search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix bug 5691: SIGBUS on Solaris
[Samba.git] / source / auth / auth_util.c
bloba183afbe1a3e7a794490dd3db5a2998b42226a8e
1 /*
2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Volker Lendecke 2006
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25
26 #undef DBGC_CLASS
27 #define DBGC_CLASS DBGC_AUTH
28
29 /****************************************************************************
30 Ensure primary group SID is always at position 0 in a
31 auth_serversupplied_info struct.
32 ****************************************************************************/
33
34 static void sort_sid_array_for_smbd(auth_serversupplied_info *result,
35 const DOM_SID *pgroup_sid)
36 {
37 unsigned int i;
38
39 if (!result->sids) {
40 return;
41 }
42
43 if (sid_compare(&result->sids[0], pgroup_sid)==0) {
44 return;
45 }
46
47 for (i = 1; i < result->num_sids; i++) {
48 if (sid_compare(pgroup_sid,
49 &result->sids[i]) == 0) {
50 sid_copy(&result->sids[i], &result->sids[0]);
51 sid_copy(&result->sids[0], pgroup_sid);
52 return;
53 }
54 }
55 }
56
57 /****************************************************************************
58 Create a UNIX user on demand.
59 ****************************************************************************/
60
61 static int smb_create_user(const char *domain, const char *unix_username, const char *homedir)
62 {
63 TALLOC_CTX *ctx = talloc_tos();
64 char *add_script;
65 int ret;
66
67 add_script = talloc_strdup(ctx, lp_adduser_script());
68 if (!add_script || !*add_script) {
69 return -1;
70 }
71 add_script = talloc_all_string_sub(ctx,
72 add_script,
73 "%u",
74 unix_username);
75 if (!add_script) {
76 return -1;
77 }
78 if (domain) {
79 add_script = talloc_all_string_sub(ctx,
80 add_script,
81 "%D",
82 domain);
83 if (!add_script) {
84 return -1;
85 }
86 }
87 if (homedir) {
88 add_script = talloc_all_string_sub(ctx,
89 add_script,
90 "%H",
91 homedir);
92 if (!add_script) {
93 return -1;
94 }
95 }
96 ret = smbrun(add_script,NULL);
97 flush_pwnam_cache();
98 DEBUG(ret ? 0 : 3,
99 ("smb_create_user: Running the command `%s' gave %d\n",
100 add_script,ret));
101 return ret;
102 }
103
104 /****************************************************************************
105 Create an auth_usersupplied_data structure
106 ****************************************************************************/
107
108 static NTSTATUS make_user_info(auth_usersupplied_info **user_info,
109 const char *smb_name,
110 const char *internal_username,
111 const char *client_domain,
112 const char *domain,
113 const char *wksta_name,
114 DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd,
115 DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd,
116 DATA_BLOB *plaintext,
117 bool encrypted)
118 {
119
120 DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name));
121
122 *user_info = SMB_MALLOC_P(auth_usersupplied_info);
123 if (*user_info == NULL) {
124 DEBUG(0,("malloc failed for user_info (size %lu)\n", (unsigned long)sizeof(*user_info)));
125 return NT_STATUS_NO_MEMORY;
126 }
127
128 ZERO_STRUCTP(*user_info);
129
130 DEBUG(5,("making strings for %s's user_info struct\n", internal_username));
131
132 (*user_info)->smb_name = SMB_STRDUP(smb_name);
133 if ((*user_info)->smb_name == NULL) {
134 free_user_info(user_info);
135 return NT_STATUS_NO_MEMORY;
136 }
137
138 (*user_info)->internal_username = SMB_STRDUP(internal_username);
139 if ((*user_info)->internal_username == NULL) {
140 free_user_info(user_info);
141 return NT_STATUS_NO_MEMORY;
142 }
143
144 (*user_info)->domain = SMB_STRDUP(domain);
145 if ((*user_info)->domain == NULL) {
146 free_user_info(user_info);
147 return NT_STATUS_NO_MEMORY;
148 }
149
150 (*user_info)->client_domain = SMB_STRDUP(client_domain);
151 if ((*user_info)->client_domain == NULL) {
152 free_user_info(user_info);
153 return NT_STATUS_NO_MEMORY;
154 }
155
156 (*user_info)->wksta_name = SMB_STRDUP(wksta_name);
157 if ((*user_info)->wksta_name == NULL) {
158 free_user_info(user_info);
159 return NT_STATUS_NO_MEMORY;
160 }
161
162 DEBUG(5,("making blobs for %s's user_info struct\n", internal_username));
163
164 if (lm_pwd)
165 (*user_info)->lm_resp = data_blob(lm_pwd->data, lm_pwd->length);
166 if (nt_pwd)
167 (*user_info)->nt_resp = data_blob(nt_pwd->data, nt_pwd->length);
168 if (lm_interactive_pwd)
169 (*user_info)->lm_interactive_pwd = data_blob(lm_interactive_pwd->data, lm_interactive_pwd->length);
170 if (nt_interactive_pwd)
171 (*user_info)->nt_interactive_pwd = data_blob(nt_interactive_pwd->data, nt_interactive_pwd->length);
172
173 if (plaintext)
174 (*user_info)->plaintext_password = data_blob(plaintext->data, plaintext->length);
175
176 (*user_info)->encrypted = encrypted;
177
178 (*user_info)->logon_parameters = 0;
179
180 DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name));
181
182 return NT_STATUS_OK;
183 }
184
185 /****************************************************************************
186 Create an auth_usersupplied_data structure after appropriate mapping.
187 ****************************************************************************/
188
189 NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
190 const char *smb_name,
191 const char *client_domain,
192 const char *wksta_name,
193 DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd,
194 DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd,
195 DATA_BLOB *plaintext,
196 bool encrypted)
197 {
198 const char *domain;
199 NTSTATUS result;
200 bool was_mapped;
201 fstring internal_username;
202 fstrcpy(internal_username, smb_name);
203 was_mapped = map_username(internal_username);
204
205 DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n",
206 client_domain, smb_name, wksta_name));
207
208 /* don't allow "" as a domain, fixes a Win9X bug
209 where it doens't supply a domain for logon script
210 'net use' commands. */
211
212 if ( *client_domain )
213 domain = client_domain;
214 else
215 domain = lp_workgroup();
216
217 /* do what win2k does. Always map unknown domains to our own
218 and let the "passdb backend" handle unknown users. */
219
220 if ( !is_trusted_domain(domain) && !strequal(domain, get_global_sam_name()) )
221 domain = my_sam_name();
222
223 /* we know that it is a trusted domain (and we are allowing them) or it is our domain */
224
225 result = make_user_info(user_info, smb_name, internal_username,
226 client_domain, domain, wksta_name,
227 lm_pwd, nt_pwd,
228 lm_interactive_pwd, nt_interactive_pwd,
229 plaintext, encrypted);
230 if (NT_STATUS_IS_OK(result)) {
231 (*user_info)->was_mapped = was_mapped;
232 }
233 return result;
234 }
235
236 /****************************************************************************
237 Create an auth_usersupplied_data, making the DATA_BLOBs here.
238 Decrypt and encrypt the passwords.
239 ****************************************************************************/
240
241 bool make_user_info_netlogon_network(auth_usersupplied_info **user_info,
242 const char *smb_name,
243 const char *client_domain,
244 const char *wksta_name,
245 uint32 logon_parameters,
246 const uchar *lm_network_pwd,
247 int lm_pwd_len,
248 const uchar *nt_network_pwd,
249 int nt_pwd_len)
250 {
251 bool ret;
252 NTSTATUS status;
253 DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len);
254 DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
255
256 status = make_user_info_map(user_info,
257 smb_name, client_domain,
258 wksta_name,
259 lm_pwd_len ? &lm_blob : NULL,
260 nt_pwd_len ? &nt_blob : NULL,
261 NULL, NULL, NULL,
262 True);
263
264 if (NT_STATUS_IS_OK(status)) {
265 (*user_info)->logon_parameters = logon_parameters;
266 }
267 ret = NT_STATUS_IS_OK(status) ? True : False;
268
269 data_blob_free(&lm_blob);
270 data_blob_free(&nt_blob);
271 return ret;
272 }
273
274 /****************************************************************************
275 Create an auth_usersupplied_data, making the DATA_BLOBs here.
276 Decrypt and encrypt the passwords.
277 ****************************************************************************/
278
279 bool make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
280 const char *smb_name,
281 const char *client_domain,
282 const char *wksta_name,
283 uint32 logon_parameters,
284 const uchar chal[8],
285 const uchar lm_interactive_pwd[16],
286 const uchar nt_interactive_pwd[16],
287 const uchar *dc_sess_key)
288 {
289 unsigned char lm_pwd[16];
290 unsigned char nt_pwd[16];
291 unsigned char local_lm_response[24];
292 unsigned char local_nt_response[24];
293 unsigned char key[16];
294
295 ZERO_STRUCT(key);
296 memcpy(key, dc_sess_key, 8);
297
298 if (lm_interactive_pwd)
299 memcpy(lm_pwd, lm_interactive_pwd, sizeof(lm_pwd));
300
301 if (nt_interactive_pwd)
302 memcpy(nt_pwd, nt_interactive_pwd, sizeof(nt_pwd));
303
304 #ifdef DEBUG_PASSWORD
305 DEBUG(100,("key:"));
306 dump_data(100, key, sizeof(key));
307
308 DEBUG(100,("lm owf password:"));
309 dump_data(100, lm_pwd, sizeof(lm_pwd));
310
311 DEBUG(100,("nt owf password:"));
312 dump_data(100, nt_pwd, sizeof(nt_pwd));
313 #endif
314
315 if (lm_interactive_pwd)
316 SamOEMhash(lm_pwd, key, sizeof(lm_pwd));
317
318 if (nt_interactive_pwd)
319 SamOEMhash(nt_pwd, key, sizeof(nt_pwd));
320
321 #ifdef DEBUG_PASSWORD
322 DEBUG(100,("decrypt of lm owf password:"));
323 dump_data(100, lm_pwd, sizeof(lm_pwd));
324
325 DEBUG(100,("decrypt of nt owf password:"));
326 dump_data(100, nt_pwd, sizeof(nt_pwd));
327 #endif
328
329 if (lm_interactive_pwd)
330 SMBOWFencrypt(lm_pwd, chal,
331 local_lm_response);
332
333 if (nt_interactive_pwd)
334 SMBOWFencrypt(nt_pwd, chal,
335 local_nt_response);
336
337 /* Password info paranoia */
338 ZERO_STRUCT(key);
339
340 {
341 bool ret;
342 NTSTATUS nt_status;
343 DATA_BLOB local_lm_blob;
344 DATA_BLOB local_nt_blob;
345
346 DATA_BLOB lm_interactive_blob;
347 DATA_BLOB nt_interactive_blob;
348
349 if (lm_interactive_pwd) {
350 local_lm_blob = data_blob(local_lm_response,
351 sizeof(local_lm_response));
352 lm_interactive_blob = data_blob(lm_pwd,
353 sizeof(lm_pwd));
354 ZERO_STRUCT(lm_pwd);
355 }
356
357 if (nt_interactive_pwd) {
358 local_nt_blob = data_blob(local_nt_response,
359 sizeof(local_nt_response));
360 nt_interactive_blob = data_blob(nt_pwd,
361 sizeof(nt_pwd));
362 ZERO_STRUCT(nt_pwd);
363 }
364
365 nt_status = make_user_info_map(
366 user_info,
367 smb_name, client_domain, wksta_name,
368 lm_interactive_pwd ? &local_lm_blob : NULL,
369 nt_interactive_pwd ? &local_nt_blob : NULL,
370 lm_interactive_pwd ? &lm_interactive_blob : NULL,
371 nt_interactive_pwd ? &nt_interactive_blob : NULL,
372 NULL, True);
373
374 if (NT_STATUS_IS_OK(nt_status)) {
375 (*user_info)->logon_parameters = logon_parameters;
376 }
377
378 ret = NT_STATUS_IS_OK(nt_status) ? True : False;
379 data_blob_free(&local_lm_blob);
380 data_blob_free(&local_nt_blob);
381 data_blob_free(&lm_interactive_blob);
382 data_blob_free(&nt_interactive_blob);
383 return ret;
384 }
385 }
386
387
388 /****************************************************************************
389 Create an auth_usersupplied_data structure
390 ****************************************************************************/
391
392 bool make_user_info_for_reply(auth_usersupplied_info **user_info,
393 const char *smb_name,
394 const char *client_domain,
395 const uint8 chal[8],
396 DATA_BLOB plaintext_password)
397 {
398
399 DATA_BLOB local_lm_blob;
400 DATA_BLOB local_nt_blob;
401 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
402
403 /*
404 * Not encrypted - do so.
405 */
406
407 DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted "
408 "format.\n"));
409
410 if (plaintext_password.data) {
411 unsigned char local_lm_response[24];
412
413 #ifdef DEBUG_PASSWORD
414 DEBUG(10,("Unencrypted password (len %d):\n",
415 (int)plaintext_password.length));
416 dump_data(100, plaintext_password.data,
417 plaintext_password.length);
418 #endif
419
420 SMBencrypt( (const char *)plaintext_password.data,
421 (const uchar*)chal, local_lm_response);
422 local_lm_blob = data_blob(local_lm_response, 24);
423
424 /* We can't do an NT hash here, as the password needs to be
425 case insensitive */
426 local_nt_blob = data_blob_null;
427
428 } else {
429 local_lm_blob = data_blob_null;
430 local_nt_blob = data_blob_null;
431 }
432
433 ret = make_user_info_map(
434 user_info, smb_name, client_domain,
435 get_remote_machine_name(),
436 local_lm_blob.data ? &local_lm_blob : NULL,
437 local_nt_blob.data ? &local_nt_blob : NULL,
438 NULL, NULL,
439 plaintext_password.data ? &plaintext_password : NULL,
440 False);
441
442 data_blob_free(&local_lm_blob);
443 return NT_STATUS_IS_OK(ret) ? True : False;
444 }
445
446 /****************************************************************************
447 Create an auth_usersupplied_data structure
448 ****************************************************************************/
449
450 NTSTATUS make_user_info_for_reply_enc(auth_usersupplied_info **user_info,
451 const char *smb_name,
452 const char *client_domain,
453 DATA_BLOB lm_resp, DATA_BLOB nt_resp)
454 {
455 return make_user_info_map(user_info, smb_name,
456 client_domain,
457 get_remote_machine_name(),
458 lm_resp.data ? &lm_resp : NULL,
459 nt_resp.data ? &nt_resp : NULL,
460 NULL, NULL, NULL,
461 True);
462 }
463
464 /****************************************************************************
465 Create a guest user_info blob, for anonymous authenticaion.
466 ****************************************************************************/
467
468 bool make_user_info_guest(auth_usersupplied_info **user_info)
469 {
470 NTSTATUS nt_status;
471
472 nt_status = make_user_info(user_info,
473 "","",
474 "","",
475 "",
476 NULL, NULL,
477 NULL, NULL,
478 NULL,
479 True);
480
481 return NT_STATUS_IS_OK(nt_status) ? True : False;
482 }
483
484 static int server_info_dtor(auth_serversupplied_info *server_info)
485 {
486 TALLOC_FREE(server_info->sam_account);
487 ZERO_STRUCTP(server_info);
488 return 0;
489 }
490
491 /***************************************************************************
492 Make a server_info struct. Free with TALLOC_FREE().
493 ***************************************************************************/
494
495 static auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx)
496 {
497 struct auth_serversupplied_info *result;
498
499 result = TALLOC_ZERO_P(mem_ctx, auth_serversupplied_info);
500 if (result == NULL) {
501 DEBUG(0, ("talloc failed\n"));
502 return NULL;
503 }
504
505 talloc_set_destructor(result, server_info_dtor);
506
507 /* Initialise the uid and gid values to something non-zero
508 which may save us from giving away root access if there
509 is a bug in allocating these fields. */
510
511 result->uid = -1;
512 result->gid = -1;
513 return result;
514 }
515
516 /***************************************************************************
517 Is the incoming username our own machine account ?
518 If so, the connection is almost certainly from winbindd.
519 ***************************************************************************/
520
521 static bool is_our_machine_account(const char *username)
522 {
523 bool ret;
524 char *truncname = NULL;
525 size_t ulen = strlen(username);
526
527 if (ulen == 0 || username[ulen-1] != '$') {
528 return false;
529 }
530 truncname = SMB_STRDUP(username);
531 if (!truncname) {
532 return false;
533 }
534 truncname[ulen-1] = '\0';
535 ret = strequal(truncname, global_myname());
536 SAFE_FREE(truncname);
537 return ret;
538 }
539
540 /***************************************************************************
541 Make (and fill) a user_info struct from a struct samu
542 ***************************************************************************/
543
544 NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
545 struct samu *sampass)
546 {
547 struct passwd *pwd;
548 gid_t *gids;
549 auth_serversupplied_info *result;
550 int i;
551 size_t num_gids;
552 DOM_SID unix_group_sid;
553 const char *username = pdb_get_username(sampass);
554 NTSTATUS status;
555
556 if ( !(result = make_server_info(NULL)) ) {
557 return NT_STATUS_NO_MEMORY;
558 }
559
560 if ( !(pwd = getpwnam_alloc(result, username)) ) {
561 DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n",
562 pdb_get_username(sampass)));
563 TALLOC_FREE(result);
564 return NT_STATUS_NO_SUCH_USER;
565 }
566
567 result->sam_account = sampass;
568 /* Ensure thaat the sampass will be freed with the result */
569 talloc_steal(result, sampass);
570 result->unix_name = pwd->pw_name;
571 /* Ensure that we keep pwd->pw_name, because we will free pwd below */
572 talloc_steal(result, pwd->pw_name);
573 result->gid = pwd->pw_gid;
574 result->uid = pwd->pw_uid;
575
576 TALLOC_FREE(pwd);
577
578 if (IS_DC && is_our_machine_account(username)) {
579 /*
580 * Ensure for a connection from our own
581 * machine account (from winbindd on a DC)
582 * there are no supplementary groups.
583 * Prevents loops in calling gid_to_sid().
584 */
585 result->sids = NULL;
586 gids = NULL;
587 result->num_sids = 0;
588
589 /*
590 * This is a hack of monstrous proportions.
591 * If we know it's winbindd talking to us,
592 * we know we must never recurse into it,
593 * so turn off contacting winbindd for this
594 * entire process. This will get fixed when
595 * winbindd doesn't need to talk to smbd on
596 * a PDC. JRA.
597 */
598
599 (void)winbind_off();
600
601 DEBUG(10, ("make_server_info_sam: our machine account %s "
602 "setting supplementary group list empty and "
603 "turning off winbindd requests.\n",
604 username));
605 } else {
606 status = pdb_enum_group_memberships(result, sampass,
607 &result->sids, &gids,
608 &result->num_sids);
609
610 if (!NT_STATUS_IS_OK(status)) {
611 DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
612 nt_errstr(status)));
613 result->sam_account = NULL; /* Don't free on error exit. */
614 TALLOC_FREE(result);
615 return status;
616 }
617 }
618
619 /* Add the "Unix Group" SID for each gid to catch mapped groups
620 and their Unix equivalent. This is to solve the backwards
621 compatibility problem of 'valid users = +ntadmin' where
622 ntadmin has been paired with "Domain Admins" in the group
623 mapping table. Otherwise smb.conf would need to be changed
624 to 'valid user = "Domain Admins"'. --jerry */
625
626 num_gids = result->num_sids;
627 for ( i=0; i<num_gids; i++ ) {
628 if ( !gid_to_unix_groups_sid( gids[i], &unix_group_sid ) ) {
629 DEBUG(1,("make_server_info_sam: Failed to create SID "
630 "for gid %d!\n", gids[i]));
631 continue;
632 }
633 status = add_sid_to_array_unique(result, &unix_group_sid,
634 &result->sids,
635 &result->num_sids);
636 if (!NT_STATUS_IS_OK(status)) {
637 result->sam_account = NULL; /* Don't free on error exit. */
638 TALLOC_FREE(result);
639 return status;
640 }
641 }
642
643 /* For now we throw away the gids and convert via sid_to_gid
644 * later. This needs fixing, but I'd like to get the code straight and
645 * simple first. */
646
647 TALLOC_FREE(gids);
648
649 DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n",
650 pdb_get_username(sampass), result->unix_name));
651
652 *server_info = result;
653
654 return NT_STATUS_OK;
655 }
656
657 static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token)
658 {
659 char *command;
660 char *group_sidstr;
661 size_t i;
662
663 if ((lp_log_nt_token_command() == NULL) ||
664 (strlen(lp_log_nt_token_command()) == 0)) {
665 return NT_STATUS_OK;
666 }
667
668 group_sidstr = talloc_strdup(tmp_ctx, "");
669 for (i=1; i<token->num_sids; i++) {
670 group_sidstr = talloc_asprintf(
671 tmp_ctx, "%s %s", group_sidstr,
672 sid_string_talloc(tmp_ctx, &token->user_sids[i]));
673 }
674
675 command = talloc_string_sub(
676 tmp_ctx, lp_log_nt_token_command(),
677 "%s", sid_string_talloc(tmp_ctx, &token->user_sids[0]));
678 command = talloc_string_sub(tmp_ctx, command, "%t", group_sidstr);
679
680 if (command == NULL) {
681 return NT_STATUS_NO_MEMORY;
682 }
683
684 DEBUG(8, ("running command: [%s]\n", command));
685 if (smbrun(command, NULL) != 0) {
686 DEBUG(0, ("Could not log NT token\n"));
687 return NT_STATUS_ACCESS_DENIED;
688 }
689
690 return NT_STATUS_OK;
691 }
692
693 /*
694 * Create the token to use from server_info->sam_account and
695 * server_info->sids (the info3/sam groups). Find the unix gids.
696 */
697
698 NTSTATUS create_local_token(auth_serversupplied_info *server_info)
699 {
700 TALLOC_CTX *mem_ctx;
701 NTSTATUS status;
702 size_t i;
703
704
705 mem_ctx = talloc_new(NULL);
706 if (mem_ctx == NULL) {
707 DEBUG(0, ("talloc_new failed\n"));
708 return NT_STATUS_NO_MEMORY;
709 }
710
711 /*
712 * If winbind is not around, we can not make much use of the SIDs the
713 * domain controller provided us with. Likewise if the user name was
714 * mapped to some local unix user.
715 */
716
717 if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
718 (server_info->was_mapped)) {
719 status = create_token_from_username(server_info,
720 server_info->unix_name,
721 server_info->guest,
722 &server_info->uid,
723 &server_info->gid,
724 &server_info->unix_name,
725 &server_info->ptok);
726
727 } else {
728 server_info->ptok = create_local_nt_token(
729 server_info,
730 pdb_get_user_sid(server_info->sam_account),
731 server_info->guest,
732 server_info->num_sids, server_info->sids);
733 status = server_info->ptok ?
734 NT_STATUS_OK : NT_STATUS_NO_SUCH_USER;
735 }
736
737 if (!NT_STATUS_IS_OK(status)) {
738 TALLOC_FREE(mem_ctx);
739 return status;
740 }
741
742 /* Convert the SIDs to gids. */
743
744 server_info->n_groups = 0;
745 server_info->groups = NULL;
746
747 /* Start at index 1, where the groups start. */
748
749 for (i=1; i<server_info->ptok->num_sids; i++) {
750 gid_t gid;
751 DOM_SID *sid = &server_info->ptok->user_sids[i];
752
753 if (!sid_to_gid(sid, &gid)) {
754 DEBUG(10, ("Could not convert SID %s to gid, "
755 "ignoring it\n", sid_string_dbg(sid)));
756 continue;
757 }
758 add_gid_to_array_unique(server_info, gid, &server_info->groups,
759 &server_info->n_groups);
760 }
761
762 debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok);
763
764 status = log_nt_token(mem_ctx, server_info->ptok);
765
766 TALLOC_FREE(mem_ctx);
767 return status;
768 }
769
770 /*
771 * Create an artificial NT token given just a username. (Initially indended
772 * for force user)
773 *
774 * We go through lookup_name() to avoid problems we had with 'winbind use
775 * default domain'.
776 *
777 * We have 3 cases:
778 *
779 * unmapped unix users: Go directly to nss to find the user's group.
780 *
781 * A passdb user: The list of groups is provided by pdb_enum_group_memberships.
782 *
783 * If the user is provided by winbind, the primary gid is set to "domain
784 * users" of the user's domain. For an explanation why this is necessary, see
785 * the thread starting at
786 * http://lists.samba.org/archive/samba-technical/2006-January/044803.html.
787 */
788
789 NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
790 bool is_guest,
791 uid_t *uid, gid_t *gid,
792 char **found_username,
793 struct nt_user_token **token)
794 {
795 NTSTATUS result = NT_STATUS_NO_SUCH_USER;
796 TALLOC_CTX *tmp_ctx;
797 DOM_SID user_sid;
798 enum lsa_SidType type;
799 gid_t *gids;
800 DOM_SID *group_sids;
801 DOM_SID unix_group_sid;
802 size_t num_group_sids;
803 size_t num_gids;
804 size_t i;
805
806 tmp_ctx = talloc_new(NULL);
807 if (tmp_ctx == NULL) {
808 DEBUG(0, ("talloc_new failed\n"));
809 return NT_STATUS_NO_MEMORY;
810 }
811
812 if (!lookup_name_smbconf(tmp_ctx, username, LOOKUP_NAME_ALL,
813 NULL, NULL, &user_sid, &type)) {
814 DEBUG(1, ("lookup_name_smbconf for %s failed\n", username));
815 goto done;
816 }
817
818 if (type != SID_NAME_USER) {
819 DEBUG(1, ("%s is a %s, not a user\n", username,
820 sid_type_lookup(type)));
821 goto done;
822 }
823
824 if (!sid_to_uid(&user_sid, uid)) {
825 DEBUG(1, ("sid_to_uid for %s (%s) failed\n",
826 username, sid_string_dbg(&user_sid)));
827 goto done;
828 }
829
830 if (sid_check_is_in_our_domain(&user_sid)) {
831 bool ret;
832
833 /* This is a passdb user, so ask passdb */
834
835 struct samu *sam_acct = NULL;
836
837 if ( !(sam_acct = samu_new( tmp_ctx )) ) {
838 result = NT_STATUS_NO_MEMORY;
839 goto done;
840 }
841
842 become_root();
843 ret = pdb_getsampwsid(sam_acct, &user_sid);
844 unbecome_root();
845
846 if (!ret) {
847 DEBUG(1, ("pdb_getsampwsid(%s) for user %s failed\n",
848 sid_string_dbg(&user_sid), username));
849 DEBUGADD(1, ("Fall back to unix user %s\n", username));
850 goto unix_user;
851 }
852
853 result = pdb_enum_group_memberships(tmp_ctx, sam_acct,
854 &group_sids, &gids,
855 &num_group_sids);
856 if (!NT_STATUS_IS_OK(result)) {
857 DEBUG(10, ("enum_group_memberships failed for %s\n",
858 username));
859 DEBUGADD(1, ("Fall back to unix user %s\n", username));
860 goto unix_user;
861 }
862
863 /* see the smb_panic() in pdb_default_enum_group_memberships */
864 SMB_ASSERT(num_group_sids > 0);
865
866 *gid = gids[0];
867
868 /* Ensure we're returning the found_username on the right context. */
869 *found_username = talloc_strdup(mem_ctx,
870 pdb_get_username(sam_acct));
871
872 } else if (sid_check_is_in_unix_users(&user_sid)) {
873
874 /* This is a unix user not in passdb. We need to ask nss
875 * directly, without consulting passdb */
876
877 struct passwd *pass;
878
879 /*
880 * This goto target is used as a fallback for the passdb
881 * case. The concrete bug report is when passdb gave us an
882 * unmapped gid.
883 */
884
885 unix_user:
886
887 uid_to_unix_users_sid(*uid, &user_sid);
888
889 pass = getpwuid_alloc(tmp_ctx, *uid);
890 if (pass == NULL) {
891 DEBUG(1, ("getpwuid(%d) for user %s failed\n",
892 *uid, username));
893 goto done;
894 }
895
896 if (!getgroups_unix_user(tmp_ctx, username, pass->pw_gid,
897 &gids, &num_group_sids)) {
898 DEBUG(1, ("getgroups_unix_user for user %s failed\n",
899 username));
900 goto done;
901 }
902
903 if (num_group_sids) {
904 group_sids = TALLOC_ARRAY(tmp_ctx, DOM_SID, num_group_sids);
905 if (group_sids == NULL) {
906 DEBUG(1, ("TALLOC_ARRAY failed\n"));
907 result = NT_STATUS_NO_MEMORY;
908 goto done;
909 }
910 } else {
911 group_sids = NULL;
912 }
913
914 for (i=0; i<num_group_sids; i++) {
915 gid_to_sid(&group_sids[i], gids[i]);
916 }
917
918 /* In getgroups_unix_user we always set the primary gid */
919 SMB_ASSERT(num_group_sids > 0);
920
921 *gid = gids[0];
922
923 /* Ensure we're returning the found_username on the right context. */
924 *found_username = talloc_strdup(mem_ctx, pass->pw_name);
925 } else {
926
927 /* This user is from winbind, force the primary gid to the
928 * user's "domain users" group. Under certain circumstances
929 * (user comes from NT4), this might be a loss of
930 * information. But we can not rely on winbind getting the
931 * correct info. AD might prohibit winbind looking up that
932 * information. */
933
934 uint32 dummy;
935
936 num_group_sids = 1;
937 group_sids = TALLOC_ARRAY(tmp_ctx, DOM_SID, num_group_sids);
938 if (group_sids == NULL) {
939 DEBUG(1, ("TALLOC_ARRAY failed\n"));
940 result = NT_STATUS_NO_MEMORY;
941 goto done;
942 }
943
944 sid_copy(&group_sids[0], &user_sid);
945 sid_split_rid(&group_sids[0], &dummy);
946 sid_append_rid(&group_sids[0], DOMAIN_GROUP_RID_USERS);
947
948 if (!sid_to_gid(&group_sids[0], gid)) {
949 DEBUG(1, ("sid_to_gid(%s) failed\n",
950 sid_string_dbg(&group_sids[0])));
951 goto done;
952 }
953
954 gids = gid;
955
956 /* Ensure we're returning the found_username on the right context. */
957 *found_username = talloc_strdup(mem_ctx, username);
958 }
959
960 /* Add the "Unix Group" SID for each gid to catch mapped groups
961 and their Unix equivalent. This is to solve the backwards
962 compatibility problem of 'valid users = +ntadmin' where
963 ntadmin has been paired with "Domain Admins" in the group
964 mapping table. Otherwise smb.conf would need to be changed
965 to 'valid user = "Domain Admins"'. --jerry */
966
967 num_gids = num_group_sids;
968 for ( i=0; i<num_gids; i++ ) {
969 gid_t high, low;
970
971 /* don't pickup anything managed by Winbind */
972
973 if ( lp_idmap_gid(&low, &high) && (gids[i] >= low) && (gids[i] <= high) )
974 continue;
975
976 if ( !gid_to_unix_groups_sid( gids[i], &unix_group_sid ) ) {
977 DEBUG(1,("create_token_from_username: Failed to create SID "
978 "for gid %d!\n", gids[i]));
979 continue;
980 }
981 result = add_sid_to_array_unique(tmp_ctx, &unix_group_sid,
982 &group_sids, &num_group_sids);
983 if (!NT_STATUS_IS_OK(result)) {
984 goto done;
985 }
986 }
987
988 /* Ensure we're creating the nt_token on the right context. */
989 *token = create_local_nt_token(mem_ctx, &user_sid,
990 is_guest, num_group_sids, group_sids);
991
992 if ((*token == NULL) || (*found_username == NULL)) {
993 result = NT_STATUS_NO_MEMORY;
994 goto done;
995 }
996
997 result = NT_STATUS_OK;
998 done:
999 TALLOC_FREE(tmp_ctx);
1000 return result;
1001 }
1002
1003 /***************************************************************************
1004 Build upon create_token_from_username:
1005
1006 Expensive helper function to figure out whether a user given its name is
1007 member of a particular group.
1008 ***************************************************************************/
1009
1010 bool user_in_group_sid(const char *username, const DOM_SID *group_sid)
1011 {
1012 NTSTATUS status;
1013 uid_t uid;
1014 gid_t gid;
1015 char *found_username;
1016 struct nt_user_token *token;
1017 bool result;
1018
1019 TALLOC_CTX *mem_ctx;
1020
1021 mem_ctx = talloc_new(NULL);
1022 if (mem_ctx == NULL) {
1023 DEBUG(0, ("talloc_new failed\n"));
1024 return False;
1025 }
1026
1027 status = create_token_from_username(mem_ctx, username, False,
1028 &uid, &gid, &found_username,
1029 &token);
1030
1031 if (!NT_STATUS_IS_OK(status)) {
1032 DEBUG(10, ("could not create token for %s\n", username));
1033 return False;
1034 }
1035
1036 result = nt_token_check_sid(group_sid, token);
1037
1038 TALLOC_FREE(mem_ctx);
1039 return result;
1040
1041 }
1042
1043 bool user_in_group(const char *username, const char *groupname)
1044 {
1045 TALLOC_CTX *mem_ctx;
1046 DOM_SID group_sid;
1047 bool ret;
1048
1049 mem_ctx = talloc_new(NULL);
1050 if (mem_ctx == NULL) {
1051 DEBUG(0, ("talloc_new failed\n"));
1052 return False;
1053 }
1054
1055 ret = lookup_name(mem_ctx, groupname, LOOKUP_NAME_ALL,
1056 NULL, NULL, &group_sid, NULL);
1057 TALLOC_FREE(mem_ctx);
1058
1059 if (!ret) {
1060 DEBUG(10, ("lookup_name for (%s) failed.\n", groupname));
1061 return False;
1062 }
1063
1064 return user_in_group_sid(username, &group_sid);
1065 }
1066
1067
1068 /***************************************************************************
1069 Make (and fill) a user_info struct from a 'struct passwd' by conversion
1070 to a struct samu
1071 ***************************************************************************/
1072
1073 NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info,
1074 char *unix_username,
1075 struct passwd *pwd)
1076 {
1077 NTSTATUS status;
1078 struct samu *sampass = NULL;
1079 gid_t *gids;
1080 char *qualified_name = NULL;
1081 TALLOC_CTX *mem_ctx = NULL;
1082 DOM_SID u_sid;
1083 enum lsa_SidType type;
1084 auth_serversupplied_info *result;
1085
1086 if ( !(sampass = samu_new( NULL )) ) {
1087 return NT_STATUS_NO_MEMORY;
1088 }
1089
1090 status = samu_set_unix( sampass, pwd );
1091 if (!NT_STATUS_IS_OK(status)) {
1092 return status;
1093 }
1094
1095 result = make_server_info(NULL);
1096 if (result == NULL) {
1097 TALLOC_FREE(sampass);
1098 return NT_STATUS_NO_MEMORY;
1099 }
1100
1101 result->sam_account = sampass;
1102 result->unix_name = talloc_strdup(result, unix_username);
1103 result->uid = pwd->pw_uid;
1104 result->gid = pwd->pw_gid;
1105
1106 status = pdb_enum_group_memberships(result, sampass,
1107 &result->sids, &gids,
1108 &result->num_sids);
1109
1110 if (!NT_STATUS_IS_OK(status)) {
1111 DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
1112 nt_errstr(status)));
1113 TALLOC_FREE(result);
1114 return status;
1115 }
1116
1117 /*
1118 * The SID returned in server_info->sam_account is based
1119 * on our SAM sid even though for a pure UNIX account this should
1120 * not be the case as it doesn't really exist in the SAM db.
1121 * This causes lookups on "[in]valid users" to fail as they
1122 * will lookup this name as a "Unix User" SID to check against
1123 * the user token. Fix this by adding the "Unix User"\unix_username
1124 * SID to the sid array. The correct fix should probably be
1125 * changing the server_info->sam_account user SID to be a
1126 * S-1-22 Unix SID, but this might break old configs where
1127 * plaintext passwords were used with no SAM backend.
1128 */
1129
1130 mem_ctx = talloc_init("make_server_info_pw_tmp");
1131 if (!mem_ctx) {
1132 TALLOC_FREE(result);
1133 return NT_STATUS_NO_MEMORY;
1134 }
1135
1136 qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
1137 unix_users_domain_name(),
1138 unix_username );
1139 if (!qualified_name) {
1140 TALLOC_FREE(result);
1141 TALLOC_FREE(mem_ctx);
1142 return NT_STATUS_NO_MEMORY;
1143 }
1144
1145 if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
1146 NULL, NULL,
1147 &u_sid, &type)) {
1148 TALLOC_FREE(result);
1149 TALLOC_FREE(mem_ctx);
1150 return NT_STATUS_NO_SUCH_USER;
1151 }
1152
1153 TALLOC_FREE(mem_ctx);
1154
1155 if (type != SID_NAME_USER) {
1156 TALLOC_FREE(result);
1157 return NT_STATUS_NO_SUCH_USER;
1158 }
1159
1160 status = add_sid_to_array_unique(result, &u_sid,
1161 &result->sids,
1162 &result->num_sids);
1163 if (!NT_STATUS_IS_OK(status)) {
1164 TALLOC_FREE(result);
1165 return status;
1166 }
1167
1168 /* For now we throw away the gids and convert via sid_to_gid
1169 * later. This needs fixing, but I'd like to get the code straight and
1170 * simple first. */
1171 TALLOC_FREE(gids);
1172
1173 *server_info = result;
1174
1175 return NT_STATUS_OK;
1176 }
1177
1178 /***************************************************************************
1179 Make (and fill) a user_info struct for a guest login.
1180 This *must* succeed for smbd to start. If there is no mapping entry for
1181 the guest gid, then create one.
1182 ***************************************************************************/
1183
1184 static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_info)
1185 {
1186 NTSTATUS status;
1187 struct samu *sampass = NULL;
1188 DOM_SID guest_sid;
1189 bool ret;
1190 char zeros[16];
1191
1192 if ( !(sampass = samu_new( NULL )) ) {
1193 return NT_STATUS_NO_MEMORY;
1194 }
1195
1196 sid_copy(&guest_sid, get_global_sam_sid());
1197 sid_append_rid(&guest_sid, DOMAIN_USER_RID_GUEST);
1198
1199 become_root();
1200 ret = pdb_getsampwsid(sampass, &guest_sid);
1201 unbecome_root();
1202
1203 if (!ret) {
1204 TALLOC_FREE(sampass);
1205 return NT_STATUS_NO_SUCH_USER;
1206 }
1207
1208 status = make_server_info_sam(server_info, sampass);
1209 if (!NT_STATUS_IS_OK(status)) {
1210 TALLOC_FREE(sampass);
1211 return status;
1212 }
1213
1214 (*server_info)->guest = True;
1215
1216 status = create_local_token(*server_info);
1217 if (!NT_STATUS_IS_OK(status)) {
1218 DEBUG(10, ("create_local_token failed: %s\n",
1219 nt_errstr(status)));
1220 return status;
1221 }
1222
1223 /* annoying, but the Guest really does have a session key, and it is
1224 all zeros! */
1225 ZERO_STRUCT(zeros);
1226 (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));
1227 (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
1228
1229 return NT_STATUS_OK;
1230 }
1231
1232 static auth_serversupplied_info *copy_serverinfo(auth_serversupplied_info *src)
1233 {
1234 auth_serversupplied_info *dst;
1235
1236 dst = make_server_info(NULL);
1237 if (dst == NULL) {
1238 return NULL;
1239 }
1240
1241 dst->guest = src->guest;
1242 dst->uid = src->uid;
1243 dst->gid = src->gid;
1244 dst->n_groups = src->n_groups;
1245 if (src->n_groups != 0) {
1246 dst->groups = (gid_t *)TALLOC_MEMDUP(
1247 dst, src->groups, sizeof(gid_t)*dst->n_groups);
1248 } else {
1249 dst->groups = NULL;
1250 }
1251
1252 if (src->ptok) {
1253 dst->ptok = dup_nt_token(dst, src->ptok);
1254 if (!dst->ptok) {
1255 TALLOC_FREE(dst);
1256 return NULL;
1257 }
1258 }
1259
1260 dst->user_session_key = data_blob_talloc( dst, src->user_session_key.data,
1261 src->user_session_key.length);
1262
1263 dst->lm_session_key = data_blob_talloc(dst, src->lm_session_key.data,
1264 src->lm_session_key.length);
1265
1266 dst->sam_account = samu_new(NULL);
1267 if (!dst->sam_account) {
1268 TALLOC_FREE(dst);
1269 return NULL;
1270 }
1271
1272 if (!pdb_copy_sam_account(dst->sam_account, src->sam_account)) {
1273 TALLOC_FREE(dst);
1274 return NULL;
1275 }
1276
1277 dst->pam_handle = NULL;
1278 dst->unix_name = talloc_strdup(dst, src->unix_name);
1279 if (!dst->unix_name) {
1280 TALLOC_FREE(dst);
1281 return NULL;
1282 }
1283
1284 return dst;
1285 }
1286
1287 static auth_serversupplied_info *guest_info = NULL;
1288
1289 bool init_guest_info(void)
1290 {
1291 if (guest_info != NULL)
1292 return True;
1293
1294 return NT_STATUS_IS_OK(make_new_server_info_guest(&guest_info));
1295 }
1296
1297 NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info)
1298 {
1299 *server_info = copy_serverinfo(guest_info);
1300 return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1301 }
1302
1303 bool copy_current_user(struct current_user *dst, struct current_user *src)
1304 {
1305 gid_t *groups;
1306 NT_USER_TOKEN *nt_token;
1307
1308 groups = (gid_t *)memdup(src->ut.groups,
1309 sizeof(gid_t) * src->ut.ngroups);
1310 if ((src->ut.ngroups != 0) && (groups == NULL)) {
1311 return False;
1312 }
1313
1314 nt_token = dup_nt_token(NULL, src->nt_user_token);
1315 if (nt_token == NULL) {
1316 SAFE_FREE(groups);
1317 return False;
1318 }
1319
1320 dst->conn = src->conn;
1321 dst->vuid = src->vuid;
1322 dst->ut.uid = src->ut.uid;
1323 dst->ut.gid = src->ut.gid;
1324 dst->ut.ngroups = src->ut.ngroups;
1325 dst->ut.groups = groups;
1326 dst->nt_user_token = nt_token;
1327 return True;
1328 }
1329
1330 bool set_current_user_guest(struct current_user *dst)
1331 {
1332 gid_t *groups;
1333 NT_USER_TOKEN *nt_token;
1334
1335 groups = (gid_t *)memdup(guest_info->groups,
1336 sizeof(gid_t) * guest_info->n_groups);
1337 if (groups == NULL) {
1338 return False;
1339 }
1340
1341 nt_token = dup_nt_token(NULL, guest_info->ptok);
1342 if (nt_token == NULL) {
1343 SAFE_FREE(groups);
1344 return False;
1345 }
1346
1347 TALLOC_FREE(dst->nt_user_token);
1348 SAFE_FREE(dst->ut.groups);
1349
1350 /* dst->conn is never really dereferenced, it's only tested for
1351 * equality in uid.c */
1352 dst->conn = NULL;
1353
1354 dst->vuid = UID_FIELD_INVALID;
1355 dst->ut.uid = guest_info->uid;
1356 dst->ut.gid = guest_info->gid;
1357 dst->ut.ngroups = guest_info->n_groups;
1358 dst->ut.groups = groups;
1359 dst->nt_user_token = nt_token;
1360 return True;
1361 }
1362
1363 /***************************************************************************
1364 Purely internal function for make_server_info_info3
1365 Fill the sam account from getpwnam
1366 ***************************************************************************/
1367 static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx,
1368 const char *domain,
1369 const char *username,
1370 char **found_username,
1371 uid_t *uid, gid_t *gid,
1372 struct samu *account,
1373 bool *username_was_mapped)
1374 {
1375 NTSTATUS nt_status;
1376 fstring dom_user, lower_username;
1377 fstring real_username;
1378 struct passwd *passwd;
1379
1380 fstrcpy( lower_username, username );
1381 strlower_m( lower_username );
1382
1383 fstr_sprintf(dom_user, "%s%c%s", domain, *lp_winbind_separator(),
1384 lower_username);
1385
1386 /* Get the passwd struct. Try to create the account is necessary. */
1387
1388 *username_was_mapped = map_username( dom_user );
1389
1390 if ( !(passwd = smb_getpwnam( NULL, dom_user, real_username, True )) )
1391 return NT_STATUS_NO_SUCH_USER;
1392
1393 *uid = passwd->pw_uid;
1394 *gid = passwd->pw_gid;
1395
1396 /* This is pointless -- there is no suport for differing
1397 unix and windows names. Make sure to always store the
1398 one we actually looked up and succeeded. Have I mentioned
1399 why I hate the 'winbind use default domain' parameter?
1400 --jerry */
1401
1402 *found_username = talloc_strdup( mem_ctx, real_username );
1403
1404 DEBUG(5,("fill_sam_account: located username was [%s]\n", *found_username));
1405
1406 nt_status = samu_set_unix( account, passwd );
1407
1408 TALLOC_FREE(passwd);
1409
1410 return nt_status;
1411 }
1412
1413 /****************************************************************************
1414 Wrapper to allow the getpwnam() call to strip the domain name and
1415 try again in case a local UNIX user is already there. Also run through
1416 the username if we fallback to the username only.
1417 ****************************************************************************/
1418
1419 struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, char *domuser,
1420 fstring save_username, bool create )
1421 {
1422 struct passwd *pw = NULL;
1423 char *p;
1424 fstring username;
1425
1426 /* we only save a copy of the username it has been mangled
1427 by winbindd use default domain */
1428
1429 save_username[0] = '\0';
1430
1431 /* don't call map_username() here since it has to be done higher
1432 up the stack so we don't call it mutliple times */
1433
1434 fstrcpy( username, domuser );
1435
1436 p = strchr_m( username, *lp_winbind_separator() );
1437
1438 /* code for a DOMAIN\user string */
1439
1440 if ( p ) {
1441 fstring strip_username;
1442
1443 pw = Get_Pwnam_alloc( mem_ctx, domuser );
1444 if ( pw ) {
1445 /* make sure we get the case of the username correct */
1446 /* work around 'winbind use default domain = yes' */
1447
1448 if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
1449 char *domain;
1450
1451 /* split the domain and username into 2 strings */
1452 *p = '\0';
1453 domain = username;
1454
1455 fstr_sprintf(save_username, "%s%c%s", domain, *lp_winbind_separator(), pw->pw_name);
1456 }
1457 else
1458 fstrcpy( save_username, pw->pw_name );
1459
1460 /* whew -- done! */
1461 return pw;
1462 }
1463
1464 /* setup for lookup of just the username */
1465 /* remember that p and username are overlapping memory */
1466
1467 p++;
1468 fstrcpy( strip_username, p );
1469 fstrcpy( username, strip_username );
1470 }
1471
1472 /* just lookup a plain username */
1473
1474 pw = Get_Pwnam_alloc(mem_ctx, username);
1475
1476 /* Create local user if requested but only if winbindd
1477 is not running. We need to protect against cases
1478 where winbindd is failing and then prematurely
1479 creating users in /etc/passwd */
1480
1481 if ( !pw && create && !winbind_ping() ) {
1482 /* Don't add a machine account. */
1483 if (username[strlen(username)-1] == '$')
1484 return NULL;
1485
1486 smb_create_user(NULL, username, NULL);
1487 pw = Get_Pwnam_alloc(mem_ctx, username);
1488 }
1489
1490 /* one last check for a valid passwd struct */
1491
1492 if ( pw )
1493 fstrcpy( save_username, pw->pw_name );
1494
1495 return pw;
1496 }
1497
1498 /***************************************************************************
1499 Make a server_info struct from the info3 returned by a domain logon
1500 ***************************************************************************/
1501
1502 NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
1503 const char *sent_nt_username,
1504 const char *domain,
1505 auth_serversupplied_info **server_info,
1506 struct netr_SamInfo3 *info3)
1507 {
1508 char zeros[16];
1509
1510 NTSTATUS nt_status = NT_STATUS_OK;
1511 char *found_username = NULL;
1512 const char *nt_domain;
1513 const char *nt_username;
1514 struct samu *sam_account = NULL;
1515 DOM_SID user_sid;
1516 DOM_SID group_sid;
1517 bool username_was_mapped;
1518
1519 uid_t uid = (uid_t)-1;
1520 gid_t gid = (gid_t)-1;
1521
1522 auth_serversupplied_info *result;
1523
1524 /*
1525 Here is where we should check the list of
1526 trusted domains, and verify that the SID
1527 matches.
1528 */
1529
1530 sid_copy(&user_sid, info3->base.domain_sid);
1531 if (!sid_append_rid(&user_sid, info3->base.rid)) {
1532 return NT_STATUS_INVALID_PARAMETER;
1533 }
1534
1535 sid_copy(&group_sid, info3->base.domain_sid);
1536 if (!sid_append_rid(&group_sid, info3->base.primary_gid)) {
1537 return NT_STATUS_INVALID_PARAMETER;
1538 }
1539
1540 nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
1541 if (!nt_username) {
1542 /* If the server didn't give us one, just use the one we sent
1543 * them */
1544 nt_username = sent_nt_username;
1545 }
1546
1547 nt_domain = talloc_strdup(mem_ctx, info3->base.domain.string);
1548 if (!nt_domain) {
1549 /* If the server didn't give us one, just use the one we sent
1550 * them */
1551 nt_domain = domain;
1552 }
1553
1554 /* try to fill the SAM account.. If getpwnam() fails, then try the
1555 add user script (2.2.x behavior).
1556
1557 We use the _unmapped_ username here in an attempt to provide
1558 consistent username mapping behavior between kerberos and NTLM[SSP]
1559 authentication in domain mode security. I.E. Username mapping
1560 should be applied to the fully qualified username
1561 (e.g. DOMAIN\user) and not just the login name. Yes this means we
1562 called map_username() unnecessarily in make_user_info_map() but
1563 that is how the current code is designed. Making the change here
1564 is the least disruptive place. -- jerry */
1565
1566 if ( !(sam_account = samu_new( NULL )) ) {
1567 return NT_STATUS_NO_MEMORY;
1568 }
1569
1570 /* this call will try to create the user if necessary */
1571
1572 nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username,
1573 &found_username, &uid, &gid, sam_account,
1574 &username_was_mapped);
1575
1576
1577 /* if we still don't have a valid unix account check for
1578 'map to guest = bad uid' */
1579
1580 if (!NT_STATUS_IS_OK(nt_status)) {
1581 TALLOC_FREE( sam_account );
1582 if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) {
1583 make_server_info_guest(server_info);
1584 return NT_STATUS_OK;
1585 }
1586 return nt_status;
1587 }
1588
1589 if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) {
1590 TALLOC_FREE(sam_account);
1591 return NT_STATUS_NO_MEMORY;
1592 }
1593
1594 if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) {
1595 TALLOC_FREE(sam_account);
1596 return NT_STATUS_NO_MEMORY;
1597 }
1598
1599 if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) {
1600 TALLOC_FREE(sam_account);
1601 return NT_STATUS_NO_MEMORY;
1602 }
1603
1604 if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) {
1605 TALLOC_FREE(sam_account);
1606 return NT_STATUS_UNSUCCESSFUL;
1607 }
1608
1609 if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) {
1610 TALLOC_FREE(sam_account);
1611 return NT_STATUS_UNSUCCESSFUL;
1612 }
1613
1614 if (!pdb_set_fullname(sam_account,
1615 info3->base.full_name.string,
1616 PDB_CHANGED)) {
1617 TALLOC_FREE(sam_account);
1618 return NT_STATUS_NO_MEMORY;
1619 }
1620
1621 if (!pdb_set_logon_script(sam_account,
1622 info3->base.logon_script.string,
1623 PDB_CHANGED)) {
1624 TALLOC_FREE(sam_account);
1625 return NT_STATUS_NO_MEMORY;
1626 }
1627
1628 if (!pdb_set_profile_path(sam_account,
1629 info3->base.profile_path.string,
1630 PDB_CHANGED)) {
1631 TALLOC_FREE(sam_account);
1632 return NT_STATUS_NO_MEMORY;
1633 }
1634
1635 if (!pdb_set_homedir(sam_account,
1636 info3->base.home_directory.string,
1637 PDB_CHANGED)) {
1638 TALLOC_FREE(sam_account);
1639 return NT_STATUS_NO_MEMORY;
1640 }
1641
1642 if (!pdb_set_dir_drive(sam_account,
1643 info3->base.home_drive.string,
1644 PDB_CHANGED)) {
1645 TALLOC_FREE(sam_account);
1646 return NT_STATUS_NO_MEMORY;
1647 }
1648
1649 if (!pdb_set_acct_ctrl(sam_account, info3->base.acct_flags, PDB_CHANGED)) {
1650 TALLOC_FREE(sam_account);
1651 return NT_STATUS_NO_MEMORY;
1652 }
1653
1654 if (!pdb_set_pass_last_set_time(
1655 sam_account,
1656 nt_time_to_unix(info3->base.last_password_change),
1657 PDB_CHANGED)) {
1658 TALLOC_FREE(sam_account);
1659 return NT_STATUS_NO_MEMORY;
1660 }
1661
1662 if (!pdb_set_pass_can_change_time(
1663 sam_account,
1664 nt_time_to_unix(info3->base.allow_password_change),
1665 PDB_CHANGED)) {
1666 TALLOC_FREE(sam_account);
1667 return NT_STATUS_NO_MEMORY;
1668 }
1669
1670 if (!pdb_set_pass_must_change_time(
1671 sam_account,
1672 nt_time_to_unix(info3->base.force_password_change),
1673 PDB_CHANGED)) {
1674 TALLOC_FREE(sam_account);
1675 return NT_STATUS_NO_MEMORY;
1676 }
1677
1678 result = make_server_info(NULL);
1679 if (result == NULL) {
1680 DEBUG(4, ("make_server_info failed!\n"));
1681 TALLOC_FREE(sam_account);
1682 return NT_STATUS_NO_MEMORY;
1683 }
1684
1685 /* save this here to _net_sam_logon() doesn't fail (it assumes a
1686 valid struct samu) */
1687
1688 result->sam_account = sam_account;
1689 result->unix_name = talloc_strdup(result, found_username);
1690
1691 /* Fill in the unix info we found on the way */
1692
1693 result->uid = uid;
1694 result->gid = gid;
1695
1696 /* Create a 'combined' list of all SIDs we might want in the SD */
1697
1698 result->num_sids = 0;
1699 result->sids = NULL;
1700
1701 nt_status = sid_array_from_info3(result, info3,
1702 &result->sids,
1703 &result->num_sids,
1704 false, false);
1705 if (!NT_STATUS_IS_OK(nt_status)) {
1706 TALLOC_FREE(result);
1707 return nt_status;
1708 }
1709
1710 /* Ensure the primary group sid is at position 0. */
1711 sort_sid_array_for_smbd(result, &group_sid);
1712
1713 result->login_server = talloc_strdup(result,
1714 info3->base.logon_server.string);
1715
1716 /* ensure we are never given NULL session keys */
1717
1718 ZERO_STRUCT(zeros);
1719
1720 if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) {
1721 result->user_session_key = data_blob_null;
1722 } else {
1723 result->user_session_key = data_blob_talloc(
1724 result, info3->base.key.key,
1725 sizeof(info3->base.key.key));
1726 }
1727
1728 if (memcmp(info3->base.LMSessKey.key, zeros, 8) == 0) {
1729 result->lm_session_key = data_blob_null;
1730 } else {
1731 result->lm_session_key = data_blob_talloc(
1732 result, info3->base.LMSessKey.key,
1733 sizeof(info3->base.LMSessKey.key));
1734 }
1735
1736 result->was_mapped = username_was_mapped;
1737
1738 *server_info = result;
1739
1740 return NT_STATUS_OK;
1741 }
1742
1743 /*****************************************************************************
1744 Make a server_info struct from the wbcAuthUserInfo returned by a domain logon
1745 ******************************************************************************/
1746
1747 NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
1748 const char *sent_nt_username,
1749 const char *domain,
1750 const struct wbcAuthUserInfo *info,
1751 auth_serversupplied_info **server_info)
1752 {
1753 char zeros[16];
1754
1755 NTSTATUS nt_status = NT_STATUS_OK;
1756 char *found_username = NULL;
1757 const char *nt_domain;
1758 const char *nt_username;
1759 struct samu *sam_account = NULL;
1760 DOM_SID user_sid;
1761 DOM_SID group_sid;
1762 bool username_was_mapped;
1763 uint32_t i;
1764
1765 uid_t uid = (uid_t)-1;
1766 gid_t gid = (gid_t)-1;
1767
1768 auth_serversupplied_info *result;
1769
1770 result = make_server_info(NULL);
1771 if (result == NULL) {
1772 DEBUG(4, ("make_server_info failed!\n"));
1773 return NT_STATUS_NO_MEMORY;
1774 }
1775
1776 /*
1777 Here is where we should check the list of
1778 trusted domains, and verify that the SID
1779 matches.
1780 */
1781
1782 memcpy(&user_sid, &info->sids[0].sid, sizeof(user_sid));
1783 memcpy(&group_sid, &info->sids[1].sid, sizeof(group_sid));
1784
1785 if (info->account_name) {
1786 nt_username = talloc_strdup(result, info->account_name);
1787 } else {
1788 /* If the server didn't give us one, just use the one we sent
1789 * them */
1790 nt_username = talloc_strdup(result, sent_nt_username);
1791 }
1792 if (!nt_username) {
1793 TALLOC_FREE(result);
1794 return NT_STATUS_NO_MEMORY;
1795 }
1796
1797 if (info->domain_name) {
1798 nt_domain = talloc_strdup(result, info->domain_name);
1799 } else {
1800 /* If the server didn't give us one, just use the one we sent
1801 * them */
1802 nt_domain = talloc_strdup(result, domain);
1803 }
1804 if (!nt_domain) {
1805 TALLOC_FREE(result);
1806 return NT_STATUS_NO_MEMORY;
1807 }
1808
1809 /* try to fill the SAM account.. If getpwnam() fails, then try the
1810 add user script (2.2.x behavior).
1811
1812 We use the _unmapped_ username here in an attempt to provide
1813 consistent username mapping behavior between kerberos and NTLM[SSP]
1814 authentication in domain mode security. I.E. Username mapping
1815 should be applied to the fully qualified username
1816 (e.g. DOMAIN\user) and not just the login name. Yes this means we
1817 called map_username() unnecessarily in make_user_info_map() but
1818 that is how the current code is designed. Making the change here
1819 is the least disruptive place. -- jerry */
1820
1821 if ( !(sam_account = samu_new( result )) ) {
1822 TALLOC_FREE(result);
1823 return NT_STATUS_NO_MEMORY;
1824 }
1825
1826 /* this call will try to create the user if necessary */
1827
1828 nt_status = fill_sam_account(result, nt_domain, sent_nt_username,
1829 &found_username, &uid, &gid, sam_account,
1830 &username_was_mapped);
1831
1832 /* if we still don't have a valid unix account check for
1833 'map to guest = bad uid' */
1834
1835 if (!NT_STATUS_IS_OK(nt_status)) {
1836 TALLOC_FREE( result );
1837 if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) {
1838 make_server_info_guest(server_info);
1839 return NT_STATUS_OK;
1840 }
1841 return nt_status;
1842 }
1843
1844 if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) {
1845 TALLOC_FREE(result);
1846 return NT_STATUS_NO_MEMORY;
1847 }
1848
1849 if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) {
1850 TALLOC_FREE(result);
1851 return NT_STATUS_NO_MEMORY;
1852 }
1853
1854 if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) {
1855 TALLOC_FREE(result);
1856 return NT_STATUS_NO_MEMORY;
1857 }
1858
1859 if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) {
1860 TALLOC_FREE(result);
1861 return NT_STATUS_UNSUCCESSFUL;
1862 }
1863
1864 if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) {
1865 TALLOC_FREE(result);
1866 return NT_STATUS_UNSUCCESSFUL;
1867 }
1868
1869 if (!pdb_set_fullname(sam_account, info->full_name, PDB_CHANGED)) {
1870 TALLOC_FREE(result);
1871 return NT_STATUS_NO_MEMORY;
1872 }
1873
1874 if (!pdb_set_logon_script(sam_account, info->logon_script, PDB_CHANGED)) {
1875 TALLOC_FREE(result);
1876 return NT_STATUS_NO_MEMORY;
1877 }
1878
1879 if (!pdb_set_profile_path(sam_account, info->profile_path, PDB_CHANGED)) {
1880 TALLOC_FREE(result);
1881 return NT_STATUS_NO_MEMORY;
1882 }
1883
1884 if (!pdb_set_homedir(sam_account, info->home_directory, PDB_CHANGED)) {
1885 TALLOC_FREE(result);
1886 return NT_STATUS_NO_MEMORY;
1887 }
1888
1889 if (!pdb_set_dir_drive(sam_account, info->home_drive, PDB_CHANGED)) {
1890 TALLOC_FREE(result);
1891 return NT_STATUS_NO_MEMORY;
1892 }
1893
1894 if (!pdb_set_acct_ctrl(sam_account, info->acct_flags, PDB_CHANGED)) {
1895 TALLOC_FREE(result);
1896 return NT_STATUS_NO_MEMORY;
1897 }
1898
1899 if (!pdb_set_pass_last_set_time(
1900 sam_account,
1901 nt_time_to_unix(info->pass_last_set_time),
1902 PDB_CHANGED)) {
1903 TALLOC_FREE(result);
1904 return NT_STATUS_NO_MEMORY;
1905 }
1906
1907 if (!pdb_set_pass_can_change_time(
1908 sam_account,
1909 nt_time_to_unix(info->pass_can_change_time),
1910 PDB_CHANGED)) {
1911 TALLOC_FREE(result);
1912 return NT_STATUS_NO_MEMORY;
1913 }
1914
1915 if (!pdb_set_pass_must_change_time(
1916 sam_account,
1917 nt_time_to_unix(info->pass_must_change_time),
1918 PDB_CHANGED)) {
1919 TALLOC_FREE(result);
1920 return NT_STATUS_NO_MEMORY;
1921 }
1922
1923 /* save this here to _net_sam_logon() doesn't fail (it assumes a
1924 valid struct samu) */
1925
1926 result->sam_account = sam_account;
1927 result->unix_name = talloc_strdup(result, found_username);
1928
1929 result->login_server = talloc_strdup(result, info->logon_server);
1930
1931 /* Fill in the unix info we found on the way */
1932
1933 result->uid = uid;
1934 result->gid = gid;
1935
1936 /* Create a 'combined' list of all SIDs we might want in the SD */
1937
1938 result->num_sids = info->num_sids - 2;
1939 result->sids = talloc_array(result, DOM_SID, result->num_sids);
1940 if (result->sids == NULL) {
1941 TALLOC_FREE(result);
1942 return NT_STATUS_NO_MEMORY;
1943 }
1944
1945 for (i=0; i < result->num_sids; i++) {
1946 memcpy(&result->sids[i], &info->sids[i+2].sid, sizeof(result->sids[i]));
1947 }
1948
1949 /* Ensure the primary group sid is at position 0. */
1950 sort_sid_array_for_smbd(result, &group_sid);
1951
1952 /* ensure we are never given NULL session keys */
1953
1954 ZERO_STRUCT(zeros);
1955
1956 if (memcmp(info->user_session_key, zeros, sizeof(zeros)) == 0) {
1957 result->user_session_key = data_blob_null;
1958 } else {
1959 result->user_session_key = data_blob_talloc(
1960 result, info->user_session_key,
1961 sizeof(info->user_session_key));
1962 }
1963
1964 if (memcmp(info->lm_session_key, zeros, 8) == 0) {
1965 result->lm_session_key = data_blob_null;
1966 } else {
1967 result->lm_session_key = data_blob_talloc(
1968 result, info->lm_session_key,
1969 sizeof(info->lm_session_key));
1970 }
1971
1972 result->was_mapped = username_was_mapped;
1973
1974 *server_info = result;
1975
1976 return NT_STATUS_OK;
1977 }
1978
1979 /***************************************************************************
1980 Free a user_info struct
1981 ***************************************************************************/
1982
1983 void free_user_info(auth_usersupplied_info **user_info)
1984 {
1985 DEBUG(5,("attempting to free (and zero) a user_info structure\n"));
1986 if (*user_info != NULL) {
1987 if ((*user_info)->smb_name) {
1988 DEBUG(10,("structure was created for %s\n",
1989 (*user_info)->smb_name));
1990 }
1991 SAFE_FREE((*user_info)->smb_name);
1992 SAFE_FREE((*user_info)->internal_username);
1993 SAFE_FREE((*user_info)->client_domain);
1994 SAFE_FREE((*user_info)->domain);
1995 SAFE_FREE((*user_info)->wksta_name);
1996 data_blob_free(&(*user_info)->lm_resp);
1997 data_blob_free(&(*user_info)->nt_resp);
1998 data_blob_clear_free(&(*user_info)->lm_interactive_pwd);
1999 data_blob_clear_free(&(*user_info)->nt_interactive_pwd);
2000 data_blob_clear_free(&(*user_info)->plaintext_password);
2001 ZERO_STRUCT(**user_info);
2002 }
2003 SAFE_FREE(*user_info);
2004 }
2005
2006 /***************************************************************************
2007 Make an auth_methods struct
2008 ***************************************************************************/
2009
2010 bool make_auth_methods(struct auth_context *auth_context, auth_methods **auth_method)
2011 {
2012 if (!auth_context) {
2013 smb_panic("no auth_context supplied to "
2014 "make_auth_methods()!\n");
2015 }
2016
2017 if (!auth_method) {
2018 smb_panic("make_auth_methods: pointer to auth_method pointer "
2019 "is NULL!\n");
2020 }
2021
2022 *auth_method = TALLOC_P(auth_context->mem_ctx, auth_methods);
2023 if (!*auth_method) {
2024 DEBUG(0,("make_auth_method: malloc failed!\n"));
2025 return False;
2026 }
2027 ZERO_STRUCTP(*auth_method);
2028
2029 return True;
2030 }
2031
2032 /**
2033 * Verify whether or not given domain is trusted.
2034 *
2035 * @param domain_name name of the domain to be verified
2036 * @return true if domain is one of the trusted once or
2037 * false if otherwise
2038 **/
2039
2040 bool is_trusted_domain(const char* dom_name)
2041 {
2042 DOM_SID trustdom_sid;
2043 bool ret;
2044
2045 /* no trusted domains for a standalone server */
2046
2047 if ( lp_server_role() == ROLE_STANDALONE )
2048 return False;
2049
2050 /* if we are a DC, then check for a direct trust relationships */
2051
2052 if ( IS_DC ) {
2053 become_root();
2054 DEBUG (5,("is_trusted_domain: Checking for domain trust with "
2055 "[%s]\n", dom_name ));
2056 ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
2057 unbecome_root();
2058 if (ret)
2059 return True;
2060 }
2061 else {
2062 wbcErr result;
2063
2064 /* If winbind is around, ask it */
2065
2066 result = wb_is_trusted_domain(dom_name);
2067
2068 if (result == WBC_ERR_SUCCESS) {
2069 return True;
2070 }
2071
2072 if (result == WBC_ERR_DOMAIN_NOT_FOUND) {
2073 /* winbind could not find the domain */
2074 return False;
2075 }
2076
2077 /* The only other possible result is that winbind is not up
2078 and running. We need to update the trustdom_cache
2079 ourselves */
2080
2081 update_trustdom_cache();
2082 }
2083
2084 /* now the trustdom cache should be available a DC could still
2085 * have a transitive trust so fall back to the cache of trusted
2086 * domains (like a domain member would use */
2087
2088 if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) {
2089 return True;
2090 }
2091
2092 return False;
2093 }
2094
Samba GIT mirror