2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Andrew Tridgell 1992-2000
5 Copyright (C) Luke Kenneth Casson Leighton 1996-2000
6 Copyright (C) Andrew Bartlett 2001-2003
7 Copyright (C) Gerald Carter 2003
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "../libcli/auth/libcli_auth.h"
29 #define DBGC_CLASS DBGC_AUTH
31 /****************************************************************************
32 Do a specific test for an smb password being correct, given a smb_password and
33 the lanman and NT responses.
34 ****************************************************************************/
36 static NTSTATUS
sam_password_ok(TALLOC_CTX
*mem_ctx
,
39 const DATA_BLOB
*challenge
,
42 const struct auth_usersupplied_info
*user_info
,
43 DATA_BLOB
*user_sess_key
,
44 DATA_BLOB
*lm_sess_key
)
47 struct samr_Password _lm_hash
, _nt_hash
;
48 struct samr_Password
*lm_hash
= NULL
;
49 struct samr_Password
*nt_hash
= NULL
;
51 *user_sess_key
= data_blob_null
;
52 *lm_sess_key
= data_blob_null
;
54 if (acct_ctrl
& ACB_PWNOTREQ
) {
55 if (lp_null_passwords()) {
56 DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", username
));
59 DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", username
));
60 return NT_STATUS_LOGON_FAILURE
;
65 memcpy(_lm_hash
.hash
, lm_pw
, sizeof(_lm_hash
.hash
));
69 memcpy(_nt_hash
.hash
, nt_pw
, sizeof(_nt_hash
.hash
));
72 switch (user_info
->password_state
) {
73 case AUTH_PASSWORD_HASH
:
74 status
= hash_password_check(mem_ctx
, lp_lanman_auth(),
75 user_info
->password
.hash
.lanman
,
76 user_info
->password
.hash
.nt
,
80 if (NT_STATUS_IS_OK(status
)) {
82 *user_sess_key
= data_blob_talloc(mem_ctx
, NULL
, 16);
83 if (!user_sess_key
->data
) {
84 return NT_STATUS_NO_MEMORY
;
86 SMBsesskeygen_ntv1(nt_pw
, user_sess_key
->data
);
91 /* Eventually we should test plaintext passwords in their own
92 * function, not assuming the caller has done a
94 case AUTH_PASSWORD_PLAIN
:
95 case AUTH_PASSWORD_RESPONSE
:
96 return ntlm_password_check(mem_ctx
, lp_lanman_auth(),
98 user_info
->logon_parameters
,
100 &user_info
->password
.response
.lanman
, &user_info
->password
.response
.nt
,
102 user_info
->client
.account_name
,
103 user_info
->client
.domain_name
,
106 user_sess_key
, lm_sess_key
);
108 DEBUG(0,("user_info constructed for user '%s' was invalid - password_state=%u invalid.\n", username
, user_info
->password_state
));
109 return NT_STATUS_INTERNAL_ERROR
;
113 /****************************************************************************
114 Check if a user is allowed to logon at this time. Note this is the
115 servers local time, as logon hours are just specified as a weekly
117 ****************************************************************************/
119 static bool logon_hours_ok(struct samu
*sampass
)
121 /* In logon hours first bit is Sunday from 12AM to 1AM */
122 const uint8_t *hours
;
126 uint8_t bitmask
, bitpos
;
128 hours
= pdb_get_hours(sampass
);
130 DEBUG(5,("logon_hours_ok: No hours restrictions for user %s\n",pdb_get_username(sampass
)));
134 lasttime
= time(NULL
);
135 utctime
= gmtime(&lasttime
);
137 DEBUG(1, ("logon_hours_ok: failed to get gmtime. Failing logon for user %s\n",
138 pdb_get_username(sampass
) ));
142 /* find the corresponding byte and bit */
143 bitpos
= (utctime
->tm_wday
* 24 + utctime
->tm_hour
) % 168;
144 bitmask
= 1 << (bitpos
% 8);
146 if (! (hours
[bitpos
/8] & bitmask
)) {
147 struct tm
*t
= localtime(&lasttime
);
149 asct
= "INVALID TIME";
153 asct
= "INVALID TIME";
157 DEBUG(1, ("logon_hours_ok: Account for user %s not allowed to "
158 "logon at this time (%s).\n",
159 pdb_get_username(sampass
), asct
));
163 asct
= asctime(utctime
);
164 DEBUG(5,("logon_hours_ok: user %s allowed to logon at this time (%s)\n",
165 pdb_get_username(sampass
), asct
? asct
: "UNKNOWN TIME" ));
170 /****************************************************************************
171 Do a specific test for a struct samu being valid for this connection
172 (ie not disabled, expired and the like).
173 ****************************************************************************/
175 static NTSTATUS
sam_account_ok(TALLOC_CTX
*mem_ctx
,
176 struct samu
*sampass
,
177 const struct auth_usersupplied_info
*user_info
)
179 uint32_t acct_ctrl
= pdb_get_acct_ctrl(sampass
);
180 char *workstation_list
;
183 DEBUG(4,("sam_account_ok: Checking SMB password for user %s\n",pdb_get_username(sampass
)));
185 /* Quit if the account was disabled. */
186 if (acct_ctrl
& ACB_DISABLED
) {
187 DEBUG(1,("sam_account_ok: Account for user '%s' was disabled.\n", pdb_get_username(sampass
)));
188 return NT_STATUS_ACCOUNT_DISABLED
;
191 /* Quit if the account was locked out. */
192 if (acct_ctrl
& ACB_AUTOLOCK
) {
193 DEBUG(1,("sam_account_ok: Account for user %s was locked out.\n", pdb_get_username(sampass
)));
194 return NT_STATUS_ACCOUNT_LOCKED_OUT
;
197 /* Quit if the account is not allowed to logon at this time. */
198 if (! logon_hours_ok(sampass
)) {
199 return NT_STATUS_INVALID_LOGON_HOURS
;
202 /* Test account expire time */
204 kickoff_time
= pdb_get_kickoff_time(sampass
);
205 if (kickoff_time
!= 0 && time(NULL
) > kickoff_time
) {
206 DEBUG(1,("sam_account_ok: Account for user '%s' has expired.\n", pdb_get_username(sampass
)));
207 DEBUG(3,("sam_account_ok: Account expired at '%ld' unix time.\n", (long)kickoff_time
));
208 return NT_STATUS_ACCOUNT_EXPIRED
;
211 if (!(pdb_get_acct_ctrl(sampass
) & ACB_PWNOEXP
) && !(pdb_get_acct_ctrl(sampass
) & ACB_PWNOTREQ
)) {
212 time_t must_change_time
= pdb_get_pass_must_change_time(sampass
);
213 time_t last_set_time
= pdb_get_pass_last_set_time(sampass
);
215 /* check for immediate expiry "must change at next logon"
216 * for a user account. */
217 if (((acct_ctrl
& (ACB_WSTRUST
|ACB_SVRTRUST
)) == 0) && (last_set_time
== 0)) {
218 DEBUG(1,("sam_account_ok: Account for user '%s' password must change!\n", pdb_get_username(sampass
)));
219 return NT_STATUS_PASSWORD_MUST_CHANGE
;
222 /* check for expired password */
223 if (must_change_time
< time(NULL
) && must_change_time
!= 0) {
224 DEBUG(1,("sam_account_ok: Account for user '%s' password expired!\n", pdb_get_username(sampass
)));
225 DEBUG(1,("sam_account_ok: Password expired at '%s' (%ld) unix time.\n", http_timestring(talloc_tos(), must_change_time
), (long)must_change_time
));
226 return NT_STATUS_PASSWORD_EXPIRED
;
230 /* Test workstation. Workstation list is comma separated. */
232 workstation_list
= talloc_strdup(mem_ctx
, pdb_get_workstations(sampass
));
233 if (!workstation_list
)
234 return NT_STATUS_NO_MEMORY
;
236 if (*workstation_list
) {
237 bool invalid_ws
= True
;
239 const char *s
= workstation_list
;
240 char *machine_name
= talloc_asprintf(mem_ctx
, "%s$", user_info
->workstation_name
);
242 if (machine_name
== NULL
)
243 return NT_STATUS_NO_MEMORY
;
245 while (next_token_talloc(mem_ctx
, &s
, &tok
, ",")) {
246 DEBUG(10,("sam_account_ok: checking for workstation match %s and %s\n",
247 tok
, user_info
->workstation_name
));
248 if(strequal(tok
, user_info
->workstation_name
)) {
253 DEBUG(10,("sam_account_ok: checking for workstation %s in group: %s\n",
254 machine_name
, tok
+ 1));
255 if (user_in_group(machine_name
, tok
+ 1)) {
263 TALLOC_FREE(machine_name
);
266 return NT_STATUS_INVALID_WORKSTATION
;
269 if (acct_ctrl
& ACB_DOMTRUST
) {
270 DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", pdb_get_username(sampass
)));
271 return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
;
274 if (acct_ctrl
& ACB_SVRTRUST
) {
275 if (!(user_info
->logon_parameters
& MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
)) {
276 DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", pdb_get_username(sampass
)));
277 return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT
;
281 if (acct_ctrl
& ACB_WSTRUST
) {
282 if (!(user_info
->logon_parameters
& MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT
)) {
283 DEBUG(2,("sam_account_ok: Wksta trust account %s denied by server\n", pdb_get_username(sampass
)));
284 return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
;
291 * Check whether the given password is one of the last two
292 * password history entries. If so, the bad pwcount should
293 * not be incremented even thought the actual password check
296 static bool need_to_increment_bad_pw_count(
297 const DATA_BLOB
*challenge
,
298 struct samu
* sampass
,
299 const struct auth_usersupplied_info
*user_info
)
302 const uint8_t *pwhistory
;
303 uint32_t pwhistory_len
;
304 uint32_t policy_pwhistory_len
;
306 const char *username
;
307 TALLOC_CTX
*mem_ctx
= talloc_stackframe();
310 pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY
,
311 &policy_pwhistory_len
);
312 if (policy_pwhistory_len
== 0) {
316 pwhistory
= pdb_get_pw_history(sampass
, &pwhistory_len
);
317 if (!pwhistory
|| pwhistory_len
== 0) {
321 acct_ctrl
= pdb_get_acct_ctrl(sampass
);
322 username
= pdb_get_username(sampass
);
324 for (i
=1; i
< MIN(MIN(3, policy_pwhistory_len
), pwhistory_len
); i
++) {
325 static const uint8_t zero16
[SALTED_MD5_HASH_LEN
];
327 const uint8_t *nt_pw
;
329 DATA_BLOB user_sess_key
= data_blob_null
;
330 DATA_BLOB lm_sess_key
= data_blob_null
;
332 salt
= &pwhistory
[i
*PW_HISTORY_ENTRY_LEN
];
333 nt_pw
= salt
+ PW_HISTORY_SALT_LEN
;
335 if (memcmp(zero16
, nt_pw
, NT_HASH_LEN
) == 0) {
336 /* skip zero password hash */
340 if (memcmp(zero16
, salt
, PW_HISTORY_SALT_LEN
) != 0) {
341 /* skip nonzero salt (old format entry) */
345 status
= sam_password_ok(mem_ctx
,
349 user_info
, &user_sess_key
, &lm_sess_key
);
350 if (NT_STATUS_IS_OK(status
)) {
357 TALLOC_FREE(mem_ctx
);
361 /****************************************************************************
362 check if a username/password is OK assuming the password is a 24 byte
363 SMB hash supplied in the user_info structure
364 return an NT_STATUS constant.
365 ****************************************************************************/
367 NTSTATUS
check_sam_security(const DATA_BLOB
*challenge
,
369 const struct auth_usersupplied_info
*user_info
,
370 struct auth_serversupplied_info
**server_info
)
372 struct samu
*sampass
=NULL
;
375 NTSTATUS update_login_attempts_status
;
376 DATA_BLOB user_sess_key
= data_blob_null
;
377 DATA_BLOB lm_sess_key
= data_blob_null
;
378 bool updated_badpw
= False
;
379 const char *username
;
380 const uint8_t *nt_pw
;
381 const uint8_t *lm_pw
;
384 /* the returned struct gets kept on the server_info, by means
385 of a steal further down */
387 sampass
= samu_new(mem_ctx
);
388 if (sampass
== NULL
) {
389 return NT_STATUS_NO_MEMORY
;
392 /* get the account information */
395 ret
= pdb_getsampwnam(sampass
, user_info
->mapped
.account_name
);
399 DEBUG(3,("check_sam_security: Couldn't find user '%s' in "
400 "passdb.\n", user_info
->mapped
.account_name
));
401 TALLOC_FREE(sampass
);
402 return NT_STATUS_NO_SUCH_USER
;
405 acct_ctrl
= pdb_get_acct_ctrl(sampass
);
406 username
= pdb_get_username(sampass
);
407 nt_pw
= pdb_get_nt_passwd(sampass
);
408 lm_pw
= pdb_get_lanman_passwd(sampass
);
410 /* Quit if the account was locked out. */
411 if (acct_ctrl
& ACB_AUTOLOCK
) {
412 DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", username
));
413 TALLOC_FREE(sampass
);
414 return NT_STATUS_ACCOUNT_LOCKED_OUT
;
417 nt_status
= sam_password_ok(mem_ctx
,
419 challenge
, lm_pw
, nt_pw
,
420 user_info
, &user_sess_key
, &lm_sess_key
);
422 /* Notify passdb backend of login success/failure. If not
423 NT_STATUS_OK the backend doesn't like the login */
425 update_login_attempts_status
= pdb_update_login_attempts(sampass
, NT_STATUS_IS_OK(nt_status
));
427 if (!NT_STATUS_IS_OK(nt_status
)) {
428 bool increment_bad_pw_count
= false;
430 if (NT_STATUS_EQUAL(nt_status
,NT_STATUS_WRONG_PASSWORD
) &&
431 (acct_ctrl
& ACB_NORMAL
) &&
432 NT_STATUS_IS_OK(update_login_attempts_status
))
434 increment_bad_pw_count
=
435 need_to_increment_bad_pw_count(
436 challenge
, sampass
, user_info
);
439 if (increment_bad_pw_count
) {
440 pdb_increment_bad_password_count(sampass
);
441 updated_badpw
= True
;
443 pdb_update_bad_password_count(sampass
,
450 status
= pdb_update_sam_account(sampass
);
453 if (!NT_STATUS_IS_OK(status
)) {
454 DEBUG(1, ("Failed to modify entry: %s\n",
462 * We must only reset the bad password count if the login was
463 * successful, including checking account policies
465 nt_status
= sam_account_ok(mem_ctx
, sampass
, user_info
);
466 if (!NT_STATUS_IS_OK(nt_status
)) {
470 if ((acct_ctrl
& ACB_NORMAL
) &&
471 (pdb_get_bad_password_count(sampass
) > 0)){
474 pdb_set_bad_password_count(sampass
, 0, PDB_CHANGED
);
475 pdb_set_bad_password_time(sampass
, 0, PDB_CHANGED
);
478 status
= pdb_update_sam_account(sampass
);
481 if (!NT_STATUS_IS_OK(status
)) {
482 DEBUG(1, ("Failed to modify entry: %s\n",
488 nt_status
= make_server_info_sam(mem_ctx
, sampass
, server_info
);
491 TALLOC_FREE(sampass
);
493 if (!NT_STATUS_IS_OK(nt_status
)) {
494 DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status
)));
498 (*server_info
)->session_key
=
499 data_blob_talloc(*server_info
, user_sess_key
.data
,
500 user_sess_key
.length
);
501 data_blob_free(&user_sess_key
);
503 (*server_info
)->lm_session_key
=
504 data_blob_talloc(*server_info
, lm_sess_key
.data
,
506 data_blob_free(&lm_sess_key
);
508 (*server_info
)->nss_token
|= user_info
->was_mapped
;
511 TALLOC_FREE(sampass
);
512 data_blob_free(&user_sess_key
);
513 data_blob_free(&lm_sess_key
);
517 /* This helper function for winbindd returns a very similar value to
518 * what a NETLOGON call would give, without the indirection */
519 NTSTATUS
check_sam_security_info3(const DATA_BLOB
*challenge
,
521 const struct auth_usersupplied_info
*user_info
,
522 struct netr_SamInfo3
**pinfo3
)
524 struct auth_serversupplied_info
*server_info
= NULL
;
525 struct netr_SamInfo3
*info3
;
527 TALLOC_CTX
*frame
= talloc_stackframe();
529 status
= check_sam_security(challenge
, talloc_tos(), user_info
,
531 if (!NT_STATUS_IS_OK(status
)) {
532 DEBUG(10, ("check_sam_security failed: %s\n",
537 info3
= talloc_zero(mem_ctx
, struct netr_SamInfo3
);
539 status
= NT_STATUS_NO_MEMORY
;
543 status
= serverinfo_to_SamInfo3(server_info
, info3
);
544 if (!NT_STATUS_IS_OK(status
)) {
545 DEBUG(10, ("serverinfo_to_SamInfo3 failed: %s\n",
550 status
= NT_STATUS_OK
;