source3/auth/auth_script.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Call out to a shell script for an authentication check.
   5
   6    Copyright (C) Jeremy Allison 2005.
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 */
  21
  22 #include "includes.h"
  23
  24 #undef malloc
  25
  26 #undef DBGC_CLASS
  27 #define DBGC_CLASS DBGC_AUTH
  28
  29 /* Create a string containing the supplied :
  30  * domain\n
  31  * user\n
  32  * ascii hex challenge\n
  33  * ascii hex LM response\n
  34  * ascii hex NT response\n\0
  35  * and execute a shell script to check this.
  36  * Allows external programs to create users on demand.
  37  * Script returns zero on success, non-zero on fail.
  38  */
  39
  40 static NTSTATUS script_check_user_credentials(const struct auth_context *auth_context,
  41                                         void *my_private_data,
  42                                         TALLOC_CTX *mem_ctx,
  43                                         const auth_usersupplied_info *user_info,
  44                                         auth_serversupplied_info **server_info)
  45 {
  46         const char *script = lp_parm_const_string( GLOBAL_SECTION_SNUM, "auth_script", "script", NULL);
  47         char *secret_str;
  48         size_t secret_str_len;
  49         char hex_str[49];
  50         int ret, i;
  51
  52         if (!script) {
  53                 return NT_STATUS_INVALID_PARAMETER;
  54         }
  55
  56         if (!user_info) {
  57                 return NT_STATUS_INVALID_PARAMETER;
  58         }
  59
  60         if (!auth_context) {
  61                 DEBUG(3,("script_check_user_credentials: no auth_info !\n"));
  62                 return NT_STATUS_INVALID_PARAMETER;
  63         }
  64
  65         secret_str_len = strlen(user_info->domain) + 1 +
  66                         strlen(user_info->smb_name) + 1 +
  67                         16 + 1 + /* 8 bytes of challenge going to 16 */
  68                         48 + 1 + /* 24 bytes of challenge going to 48 */
  69                         48 + 1;
  70
  71         secret_str = (char *)malloc(secret_str_len);
  72         if (!secret_str) {
  73                 return NT_STATUS_NO_MEMORY;
  74         }
  75
  76         safe_strcpy( secret_str, user_info->domain, secret_str_len - 1);
  77         safe_strcat( secret_str, "\n", secret_str_len - 1);
  78         safe_strcat( secret_str, user_info->smb_name, secret_str_len - 1);
  79         safe_strcat( secret_str, "\n", secret_str_len - 1);
  80
  81         for (i = 0; i < 8; i++) {
  82                 slprintf(&hex_str[i*2], 3, "%02X", auth_context->challenge.data[i]);
  83         }
  84         safe_strcat( secret_str, hex_str, secret_str_len - 1);
  85         safe_strcat( secret_str, "\n", secret_str_len - 1);
  86
  87         if (user_info->lm_resp.data) {
  88                 for (i = 0; i < 24; i++) {
  89                         slprintf(&hex_str[i*2], 3, "%02X", user_info->lm_resp.data[i]);
  90                 }
  91                 safe_strcat( secret_str, hex_str, secret_str_len - 1);
  92         }
  93         safe_strcat( secret_str, "\n", secret_str_len - 1);
  94
  95         if (user_info->nt_resp.data) {
  96                 for (i = 0; i < 24; i++) {
  97                         slprintf(&hex_str[i*2], 3, "%02X", user_info->nt_resp.data[i]);
  98                 }
  99                 safe_strcat( secret_str, hex_str, secret_str_len - 1);
 100         }
 101         safe_strcat( secret_str, "\n", secret_str_len - 1);
 102
 103         DEBUG(10,("script_check_user_credentials: running %s with parameters:\n%s\n",
 104                 script, secret_str ));
 105
 106         ret = smbrunsecret( script, secret_str);
 107
 108         SAFE_FREE(secret_str);
 109
 110         if (ret) {
 111                 DEBUG(1,("script_check_user_credentials: failed to authenticate %s\\%s\n",
 112                         user_info->domain, user_info->smb_name ));
 113                 /* auth failed. */
 114                 return NT_STATUS_NO_SUCH_USER;
 115         }
 116
 117         /* Cause the auth system to keep going.... */
 118         return NT_STATUS_NOT_IMPLEMENTED;
 119 }
 120
 121 /* module initialisation */
 122 static NTSTATUS auth_init_script(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
 123 {
 124         if (!make_auth_methods(auth_context, auth_method)) {
 125                 return NT_STATUS_NO_MEMORY;
 126         }
 127
 128         (*auth_method)->name = "script";
 129         (*auth_method)->auth = script_check_user_credentials;
 130
 131         if (param && *param) {
 132                 /* we load the 'fallback' module - if script isn't here, call this
 133                    module */
 134                 auth_methods *priv;
 135                 if (!load_auth_module(auth_context, param, &priv)) {
 136                         return NT_STATUS_UNSUCCESSFUL;
 137                 }
 138                 (*auth_method)->private_data = (void *)priv;
 139         }
 140         return NT_STATUS_OK;
 141 }
 142
 143 NTSTATUS auth_script_init(void);
 144 NTSTATUS auth_script_init(void)
 145 {
 146         return smb_register_auth(AUTH_INTERFACE_VERSION, "script", auth_init_script);
 147 }