2 Unix SMB/CIFS implementation.
4 Winbind authentication mechnism
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Andrew Bartlett 2001 - 2002
8 Copyright (C) Stefan Metzmacher 2005
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 #include "auth/auth.h"
27 #include "nsswitch/winbind_client.h"
28 #include "librpc/gen_ndr/ndr_netlogon.h"
29 #include "librpc/gen_ndr/ndr_winbind.h"
30 #include "lib/messaging/irpc.h"
32 static NTSTATUS
get_info3_from_ndr(TALLOC_CTX
*mem_ctx
, struct winbindd_response
*response
, struct netr_SamInfo3
*info3
)
34 size_t len
= response
->length
- sizeof(struct winbindd_response
);
38 blob
.length
= len
- 4;
39 blob
.data
= (uint8_t *)(((char *)response
->extra_data
) + 4);
41 status
= ndr_pull_struct_blob(&blob
, mem_ctx
, info3
,
42 (ndr_pull_flags_fn_t
)ndr_pull_netr_SamInfo3
);
46 DEBUG(2, ("get_info3_from_ndr: No info3 struct found!\n"));
47 return NT_STATUS_UNSUCCESSFUL
;
51 static NTSTATUS
winbind_want_check(struct auth_method_context
*ctx
,
53 const struct auth_usersupplied_info
*user_info
)
55 if (!user_info
->mapped
.account_name
|| !*user_info
->mapped
.account_name
) {
56 return NT_STATUS_NOT_IMPLEMENTED
;
59 /* TODO: maybe limit the user scope to remote users only */
64 Authenticate a user with a challenge/response
65 using the samba3 winbind protocol
67 static NTSTATUS
winbind_check_password_samba3(struct auth_method_context
*ctx
,
69 const struct auth_usersupplied_info
*user_info
,
70 struct auth_serversupplied_info
**server_info
)
72 struct winbindd_request request
;
73 struct winbindd_response response
;
76 struct netr_SamInfo3 info3
;
78 /* Send off request */
79 const struct auth_usersupplied_info
*user_info_temp
;
80 nt_status
= encrypt_user_info(mem_ctx
, ctx
->auth_ctx
,
81 AUTH_PASSWORD_RESPONSE
,
82 user_info
, &user_info_temp
);
83 if (!NT_STATUS_IS_OK(nt_status
)) {
86 user_info
= user_info_temp
;
89 ZERO_STRUCT(response
);
90 request
.flags
= WBFLAG_PAM_INFO3_NDR
;
92 request
.data
.auth_crap
.logon_parameters
= user_info
->logon_parameters
;
94 winbind_strcpy(request
.data
.auth_crap
.user
,
95 user_info
->client
.account_name
);
96 winbind_strcpy(request
.data
.auth_crap
.domain
,
97 user_info
->client
.domain_name
);
98 winbind_strcpy(request
.data
.auth_crap
.workstation
,
99 user_info
->workstation_name
);
101 memcpy(request
.data
.auth_crap
.chal
, ctx
->auth_ctx
->challenge
.data
.data
, sizeof(request
.data
.auth_crap
.chal
));
103 request
.data
.auth_crap
.lm_resp_len
= MIN(user_info
->password
.response
.lanman
.length
,
104 sizeof(request
.data
.auth_crap
.lm_resp
));
105 request
.data
.auth_crap
.nt_resp_len
= MIN(user_info
->password
.response
.nt
.length
,
106 sizeof(request
.data
.auth_crap
.nt_resp
));
108 memcpy(request
.data
.auth_crap
.lm_resp
, user_info
->password
.response
.lanman
.data
,
109 request
.data
.auth_crap
.lm_resp_len
);
110 memcpy(request
.data
.auth_crap
.nt_resp
, user_info
->password
.response
.nt
.data
,
111 request
.data
.auth_crap
.nt_resp_len
);
113 result
= winbindd_request(WINBINDD_PAM_AUTH_CRAP
, &request
, &response
);
115 nt_status
= NT_STATUS(response
.data
.auth
.nt_status
);
116 NT_STATUS_NOT_OK_RETURN(nt_status
);
118 if (result
== NSS_STATUS_SUCCESS
&& response
.extra_data
) {
119 union netr_Validation validation
;
121 nt_status
= get_info3_from_ndr(mem_ctx
, &response
, &info3
);
122 SAFE_FREE(response
.extra_data
);
123 NT_STATUS_NOT_OK_RETURN(nt_status
);
125 validation
.sam3
= &info3
;
126 nt_status
= make_server_info_netlogon_validation(mem_ctx
,
127 user_info
->client
.account_name
,
131 } else if (result
== NSS_STATUS_SUCCESS
&& !response
.extra_data
) {
132 DEBUG(0, ("Winbindd authenticated the user [%s]\\[%s], "
133 "but did not include the required info3 reply!\n",
134 user_info
->client
.domain_name
, user_info
->client
.account_name
));
135 return NT_STATUS_INSUFFICIENT_LOGON_INFO
;
136 } else if (NT_STATUS_IS_OK(nt_status
)) {
137 DEBUG(1, ("Winbindd authentication for [%s]\\[%s] failed, "
138 "but no error code is available!\n",
139 user_info
->client
.domain_name
, user_info
->client
.account_name
));
140 return NT_STATUS_NO_LOGON_SERVERS
;
146 struct winbind_check_password_state
{
147 struct winbind_SamLogon req
;
151 Authenticate a user with a challenge/response
152 using IRPC to the winbind task
154 static NTSTATUS
winbind_check_password(struct auth_method_context
*ctx
,
156 const struct auth_usersupplied_info
*user_info
,
157 struct auth_serversupplied_info
**server_info
)
160 struct server_id
*winbind_servers
;
161 struct winbind_check_password_state
*s
;
162 const struct auth_usersupplied_info
*user_info_new
;
163 struct netr_IdentityInfo
*identity_info
;
165 s
= talloc(mem_ctx
, struct winbind_check_password_state
);
166 NT_STATUS_HAVE_NO_MEMORY(s
);
168 winbind_servers
= irpc_servers_byname(ctx
->auth_ctx
->msg_ctx
, s
, "winbind_server");
169 if ((winbind_servers
== NULL
) || (winbind_servers
[0].id
== 0)) {
170 DEBUG(0, ("Winbind authentication for [%s]\\[%s] failed, "
171 "no winbind_server running!\n",
172 user_info
->client
.domain_name
, user_info
->client
.account_name
));
173 return NT_STATUS_NO_LOGON_SERVERS
;
176 if (user_info
->flags
& USER_INFO_INTERACTIVE_LOGON
) {
177 struct netr_PasswordInfo
*password_info
;
179 status
= encrypt_user_info(s
, ctx
->auth_ctx
, AUTH_PASSWORD_HASH
,
180 user_info
, &user_info_new
);
181 NT_STATUS_NOT_OK_RETURN(status
);
182 user_info
= user_info_new
;
184 password_info
= talloc(s
, struct netr_PasswordInfo
);
185 NT_STATUS_HAVE_NO_MEMORY(password_info
);
187 password_info
->lmpassword
= *user_info
->password
.hash
.lanman
;
188 password_info
->ntpassword
= *user_info
->password
.hash
.nt
;
190 identity_info
= &password_info
->identity_info
;
191 s
->req
.in
.logon_level
= 1;
192 s
->req
.in
.logon
.password
= password_info
;
194 struct netr_NetworkInfo
*network_info
;
195 const uint8_t *challenge
;
197 status
= encrypt_user_info(s
, ctx
->auth_ctx
, AUTH_PASSWORD_RESPONSE
,
198 user_info
, &user_info_new
);
199 NT_STATUS_NOT_OK_RETURN(status
);
200 user_info
= user_info_new
;
202 network_info
= talloc(s
, struct netr_NetworkInfo
);
203 NT_STATUS_HAVE_NO_MEMORY(network_info
);
205 status
= auth_get_challenge(ctx
->auth_ctx
, &challenge
);
206 NT_STATUS_NOT_OK_RETURN(status
);
208 memcpy(network_info
->challenge
, challenge
, sizeof(network_info
->challenge
));
210 network_info
->nt
.length
= user_info
->password
.response
.nt
.length
;
211 network_info
->nt
.data
= user_info
->password
.response
.nt
.data
;
213 network_info
->lm
.length
= user_info
->password
.response
.lanman
.length
;
214 network_info
->lm
.data
= user_info
->password
.response
.lanman
.data
;
216 identity_info
= &network_info
->identity_info
;
217 s
->req
.in
.logon_level
= 2;
218 s
->req
.in
.logon
.network
= network_info
;
221 identity_info
->domain_name
.string
= user_info
->client
.domain_name
;
222 identity_info
->parameter_control
= user_info
->logon_parameters
; /* see MSV1_0_* */
223 identity_info
->logon_id_low
= 0;
224 identity_info
->logon_id_high
= 0;
225 identity_info
->account_name
.string
= user_info
->client
.account_name
;
226 identity_info
->workstation
.string
= user_info
->workstation_name
;
228 s
->req
.in
.validation_level
= 3;
230 status
= IRPC_CALL(ctx
->auth_ctx
->msg_ctx
, winbind_servers
[0],
231 winbind
, WINBIND_SAMLOGON
,
233 NT_STATUS_NOT_OK_RETURN(status
);
235 status
= make_server_info_netlogon_validation(mem_ctx
,
236 user_info
->client
.account_name
,
237 s
->req
.in
.validation_level
,
238 &s
->req
.out
.validation
,
240 NT_STATUS_NOT_OK_RETURN(status
);
245 static const struct auth_operations winbind_samba3_ops
= {
246 .name
= "winbind_samba3",
247 .get_challenge
= auth_get_challenge_not_implemented
,
248 .want_check
= winbind_want_check
,
249 .check_password
= winbind_check_password_samba3
252 static const struct auth_operations winbind_ops
= {
254 .get_challenge
= auth_get_challenge_not_implemented
,
255 .want_check
= winbind_want_check
,
256 .check_password
= winbind_check_password
259 NTSTATUS
auth_winbind_init(void)
263 ret
= auth_register(&winbind_samba3_ops
);
264 if (!NT_STATUS_IS_OK(ret
)) {
265 DEBUG(0,("Failed to register 'winbind_samba3' auth backend!\n"));
269 ret
= auth_register(&winbind_ops
);
270 if (!NT_STATUS_IS_OK(ret
)) {
271 DEBUG(0,("Failed to register 'winbind' auth backend!\n"));