smbd: squash check_path_syntax() variants
[Samba.git] / source3 / auth / auth_sam.c
bloba2ce1013975014c8abbc518e18e86825b780c17d
1 /*
2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Andrew Tridgell 1992-2000
5 Copyright (C) Luke Kenneth Casson Leighton 1996-2000
6 Copyright (C) Andrew Bartlett 2001-2003
7 Copyright (C) Gerald Carter 2003
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "includes.h"
24 #include "auth.h"
25 #include "passdb.h"
27 #undef DBGC_CLASS
28 #define DBGC_CLASS DBGC_AUTH
30 static NTSTATUS auth_sam_ignoredomain_auth(const struct auth_context *auth_context,
31 void *my_private_data,
32 TALLOC_CTX *mem_ctx,
33 const struct auth_usersupplied_info *user_info,
34 struct auth_serversupplied_info **server_info)
36 if (!user_info || !auth_context) {
37 return NT_STATUS_UNSUCCESSFUL;
40 if (user_info->mapped.account_name == NULL ||
41 user_info->mapped.account_name[0] == '\0')
43 return NT_STATUS_NOT_IMPLEMENTED;
46 DBG_DEBUG("Check auth for: [%s]\\[%s]\n",
47 user_info->mapped.domain_name,
48 user_info->mapped.account_name);
50 return check_sam_security(&auth_context->challenge, mem_ctx,
51 user_info, server_info);
54 /* module initialisation */
55 static NTSTATUS auth_init_sam_ignoredomain(
56 struct auth_context *auth_context,
57 const char *param,
58 struct auth_methods **auth_method)
60 struct auth_methods *result;
62 result = talloc_zero(auth_context, struct auth_methods);
63 if (result == NULL) {
64 return NT_STATUS_NO_MEMORY;
66 result->auth = auth_sam_ignoredomain_auth;
67 result->name = "sam_ignoredomain";
69 *auth_method = result;
70 return NT_STATUS_OK;
74 /****************************************************************************
75 Check SAM security (above) but with a few extra checks.
76 ****************************************************************************/
78 static NTSTATUS auth_samstrict_auth(const struct auth_context *auth_context,
79 void *my_private_data,
80 TALLOC_CTX *mem_ctx,
81 const struct auth_usersupplied_info *user_info,
82 struct auth_serversupplied_info **server_info)
84 const char *effective_domain = NULL;
85 bool is_local_name, is_my_domain;
87 if (!user_info || !auth_context) {
88 return NT_STATUS_LOGON_FAILURE;
90 effective_domain = user_info->mapped.domain_name;
92 if (user_info->mapped.account_name == NULL ||
93 user_info->mapped.account_name[0] == '\0')
95 return NT_STATUS_NOT_IMPLEMENTED;
98 if (lp_server_role() == ROLE_DOMAIN_MEMBER) {
99 const char *p = NULL;
101 p = strchr_m(user_info->mapped.account_name, '@');
102 if (p != NULL) {
104 * This needs to go to the DC,
105 * even if @ is the last character
107 return NT_STATUS_NOT_IMPLEMENTED;
111 if (effective_domain == NULL) {
112 effective_domain = "";
115 DBG_DEBUG("Check auth for: [%s]\\[%s]\n",
116 effective_domain,
117 user_info->mapped.account_name);
120 if (strequal(effective_domain, "") || strequal(effective_domain, ".")) {
122 * An empty domain name or '.' should be handled
123 * as the local SAM name.
125 effective_domain = lp_netbios_name();
128 is_local_name = is_myname(effective_domain);
129 is_my_domain = strequal(effective_domain, lp_workgroup());
131 /* check whether or not we service this domain/workgroup name */
133 switch ( lp_server_role() ) {
134 case ROLE_STANDALONE:
135 case ROLE_DOMAIN_MEMBER:
136 if ( !is_local_name ) {
137 DEBUG(6,("check_samstrict_security: %s is not one of my local names (%s)\n",
138 effective_domain, (lp_server_role() == ROLE_DOMAIN_MEMBER
139 ? "ROLE_DOMAIN_MEMBER" : "ROLE_STANDALONE") ));
140 return NT_STATUS_NOT_IMPLEMENTED;
143 break;
144 case ROLE_DOMAIN_PDC:
145 case ROLE_DOMAIN_BDC:
146 case ROLE_IPA_DC:
147 if (!is_local_name && !is_my_domain) {
148 /* If we are running on a DC that has PASSDB module with domain
149 * information, check if DNS forest name is matching the domain
150 * name. This is the case of IPA domain controller when
151 * trusted AD DCs attempt to authenticate IPA users using
152 * the forest root domain (which is the only domain in IPA).
154 struct pdb_domain_info *dom_info = NULL;
156 dom_info = pdb_get_domain_info(mem_ctx);
157 if ((dom_info != NULL) && (dom_info->dns_forest != NULL)) {
158 is_my_domain = strequal(user_info->mapped.domain_name,
159 dom_info->dns_forest);
162 TALLOC_FREE(dom_info);
163 if (!is_my_domain) {
164 DEBUG(6,("check_samstrict_security: %s is not one "
165 "of my local names or domain name (DC)\n",
166 effective_domain));
167 return NT_STATUS_NOT_IMPLEMENTED;
171 break;
172 default: /* name is ok */
173 break;
176 return check_sam_security(&auth_context->challenge, mem_ctx,
177 user_info, server_info);
180 /* module initialisation */
181 static NTSTATUS auth_init_sam(
182 struct auth_context *auth_context,
183 const char *param,
184 struct auth_methods **auth_method)
186 struct auth_methods *result;
188 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC
189 && !lp_parm_bool(-1, "server role check", "inhibit", false)) {
190 DEBUG(0, ("server role = 'active directory domain controller' not compatible with running the auth_sam module. \n"));
191 DEBUGADD(0, ("You should not set 'auth methods' when running the AD DC.\n"));
192 exit(1);
195 result = talloc_zero(auth_context, struct auth_methods);
196 if (result == NULL) {
197 return NT_STATUS_NO_MEMORY;
199 result->auth = auth_samstrict_auth;
200 result->name = "sam";
201 *auth_method = result;
202 return NT_STATUS_OK;
205 static NTSTATUS auth_sam_netlogon3_auth(const struct auth_context *auth_context,
206 void *my_private_data,
207 TALLOC_CTX *mem_ctx,
208 const struct auth_usersupplied_info *user_info,
209 struct auth_serversupplied_info **server_info)
211 const char *effective_domain = NULL;
212 bool is_my_domain;
214 if (!user_info || !auth_context) {
215 return NT_STATUS_LOGON_FAILURE;
217 effective_domain = user_info->mapped.domain_name;
219 if (user_info->mapped.account_name == NULL ||
220 user_info->mapped.account_name[0] == '\0')
222 return NT_STATUS_NOT_IMPLEMENTED;
225 if (effective_domain == NULL) {
226 effective_domain = "";
229 DBG_DEBUG("Check auth for: [%s]\\[%s]\n",
230 effective_domain,
231 user_info->mapped.account_name);
233 /* check whether or not we service this domain/workgroup name */
235 switch (lp_server_role()) {
236 case ROLE_DOMAIN_PDC:
237 case ROLE_DOMAIN_BDC:
238 case ROLE_IPA_DC:
239 break;
240 default:
241 DBG_ERR("Invalid server role\n");
242 return NT_STATUS_INVALID_SERVER_STATE;
245 if (strequal(effective_domain, "") || strequal(effective_domain, ".")) {
247 * An empty domain name or '.' should be handled
248 * as the local SAM name.
250 effective_domain = lp_workgroup();
253 is_my_domain = strequal(user_info->mapped.domain_name, lp_workgroup());
254 if (!is_my_domain) {
255 /* If we are running on a DC that has PASSDB module with domain
256 * information, check if DNS forest name is matching the domain
257 * name. This is the case of IPA domain controller when
258 * trusted AD DCs attempt to authenticate IPA users using
259 * the forest root domain (which is the only domain in IPA).
261 struct pdb_domain_info *dom_info = NULL;
262 dom_info = pdb_get_domain_info(mem_ctx);
264 if ((dom_info != NULL) && (dom_info->dns_forest != NULL)) {
265 is_my_domain = strequal(user_info->mapped.domain_name,
266 dom_info->dns_forest);
269 TALLOC_FREE(dom_info);
272 if (!is_my_domain) {
273 DBG_INFO("%s is not our domain name (DC for %s)\n",
274 effective_domain, lp_workgroup());
275 return NT_STATUS_NOT_IMPLEMENTED;
278 return check_sam_security(&auth_context->challenge, mem_ctx,
279 user_info, server_info);
282 /* module initialisation */
283 static NTSTATUS auth_init_sam_netlogon3(
284 struct auth_context *auth_context,
285 const char *param,
286 struct auth_methods **auth_method)
288 struct auth_methods *result;
290 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC
291 && !lp_parm_bool(-1, "server role check", "inhibit", false)) {
292 DEBUG(0, ("server role = 'active directory domain controller' "
293 "not compatible with running the auth_sam module.\n"));
294 DEBUGADD(0, ("You should not set 'auth methods' when "
295 "running the AD DC.\n"));
296 exit(1);
299 result = talloc_zero(auth_context, struct auth_methods);
300 if (result == NULL) {
301 return NT_STATUS_NO_MEMORY;
303 result->auth = auth_sam_netlogon3_auth;
304 result->name = "sam_netlogon3";
305 *auth_method = result;
306 return NT_STATUS_OK;
309 NTSTATUS auth_sam_init(TALLOC_CTX *mem_ctx)
311 smb_register_auth(AUTH_INTERFACE_VERSION, "sam", auth_init_sam);
312 smb_register_auth(AUTH_INTERFACE_VERSION, "sam_ignoredomain", auth_init_sam_ignoredomain);
313 smb_register_auth(AUTH_INTERFACE_VERSION, "sam_netlogon3", auth_init_sam_netlogon3);
314 return NT_STATUS_OK;