search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
tests/krb5: Don't create PAC request or options manually in fast_tests
[Samba.git] / source3 / auth / auth.c
blobce6bf6c56219d5c644803587bcc7a25b14fec9e1
1 /*
2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Andrew Bartlett 2001-2002
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "auth.h"
22 #include "../lib/tsocket/tsocket.h"
23
24 #include "param/param.h"
25 #include "../lib/messaging/messaging.h"
26 #include "lib/global_contexts.h"
27
28 #undef DBGC_CLASS
29 #define DBGC_CLASS DBGC_AUTH
30
31 static_decl_auth;
32
33 static struct auth_init_function_entry *auth_backends = NULL;
34
35 static struct auth_init_function_entry *auth_find_backend_entry(const char *name);
36
37 NTSTATUS smb_register_auth(int version, const char *name, auth_init_function init)
38 {
39 struct auth_init_function_entry *entry = NULL;
40
41 if (version != AUTH_INTERFACE_VERSION) {
42 DEBUG(0,("Can't register auth_method!\n"
43 "You tried to register an auth module with AUTH_INTERFACE_VERSION %d, while this version of samba uses %d\n",
44 version,AUTH_INTERFACE_VERSION));
45 return NT_STATUS_OBJECT_TYPE_MISMATCH;
46 }
47
48 if (!name || !init) {
49 return NT_STATUS_INVALID_PARAMETER;
50 }
51
52 DEBUG(5,("Attempting to register auth backend %s\n", name));
53
54 if (auth_find_backend_entry(name)) {
55 DEBUG(0,("There already is an auth method registered with the name %s!\n", name));
56 return NT_STATUS_OBJECT_NAME_COLLISION;
57 }
58
59 entry = SMB_XMALLOC_P(struct auth_init_function_entry);
60 entry->name = smb_xstrdup(name);
61 entry->init = init;
62
63 DLIST_ADD(auth_backends, entry);
64 DEBUG(5,("Successfully added auth method '%s'\n", name));
65 return NT_STATUS_OK;
66 }
67
68 static struct auth_init_function_entry *auth_find_backend_entry(const char *name)
69 {
70 struct auth_init_function_entry *entry = auth_backends;
71
72 while(entry) {
73 if (strcmp(entry->name, name)==0) return entry;
74 entry = entry->next;
75 }
76
77 return NULL;
78 }
79
80 /****************************************************************************
81 Try to get a challenge out of the various authentication modules.
82 Returns a const char of length 8 bytes.
83 ****************************************************************************/
84
85 NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
86 uint8_t chal[8])
87 {
88 if (auth_context->challenge.length) {
89 DEBUG(5, ("get_ntlm_challenge (auth subsystem): returning previous challenge by module %s (normal)\n",
90 auth_context->challenge_set_by));
91 memcpy(chal, auth_context->challenge.data, 8);
92 return NT_STATUS_OK;
93 }
94
95 auth_context->challenge = data_blob_talloc(auth_context, NULL, 8);
96 if (auth_context->challenge.data == NULL) {
97 DBG_WARNING("data_blob_talloc failed\n");
98 return NT_STATUS_NO_MEMORY;
99 }
100 generate_random_buffer(
101 auth_context->challenge.data, auth_context->challenge.length);
102
103 auth_context->challenge_set_by = "random";
104
105 memcpy(chal, auth_context->challenge.data, 8);
106 return NT_STATUS_OK;
107 }
108
109
110 /**
111 * Check user is in correct domain (if required)
112 *
113 * @param user Only used to fill in the debug message
114 *
115 * @param domain The domain to be verified
116 *
117 * @return True if the user can connect with that domain,
118 * False otherwise.
119 **/
120
121 static bool check_domain_match(const char *user, const char *domain)
122 {
123 /*
124 * If we aren't serving to trusted domains, we must make sure that
125 * the validation request comes from an account in the same domain
126 * as the Samba server
127 */
128
129 if (!lp_allow_trusted_domains() &&
130 !(strequal("", domain) ||
131 strequal(lp_workgroup(), domain) ||
132 is_myname(domain))) {
133 DEBUG(1, ("check_domain_match: Attempt to connect as user %s from domain %s denied.\n", user, domain));
134 return False;
135 } else {
136 return True;
137 }
138 }
139
140 /**
141 * Check a user's Plaintext, LM or NTLM password.
142 *
143 * Check a user's password, as given in the user_info struct and return various
144 * interesting details in the server_info struct.
145 *
146 * This function does NOT need to be in a become_root()/unbecome_root() pair
147 * as it makes the calls itself when needed.
148 *
149 * The return value takes precedence over the contents of the server_info
150 * struct. When the return is other than NT_STATUS_OK the contents
151 * of that structure is undefined.
152 *
153 * @param user_info Contains the user supplied components, including the passwords.
154 * Must be created with make_user_info() or one of its wrappers.
155 *
156 * @param auth_context Supplies the challenges and some other data.
157 * Must be created with make_auth_context(), and the challenges should be
158 * filled in, either at creation or by calling the challenge geneation
159 * function auth_get_challenge().
160 *
161 * @param pserver_info If successful, contains information about the authentication,
162 * including a struct samu struct describing the user.
163 *
164 * @param pauthoritative Indicates if the result should be treated as final
165 * result.
166 *
167 * @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
168 *
169 **/
170 NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx,
171 const struct auth_context *auth_context,
172 const struct auth_usersupplied_info *user_info,
173 struct auth_serversupplied_info **pserver_info,
174 uint8_t *pauthoritative)
175 {
176 TALLOC_CTX *frame;
177 const char *auth_method_name = "";
178 /* if all the modules say 'not for me' this is reasonable */
179 NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
180 const char *unix_username;
181 struct auth_methods *auth_method;
182 struct auth_serversupplied_info *server_info = NULL;
183 struct dom_sid sid = {0};
184 struct imessaging_context *msg_ctx = NULL;
185 struct loadparm_context *lp_ctx = NULL;
186
187 if (user_info == NULL || auth_context == NULL || pserver_info == NULL) {
188 return NT_STATUS_LOGON_FAILURE;
189 }
190
191 frame = talloc_stackframe();
192
193 if (lp_auth_event_notification()) {
194 lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
195 msg_ctx = imessaging_client_init(
196 frame, lp_ctx, global_event_context());
197 }
198
199 *pauthoritative = 1;
200
201 DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
202 user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
203
204 DEBUG(3, ("check_ntlm_password: mapped user is: [%s]\\[%s]@[%s]\n",
205 user_info->mapped.domain_name, user_info->mapped.account_name, user_info->workstation_name));
206
207 if (auth_context->challenge.length != 8) {
208 DEBUG(0, ("check_ntlm_password: Invalid challenge stored for this auth context - cannot continue\n"));
209 nt_status = NT_STATUS_LOGON_FAILURE;
210 goto fail;
211 }
212
213 if (auth_context->challenge_set_by)
214 DEBUG(10, ("check_ntlm_password: auth_context challenge created by %s\n",
215 auth_context->challenge_set_by));
216
217 DEBUG(10, ("challenge is: \n"));
218 dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
219
220 #ifdef DEBUG_PASSWORD
221 DEBUG(100, ("user_info has passwords of length %d and %d\n",
222 (int)user_info->password.response.lanman.length, (int)user_info->password.response.nt.length));
223 DEBUG(100, ("lm:\n"));
224 dump_data(100, user_info->password.response.lanman.data, user_info->password.response.lanman.length);
225 DEBUG(100, ("nt:\n"));
226 dump_data(100, user_info->password.response.nt.data, user_info->password.response.nt.length);
227 #endif
228
229 /* This needs to be sorted: If it doesn't match, what should we do? */
230 if (!check_domain_match(user_info->client.account_name,
231 user_info->mapped.domain_name)) {
232 nt_status = NT_STATUS_LOGON_FAILURE;
233 goto fail;
234 }
235
236 for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) {
237
238 auth_method_name = auth_method->name;
239
240 nt_status = auth_method->auth(auth_context,
241 auth_method->private_data,
242 talloc_tos(),
243 user_info,
244 &server_info);
245
246 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
247 break;
248 }
249
250 DBG_DEBUG("%s had nothing to say\n", auth_method->name);
251 }
252
253 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
254 *pauthoritative = 0;
255 nt_status = NT_STATUS_NO_SUCH_USER;
256 }
257
258 if (!NT_STATUS_IS_OK(nt_status)) {
259 DBG_INFO("%s authentication for user [%s] FAILED with "
260 "error %s, authoritative=%u\n",
261 auth_method_name,
262 user_info->client.account_name,
263 nt_errstr(nt_status),
264 *pauthoritative);
265 goto fail;
266 }
267
268 DBG_NOTICE("%s authentication for user [%s] succeeded\n",
269 auth_method_name, user_info->client.account_name);
270
271 unix_username = server_info->unix_name;
272
273 /* We skip doing this step if the caller asked us not to */
274 if (!(user_info->flags & USER_INFO_INFO3_AND_NO_AUTHZ)
275 && !(server_info->guest)) {
276 const char *rhost;
277
278 if (tsocket_address_is_inet(user_info->remote_host, "ip")) {
279 rhost = tsocket_address_inet_addr_string(
280 user_info->remote_host, talloc_tos());
281 if (rhost == NULL) {
282 nt_status = NT_STATUS_NO_MEMORY;
283 goto fail;
284 }
285 } else {
286 rhost = "127.0.0.1";
287 }
288
289 /* We might not be root if we are an RPC call */
290 become_root();
291 nt_status = smb_pam_accountcheck(unix_username, rhost);
292 unbecome_root();
293
294 if (NT_STATUS_IS_OK(nt_status)) {
295 DEBUG(5, ("check_ntlm_password: PAM Account for user [%s] "
296 "succeeded\n", unix_username));
297 } else {
298 DEBUG(3, ("check_ntlm_password: PAM Account for user [%s] "
299 "FAILED with error %s\n",
300 unix_username, nt_errstr(nt_status)));
301 }
302 }
303
304 if (!NT_STATUS_IS_OK(nt_status)) {
305 goto fail;
306 }
307
308 nt_status = get_user_sid_info3_and_extra(server_info->info3,
309 &server_info->extra,
310 &sid);
311 if (!NT_STATUS_IS_OK(nt_status)) {
312 sid = (struct dom_sid) {0};
313 }
314
315 log_authentication_event(msg_ctx,
316 lp_ctx,
317 &auth_context->start_time,
318 user_info,
319 nt_status,
320 server_info->info3->base.logon_domain.string,
321 server_info->info3->base.account_name.string,
322 &sid);
323
324 DEBUG(server_info->guest ? 5 : 2,
325 ("check_ntlm_password: %sauthentication for user "
326 "[%s] -> [%s] -> [%s] succeeded\n",
327 server_info->guest ? "guest " : "",
328 user_info->client.account_name,
329 user_info->mapped.account_name,
330 unix_username));
331
332 *pserver_info = talloc_move(mem_ctx, &server_info);
333
334 TALLOC_FREE(frame);
335 return NT_STATUS_OK;
336
337 fail:
338
339 /* failed authentication; check for guest lapping */
340
341 /*
342 * Please try not to change this string, it is probably in use
343 * in audit logging tools
344 */
345 DEBUG(2, ("check_ntlm_password: Authentication for user "
346 "[%s] -> [%s] FAILED with error %s, authoritative=%u\n",
347 user_info->client.account_name, user_info->mapped.account_name,
348 nt_errstr(nt_status), *pauthoritative));
349
350 log_authentication_event(msg_ctx,
351 lp_ctx,
352 &auth_context->start_time,
353 user_info,
354 nt_status,
355 NULL,
356 NULL,
357 NULL);
358
359 ZERO_STRUCTP(pserver_info);
360
361 TALLOC_FREE(frame);
362
363 return nt_status;
364 }
365
366 /***************************************************************************
367 Clear out a auth_context, and destroy the attached TALLOC_CTX
368 ***************************************************************************/
369
370 static int auth_context_destructor(void *ptr)
371 {
372 struct auth_context *ctx = talloc_get_type(ptr, struct auth_context);
373 struct auth_methods *am;
374
375
376 /* Free private data of context's authentication methods */
377 for (am = ctx->auth_method_list; am; am = am->next) {
378 TALLOC_FREE(am->private_data);
379 }
380
381 return 0;
382 }
383
384 /***************************************************************************
385 Make a auth_info struct
386 ***************************************************************************/
387
388 static NTSTATUS make_auth_context(TALLOC_CTX *mem_ctx,
389 struct auth_context **auth_context)
390 {
391 struct auth_context *ctx;
392
393 ctx = talloc_zero(mem_ctx, struct auth_context);
394 if (!ctx) {
395 DEBUG(0,("make_auth_context: talloc failed!\n"));
396 return NT_STATUS_NO_MEMORY;
397 }
398
399 ctx->start_time = timeval_current();
400
401 talloc_set_destructor((TALLOC_CTX *)ctx, auth_context_destructor);
402
403 *auth_context = ctx;
404 return NT_STATUS_OK;
405 }
406
407 static bool load_auth_module(
408 struct auth_context *auth_context,
409 const char *module,
410 struct auth_methods **ret)
411 {
412 static bool initialised_static_modules = False;
413
414 struct auth_init_function_entry *entry;
415 char *module_name = smb_xstrdup(module);
416 char *module_params = NULL;
417 char *p;
418 bool good = False;
419
420 /* Initialise static modules if not done so yet */
421 if(!initialised_static_modules) {
422 static_init_auth(NULL);
423 initialised_static_modules = True;
424 }
425
426 DEBUG(5,("load_auth_module: Attempting to find an auth method to match %s\n",
427 module));
428
429 p = strchr(module_name, ':');
430 if (p) {
431 *p = 0;
432 module_params = p+1;
433 trim_char(module_params, ' ', ' ');
434 }
435
436 trim_char(module_name, ' ', ' ');
437
438 entry = auth_find_backend_entry(module_name);
439
440 if (entry == NULL) {
441 if (NT_STATUS_IS_OK(smb_probe_module("auth", module_name))) {
442 entry = auth_find_backend_entry(module_name);
443 }
444 }
445
446 if (entry != NULL) {
447 if (!NT_STATUS_IS_OK(entry->init(auth_context, module_params, ret))) {
448 DEBUG(0,("load_auth_module: auth method %s did not correctly init\n",
449 module_name));
450 } else {
451 DEBUG(5,("load_auth_module: auth method %s has a valid init\n",
452 module_name));
453 good = True;
454 }
455 } else {
456 DEBUG(0,("load_auth_module: can't find auth method %s!\n", module_name));
457 }
458
459 SAFE_FREE(module_name);
460 return good;
461 }
462
463 /***************************************************************************
464 Make a auth_info struct for the auth subsystem
465 ***************************************************************************/
466
467 static NTSTATUS make_auth_context_text_list(TALLOC_CTX *mem_ctx,
468 struct auth_context **auth_context,
469 char **text_list)
470 {
471 struct auth_methods *list = NULL;
472 struct auth_methods *t, *method = NULL;
473 NTSTATUS nt_status;
474
475 if (!text_list) {
476 DEBUG(2,("make_auth_context_text_list: No auth method list!?\n"));
477 return NT_STATUS_UNSUCCESSFUL;
478 }
479
480 nt_status = make_auth_context(mem_ctx, auth_context);
481
482 if (!NT_STATUS_IS_OK(nt_status)) {
483 return nt_status;
484 }
485
486 for (;*text_list; text_list++) {
487 if (load_auth_module(*auth_context, *text_list, &t)) {
488 DLIST_ADD_END(list, t);
489 }
490 }
491
492 (*auth_context)->auth_method_list = list;
493
494 /* Look for the first module to provide a prepare_gensec and
495 * make_auth4_context hook, and set that if provided */
496 for (method = (*auth_context)->auth_method_list; method; method = method->next) {
497 if (method->prepare_gensec && method->make_auth4_context) {
498 (*auth_context)->prepare_gensec = method->prepare_gensec;
499 (*auth_context)->make_auth4_context = method->make_auth4_context;
500 break;
501 }
502 }
503 return NT_STATUS_OK;
504 }
505
506 static NTSTATUS make_auth_context_specific(TALLOC_CTX *mem_ctx,
507 struct auth_context **auth_context,
508 const char *methods)
509 {
510 char **method_list;
511 NTSTATUS status;
512
513 method_list = str_list_make_v3(talloc_tos(), methods, NULL);
514 if (method_list == NULL) {
515 return NT_STATUS_NO_MEMORY;
516 }
517
518 status = make_auth_context_text_list(
519 mem_ctx, auth_context, method_list);
520
521 TALLOC_FREE(method_list);
522
523 return status;
524 }
525
526 /***************************************************************************
527 Make a auth_context struct for the auth subsystem
528 ***************************************************************************/
529
530 NTSTATUS make_auth3_context_for_ntlm(TALLOC_CTX *mem_ctx,
531 struct auth_context **auth_context)
532 {
533 const char *methods = NULL;
534 const char *role = NULL;
535
536 switch (lp_server_role()) {
537 case ROLE_ACTIVE_DIRECTORY_DC:
538 role = "'active directory domain controller'";
539 methods = "samba4";
540 break;
541 case ROLE_DOMAIN_MEMBER:
542 role = "'domain member'";
543 methods = "anonymous sam winbind sam_ignoredomain";
544 break;
545 case ROLE_DOMAIN_BDC:
546 case ROLE_DOMAIN_PDC:
547 role = "'DC'";
548 methods = "anonymous sam winbind sam_ignoredomain";
549 break;
550 case ROLE_STANDALONE:
551 if (lp_encrypt_passwords()) {
552 role = "'standalone server', encrypt passwords = yes";
553 methods = "anonymous sam_ignoredomain";
554 } else {
555 role = "'standalone server', encrypt passwords = no";
556 methods = "anonymous unix";
557 }
558 break;
559 default:
560 DEBUG(5,("Unknown auth method!\n"));
561 return NT_STATUS_UNSUCCESSFUL;
562 }
563
564 DBG_INFO("Making default auth method list for server role = %s\n",
565 role);
566
567 return make_auth_context_specific(mem_ctx, auth_context, methods);
568 }
569
570 NTSTATUS make_auth3_context_for_netlogon(TALLOC_CTX *mem_ctx,
571 struct auth_context **auth_context)
572 {
573 const char *methods = NULL;
574
575 switch (lp_server_role()) {
576 case ROLE_DOMAIN_BDC:
577 case ROLE_DOMAIN_PDC:
578 methods = "sam_netlogon3 winbind";
579 break;
580
581 default:
582 DBG_ERR("Invalid server role!\n");
583 return NT_STATUS_INVALID_SERVER_STATE;
584 }
585
586 return make_auth_context_specific(mem_ctx, auth_context, methods);
587 }
588
589 NTSTATUS make_auth3_context_for_winbind(TALLOC_CTX *mem_ctx,
590 struct auth_context **auth_context)
591 {
592 const char *methods = NULL;
593
594 switch (lp_server_role()) {
595 case ROLE_STANDALONE:
596 case ROLE_DOMAIN_MEMBER:
597 case ROLE_DOMAIN_BDC:
598 case ROLE_DOMAIN_PDC:
599 methods = "sam";
600 break;
601 case ROLE_ACTIVE_DIRECTORY_DC:
602 methods = "samba4:sam";
603 break;
604 default:
605 DEBUG(5,("Unknown auth method!\n"));
606 return NT_STATUS_UNSUCCESSFUL;
607 }
608
609 return make_auth_context_specific(mem_ctx, auth_context, methods);
610 }
611
612 bool auth3_context_set_challenge(
613 struct auth_context *ctx,
614 const uint8_t chal[8],
615 const char *challenge_set_by)
616 {
617 ctx->challenge = data_blob_talloc(ctx, chal, 8);
618 if (ctx->challenge.data == NULL) {
619 return false;
620 }
621 ctx->challenge_set_by = talloc_strdup(ctx, challenge_set_by);
622 if (ctx->challenge_set_by == NULL) {
623 return false;
624 }
625 return true;
626 }
Samba GIT mirror