2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2004
5 Copyright (C) Gerald Carter 2003
6 Copyright (C) Stefan Metzmacher 2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 #include "librpc/gen_ndr/ndr_samr.h"
25 #include "system/time.h"
26 #include "auth/auth.h"
27 #include "lib/ldb/include/ldb.h"
30 /****************************************************************************
31 Do a specific test for an smb password being correct, given a smb_password and
32 the lanman and NT responses.
33 ****************************************************************************/
34 static NTSTATUS
authsam_password_ok(const struct auth_context
*auth_context
,
37 const struct samr_Password
*lm_pwd
,
38 const struct samr_Password
*nt_pwd
,
39 const struct auth_usersupplied_info
*user_info
,
40 DATA_BLOB
*user_sess_key
,
41 DATA_BLOB
*lm_sess_key
)
45 if (acct_flags
& ACB_PWNOTREQ
) {
46 if (lp_null_passwords()) {
47 DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n",
48 user_info
->account_name
));
51 DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n",
52 user_info
->account_name
));
53 return NT_STATUS_LOGON_FAILURE
;
57 status
= ntlm_password_check(mem_ctx
, &auth_context
->challenge
.data
,
58 &user_info
->lm_resp
, &user_info
->nt_resp
,
59 &user_info
->lm_interactive_password
,
60 &user_info
->nt_interactive_password
,
61 user_info
->account_name
,
62 user_info
->client
.account_name
,
63 user_info
->client
.domain_name
,
64 lm_pwd
->hash
, nt_pwd
->hash
,
65 user_sess_key
, lm_sess_key
);
66 NT_STATUS_NOT_OK_RETURN(status
);
68 if (user_sess_key
&& user_sess_key
->data
) {
69 talloc_steal(auth_context
, user_sess_key
->data
);
71 if (lm_sess_key
&& lm_sess_key
->data
) {
72 talloc_steal(auth_context
, lm_sess_key
->data
);
79 /****************************************************************************
80 Do a specific test for a SAM_ACCOUNT being vaild for this connection
81 (ie not disabled, expired and the like).
82 ****************************************************************************/
83 static NTSTATUS
authsam_account_ok(TALLOC_CTX
*mem_ctx
,
86 NTTIME must_change_time
,
88 const char *workstation_list
,
89 const struct auth_usersupplied_info
*user_info
)
91 DEBUG(4,("authsam_account_ok: Checking SMB password for user %s\n", user_info
->account_name
));
93 /* Quit if the account was disabled. */
94 if (acct_flags
& ACB_DISABLED
) {
95 DEBUG(1,("authsam_account_ok: Account for user '%s' was disabled.\n", user_info
->account_name
));
96 return NT_STATUS_ACCOUNT_DISABLED
;
99 /* Quit if the account was locked out. */
100 if (acct_flags
& ACB_AUTOLOCK
) {
101 DEBUG(1,("authsam_account_ok: Account for user %s was locked out.\n", user_info
->account_name
));
102 return NT_STATUS_ACCOUNT_LOCKED_OUT
;
105 /* Test account expire time */
106 if ((acct_expiry
) != -1 && time(NULL
) > nt_time_to_unix(acct_expiry
)) {
107 DEBUG(1,("authsam_account_ok: Account for user '%s' has expired.\n", user_info
->account_name
));
108 DEBUG(3,("authsam_account_ok: Account expired at '%s'.\n",
109 nt_time_string(mem_ctx
, acct_expiry
)));
110 return NT_STATUS_ACCOUNT_EXPIRED
;
113 if (!(acct_flags
& ACB_PWNOEXP
)) {
114 /* check for immediate expiry "must change at next logon" */
115 if (must_change_time
== 0 && last_set_time
!= 0) {
116 DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n",
117 user_info
->account_name
));
118 return NT_STATUS_PASSWORD_MUST_CHANGE
;
121 /* check for expired password */
122 if ((must_change_time
) != 0 && nt_time_to_unix(must_change_time
) < time(NULL
)) {
123 DEBUG(1,("sam_account_ok: Account for user '%s' password expired!.\n",
124 user_info
->account_name
));
125 DEBUG(1,("sam_account_ok: Password expired at '%s' unix time.\n",
126 nt_time_string(mem_ctx
, must_change_time
)));
127 return NT_STATUS_PASSWORD_EXPIRED
;
131 /* Test workstation. Workstation list is comma separated. */
132 if (workstation_list
&& *workstation_list
) {
133 BOOL invalid_ws
= True
;
134 const char *s
= workstation_list
;
138 while (next_token(&s
, tok
, ",", sizeof(tok
))) {
139 DEBUG(10,("sam_account_ok: checking for workstation match '%s' and '%s'\n",
140 tok
, user_info
->workstation_name
));
142 if (strequal(tok
, user_info
->workstation_name
)) {
150 return NT_STATUS_INVALID_WORKSTATION
;
154 if (acct_flags
& ACB_DOMTRUST
) {
155 DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", user_info
->account_name
));
156 return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
;
159 if (acct_flags
& ACB_SVRTRUST
) {
160 DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", user_info
->account_name
));
161 return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT
;
164 if (acct_flags
& ACB_WSTRUST
) {
165 DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", user_info
->account_name
));
166 return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
;
172 /****************************************************************************
173 Look for the specified user in the sam, return ldb result structures
174 ****************************************************************************/
176 static NTSTATUS
authsam_search_account(TALLOC_CTX
*mem_ctx
, void *sam_ctx
,
177 const char *account_name
,
178 const char *domain_name
,
179 struct ldb_message
***ret_msgs
,
180 struct ldb_message
***ret_msgs_domain
)
182 struct ldb_message
**msgs
;
183 struct ldb_message
**msgs_domain
;
188 const char *domain_dn
= NULL
;
190 const char *attrs
[] = {"unicodePwd", "lmPwdHash", "ntPwdHash",
191 "userAccountControl",
197 /* required for server_info, not access control: */
213 const char *domain_attrs
[] = {"name", "objectSid"};
216 /* find the domain's DN */
217 ret_domain
= gendb_search(sam_ctx
, mem_ctx
, NULL
, &msgs_domain
, domain_attrs
,
218 "(&(|(realm=%s)(name=%s))(objectclass=domain))",
219 domain_name
, domain_name
);
220 if (ret_domain
== -1) {
221 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
224 if (ret_domain
== 0) {
225 DEBUG(3,("sam_search_user: Couldn't find domain [%s] in samdb.\n",
227 return NT_STATUS_NO_SUCH_USER
;
230 if (ret_domain
> 1) {
231 DEBUG(0,("Found %d records matching domain [%s]\n",
232 ret_domain
, domain_name
));
233 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
236 domain_dn
= msgs_domain
[0]->dn
;
239 /* pull the user attributes */
240 ret
= gendb_search(sam_ctx
, mem_ctx
, domain_dn
, &msgs
, attrs
,
241 "(&(sAMAccountName=%s)(objectclass=user))",
244 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
248 DEBUG(3,("sam_search_user: Couldn't find user [%s] in samdb.\n",
250 return NT_STATUS_NO_SUCH_USER
;
254 DEBUG(0,("Found %d records matching user [%s]\n", ret
, account_name
));
255 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
259 const char *domain_sid
;
261 domain_sid
= samdb_result_sid_prefix(mem_ctx
, msgs
[0], "objectSid");
263 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
266 /* find the domain's DN */
267 ret_domain
= gendb_search(sam_ctx
, mem_ctx
, NULL
, &msgs_domain
, domain_attrs
,
268 "(&(objectSid=%s)(objectclass=domain))",
270 if (ret_domain
== -1) {
271 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
274 if (ret_domain
== 0) {
275 DEBUG(3,("check_sam_security: Couldn't find domain [%s] in passdb file.\n",
277 return NT_STATUS_NO_SUCH_USER
;
280 if (ret_domain
> 1) {
281 DEBUG(0,("Found %d records matching domain [%s]\n",
282 ret_domain
, domain_sid
));
283 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
288 *ret_msgs_domain
= msgs_domain
;
293 static NTSTATUS
authsam_authenticate(const struct auth_context
*auth_context
,
294 TALLOC_CTX
*mem_ctx
, void *sam_ctx
,
295 struct ldb_message
**msgs
,
296 struct ldb_message
**msgs_domain
,
297 const struct auth_usersupplied_info
*user_info
,
298 DATA_BLOB
*user_sess_key
, DATA_BLOB
*lm_sess_key
)
301 const char *workstation_list
;
303 NTTIME must_change_time
;
304 NTTIME last_set_time
;
305 struct samr_Password
*lm_pwd
, *nt_pwd
;
307 const char *domain_dn
= msgs_domain
[0]->dn
;
309 acct_flags
= samdb_result_acct_flags(msgs
[0], "sAMAcctFlags");
311 /* Quit if the account was locked out. */
312 if (acct_flags
& ACB_AUTOLOCK
) {
313 DEBUG(3,("check_sam_security: Account for user %s was locked out.\n",
314 user_info
->account_name
));
315 return NT_STATUS_ACCOUNT_LOCKED_OUT
;
318 nt_status
= samdb_result_passwords(mem_ctx
, msgs
[0], &lm_pwd
, &nt_pwd
);
319 NT_STATUS_NOT_OK_RETURN(nt_status
);
321 nt_status
= authsam_password_ok(auth_context
, mem_ctx
,
322 acct_flags
, lm_pwd
, nt_pwd
,
323 user_info
, user_sess_key
, lm_sess_key
);
324 NT_STATUS_NOT_OK_RETURN(nt_status
);
326 acct_expiry
= samdb_result_nttime(msgs
[0], "accountExpires", 0);
327 must_change_time
= samdb_result_force_password_change(sam_ctx
, mem_ctx
,
330 last_set_time
= samdb_result_nttime(msgs
[0], "pwdLastSet", 0);
332 workstation_list
= samdb_result_string(msgs
[0], "userWorkstations", NULL
);
334 nt_status
= authsam_account_ok(mem_ctx
, acct_flags
,
344 static NTSTATUS
authsam_make_server_info(TALLOC_CTX
*mem_ctx
, void *sam_ctx
,
345 struct ldb_message
**msgs
,
346 struct ldb_message
**msgs_domain
,
347 DATA_BLOB user_sess_key
, DATA_BLOB lm_sess_key
,
348 struct auth_serversupplied_info
**_server_info
)
350 struct auth_serversupplied_info
*server_info
;
351 struct ldb_message
**group_msgs
;
353 const char *group_attrs
[3] = { "sAMAccountType", "objectSid", NULL
};
354 /* find list of sids */
355 struct dom_sid
**groupSIDs
= NULL
;
356 struct dom_sid
*account_sid
;
357 struct dom_sid
*primary_group_sid
;
361 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
363 group_ret
= gendb_search(sam_ctx
,
364 tmp_ctx
, NULL
, &group_msgs
, group_attrs
,
365 "(&(member=%s)(sAMAccountType=*))",
367 if (group_ret
== -1) {
368 talloc_free(tmp_ctx
);
369 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
372 server_info
= talloc(mem_ctx
, struct auth_serversupplied_info
);
373 NT_STATUS_HAVE_NO_MEMORY(server_info
);
376 groupSIDs
= talloc_array(server_info
, struct dom_sid
*, group_ret
);
377 NT_STATUS_HAVE_NO_MEMORY(groupSIDs
);
380 /* Need to unroll some nested groups, but not aliases */
381 for (i
= 0; i
< group_ret
; i
++) {
382 str
= ldb_msg_find_string(group_msgs
[i
], "objectSid", NULL
);
383 groupSIDs
[i
] = dom_sid_parse_talloc(groupSIDs
, str
);
384 NT_STATUS_HAVE_NO_MEMORY(groupSIDs
[i
]);
387 talloc_free(tmp_ctx
);
389 str
= ldb_msg_find_string(msgs
[0], "objectSid", NULL
);
390 account_sid
= dom_sid_parse_talloc(server_info
, str
);
391 NT_STATUS_HAVE_NO_MEMORY(account_sid
);
393 primary_group_sid
= dom_sid_dup(server_info
, account_sid
);
394 NT_STATUS_HAVE_NO_MEMORY(primary_group_sid
);
396 rid
= samdb_result_uint(msgs
[0], "primaryGroupID", ~0);
399 primary_group_sid
= groupSIDs
[0];
401 primary_group_sid
= NULL
;
404 primary_group_sid
->sub_auths
[primary_group_sid
->num_auths
-1] = rid
;
407 server_info
->account_sid
= account_sid
;
408 server_info
->primary_group_sid
= primary_group_sid
;
410 server_info
->n_domain_groups
= group_ret
;
411 server_info
->domain_groups
= groupSIDs
;
413 str
= samdb_result_string(msgs
[0], "sAMAccountName", "");
414 server_info
->account_name
= talloc_strdup(server_info
, str
);
415 NT_STATUS_HAVE_NO_MEMORY(server_info
->account_name
);
417 str
= samdb_result_string(msgs_domain
[0], "name", "");
418 server_info
->domain_name
= talloc_strdup(server_info
, str
);
419 NT_STATUS_HAVE_NO_MEMORY(server_info
->domain_name
);
421 str
= samdb_result_string(msgs
[0], "displayName", "");
422 server_info
->full_name
= talloc_strdup(server_info
, str
);
423 NT_STATUS_HAVE_NO_MEMORY(server_info
->full_name
);
425 str
= samdb_result_string(msgs
[0], "scriptPath", "");
426 server_info
->logon_script
= talloc_strdup(server_info
, str
);
427 NT_STATUS_HAVE_NO_MEMORY(server_info
->logon_script
);
429 str
= samdb_result_string(msgs
[0], "profilePath", "");
430 server_info
->profile_path
= talloc_strdup(server_info
, str
);
431 NT_STATUS_HAVE_NO_MEMORY(server_info
->profile_path
);
433 str
= samdb_result_string(msgs
[0], "homeDirectory", "");
434 server_info
->home_directory
= talloc_strdup(server_info
, str
);
435 NT_STATUS_HAVE_NO_MEMORY(server_info
->home_directory
);
437 str
= samdb_result_string(msgs
[0], "homeDrive", "");
438 server_info
->home_drive
= talloc_strdup(server_info
, str
);
439 NT_STATUS_HAVE_NO_MEMORY(server_info
->home_drive
);
441 server_info
->last_logon
= samdb_result_nttime(msgs
[0], "lastLogon", 0);
442 server_info
->last_logoff
= samdb_result_nttime(msgs
[0], "lastLogoff", 0);
443 server_info
->acct_expiry
= samdb_result_nttime(msgs
[0], "accountExpires", 0);
444 server_info
->last_password_change
= samdb_result_nttime(msgs
[0], "pwdLastSet", 0);
446 server_info
->allow_password_change
= samdb_result_allow_password_change(sam_ctx
, mem_ctx
,
447 msgs_domain
[0]->dn
, msgs
[0], "pwdLastSet");
448 server_info
->force_password_change
= samdb_result_force_password_change(sam_ctx
, mem_ctx
,
449 msgs_domain
[0]->dn
, msgs
[0], "pwdLastSet");
451 server_info
->logon_count
= samdb_result_uint(msgs
[0], "logonCount", 0);
452 server_info
->bad_password_count
= samdb_result_uint(msgs
[0], "badPwdCount", 0);
454 server_info
->acct_flags
= samdb_result_acct_flags(msgs
[0], "userAccountControl");
456 server_info
->user_session_key
= user_sess_key
;
457 server_info
->lm_session_key
= lm_sess_key
;
459 server_info
->authenticated
= True
;
461 *_server_info
= server_info
;
466 NTSTATUS
sam_get_server_info(TALLOC_CTX
*mem_ctx
, const char *account_name
, const char *domain_name
,
467 DATA_BLOB user_sess_key
, DATA_BLOB lm_sess_key
,
468 struct auth_serversupplied_info
**server_info
)
472 struct ldb_message
**msgs
;
473 struct ldb_message
**domain_msgs
;
476 sam_ctx
= samdb_connect(mem_ctx
);
477 if (sam_ctx
== NULL
) {
478 return NT_STATUS_INVALID_SYSTEM_SERVICE
;
481 nt_status
= authsam_search_account(mem_ctx
, sam_ctx
, account_name
, domain_name
, &msgs
, &domain_msgs
);
482 NT_STATUS_NOT_OK_RETURN(nt_status
);
484 nt_status
= authsam_make_server_info(mem_ctx
, sam_ctx
, msgs
, domain_msgs
,
485 user_sess_key
, lm_sess_key
,
487 NT_STATUS_NOT_OK_RETURN(nt_status
);
490 talloc_free(domain_msgs
);
495 static NTSTATUS
authsam_check_password_internals(struct auth_method_context
*ctx
,
498 const struct auth_usersupplied_info
*user_info
,
499 struct auth_serversupplied_info
**server_info
)
502 const char *account_name
= user_info
->account_name
;
503 struct ldb_message
**msgs
;
504 struct ldb_message
**domain_msgs
;
506 DATA_BLOB user_sess_key
, lm_sess_key
;
508 if (!account_name
|| !*account_name
) {
510 return NT_STATUS_NOT_IMPLEMENTED
;
513 sam_ctx
= samdb_connect(mem_ctx
);
514 if (sam_ctx
== NULL
) {
515 return NT_STATUS_INVALID_SYSTEM_SERVICE
;
518 nt_status
= authsam_search_account(mem_ctx
, sam_ctx
, account_name
, domain
, &msgs
, &domain_msgs
);
519 NT_STATUS_NOT_OK_RETURN(nt_status
);
521 nt_status
= authsam_authenticate(ctx
->auth_ctx
, mem_ctx
, sam_ctx
, msgs
, domain_msgs
, user_info
,
522 &user_sess_key
, &lm_sess_key
);
523 NT_STATUS_NOT_OK_RETURN(nt_status
);
525 nt_status
= authsam_make_server_info(mem_ctx
, sam_ctx
, msgs
, domain_msgs
,
526 user_sess_key
, lm_sess_key
,
528 NT_STATUS_NOT_OK_RETURN(nt_status
);
531 talloc_free(domain_msgs
);
536 static NTSTATUS
authsam_ignoredomain_check_password(struct auth_method_context
*ctx
,
538 const struct auth_usersupplied_info
*user_info
,
539 struct auth_serversupplied_info
**server_info
)
541 return authsam_check_password_internals(ctx
, mem_ctx
, NULL
, user_info
, server_info
);
544 /****************************************************************************
545 Check SAM security (above) but with a few extra checks.
546 ****************************************************************************/
547 static NTSTATUS
authsam_check_password(struct auth_method_context
*ctx
,
549 const struct auth_usersupplied_info
*user_info
,
550 struct auth_serversupplied_info
**server_info
)
553 BOOL is_local_name
, is_my_domain
;
555 is_local_name
= is_myname(user_info
->domain_name
);
556 is_my_domain
= strequal(user_info
->domain_name
, lp_workgroup());
558 /* check whether or not we service this domain/workgroup name */
559 switch (lp_server_role()) {
560 case ROLE_STANDALONE
:
561 domain
= lp_netbios_name();
563 case ROLE_DOMAIN_MEMBER
:
564 if (!is_local_name
) {
565 DEBUG(6,("authsam_check_password: %s is not one of my local names (%s)\n",
566 user_info
->domain_name
, (lp_server_role() == ROLE_DOMAIN_MEMBER
567 ? "ROLE_DOMAIN_MEMBER" : "ROLE_STANDALONE") ));
568 return NT_STATUS_NOT_IMPLEMENTED
;
570 domain
= lp_netbios_name();
572 case ROLE_DOMAIN_PDC
:
573 case ROLE_DOMAIN_BDC
:
574 if (!is_local_name
&& !is_my_domain
) {
575 DEBUG(6,("authsam_check_password: %s is not one of my local names or domain name (DC)\n",
576 user_info
->domain_name
));
577 return NT_STATUS_NOT_IMPLEMENTED
;
579 domain
= lp_workgroup();
582 DEBUG(6,("authsam_check_password: lp_server_role() has an undefined value\n"));
583 return NT_STATUS_NOT_IMPLEMENTED
;
586 return authsam_check_password_internals(ctx
, mem_ctx
, domain
, user_info
, server_info
);
589 static const struct auth_operations sam_ignoredomain_ops
= {
590 .name
= "sam_ignoredomain",
591 .get_challenge
= auth_get_challenge_not_implemented
,
592 .check_password
= authsam_ignoredomain_check_password
595 static const struct auth_operations sam_ops
= {
597 .get_challenge
= auth_get_challenge_not_implemented
,
598 .check_password
= authsam_check_password
601 NTSTATUS
auth_sam_init(void)
605 ret
= auth_register(&sam_ops
);
606 if (!NT_STATUS_IS_OK(ret
)) {
607 DEBUG(0,("Failed to register 'sam' auth backend!\n"));
611 ret
= auth_register(&sam_ignoredomain_ops
);
612 if (!NT_STATUS_IS_OK(ret
)) {
613 DEBUG(0,("Failed to register 'sam_ignoredomain' auth backend!\n"));