2 Unix SMB/CIFS implementation.
4 Winbind daemon - pam auth functions
6 Copyright (C) Andrew Tridgell 2000
7 Copyright (C) Tim Potter 2001
8 Copyright (C) Andrew Bartlett 2001-2002
9 Copyright (C) Guenther Deschner 2005
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
28 #include "libsmb/namequery.h"
29 #include "../libcli/auth/libcli_auth.h"
30 #include "libcli/auth/pam_errors.h"
31 #include "../librpc/gen_ndr/ndr_samr_c.h"
32 #include "librpc/rpc/dcesrv_core.h"
33 #include "librpc/gen_ndr/ndr_winbind.h"
34 #include "rpc_client/cli_pipe.h"
35 #include "rpc_client/cli_samr.h"
36 #include "../librpc/gen_ndr/ndr_netlogon.h"
37 #include "rpc_client/cli_netlogon.h"
39 #include "../libcli/security/security.h"
41 #include "../librpc/gen_ndr/krb5pac.h"
42 #include "passdb/machine_sid.h"
44 #include "../lib/tsocket/tsocket.h"
45 #include "auth/kerberos/pac_utils.h"
46 #include "auth/gensec/gensec.h"
47 #include "librpc/crypto/gse_krb5.h"
48 #include "lib/afs/afs_funcs.h"
49 #include "libsmb/samlogon_cache.h"
50 #include "rpc_client/util_netlogon.h"
51 #include "param/param.h"
52 #include "messaging/messaging.h"
53 #include "lib/util/string_wrappers.h"
54 #include "lib/crypto/gnutls_helpers.h"
56 #include "lib/crypto/gnutls_helpers.h"
57 #include <gnutls/crypto.h>
58 #include "lib/global_contexts.h"
61 #define DBGC_CLASS DBGC_WINBIND
63 #define LOGON_KRB5_FAIL_CLOCK_SKEW 0x02000000
65 static NTSTATUS
append_info3_as_txt(TALLOC_CTX
*mem_ctx
,
66 struct winbindd_response
*resp
,
67 uint16_t validation_level
,
68 union netr_Validation
*validation
)
70 struct netr_SamInfo3
*info3
= NULL
;
73 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
74 TALLOC_CTX
*frame
= talloc_stackframe();
76 status
= map_validation_to_info3(frame
,
80 if (!NT_STATUS_IS_OK(status
)) {
84 resp
->data
.auth
.info3
.logon_time
=
85 nt_time_to_unix(info3
->base
.logon_time
);
86 resp
->data
.auth
.info3
.logoff_time
=
87 nt_time_to_unix(info3
->base
.logoff_time
);
88 resp
->data
.auth
.info3
.kickoff_time
=
89 nt_time_to_unix(info3
->base
.kickoff_time
);
90 resp
->data
.auth
.info3
.pass_last_set_time
=
91 nt_time_to_unix(info3
->base
.last_password_change
);
92 resp
->data
.auth
.info3
.pass_can_change_time
=
93 nt_time_to_unix(info3
->base
.allow_password_change
);
94 resp
->data
.auth
.info3
.pass_must_change_time
=
95 nt_time_to_unix(info3
->base
.force_password_change
);
97 resp
->data
.auth
.info3
.logon_count
= info3
->base
.logon_count
;
98 resp
->data
.auth
.info3
.bad_pw_count
= info3
->base
.bad_password_count
;
100 resp
->data
.auth
.info3
.user_rid
= info3
->base
.rid
;
101 resp
->data
.auth
.info3
.group_rid
= info3
->base
.primary_gid
;
102 sid_to_fstring(resp
->data
.auth
.info3
.dom_sid
, info3
->base
.domain_sid
);
104 resp
->data
.auth
.info3
.num_groups
= info3
->base
.groups
.count
;
105 resp
->data
.auth
.info3
.user_flgs
= info3
->base
.user_flags
;
107 resp
->data
.auth
.info3
.acct_flags
= info3
->base
.acct_flags
;
108 resp
->data
.auth
.info3
.num_other_sids
= info3
->sidcount
;
110 fstrcpy(resp
->data
.auth
.info3
.user_name
,
111 info3
->base
.account_name
.string
);
112 fstrcpy(resp
->data
.auth
.info3
.full_name
,
113 info3
->base
.full_name
.string
);
114 fstrcpy(resp
->data
.auth
.info3
.logon_script
,
115 info3
->base
.logon_script
.string
);
116 fstrcpy(resp
->data
.auth
.info3
.profile_path
,
117 info3
->base
.profile_path
.string
);
118 fstrcpy(resp
->data
.auth
.info3
.home_dir
,
119 info3
->base
.home_directory
.string
);
120 fstrcpy(resp
->data
.auth
.info3
.dir_drive
,
121 info3
->base
.home_drive
.string
);
123 fstrcpy(resp
->data
.auth
.info3
.logon_srv
,
124 info3
->base
.logon_server
.string
);
125 fstrcpy(resp
->data
.auth
.info3
.logon_dom
,
126 info3
->base
.logon_domain
.string
);
128 resp
->data
.auth
.validation_level
= validation_level
;
129 if (validation_level
== 6) {
130 fstrcpy(resp
->data
.auth
.info6
.dns_domainname
,
131 validation
->sam6
->dns_domainname
.string
);
132 fstrcpy(resp
->data
.auth
.info6
.principal_name
,
133 validation
->sam6
->principal_name
.string
);
136 ex
= talloc_strdup(frame
, "");
138 status
= NT_STATUS_NO_MEMORY
;
142 for (i
=0; i
< info3
->base
.groups
.count
; i
++) {
143 ex
= talloc_asprintf_append_buffer(ex
, "0x%08X:0x%08X\n",
144 info3
->base
.groups
.rids
[i
].rid
,
145 info3
->base
.groups
.rids
[i
].attributes
);
147 status
= NT_STATUS_NO_MEMORY
;
152 for (i
=0; i
< info3
->sidcount
; i
++) {
153 struct dom_sid_buf sidbuf
;
155 ex
= talloc_asprintf_append_buffer(
158 dom_sid_str_buf(info3
->sids
[i
].sid
, &sidbuf
),
159 info3
->sids
[i
].attributes
);
161 status
= NT_STATUS_NO_MEMORY
;
166 resp
->length
+= talloc_get_size(ex
);
167 resp
->extra_data
.data
= talloc_move(mem_ctx
, &ex
);
169 status
= NT_STATUS_OK
;
175 static NTSTATUS
append_info3_as_ndr(TALLOC_CTX
*mem_ctx
,
176 struct winbindd_response
*resp
,
177 struct netr_SamInfo3
*info3
)
180 enum ndr_err_code ndr_err
;
182 ndr_err
= ndr_push_struct_blob(&blob
, mem_ctx
, info3
,
183 (ndr_push_flags_fn_t
)ndr_push_netr_SamInfo3
);
184 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
185 DEBUG(0,("append_info3_as_ndr: failed to append\n"));
186 return ndr_map_error2ntstatus(ndr_err
);
189 resp
->extra_data
.data
= blob
.data
;
190 resp
->length
+= blob
.length
;
195 static NTSTATUS
append_unix_username(uint16_t validation_level
,
196 union netr_Validation
*validation
,
197 const char *name_domain
,
198 const char *name_user
,
200 char **_unix_username
)
202 TALLOC_CTX
*tmp_ctx
= NULL
;
203 const char *nt_username
= NULL
;
204 const char *nt_domain
= NULL
;
205 char *unix_username
= NULL
;
206 struct netr_SamBaseInfo
*base_info
= NULL
;
209 tmp_ctx
= talloc_new(mem_ctx
);
210 if (tmp_ctx
== NULL
) {
211 return NT_STATUS_NO_MEMORY
;
214 /* We've been asked to return the unix username, per
215 'winbind use default domain' settings and the like */
217 switch (validation_level
) {
219 base_info
= &validation
->sam3
->base
;
222 base_info
= &validation
->sam6
->base
;
225 DBG_ERR("Invalid validation level %d\n", validation_level
);
226 status
= NT_STATUS_INTERNAL_ERROR
;
230 nt_domain
= talloc_strdup(tmp_ctx
, base_info
->logon_domain
.string
);
232 /* If the server didn't give us one, just use the one
234 nt_domain
= name_domain
;
237 nt_username
= talloc_strdup(tmp_ctx
, base_info
->account_name
.string
);
239 /* If the server didn't give us one, just use the one
241 nt_username
= name_user
;
244 unix_username
= fill_domain_username_talloc(tmp_ctx
,
248 if (unix_username
== NULL
) {
249 status
= NT_STATUS_NO_MEMORY
;
253 DBG_INFO("Setting unix username to [%s]\n", unix_username
);
255 *_unix_username
= talloc_move(mem_ctx
, &unix_username
);
257 status
= NT_STATUS_OK
;
259 TALLOC_FREE(tmp_ctx
);
264 static NTSTATUS
append_afs_token(uint16_t validation_level
,
265 union netr_Validation
*validation
,
266 const char *name_domain
,
267 const char *name_user
,
271 TALLOC_CTX
*tmp_ctx
= NULL
;
272 char *afsname
= NULL
;
275 struct netr_SamBaseInfo
*base_info
= NULL
;
278 tmp_ctx
= talloc_new(mem_ctx
);
279 if (tmp_ctx
== NULL
) {
280 return NT_STATUS_NO_MEMORY
;
283 switch (validation_level
) {
285 base_info
= &validation
->sam3
->base
;
288 base_info
= &validation
->sam6
->base
;
291 DBG_ERR("Invalid validation level %d\n", validation_level
);
292 status
= NT_STATUS_INTERNAL_ERROR
;
296 afsname
= talloc_strdup(tmp_ctx
, lp_afs_username_map());
297 if (afsname
== NULL
) {
298 status
= NT_STATUS_NO_MEMORY
;
302 afsname
= talloc_string_sub(tmp_ctx
,
303 lp_afs_username_map(),
305 afsname
= talloc_string_sub(tmp_ctx
, afsname
,
307 afsname
= talloc_string_sub(tmp_ctx
, afsname
,
311 struct dom_sid user_sid
;
312 struct dom_sid_buf sidstr
;
314 sid_compose(&user_sid
, base_info
->domain_sid
, base_info
->rid
);
315 afsname
= talloc_string_sub(
319 dom_sid_str_buf(&user_sid
, &sidstr
));
322 if (afsname
== NULL
) {
323 status
= NT_STATUS_NO_MEMORY
;
327 if (!strlower_m(afsname
)) {
328 status
= NT_STATUS_INVALID_PARAMETER
;
332 DEBUG(10, ("Generating token for user %s\n", afsname
));
334 cell
= strchr(afsname
, '@');
337 status
= NT_STATUS_NO_MEMORY
;
344 token
= afs_createtoken_str(afsname
, cell
);
346 status
= NT_STATUS_OK
;
350 talloc_steal(mem_ctx
, token
);
351 *_blob
= data_blob_string_const_null(token
);
353 status
= NT_STATUS_OK
;
355 TALLOC_FREE(tmp_ctx
);
360 NTSTATUS
extra_data_to_sid_array(const char *group_sid
,
362 struct wbint_SidArray
**_sid_array
)
364 TALLOC_CTX
*tmp_ctx
= NULL
;
365 struct wbint_SidArray
*sid_array
= NULL
;
366 struct dom_sid
*require_membership_of_sid
= NULL
;
367 uint32_t num_require_membership_of_sid
= 0;
368 char *req_sid
= NULL
;
369 const char *p
= NULL
;
372 if (_sid_array
== NULL
) {
373 return NT_STATUS_INVALID_PARAMETER
;
378 tmp_ctx
= talloc_new(mem_ctx
);
379 if (tmp_ctx
== NULL
) {
380 return NT_STATUS_NO_MEMORY
;
383 sid_array
= talloc_zero(tmp_ctx
, struct wbint_SidArray
);
384 if (sid_array
== NULL
) {
385 status
= NT_STATUS_NO_MEMORY
;
389 if (!group_sid
|| !group_sid
[0]) {
390 /* NO sid supplied, all users may access */
391 status
= NT_STATUS_OK
;
393 * Always return an allocated wbint_SidArray,
394 * even if the array is empty.
399 num_require_membership_of_sid
= 0;
400 require_membership_of_sid
= NULL
;
403 while (next_token_talloc(tmp_ctx
, &p
, &req_sid
, ",")) {
406 if (!string_to_sid(&sid
, req_sid
)) {
407 DBG_ERR("check_info3_in_group: could not parse %s "
408 "as a SID!\n", req_sid
);
409 status
= NT_STATUS_INVALID_PARAMETER
;
413 status
= add_sid_to_array(tmp_ctx
, &sid
,
414 &require_membership_of_sid
,
415 &num_require_membership_of_sid
);
416 if (!NT_STATUS_IS_OK(status
)) {
417 DBG_ERR("add_sid_to_array failed\n");
422 sid_array
->num_sids
= num_require_membership_of_sid
;
423 sid_array
->sids
= talloc_move(sid_array
, &require_membership_of_sid
);
425 status
= NT_STATUS_OK
;
427 *_sid_array
= talloc_move(mem_ctx
, &sid_array
);
430 TALLOC_FREE(tmp_ctx
);
435 static NTSTATUS
check_info3_in_group(struct netr_SamInfo3
*info3
,
436 struct wbint_SidArray
*sid_array
)
438 * Check whether a user belongs to a group or list of groups.
440 * @param mem_ctx talloc memory context.
441 * @param info3 user information, including group membership info.
442 * @param group_sid One or more groups , separated by commas.
444 * @return NT_STATUS_OK on success,
445 * NT_STATUS_LOGON_FAILURE if the user does not belong,
446 * or other NT_STATUS_IS_ERR(status) for other kinds of failure.
450 struct security_token
*token
;
453 /* Parse the 'required group' SID */
455 if (sid_array
== NULL
|| sid_array
->num_sids
== 0) {
456 /* NO sid supplied, all users may access */
461 * This is a limited-use security_token for the purpose of
462 * checking the SID list below, so no claims need to be added
463 * and se_access_check() will never run.
465 token
= security_token_initialise(talloc_tos(),
466 CLAIMS_EVALUATION_INVALID_STATE
);
468 DEBUG(0, ("talloc failed\n"));
469 return NT_STATUS_NO_MEMORY
;
472 status
= sid_array_from_info3(token
, info3
,
476 if (!NT_STATUS_IS_OK(status
)) {
480 if (!NT_STATUS_IS_OK(status
= add_aliases(get_global_sam_sid(),
482 || !NT_STATUS_IS_OK(status
= add_aliases(&global_sid_Builtin
,
484 DEBUG(3, ("could not add aliases: %s\n",
489 security_token_debug(DBGC_CLASS
, 10, token
);
491 for (i
=0; i
<sid_array
->num_sids
; i
++) {
492 struct dom_sid_buf buf
;
493 DEBUG(10, ("Checking SID %s\n",
494 dom_sid_str_buf(&sid_array
->sids
[i
],
496 if (nt_token_check_sid(&sid_array
->sids
[i
],
498 DEBUG(10, ("Access ok\n"));
503 /* Do not distinguish this error from a wrong username/pw */
505 return NT_STATUS_LOGON_FAILURE
;
508 struct winbindd_domain
*find_auth_domain(uint8_t flags
,
509 const char *domain_name
)
511 struct winbindd_domain
*domain
;
514 domain
= find_domain_from_name_noinit(domain_name
);
515 if (domain
== NULL
) {
516 DEBUG(3, ("Authentication for domain [%s] refused "
517 "as it is not a trusted domain\n",
522 if (domain
->secure_channel_type
!= SEC_CHAN_NULL
) {
526 return domain
->routing_domain
;
529 if (strequal(domain_name
, get_global_sam_name())) {
530 return find_domain_from_name_noinit(domain_name
);
533 if (lp_winbind_use_krb5_enterprise_principals()) {
535 * If we use enterprise principals
536 * we always go through our primary domain
537 * and follow the WRONG_REALM replies.
539 flags
&= ~WBFLAG_PAM_CONTACT_TRUSTDOM
;
542 /* we can auth against trusted domains */
543 if (flags
& WBFLAG_PAM_CONTACT_TRUSTDOM
) {
544 domain
= find_domain_from_name_noinit(domain_name
);
545 if (domain
== NULL
) {
546 DEBUG(3, ("Authentication for domain [%s] skipped "
547 "as it is not a trusted domain\n",
554 return find_our_domain();
557 static NTSTATUS
get_password_policy(struct winbindd_domain
*domain
,
559 struct samr_DomInfo1
**_policy
)
562 struct samr_DomInfo1
*policy
= NULL
;
564 if ( !winbindd_can_contact_domain( domain
) ) {
565 DBG_INFO("No inbound trust to contact domain %s\n",
567 return NT_STATUS_NOT_SUPPORTED
;
570 policy
= talloc_zero(mem_ctx
, struct samr_DomInfo1
);
571 if (policy
== NULL
) {
572 return NT_STATUS_NO_MEMORY
;
575 status
= wb_cache_password_policy(domain
, mem_ctx
, policy
);
576 if (NT_STATUS_IS_ERR(status
)) {
581 *_policy
= talloc_move(mem_ctx
, &policy
);
586 static NTSTATUS
get_max_bad_attempts_from_lockout_policy(struct winbindd_domain
*domain
,
588 uint16_t *lockout_threshold
)
590 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
591 struct samr_DomInfo12 lockout_policy
;
593 *lockout_threshold
= 0;
595 status
= wb_cache_lockout_policy(domain
, mem_ctx
, &lockout_policy
);
596 if (NT_STATUS_IS_ERR(status
)) {
600 *lockout_threshold
= lockout_policy
.lockout_threshold
;
605 static NTSTATUS
get_pwd_properties(struct winbindd_domain
*domain
,
607 uint32_t *password_properties
)
609 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
610 struct samr_DomInfo1 password_policy
;
612 *password_properties
= 0;
614 status
= wb_cache_password_policy(domain
, mem_ctx
, &password_policy
);
615 if (NT_STATUS_IS_ERR(status
)) {
619 *password_properties
= password_policy
.password_properties
;
626 static const char *generate_krb5_ccache(TALLOC_CTX
*mem_ctx
,
629 const char **user_ccache_file
)
631 /* accept FILE and WRFILE as krb5_cc_type from the client and then
632 * build the full ccname string based on the user's uid here -
635 const char *gen_cc
= NULL
;
638 if (strequal(type
, "FILE")) {
639 gen_cc
= talloc_asprintf(
640 mem_ctx
, "FILE:/tmp/krb5cc_%d", uid
);
642 if (strequal(type
, "WRFILE")) {
643 gen_cc
= talloc_asprintf(
644 mem_ctx
, "WRFILE:/tmp/krb5cc_%d", uid
);
646 if (strequal(type
, "KEYRING")) {
647 gen_cc
= talloc_asprintf(
648 mem_ctx
, "KEYRING:persistent:%d", uid
);
650 if (strequal(type
, "KCM")) {
651 gen_cc
= talloc_asprintf(mem_ctx
,
656 if (strnequal(type
, "FILE:/", 6) ||
657 strnequal(type
, "WRFILE:/", 8) ||
658 strnequal(type
, "DIR:/", 5)) {
660 /* we allow only one "%u" substitution */
664 p
= strchr(type
, '%');
669 if (p
!= NULL
&& *p
== 'u' && strchr(p
, '%') == NULL
) {
670 char uid_str
[sizeof("18446744073709551615")];
672 snprintf(uid_str
, sizeof(uid_str
), "%u", uid
);
674 gen_cc
= talloc_string_sub2(mem_ctx
,
678 /* remove_unsafe_characters */
682 /* allow_trailing_dollar */
689 *user_ccache_file
= gen_cc
;
691 if (gen_cc
== NULL
) {
692 gen_cc
= talloc_strdup(mem_ctx
, "MEMORY:winbindd_pam_ccache");
694 if (gen_cc
== NULL
) {
695 DEBUG(0,("out of memory\n"));
699 DEBUG(10, ("using ccache: %s%s\n", gen_cc
,
700 (*user_ccache_file
== NULL
) ? " (internal)":""));
707 uid_t
get_uid_from_request(struct winbindd_request
*request
)
711 uid
= request
->data
.auth
.uid
;
713 if (uid
== (uid_t
)-1) {
714 DEBUG(1,("invalid uid: '%u'\n", (unsigned int)uid
));
720 /**********************************************************************
721 Authenticate a user with a clear text password using Kerberos and fill up
723 **********************************************************************/
725 static NTSTATUS
winbindd_raw_kerberos_login(TALLOC_CTX
*mem_ctx
,
726 struct winbindd_domain
*domain
,
729 const char *krb5_cc_type
,
731 struct netr_SamInfo6
**info6
,
732 const char **_krb5ccname
)
735 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
736 krb5_error_code krb5_ret
;
737 const char *cc
= NULL
;
738 const char *principal_s
= NULL
;
740 char *name_namespace
= NULL
;
741 char *name_domain
= NULL
;
742 char *name_user
= NULL
;
743 time_t ticket_lifetime
= 0;
744 time_t renewal_until
= 0;
745 time_t time_offset
= 0;
746 const char *user_ccache_file
;
747 struct PAC_LOGON_INFO
*logon_info
= NULL
;
748 struct PAC_UPN_DNS_INFO
*upn_dns_info
= NULL
;
749 struct PAC_DATA
*pac_data
= NULL
;
750 struct PAC_DATA_CTR
*pac_data_ctr
= NULL
;
751 const char *local_service
;
753 struct netr_SamInfo6
*info6_copy
= NULL
;
754 char *canon_principal
= NULL
;
755 char *canon_realm
= NULL
;
760 if (domain
->alt_name
== NULL
) {
761 return NT_STATUS_INVALID_PARAMETER
;
764 if (_krb5ccname
!= NULL
) {
769 * prepare a krb5_cc_cache string for the user */
772 DEBUG(0,("no valid uid\n"));
775 cc
= generate_krb5_ccache(mem_ctx
,
780 return NT_STATUS_NO_MEMORY
;
785 * get kerberos properties */
787 if (domain
->backend_data
.ads_conn
!= NULL
) {
788 time_offset
= domain
->backend_data
.ads_conn
->auth
.time_offset
;
793 * do kerberos auth and setup ccache as the user */
795 ok
= parse_domain_user(mem_ctx
,
801 return NT_STATUS_INVALID_PARAMETER
;
804 realm
= talloc_strdup(mem_ctx
, domain
->alt_name
);
806 return NT_STATUS_NO_MEMORY
;
809 if (!strupper_m(realm
)) {
810 return NT_STATUS_INVALID_PARAMETER
;
813 if (lp_winbind_use_krb5_enterprise_principals() &&
814 name_namespace
[0] != '\0')
816 principal_s
= talloc_asprintf(mem_ctx
,
822 principal_s
= talloc_asprintf(mem_ctx
,
827 if (principal_s
== NULL
) {
828 return NT_STATUS_NO_MEMORY
;
831 local_service
= talloc_asprintf(mem_ctx
, "%s$@%s",
832 lp_netbios_name(), lp_realm());
833 if (local_service
== NULL
) {
834 return NT_STATUS_NO_MEMORY
;
838 /* if this is a user ccache, we need to act as the user to let the krb5
839 * library handle the chown, etc. */
841 /************************ ENTERING NON-ROOT **********************/
843 if (user_ccache_file
!= NULL
) {
844 set_effective_uid(uid
);
845 DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid
));
848 result
= kerberos_return_pac(mem_ctx
,
857 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME
,
863 if (user_ccache_file
!= NULL
) {
864 gain_root_privilege();
867 /************************ RETURNED TO ROOT **********************/
869 if (!NT_STATUS_IS_OK(result
)) {
873 if (pac_data_ctr
== NULL
) {
877 pac_data
= pac_data_ctr
->pac_data
;
878 if (pac_data
== NULL
) {
882 for (i
=0; i
< pac_data
->num_buffers
; i
++) {
884 if (pac_data
->buffers
[i
].type
== PAC_TYPE_LOGON_INFO
) {
885 logon_info
= pac_data
->buffers
[i
].info
->logon_info
.info
;
889 if (pac_data
->buffers
[i
].type
== PAC_TYPE_UPN_DNS_INFO
) {
890 upn_dns_info
= &pac_data
->buffers
[i
].info
->upn_dns_info
;
895 if (logon_info
== NULL
) {
896 DEBUG(10,("Missing logon_info in ticket of %s\n",
898 return NT_STATUS_INVALID_PARAMETER
;
901 DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
904 result
= create_info6_from_pac(mem_ctx
, logon_info
,
905 upn_dns_info
, &info6_copy
);
906 if (!NT_STATUS_IS_OK(result
)) {
910 /* if we had a user's ccache then return that string for the pam
913 if (user_ccache_file
!= NULL
) {
915 if (_krb5ccname
!= NULL
) {
916 *_krb5ccname
= talloc_steal(mem_ctx
, user_ccache_file
);
919 result
= add_ccache_to_list(principal_s
,
932 if (!NT_STATUS_IS_OK(result
)) {
933 DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
938 /* need to delete the memory cred cache, it is not used anymore */
940 krb5_ret
= ads_kdestroy(cc
);
942 DEBUG(3,("winbindd_raw_kerberos_login: "
943 "could not destroy krb5 credential cache: "
944 "%s\n", error_message(krb5_ret
)));
953 * Do not delete an existing valid credential cache, if the user
954 * e.g. enters a wrong password
956 if ((strequal(krb5_cc_type
, "FILE") || strequal(krb5_cc_type
, "WRFILE"))
957 && user_ccache_file
!= NULL
) {
961 /* we could have created a new credential cache with a valid tgt in it
962 * but we weren't able to get or verify the service ticket for this
963 * local host and therefore didn't get the PAC, we need to remove that
964 * cache entirely now */
966 krb5_ret
= ads_kdestroy(cc
);
968 DEBUG(3,("winbindd_raw_kerberos_login: "
969 "could not destroy krb5 credential cache: "
970 "%s\n", error_message(krb5_ret
)));
973 if (!NT_STATUS_IS_OK(remove_ccache(user
))) {
974 DEBUG(3,("winbindd_raw_kerberos_login: "
975 "could not remove ccache for user %s\n",
981 return NT_STATUS_NOT_SUPPORTED
;
982 #endif /* HAVE_KRB5 */
985 /****************************************************************
986 ****************************************************************/
988 bool check_request_flags(uint32_t flags
)
990 uint32_t flags_edata
= WBFLAG_PAM_AFS_TOKEN
|
991 WBFLAG_PAM_INFO3_TEXT
|
992 WBFLAG_PAM_INFO3_NDR
;
994 if ( ( (flags
& flags_edata
) == WBFLAG_PAM_AFS_TOKEN
) ||
995 ( (flags
& flags_edata
) == WBFLAG_PAM_INFO3_NDR
) ||
996 ( (flags
& flags_edata
) == WBFLAG_PAM_INFO3_TEXT
)||
997 !(flags
& flags_edata
) ) {
1001 DEBUG(1, ("check_request_flags: invalid request flags[0x%08X]\n",
1007 /****************************************************************
1008 ****************************************************************/
1010 NTSTATUS
append_auth_data(TALLOC_CTX
*mem_ctx
,
1011 struct winbindd_response
*resp
,
1012 uint32_t request_flags
,
1013 uint16_t validation_level
,
1014 union netr_Validation
*validation
,
1015 const char *name_domain
,
1016 const char *name_user
)
1018 struct netr_SamInfo3
*info3
= NULL
;
1019 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
1021 result
= map_validation_to_info3(talloc_tos(),
1025 if (!NT_STATUS_IS_OK(result
)) {
1029 if (request_flags
& WBFLAG_PAM_USER_SESSION_KEY
) {
1030 memcpy(resp
->data
.auth
.user_session_key
,
1031 info3
->base
.key
.key
,
1032 sizeof(resp
->data
.auth
.user_session_key
)
1036 if (request_flags
& WBFLAG_PAM_LMKEY
) {
1037 memcpy(resp
->data
.auth
.first_8_lm_hash
,
1038 info3
->base
.LMSessKey
.key
,
1039 sizeof(resp
->data
.auth
.first_8_lm_hash
)
1043 if (request_flags
& WBFLAG_PAM_UNIX_NAME
) {
1044 char *unix_username
= NULL
;
1045 result
= append_unix_username(validation_level
,
1051 if (!NT_STATUS_IS_OK(result
)) {
1052 DEBUG(10,("Failed to append Unix Username: %s\n",
1053 nt_errstr(result
)));
1056 fstrcpy(resp
->data
.auth
.unix_username
, unix_username
);
1057 TALLOC_FREE(unix_username
);
1060 /* currently, anything from here on potentially overwrites extra_data. */
1062 if (request_flags
& WBFLAG_PAM_INFO3_NDR
) {
1063 result
= append_info3_as_ndr(mem_ctx
, resp
, info3
);
1064 if (!NT_STATUS_IS_OK(result
)) {
1065 DEBUG(10,("Failed to append INFO3 (NDR): %s\n",
1066 nt_errstr(result
)));
1071 if (request_flags
& WBFLAG_PAM_INFO3_TEXT
) {
1072 result
= append_info3_as_txt(mem_ctx
, resp
,
1075 if (!NT_STATUS_IS_OK(result
)) {
1076 DEBUG(10,("Failed to append INFO3 (TXT): %s\n",
1077 nt_errstr(result
)));
1082 if (request_flags
& WBFLAG_PAM_AFS_TOKEN
) {
1083 DATA_BLOB blob
= data_blob_null
;
1084 result
= append_afs_token(validation_level
,
1090 if (!NT_STATUS_IS_OK(result
)) {
1091 DEBUG(10,("Failed to append AFS token: %s\n",
1092 nt_errstr(result
)));
1095 resp
->extra_data
.data
= blob
.data
;
1096 resp
->length
+= blob
.length
;
1099 result
= NT_STATUS_OK
;
1105 static NTSTATUS
winbindd_dual_pam_auth_cached(struct winbindd_domain
*domain
,
1109 const char *krb5_cc_type
,
1111 TALLOC_CTX
*mem_ctx
,
1112 uint16_t *_validation_level
,
1113 union netr_Validation
**_validation
,
1114 const char **_krb5ccname
)
1116 TALLOC_CTX
*tmp_ctx
= NULL
;
1117 NTSTATUS result
= NT_STATUS_LOGON_FAILURE
;
1118 uint16_t max_allowed_bad_attempts
;
1119 char *name_namespace
= NULL
;
1120 char *name_domain
= NULL
;
1121 char *name_user
= NULL
;
1123 enum lsa_SidType type
;
1124 uchar new_nt_pass
[NT_HASH_LEN
];
1125 const uint8_t *cached_nt_pass
;
1126 const uint8_t *cached_salt
;
1127 struct netr_SamInfo3
*my_info3
;
1128 time_t kickoff_time
, must_change_time
;
1129 bool password_good
= false;
1132 struct winbindd_tdc_domain
*tdc_domain
= NULL
;
1135 if (_validation
== NULL
) {
1136 return NT_STATUS_INVALID_PARAMETER
;
1138 *_validation
= NULL
;
1140 if (_krb5ccname
!= NULL
) {
1141 *_krb5ccname
= NULL
;
1144 DEBUG(10,("winbindd_dual_pam_auth_cached\n"));
1146 tmp_ctx
= talloc_new(mem_ctx
);
1147 if (tmp_ctx
== NULL
) {
1148 return NT_STATUS_NO_MEMORY
;
1151 /* Parse domain and username */
1153 ok
= parse_domain_user(tmp_ctx
,
1159 DBG_DEBUG("parse_domain_user failed\n");
1160 result
= NT_STATUS_NO_SUCH_USER
;
1164 if (!lookup_cached_name(name_namespace
,
1169 DEBUG(10,("winbindd_dual_pam_auth_cached: no such user in the cache\n"));
1170 result
= NT_STATUS_NO_SUCH_USER
;
1174 if (type
!= SID_NAME_USER
) {
1175 DEBUG(10,("winbindd_dual_pam_auth_cached: not a user (%s)\n", sid_type_lookup(type
)));
1176 result
= NT_STATUS_LOGON_FAILURE
;
1180 result
= winbindd_get_creds(domain
,
1186 if (!NT_STATUS_IS_OK(result
)) {
1187 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get creds: %s\n", nt_errstr(result
)));
1191 E_md4hash(pass
, new_nt_pass
);
1193 dump_data_pw("new_nt_pass", new_nt_pass
, NT_HASH_LEN
);
1194 dump_data_pw("cached_nt_pass", cached_nt_pass
, NT_HASH_LEN
);
1196 dump_data_pw("cached_salt", cached_salt
, NT_HASH_LEN
);
1200 /* In this case we didn't store the nt_hash itself,
1201 but the MD5 combination of salt + nt_hash. */
1202 uchar salted_hash
[NT_HASH_LEN
];
1203 gnutls_hash_hd_t hash_hnd
= NULL
;
1206 rc
= gnutls_hash_init(&hash_hnd
, GNUTLS_DIG_MD5
);
1208 result
= gnutls_error_to_ntstatus(
1209 rc
, NT_STATUS_HASH_NOT_SUPPORTED
);
1213 rc
= gnutls_hash(hash_hnd
, cached_salt
, 16);
1215 gnutls_hash_deinit(hash_hnd
, NULL
);
1216 result
= gnutls_error_to_ntstatus(
1217 rc
, NT_STATUS_HASH_NOT_SUPPORTED
);
1220 rc
= gnutls_hash(hash_hnd
, new_nt_pass
, 16);
1222 gnutls_hash_deinit(hash_hnd
, NULL
);
1223 result
= gnutls_error_to_ntstatus(
1224 rc
, NT_STATUS_HASH_NOT_SUPPORTED
);
1227 gnutls_hash_deinit(hash_hnd
, salted_hash
);
1229 password_good
= mem_equal_const_time(cached_nt_pass
, salted_hash
,
1232 /* Old cached cred - direct store of nt_hash (bad bad bad !). */
1233 password_good
= mem_equal_const_time(cached_nt_pass
, new_nt_pass
,
1237 if (password_good
) {
1239 /* User *DOES* know the password, update logon_time and reset
1242 my_info3
->base
.user_flags
|= NETLOGON_CACHED_ACCOUNT
;
1244 if (my_info3
->base
.acct_flags
& ACB_AUTOLOCK
) {
1245 result
= NT_STATUS_ACCOUNT_LOCKED_OUT
;
1249 if (my_info3
->base
.acct_flags
& ACB_DISABLED
) {
1250 result
= NT_STATUS_ACCOUNT_DISABLED
;
1254 if (my_info3
->base
.acct_flags
& ACB_WSTRUST
) {
1255 result
= NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
;
1259 if (my_info3
->base
.acct_flags
& ACB_SVRTRUST
) {
1260 result
= NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT
;
1264 if (my_info3
->base
.acct_flags
& ACB_DOMTRUST
) {
1265 result
= NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
;
1269 if (!(my_info3
->base
.acct_flags
& ACB_NORMAL
)) {
1270 DEBUG(0,("winbindd_dual_pam_auth_cached: what's wrong with that one?: 0x%08x\n",
1271 my_info3
->base
.acct_flags
));
1272 result
= NT_STATUS_LOGON_FAILURE
;
1276 kickoff_time
= nt_time_to_unix(my_info3
->base
.kickoff_time
);
1277 if (kickoff_time
!= 0 && time(NULL
) > kickoff_time
) {
1278 result
= NT_STATUS_ACCOUNT_EXPIRED
;
1282 must_change_time
= nt_time_to_unix(my_info3
->base
.force_password_change
);
1283 if (must_change_time
!= 0 && must_change_time
< time(NULL
)) {
1284 /* we allow grace logons when the password has expired */
1285 my_info3
->base
.user_flags
|= NETLOGON_GRACE_LOGON
;
1286 /* return NT_STATUS_PASSWORD_EXPIRED; */
1292 ((tdc_domain
= wcache_tdc_fetch_domain(tmp_ctx
, name_domain
)) != NULL
) &&
1293 ((tdc_domain
->trust_type
& LSA_TRUST_TYPE_UPLEVEL
) ||
1294 /* used to cope with the case winbindd starting without network. */
1295 !strequal(tdc_domain
->domain_name
, tdc_domain
->dns_name
))) {
1296 const char *cc
= NULL
;
1298 const char *principal_s
= NULL
;
1299 const char *user_ccache_file
;
1301 if (domain
->alt_name
== NULL
) {
1302 result
= NT_STATUS_INVALID_PARAMETER
;
1307 DEBUG(0,("winbindd_dual_pam_auth_cached: invalid uid\n"));
1308 result
= NT_STATUS_INVALID_PARAMETER
;
1312 cc
= generate_krb5_ccache(tmp_ctx
,
1317 result
= NT_STATUS_NO_MEMORY
;
1321 realm
= talloc_strdup(tmp_ctx
, domain
->alt_name
);
1322 if (realm
== NULL
) {
1323 result
= NT_STATUS_NO_MEMORY
;
1327 if (!strupper_m(realm
)) {
1328 result
= NT_STATUS_INVALID_PARAMETER
;
1332 principal_s
= talloc_asprintf(tmp_ctx
, "%s@%s", name_user
, realm
);
1333 if (principal_s
== NULL
) {
1334 result
= NT_STATUS_NO_MEMORY
;
1338 if (user_ccache_file
!= NULL
) {
1340 if (_krb5ccname
!= NULL
) {
1341 *_krb5ccname
= talloc_move(mem_ctx
,
1345 result
= add_ccache_to_list(principal_s
,
1352 time(NULL
) + lp_winbind_cache_time(),
1353 time(NULL
) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME
,
1358 if (!NT_STATUS_IS_OK(result
)) {
1359 DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
1360 "to add ccache to list: %s\n",
1361 nt_errstr(result
)));
1365 #endif /* HAVE_KRB5 */
1367 /* FIXME: we possibly should handle logon hours as well (does xp when
1368 * offline?) see auth/auth_sam.c:sam_account_ok for details */
1370 unix_to_nt_time(&my_info3
->base
.logon_time
, time(NULL
));
1371 my_info3
->base
.bad_password_count
= 0;
1373 result
= winbindd_update_creds_by_info3(domain
,
1377 if (!NT_STATUS_IS_OK(result
)) {
1378 DEBUG(1,("winbindd_dual_pam_auth_cached: failed to update creds: %s\n",
1379 nt_errstr(result
)));
1383 result
= map_info3_to_validation(mem_ctx
,
1387 if (!NT_STATUS_IS_OK(result
)) {
1388 DBG_ERR("map_info3_to_validation failed: %s\n",
1393 result
= NT_STATUS_OK
;
1397 /* User does *NOT* know the correct password, modify info3 accordingly, but only if online */
1398 if (domain
->online
== false) {
1402 /* failure of this is not critical */
1403 result
= get_max_bad_attempts_from_lockout_policy(domain
, tmp_ctx
, &max_allowed_bad_attempts
);
1404 if (!NT_STATUS_IS_OK(result
)) {
1405 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get max_allowed_bad_attempts. "
1406 "Won't be able to honour account lockout policies\n"));
1409 /* increase counter */
1410 my_info3
->base
.bad_password_count
++;
1412 if (max_allowed_bad_attempts
== 0) {
1417 if (my_info3
->base
.bad_password_count
>= max_allowed_bad_attempts
) {
1419 uint32_t password_properties
;
1421 result
= get_pwd_properties(domain
, tmp_ctx
, &password_properties
);
1422 if (!NT_STATUS_IS_OK(result
)) {
1423 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
1426 if ((my_info3
->base
.rid
!= DOMAIN_RID_ADMINISTRATOR
) ||
1427 (password_properties
& DOMAIN_PASSWORD_LOCKOUT_ADMINS
)) {
1428 my_info3
->base
.acct_flags
|= ACB_AUTOLOCK
;
1433 result
= winbindd_update_creds_by_info3(domain
, user
, NULL
, my_info3
);
1434 if (!NT_STATUS_IS_OK(result
)) {
1435 DEBUG(0,("winbindd_dual_pam_auth_cached: failed to update creds %s\n",
1436 nt_errstr(result
)));
1439 result
= NT_STATUS_LOGON_FAILURE
;
1442 TALLOC_FREE(tmp_ctx
);
1447 static NTSTATUS
winbindd_dual_pam_auth_kerberos(struct winbindd_domain
*domain
,
1450 const char *krb5_cc_type
,
1452 TALLOC_CTX
*mem_ctx
,
1453 uint16_t *_validation_level
,
1454 union netr_Validation
**_validation
,
1455 const char **_krb5ccname
)
1457 struct netr_SamInfo6
*info6
= NULL
;
1458 struct winbindd_domain
*contact_domain
;
1459 char *name_namespace
= NULL
;
1460 char *name_domain
= NULL
;
1461 char *name_user
= NULL
;
1465 DEBUG(10,("winbindd_dual_pam_auth_kerberos\n"));
1467 /* Parse domain and username */
1469 ok
= parse_domain_user(mem_ctx
,
1475 result
= NT_STATUS_INVALID_PARAMETER
;
1479 /* what domain should we contact? */
1481 if (lp_winbind_use_krb5_enterprise_principals()) {
1482 contact_domain
= find_auth_domain(0, name_namespace
);
1484 contact_domain
= find_domain_from_name(name_namespace
);
1486 if (contact_domain
== NULL
) {
1487 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1488 user
, name_domain
, name_user
, name_namespace
));
1489 result
= NT_STATUS_NO_SUCH_USER
;
1493 if (contact_domain
->initialized
&&
1494 contact_domain
->active_directory
) {
1498 if (!contact_domain
->initialized
) {
1499 init_dc_connection(contact_domain
, false);
1502 if (!contact_domain
->active_directory
) {
1503 DEBUG(3,("krb5 auth requested but domain (%s) is not Active Directory\n",
1504 contact_domain
->name
));
1505 return NT_STATUS_INVALID_LOGON_TYPE
;
1508 result
= winbindd_raw_kerberos_login(
1517 if (!NT_STATUS_IS_OK(result
)) {
1521 result
= map_info6_to_validation(mem_ctx
,
1526 if (!NT_STATUS_IS_OK(result
)) {
1527 DBG_ERR("map_info6_to_validation failed: %s\n",
1535 static NTSTATUS
winbindd_dual_auth_passdb(TALLOC_CTX
*mem_ctx
,
1536 uint32_t logon_parameters
,
1539 const uint64_t logon_id
,
1540 const char *client_name
,
1541 const int client_pid
,
1542 const DATA_BLOB
*challenge
,
1543 const DATA_BLOB
*lm_resp
,
1544 const DATA_BLOB
*nt_resp
,
1545 const struct tsocket_address
*remote
,
1546 const struct tsocket_address
*local
,
1548 uint8_t *pauthoritative
,
1549 struct netr_SamInfo3
**pinfo3
)
1551 struct auth_context
*auth_context
;
1552 struct auth_serversupplied_info
*server_info
;
1553 struct auth_usersupplied_info
*user_info
= NULL
;
1554 struct netr_SamInfo3
*info3
;
1557 TALLOC_CTX
*frame
= talloc_stackframe();
1560 * We are authoritative by default
1562 *pauthoritative
= 1;
1564 status
= make_user_info(frame
, &user_info
, user
, user
, domain
, domain
,
1565 lp_netbios_name(), remote
, local
,
1567 lm_resp
, nt_resp
, NULL
, NULL
,
1568 NULL
, AUTH_PASSWORD_RESPONSE
);
1569 if (!NT_STATUS_IS_OK(status
)) {
1570 DEBUG(10, ("make_user_info failed: %s\n", nt_errstr(status
)));
1575 user_info
->logon_parameters
= logon_parameters
;
1576 user_info
->logon_id
= logon_id
;
1577 user_info
->auth_description
= talloc_asprintf(
1578 frame
, "PASSDB, %s, %d", client_name
, client_pid
);
1579 if (user_info
->auth_description
== NULL
) {
1581 return NT_STATUS_NO_MEMORY
;
1584 /* We don't want to come back to winbindd or to do PAM account checks */
1585 user_info
->flags
|= USER_INFO_INFO3_AND_NO_AUTHZ
;
1588 user_info
->flags
|= USER_INFO_INTERACTIVE_LOGON
;
1591 status
= make_auth3_context_for_winbind(frame
, &auth_context
);
1592 if (!NT_STATUS_IS_OK(status
)) {
1593 DBG_ERR("make_auth3_context_for_winbind failed: %s\n",
1599 ok
= auth3_context_set_challenge(auth_context
,
1600 challenge
->data
, "fixed");
1603 return NT_STATUS_NO_MEMORY
;
1606 status
= auth_check_ntlm_password(mem_ctx
,
1611 if (!NT_STATUS_IS_OK(status
)) {
1616 info3
= talloc_zero(mem_ctx
, struct netr_SamInfo3
);
1617 if (info3
== NULL
) {
1619 return NT_STATUS_NO_MEMORY
;
1622 status
= serverinfo_to_SamInfo3(server_info
, info3
);
1623 if (!NT_STATUS_IS_OK(status
)) {
1626 DEBUG(0, ("serverinfo_to_SamInfo3 failed: %s\n",
1627 nt_errstr(status
)));
1632 DBG_DEBUG("Authenticating user %s\\%s returned %s\n",
1640 static NTSTATUS
winbind_samlogon_retry_loop(struct winbindd_domain
*domain
,
1641 TALLOC_CTX
*mem_ctx
,
1642 uint32_t logon_parameters
,
1643 const char *username
,
1644 const char *password
,
1645 const char *domainname
,
1646 const char *workstation
,
1647 const uint64_t logon_id
,
1648 bool plaintext_given
,
1650 DATA_BLOB lm_response
,
1651 DATA_BLOB nt_response
,
1653 uint8_t *authoritative
,
1655 uint16_t *_validation_level
,
1656 union netr_Validation
**_validation
)
1659 int netr_attempts
= 0;
1661 bool valid_result
= false;
1663 enum netr_LogonInfoClass logon_type_i
;
1664 enum netr_LogonInfoClass logon_type_n
;
1665 uint16_t validation_level
= UINT16_MAX
;
1666 union netr_Validation
*validation
= NULL
;
1667 TALLOC_CTX
*base_ctx
= NULL
;
1668 struct netr_SamBaseInfo
*base_info
= NULL
;
1671 struct rpc_pipe_client
*netlogon_pipe
;
1672 struct netlogon_creds_cli_context
*netlogon_creds_ctx
= NULL
;
1675 * We should always reset authoritative to 1
1676 * before calling a server again.
1678 * Otherwise we could treat a local problem as
1679 * non-authoritative.
1685 D_DEBUG("Creating a DCERPC netlogon connection for SAM logon. "
1686 "netlogon attempt: %d, samlogon attempt: %d.\n",
1689 result
= cm_connect_netlogon_secure(domain
, &netlogon_pipe
,
1690 &netlogon_creds_ctx
);
1692 if (NT_STATUS_EQUAL(result
,
1693 NT_STATUS_CANT_ACCESS_DOMAIN_INFO
)) {
1695 * This means we don't have a trust account.
1698 result
= NT_STATUS_NO_SUCH_USER
;
1702 if (!NT_STATUS_IS_OK(result
)) {
1703 DEBUG(3,("Could not open handle to NETLOGON pipe "
1704 "(error: %s, attempts: %d)\n",
1705 nt_errstr(result
), netr_attempts
));
1707 reset_cm_connection_on_error(domain
, NULL
, result
);
1709 /* After the first retry always close the connection */
1710 if (netr_attempts
> 0) {
1711 DEBUG(3, ("This is again a problem for this "
1712 "particular call, forcing the close "
1713 "of this connection\n"));
1714 invalidate_cm_connection(domain
);
1717 /* After the second retry failover to the next DC */
1718 if (netr_attempts
> 1) {
1720 * If the netlogon server is not reachable then
1721 * it is possible that the DC is rebuilding
1722 * sysvol and shutdown netlogon for that time.
1723 * We should failover to the next dc.
1725 DEBUG(3, ("This is the third problem for this "
1726 "particular call, adding DC to the "
1727 "negative cache list: %s %s\n", domain
->name
, domain
->dcname
));
1728 add_failed_connection_entry(domain
->name
,
1731 saf_delete(domain
->name
);
1734 /* Only allow 3 retries */
1735 if (netr_attempts
< 3) {
1736 DEBUG(3, ("The connection to netlogon "
1737 "failed, retrying\n"));
1745 logon_type_i
= NetlogonInteractiveInformation
;
1746 logon_type_n
= NetlogonNetworkInformation
;
1747 if (domain
->domain_trust_attribs
& LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
) {
1748 logon_type_i
= NetlogonInteractiveTransitiveInformation
;
1749 logon_type_n
= NetlogonNetworkTransitiveInformation
;
1752 if (domain
->domain_trust_attribs
& LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
) {
1753 logon_type_i
= NetlogonInteractiveTransitiveInformation
;
1754 logon_type_n
= NetlogonNetworkTransitiveInformation
;
1757 if (domain
->domain_trust_attribs
& LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
) {
1758 logon_type_i
= NetlogonInteractiveInformation
;
1759 logon_type_n
= NetlogonNetworkInformation
;
1762 if (domain
->domain_trust_attribs
& LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
) {
1763 logon_type_i
= NetlogonInteractiveInformation
;
1764 logon_type_n
= NetlogonNetworkInformation
;
1768 if (plaintext_given
) {
1769 result
= rpccli_netlogon_password_logon(
1771 netlogon_pipe
->binding_handle
,
1784 } else if (interactive
) {
1785 result
= rpccli_netlogon_interactive_logon(
1787 netlogon_pipe
->binding_handle
,
1802 result
= rpccli_netlogon_network_logon(
1804 netlogon_pipe
->binding_handle
,
1822 * we increment this after the "feature negotiation"
1823 * for can_do_samlogon_ex and can_do_validation6
1827 /* We have to try a second time as cm_connect_netlogon
1828 might not yet have noticed that the DC has killed
1831 retry
= reset_cm_connection_on_error(domain
,
1832 netlogon_pipe
->binding_handle
,
1835 DBG_PREFIX(attempts
> 1 ? DBGLVL_NOTICE
: DBGLVL_INFO
, (
1836 "This is problem %d for this "
1838 "DOMAIN[%s] DC[%s] - %s\n",
1842 nt_errstr(result
)));
1846 valid_result
= true;
1848 if (NT_STATUS_EQUAL(result
, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
)) {
1850 * Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
1851 * (no Ex). This happens against old Samba
1852 * DCs, if LogonSamLogonEx() fails with an error
1853 * e.g. NT_STATUS_NO_SUCH_USER or NT_STATUS_WRONG_PASSWORD.
1855 * The server will log something like this:
1856 * api_net_sam_logon_ex: Failed to marshall NET_R_SAM_LOGON_EX.
1858 * This sets the whole connection into a fault_state mode
1859 * and all following request get NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
1861 * This also happens to our retry with LogonSamLogonWithFlags()
1862 * and LogonSamLogon().
1864 * In order to recover from this situation, we need to
1865 * drop the connection.
1867 invalidate_cm_connection(domain
);
1868 result
= NT_STATUS_LOGON_FAILURE
;
1872 } while ( (attempts
< 3) && retry
);
1874 if (!valid_result
) {
1876 * This matches what windows does. In a chain of transitive
1877 * trusts the ACCESS_DENIED/authoritative=0 is not propagated
1878 * instead of NT_STATUS_NO_LOGON_SERVERS/authoritative=1 is
1879 * passed along the chain if there's no other DC is available.
1881 DBG_WARNING("Mapping %s/authoritative=%u to "
1882 "NT_STATUS_NO_LOGON_SERVERS/authoritative=1 for"
1883 "USERNAME[%s] USERDOMAIN[%s] REMOTE-DOMAIN[%s] \n",
1890 return NT_STATUS_NO_LOGON_SERVERS
;
1893 if (!NT_STATUS_IS_OK(result
)) {
1897 switch (validation_level
) {
1899 base_ctx
= validation
->sam3
;
1900 base_info
= &validation
->sam3
->base
;
1903 base_ctx
= validation
->sam6
;
1904 base_info
= &validation
->sam6
->base
;
1907 smb_panic(__location__
);
1910 if (base_info
->acct_flags
== 0 || base_info
->account_name
.string
== NULL
) {
1911 struct dom_sid user_sid
;
1912 struct dom_sid_buf sid_buf
;
1913 const char *acct_flags_src
= "server";
1914 const char *acct_name_src
= "server";
1917 * Handle the case where a NT4 DC does not fill in the acct_flags in
1918 * the samlogon reply info3. Yes, in 2021, there are still admins
1919 * around with real NT4 DCs.
1921 * We used to call dcerpc_samr_QueryUserInfo(level=16) to fetch
1922 * acct_flags, but as NT4 DCs reject authentication with workstation
1923 * accounts with NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, even if
1924 * MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT is specified, we only ever got
1925 * ACB_NORMAL back (maybe with ACB_PWNOEXP in addition).
1927 * For network logons NT4 DCs also skip the
1928 * account_name, so we have to fallback to the
1929 * one given by the client.
1932 if (base_info
->acct_flags
== 0) {
1933 base_info
->acct_flags
= ACB_NORMAL
;
1934 if (base_info
->force_password_change
== NTTIME_MAX
) {
1935 base_info
->acct_flags
|= ACB_PWNOEXP
;
1937 acct_flags_src
= "calculated";
1940 if (base_info
->account_name
.string
== NULL
) {
1941 base_info
->account_name
.string
= talloc_strdup(base_ctx
,
1943 if (base_info
->account_name
.string
== NULL
) {
1944 TALLOC_FREE(validation
);
1945 return NT_STATUS_NO_MEMORY
;
1947 acct_name_src
= "client";
1950 sid_compose(&user_sid
, base_info
->domain_sid
, base_info
->rid
);
1952 DBG_DEBUG("Fallback to %s_acct_flags[0x%x] %s_acct_name[%s] for %s\n",
1954 base_info
->acct_flags
,
1956 base_info
->account_name
.string
,
1957 dom_sid_str_buf(&user_sid
, &sid_buf
));
1960 *_validation_level
= validation_level
;
1961 *_validation
= validation
;
1962 return NT_STATUS_OK
;
1965 static NTSTATUS
nt_dual_auth_passdb(TALLOC_CTX
*mem_ctx
,
1967 fstring name_domain
,
1970 const char *client_name
,
1971 const int client_pid
,
1972 const struct tsocket_address
*remote
,
1973 const struct tsocket_address
*local
,
1974 uint8_t *authoritative
,
1975 struct netr_SamInfo3
**info3
)
1977 unsigned char local_nt_response
[24];
1979 DATA_BLOB chal_blob
;
1983 /* do password magic */
1985 generate_random_buffer(chal
, sizeof(chal
));
1986 chal_blob
= data_blob_const(chal
, sizeof(chal
));
1988 if (lp_client_ntlmv2_auth()) {
1989 DATA_BLOB server_chal
;
1990 DATA_BLOB names_blob
;
1991 server_chal
= data_blob_const(chal
, 8);
1993 /* note that the 'workgroup' here is for the local
1994 machine. The 'server name' must match the
1995 'workstation' passed to the actual SamLogon call.
1997 names_blob
= NTLMv2_generate_names_blob(mem_ctx
,
2001 if (!SMBNTLMv2encrypt(mem_ctx
, name_user
, name_domain
,
2002 pass
, &server_chal
, &names_blob
,
2003 &lm_resp
, &nt_resp
, NULL
, NULL
)) {
2004 data_blob_free(&names_blob
);
2005 DEBUG(0, ("SMBNTLMv2encrypt() failed!\n"));
2006 return NT_STATUS_NO_MEMORY
;
2008 data_blob_free(&names_blob
);
2011 lm_resp
= data_blob_null
;
2013 rc
= SMBNTencrypt(pass
, chal
, local_nt_response
);
2015 DEBUG(0, ("SMBNTencrypt() failed!\n"));
2016 return gnutls_error_to_ntstatus(rc
,
2017 NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER
);
2020 nt_resp
= data_blob_talloc(mem_ctx
, local_nt_response
,
2021 sizeof(local_nt_response
));
2024 return winbindd_dual_auth_passdb(talloc_tos(), 0, name_domain
,
2025 name_user
, logon_id
, client_name
,
2026 client_pid
, &chal_blob
, &lm_resp
,
2027 &nt_resp
, remote
, local
,
2028 true, /* interactive */
2029 authoritative
, info3
);
2032 static NTSTATUS
winbindd_dual_pam_auth_samlogon(
2033 TALLOC_CTX
*mem_ctx
,
2034 struct winbindd_domain
*domain
,
2038 const char *client_name
,
2039 const int client_pid
,
2040 uint32_t request_flags
,
2041 const struct tsocket_address
*remote
,
2042 const struct tsocket_address
*local
,
2043 uint16_t *_validation_level
,
2044 union netr_Validation
**_validation
)
2046 char *name_namespace
= NULL
;
2047 char *name_domain
= NULL
;
2048 char *name_user
= NULL
;
2050 uint8_t authoritative
= 1;
2052 uint16_t validation_level
= 0;
2053 union netr_Validation
*validation
= NULL
;
2056 DEBUG(10,("winbindd_dual_pam_auth_samlogon\n"));
2058 /* Parse domain and username */
2060 ok
= parse_domain_user(mem_ctx
,
2066 return NT_STATUS_INVALID_PARAMETER
;
2070 * We check against domain->name instead of
2071 * name_domain, as find_auth_domain() ->
2072 * find_domain_from_name_noinit() already decided
2073 * that we are in a child for the correct domain.
2075 * name_domain can also be lp_realm()
2076 * we need to check against domain->name.
2078 if (strequal(domain
->name
, get_global_sam_name())) {
2079 struct netr_SamInfo3
*info3
= NULL
;
2081 result
= nt_dual_auth_passdb(mem_ctx
, name_user
, name_domain
,
2082 pass
, logon_id
, client_name
,
2083 client_pid
, remote
, local
,
2084 &authoritative
, &info3
);
2087 * We need to try the remote NETLOGON server if this is
2088 * not authoritative (for example on the RODC).
2090 if (authoritative
!= 0) {
2091 if (!NT_STATUS_IS_OK(result
)) {
2094 result
= map_info3_to_validation(mem_ctx
,
2099 if (!NT_STATUS_IS_OK(result
)) {
2107 /* check authentication loop */
2109 result
= winbind_samlogon_retry_loop(domain
,
2117 true, /* plaintext_given */
2119 data_blob_null
, data_blob_null
,
2120 true, /* interactive */
2125 if (!NT_STATUS_IS_OK(result
)) {
2130 *_validation_level
= validation_level
;
2131 *_validation
= validation
;
2133 return NT_STATUS_OK
;
2137 * @brief generate an authentication message in the logs.
2140 static void log_authentication(
2141 TALLOC_CTX
*mem_ctx
,
2142 const struct winbindd_domain
*domain
,
2143 const char *client_name
,
2145 uint16_t validation_level
,
2146 union netr_Validation
*validation
,
2147 const struct timeval start_time
,
2148 const uint64_t logon_id
,
2149 const char *command
,
2150 const char *user_name
,
2151 const char *domain_name
,
2152 const char *workstation
,
2153 const DATA_BLOB lm_resp
,
2154 const DATA_BLOB nt_resp
,
2155 const struct tsocket_address
*remote
,
2156 const struct tsocket_address
*local
,
2159 struct auth_usersupplied_info
*ui
= NULL
;
2160 struct dom_sid
*sid
= NULL
;
2161 struct loadparm_context
*lp_ctx
= NULL
;
2162 struct imessaging_context
*msg_ctx
= NULL
;
2163 struct netr_SamBaseInfo
*base_info
= NULL
;
2165 if (validation
!= NULL
) {
2166 switch (validation_level
) {
2168 base_info
= &validation
->sam3
->base
;
2171 base_info
= &validation
->sam6
->base
;
2174 DBG_WARNING("Unexpected validation level '%d'\n",
2180 ui
= talloc_zero(mem_ctx
, struct auth_usersupplied_info
);
2181 ui
->logon_id
= logon_id
;
2182 ui
->service_description
= "winbind";
2183 ui
->password
.response
.nt
.length
= nt_resp
.length
;
2184 ui
->password
.response
.nt
.data
= nt_resp
.data
;
2185 ui
->password
.response
.lanman
.length
= lm_resp
.length
;
2186 ui
->password
.response
.lanman
.data
= lm_resp
.data
;
2187 if (nt_resp
.length
== 0 && lm_resp
.length
== 0) {
2188 ui
->password_state
= AUTH_PASSWORD_PLAIN
;
2190 ui
->password_state
= AUTH_PASSWORD_RESPONSE
;
2193 * In the event of a failure ui->auth_description will be null,
2194 * the logging code handles this correctly so it can be ignored.
2196 ui
->auth_description
= talloc_asprintf(
2202 if (ui
->auth_description
== NULL
) {
2203 DBG_ERR("OOM Unable to create auth_description\n");
2205 ui
->client
.account_name
= user_name
;
2206 ui
->client
.domain_name
= domain_name
;
2207 ui
->workstation_name
= workstation
;
2208 ui
->remote_host
= remote
;
2209 ui
->local_host
= local
;
2211 if (base_info
!= NULL
) {
2212 sid
= dom_sid_dup(ui
, base_info
->domain_sid
);
2214 sid_append_rid(sid
, base_info
->rid
);
2218 if (lp_auth_event_notification()) {
2219 lp_ctx
= loadparm_init_s3(ui
, loadparm_s3_helpers());
2220 msg_ctx
= imessaging_client_init(
2221 ui
, lp_ctx
, global_event_context());
2223 log_authentication_event(
2229 base_info
!= NULL
? base_info
->logon_domain
.string
: "",
2230 base_info
!= NULL
? base_info
->account_name
.string
: "",
2232 NULL
/* client_audit_info */,
2233 NULL
/* server_audit_info */);
2237 NTSTATUS
_wbint_PamAuth(struct pipes_struct
*p
,
2238 struct wbint_PamAuth
*r
)
2240 struct winbindd_domain
*domain
= wb_child_domain();
2241 NTSTATUS result
= NT_STATUS_LOGON_FAILURE
;
2242 NTSTATUS krb5_result
= NT_STATUS_OK
;
2243 char *name_namespace
= NULL
;
2244 char *name_domain
= NULL
;
2245 char *name_user
= NULL
;
2246 char *mapped_user
= NULL
;
2247 const char *domain_user
= NULL
;
2248 uint16_t validation_level
= UINT16_MAX
;
2249 union netr_Validation
*validation
= NULL
;
2250 struct netr_SamBaseInfo
*base_info
= NULL
;
2251 NTSTATUS name_map_status
= NT_STATUS_UNSUCCESSFUL
;
2253 uint64_t logon_id
= 0;
2254 const struct timeval start_time
= timeval_current();
2255 const struct tsocket_address
*remote
= NULL
;
2256 const struct tsocket_address
*local
= NULL
;
2257 const char *krb5ccname
= NULL
;
2261 if (domain
== NULL
) {
2262 return NT_STATUS_REQUEST_NOT_ACCEPTED
;
2265 /* Cut client_pid to 32bit */
2266 client_pid
= r
->in
.client_pid
;
2267 if ((uint64_t)client_pid
!= r
->in
.client_pid
) {
2268 DBG_DEBUG("pid out of range\n");
2269 return NT_STATUS_INVALID_PARAMETER
;
2272 /* Cut uid to 32bit */
2273 uid
= r
->in
.info
->uid
;
2274 if ((uint64_t)uid
!= r
->in
.info
->uid
) {
2275 DBG_DEBUG("uid out of range\n");
2276 return NT_STATUS_INVALID_PARAMETER
;
2280 * Generate a logon_id for this session.
2282 logon_id
= generate_random_u64();
2283 remote
= dcesrv_connection_get_remote_address(p
->dce_call
->conn
);
2284 local
= dcesrv_connection_get_local_address(p
->dce_call
->conn
);
2285 DEBUG(3, ("[%"PRIu32
"]: dual pam auth %s\n", client_pid
,
2286 r
->in
.info
->username
));
2288 /* Parse domain and username */
2290 name_map_status
= normalize_name_unmap(p
->mem_ctx
,
2291 r
->in
.info
->username
,
2294 /* If the name normalization didn't actually do anything,
2295 just use the original name */
2297 if (!NT_STATUS_IS_OK(name_map_status
) &&
2298 !NT_STATUS_EQUAL(name_map_status
, NT_STATUS_FILE_RENAMED
))
2300 mapped_user
= discard_const(r
->in
.info
->username
);
2303 ok
= parse_domain_user(p
->mem_ctx
,
2309 result
= NT_STATUS_INVALID_PARAMETER
;
2313 if (mapped_user
!= r
->in
.info
->username
) {
2314 domain_user
= talloc_asprintf(talloc_tos(),
2317 *lp_winbind_separator(),
2319 if (domain_user
== NULL
) {
2320 result
= NT_STATUS_NO_MEMORY
;
2323 r
->in
.info
->username
= domain_user
;
2326 if (!domain
->online
) {
2327 result
= NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
;
2328 if (domain
->startup
) {
2329 /* Logons are very important to users. If we're offline and
2330 we get a request within the first 30 seconds of startup,
2331 try very hard to find a DC and go online. */
2333 DEBUG(10,("winbindd_dual_pam_auth: domain: %s offline and auth "
2334 "request in startup mode.\n", domain
->name
));
2336 winbindd_flush_negative_conn_cache(domain
);
2337 result
= init_dc_connection(domain
, false);
2341 DEBUG(10,("winbindd_dual_pam_auth: domain: %s last was %s\n", domain
->name
, domain
->online
? "online":"offline"));
2343 /* Check for Kerberos authentication */
2344 if (domain
->online
&& (r
->in
.flags
& WBFLAG_PAM_KRB5
)) {
2345 result
= winbindd_dual_pam_auth_kerberos(
2347 r
->in
.info
->username
,
2348 r
->in
.info
->password
,
2349 r
->in
.info
->krb5_cc_type
,
2356 /* save for later */
2357 krb5_result
= result
;
2359 if (NT_STATUS_IS_OK(result
)) {
2360 DEBUG(10,("winbindd_dual_pam_auth_kerberos succeeded\n"));
2361 goto process_result
;
2364 DBG_DEBUG("winbindd_dual_pam_auth_kerberos failed: %s\n",
2367 if (NT_STATUS_EQUAL(result
, NT_STATUS_NO_LOGON_SERVERS
) ||
2368 NT_STATUS_EQUAL(result
, NT_STATUS_IO_TIMEOUT
) ||
2369 NT_STATUS_EQUAL(result
, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
)) {
2370 DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
2371 set_domain_offline( domain
);
2375 /* there are quite some NT_STATUS errors where there is no
2376 * point in retrying with a samlogon, we explicitly have to take
2377 * care not to increase the bad logon counter on the DC */
2379 if (NT_STATUS_EQUAL(result
, NT_STATUS_ACCOUNT_DISABLED
) ||
2380 NT_STATUS_EQUAL(result
, NT_STATUS_ACCOUNT_EXPIRED
) ||
2381 NT_STATUS_EQUAL(result
, NT_STATUS_ACCOUNT_LOCKED_OUT
) ||
2382 NT_STATUS_EQUAL(result
, NT_STATUS_INVALID_LOGON_HOURS
) ||
2383 NT_STATUS_EQUAL(result
, NT_STATUS_INVALID_WORKSTATION
) ||
2384 NT_STATUS_EQUAL(result
, NT_STATUS_LOGON_FAILURE
) ||
2385 NT_STATUS_EQUAL(result
, NT_STATUS_NO_SUCH_USER
) ||
2386 NT_STATUS_EQUAL(result
, NT_STATUS_PASSWORD_EXPIRED
) ||
2387 NT_STATUS_EQUAL(result
, NT_STATUS_PASSWORD_MUST_CHANGE
) ||
2388 NT_STATUS_EQUAL(result
, NT_STATUS_WRONG_PASSWORD
)) {
2392 if (r
->in
.flags
& WBFLAG_PAM_FALLBACK_AFTER_KRB5
) {
2393 DEBUG(3,("falling back to samlogon\n"));
2401 /* Check for Samlogon authentication */
2402 if (domain
->online
) {
2403 result
= winbindd_dual_pam_auth_samlogon(
2406 r
->in
.info
->username
,
2407 r
->in
.info
->password
,
2417 if (NT_STATUS_IS_OK(result
)) {
2418 DEBUG(10,("winbindd_dual_pam_auth_samlogon succeeded\n"));
2420 switch (validation_level
) {
2422 base_info
= &validation
->sam3
->base
;
2425 base_info
= &validation
->sam6
->base
;
2428 DBG_ERR("Bad validation level %d\n",
2430 result
= NT_STATUS_INTERNAL_ERROR
;
2434 /* add the Krb5 err if we have one */
2435 if ( NT_STATUS_EQUAL(krb5_result
, NT_STATUS_TIME_DIFFERENCE_AT_DC
) ) {
2436 base_info
->user_flags
|= LOGON_KRB5_FAIL_CLOCK_SKEW
;
2439 goto process_result
;
2442 DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n",
2443 nt_errstr(result
)));
2445 if (NT_STATUS_EQUAL(result
, NT_STATUS_NO_LOGON_SERVERS
) ||
2446 NT_STATUS_EQUAL(result
, NT_STATUS_IO_TIMEOUT
) ||
2447 NT_STATUS_EQUAL(result
, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
))
2449 DEBUG(10,("winbindd_dual_pam_auth_samlogon setting domain to offline\n"));
2450 set_domain_offline( domain
);
2454 if (domain
->online
) {
2455 /* We're still online - fail. */
2461 /* Check for Cached logons */
2462 if (!domain
->online
&& (r
->in
.flags
& WBFLAG_PAM_CACHED_LOGIN
) &&
2463 lp_winbind_offline_logon()) {
2464 result
= winbindd_dual_pam_auth_cached(domain
,
2465 (r
->in
.flags
& WBFLAG_PAM_KRB5
),
2466 r
->in
.info
->username
,
2467 r
->in
.info
->password
,
2468 r
->in
.info
->krb5_cc_type
,
2475 if (!NT_STATUS_IS_OK(result
)) {
2476 DEBUG(10,("winbindd_dual_pam_auth_cached failed: %s\n", nt_errstr(result
)));
2479 DEBUG(10,("winbindd_dual_pam_auth_cached succeeded\n"));
2484 if (NT_STATUS_IS_OK(result
)) {
2485 struct dom_sid user_sid
;
2486 TALLOC_CTX
*base_ctx
= NULL
;
2487 struct netr_SamInfo3
*info3
= NULL
;
2489 switch (validation_level
) {
2491 base_ctx
= validation
->sam3
;
2492 base_info
= &validation
->sam3
->base
;
2495 base_ctx
= validation
->sam6
;
2496 base_info
= &validation
->sam6
->base
;
2499 DBG_ERR("Bad validation level %d\n", validation_level
);
2500 result
= NT_STATUS_INTERNAL_ERROR
;
2504 sid_compose(&user_sid
, base_info
->domain_sid
, base_info
->rid
);
2506 if (base_info
->full_name
.string
== NULL
) {
2507 struct netr_SamInfo3
*cached_info3
;
2509 cached_info3
= netsamlogon_cache_get(p
->mem_ctx
,
2511 if (cached_info3
!= NULL
&&
2512 cached_info3
->base
.full_name
.string
!= NULL
) {
2513 base_info
->full_name
.string
= talloc_strdup(
2515 cached_info3
->base
.full_name
.string
);
2516 if (base_info
->full_name
.string
== NULL
) {
2517 result
= NT_STATUS_NO_MEMORY
;
2522 /* this might fail so we don't check the return code */
2523 wcache_query_user_fullname(domain
,
2526 &base_info
->full_name
.string
);
2530 result
= map_validation_to_info3(talloc_tos(),
2534 if (!NT_STATUS_IS_OK(result
)) {
2538 wcache_invalidate_samlogon(find_domain_from_name(name_domain
),
2540 netsamlogon_cache_store(name_user
, info3
);
2542 /* save name_to_sid info as early as possible (only if
2543 this is our primary domain so we don't invalidate
2544 the cache entry by storing the seq_num for the wrong
2546 if ( domain
->primary
) {
2547 cache_name2sid(domain
, name_domain
, name_user
,
2548 SID_NAME_USER
, &user_sid
);
2551 /* Check if the user is in the right group */
2553 result
= check_info3_in_group(info3
,
2554 r
->in
.require_membership_of_sid
);
2555 if (!NT_STATUS_IS_OK(result
)) {
2556 char *s
= NDR_PRINT_STRUCT_STRING(p
->mem_ctx
,
2558 r
->in
.require_membership_of_sid
);
2559 DBG_NOTICE("User %s is not in the required groups:\n",
2560 r
->in
.info
->username
);
2561 DEBUGADD(DBGLVL_NOTICE
, ("%s", s
));
2562 DEBUGADD(DBGLVL_NOTICE
,
2563 ("Plaintext authentication is rejected\n"));
2567 if (!is_allowed_domain(info3
->base
.logon_domain
.string
)) {
2568 DBG_NOTICE("Authentication failed for user [%s] "
2569 "from firewalled domain [%s]\n",
2570 info3
->base
.account_name
.string
,
2571 info3
->base
.logon_domain
.string
);
2572 result
= NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
;
2576 r
->out
.validation
= talloc_zero(p
->mem_ctx
,
2577 struct wbint_Validation
);
2578 if (r
->out
.validation
== NULL
) {
2579 result
= NT_STATUS_NO_MEMORY
;
2583 r
->out
.validation
->level
= validation_level
;
2584 r
->out
.validation
->validation
= talloc_steal(r
->out
.validation
,
2586 r
->out
.validation
->krb5ccname
= talloc_steal(r
->out
.validation
,
2588 if ((r
->in
.flags
& WBFLAG_PAM_CACHED_LOGIN
)
2589 && lp_winbind_offline_logon()) {
2591 result
= winbindd_store_creds(domain
,
2592 r
->in
.info
->username
,
2593 r
->in
.info
->password
,
2597 result
= NT_STATUS_OK
;
2601 /* give us a more useful (more correct?) error code */
2602 if ((NT_STATUS_EQUAL(result
, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
) ||
2603 (NT_STATUS_EQUAL(result
, NT_STATUS_UNSUCCESSFUL
)))) {
2604 result
= NT_STATUS_NO_LOGON_SERVERS
;
2607 DBG_PREFIX(NT_STATUS_IS_OK(result
) ? 5 : 2,
2608 ("Plain-text authentication for user %s returned %s"
2610 r
->in
.info
->username
,
2612 nt_status_to_pam(result
)));
2615 * Log the winbind pam authentication, the logon_id will tie this to
2616 * any of the logons invoked from this request.
2638 if (NT_STATUS_IS_OK(result
)) {
2639 gpupdate_user_init(r
->in
.info
->username
);
2645 NTSTATUS
winbind_dual_SamLogon(struct winbindd_domain
*domain
,
2646 TALLOC_CTX
*mem_ctx
,
2648 uint32_t logon_parameters
,
2649 const char *name_user
,
2650 const char *name_domain
,
2651 const char *workstation
,
2652 const uint64_t logon_id
,
2653 const char* client_name
,
2654 const int client_pid
,
2655 DATA_BLOB chal_blob
,
2656 DATA_BLOB lm_response
,
2657 DATA_BLOB nt_response
,
2658 const struct tsocket_address
*remote
,
2659 const struct tsocket_address
*local
,
2660 uint8_t *authoritative
,
2663 uint16_t *_validation_level
,
2664 union netr_Validation
**_validation
)
2666 uint16_t validation_level
= 0;
2667 union netr_Validation
*validation
= NULL
;
2671 * We check against domain->name instead of
2672 * name_domain, as find_auth_domain() ->
2673 * find_domain_from_name_noinit() already decided
2674 * that we are in a child for the correct domain.
2676 * name_domain can also be lp_realm()
2677 * we need to check against domain->name.
2679 if (!skip_sam
&& strequal(domain
->name
, get_global_sam_name())) {
2680 struct netr_SamInfo3
*info3
= NULL
;
2682 result
= winbindd_dual_auth_passdb(
2685 name_domain
, name_user
,
2689 &chal_blob
, &lm_response
, &nt_response
,
2695 if (NT_STATUS_IS_OK(result
)) {
2696 result
= map_info3_to_validation(mem_ctx
,
2701 if (!NT_STATUS_IS_OK(result
)) {
2707 * We need to try the remote NETLOGON server if this is
2708 * not authoritative.
2710 if (*authoritative
!= 0) {
2712 goto process_result
;
2716 result
= winbind_samlogon_retry_loop(domain
,
2720 NULL
, /* password */
2722 /* Bug #3248 - found by Stefan Burkei. */
2723 workstation
, /* We carefully set this above so use it... */
2725 false, /* plaintext_given */
2734 if (!NT_STATUS_IS_OK(result
)) {
2740 if (NT_STATUS_IS_OK(result
)) {
2741 struct dom_sid user_sid
;
2742 TALLOC_CTX
*base_ctx
= NULL
;
2743 struct netr_SamBaseInfo
*base_info
= NULL
;
2744 struct netr_SamInfo3
*info3
= NULL
;
2746 switch (validation_level
) {
2748 base_ctx
= validation
->sam3
;
2749 base_info
= &validation
->sam3
->base
;
2752 base_ctx
= validation
->sam6
;
2753 base_info
= &validation
->sam6
->base
;
2756 result
= NT_STATUS_INTERNAL_ERROR
;
2760 sid_compose(&user_sid
, base_info
->domain_sid
, base_info
->rid
);
2762 if (base_info
->full_name
.string
== NULL
) {
2763 struct netr_SamInfo3
*cached_info3
;
2765 cached_info3
= netsamlogon_cache_get(mem_ctx
,
2767 if (cached_info3
!= NULL
&&
2768 cached_info3
->base
.full_name
.string
!= NULL
)
2770 base_info
->full_name
.string
= talloc_strdup(
2772 cached_info3
->base
.full_name
.string
);
2775 /* this might fail so we don't check the return code */
2776 wcache_query_user_fullname(domain
,
2779 &base_info
->full_name
.string
);
2783 result
= map_validation_to_info3(talloc_tos(),
2787 if (!NT_STATUS_IS_OK(result
)) {
2790 wcache_invalidate_samlogon(find_domain_from_name(name_domain
),
2792 netsamlogon_cache_store(name_user
, info3
);
2798 /* give us a more useful (more correct?) error code */
2799 if ((NT_STATUS_EQUAL(result
, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
) ||
2800 (NT_STATUS_EQUAL(result
, NT_STATUS_UNSUCCESSFUL
)))) {
2801 result
= NT_STATUS_NO_LOGON_SERVERS
;
2804 DEBUG(NT_STATUS_IS_OK(result
) ? 5 : 2,
2805 ("NTLM CRAP authentication for user [%s]\\[%s] returned %s\n",
2808 nt_errstr(result
)));
2810 if (!NT_STATUS_IS_OK(result
)) {
2814 *_validation_level
= validation_level
;
2815 *_validation
= validation
;
2816 return NT_STATUS_OK
;
2819 NTSTATUS
_wbint_PamAuthCrap(struct pipes_struct
*p
, struct wbint_PamAuthCrap
*r
)
2821 struct winbindd_domain
*domain
= wb_child_domain();
2823 uint64_t logon_id
= 0;
2824 uint8_t authoritative
= 1;
2826 uint16_t validation_level
= UINT16_MAX
;
2827 union netr_Validation
*validation
= NULL
;
2828 const struct timeval start_time
= timeval_current();
2829 const struct tsocket_address
*remote
= NULL
;
2830 const struct tsocket_address
*local
= NULL
;
2831 struct netr_SamInfo3
*info3
= NULL
;
2834 if (domain
== NULL
) {
2835 return NT_STATUS_REQUEST_NOT_ACCEPTED
;
2838 /* Cut client_pid to 32bit */
2839 client_pid
= r
->in
.client_pid
;
2840 if ((uint64_t)client_pid
!= r
->in
.client_pid
) {
2841 DBG_DEBUG("pid out of range\n");
2842 return NT_STATUS_INVALID_PARAMETER
;
2845 logon_id
= generate_random_u64();
2846 remote
= dcesrv_connection_get_remote_address(p
->dce_call
->conn
);
2847 local
= dcesrv_connection_get_local_address(p
->dce_call
->conn
);
2849 DBG_NOTICE("[%"PRIu32
"]: pam auth crap domain: %s user: %s\n",
2850 client_pid
, r
->in
.domain
, r
->in
.user
);
2852 result
= winbind_dual_SamLogon(domain
,
2854 false, /* interactive */
2855 r
->in
.logon_parameters
,
2872 if (!NT_STATUS_IS_OK(result
)) {
2876 result
= map_validation_to_info3(p
->mem_ctx
,
2880 if (!NT_STATUS_IS_OK(result
)) {
2884 /* Check if the user is in the right group */
2885 result
= check_info3_in_group(info3
, r
->in
.require_membership_of_sid
);
2886 if (!NT_STATUS_IS_OK(result
)) {
2887 char *s
= NDR_PRINT_STRUCT_STRING(p
->mem_ctx
,
2889 r
->in
.require_membership_of_sid
);
2890 DBG_NOTICE("User %s is not in the required groups:\n",
2892 DEBUGADD(DBGLVL_NOTICE
, ("%s", s
));
2893 DEBUGADD(DBGLVL_NOTICE
,
2894 ("CRAP authentication is rejected\n"));
2898 if (!is_allowed_domain(info3
->base
.logon_domain
.string
)) {
2899 DBG_NOTICE("Authentication failed for user [%s] "
2900 "from firewalled domain [%s]\n",
2901 info3
->base
.account_name
.string
,
2902 info3
->base
.logon_domain
.string
);
2903 result
= NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
;
2907 r
->out
.validation
= talloc_zero(p
->mem_ctx
,
2908 struct wbint_PamAuthCrapValidation
);
2909 if (r
->out
.validation
== NULL
) {
2910 result
= NT_STATUS_NO_MEMORY
;
2914 r
->out
.validation
->level
= validation_level
;
2915 r
->out
.validation
->validation
= talloc_move(r
->out
.validation
,
2919 if (r
->in
.flags
& WBFLAG_PAM_NT_STATUS_SQUASH
) {
2920 result
= nt_status_squash(result
);
2923 *r
->out
.authoritative
= authoritative
;
2926 * Log the winbind pam authentication, the logon_id will tie this to
2927 * any of the logons invoked from this request.
2934 r
->out
.validation
->level
,
2935 r
->out
.validation
->validation
,
2951 NTSTATUS
_wbint_PamAuthChangePassword(struct pipes_struct
*p
,
2952 struct wbint_PamAuthChangePassword
*r
)
2954 struct winbindd_domain
*contact_domain
= wb_child_domain();
2955 struct policy_handle dom_pol
;
2956 struct rpc_pipe_client
*cli
= NULL
;
2957 bool got_info
= false;
2958 struct samr_DomInfo1
*info
= NULL
;
2959 struct userPwdChangeFailureInformation
*reject
= NULL
;
2960 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
2961 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
2962 char *namespace = NULL
;
2963 char *domain
= NULL
;
2965 struct dcerpc_binding_handle
*b
= NULL
;
2969 ZERO_STRUCT(dom_pol
);
2971 if (contact_domain
== NULL
) {
2972 return NT_STATUS_REQUEST_NOT_ACCEPTED
;
2975 /* Cut client_pid to 32bit */
2976 client_pid
= r
->in
.client_pid
;
2977 if ((uint64_t)client_pid
!= r
->in
.client_pid
) {
2978 DBG_DEBUG("pid out of range\n");
2979 return NT_STATUS_INVALID_PARAMETER
;
2982 DBG_NOTICE("[%"PRIu32
"]: dual pam chauthtok %s\n",
2983 client_pid
, r
->in
.user
);
2985 ok
= parse_domain_user(p
->mem_ctx
,
2994 if (!is_allowed_domain(domain
)) {
2995 DBG_NOTICE("Authentication failed for user [%s] "
2996 "from firewalled domain [%s]\n",
2998 result
= NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
;
3002 /* Initialize reject reason */
3003 *r
->out
.reject_reason
= Undefined
;
3005 /* Get sam handle */
3007 result
= cm_connect_sam(contact_domain
,
3012 if (!NT_STATUS_IS_OK(result
)) {
3013 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain
));
3017 b
= cli
->binding_handle
;
3019 status
= dcerpc_samr_chgpasswd_user4(cli
->binding_handle
,
3021 cli
->srv_name_slash
,
3026 if (NT_STATUS_IS_OK(status
) && NT_STATUS_IS_OK(result
)) {
3027 /* Password successfully changed. */
3030 if (!NT_STATUS_IS_OK(status
)) {
3031 if (NT_STATUS_EQUAL(status
, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
) ||
3032 NT_STATUS_EQUAL(status
, NT_STATUS_NOT_SUPPORTED
) ||
3033 NT_STATUS_EQUAL(status
, NT_STATUS_NOT_IMPLEMENTED
)) {
3034 /* DO NOT FALLBACK TO RC4 */
3035 if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED
) {
3036 result
= NT_STATUS_STRONG_CRYPTO_NOT_SUPPORTED
;
3037 goto process_result
;
3041 /* Password change was unsuccessful. */
3042 if (!NT_STATUS_IS_OK(result
)) {
3047 result
= rpccli_samr_chgpasswd_user3(cli
,
3055 /* Windows 2003 returns NT_STATUS_PASSWORD_RESTRICTION */
3057 if (NT_STATUS_EQUAL(result
, NT_STATUS_PASSWORD_RESTRICTION
) ) {
3059 *r
->out
.dominfo
= talloc_steal(p
->mem_ctx
, info
);
3060 *r
->out
.reject_reason
= reject
->extendedFailureReason
;
3065 /* atm the pidl generated rpccli_samr_ChangePasswordUser3 function will
3066 * return with NT_STATUS_BUFFER_TOO_SMALL for w2k dcs as w2k just
3067 * returns with 4byte error code (NT_STATUS_NOT_SUPPORTED) which is too
3068 * short to comply with the samr_ChangePasswordUser3 idl - gd */
3070 /* only fallback when the chgpasswd_user3 call is not supported */
3071 if (NT_STATUS_EQUAL(result
, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
) ||
3072 NT_STATUS_EQUAL(result
, NT_STATUS_NOT_SUPPORTED
) ||
3073 NT_STATUS_EQUAL(result
, NT_STATUS_BUFFER_TOO_SMALL
) ||
3074 NT_STATUS_EQUAL(result
, NT_STATUS_NOT_IMPLEMENTED
)) {
3076 DEBUG(10,("Password change with chgpasswd_user3 failed with: %s, retrying chgpasswd_user2\n",
3077 nt_errstr(result
)));
3079 result
= rpccli_samr_chgpasswd_user2(cli
,
3083 r
->in
.old_password
);
3085 /* Windows 2000 returns NT_STATUS_ACCOUNT_RESTRICTION.
3086 Map to the same status code as Windows 2003. */
3088 if ( NT_STATUS_EQUAL(NT_STATUS_ACCOUNT_RESTRICTION
, result
) ) {
3089 result
= NT_STATUS_PASSWORD_RESTRICTION
;
3095 if (NT_STATUS_IS_OK(result
)
3096 && (r
->in
.flags
& WBFLAG_PAM_CACHED_LOGIN
)
3097 && lp_winbind_offline_logon()) {
3098 result
= winbindd_update_creds_by_name(contact_domain
, user
,
3099 r
->in
.new_password
);
3100 /* Again, this happens when we login from gdm or xdm
3101 * and the password expires, *BUT* cached credentials
3102 * don't exist. winbindd_update_creds_by_name()
3103 * returns NT_STATUS_NO_SUCH_USER.
3104 * This is not a failure.
3107 if (NT_STATUS_EQUAL(result
, NT_STATUS_NO_SUCH_USER
)) {
3108 result
= NT_STATUS_OK
;
3111 if (!NT_STATUS_IS_OK(result
)) {
3112 DEBUG(10, ("Failed to store creds: %s\n",
3113 nt_errstr(result
)));
3114 goto process_result
;
3118 if (!NT_STATUS_IS_OK(result
) && !got_info
&& contact_domain
) {
3120 NTSTATUS policy_ret
;
3122 policy_ret
= get_password_policy(contact_domain
,
3126 /* failure of this is non critical, it will just provide no
3127 * additional information to the client why the change has
3128 * failed - Guenther */
3130 if (!NT_STATUS_IS_OK(policy_ret
)) {
3131 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(policy_ret
)));
3132 goto process_result
;
3135 *r
->out
.dominfo
= talloc_steal(p
->mem_ctx
, info
);
3140 if (strequal(contact_domain
->name
, get_global_sam_name())) {
3141 /* FIXME: internal rpc pipe does not cache handles yet */
3143 if (is_valid_policy_hnd(&dom_pol
)) {
3145 dcerpc_samr_Close(b
,
3154 DEBUG(NT_STATUS_IS_OK(result
) ? 5 : 2,
3155 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
3159 nt_status_to_pam(result
)));
3164 NTSTATUS
_wbint_PamLogOff(struct pipes_struct
*p
, struct wbint_PamLogOff
*r
)
3166 struct winbindd_domain
*domain
= wb_child_domain();
3167 NTSTATUS result
= NT_STATUS_NOT_SUPPORTED
;
3171 if (domain
== NULL
) {
3172 return NT_STATUS_REQUEST_NOT_ACCEPTED
;
3175 /* Cut client_pid to 32bit */
3176 client_pid
= r
->in
.client_pid
;
3177 if ((uint64_t)client_pid
!= r
->in
.client_pid
) {
3178 DBG_DEBUG("pid out of range\n");
3179 return NT_STATUS_INVALID_PARAMETER
;
3182 /* Cut uid to 32bit */
3183 user_uid
= r
->in
.uid
;
3184 if ((uint64_t)user_uid
!= r
->in
.uid
) {
3185 DBG_DEBUG("uid out of range\n");
3186 return NT_STATUS_INVALID_PARAMETER
;
3189 DBG_NOTICE("[%"PRIu32
"]: pam dual logoff %s\n", client_pid
, r
->in
.user
);
3191 if (!(r
->in
.flags
& WBFLAG_PAM_KRB5
)) {
3192 result
= NT_STATUS_OK
;
3193 goto process_result
;
3196 if ((r
->in
.krb5ccname
== NULL
) || (strlen(r
->in
.krb5ccname
) == 0)) {
3197 result
= NT_STATUS_OK
;
3198 goto process_result
;
3203 if (user_uid
== (uid_t
)-1) {
3204 DBG_DEBUG("Invalid uid for user '%s'\n", r
->in
.user
);
3205 goto process_result
;
3208 /* what we need here is to find the corresponding krb5 ccache name *we*
3209 * created for a given username and destroy it */
3211 if (!ccache_entry_exists(r
->in
.user
)) {
3212 result
= NT_STATUS_OK
;
3213 DBG_DEBUG("No entry found for user '%s'.\n", r
->in
.user
);
3214 goto process_result
;
3217 if (!ccache_entry_identical(r
->in
.user
, user_uid
, r
->in
.krb5ccname
)) {
3218 DBG_DEBUG("Cached entry differs for user '%s'\n", r
->in
.user
);
3219 goto process_result
;
3222 result
= remove_ccache(r
->in
.user
);
3223 if (!NT_STATUS_IS_OK(result
)) {
3224 DBG_DEBUG("Failed to remove ccache for user '%s': %s\n",
3225 r
->in
.user
, nt_errstr(result
));
3226 goto process_result
;
3230 * Remove any mlock'ed memory creds in the child
3231 * we might be using for krb5 ticket renewal.
3234 winbindd_delete_memory_creds(r
->in
.user
);
3237 result
= NT_STATUS_NOT_SUPPORTED
;
3245 /* Change user password with auth crap*/
3247 NTSTATUS
_wbint_PamAuthCrapChangePassword(struct pipes_struct
*p
,
3248 struct wbint_PamAuthCrapChangePassword
*r
)
3251 char *namespace = NULL
;
3252 char *domain
= NULL
;
3254 struct policy_handle dom_pol
;
3255 struct winbindd_domain
*contact_domain
= wb_child_domain();
3256 struct rpc_pipe_client
*cli
= NULL
;
3257 struct dcerpc_binding_handle
*b
= NULL
;
3258 TALLOC_CTX
*frame
= talloc_stackframe();
3261 ZERO_STRUCT(dom_pol
);
3263 if (contact_domain
== NULL
) {
3264 return NT_STATUS_REQUEST_NOT_ACCEPTED
;
3267 /* Cut client_pid to 32bit */
3268 client_pid
= r
->in
.client_pid
;
3269 if ((uint64_t)client_pid
!= r
->in
.client_pid
) {
3270 DBG_DEBUG("pid out of range\n");
3271 return NT_STATUS_INVALID_PARAMETER
;
3274 DBG_NOTICE("[%"PRIu32
"]: pam change pswd auth crap domain: %s "
3275 "user: %s\n", client_pid
, r
->in
.domain
, r
->in
.user
);
3277 if (lp_winbind_offline_logon()) {
3278 DEBUG(0,("Refusing password change as winbind offline logons are enabled. "));
3279 DEBUGADD(0,("Changing passwords here would risk inconsistent logons\n"));
3280 result
= NT_STATUS_ACCESS_DENIED
;
3284 if (r
->in
.domain
!= NULL
&& strlen(r
->in
.domain
) > 0) {
3285 user
= talloc_strdup(frame
, "");
3286 namespace = talloc_strdup(frame
, "");
3287 domain
= talloc_strdup(frame
, r
->in
.domain
);
3288 if (domain
== NULL
|| user
== NULL
|| namespace == NULL
) {
3289 result
= NT_STATUS_NO_MEMORY
;
3296 ok
= parse_domain_user(frame
,
3302 result
= NT_STATUS_INVALID_PARAMETER
;
3306 if (strlen(domain
) == 0) {
3307 DBG_NOTICE("no domain specified with username (%s) - "
3308 "failing auth\n", r
->in
.user
);
3309 result
= NT_STATUS_NO_SUCH_USER
;
3314 if (!*domain
&& lp_winbind_use_default_domain()) {
3315 TALLOC_FREE(domain
);
3316 domain
= talloc_strdup(frame
, lp_workgroup());
3317 if (domain
== NULL
) {
3318 result
= NT_STATUS_NO_MEMORY
;
3323 if (!is_allowed_domain(domain
)) {
3324 DBG_NOTICE("Authentication failed for user [%s] "
3325 "from firewalled domain [%s]\n",
3328 result
= NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
;
3334 user
= talloc_strdup(frame
, r
->in
.user
);
3336 result
= NT_STATUS_NO_SUCH_USER
;
3341 /* Get sam handle */
3343 result
= cm_connect_sam(contact_domain
,
3348 if (!NT_STATUS_IS_OK(result
)) {
3349 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain
));
3353 b
= cli
->binding_handle
;
3355 result
= rpccli_samr_chng_pswd_auth_crap(cli
,
3359 r
->in
.old_nt_hash_enc
,
3361 r
->in
.old_lm_hash_enc
);
3365 if (strequal(contact_domain
->name
, get_global_sam_name())) {
3366 /* FIXME: internal rpc pipe does not cache handles yet */
3368 if (is_valid_policy_hnd(&dom_pol
)) {
3370 dcerpc_samr_Close(b
,
3379 DEBUG(NT_STATUS_IS_OK(result
) ? 5 : 2,
3380 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
3383 nt_status_to_pam(result
)));
3389 static NTSTATUS
extract_pac_vrfy_sigs(TALLOC_CTX
*mem_ctx
, DATA_BLOB pac_blob
,
3390 struct PAC_DATA
**p_pac_data
)
3392 krb5_context krbctx
= NULL
;
3393 krb5_error_code k5ret
;
3395 krb5_kt_cursor cursor
;
3396 krb5_keytab_entry entry
;
3397 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
3400 ZERO_STRUCT(cursor
);
3402 k5ret
= smb_krb5_init_context_common(&krbctx
);
3404 DBG_ERR("kerberos init context failed (%s)\n",
3405 error_message(k5ret
));
3406 status
= krb5_to_nt_status(k5ret
);
3410 k5ret
= gse_krb5_get_server_keytab(krbctx
, &keytab
);
3412 DEBUG(1, ("Failed to get keytab: %s\n",
3413 error_message(k5ret
)));
3414 status
= krb5_to_nt_status(k5ret
);
3418 k5ret
= krb5_kt_start_seq_get(krbctx
, keytab
, &cursor
);
3420 DEBUG(1, ("Failed to start seq: %s\n",
3421 error_message(k5ret
)));
3422 status
= krb5_to_nt_status(k5ret
);
3426 k5ret
= krb5_kt_next_entry(krbctx
, keytab
, &entry
, &cursor
);
3427 while (k5ret
== 0) {
3428 status
= kerberos_decode_pac(mem_ctx
,
3431 NULL
, /* krbtgt_keyblock */
3432 KRB5_KT_KEY(&entry
), /* service_keyblock */
3433 NULL
, /* client_principal */
3434 0, /* tgs_authtime */
3436 if (NT_STATUS_IS_OK(status
)) {
3439 k5ret
= smb_krb5_kt_free_entry(krbctx
, &entry
);
3440 k5ret
= krb5_kt_next_entry(krbctx
, keytab
, &entry
, &cursor
);
3443 k5ret
= krb5_kt_end_seq_get(krbctx
, keytab
, &cursor
);
3445 DEBUG(1, ("Failed to end seq: %s\n",
3446 error_message(k5ret
)));
3449 k5ret
= krb5_kt_close(krbctx
, keytab
);
3451 DEBUG(1, ("Failed to close keytab: %s\n",
3452 error_message(k5ret
)));
3455 krb5_free_context(krbctx
);
3460 NTSTATUS
winbindd_pam_auth_pac_verify(struct winbindd_cli_state
*state
,
3461 TALLOC_CTX
*mem_ctx
,
3463 uint16_t *p_validation_level
,
3464 union netr_Validation
**p_validation
)
3466 struct winbindd_request
*req
= state
->request
;
3468 struct PAC_DATA
*pac_data
= NULL
;
3469 struct PAC_LOGON_INFO
*logon_info
= NULL
;
3470 struct PAC_UPN_DNS_INFO
*upn_dns_info
= NULL
;
3471 struct netr_SamInfo6
*info6
= NULL
;
3472 uint16_t validation_level
= 0;
3473 union netr_Validation
*validation
= NULL
;
3474 struct netr_SamInfo3
*info3_copy
= NULL
;
3476 bool is_trusted
= false;
3478 TALLOC_CTX
*tmp_ctx
= NULL
;
3480 tmp_ctx
= talloc_new(mem_ctx
);
3481 if (tmp_ctx
== NULL
) {
3482 return NT_STATUS_NO_MEMORY
;
3485 *p_is_trusted
= false;
3486 *p_validation_level
= 0;
3487 *p_validation
= NULL
;
3489 pac_blob
= data_blob_const(req
->extra_data
.data
, req
->extra_len
);
3490 result
= extract_pac_vrfy_sigs(tmp_ctx
, pac_blob
, &pac_data
);
3491 if (NT_STATUS_IS_OK(result
)) {
3494 if (NT_STATUS_EQUAL(result
, NT_STATUS_ACCESS_DENIED
)) {
3495 /* Try without signature verification */
3496 result
= kerberos_decode_pac(tmp_ctx
,
3498 NULL
, /* krb5_context */
3499 NULL
, /* krbtgt_keyblock */
3500 NULL
, /* service_keyblock */
3501 NULL
, /* client_principal */
3502 0, /* tgs_authtime */
3505 if (!NT_STATUS_IS_OK(result
)) {
3506 DEBUG(1, ("Error during PAC signature verification: %s\n",
3507 nt_errstr(result
)));
3511 for (i
=0; i
< pac_data
->num_buffers
; i
++) {
3512 if (pac_data
->buffers
[i
].type
== PAC_TYPE_LOGON_INFO
) {
3513 logon_info
= pac_data
->buffers
[i
].info
->logon_info
.info
;
3516 if (pac_data
->buffers
[i
].type
== PAC_TYPE_UPN_DNS_INFO
) {
3517 upn_dns_info
= &pac_data
->buffers
[i
].info
->upn_dns_info
;
3522 result
= create_info6_from_pac(tmp_ctx
,
3526 if (!NT_STATUS_IS_OK(result
)) {
3530 if (!is_allowed_domain(info6
->base
.logon_domain
.string
)) {
3531 DBG_NOTICE("Authentication failed for user [%s] "
3532 "from firewalled domain [%s]\n",
3533 info6
->base
.account_name
.string
,
3534 info6
->base
.logon_domain
.string
);
3535 result
= NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
;
3539 result
= map_info6_to_validation(tmp_ctx
,
3543 if (!NT_STATUS_IS_OK(result
)) {
3547 result
= map_validation_to_info3(tmp_ctx
,
3551 if (!NT_STATUS_IS_OK(result
)) {
3557 * Signature verification succeeded, we can
3558 * trust the PAC and prime the netsamlogon
3559 * and name2sid caches. DO NOT DO THIS
3560 * in the signature verification failed
3563 struct winbindd_domain
*domain
= NULL
;
3565 netsamlogon_cache_store(NULL
, info3_copy
);
3568 * We're in the parent here, so find the child
3569 * pointer from the PAC domain name.
3571 domain
= find_lookup_domain_from_name(
3572 info3_copy
->base
.logon_domain
.string
);
3573 if (domain
&& domain
->primary
) {
3574 struct dom_sid user_sid
;
3575 struct dom_sid_buf buf
;
3577 sid_compose(&user_sid
,
3578 info3_copy
->base
.domain_sid
,
3579 info3_copy
->base
.rid
);
3581 cache_name2sid_trusted(domain
,
3582 info3_copy
->base
.logon_domain
.string
,
3583 info3_copy
->base
.account_name
.string
,
3587 DBG_INFO("PAC for user %s\\%s SID %s primed cache\n",
3588 info3_copy
->base
.logon_domain
.string
,
3589 info3_copy
->base
.account_name
.string
,
3590 dom_sid_str_buf(&user_sid
, &buf
));
3594 *p_is_trusted
= is_trusted
;
3595 *p_validation_level
= validation_level
;
3596 *p_validation
= talloc_move(mem_ctx
, &validation
);
3598 result
= NT_STATUS_OK
;
3600 TALLOC_FREE(tmp_ctx
);
3603 #else /* HAVE_KRB5 */
3604 NTSTATUS
winbindd_pam_auth_pac_verify(struct winbindd_cli_state
*state
,
3605 TALLOC_CTX
*mem_ctx
,
3607 uint16_t *p_validation_level
,
3608 union netr_Validation
**p_validation
);
3611 *p_is_trusted
= false;
3612 *p_validation_level
= 0;
3613 *p_validation
= NULL
;
3614 return NT_STATUS_NO_SUCH_USER
;
3616 #endif /* HAVE_KRB5 */