2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Andrew Tridgell 1992-1998
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 /* users from session setup */
24 static pstring session_users
="";
26 /* this holds info on user ids that are already validated for this VC */
27 static user_struct
*validated_users
;
28 static int next_vuid
= VUID_OFFSET
;
29 static int num_validated_vuids
;
31 /****************************************************************************
32 check if a uid has been validated, and return an pointer to the user_struct
33 if it has. NULL if not. vuid is biased by an offset. This allows us to
34 tell random client vuid's (normally zero) from valid vuids.
35 ****************************************************************************/
36 user_struct
*get_valid_user_struct(uint16 vuid
)
41 if (vuid
== UID_FIELD_INVALID
)
44 for (usp
=validated_users
;usp
;usp
=usp
->next
,count
++) {
45 if (vuid
== usp
->vuid
) {
47 DLIST_PROMOTE(validated_users
, usp
);
56 /****************************************************************************
58 ****************************************************************************/
59 void invalidate_vuid(uint16 vuid
)
61 user_struct
*vuser
= get_valid_user_struct(vuid
);
66 SAFE_FREE(vuser
->homedir
);
70 DLIST_REMOVE(validated_users
, vuser
);
72 SAFE_FREE(vuser
->groups
);
73 delete_nt_token(&vuser
->nt_user_token
);
75 num_validated_vuids
--;
78 /****************************************************************************
79 invalidate all vuid entries for this process
80 ****************************************************************************/
81 void invalidate_all_vuids(void)
83 user_struct
*usp
, *next
=NULL
;
85 for (usp
=validated_users
;usp
;usp
=next
) {
88 invalidate_vuid(usp
->vuid
);
92 /****************************************************************************
93 Create the SID list for this user.
94 ****************************************************************************/
96 NT_USER_TOKEN
*create_nt_token(uid_t uid
, gid_t gid
, int ngroups
, gid_t
*groups
, BOOL is_guest
, NT_USER_TOKEN
*sup_tok
)
98 extern DOM_SID global_sid_World
;
99 extern DOM_SID global_sid_Network
;
100 extern DOM_SID global_sid_Builtin_Guests
;
101 extern DOM_SID global_sid_Authenticated_Users
;
102 NT_USER_TOKEN
*token
;
108 if ((token
= (NT_USER_TOKEN
*)malloc( sizeof(NT_USER_TOKEN
) ) ) == NULL
)
113 /* We always have uid/gid plus World and Network and Authenticated Users or Guest SIDs. */
114 num_sids
= 5 + ngroups
;
116 if (sup_tok
&& sup_tok
->num_sids
)
117 num_sids
+= sup_tok
->num_sids
;
119 if ((token
->user_sids
= (DOM_SID
*)malloc( num_sids
*sizeof(DOM_SID
))) == NULL
) {
124 psids
= token
->user_sids
;
127 * Note - user SID *MUST* be first in token !
128 * se_access_check depends on this.
131 uid_to_sid( &psids
[PRIMARY_USER_SID_INDEX
], uid
);
135 * Primary group SID is second in token. Convention.
138 gid_to_sid( &psids
[PRIMARY_GROUP_SID_INDEX
], gid
);
141 /* Now add the group SIDs. */
143 for (i
= 0; i
< ngroups
; i
++) {
144 if (groups
[i
] != gid
) {
145 gid_to_sid( &psids
[psid_ndx
++], groups
[i
]);
150 /* Now add the additional SIDs from the supplimentary token. */
151 for (i
= 0; i
< sup_tok
->num_sids
; i
++)
152 sid_copy( &psids
[psid_ndx
++], &sup_tok
->user_sids
[i
] );
156 * Finally add the "standard" SIDs.
157 * The only difference between guest and "anonymous" (which we
158 * don't really support) is the addition of Authenticated_Users.
161 sid_copy( &psids
[psid_ndx
++], &global_sid_World
);
162 sid_copy( &psids
[psid_ndx
++], &global_sid_Network
);
165 sid_copy( &psids
[psid_ndx
++], &global_sid_Builtin_Guests
);
167 sid_copy( &psids
[psid_ndx
++], &global_sid_Authenticated_Users
);
169 token
->num_sids
= psid_ndx
;
171 /* Dump list of sids in token */
173 for (i
= 0; i
< token
->num_sids
; i
++) {
174 DEBUG(5, ("user token sid %s\n",
175 sid_to_string(sid_str
, &token
->user_sids
[i
])));
181 /****************************************************************************
182 register a uid/name pair as being valid and that a valid password
183 has been given. vuid is biased by an offset. This allows us to
184 tell random client vuid's (normally zero) from valid vuids.
185 ****************************************************************************/
187 int register_vuid(auth_serversupplied_info
*server_info
, char *smb_name
)
189 user_struct
*vuser
= NULL
;
193 /* Ensure no vuid gets registered in share level security. */
194 if(lp_security() == SEC_SHARE
)
195 return UID_FIELD_INVALID
;
197 /* Limit allowed vuids to 16bits - VUID_OFFSET. */
198 if (num_validated_vuids
>= 0xFFFF-VUID_OFFSET
)
199 return UID_FIELD_INVALID
;
201 if((vuser
= (user_struct
*)malloc( sizeof(user_struct
) )) == NULL
) {
202 DEBUG(0,("Failed to malloc users struct!\n"));
203 return UID_FIELD_INVALID
;
208 if (!IS_SAM_UNIX_USER(server_info
->sam_account
)) {
209 DEBUG(0,("Attempted session setup with invalid user. No uid/gid in SAM_ACCOUNT (flags:%x)\n", pdb_get_init_flag(server_info
->sam_account
)));
211 return UID_FIELD_INVALID
;
214 uid
= pdb_get_uid(server_info
->sam_account
);
215 gid
= pdb_get_gid(server_info
->sam_account
);
217 /* Allocate a free vuid. Yes this is a linear search... :-) */
218 while( get_valid_user_struct(next_vuid
) != NULL
) {
220 /* Check for vuid wrap. */
221 if (next_vuid
== UID_FIELD_INVALID
)
222 next_vuid
= VUID_OFFSET
;
225 DEBUG(10,("register_vuid: allocated vuid = %u\n", (unsigned int)next_vuid
));
227 vuser
->vuid
= next_vuid
;
230 vuser
->guest
= server_info
->guest
;
231 fstrcpy(vuser
->user
.unix_name
, pdb_get_username(server_info
->sam_account
));
232 fstrcpy(vuser
->user
.smb_name
, smb_name
);
233 fstrcpy(vuser
->user
.domain
, pdb_get_domain(server_info
->sam_account
));
234 fstrcpy(vuser
->user
.full_name
, pdb_get_fullname(server_info
->sam_account
));
237 /* Keep the homedir handy */
238 const char *homedir
= pdb_get_homedir(server_info
->sam_account
);
239 const char *unix_homedir
= pdb_get_unix_homedir(server_info
->sam_account
);
240 const char *logon_script
= pdb_get_logon_script(server_info
->sam_account
);
242 vuser
->homedir
= smb_xstrdup(homedir
);
246 vuser
->unix_homedir
= smb_xstrdup(unix_homedir
);
250 vuser
->logon_script
= smb_xstrdup(logon_script
);
254 memcpy(vuser
->session_key
, server_info
->session_key
, sizeof(vuser
->session_key
));
256 DEBUG(10,("register_vuid: (%u,%u) %s %s %s guest=%d\n",
257 (unsigned int)vuser
->uid
,
258 (unsigned int)vuser
->gid
,
259 vuser
->user
.unix_name
, vuser
->user
.smb_name
, vuser
->user
.domain
, vuser
->guest
));
261 DEBUG(3, ("User name: %s\tReal name: %s\n",vuser
->user
.unix_name
,vuser
->user
.full_name
));
264 vuser
->groups
= NULL
;
266 /* Find all the groups this uid is in and store them.
267 Used by change_to_user() */
268 initialise_groups(vuser
->user
.unix_name
, vuser
->uid
, vuser
->gid
);
269 get_current_groups(vuser
->gid
, &vuser
->n_groups
, &vuser
->groups
);
271 if (server_info
->ptok
)
272 add_supplementary_nt_login_groups(&vuser
->n_groups
, &vuser
->groups
, &server_info
->ptok
);
274 /* Create an NT_USER_TOKEN struct for this user. */
275 vuser
->nt_user_token
= create_nt_token(vuser
->uid
, vuser
->gid
, vuser
->n_groups
, vuser
->groups
, vuser
->guest
, server_info
->ptok
);
277 DEBUG(3,("UNIX uid %d is UNIX user %s, and will be vuid %u\n",(int)vuser
->uid
,vuser
->user
.unix_name
, vuser
->vuid
));
280 num_validated_vuids
++;
282 DLIST_ADD(validated_users
, vuser
);
284 if (!session_claim(vuser
)) {
285 DEBUG(1,("Failed to claim session for vuid=%d\n", vuser
->vuid
));
286 invalidate_vuid(vuser
->vuid
);
290 /* Register a home dir service for this user */
291 if ((!vuser
->guest
) && vuser
->unix_homedir
&& *(vuser
->unix_homedir
)) {
292 DEBUG(3, ("Adding/updating homes service for user '%s' using home direcotry: '%s'\n",
293 vuser
->user
.unix_name
, vuser
->unix_homedir
));
294 vuser
->homes_snum
= add_home_service(vuser
->user
.unix_name
, vuser
->user
.unix_name
, vuser
->unix_homedir
);
296 vuser
->homes_snum
= -1;
303 /****************************************************************************
304 add a name to the session users list
305 ****************************************************************************/
306 void add_session_user(const char *user
)
309 StrnCpy(suser
,user
,sizeof(suser
)-1);
311 if (!Get_Pwnam_Modify(suser
)) return;
313 if (suser
&& *suser
&& !in_list(suser
,session_users
,False
))
315 if (strlen(suser
) + strlen(session_users
) + 2 >= sizeof(pstring
))
316 DEBUG(1,("Too many session users??\n"));
319 pstrcat(session_users
," ");
320 pstrcat(session_users
,suser
);
326 /****************************************************************************
327 check if a username is valid
328 ****************************************************************************/
329 BOOL
user_ok(const char *user
,int snum
)
331 char **valid
, **invalid
;
334 valid
= invalid
= NULL
;
337 if (lp_invalid_users(snum
)) {
338 str_list_copy(&invalid
, lp_invalid_users(snum
));
339 if (invalid
&& str_list_substitute(invalid
, "%S", lp_servicename(snum
))) {
340 ret
= !user_in_list(user
, invalid
);
343 if (invalid
) str_list_free (&invalid
);
345 if (ret
&& lp_valid_users(snum
)) {
346 str_list_copy(&valid
, lp_valid_users(snum
));
347 if (valid
&& str_list_substitute(valid
, "%S", lp_servicename(snum
))) {
348 ret
= user_in_list(user
,valid
);
351 if (valid
) str_list_free (&valid
);
353 if (ret
&& lp_onlyuser(snum
)) {
354 char **user_list
= str_list_make (lp_username(snum
), NULL
);
355 if (user_list
&& str_list_substitute(user_list
, "%S", lp_servicename(snum
))) {
356 ret
= user_in_list(user
, user_list
);
358 if (user_list
) str_list_free (&user_list
);
364 /****************************************************************************
365 validate a group username entry. Return the username or NULL
366 ****************************************************************************/
367 static char *validate_group(char *group
, DATA_BLOB password
,int snum
)
371 char *host
, *user
, *domain
;
373 while (getnetgrent(&host
, &user
, &domain
)) {
375 if (user_ok(user
, snum
) &&
376 password_ok(user
,password
)) {
390 while ((gptr
= (struct group
*)getgrent())) {
391 if (strequal(gptr
->gr_name
,group
))
396 * As user_ok can recurse doing a getgrent(), we must
397 * copy the member list into a pstring on the stack before
398 * use. Bug pointed out by leon@eatworms.swmed.edu.
404 size_t copied_len
= 0;
408 member
= member_list
;
410 for(i
= 0; gptr
->gr_mem
&& gptr
->gr_mem
[i
]; i
++) {
411 size_t member_len
= strlen(gptr
->gr_mem
[i
]) + 1;
412 if( copied_len
+ member_len
< sizeof(pstring
)) {
414 DEBUG(10,("validate_group: = gr_mem = %s\n", gptr
->gr_mem
[i
]));
416 safe_strcpy(member
, gptr
->gr_mem
[i
], sizeof(pstring
) - copied_len
- 1);
417 copied_len
+= member_len
;
418 member
+= copied_len
;
426 member
= member_list
;
429 fstrcpy(name
,member
);
430 if (user_ok(name
,snum
) &&
431 password_ok(name
,password
)) {
436 DEBUG(10,("validate_group = member = %s\n", member
));
438 member
+= strlen(member
) + 1;
449 /****************************************************************************
450 Check for authority to login to a service with a given username/password.
451 Note this is *NOT* used when logging on using sessionsetup_and_X.
452 ****************************************************************************/
454 BOOL
authorise_login(int snum
,char *user
, DATA_BLOB password
,
460 DEBUG(100,("authorise_login: checking authorisation on user=%s pass=%s\n",
461 user
,password
.data
));
466 /* there are several possibilities:
467 1) login as the given user with given password
468 2) login as a previously registered username with the given password
469 3) login as a session list username with the given password
470 4) login as a previously validated user/password pair
471 5) login as the "user =" user with given password
472 6) login as the "user =" user with no password (guest connection)
473 7) login as guest user with no password
475 if the service is guest_only then steps 1 to 5 are skipped
478 /* now check the list of session users */
481 char *user_list
= strdup(session_users
);
485 for (auser
=strtok(user_list
,LIST_SEP
); !ok
&& auser
;
486 auser
= strtok(NULL
,LIST_SEP
)) {
488 fstrcpy(user2
,auser
);
489 if (!user_ok(user2
,snum
))
492 if (password_ok(user2
,password
)) {
495 DEBUG(3,("authorise_login: ACCEPTED: session list username (%s) \
496 and given password ok\n", user
));
500 SAFE_FREE(user_list
);
503 /* check the user= fields and the given password */
504 if (!ok
&& lp_username(snum
)) {
507 StrnCpy(user_list
,lp_username(snum
),sizeof(pstring
));
509 pstring_sub(user_list
,"%S",lp_servicename(snum
));
511 for (auser
=strtok(user_list
,LIST_SEP
); auser
&& !ok
;
512 auser
= strtok(NULL
,LIST_SEP
)) {
514 auser
= validate_group(auser
+1,password
,snum
);
518 DEBUG(3,("authorise_login: ACCEPTED: group username \
519 and given password ok (%s)\n", user
));
523 fstrcpy(user2
,auser
);
524 if (user_ok(user2
,snum
) && password_ok(user2
,password
)) {
527 DEBUG(3,("authorise_login: ACCEPTED: user list username \
528 and given password ok (%s)\n", user
));
534 /* check for a normal guest connection */
535 if (!ok
&& GUEST_OK(snum
)) {
537 StrnCpy(guestname
,lp_guestaccount(),sizeof(guestname
)-1);
538 if (Get_Pwnam(guestname
)) {
539 fstrcpy(user
,guestname
);
541 DEBUG(3,("authorise_login: ACCEPTED: guest account and guest ok (%s)\n",
544 DEBUG(0,("authorise_login: Invalid guest account %s??\n",guestname
));
549 if (ok
&& !user_ok(user
,snum
)) {
550 DEBUG(0,("authorise_login: rejected invalid user %s\n",user
));