858
2859 if (state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) {
2860 nt_resp = data_blob_talloc(state->mem_ctx,
2861 state->request->extra_data.data,
2862 state->request->data.auth_crap.nt_resp_len);
2863 } else {
2864 nt_resp = data_blob_talloc(state->mem_ctx,
2865 state->request->data.auth_crap.nt_resp,
2866 state->request->data.auth_crap.nt_resp_len);
2867 }
2868
2869 result = winbind_dual_SamLogon(domain,
2870 state->mem_ctx,
2871 false, /* interactive */
2872 state->request->data.auth_crap.logon_parameters,
2873 name_user,
2874 name_domain,
2875 /* Bug #3248 - found by Stefan Burkei. */
2876 workstation, /* We carefully set this above so use it... */
2877 logon_id,
2878 state->request->client_name,
2879 state->request->pid,
2880 state->request->data.auth_crap.chal,
2881 lm_resp,
2882 nt_resp,
2883 remote,
2884 local,
2885 &authoritative,
2886 false,
2887 &flags,
2888 &validation_level,
2889 &validation);
2890 if (!NT_STATUS_IS_OK(result)) {
2891 goto done;
2892 }
2893
2894 if (NT_STATUS_IS_OK(result)) {
2895 struct netr_SamInfo3 *info3 = NULL;
2896 struct wbint_SidArray *sid_array = NULL;
2897
2898 result = map_validation_to_info3(state->mem_ctx,
2899 validation_level,
2900 validation,
2901 &info3);
2902 if (!NT_STATUS_IS_OK(result)) {
2903 goto done;
2904 }
2905
2906 result = extra_data_to_sid_array(
2907 state->request->data.auth_crap.require_membership_of_sid,
2908 state->mem_ctx,
2909 &sid_array);
2910 if (!NT_STATUS_IS_OK(result)) {
2911 DBG_ERR("Failed to parse '%s' into a sid array: %s\n",
2912 state->request->data.auth_crap.require_membership_of_sid,
2913 nt_errstr(result));
2914 goto done;
2915 }
2916
2917 /* Check if the user is in the right group */
2918 result = check_info3_in_group(info3, sid_array);
2919 if (!NT_STATUS_IS_OK(result)) {
2920 char *s = NDR_PRINT_STRUCT_STRING(state->mem_ctx,
2921 wbint_SidArray,
2922 sid_array);
2923 DBG_NOTICE("User %s is not in the required groups:\n",
2924 state->request->data.auth_crap.user);
2925 DEBUGADD(DBGLVL_NOTICE, ("%s", s));
2926 DEBUGADD(DBGLVL_NOTICE,
2927 ("CRAP authentication is rejected\n"));
2928 TALLOC_FREE(sid_array);
2929 goto done;
2930 }
2931 TALLOC_FREE(sid_array);
2932
2933 if (!is_allowed_domain(info3->base.logon_domain.string)) {
2934 DBG_NOTICE("Authentication failed for user [%s] "
2935 "from firewalled domain [%s]\n",
2936 info3->base.account_name.string,
2937 info3->base.logon_domain.string);
2938 result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
2939 goto done;
2940 }
2941
2942 result = append_auth_data(state->mem_ctx, state->response,
2943 state->request->flags,
2944 validation_level,
2945 validation,
2946 name_domain, name_user);
2947 if (!NT_STATUS_IS_OK(result)) {
2948 goto done;
2949 }
2950 }
2951
2952 done:
2953
2954 if (state->request->flags & WBFLAG_PAM_NT_STATUS_SQUASH) {
2955 result = nt_status_squash(result);
2956 }
2957
2958 set_auth_errors(state->response, result);
2959 state->response->data.auth.authoritative = authoritative;
2960
2961 /*
2962 * Log the winbind pam authentication, the logon_id will tie this to
2963 * any of the logons invoked from this request.
2964 */
2965 log_authentication(
2966 state->mem_ctx,
2967 domain,
2968 state,
2969 start_time,
2970 logon_id,
2971 "NTLM_AUTH",
2972 name_user,
2973 name_domain,
2974 workstation,
2975 lm_resp,
2976 nt_resp,
2977 remote,
2978 local,
2979 result);
2980
2981 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2982 }
2983
2984 enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact_domain,
2985 struct winbindd_cli_state *state)
2986 {
2987 char *oldpass;
2988 char *newpass = NULL;
2989 struct policy_handle dom_pol;
2990 struct rpc_pipe_client *cli = NULL;
2991 bool got_info = false;
2992 struct samr_DomInfo1 *info = NULL;
2993 struct userPwdChangeFailureInformation *reject = NULL;
2994 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2995 fstring namespace, domain, user;
2996 struct dcerpc_binding_handle *b = NULL;
2997 bool ok;
2998
2999 ZERO_STRUCT(dom_pol);
3000
3001 DEBUG(3, ("[%5lu]: dual pam chauthtok %s\n", (unsigned long)state->pid,
3002 state->request->data.auth.user));
3003
3004 ok = parse_domain_user(state->request->data.chauthtok.user,
3005 namespace,
3006 domain,
3007 user);
3008 if (!ok) {
3009 goto done;
3010 }
3011
3012 if (!is_allowed_domain(domain)) {
3013 DBG_NOTICE("Authentication failed for user [%s] "
3014 "from firewalled domain [%s]\n",
3015 user, domain);
3016 result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
3017 goto done;
3018 }
3019
3020 /* Change password */
3021
3022 oldpass = state->request->data.chauthtok.oldpass;
3023 newpass = state->request->data.chauthtok.newpass;
3024
3025 /* Initialize reject reason */
3026 state->response->data.auth.reject_reason = Undefined;
3027
3028 /* Get sam handle */
3029
3030 result = cm_connect_sam(contact_domain, state->mem_ctx, true, &cli,
3031 &dom_pol);
3032 if (!NT_STATUS_IS_OK(result)) {
3033 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
3034 goto done;
3035 }
3036
3037 b = cli->binding_handle;
3038
3039 result = rpccli_samr_chgpasswd_user3(cli, state->mem_ctx,
3040 user,
3041 newpass,
3042 oldpass,
3043 &info,
3044 &reject);
3045
3046 /* Windows 2003 returns NT_STATUS_PASSWORD_RESTRICTION */
3047
3048 if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) ) {
3049
3050 fill_in_password_policy(state->response, info);
3051
3052 state->response->data.auth.reject_reason =
3053 reject->extendedFailureReason;
3054
3055 got_info = true;
3056 }
3057
3058 /* atm the pidl generated rpccli_samr_ChangePasswordUser3 function will
3059 * return with NT_STATUS_BUFFER_TOO_SMALL for w2k dcs as w2k just
3060 * returns with 4byte error code (NT_STATUS_NOT_SUPPORTED) which is too
3061 * short to comply with the samr_ChangePasswordUser3 idl - gd */
3062
3063 /* only fallback when the chgpasswd_user3 call is not supported */
3064 if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE) ||
3065 NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) ||
3066 NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL) ||
3067 NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
3068
3069 DEBUG(10,("Password change with chgpasswd_user3 failed with: %s, retrying chgpasswd_user2\n",
3070 nt_errstr(result)));
3071
3072 result = rpccli_samr_chgpasswd_user2(cli, state->mem_ctx, user, newpass, oldpass);
3073
3074 /* Windows 2000 returns NT_STATUS_ACCOUNT_RESTRICTION.
3075 Map to the same status code as Windows 2003. */
3076
3077 if ( NT_STATUS_EQUAL(NT_STATUS_ACCOUNT_RESTRICTION, result ) ) {
3078 result = NT_STATUS_PASSWORD_RESTRICTION;
3079 }
3080 }
3081
3082 done:
3083
3084 if (NT_STATUS_IS_OK(result)
3085 && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN)
3086 && lp_winbind_offline_logon()) {
3087 result = winbindd_update_creds_by_name(contact_domain, user,
3088 newpass);
3089 /* Again, this happens when we login from gdm or xdm
3090 * and the password expires, *BUT* cached crendentials
3091 * doesn't exist. winbindd_update_creds_by_name()
3092 * returns NT_STATUS_NO_SUCH_USER.
3093 * This is not a failure.
3094 * --- BoYang
3095 * */
3096 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
3097 result = NT_STATUS_OK;
3098 }
3099
3100 if (!NT_STATUS_IS_OK(result)) {
3101 DEBUG(10, ("Failed to store creds: %s\n",
3102 nt_errstr(result)));
3103 goto process_result;
3104 }
3105 }
3106
3107 if (!NT_STATUS_IS_OK(result) && !got_info && contact_domain) {
3108
3109 NTSTATUS policy_ret;
3110
3111 policy_ret = fillup_password_policy(
3112 contact_domain, state->response);
3113
3114 /* failure of this is non critical, it will just provide no
3115 * additional information to the client why the change has
3116 * failed - Guenther */
3117
3118 if (!NT_STATUS_IS_OK(policy_ret)) {
3119 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(policy_ret)));
3120 goto process_result;
3121 }
3122 }
3123
3124 process_result:
3125
3126 if (strequal(contact_domain->name, get_global_sam_name())) {
3127 /* FIXME: internal rpc pipe does not cache handles yet */
3128 if (b) {
3129 if (is_valid_policy_hnd(&dom_pol)) {
3130 NTSTATUS _result;
3131 dcerpc_samr_Close(b, state->mem_ctx, &dom_pol, &_result);
3132 }
3133 TALLOC_FREE(cli);
3134 }
3135 }
3136
3137 set_auth_errors(state->response, result);
3138
3139 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
3140 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
3141 domain,
3142 user,
3143 state->response->data.auth.nt_status_string,
3144 state->response->data.auth.pam_error));
3145
3146 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
3147 }
3148
3149 enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
3150 struct winbindd_cli_state *state)
3151 {
3152 NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
3153
3154 DEBUG(3, ("[%5lu]: pam dual logoff %s\n", (unsigned long)state->pid,
3155 state->request->data.logoff.user));
3156
3157 if (!(state->request->flags & WBFLAG_PAM_KRB5)) {
3158 result = NT_STATUS_OK;
3159 goto process_result;
3160 }
3161
3162 if (state->request->data.logoff.krb5ccname[0] == '\0') {
3163 result = NT_STATUS_OK;
3164 goto process_result;
3165 }
3166
3167 #ifdef HAVE_KRB5
3168
3169 if (state->request->data.logoff.uid == (uid_t)-1) {
3170 DEBUG(0,("winbindd_pam_logoff: invalid uid\n"));
3171 goto process_result;
3172 }
3173
3174 /* what we need here is to find the corresponding krb5 ccache name *we*
3175 * created for a given username and destroy it */
3176
3177 if (!ccache_entry_exists(state->request->data.logoff.user)) {
3178 result = NT_STATUS_OK;
3179 DEBUG(10,("winbindd_pam_logoff: no entry found.\n"));
3180 goto process_result;
3181 }
3182
3183 if (!ccache_entry_identical(state->request->data.logoff.user,
3184 state->request->data.logoff.uid,
3185 state->request->data.logoff.krb5ccname)) {
3186 DEBUG(0,("winbindd_pam_logoff: cached entry differs.\n"));
3187 goto process_result;
3188 }
3189
3190 result = remove_ccache(state->request->data.logoff.user);
3191 if (!NT_STATUS_IS_OK(result)) {
3192 DEBUG(0,("winbindd_pam_logoff: failed to remove ccache: %s\n",
3193 nt_errstr(result)));
3194 goto process_result;
3195 }
3196
3197 /*
3198 * Remove any mlock'ed memory creds in the child
3199 * we might be using for krb5 ticket renewal.
3200 */
3201
3202 winbindd_delete_memory_creds(state->request->data.logoff.user);
3203
3204 #else
3205 result = NT_STATUS_NOT_SUPPORTED;
3206 #endif
3207
3208 process_result:
3209
3210
3211 set_auth_errors(state->response, result);
3212
3213 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
3214 }
3215
3216 /* Change user password with auth crap*/
3217
3218 enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domain *domainSt, struct winbindd_cli_state *state)
3219 {
3220 NTSTATUS result;
3221 DATA_BLOB new_nt_password;
3222 DATA_BLOB old_nt_hash_enc;
3223 DATA_BLOB new_lm_password;
3224 DATA_BLOB old_lm_hash_enc;
3225 fstring namespace, domain, user;
3226 struct policy_handle dom_pol;
3227 struct winbindd_domain *contact_domain = domainSt;
3228 struct rpc_pipe_client *cli = NULL;
3229 struct dcerpc_binding_handle *b = NULL;
3230
3231 ZERO_STRUCT(dom_pol);
3232
3233 /* Ensure null termination */
3234 state->request->data.chng_pswd_auth_crap.user[
3235 sizeof(state->request->data.chng_pswd_auth_crap.user)-1]=0;
3236 state->request->data.chng_pswd_auth_crap.domain[
3237 sizeof(state->request->data.chng_pswd_auth_crap.domain)-1]=0;
3238 domain[0] = '\0';
3239 namespace[0] = '\0';
3240 user[0] = '\0';
3241
3242 DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
3243 (unsigned long)state->pid,
3244 state->request->data.chng_pswd_auth_crap.domain,
3245 state->request->data.chng_pswd_auth_crap.user));
3246
3247 if (lp_winbind_offline_logon()) {
3248 DEBUG(0,("Refusing password change as winbind offline logons are enabled. "));
3249 DEBUGADD(0,("Changing passwords here would risk inconsistent logons\n"));
3250 result = NT_STATUS_ACCESS_DENIED;
3251 goto done;
3252 }
3253
3254 if (*state->request->data.chng_pswd_auth_crap.domain) {
3255 fstrcpy(domain,state->request->data.chng_pswd_auth_crap.domain);
3256 } else {
3257 bool ok;
3258
3259 ok = parse_domain_user(state->request->data.chng_pswd_auth_crap.user,
3260 namespace,
3261 domain,
3262 user);
3263 if (!ok) {
3264 result = NT_STATUS_INVALID_PARAMETER;
3265 goto done;
3266 }
3267
3268 if(!*domain) {
3269 DEBUG(3,("no domain specified with username (%s) - "
3270 "failing auth\n",
3271 state->request->data.chng_pswd_auth_crap.user));
3272 result = NT_STATUS_NO_SUCH_USER;
3273 goto done;
3274 }
3275 }
3276
3277 if (!*domain && lp_winbind_use_default_domain()) {
3278 fstrcpy(domain,lp_workgroup());
3279 }
3280
3281 if (!is_allowed_domain(domain)) {
3282 DBG_NOTICE("Authentication failed for user [%s] "
3283 "from firewalled domain [%s]\n",
3284 state->request->data.chng_pswd_auth_crap.user,
3285 domain);
3286 result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
3287 goto done;
3288 }
3289
3290 if(!*user) {
3291 fstrcpy(user, state->request->data.chng_pswd_auth_crap.user);
3292 }
3293
3294 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n",
3295 (unsigned long)state->pid, domain, user));
3296
3297 /* Change password */
3298 new_nt_password = data_blob_const(
3299 state->request->data.chng_pswd_auth_crap.new_nt_pswd,
3300 state->request->data.chng_pswd_auth_crap.new_nt_pswd_len);
3301
3302 old_nt_hash_enc = data_blob_const(
3303 state->request->data.chng_pswd_auth_crap.old_nt_hash_enc,
3304 state->request->data.chng_pswd_auth_crap.old_nt_hash_enc_len);
3305
3306 if(state->request->data.chng_pswd_auth_crap.new_lm_pswd_len > 0) {
3307 new_lm_password = data_blob_const(
3308 state->request->data.chng_pswd_auth_crap.new_lm_pswd,
3309 state->request->data.chng_pswd_auth_crap.new_lm_pswd_len);
3310
3311 old_lm_hash_enc = data_blob_const(
3312 state->request->data.chng_pswd_auth_crap.old_lm_hash_enc,
3313 state->request->data.chng_pswd_auth_crap.old_lm_hash_enc_len);
3314 } else {
3315 new_lm_password = data_blob_null;
3316 old_lm_hash_enc = data_blob_null;
3317 }
3318
3319 /* Get sam handle */
3320
3321 result = cm_connect_sam(contact_domain, state->mem_ctx, true, &cli, &dom_pol);
3322 if (!NT_STATUS_IS_OK(result)) {
3323 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
3324 goto done;
3325 }
3326
3327 b = cli->binding_handle;
3328
3329 result = rpccli_samr_chng_pswd_auth_crap(
3330 cli, state->mem_ctx, user, new_nt_password, old_nt_hash_enc,
3331 new_lm_password, old_lm_hash_enc);
3332
3333 done:
3334
3335 if (strequal(contact_domain->name, get_global_sam_name())) {
3336 /* FIXME: internal rpc pipe does not cache handles yet */
3337 if (b) {
3338 if (is_valid_policy_hnd(&dom_pol)) {
3339 NTSTATUS _result;
3340 dcerpc_samr_Close(b, state->mem_ctx, &dom_pol, &_result);
3341 }
3342 TALLOC_FREE(cli);
3343 }
3344 }
3345
3346 set_auth_errors(state->response, result);
3347
3348 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
3349 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
3350 domain, user,
3351 state->response->data.auth.nt_status_string,
3352 state->response->data.auth.pam_error));
3353
3354 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
3355 }
3356
3357 #ifdef HAVE_KRB5
3358 static NTSTATUS extract_pac_vrfy_sigs(TALLOC_CTX *mem_ctx, DATA_BLOB pac_blob,
3359 struct PAC_DATA **p_pac_data)
3360 {
3361 krb5_context krbctx = NULL;
3362 krb5_error_code k5ret;
3363 krb5_keytab keytab;
3364 krb5_kt_cursor cursor;
3365 krb5_keytab_entry entry;
3366 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
3367
3368 ZERO_STRUCT(entry);
3369 ZERO_STRUCT(cursor);
3370
3371 k5ret = smb_krb5_init_context_common(&krbctx);
3372 if (k5ret) {
3373 DBG_ERR("kerberos init context failed (%s)\n",
3374 error_message(k5ret));
3375 status = krb5_to_nt_status(k5ret);
3376 goto out;
3377 }
3378
3379 k5ret = gse_krb5_get_server_keytab(krbctx, &keytab);
3380 if (k5ret) {
3381 DEBUG(1, ("Failed to get keytab: %s\n",
3382 error_message(k5ret)));
3383 status = krb5_to_nt_status(k5ret);
3384 goto out_free;
3385 }
3386
3387 k5ret = krb5_kt_start_seq_get(krbctx, keytab, &cursor);
3388 if (k5ret) {
3389 DEBUG(1, ("Failed to start seq: %s\n",
3390 error_message(k5ret)));
3391 status = krb5_to_nt_status(k5ret);
3392 goto out_keytab;
3393 }
3394
3395 k5ret = krb5_kt_next_entry(krbctx, keytab, &entry, &cursor);
3396 while (k5ret == 0) {
3397 status = kerberos_decode_pac(mem_ctx,
3398 pac_blob,
3399 krbctx,
3400 NULL, /* krbtgt_keyblock */
3401 KRB5_KT_KEY(&entry), /* service_keyblock */
3402 NULL, /* client_principal */
3403 0, /* tgs_authtime */
3404 p_pac_data);
3405 if (NT_STATUS_IS_OK(status)) {
3406 break;
3407 }
3408 k5ret = smb_krb5_kt_free_entry(krbctx, &entry);
3409 k5ret = krb5_kt_next_entry(krbctx, keytab, &entry, &cursor);
3410 }
3411
3412 k5ret = krb5_kt_end_seq_get(krbctx, keytab, &cursor);
3413 if (k5ret) {
3414 DEBUG(1, ("Failed to end seq: %s\n",
3415 error_message(k5ret)));
3416 }
3417 out_keytab:
3418 k5ret = krb5_kt_close(krbctx, keytab);
3419 if (k5ret) {
3420 DEBUG(1, ("Failed to close keytab: %s\n",
3421 error_message(k5ret)));
3422 }
3423 out_free:
3424 krb5_free_context(krbctx);
3425 out:
3426 return status;
3427 }
3428
3429 NTSTATUS winbindd_pam_auth_pac_verify(struct winbindd_cli_state *state,
3430 bool *p_is_trusted,
3431 uint16_t *p_validation_level,
3432 union netr_Validation **p_validation)
3433 {
3434 struct winbindd_request *req = state->request;
3435 DATA_BLOB pac_blob;
3436 struct PAC_DATA *pac_data = NULL;
3437 struct PAC_LOGON_INFO *logon_info = NULL;
3438 struct PAC_UPN_DNS_INFO *upn_dns_info = NULL;
3439 struct netr_SamInfo6 *info6 = NULL;
3440 uint16_t validation_level = 0;
3441 union netr_Validation *validation = NULL;
3442 struct netr_SamInfo3 *info3_copy = NULL;
3443 NTSTATUS result;
3444 bool is_trusted = false;
3445 uint32_t i;
3446
3447 *p_is_trusted = false;
3448 *p_validation_level = 0;
3449 *p_validation = NULL;
3450
3451 pac_blob = data_blob_const(req->extra_data.data, req->extra_len);
3452 result = extract_pac_vrfy_sigs(state->mem_ctx, pac_blob, &pac_data);
3453 if (NT_STATUS_IS_OK(result)) {
3454 is_trusted = true;
3455 }
3456 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
3457 /* Try without signature verification */
3458 result = kerberos_decode_pac(state->mem_ctx,
3459 pac_blob,
3460 NULL, /* krb5_context */
3461 NULL, /* krbtgt_keyblock */
3462 NULL, /* service_keyblock */
3463 NULL, /* client_principal */
3464 0, /* tgs_authtime */
3465 &pac_data);
3466 }
3467 if (!NT_STATUS_IS_OK(result)) {
3468 DEBUG(1, ("Error during PAC signature verification: %s\n",
3469 nt_errstr(result)));
3470 return result;
3471 }
3472
3473 for (i=0; i < pac_data->num_buffers; i++) {
3474 if (pac_data->buffers[i].type == PAC_TYPE_LOGON_INFO) {
3475 logon_info = pac_data->buffers[i].info->logon_info.info;
3476 continue;
3477 }
3478 if (pac_data->buffers[i].type == PAC_TYPE_UPN_DNS_INFO) {
3479 upn_dns_info = &pac_data->buffers[i].info->upn_dns_info;
3480 continue;
3481 }
3482 }
3483
3484 result = create_info6_from_pac(state->mem_ctx,
3485 logon_info,
3486 upn_dns_info,
3487 &info6);
3488 if (!NT_STATUS_IS_OK(result)) {
3489 return result;
3490 }
3491
3492 if (!is_allowed_domain(info6->base.logon_domain.string)) {
3493 DBG_NOTICE("Authentication failed for user [%s] "
3494 "from firewalled domain [%s]\n",
3495 info6->base.account_name.string,
3496 info6->base.logon_domain.string);
3497 return NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
3498 }
3499
3500 result = map_info6_to_validation(state->mem_ctx,
3501 info6,
3502 &validation_level,
3503 &validation);
3504 if (!NT_STATUS_IS_OK(result)) {
3505 return result;
3506 }
3507
3508 result = map_validation_to_info3(state->mem_ctx,
3509 validation_level,
3510 validation,
3511 &info3_copy);
3512 if (!NT_STATUS_IS_OK(result)) {
3513 return result;
3514 }
3515
3516 if (is_trusted) {
3517 /*
3518 * Signature verification succeeded, we can
3519 * trust the PAC and prime the netsamlogon
3520 * and name2sid caches. DO NOT DO THIS
3521 * in the signature verification failed
3522 * code path.
3523 */
3524 struct winbindd_domain *domain = NULL;
3525
3526 netsamlogon_cache_store(NULL, info3_copy);
3527
3528 /*
3529 * We're in the parent here, so find the child
3530 * pointer from the PAC domain name.
3531 */
3532 domain = find_lookup_domain_from_name(
3533 info3_copy->base.logon_domain.string);
3534 if (domain && domain->primary ) {
3535 struct dom_sid user_sid;
3536 struct dom_sid_buf buf;
3537
3538 sid_compose(&user_sid,
3539 info3_copy->base.domain_sid,
3540 info3_copy->base.rid);
3541
3542 cache_name2sid_trusted(domain,
3543 info3_copy->base.logon_domain.string,
3544 info3_copy->base.account_name.string,
3545 SID_NAME_USER,
3546 &user_sid);
3547
3548 DBG_INFO("PAC for user %s\\%s SID %s primed cache\n",
3549 info3_copy->base.logon_domain.string,
3550 info3_copy->base.account_name.string,
3551 dom_sid_str_buf(&user_sid, &buf));
3552 }
3553 }
3554
3555 *p_is_trusted = is_trusted;
3556 *p_validation_level = validation_level;
3557 *p_validation = validation;
3558 return NT_STATUS_OK;
3559 }
3560 #else /* HAVE_KRB5 */
3561 NTSTATUS winbindd_pam_auth_pac_verify(struct winbindd_cli_state *state,
3562 bool *p_is_trusted,
3563 uint16_t *p_validation_level,
3564 union netr_Validation **p_validation);
3565 {
3566
3567 *p_is_trusted = false;
3568 *p_validation_level = 0;
3569 *p_validation = NULL;
3570 return NT_STATUS_NO_SUCH_USER;
3571 }
3572 #endif /* HAVE_KRB5 */
Samba GIT mirror