librpc/idl: add winbind_GetForestTrustInformation()
[Samba.git] / source3 / winbindd / winbindd_pam.c
blob329db6276b5f454b20d57564f59042e417b86efe
1 /*
2 Unix SMB/CIFS implementation.
4 Winbind daemon - pam auth funcions
6 Copyright (C) Andrew Tridgell 2000
7 Copyright (C) Tim Potter 2001
8 Copyright (C) Andrew Bartlett 2001-2002
9 Copyright (C) Guenther Deschner 2005
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "includes.h"
26 #include "winbindd.h"
27 #include "../libcli/auth/libcli_auth.h"
28 #include "../librpc/gen_ndr/ndr_samr_c.h"
29 #include "rpc_client/cli_pipe.h"
30 #include "rpc_client/cli_samr.h"
31 #include "../librpc/gen_ndr/ndr_netlogon.h"
32 #include "rpc_client/cli_netlogon.h"
33 #include "smb_krb5.h"
34 #include "../lib/crypto/arcfour.h"
35 #include "../libcli/security/security.h"
36 #include "ads.h"
37 #include "../librpc/gen_ndr/krb5pac.h"
38 #include "passdb/machine_sid.h"
39 #include "auth.h"
40 #include "../lib/tsocket/tsocket.h"
41 #include "auth/kerberos/pac_utils.h"
42 #include "auth/gensec/gensec.h"
43 #include "librpc/crypto/gse_krb5.h"
44 #include "lib/afs/afs_funcs.h"
46 #undef DBGC_CLASS
47 #define DBGC_CLASS DBGC_WINBIND
49 #define LOGON_KRB5_FAIL_CLOCK_SKEW 0x02000000
51 static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx,
52 struct winbindd_response *resp,
53 struct netr_SamInfo3 *info3)
55 char *ex;
56 uint32_t i;
58 resp->data.auth.info3.logon_time =
59 nt_time_to_unix(info3->base.logon_time);
60 resp->data.auth.info3.logoff_time =
61 nt_time_to_unix(info3->base.logoff_time);
62 resp->data.auth.info3.kickoff_time =
63 nt_time_to_unix(info3->base.kickoff_time);
64 resp->data.auth.info3.pass_last_set_time =
65 nt_time_to_unix(info3->base.last_password_change);
66 resp->data.auth.info3.pass_can_change_time =
67 nt_time_to_unix(info3->base.allow_password_change);
68 resp->data.auth.info3.pass_must_change_time =
69 nt_time_to_unix(info3->base.force_password_change);
71 resp->data.auth.info3.logon_count = info3->base.logon_count;
72 resp->data.auth.info3.bad_pw_count = info3->base.bad_password_count;
74 resp->data.auth.info3.user_rid = info3->base.rid;
75 resp->data.auth.info3.group_rid = info3->base.primary_gid;
76 sid_to_fstring(resp->data.auth.info3.dom_sid, info3->base.domain_sid);
78 resp->data.auth.info3.num_groups = info3->base.groups.count;
79 resp->data.auth.info3.user_flgs = info3->base.user_flags;
81 resp->data.auth.info3.acct_flags = info3->base.acct_flags;
82 resp->data.auth.info3.num_other_sids = info3->sidcount;
84 fstrcpy(resp->data.auth.info3.user_name,
85 info3->base.account_name.string);
86 fstrcpy(resp->data.auth.info3.full_name,
87 info3->base.full_name.string);
88 fstrcpy(resp->data.auth.info3.logon_script,
89 info3->base.logon_script.string);
90 fstrcpy(resp->data.auth.info3.profile_path,
91 info3->base.profile_path.string);
92 fstrcpy(resp->data.auth.info3.home_dir,
93 info3->base.home_directory.string);
94 fstrcpy(resp->data.auth.info3.dir_drive,
95 info3->base.home_drive.string);
97 fstrcpy(resp->data.auth.info3.logon_srv,
98 info3->base.logon_server.string);
99 fstrcpy(resp->data.auth.info3.logon_dom,
100 info3->base.logon_domain.string);
102 ex = talloc_strdup(mem_ctx, "");
103 NT_STATUS_HAVE_NO_MEMORY(ex);
105 for (i=0; i < info3->base.groups.count; i++) {
106 ex = talloc_asprintf_append_buffer(ex, "0x%08X:0x%08X\n",
107 info3->base.groups.rids[i].rid,
108 info3->base.groups.rids[i].attributes);
109 NT_STATUS_HAVE_NO_MEMORY(ex);
112 for (i=0; i < info3->sidcount; i++) {
113 char *sid;
115 sid = dom_sid_string(mem_ctx, info3->sids[i].sid);
116 NT_STATUS_HAVE_NO_MEMORY(sid);
118 ex = talloc_asprintf_append_buffer(ex, "%s:0x%08X\n",
119 sid,
120 info3->sids[i].attributes);
121 NT_STATUS_HAVE_NO_MEMORY(ex);
123 talloc_free(sid);
126 resp->extra_data.data = ex;
127 resp->length += talloc_get_size(ex);
129 return NT_STATUS_OK;
132 static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx,
133 struct winbindd_response *resp,
134 struct netr_SamInfo3 *info3)
136 DATA_BLOB blob;
137 enum ndr_err_code ndr_err;
139 ndr_err = ndr_push_struct_blob(&blob, mem_ctx, info3,
140 (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3);
141 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
142 DEBUG(0,("append_info3_as_ndr: failed to append\n"));
143 return ndr_map_error2ntstatus(ndr_err);
146 resp->extra_data.data = blob.data;
147 resp->length += blob.length;
149 return NT_STATUS_OK;
152 static NTSTATUS append_unix_username(TALLOC_CTX *mem_ctx,
153 struct winbindd_response *resp,
154 const struct netr_SamInfo3 *info3,
155 const char *name_domain,
156 const char *name_user)
158 /* We've been asked to return the unix username, per
159 'winbind use default domain' settings and the like */
161 const char *nt_username, *nt_domain;
163 nt_domain = talloc_strdup(mem_ctx, info3->base.logon_domain.string);
164 if (!nt_domain) {
165 /* If the server didn't give us one, just use the one
166 * we sent them */
167 nt_domain = name_domain;
170 nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
171 if (!nt_username) {
172 /* If the server didn't give us one, just use the one
173 * we sent them */
174 nt_username = name_user;
177 fill_domain_username(resp->data.auth.unix_username,
178 nt_domain, nt_username, true);
180 DEBUG(5, ("Setting unix username to [%s]\n",
181 resp->data.auth.unix_username));
183 return NT_STATUS_OK;
186 static NTSTATUS append_afs_token(TALLOC_CTX *mem_ctx,
187 struct winbindd_response *resp,
188 const struct netr_SamInfo3 *info3,
189 const char *name_domain,
190 const char *name_user)
192 char *afsname = NULL;
193 char *cell;
194 char *token;
196 afsname = talloc_strdup(mem_ctx, lp_afs_username_map());
197 if (afsname == NULL) {
198 return NT_STATUS_NO_MEMORY;
201 afsname = talloc_string_sub(mem_ctx,
202 lp_afs_username_map(),
203 "%D", name_domain);
204 afsname = talloc_string_sub(mem_ctx, afsname,
205 "%u", name_user);
206 afsname = talloc_string_sub(mem_ctx, afsname,
207 "%U", name_user);
210 struct dom_sid user_sid;
211 fstring sidstr;
213 sid_compose(&user_sid, info3->base.domain_sid,
214 info3->base.rid);
215 sid_to_fstring(sidstr, &user_sid);
216 afsname = talloc_string_sub(mem_ctx, afsname,
217 "%s", sidstr);
220 if (afsname == NULL) {
221 return NT_STATUS_NO_MEMORY;
224 if (!strlower_m(afsname)) {
225 return NT_STATUS_INVALID_PARAMETER;
228 DEBUG(10, ("Generating token for user %s\n", afsname));
230 cell = strchr(afsname, '@');
232 if (cell == NULL) {
233 return NT_STATUS_NO_MEMORY;
236 *cell = '\0';
237 cell += 1;
239 token = afs_createtoken_str(afsname, cell);
240 if (token == NULL) {
241 return NT_STATUS_OK;
243 resp->extra_data.data = talloc_strdup(mem_ctx, token);
244 if (resp->extra_data.data == NULL) {
245 return NT_STATUS_NO_MEMORY;
247 resp->length += strlen((const char *)resp->extra_data.data)+1;
249 return NT_STATUS_OK;
252 static NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
253 const char *group_sid)
255 * Check whether a user belongs to a group or list of groups.
257 * @param mem_ctx talloc memory context.
258 * @param info3 user information, including group membership info.
259 * @param group_sid One or more groups , separated by commas.
261 * @return NT_STATUS_OK on success,
262 * NT_STATUS_LOGON_FAILURE if the user does not belong,
263 * or other NT_STATUS_IS_ERR(status) for other kinds of failure.
266 struct dom_sid *require_membership_of_sid;
267 uint32_t num_require_membership_of_sid;
268 char *req_sid;
269 const char *p;
270 struct dom_sid sid;
271 size_t i;
272 struct security_token *token;
273 TALLOC_CTX *frame = talloc_stackframe();
274 NTSTATUS status;
276 /* Parse the 'required group' SID */
278 if (!group_sid || !group_sid[0]) {
279 /* NO sid supplied, all users may access */
280 TALLOC_FREE(frame);
281 return NT_STATUS_OK;
284 token = talloc_zero(talloc_tos(), struct security_token);
285 if (token == NULL) {
286 DEBUG(0, ("talloc failed\n"));
287 TALLOC_FREE(frame);
288 return NT_STATUS_NO_MEMORY;
291 num_require_membership_of_sid = 0;
292 require_membership_of_sid = NULL;
294 p = group_sid;
296 while (next_token_talloc(talloc_tos(), &p, &req_sid, ",")) {
297 if (!string_to_sid(&sid, req_sid)) {
298 DEBUG(0, ("check_info3_in_group: could not parse %s "
299 "as a SID!", req_sid));
300 TALLOC_FREE(frame);
301 return NT_STATUS_INVALID_PARAMETER;
304 status = add_sid_to_array(talloc_tos(), &sid,
305 &require_membership_of_sid,
306 &num_require_membership_of_sid);
307 if (!NT_STATUS_IS_OK(status)) {
308 DEBUG(0, ("add_sid_to_array failed\n"));
309 TALLOC_FREE(frame);
310 return status;
314 status = sid_array_from_info3(talloc_tos(), info3,
315 &token->sids,
316 &token->num_sids,
317 true);
318 if (!NT_STATUS_IS_OK(status)) {
319 TALLOC_FREE(frame);
320 return status;
323 if (!NT_STATUS_IS_OK(status = add_aliases(get_global_sam_sid(),
324 token))
325 || !NT_STATUS_IS_OK(status = add_aliases(&global_sid_Builtin,
326 token))) {
327 DEBUG(3, ("could not add aliases: %s\n",
328 nt_errstr(status)));
329 TALLOC_FREE(frame);
330 return status;
333 security_token_debug(DBGC_CLASS, 10, token);
335 for (i=0; i<num_require_membership_of_sid; i++) {
336 DEBUG(10, ("Checking SID %s\n", sid_string_dbg(
337 &require_membership_of_sid[i])));
338 if (nt_token_check_sid(&require_membership_of_sid[i],
339 token)) {
340 DEBUG(10, ("Access ok\n"));
341 TALLOC_FREE(frame);
342 return NT_STATUS_OK;
346 /* Do not distinguish this error from a wrong username/pw */
348 TALLOC_FREE(frame);
349 return NT_STATUS_LOGON_FAILURE;
352 struct winbindd_domain *find_auth_domain(uint8_t flags,
353 const char *domain_name)
355 struct winbindd_domain *domain;
357 if (IS_DC) {
358 domain = find_domain_from_name_noinit(domain_name);
359 if (domain == NULL) {
360 DEBUG(3, ("Authentication for domain [%s] refused "
361 "as it is not a trusted domain\n",
362 domain_name));
364 return domain;
367 if (strequal(domain_name, get_global_sam_name())) {
368 return find_domain_from_name_noinit(domain_name);
371 /* we can auth against trusted domains */
372 if (flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
373 domain = find_domain_from_name_noinit(domain_name);
374 if (domain == NULL) {
375 DEBUG(3, ("Authentication for domain [%s] skipped "
376 "as it is not a trusted domain\n",
377 domain_name));
378 } else {
379 return domain;
383 return find_our_domain();
386 static void fill_in_password_policy(struct winbindd_response *r,
387 const struct samr_DomInfo1 *p)
389 r->data.auth.policy.min_length_password =
390 p->min_password_length;
391 r->data.auth.policy.password_history =
392 p->password_history_length;
393 r->data.auth.policy.password_properties =
394 p->password_properties;
395 r->data.auth.policy.expire =
396 nt_time_to_unix_abs((const NTTIME *)&(p->max_password_age));
397 r->data.auth.policy.min_passwordage =
398 nt_time_to_unix_abs((const NTTIME *)&(p->min_password_age));
401 static NTSTATUS fillup_password_policy(struct winbindd_domain *domain,
402 struct winbindd_response *response)
404 TALLOC_CTX *frame = talloc_stackframe();
405 struct winbindd_methods *methods;
406 NTSTATUS status;
407 struct samr_DomInfo1 password_policy;
409 if ( !winbindd_can_contact_domain( domain ) ) {
410 DEBUG(5,("fillup_password_policy: No inbound trust to "
411 "contact domain %s\n", domain->name));
412 status = NT_STATUS_NOT_SUPPORTED;
413 goto done;
416 methods = domain->methods;
418 status = methods->password_policy(domain, talloc_tos(), &password_policy);
419 if (NT_STATUS_IS_ERR(status)) {
420 goto done;
423 fill_in_password_policy(response, &password_policy);
425 done:
426 TALLOC_FREE(frame);
427 return NT_STATUS_OK;
430 static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain *domain,
431 TALLOC_CTX *mem_ctx,
432 uint16_t *lockout_threshold)
434 struct winbindd_methods *methods;
435 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
436 struct samr_DomInfo12 lockout_policy;
438 *lockout_threshold = 0;
440 methods = domain->methods;
442 status = methods->lockout_policy(domain, mem_ctx, &lockout_policy);
443 if (NT_STATUS_IS_ERR(status)) {
444 return status;
447 *lockout_threshold = lockout_policy.lockout_threshold;
449 return NT_STATUS_OK;
452 static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
453 TALLOC_CTX *mem_ctx,
454 uint32_t *password_properties)
456 struct winbindd_methods *methods;
457 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
458 struct samr_DomInfo1 password_policy;
460 *password_properties = 0;
462 methods = domain->methods;
464 status = methods->password_policy(domain, mem_ctx, &password_policy);
465 if (NT_STATUS_IS_ERR(status)) {
466 return status;
469 *password_properties = password_policy.password_properties;
471 return NT_STATUS_OK;
474 #ifdef HAVE_KRB5
476 static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
477 const char *type,
478 uid_t uid,
479 const char **user_ccache_file)
481 /* accept FILE and WRFILE as krb5_cc_type from the client and then
482 * build the full ccname string based on the user's uid here -
483 * Guenther*/
485 const char *gen_cc = NULL;
487 if (uid != -1) {
488 if (strequal(type, "FILE")) {
489 gen_cc = talloc_asprintf(
490 mem_ctx, "FILE:/tmp/krb5cc_%d", uid);
492 if (strequal(type, "WRFILE")) {
493 gen_cc = talloc_asprintf(
494 mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
496 if (strequal(type, "KEYRING")) {
497 gen_cc = talloc_asprintf(
498 mem_ctx, "KEYRING:persistent:%d", uid);
501 if (strnequal(type, "FILE:/", 6) ||
502 strnequal(type, "WRFILE:/", 8) ||
503 strnequal(type, "DIR:/", 5)) {
505 /* we allow only one "%u" substitution */
507 char *p;
509 p = strchr(type, '%');
510 if (p != NULL) {
512 p++;
514 if (p != NULL && *p == 'u' && strchr(p, '%') == NULL) {
515 char uid_str[sizeof("18446744073709551615")];
517 snprintf(uid_str, sizeof(uid_str), "%u", uid);
519 gen_cc = talloc_string_sub2(mem_ctx,
520 type,
521 "%u",
522 uid_str,
523 /* remove_unsafe_characters */
524 false,
525 /* replace_once */
526 true,
527 /* allow_trailing_dollar */
528 false);
534 *user_ccache_file = gen_cc;
536 if (gen_cc == NULL) {
537 gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbindd_pam_ccache");
539 if (gen_cc == NULL) {
540 DEBUG(0,("out of memory\n"));
541 return NULL;
544 DEBUG(10, ("using ccache: %s%s\n", gen_cc,
545 (*user_ccache_file == NULL) ? " (internal)":""));
547 return gen_cc;
550 #endif
552 uid_t get_uid_from_request(struct winbindd_request *request)
554 uid_t uid;
556 uid = request->data.auth.uid;
558 if (uid < 0) {
559 DEBUG(1,("invalid uid: '%u'\n", (unsigned int)uid));
560 return -1;
562 return uid;
565 /**********************************************************************
566 Authenticate a user with a clear text password using Kerberos and fill up
567 ccache if required
568 **********************************************************************/
570 static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
571 struct winbindd_domain *domain,
572 const char *user,
573 const char *pass,
574 const char *krb5_cc_type,
575 uid_t uid,
576 struct netr_SamInfo3 **info3,
577 fstring krb5ccname)
579 #ifdef HAVE_KRB5
580 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
581 krb5_error_code krb5_ret;
582 const char *cc = NULL;
583 const char *principal_s = NULL;
584 const char *service = NULL;
585 char *realm = NULL;
586 fstring name_domain, name_user;
587 time_t ticket_lifetime = 0;
588 time_t renewal_until = 0;
589 ADS_STRUCT *ads;
590 time_t time_offset = 0;
591 const char *user_ccache_file;
592 struct PAC_LOGON_INFO *logon_info = NULL;
593 struct PAC_DATA *pac_data = NULL;
594 struct PAC_DATA_CTR *pac_data_ctr = NULL;
595 const char *local_service;
596 int i;
597 struct netr_SamInfo3 *info3_copy = NULL;
599 *info3 = NULL;
601 if (domain->alt_name == NULL) {
602 return NT_STATUS_INVALID_PARAMETER;
605 /* 1st step:
606 * prepare a krb5_cc_cache string for the user */
608 if (uid == -1) {
609 DEBUG(0,("no valid uid\n"));
612 cc = generate_krb5_ccache(mem_ctx,
613 krb5_cc_type,
614 uid,
615 &user_ccache_file);
616 if (cc == NULL) {
617 return NT_STATUS_NO_MEMORY;
621 /* 2nd step:
622 * get kerberos properties */
624 if (domain->private_data) {
625 ads = (ADS_STRUCT *)domain->private_data;
626 time_offset = ads->auth.time_offset;
630 /* 3rd step:
631 * do kerberos auth and setup ccache as the user */
633 parse_domain_user(user, name_domain, name_user);
635 realm = talloc_strdup(mem_ctx, domain->alt_name);
636 if (realm == NULL) {
637 return NT_STATUS_NO_MEMORY;
640 if (!strupper_m(realm)) {
641 return NT_STATUS_INVALID_PARAMETER;
644 principal_s = talloc_asprintf(mem_ctx, "%s@%s", name_user, realm);
645 if (principal_s == NULL) {
646 return NT_STATUS_NO_MEMORY;
649 service = talloc_asprintf(mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
650 if (service == NULL) {
651 return NT_STATUS_NO_MEMORY;
654 local_service = talloc_asprintf(mem_ctx, "%s$@%s",
655 lp_netbios_name(), lp_realm());
656 if (local_service == NULL) {
657 return NT_STATUS_NO_MEMORY;
661 /* if this is a user ccache, we need to act as the user to let the krb5
662 * library handle the chown, etc. */
664 /************************ ENTERING NON-ROOT **********************/
666 if (user_ccache_file != NULL) {
667 set_effective_uid(uid);
668 DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
671 result = kerberos_return_pac(mem_ctx,
672 principal_s,
673 pass,
674 time_offset,
675 &ticket_lifetime,
676 &renewal_until,
678 true,
679 true,
680 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
681 NULL,
682 local_service,
683 &pac_data_ctr);
684 if (user_ccache_file != NULL) {
685 gain_root_privilege();
688 /************************ RETURNED TO ROOT **********************/
690 if (!NT_STATUS_IS_OK(result)) {
691 goto failed;
694 if (pac_data_ctr == NULL) {
695 goto failed;
698 pac_data = pac_data_ctr->pac_data;
699 if (pac_data == NULL) {
700 goto failed;
703 for (i=0; i < pac_data->num_buffers; i++) {
705 if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
706 continue;
709 logon_info = pac_data->buffers[i].info->logon_info.info;
710 if (!logon_info) {
711 return NT_STATUS_INVALID_PARAMETER;
714 break;
717 if (logon_info == NULL) {
718 DEBUG(10,("Missing logon_info in ticket of %s\n",
719 principal_s));
720 return NT_STATUS_INVALID_PARAMETER;
723 DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
724 principal_s));
726 result = create_info3_from_pac_logon_info(mem_ctx, logon_info, &info3_copy);
727 if (!NT_STATUS_IS_OK(result)) {
728 goto failed;
731 /* if we had a user's ccache then return that string for the pam
732 * environment */
734 if (user_ccache_file != NULL) {
736 fstrcpy(krb5ccname, user_ccache_file);
738 result = add_ccache_to_list(principal_s,
740 service,
741 user,
742 pass,
743 realm,
744 uid,
745 time(NULL),
746 ticket_lifetime,
747 renewal_until,
748 false);
750 if (!NT_STATUS_IS_OK(result)) {
751 DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
752 nt_errstr(result)));
754 } else {
756 /* need to delete the memory cred cache, it is not used anymore */
758 krb5_ret = ads_kdestroy(cc);
759 if (krb5_ret) {
760 DEBUG(3,("winbindd_raw_kerberos_login: "
761 "could not destroy krb5 credential cache: "
762 "%s\n", error_message(krb5_ret)));
766 *info3 = info3_copy;
767 return NT_STATUS_OK;
769 failed:
771 * Do not delete an existing valid credential cache, if the user
772 * e.g. enters a wrong password
774 if ((strequal(krb5_cc_type, "FILE") || strequal(krb5_cc_type, "WRFILE"))
775 && user_ccache_file != NULL) {
776 return result;
779 /* we could have created a new credential cache with a valid tgt in it
780 * but we werent able to get or verify the service ticket for this
781 * local host and therefor didn't get the PAC, we need to remove that
782 * cache entirely now */
784 krb5_ret = ads_kdestroy(cc);
785 if (krb5_ret) {
786 DEBUG(3,("winbindd_raw_kerberos_login: "
787 "could not destroy krb5 credential cache: "
788 "%s\n", error_message(krb5_ret)));
791 if (!NT_STATUS_IS_OK(remove_ccache(user))) {
792 DEBUG(3,("winbindd_raw_kerberos_login: "
793 "could not remove ccache for user %s\n",
794 user));
797 return result;
798 #else
799 return NT_STATUS_NOT_SUPPORTED;
800 #endif /* HAVE_KRB5 */
803 /****************************************************************
804 ****************************************************************/
806 bool check_request_flags(uint32_t flags)
808 uint32_t flags_edata = WBFLAG_PAM_AFS_TOKEN |
809 WBFLAG_PAM_INFO3_TEXT |
810 WBFLAG_PAM_INFO3_NDR;
812 if ( ( (flags & flags_edata) == WBFLAG_PAM_AFS_TOKEN) ||
813 ( (flags & flags_edata) == WBFLAG_PAM_INFO3_NDR) ||
814 ( (flags & flags_edata) == WBFLAG_PAM_INFO3_TEXT)||
815 !(flags & flags_edata) ) {
816 return true;
819 DEBUG(1, ("check_request_flags: invalid request flags[0x%08X]\n",
820 flags));
822 return false;
825 /****************************************************************
826 ****************************************************************/
828 NTSTATUS append_auth_data(TALLOC_CTX *mem_ctx,
829 struct winbindd_response *resp,
830 uint32_t request_flags,
831 struct netr_SamInfo3 *info3,
832 const char *name_domain,
833 const char *name_user)
835 NTSTATUS result;
837 if (request_flags & WBFLAG_PAM_USER_SESSION_KEY) {
838 memcpy(resp->data.auth.user_session_key,
839 info3->base.key.key,
840 sizeof(resp->data.auth.user_session_key)
841 /* 16 */);
844 if (request_flags & WBFLAG_PAM_LMKEY) {
845 memcpy(resp->data.auth.first_8_lm_hash,
846 info3->base.LMSessKey.key,
847 sizeof(resp->data.auth.first_8_lm_hash)
848 /* 8 */);
851 if (request_flags & WBFLAG_PAM_UNIX_NAME) {
852 result = append_unix_username(mem_ctx, resp,
853 info3, name_domain, name_user);
854 if (!NT_STATUS_IS_OK(result)) {
855 DEBUG(10,("Failed to append Unix Username: %s\n",
856 nt_errstr(result)));
857 return result;
861 /* currently, anything from here on potentially overwrites extra_data. */
863 if (request_flags & WBFLAG_PAM_INFO3_NDR) {
864 result = append_info3_as_ndr(mem_ctx, resp, info3);
865 if (!NT_STATUS_IS_OK(result)) {
866 DEBUG(10,("Failed to append INFO3 (NDR): %s\n",
867 nt_errstr(result)));
868 return result;
872 if (request_flags & WBFLAG_PAM_INFO3_TEXT) {
873 result = append_info3_as_txt(mem_ctx, resp, info3);
874 if (!NT_STATUS_IS_OK(result)) {
875 DEBUG(10,("Failed to append INFO3 (TXT): %s\n",
876 nt_errstr(result)));
877 return result;
881 if (request_flags & WBFLAG_PAM_AFS_TOKEN) {
882 result = append_afs_token(mem_ctx, resp,
883 info3, name_domain, name_user);
884 if (!NT_STATUS_IS_OK(result)) {
885 DEBUG(10,("Failed to append AFS token: %s\n",
886 nt_errstr(result)));
887 return result;
891 return NT_STATUS_OK;
894 static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
895 struct winbindd_cli_state *state,
896 struct netr_SamInfo3 **info3)
898 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
899 uint16_t max_allowed_bad_attempts;
900 fstring name_domain, name_user;
901 struct dom_sid sid;
902 enum lsa_SidType type;
903 uchar new_nt_pass[NT_HASH_LEN];
904 const uint8_t *cached_nt_pass;
905 const uint8_t *cached_salt;
906 struct netr_SamInfo3 *my_info3;
907 time_t kickoff_time, must_change_time;
908 bool password_good = false;
909 #ifdef HAVE_KRB5
910 struct winbindd_tdc_domain *tdc_domain = NULL;
911 #endif
913 *info3 = NULL;
915 ZERO_STRUCTP(info3);
917 DEBUG(10,("winbindd_dual_pam_auth_cached\n"));
919 /* Parse domain and username */
921 parse_domain_user(state->request->data.auth.user, name_domain, name_user);
924 if (!lookup_cached_name(name_domain,
925 name_user,
926 &sid,
927 &type)) {
928 DEBUG(10,("winbindd_dual_pam_auth_cached: no such user in the cache\n"));
929 return NT_STATUS_NO_SUCH_USER;
932 if (type != SID_NAME_USER) {
933 DEBUG(10,("winbindd_dual_pam_auth_cached: not a user (%s)\n", sid_type_lookup(type)));
934 return NT_STATUS_LOGON_FAILURE;
937 result = winbindd_get_creds(domain,
938 state->mem_ctx,
939 &sid,
940 &my_info3,
941 &cached_nt_pass,
942 &cached_salt);
943 if (!NT_STATUS_IS_OK(result)) {
944 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get creds: %s\n", nt_errstr(result)));
945 return result;
948 *info3 = my_info3;
950 E_md4hash(state->request->data.auth.pass, new_nt_pass);
952 dump_data_pw("new_nt_pass", new_nt_pass, NT_HASH_LEN);
953 dump_data_pw("cached_nt_pass", cached_nt_pass, NT_HASH_LEN);
954 if (cached_salt) {
955 dump_data_pw("cached_salt", cached_salt, NT_HASH_LEN);
958 if (cached_salt) {
959 /* In this case we didn't store the nt_hash itself,
960 but the MD5 combination of salt + nt_hash. */
961 uchar salted_hash[NT_HASH_LEN];
962 E_md5hash(cached_salt, new_nt_pass, salted_hash);
964 password_good = (memcmp(cached_nt_pass, salted_hash,
965 NT_HASH_LEN) == 0);
966 } else {
967 /* Old cached cred - direct store of nt_hash (bad bad bad !). */
968 password_good = (memcmp(cached_nt_pass, new_nt_pass,
969 NT_HASH_LEN) == 0);
972 if (password_good) {
974 /* User *DOES* know the password, update logon_time and reset
975 * bad_pw_count */
977 my_info3->base.user_flags |= NETLOGON_CACHED_ACCOUNT;
979 if (my_info3->base.acct_flags & ACB_AUTOLOCK) {
980 return NT_STATUS_ACCOUNT_LOCKED_OUT;
983 if (my_info3->base.acct_flags & ACB_DISABLED) {
984 return NT_STATUS_ACCOUNT_DISABLED;
987 if (my_info3->base.acct_flags & ACB_WSTRUST) {
988 return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
991 if (my_info3->base.acct_flags & ACB_SVRTRUST) {
992 return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
995 if (my_info3->base.acct_flags & ACB_DOMTRUST) {
996 return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
999 if (!(my_info3->base.acct_flags & ACB_NORMAL)) {
1000 DEBUG(0,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
1001 my_info3->base.acct_flags));
1002 return NT_STATUS_LOGON_FAILURE;
1005 kickoff_time = nt_time_to_unix(my_info3->base.kickoff_time);
1006 if (kickoff_time != 0 && time(NULL) > kickoff_time) {
1007 return NT_STATUS_ACCOUNT_EXPIRED;
1010 must_change_time = nt_time_to_unix(my_info3->base.force_password_change);
1011 if (must_change_time != 0 && must_change_time < time(NULL)) {
1012 /* we allow grace logons when the password has expired */
1013 my_info3->base.user_flags |= NETLOGON_GRACE_LOGON;
1014 /* return NT_STATUS_PASSWORD_EXPIRED; */
1015 goto success;
1018 #ifdef HAVE_KRB5
1019 if ((state->request->flags & WBFLAG_PAM_KRB5) &&
1020 ((tdc_domain = wcache_tdc_fetch_domain(state->mem_ctx, name_domain)) != NULL) &&
1021 ((tdc_domain->trust_type & LSA_TRUST_TYPE_UPLEVEL) ||
1022 /* used to cope with the case winbindd starting without network. */
1023 !strequal(tdc_domain->domain_name, tdc_domain->dns_name))) {
1025 uid_t uid = -1;
1026 const char *cc = NULL;
1027 char *realm = NULL;
1028 const char *principal_s = NULL;
1029 const char *service = NULL;
1030 const char *user_ccache_file;
1032 if (domain->alt_name == NULL) {
1033 return NT_STATUS_INVALID_PARAMETER;
1036 uid = get_uid_from_request(state->request);
1037 if (uid == -1) {
1038 DEBUG(0,("winbindd_dual_pam_auth_cached: invalid uid\n"));
1039 return NT_STATUS_INVALID_PARAMETER;
1042 cc = generate_krb5_ccache(state->mem_ctx,
1043 state->request->data.auth.krb5_cc_type,
1044 state->request->data.auth.uid,
1045 &user_ccache_file);
1046 if (cc == NULL) {
1047 return NT_STATUS_NO_MEMORY;
1050 realm = talloc_strdup(state->mem_ctx, domain->alt_name);
1051 if (realm == NULL) {
1052 return NT_STATUS_NO_MEMORY;
1055 if (!strupper_m(realm)) {
1056 return NT_STATUS_INVALID_PARAMETER;
1059 principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
1060 if (principal_s == NULL) {
1061 return NT_STATUS_NO_MEMORY;
1064 service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
1065 if (service == NULL) {
1066 return NT_STATUS_NO_MEMORY;
1069 if (user_ccache_file != NULL) {
1071 fstrcpy(state->response->data.auth.krb5ccname,
1072 user_ccache_file);
1074 result = add_ccache_to_list(principal_s,
1076 service,
1077 state->request->data.auth.user,
1078 state->request->data.auth.pass,
1079 realm,
1080 uid,
1081 time(NULL),
1082 time(NULL) + lp_winbind_cache_time(),
1083 time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
1084 true);
1086 if (!NT_STATUS_IS_OK(result)) {
1087 DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
1088 "to add ccache to list: %s\n",
1089 nt_errstr(result)));
1093 #endif /* HAVE_KRB5 */
1094 success:
1095 /* FIXME: we possibly should handle logon hours as well (does xp when
1096 * offline?) see auth/auth_sam.c:sam_account_ok for details */
1098 unix_to_nt_time(&my_info3->base.logon_time, time(NULL));
1099 my_info3->base.bad_password_count = 0;
1101 result = winbindd_update_creds_by_info3(domain,
1102 state->request->data.auth.user,
1103 state->request->data.auth.pass,
1104 my_info3);
1105 if (!NT_STATUS_IS_OK(result)) {
1106 DEBUG(1,("winbindd_dual_pam_auth_cached: failed to update creds: %s\n",
1107 nt_errstr(result)));
1108 return result;
1111 return NT_STATUS_OK;
1115 /* User does *NOT* know the correct password, modify info3 accordingly, but only if online */
1116 if (domain->online == false) {
1117 goto failed;
1120 /* failure of this is not critical */
1121 result = get_max_bad_attempts_from_lockout_policy(domain, state->mem_ctx, &max_allowed_bad_attempts);
1122 if (!NT_STATUS_IS_OK(result)) {
1123 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get max_allowed_bad_attempts. "
1124 "Won't be able to honour account lockout policies\n"));
1127 /* increase counter */
1128 my_info3->base.bad_password_count++;
1130 if (max_allowed_bad_attempts == 0) {
1131 goto failed;
1134 /* lockout user */
1135 if (my_info3->base.bad_password_count >= max_allowed_bad_attempts) {
1137 uint32_t password_properties;
1139 result = get_pwd_properties(domain, state->mem_ctx, &password_properties);
1140 if (!NT_STATUS_IS_OK(result)) {
1141 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
1144 if ((my_info3->base.rid != DOMAIN_RID_ADMINISTRATOR) ||
1145 (password_properties & DOMAIN_PASSWORD_LOCKOUT_ADMINS)) {
1146 my_info3->base.acct_flags |= ACB_AUTOLOCK;
1150 failed:
1151 result = winbindd_update_creds_by_info3(domain,
1152 state->request->data.auth.user,
1153 NULL,
1154 my_info3);
1156 if (!NT_STATUS_IS_OK(result)) {
1157 DEBUG(0,("winbindd_dual_pam_auth_cached: failed to update creds %s\n",
1158 nt_errstr(result)));
1161 return NT_STATUS_LOGON_FAILURE;
1164 static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
1165 struct winbindd_cli_state *state,
1166 struct netr_SamInfo3 **info3)
1168 struct winbindd_domain *contact_domain;
1169 fstring name_domain, name_user;
1170 NTSTATUS result;
1172 DEBUG(10,("winbindd_dual_pam_auth_kerberos\n"));
1174 /* Parse domain and username */
1176 parse_domain_user(state->request->data.auth.user, name_domain, name_user);
1178 /* what domain should we contact? */
1180 if ( IS_DC ) {
1181 if (!(contact_domain = find_domain_from_name(name_domain))) {
1182 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1183 state->request->data.auth.user, name_domain, name_user, name_domain));
1184 result = NT_STATUS_NO_SUCH_USER;
1185 goto done;
1188 } else {
1189 if (is_myname(name_domain)) {
1190 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1191 result = NT_STATUS_NO_SUCH_USER;
1192 goto done;
1195 contact_domain = find_domain_from_name(name_domain);
1196 if (contact_domain == NULL) {
1197 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1198 state->request->data.auth.user, name_domain, name_user, name_domain));
1200 result = NT_STATUS_NO_SUCH_USER;
1201 goto done;
1205 if (contact_domain->initialized &&
1206 contact_domain->active_directory) {
1207 goto try_login;
1210 if (!contact_domain->initialized) {
1211 init_dc_connection(contact_domain, false);
1214 if (!contact_domain->active_directory) {
1215 DEBUG(3,("krb5 auth requested but domain is not Active Directory\n"));
1216 return NT_STATUS_INVALID_LOGON_TYPE;
1218 try_login:
1219 result = winbindd_raw_kerberos_login(
1220 state->mem_ctx, contact_domain,
1221 state->request->data.auth.user,
1222 state->request->data.auth.pass,
1223 state->request->data.auth.krb5_cc_type,
1224 get_uid_from_request(state->request),
1225 info3, state->response->data.auth.krb5ccname);
1226 done:
1227 return result;
1230 static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
1231 uint32_t logon_parameters,
1232 const char *domain, const char *user,
1233 const DATA_BLOB *challenge,
1234 const DATA_BLOB *lm_resp,
1235 const DATA_BLOB *nt_resp,
1236 struct netr_SamInfo3 **pinfo3)
1238 struct auth_context *auth_context;
1239 struct auth_serversupplied_info *server_info;
1240 struct auth_usersupplied_info *user_info = NULL;
1241 struct tsocket_address *local;
1242 struct netr_SamInfo3 *info3;
1243 NTSTATUS status;
1244 int rc;
1245 TALLOC_CTX *frame = talloc_stackframe();
1247 rc = tsocket_address_inet_from_strings(frame,
1248 "ip",
1249 "127.0.0.1",
1251 &local);
1252 if (rc < 0) {
1253 TALLOC_FREE(frame);
1254 return NT_STATUS_NO_MEMORY;
1256 status = make_user_info(frame, &user_info, user, user, domain, domain,
1257 lp_netbios_name(), local, lm_resp, nt_resp, NULL, NULL,
1258 NULL, AUTH_PASSWORD_RESPONSE);
1259 if (!NT_STATUS_IS_OK(status)) {
1260 DEBUG(10, ("make_user_info failed: %s\n", nt_errstr(status)));
1261 TALLOC_FREE(frame);
1262 return status;
1265 user_info->logon_parameters = logon_parameters;
1267 /* We don't want any more mapping of the username */
1268 user_info->mapped_state = True;
1270 /* We don't want to come back to winbindd or to do PAM account checks */
1271 user_info->flags |= USER_INFO_LOCAL_SAM_ONLY | USER_INFO_INFO3_AND_NO_AUTHZ;
1273 status = make_auth_context_fixed(frame, &auth_context, challenge->data);
1275 if (!NT_STATUS_IS_OK(status)) {
1276 DEBUG(0, ("Failed to test authentication with check_sam_security_info3: %s\n", nt_errstr(status)));
1277 TALLOC_FREE(frame);
1278 return status;
1281 status = auth_check_ntlm_password(mem_ctx,
1282 auth_context,
1283 user_info,
1284 &server_info);
1286 if (!NT_STATUS_IS_OK(status)) {
1287 TALLOC_FREE(frame);
1288 return status;
1291 info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
1292 if (info3 == NULL) {
1293 TALLOC_FREE(frame);
1294 return NT_STATUS_NO_MEMORY;
1297 status = serverinfo_to_SamInfo3(server_info, info3);
1298 if (!NT_STATUS_IS_OK(status)) {
1299 TALLOC_FREE(frame);
1300 TALLOC_FREE(info3);
1301 DEBUG(0, ("serverinfo_to_SamInfo3 failed: %s\n",
1302 nt_errstr(status)));
1303 return status;
1306 *pinfo3 = info3;
1307 DEBUG(10, ("Authenticaticating user %s\\%s returned %s\n", domain,
1308 user, nt_errstr(status)));
1309 TALLOC_FREE(frame);
1310 return status;
1313 static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
1314 TALLOC_CTX *mem_ctx,
1315 uint32_t logon_parameters,
1316 const char *username,
1317 const char *password,
1318 const char *domainname,
1319 const char *workstation,
1320 const uint8_t chal[8],
1321 DATA_BLOB lm_response,
1322 DATA_BLOB nt_response,
1323 bool interactive,
1324 struct netr_SamInfo3 **info3)
1326 int attempts = 0;
1327 int netr_attempts = 0;
1328 bool retry = false;
1329 NTSTATUS result;
1331 do {
1332 struct rpc_pipe_client *netlogon_pipe;
1333 uint8_t authoritative = 0;
1334 uint32_t flags = 0;
1336 ZERO_STRUCTP(info3);
1337 retry = false;
1339 result = cm_connect_netlogon(domain, &netlogon_pipe);
1341 if (!NT_STATUS_IS_OK(result)) {
1342 DEBUG(3,("Could not open handle to NETLOGON pipe "
1343 "(error: %s, attempts: %d)\n",
1344 nt_errstr(result), netr_attempts));
1346 /* After the first retry always close the connection */
1347 if (netr_attempts > 0) {
1348 DEBUG(3, ("This is again a problem for this "
1349 "particular call, forcing the close "
1350 "of this connection\n"));
1351 invalidate_cm_connection(domain);
1354 /* After the second retry failover to the next DC */
1355 if (netr_attempts > 1) {
1357 * If the netlogon server is not reachable then
1358 * it is possible that the DC is rebuilding
1359 * sysvol and shutdown netlogon for that time.
1360 * We should failover to the next dc.
1362 DEBUG(3, ("This is the third problem for this "
1363 "particular call, adding DC to the "
1364 "negative cache list\n"));
1365 add_failed_connection_entry(domain->name,
1366 domain->dcname,
1367 result);
1368 saf_delete(domain->name);
1371 /* Only allow 3 retries */
1372 if (netr_attempts < 3) {
1373 DEBUG(3, ("The connection to netlogon "
1374 "failed, retrying\n"));
1375 netr_attempts++;
1376 retry = true;
1377 continue;
1379 return result;
1381 netr_attempts = 0;
1383 if (interactive && username != NULL && password != NULL) {
1384 result = rpccli_netlogon_password_logon(domain->conn.netlogon_creds,
1385 netlogon_pipe->binding_handle,
1386 mem_ctx,
1387 logon_parameters,
1388 domainname,
1389 username,
1390 password,
1391 workstation,
1392 NetlogonInteractiveInformation,
1393 info3);
1394 } else {
1395 result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
1396 netlogon_pipe->binding_handle,
1397 mem_ctx,
1398 logon_parameters,
1399 username,
1400 domainname,
1401 workstation,
1402 chal,
1403 lm_response,
1404 nt_response,
1405 &authoritative,
1406 &flags,
1407 info3);
1411 * we increment this after the "feature negotiation"
1412 * for can_do_samlogon_ex and can_do_validation6
1414 attempts += 1;
1416 /* We have to try a second time as cm_connect_netlogon
1417 might not yet have noticed that the DC has killed
1418 our connection. */
1420 if (!rpccli_is_connected(netlogon_pipe)) {
1421 retry = true;
1422 continue;
1425 /* if we get access denied, a possible cause was that we had
1426 and open connection to the DC, but someone changed our
1427 machine account password out from underneath us using 'net
1428 rpc changetrustpw' */
1430 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1431 DEBUG(3,("winbind_samlogon_retry_loop: sam_logon returned "
1432 "ACCESS_DENIED. Maybe the trust account "
1433 "password was changed and we didn't know it. "
1434 "Killing connections to domain %s\n",
1435 domainname));
1436 invalidate_cm_connection(domain);
1437 retry = true;
1440 if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
1442 * Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
1443 * (no Ex). This happens against old Samba
1444 * DCs, if LogonSamLogonEx() fails with an error
1445 * e.g. NT_STATUS_NO_SUCH_USER or NT_STATUS_WRONG_PASSWORD.
1447 * The server will log something like this:
1448 * api_net_sam_logon_ex: Failed to marshall NET_R_SAM_LOGON_EX.
1450 * This sets the whole connection into a fault_state mode
1451 * and all following request get NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
1453 * This also happens to our retry with LogonSamLogonWithFlags()
1454 * and LogonSamLogon().
1456 * In order to recover from this situation, we need to
1457 * drop the connection.
1459 invalidate_cm_connection(domain);
1460 result = NT_STATUS_LOGON_FAILURE;
1461 break;
1464 } while ( (attempts < 2) && retry );
1466 if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) {
1467 DEBUG(3,("winbind_samlogon_retry_loop: sam_network_logon(ex) "
1468 "returned NT_STATUS_IO_TIMEOUT after the retry."
1469 "Killing connections to domain %s\n",
1470 domainname));
1471 invalidate_cm_connection(domain);
1473 return result;
1476 static NTSTATUS winbindd_dual_pam_auth_samlogon(TALLOC_CTX *mem_ctx,
1477 struct winbindd_domain *domain,
1478 const char *user,
1479 const char *pass,
1480 uint32_t request_flags,
1481 struct netr_SamInfo3 **info3)
1484 uchar chal[8];
1485 DATA_BLOB lm_resp;
1486 DATA_BLOB nt_resp;
1487 unsigned char local_nt_response[24];
1488 fstring name_domain, name_user;
1489 NTSTATUS result;
1490 struct netr_SamInfo3 *my_info3 = NULL;
1492 *info3 = NULL;
1494 DEBUG(10,("winbindd_dual_pam_auth_samlogon\n"));
1496 /* Parse domain and username */
1498 parse_domain_user(user, name_domain, name_user);
1500 /* do password magic */
1502 generate_random_buffer(chal, sizeof(chal));
1504 if (lp_client_ntlmv2_auth()) {
1505 DATA_BLOB server_chal;
1506 DATA_BLOB names_blob;
1507 server_chal = data_blob_const(chal, 8);
1509 /* note that the 'workgroup' here is for the local
1510 machine. The 'server name' must match the
1511 'workstation' passed to the actual SamLogon call.
1513 names_blob = NTLMv2_generate_names_blob(
1514 mem_ctx, lp_netbios_name(), lp_workgroup());
1516 if (!SMBNTLMv2encrypt(mem_ctx, name_user, name_domain,
1517 pass,
1518 &server_chal,
1519 &names_blob,
1520 &lm_resp, &nt_resp, NULL, NULL)) {
1521 data_blob_free(&names_blob);
1522 DEBUG(0, ("winbindd_pam_auth: SMBNTLMv2encrypt() failed!\n"));
1523 result = NT_STATUS_NO_MEMORY;
1524 goto done;
1526 data_blob_free(&names_blob);
1527 } else {
1528 lm_resp = data_blob_null;
1529 SMBNTencrypt(pass, chal, local_nt_response);
1531 nt_resp = data_blob_talloc(mem_ctx, local_nt_response,
1532 sizeof(local_nt_response));
1535 if (strequal(name_domain, get_global_sam_name())) {
1536 DATA_BLOB chal_blob = data_blob_const(chal, sizeof(chal));
1538 result = winbindd_dual_auth_passdb(
1539 mem_ctx, 0, name_domain, name_user,
1540 &chal_blob, &lm_resp, &nt_resp, info3);
1543 * We need to try the remote NETLOGON server if this is NOT_IMPLEMENTED
1545 if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
1546 goto done;
1550 /* check authentication loop */
1552 result = winbind_samlogon_retry_loop(domain,
1553 mem_ctx,
1555 name_user,
1556 pass,
1557 name_domain,
1558 lp_netbios_name(),
1559 chal,
1560 lm_resp,
1561 nt_resp,
1562 true, /* interactive */
1563 &my_info3);
1564 if (!NT_STATUS_IS_OK(result)) {
1565 goto done;
1568 /* handle the case where a NT4 DC does not fill in the acct_flags in
1569 * the samlogon reply info3. When accurate info3 is required by the
1570 * caller, we look up the account flags ourselve - gd */
1572 if ((request_flags & WBFLAG_PAM_INFO3_TEXT) &&
1573 NT_STATUS_IS_OK(result) && (my_info3->base.acct_flags == 0)) {
1575 struct rpc_pipe_client *samr_pipe;
1576 struct policy_handle samr_domain_handle, user_pol;
1577 union samr_UserInfo *info = NULL;
1578 NTSTATUS status_tmp, result_tmp;
1579 uint32_t acct_flags;
1580 struct dcerpc_binding_handle *b;
1582 status_tmp = cm_connect_sam(domain, mem_ctx, false,
1583 &samr_pipe, &samr_domain_handle);
1585 if (!NT_STATUS_IS_OK(status_tmp)) {
1586 DEBUG(3, ("could not open handle to SAMR pipe: %s\n",
1587 nt_errstr(status_tmp)));
1588 goto done;
1591 b = samr_pipe->binding_handle;
1593 status_tmp = dcerpc_samr_OpenUser(b, mem_ctx,
1594 &samr_domain_handle,
1595 MAXIMUM_ALLOWED_ACCESS,
1596 my_info3->base.rid,
1597 &user_pol,
1598 &result_tmp);
1600 if (!NT_STATUS_IS_OK(status_tmp)) {
1601 DEBUG(3, ("could not open user handle on SAMR pipe: %s\n",
1602 nt_errstr(status_tmp)));
1603 goto done;
1605 if (!NT_STATUS_IS_OK(result_tmp)) {
1606 DEBUG(3, ("could not open user handle on SAMR pipe: %s\n",
1607 nt_errstr(result_tmp)));
1608 goto done;
1611 status_tmp = dcerpc_samr_QueryUserInfo(b, mem_ctx,
1612 &user_pol,
1614 &info,
1615 &result_tmp);
1617 if (!NT_STATUS_IS_OK(status_tmp)) {
1618 DEBUG(3, ("could not query user info on SAMR pipe: %s\n",
1619 nt_errstr(status_tmp)));
1620 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result_tmp);
1621 goto done;
1623 if (!NT_STATUS_IS_OK(result_tmp)) {
1624 DEBUG(3, ("could not query user info on SAMR pipe: %s\n",
1625 nt_errstr(result_tmp)));
1626 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result_tmp);
1627 goto done;
1630 acct_flags = info->info16.acct_flags;
1632 if (acct_flags == 0) {
1633 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result_tmp);
1634 goto done;
1637 my_info3->base.acct_flags = acct_flags;
1639 DEBUG(10,("successfully retrieved acct_flags 0x%x\n", acct_flags));
1641 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result_tmp);
1644 *info3 = my_info3;
1645 done:
1646 return result;
1649 enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
1650 struct winbindd_cli_state *state)
1652 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
1653 NTSTATUS krb5_result = NT_STATUS_OK;
1654 fstring name_domain, name_user;
1655 char *mapped_user;
1656 fstring domain_user;
1657 struct netr_SamInfo3 *info3 = NULL;
1658 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
1660 /* Ensure null termination */
1661 state->request->data.auth.user[sizeof(state->request->data.auth.user)-1]='\0';
1663 /* Ensure null termination */
1664 state->request->data.auth.pass[sizeof(state->request->data.auth.pass)-1]='\0';
1666 DEBUG(3, ("[%5lu]: dual pam auth %s\n", (unsigned long)state->pid,
1667 state->request->data.auth.user));
1669 /* Parse domain and username */
1671 name_map_status = normalize_name_unmap(state->mem_ctx,
1672 state->request->data.auth.user,
1673 &mapped_user);
1675 /* If the name normalization didnt' actually do anything,
1676 just use the original name */
1678 if (!NT_STATUS_IS_OK(name_map_status) &&
1679 !NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
1681 mapped_user = state->request->data.auth.user;
1684 parse_domain_user(mapped_user, name_domain, name_user);
1686 if ( mapped_user != state->request->data.auth.user ) {
1687 fstr_sprintf( domain_user, "%s%c%s", name_domain,
1688 *lp_winbind_separator(),
1689 name_user );
1690 strlcpy( state->request->data.auth.user, domain_user,
1691 sizeof(state->request->data.auth.user));
1694 if (!domain->online) {
1695 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1696 if (domain->startup) {
1697 /* Logons are very important to users. If we're offline and
1698 we get a request within the first 30 seconds of startup,
1699 try very hard to find a DC and go online. */
1701 DEBUG(10,("winbindd_dual_pam_auth: domain: %s offline and auth "
1702 "request in startup mode.\n", domain->name ));
1704 winbindd_flush_negative_conn_cache(domain);
1705 result = init_dc_connection(domain, false);
1709 DEBUG(10,("winbindd_dual_pam_auth: domain: %s last was %s\n", domain->name, domain->online ? "online":"offline"));
1711 /* Check for Kerberos authentication */
1712 if (domain->online && (state->request->flags & WBFLAG_PAM_KRB5)) {
1714 result = winbindd_dual_pam_auth_kerberos(domain, state, &info3);
1715 /* save for later */
1716 krb5_result = result;
1719 if (NT_STATUS_IS_OK(result)) {
1720 DEBUG(10,("winbindd_dual_pam_auth_kerberos succeeded\n"));
1721 goto process_result;
1722 } else {
1723 DEBUG(10,("winbindd_dual_pam_auth_kerberos failed: %s\n", nt_errstr(result)));
1726 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
1727 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
1728 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1729 DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
1730 set_domain_offline( domain );
1731 goto cached_logon;
1734 /* there are quite some NT_STATUS errors where there is no
1735 * point in retrying with a samlogon, we explictly have to take
1736 * care not to increase the bad logon counter on the DC */
1738 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_DISABLED) ||
1739 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_EXPIRED) ||
1740 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_LOCKED_OUT) ||
1741 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_LOGON_HOURS) ||
1742 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_WORKSTATION) ||
1743 NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE) ||
1744 NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER) ||
1745 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_EXPIRED) ||
1746 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE) ||
1747 NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD)) {
1748 goto done;
1751 if (state->request->flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
1752 DEBUG(3,("falling back to samlogon\n"));
1753 goto sam_logon;
1754 } else {
1755 goto cached_logon;
1759 sam_logon:
1760 /* Check for Samlogon authentication */
1761 if (domain->online) {
1762 result = winbindd_dual_pam_auth_samlogon(
1763 state->mem_ctx, domain,
1764 state->request->data.auth.user,
1765 state->request->data.auth.pass,
1766 state->request->flags,
1767 &info3);
1769 if (NT_STATUS_IS_OK(result)) {
1770 DEBUG(10,("winbindd_dual_pam_auth_samlogon succeeded\n"));
1771 /* add the Krb5 err if we have one */
1772 if ( NT_STATUS_EQUAL(krb5_result, NT_STATUS_TIME_DIFFERENCE_AT_DC ) ) {
1773 info3->base.user_flags |= LOGON_KRB5_FAIL_CLOCK_SKEW;
1775 goto process_result;
1778 DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n",
1779 nt_errstr(result)));
1781 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
1782 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
1783 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND))
1785 DEBUG(10,("winbindd_dual_pam_auth_samlogon setting domain to offline\n"));
1786 set_domain_offline( domain );
1787 goto cached_logon;
1790 if (domain->online) {
1791 /* We're still online - fail. */
1792 goto done;
1796 cached_logon:
1797 /* Check for Cached logons */
1798 if (!domain->online && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN) &&
1799 lp_winbind_offline_logon()) {
1801 result = winbindd_dual_pam_auth_cached(domain, state, &info3);
1803 if (NT_STATUS_IS_OK(result)) {
1804 DEBUG(10,("winbindd_dual_pam_auth_cached succeeded\n"));
1805 goto process_result;
1806 } else {
1807 DEBUG(10,("winbindd_dual_pam_auth_cached failed: %s\n", nt_errstr(result)));
1808 goto done;
1812 process_result:
1814 if (NT_STATUS_IS_OK(result)) {
1816 struct dom_sid user_sid;
1818 /* In all codepaths where result == NT_STATUS_OK info3 must have
1819 been initialized. */
1820 if (!info3) {
1821 result = NT_STATUS_INTERNAL_ERROR;
1822 goto done;
1825 sid_compose(&user_sid, info3->base.domain_sid,
1826 info3->base.rid);
1828 if (info3->base.full_name.string == NULL) {
1829 struct netr_SamInfo3 *cached_info3;
1831 cached_info3 = netsamlogon_cache_get(state->mem_ctx,
1832 &user_sid);
1833 if (cached_info3 != NULL &&
1834 cached_info3->base.full_name.string != NULL) {
1835 info3->base.full_name.string =
1836 talloc_strdup(info3,
1837 cached_info3->base.full_name.string);
1838 } else {
1840 /* this might fail so we dont check the return code */
1841 wcache_query_user_fullname(domain,
1842 info3,
1843 &user_sid,
1844 &info3->base.full_name.string);
1848 wcache_invalidate_samlogon(find_domain_from_name(name_domain),
1849 &user_sid);
1850 netsamlogon_cache_store(name_user, info3);
1852 /* save name_to_sid info as early as possible (only if
1853 this is our primary domain so we don't invalidate
1854 the cache entry by storing the seq_num for the wrong
1855 domain). */
1856 if ( domain->primary ) {
1857 cache_name2sid(domain, name_domain, name_user,
1858 SID_NAME_USER, &user_sid);
1861 /* Check if the user is in the right group */
1863 result = check_info3_in_group(
1864 info3,
1865 state->request->data.auth.require_membership_of_sid);
1866 if (!NT_STATUS_IS_OK(result)) {
1867 DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
1868 state->request->data.auth.user,
1869 state->request->data.auth.require_membership_of_sid));
1870 goto done;
1873 result = append_auth_data(state->mem_ctx, state->response,
1874 state->request->flags, info3,
1875 name_domain, name_user);
1876 if (!NT_STATUS_IS_OK(result)) {
1877 goto done;
1880 if ((state->request->flags & WBFLAG_PAM_CACHED_LOGIN)
1881 && lp_winbind_offline_logon()) {
1883 result = winbindd_store_creds(domain,
1884 state->request->data.auth.user,
1885 state->request->data.auth.pass,
1886 info3);
1889 if (state->request->flags & WBFLAG_PAM_GET_PWD_POLICY) {
1890 struct winbindd_domain *our_domain = find_our_domain();
1892 /* This is not entirely correct I believe, but it is
1893 consistent. Only apply the password policy settings
1894 too warn users for our own domain. Cannot obtain these
1895 from trusted DCs all the time so don't do it at all.
1896 -- jerry */
1898 result = NT_STATUS_NOT_SUPPORTED;
1899 if (our_domain == domain ) {
1900 result = fillup_password_policy(
1901 our_domain, state->response);
1904 if (!NT_STATUS_IS_OK(result)
1905 && !NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) )
1907 DEBUG(10,("Failed to get password policies for domain %s: %s\n",
1908 domain->name, nt_errstr(result)));
1909 goto done;
1913 result = NT_STATUS_OK;
1916 done:
1917 /* give us a more useful (more correct?) error code */
1918 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
1919 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
1920 result = NT_STATUS_NO_LOGON_SERVERS;
1923 set_auth_errors(state->response, result);
1925 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
1926 state->request->data.auth.user,
1927 state->response->data.auth.nt_status_string,
1928 state->response->data.auth.pam_error));
1930 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1933 NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
1934 TALLOC_CTX *mem_ctx,
1935 uint32_t logon_parameters,
1936 const char *name_user,
1937 const char *name_domain,
1938 const char *workstation,
1939 const uint8_t chal[8],
1940 DATA_BLOB lm_response,
1941 DATA_BLOB nt_response,
1942 struct netr_SamInfo3 **info3)
1944 NTSTATUS result;
1946 if (strequal(name_domain, get_global_sam_name())) {
1947 DATA_BLOB chal_blob = data_blob_const(
1948 chal, 8);
1950 result = winbindd_dual_auth_passdb(
1951 mem_ctx,
1952 logon_parameters,
1953 name_domain, name_user,
1954 &chal_blob, &lm_response, &nt_response, info3);
1957 * We need to try the remote NETLOGON server if this is NOT_IMPLEMENTED
1959 if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
1960 goto process_result;
1964 result = winbind_samlogon_retry_loop(domain,
1965 mem_ctx,
1966 logon_parameters,
1967 name_user,
1968 NULL, /* password */
1969 name_domain,
1970 /* Bug #3248 - found by Stefan Burkei. */
1971 workstation, /* We carefully set this above so use it... */
1972 chal,
1973 lm_response,
1974 nt_response,
1975 false, /* interactive */
1976 info3);
1977 if (!NT_STATUS_IS_OK(result)) {
1978 goto done;
1981 process_result:
1983 if (NT_STATUS_IS_OK(result)) {
1984 struct dom_sid user_sid;
1986 sid_compose(&user_sid, (*info3)->base.domain_sid,
1987 (*info3)->base.rid);
1989 if ((*info3)->base.full_name.string == NULL) {
1990 struct netr_SamInfo3 *cached_info3;
1992 cached_info3 = netsamlogon_cache_get(mem_ctx,
1993 &user_sid);
1994 if (cached_info3 != NULL &&
1995 cached_info3->base.full_name.string != NULL) {
1996 (*info3)->base.full_name.string =
1997 talloc_strdup(*info3,
1998 cached_info3->base.full_name.string);
1999 } else {
2001 /* this might fail so we dont check the return code */
2002 wcache_query_user_fullname(domain,
2003 *info3,
2004 &user_sid,
2005 &(*info3)->base.full_name.string);
2009 wcache_invalidate_samlogon(find_domain_from_name(name_domain),
2010 &user_sid);
2011 netsamlogon_cache_store(name_user, *info3);
2014 done:
2016 /* give us a more useful (more correct?) error code */
2017 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
2018 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
2019 result = NT_STATUS_NO_LOGON_SERVERS;
2022 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2023 ("NTLM CRAP authentication for user [%s]\\[%s] returned %s\n",
2024 name_domain,
2025 name_user,
2026 nt_errstr(result)));
2028 return result;
2031 enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
2032 struct winbindd_cli_state *state)
2034 NTSTATUS result;
2035 struct netr_SamInfo3 *info3 = NULL;
2036 const char *name_user = NULL;
2037 const char *name_domain = NULL;
2038 const char *workstation;
2040 DATA_BLOB lm_resp, nt_resp;
2042 /* This is child-only, so no check for privileged access is needed
2043 anymore */
2045 /* Ensure null termination */
2046 state->request->data.auth_crap.user[sizeof(state->request->data.auth_crap.user)-1]=0;
2047 state->request->data.auth_crap.domain[sizeof(state->request->data.auth_crap.domain)-1]=0;
2049 name_user = state->request->data.auth_crap.user;
2050 name_domain = state->request->data.auth_crap.domain;
2051 workstation = state->request->data.auth_crap.workstation;
2053 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
2054 name_domain, name_user));
2056 if (state->request->data.auth_crap.lm_resp_len > sizeof(state->request->data.auth_crap.lm_resp)
2057 || state->request->data.auth_crap.nt_resp_len > sizeof(state->request->data.auth_crap.nt_resp)) {
2058 if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
2059 state->request->extra_len != state->request->data.auth_crap.nt_resp_len) {
2060 DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
2061 state->request->data.auth_crap.lm_resp_len,
2062 state->request->data.auth_crap.nt_resp_len));
2063 result = NT_STATUS_INVALID_PARAMETER;
2064 goto done;
2068 lm_resp = data_blob_talloc(state->mem_ctx, state->request->data.auth_crap.lm_resp,
2069 state->request->data.auth_crap.lm_resp_len);
2071 if (state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) {
2072 nt_resp = data_blob_talloc(state->mem_ctx,
2073 state->request->extra_data.data,
2074 state->request->data.auth_crap.nt_resp_len);
2075 } else {
2076 nt_resp = data_blob_talloc(state->mem_ctx,
2077 state->request->data.auth_crap.nt_resp,
2078 state->request->data.auth_crap.nt_resp_len);
2081 result = winbind_dual_SamLogon(domain,
2082 state->mem_ctx,
2083 state->request->data.auth_crap.logon_parameters,
2084 name_user,
2085 name_domain,
2086 /* Bug #3248 - found by Stefan Burkei. */
2087 workstation, /* We carefully set this above so use it... */
2088 state->request->data.auth_crap.chal,
2089 lm_resp,
2090 nt_resp,
2091 &info3);
2092 if (!NT_STATUS_IS_OK(result)) {
2093 goto done;
2096 if (NT_STATUS_IS_OK(result)) {
2097 /* Check if the user is in the right group */
2099 result = check_info3_in_group(
2100 info3,
2101 state->request->data.auth_crap.require_membership_of_sid);
2102 if (!NT_STATUS_IS_OK(result)) {
2103 DEBUG(3, ("User %s is not in the required group (%s), so "
2104 "crap authentication is rejected\n",
2105 state->request->data.auth_crap.user,
2106 state->request->data.auth_crap.require_membership_of_sid));
2107 goto done;
2110 result = append_auth_data(state->mem_ctx, state->response,
2111 state->request->flags, info3,
2112 name_domain, name_user);
2113 if (!NT_STATUS_IS_OK(result)) {
2114 goto done;
2118 done:
2120 if (state->request->flags & WBFLAG_PAM_NT_STATUS_SQUASH) {
2121 result = nt_status_squash(result);
2124 set_auth_errors(state->response, result);
2126 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2129 enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact_domain,
2130 struct winbindd_cli_state *state)
2132 char *oldpass;
2133 char *newpass = NULL;
2134 struct policy_handle dom_pol;
2135 struct rpc_pipe_client *cli = NULL;
2136 bool got_info = false;
2137 struct samr_DomInfo1 *info = NULL;
2138 struct userPwdChangeFailureInformation *reject = NULL;
2139 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2140 fstring domain, user;
2141 struct dcerpc_binding_handle *b = NULL;
2143 ZERO_STRUCT(dom_pol);
2145 DEBUG(3, ("[%5lu]: dual pam chauthtok %s\n", (unsigned long)state->pid,
2146 state->request->data.auth.user));
2148 if (!parse_domain_user(state->request->data.chauthtok.user, domain, user)) {
2149 goto done;
2152 /* Change password */
2154 oldpass = state->request->data.chauthtok.oldpass;
2155 newpass = state->request->data.chauthtok.newpass;
2157 /* Initialize reject reason */
2158 state->response->data.auth.reject_reason = Undefined;
2160 /* Get sam handle */
2162 result = cm_connect_sam(contact_domain, state->mem_ctx, true, &cli,
2163 &dom_pol);
2164 if (!NT_STATUS_IS_OK(result)) {
2165 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
2166 goto done;
2169 b = cli->binding_handle;
2171 result = rpccli_samr_chgpasswd_user3(cli, state->mem_ctx,
2172 user,
2173 newpass,
2174 oldpass,
2175 &info,
2176 &reject);
2178 /* Windows 2003 returns NT_STATUS_PASSWORD_RESTRICTION */
2180 if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) ) {
2182 fill_in_password_policy(state->response, info);
2184 state->response->data.auth.reject_reason =
2185 reject->extendedFailureReason;
2187 got_info = true;
2190 /* atm the pidl generated rpccli_samr_ChangePasswordUser3 function will
2191 * return with NT_STATUS_BUFFER_TOO_SMALL for w2k dcs as w2k just
2192 * returns with 4byte error code (NT_STATUS_NOT_SUPPORTED) which is too
2193 * short to comply with the samr_ChangePasswordUser3 idl - gd */
2195 /* only fallback when the chgpasswd_user3 call is not supported */
2196 if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE) ||
2197 NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) ||
2198 NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL) ||
2199 NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
2201 DEBUG(10,("Password change with chgpasswd_user3 failed with: %s, retrying chgpasswd_user2\n",
2202 nt_errstr(result)));
2204 result = rpccli_samr_chgpasswd_user2(cli, state->mem_ctx, user, newpass, oldpass);
2206 /* Windows 2000 returns NT_STATUS_ACCOUNT_RESTRICTION.
2207 Map to the same status code as Windows 2003. */
2209 if ( NT_STATUS_EQUAL(NT_STATUS_ACCOUNT_RESTRICTION, result ) ) {
2210 result = NT_STATUS_PASSWORD_RESTRICTION;
2214 done:
2216 if (NT_STATUS_IS_OK(result)
2217 && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN)
2218 && lp_winbind_offline_logon()) {
2219 result = winbindd_update_creds_by_name(contact_domain, user,
2220 newpass);
2221 /* Again, this happens when we login from gdm or xdm
2222 * and the password expires, *BUT* cached crendentials
2223 * doesn't exist. winbindd_update_creds_by_name()
2224 * returns NT_STATUS_NO_SUCH_USER.
2225 * This is not a failure.
2226 * --- BoYang
2227 * */
2228 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
2229 result = NT_STATUS_OK;
2232 if (!NT_STATUS_IS_OK(result)) {
2233 DEBUG(10, ("Failed to store creds: %s\n",
2234 nt_errstr(result)));
2235 goto process_result;
2239 if (!NT_STATUS_IS_OK(result) && !got_info && contact_domain) {
2241 NTSTATUS policy_ret;
2243 policy_ret = fillup_password_policy(
2244 contact_domain, state->response);
2246 /* failure of this is non critical, it will just provide no
2247 * additional information to the client why the change has
2248 * failed - Guenther */
2250 if (!NT_STATUS_IS_OK(policy_ret)) {
2251 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(policy_ret)));
2252 goto process_result;
2256 process_result:
2258 if (strequal(contact_domain->name, get_global_sam_name())) {
2259 /* FIXME: internal rpc pipe does not cache handles yet */
2260 if (b) {
2261 if (is_valid_policy_hnd(&dom_pol)) {
2262 NTSTATUS _result;
2263 dcerpc_samr_Close(b, state->mem_ctx, &dom_pol, &_result);
2265 TALLOC_FREE(cli);
2269 set_auth_errors(state->response, result);
2271 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2272 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2273 domain,
2274 user,
2275 state->response->data.auth.nt_status_string,
2276 state->response->data.auth.pam_error));
2278 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2281 enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
2282 struct winbindd_cli_state *state)
2284 NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
2286 DEBUG(3, ("[%5lu]: pam dual logoff %s\n", (unsigned long)state->pid,
2287 state->request->data.logoff.user));
2289 if (!(state->request->flags & WBFLAG_PAM_KRB5)) {
2290 result = NT_STATUS_OK;
2291 goto process_result;
2294 if (state->request->data.logoff.krb5ccname[0] == '\0') {
2295 result = NT_STATUS_OK;
2296 goto process_result;
2299 #ifdef HAVE_KRB5
2301 if (state->request->data.logoff.uid < 0) {
2302 DEBUG(0,("winbindd_pam_logoff: invalid uid\n"));
2303 goto process_result;
2306 /* what we need here is to find the corresponding krb5 ccache name *we*
2307 * created for a given username and destroy it */
2309 if (!ccache_entry_exists(state->request->data.logoff.user)) {
2310 result = NT_STATUS_OK;
2311 DEBUG(10,("winbindd_pam_logoff: no entry found.\n"));
2312 goto process_result;
2315 if (!ccache_entry_identical(state->request->data.logoff.user,
2316 state->request->data.logoff.uid,
2317 state->request->data.logoff.krb5ccname)) {
2318 DEBUG(0,("winbindd_pam_logoff: cached entry differs.\n"));
2319 goto process_result;
2322 result = remove_ccache(state->request->data.logoff.user);
2323 if (!NT_STATUS_IS_OK(result)) {
2324 DEBUG(0,("winbindd_pam_logoff: failed to remove ccache: %s\n",
2325 nt_errstr(result)));
2326 goto process_result;
2330 * Remove any mlock'ed memory creds in the child
2331 * we might be using for krb5 ticket renewal.
2334 winbindd_delete_memory_creds(state->request->data.logoff.user);
2336 #else
2337 result = NT_STATUS_NOT_SUPPORTED;
2338 #endif
2340 process_result:
2343 set_auth_errors(state->response, result);
2345 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2348 /* Change user password with auth crap*/
2350 enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domain *domainSt, struct winbindd_cli_state *state)
2352 NTSTATUS result;
2353 DATA_BLOB new_nt_password;
2354 DATA_BLOB old_nt_hash_enc;
2355 DATA_BLOB new_lm_password;
2356 DATA_BLOB old_lm_hash_enc;
2357 fstring domain,user;
2358 struct policy_handle dom_pol;
2359 struct winbindd_domain *contact_domain = domainSt;
2360 struct rpc_pipe_client *cli = NULL;
2361 struct dcerpc_binding_handle *b = NULL;
2363 ZERO_STRUCT(dom_pol);
2365 /* Ensure null termination */
2366 state->request->data.chng_pswd_auth_crap.user[
2367 sizeof(state->request->data.chng_pswd_auth_crap.user)-1]=0;
2368 state->request->data.chng_pswd_auth_crap.domain[
2369 sizeof(state->request->data.chng_pswd_auth_crap.domain)-1]=0;
2370 *domain = 0;
2371 *user = 0;
2373 DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
2374 (unsigned long)state->pid,
2375 state->request->data.chng_pswd_auth_crap.domain,
2376 state->request->data.chng_pswd_auth_crap.user));
2378 if (lp_winbind_offline_logon()) {
2379 DEBUG(0,("Refusing password change as winbind offline logons are enabled. "));
2380 DEBUGADD(0,("Changing passwords here would risk inconsistent logons\n"));
2381 result = NT_STATUS_ACCESS_DENIED;
2382 goto done;
2385 if (*state->request->data.chng_pswd_auth_crap.domain) {
2386 fstrcpy(domain,state->request->data.chng_pswd_auth_crap.domain);
2387 } else {
2388 parse_domain_user(state->request->data.chng_pswd_auth_crap.user,
2389 domain, user);
2391 if(!*domain) {
2392 DEBUG(3,("no domain specified with username (%s) - "
2393 "failing auth\n",
2394 state->request->data.chng_pswd_auth_crap.user));
2395 result = NT_STATUS_NO_SUCH_USER;
2396 goto done;
2400 if (!*domain && lp_winbind_use_default_domain()) {
2401 fstrcpy(domain,lp_workgroup());
2404 if(!*user) {
2405 fstrcpy(user, state->request->data.chng_pswd_auth_crap.user);
2408 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n",
2409 (unsigned long)state->pid, domain, user));
2411 /* Change password */
2412 new_nt_password = data_blob_const(
2413 state->request->data.chng_pswd_auth_crap.new_nt_pswd,
2414 state->request->data.chng_pswd_auth_crap.new_nt_pswd_len);
2416 old_nt_hash_enc = data_blob_const(
2417 state->request->data.chng_pswd_auth_crap.old_nt_hash_enc,
2418 state->request->data.chng_pswd_auth_crap.old_nt_hash_enc_len);
2420 if(state->request->data.chng_pswd_auth_crap.new_lm_pswd_len > 0) {
2421 new_lm_password = data_blob_const(
2422 state->request->data.chng_pswd_auth_crap.new_lm_pswd,
2423 state->request->data.chng_pswd_auth_crap.new_lm_pswd_len);
2425 old_lm_hash_enc = data_blob_const(
2426 state->request->data.chng_pswd_auth_crap.old_lm_hash_enc,
2427 state->request->data.chng_pswd_auth_crap.old_lm_hash_enc_len);
2428 } else {
2429 new_lm_password = data_blob_null;
2430 old_lm_hash_enc = data_blob_null;
2433 /* Get sam handle */
2435 result = cm_connect_sam(contact_domain, state->mem_ctx, true, &cli, &dom_pol);
2436 if (!NT_STATUS_IS_OK(result)) {
2437 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
2438 goto done;
2441 b = cli->binding_handle;
2443 result = rpccli_samr_chng_pswd_auth_crap(
2444 cli, state->mem_ctx, user, new_nt_password, old_nt_hash_enc,
2445 new_lm_password, old_lm_hash_enc);
2447 done:
2449 if (strequal(contact_domain->name, get_global_sam_name())) {
2450 /* FIXME: internal rpc pipe does not cache handles yet */
2451 if (b) {
2452 if (is_valid_policy_hnd(&dom_pol)) {
2453 NTSTATUS _result;
2454 dcerpc_samr_Close(b, state->mem_ctx, &dom_pol, &_result);
2456 TALLOC_FREE(cli);
2460 set_auth_errors(state->response, result);
2462 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2463 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2464 domain, user,
2465 state->response->data.auth.nt_status_string,
2466 state->response->data.auth.pam_error));
2468 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2471 #ifdef HAVE_KRB5
2472 static NTSTATUS extract_pac_vrfy_sigs(TALLOC_CTX *mem_ctx, DATA_BLOB pac_blob,
2473 struct PAC_LOGON_INFO **logon_info)
2475 krb5_context krbctx = NULL;
2476 krb5_error_code k5ret;
2477 krb5_keytab keytab;
2478 krb5_kt_cursor cursor;
2479 krb5_keytab_entry entry;
2480 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
2482 ZERO_STRUCT(entry);
2483 ZERO_STRUCT(cursor);
2485 k5ret = krb5_init_context(&krbctx);
2486 if (k5ret) {
2487 DEBUG(1, ("Failed to initialize kerberos context: %s\n",
2488 error_message(k5ret)));
2489 status = krb5_to_nt_status(k5ret);
2490 goto out;
2493 k5ret = gse_krb5_get_server_keytab(krbctx, &keytab);
2494 if (k5ret) {
2495 DEBUG(1, ("Failed to get keytab: %s\n",
2496 error_message(k5ret)));
2497 status = krb5_to_nt_status(k5ret);
2498 goto out_free;
2501 k5ret = krb5_kt_start_seq_get(krbctx, keytab, &cursor);
2502 if (k5ret) {
2503 DEBUG(1, ("Failed to start seq: %s\n",
2504 error_message(k5ret)));
2505 status = krb5_to_nt_status(k5ret);
2506 goto out_keytab;
2509 k5ret = krb5_kt_next_entry(krbctx, keytab, &entry, &cursor);
2510 while (k5ret == 0) {
2511 status = kerberos_pac_logon_info(mem_ctx, pac_blob,
2512 krbctx, NULL,
2513 KRB5_KT_KEY(&entry), NULL, 0,
2514 logon_info);
2515 if (NT_STATUS_IS_OK(status)) {
2516 break;
2518 k5ret = smb_krb5_kt_free_entry(krbctx, &entry);
2519 k5ret = krb5_kt_next_entry(krbctx, keytab, &entry, &cursor);
2522 k5ret = krb5_kt_end_seq_get(krbctx, keytab, &cursor);
2523 if (k5ret) {
2524 DEBUG(1, ("Failed to end seq: %s\n",
2525 error_message(k5ret)));
2527 out_keytab:
2528 k5ret = krb5_kt_close(krbctx, keytab);
2529 if (k5ret) {
2530 DEBUG(1, ("Failed to close keytab: %s\n",
2531 error_message(k5ret)));
2533 out_free:
2534 krb5_free_context(krbctx);
2535 out:
2536 return status;
2539 NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
2540 struct netr_SamInfo3 **info3)
2542 struct winbindd_request *req = state->request;
2543 DATA_BLOB pac_blob;
2544 struct PAC_LOGON_INFO *logon_info = NULL;
2545 struct netr_SamInfo3 *info3_copy = NULL;
2546 NTSTATUS result;
2548 pac_blob = data_blob_const(req->extra_data.data, req->extra_len);
2549 result = extract_pac_vrfy_sigs(state->mem_ctx, pac_blob, &logon_info);
2550 if (!NT_STATUS_IS_OK(result) &&
2551 !NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
2552 DEBUG(1, ("Error during PAC signature verification: %s\n",
2553 nt_errstr(result)));
2554 return result;
2557 if (logon_info) {
2558 /* Signature verification succeeded, trust the PAC */
2559 result = create_info3_from_pac_logon_info(state->mem_ctx,
2560 logon_info,
2561 &info3_copy);
2562 if (!NT_STATUS_IS_OK(result)) {
2563 return result;
2565 netsamlogon_cache_store(NULL, info3_copy);
2567 } else {
2568 /* Try without signature verification */
2569 result = kerberos_pac_logon_info(state->mem_ctx, pac_blob, NULL,
2570 NULL, NULL, NULL, 0,
2571 &logon_info);
2572 if (!NT_STATUS_IS_OK(result)) {
2573 DEBUG(10, ("Could not extract PAC: %s\n",
2574 nt_errstr(result)));
2575 return result;
2577 if (logon_info) {
2579 * Don't strictly need to copy here,
2580 * but it makes it explicit we're
2581 * returning a copy talloc'ed off
2582 * the state->mem_ctx.
2584 info3_copy = copy_netr_SamInfo3(state->mem_ctx,
2585 &logon_info->info3);
2586 if (info3_copy == NULL) {
2587 return NT_STATUS_NO_MEMORY;
2592 *info3 = info3_copy;
2594 return NT_STATUS_OK;
2596 #else /* HAVE_KRB5 */
2597 NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
2598 struct netr_SamInfo3 **info3)
2600 return NT_STATUS_NO_SUCH_USER;
2602 #endif /* HAVE_KRB5 */