search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r25272: Fix a bunch of callers of pull_ucs2 that passed -1 for dest_len.
[Samba.git] / source / winbindd / winbindd_pam.c
blobc4db691d052ea1b3f98fb809d05e3c85395f50cd
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon - pam auth funcions
5
6 Copyright (C) Andrew Tridgell 2000
7 Copyright (C) Tim Potter 2001
8 Copyright (C) Andrew Bartlett 2001-2002
9 Copyright (C) Guenther Deschner 2005
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 */
24
25 #include "includes.h"
26 #include "winbindd.h"
27 #undef DBGC_CLASS
28 #define DBGC_CLASS DBGC_WINBIND
29
30 static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx,
31 struct winbindd_cli_state *state,
32 NET_USER_INFO_3 *info3)
33 {
34 fstring str_sid;
35
36 state->response.data.auth.info3.logon_time =
37 nt_time_to_unix(info3->logon_time);
38 state->response.data.auth.info3.logoff_time =
39 nt_time_to_unix(info3->logoff_time);
40 state->response.data.auth.info3.kickoff_time =
41 nt_time_to_unix(info3->kickoff_time);
42 state->response.data.auth.info3.pass_last_set_time =
43 nt_time_to_unix(info3->pass_last_set_time);
44 state->response.data.auth.info3.pass_can_change_time =
45 nt_time_to_unix(info3->pass_can_change_time);
46 state->response.data.auth.info3.pass_must_change_time =
47 nt_time_to_unix(info3->pass_must_change_time);
48
49 state->response.data.auth.info3.logon_count = info3->logon_count;
50 state->response.data.auth.info3.bad_pw_count = info3->bad_pw_count;
51
52 state->response.data.auth.info3.user_rid = info3->user_rid;
53 state->response.data.auth.info3.group_rid = info3->group_rid;
54 sid_to_string(str_sid, &(info3->dom_sid.sid));
55 fstrcpy(state->response.data.auth.info3.dom_sid, str_sid);
56
57 state->response.data.auth.info3.num_groups = info3->num_groups;
58 state->response.data.auth.info3.user_flgs = info3->user_flgs;
59
60 state->response.data.auth.info3.acct_flags = info3->acct_flags;
61 state->response.data.auth.info3.num_other_sids = info3->num_other_sids;
62
63 unistr2_to_ascii(state->response.data.auth.info3.user_name,
64 &info3->uni_user_name, sizeof(fstring));
65 unistr2_to_ascii(state->response.data.auth.info3.full_name,
66 &info3->uni_full_name, sizeof(fstring));
67 unistr2_to_ascii(state->response.data.auth.info3.logon_script,
68 &info3->uni_logon_script, sizeof(fstring));
69 unistr2_to_ascii(state->response.data.auth.info3.profile_path,
70 &info3->uni_profile_path, sizeof(fstring));
71 unistr2_to_ascii(state->response.data.auth.info3.home_dir,
72 &info3->uni_home_dir, sizeof(fstring));
73 unistr2_to_ascii(state->response.data.auth.info3.dir_drive,
74 &info3->uni_dir_drive, sizeof(fstring));
75
76 unistr2_to_ascii(state->response.data.auth.info3.logon_srv,
77 &info3->uni_logon_srv, sizeof(fstring));
78 unistr2_to_ascii(state->response.data.auth.info3.logon_dom,
79 &info3->uni_logon_dom, sizeof(fstring));
80
81 return NT_STATUS_OK;
82 }
83
84 static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx,
85 struct winbindd_cli_state *state,
86 NET_USER_INFO_3 *info3)
87 {
88 prs_struct ps;
89 uint32 size;
90 if (!prs_init(&ps, 256 /* Random, non-zero number */, mem_ctx, MARSHALL)) {
91 return NT_STATUS_NO_MEMORY;
92 }
93 if (!net_io_user_info3("", info3, &ps, 1, 3, False)) {
94 prs_mem_free(&ps);
95 return NT_STATUS_UNSUCCESSFUL;
96 }
97
98 size = prs_data_size(&ps);
99 SAFE_FREE(state->response.extra_data.data);
100 state->response.extra_data.data = SMB_MALLOC(size);
101 if (!state->response.extra_data.data) {
102 prs_mem_free(&ps);
103 return NT_STATUS_NO_MEMORY;
104 }
105 memset( state->response.extra_data.data, '\0', size );
106 prs_copy_all_data_out((char *)state->response.extra_data.data, &ps);
107 state->response.length += size;
108 prs_mem_free(&ps);
109 return NT_STATUS_OK;
110 }
111
112 static NTSTATUS append_unix_username(TALLOC_CTX *mem_ctx,
113 struct winbindd_cli_state *state,
114 const NET_USER_INFO_3 *info3,
115 const char *name_domain,
116 const char *name_user)
117 {
118 /* We've been asked to return the unix username, per
119 'winbind use default domain' settings and the like */
120
121 fstring username_out;
122 const char *nt_username, *nt_domain;
123
124 if (!(nt_domain = unistr2_tdup(mem_ctx,
125 &info3->uni_logon_dom))) {
126 /* If the server didn't give us one, just use the one
127 * we sent them */
128 nt_domain = name_domain;
129 }
130
131 if (!(nt_username = unistr2_tdup(mem_ctx,
132 &info3->uni_user_name))) {
133 /* If the server didn't give us one, just use the one
134 * we sent them */
135 nt_username = name_user;
136 }
137
138 fill_domain_username(username_out, nt_domain, nt_username,
139 True);
140
141 DEBUG(5,("Setting unix username to [%s]\n", username_out));
142
143 SAFE_FREE(state->response.extra_data.data);
144 state->response.extra_data.data = SMB_STRDUP(username_out);
145 if (!state->response.extra_data.data) {
146 return NT_STATUS_NO_MEMORY;
147 }
148 state->response.length +=
149 strlen((const char *)state->response.extra_data.data)+1;
150
151 return NT_STATUS_OK;
152 }
153
154 static NTSTATUS append_afs_token(TALLOC_CTX *mem_ctx,
155 struct winbindd_cli_state *state,
156 const NET_USER_INFO_3 *info3,
157 const char *name_domain,
158 const char *name_user)
159 {
160 char *afsname = NULL;
161 char *cell;
162
163 afsname = talloc_strdup(mem_ctx, lp_afs_username_map());
164 if (afsname == NULL) {
165 return NT_STATUS_NO_MEMORY;
166 }
167
168 afsname = talloc_string_sub(mem_ctx,
169 lp_afs_username_map(),
170 "%D", name_domain);
171 afsname = talloc_string_sub(mem_ctx, afsname,
172 "%u", name_user);
173 afsname = talloc_string_sub(mem_ctx, afsname,
174 "%U", name_user);
175
176 {
177 DOM_SID user_sid;
178 fstring sidstr;
179
180 sid_copy(&user_sid, &info3->dom_sid.sid);
181 sid_append_rid(&user_sid, info3->user_rid);
182 sid_to_string(sidstr, &user_sid);
183 afsname = talloc_string_sub(mem_ctx, afsname,
184 "%s", sidstr);
185 }
186
187 if (afsname == NULL) {
188 return NT_STATUS_NO_MEMORY;
189 }
190
191 strlower_m(afsname);
192
193 DEBUG(10, ("Generating token for user %s\n", afsname));
194
195 cell = strchr(afsname, '@');
196
197 if (cell == NULL) {
198 return NT_STATUS_NO_MEMORY;
199 }
200
201 *cell = '\0';
202 cell += 1;
203
204 /* Append an AFS token string */
205 SAFE_FREE(state->response.extra_data.data);
206 state->response.extra_data.data =
207 afs_createtoken_str(afsname, cell);
208
209 if (state->response.extra_data.data != NULL) {
210 state->response.length +=
211 strlen((const char *)state->response.extra_data.data)+1;
212 }
213
214 return NT_STATUS_OK;
215 }
216
217 static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
218 NET_USER_INFO_3 *info3,
219 const char *group_sid)
220 /**
221 * Check whether a user belongs to a group or list of groups.
222 *
223 * @param mem_ctx talloc memory context.
224 * @param info3 user information, including group membership info.
225 * @param group_sid One or more groups , separated by commas.
226 *
227 * @return NT_STATUS_OK on success,
228 * NT_STATUS_LOGON_FAILURE if the user does not belong,
229 * or other NT_STATUS_IS_ERR(status) for other kinds of failure.
230 */
231 {
232 DOM_SID *require_membership_of_sid;
233 size_t num_require_membership_of_sid;
234 fstring req_sid;
235 const char *p;
236 DOM_SID sid;
237 size_t i;
238 struct nt_user_token *token;
239 NTSTATUS status;
240
241 /* Parse the 'required group' SID */
242
243 if (!group_sid || !group_sid[0]) {
244 /* NO sid supplied, all users may access */
245 return NT_STATUS_OK;
246 }
247
248 if (!(token = TALLOC_ZERO_P(mem_ctx, struct nt_user_token))) {
249 DEBUG(0, ("talloc failed\n"));
250 return NT_STATUS_NO_MEMORY;
251 }
252
253 num_require_membership_of_sid = 0;
254 require_membership_of_sid = NULL;
255
256 p = group_sid;
257
258 while (next_token(&p, req_sid, ",", sizeof(req_sid))) {
259 if (!string_to_sid(&sid, req_sid)) {
260 DEBUG(0, ("check_info3_in_group: could not parse %s "
261 "as a SID!", req_sid));
262 return NT_STATUS_INVALID_PARAMETER;
263 }
264
265 if (!add_sid_to_array(mem_ctx, &sid,
266 &require_membership_of_sid,
267 &num_require_membership_of_sid)) {
268 DEBUG(0, ("add_sid_to_array failed\n"));
269 return NT_STATUS_NO_MEMORY;
270 }
271 }
272
273 status = sid_array_from_info3(mem_ctx, info3,
274 &token->user_sids,
275 &token->num_sids,
276 True);
277 if (!NT_STATUS_IS_OK(status)) {
278 return status;
279 }
280
281 if (!NT_STATUS_IS_OK(status = add_aliases(get_global_sam_sid(),
282 token))
283 || !NT_STATUS_IS_OK(status = add_aliases(&global_sid_Builtin,
284 token))) {
285 DEBUG(3, ("could not add aliases: %s\n",
286 nt_errstr(status)));
287 return status;
288 }
289
290 debug_nt_user_token(DBGC_CLASS, 10, token);
291
292 for (i=0; i<num_require_membership_of_sid; i++) {
293 DEBUG(10, ("Checking SID %s\n", sid_string_static(
294 &require_membership_of_sid[i])));
295 if (nt_token_check_sid(&require_membership_of_sid[i],
296 token)) {
297 DEBUG(10, ("Access ok\n"));
298 return NT_STATUS_OK;
299 }
300 }
301
302 /* Do not distinguish this error from a wrong username/pw */
303
304 return NT_STATUS_LOGON_FAILURE;
305 }
306
307 struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state,
308 const char *domain_name)
309 {
310 struct winbindd_domain *domain;
311
312 if (IS_DC) {
313 domain = find_domain_from_name_noinit(domain_name);
314 if (domain == NULL) {
315 DEBUG(3, ("Authentication for domain [%s] refused"
316 "as it is not a trusted domain\n",
317 domain_name));
318 }
319 return domain;
320 }
321
322 if (is_myname(domain_name)) {
323 DEBUG(3, ("Authentication for domain %s (local domain "
324 "to this server) not supported at this "
325 "stage\n", domain_name));
326 return NULL;
327 }
328
329 /* we can auth against trusted domains */
330 if (state->request.flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
331 domain = find_domain_from_name_noinit(domain_name);
332 if (domain == NULL) {
333 DEBUG(3, ("Authentication for domain [%s] skipped "
334 "as it is not a trusted domain\n",
335 domain_name));
336 } else {
337 return domain;
338 }
339 }
340
341 return find_our_domain();
342 }
343
344 static void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
345 {
346 resp->data.auth.nt_status = NT_STATUS_V(result);
347 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
348
349 /* we might have given a more useful error above */
350 if (*resp->data.auth.error_string == '\0')
351 fstrcpy(resp->data.auth.error_string,
352 get_friendly_nt_error_msg(result));
353 resp->data.auth.pam_error = nt_status_to_pam(result);
354 }
355
356 static NTSTATUS fillup_password_policy(struct winbindd_domain *domain,
357 struct winbindd_cli_state *state)
358 {
359 struct winbindd_methods *methods;
360 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
361 SAM_UNK_INFO_1 password_policy;
362
363 if ( !winbindd_can_contact_domain( domain ) ) {
364 DEBUG(5,("fillup_password_policy: No inbound trust to "
365 "contact domain %s\n", domain->name));
366 return NT_STATUS_NOT_SUPPORTED;
367 }
368
369 methods = domain->methods;
370
371 status = methods->password_policy(domain, state->mem_ctx, &password_policy);
372 if (NT_STATUS_IS_ERR(status)) {
373 return status;
374 }
375
376 state->response.data.auth.policy.min_length_password =
377 password_policy.min_length_password;
378 state->response.data.auth.policy.password_history =
379 password_policy.password_history;
380 state->response.data.auth.policy.password_properties =
381 password_policy.password_properties;
382 state->response.data.auth.policy.expire =
383 nt_time_to_unix_abs(&(password_policy.expire));
384 state->response.data.auth.policy.min_passwordage =
385 nt_time_to_unix_abs(&(password_policy.min_passwordage));
386
387 return NT_STATUS_OK;
388 }
389
390 static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain *domain,
391 TALLOC_CTX *mem_ctx,
392 uint16 *max_allowed_bad_attempts)
393 {
394 struct winbindd_methods *methods;
395 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
396 SAM_UNK_INFO_12 lockout_policy;
397
398 *max_allowed_bad_attempts = 0;
399
400 methods = domain->methods;
401
402 status = methods->lockout_policy(domain, mem_ctx, &lockout_policy);
403 if (NT_STATUS_IS_ERR(status)) {
404 return status;
405 }
406
407 *max_allowed_bad_attempts = lockout_policy.bad_attempt_lockout;
408
409 return NT_STATUS_OK;
410 }
411
412 static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
413 TALLOC_CTX *mem_ctx,
414 uint32 *password_properties)
415 {
416 struct winbindd_methods *methods;
417 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
418 SAM_UNK_INFO_1 password_policy;
419
420 *password_properties = 0;
421
422 methods = domain->methods;
423
424 status = methods->password_policy(domain, mem_ctx, &password_policy);
425 if (NT_STATUS_IS_ERR(status)) {
426 return status;
427 }
428
429 *password_properties = password_policy.password_properties;
430
431 return NT_STATUS_OK;
432 }
433
434 #ifdef HAVE_KRB5
435
436 static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
437 const char *type,
438 uid_t uid,
439 BOOL *internal_ccache)
440 {
441 /* accept FILE and WRFILE as krb5_cc_type from the client and then
442 * build the full ccname string based on the user's uid here -
443 * Guenther*/
444
445 const char *gen_cc = NULL;
446
447 *internal_ccache = True;
448
449 if (uid == -1) {
450 goto memory_ccache;
451 }
452
453 if (!type || type[0] == '\0') {
454 goto memory_ccache;
455 }
456
457 if (strequal(type, "FILE")) {
458 gen_cc = talloc_asprintf(mem_ctx, "FILE:/tmp/krb5cc_%d", uid);
459 } else if (strequal(type, "WRFILE")) {
460 gen_cc = talloc_asprintf(mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
461 } else {
462 DEBUG(10,("we don't allow to set a %s type ccache\n", type));
463 goto memory_ccache;
464 }
465
466 *internal_ccache = False;
467 goto done;
468
469 memory_ccache:
470 gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbindd_pam_ccache");
471
472 done:
473 if (gen_cc == NULL) {
474 DEBUG(0,("out of memory\n"));
475 return NULL;
476 }
477
478 DEBUG(10,("using ccache: %s %s\n", gen_cc, *internal_ccache ? "(internal)":""));
479
480 return gen_cc;
481 }
482
483 static void setup_return_cc_name(struct winbindd_cli_state *state, const char *cc)
484 {
485 const char *type = state->request.data.auth.krb5_cc_type;
486
487 state->response.data.auth.krb5ccname[0] = '\0';
488
489 if (type[0] == '\0') {
490 return;
491 }
492
493 if (!strequal(type, "FILE") &&
494 !strequal(type, "WRFILE")) {
495 DEBUG(10,("won't return krbccname for a %s type ccache\n",
496 type));
497 return;
498 }
499
500 fstrcpy(state->response.data.auth.krb5ccname, cc);
501 }
502
503 #endif
504
505 static uid_t get_uid_from_state(struct winbindd_cli_state *state)
506 {
507 uid_t uid = -1;
508
509 uid = state->request.data.auth.uid;
510
511 if (uid < 0) {
512 DEBUG(1,("invalid uid: '%d'\n", uid));
513 return -1;
514 }
515 return uid;
516 }
517
518 /**********************************************************************
519 Authenticate a user with a clear text password using Kerberos and fill up
520 ccache if required
521 **********************************************************************/
522
523 static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
524 struct winbindd_cli_state *state,
525 NET_USER_INFO_3 **info3)
526 {
527 #ifdef HAVE_KRB5
528 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
529 krb5_error_code krb5_ret;
530 const char *cc = NULL;
531 const char *principal_s = NULL;
532 const char *service = NULL;
533 char *realm = NULL;
534 fstring name_domain, name_user;
535 time_t ticket_lifetime = 0;
536 time_t renewal_until = 0;
537 uid_t uid = -1;
538 ADS_STRUCT *ads;
539 time_t time_offset = 0;
540 BOOL internal_ccache = True;
541
542 ZERO_STRUCTP(info3);
543
544 *info3 = NULL;
545
546 /* 1st step:
547 * prepare a krb5_cc_cache string for the user */
548
549 uid = get_uid_from_state(state);
550 if (uid == -1) {
551 DEBUG(0,("no valid uid\n"));
552 }
553
554 cc = generate_krb5_ccache(state->mem_ctx,
555 state->request.data.auth.krb5_cc_type,
556 state->request.data.auth.uid,
557 &internal_ccache);
558 if (cc == NULL) {
559 return NT_STATUS_NO_MEMORY;
560 }
561
562
563 /* 2nd step:
564 * get kerberos properties */
565
566 if (domain->private_data) {
567 ads = (ADS_STRUCT *)domain->private_data;
568 time_offset = ads->auth.time_offset;
569 }
570
571
572 /* 3rd step:
573 * do kerberos auth and setup ccache as the user */
574
575 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
576
577 realm = domain->alt_name;
578 strupper_m(realm);
579
580 principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
581 if (principal_s == NULL) {
582 return NT_STATUS_NO_MEMORY;
583 }
584
585 service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
586 if (service == NULL) {
587 return NT_STATUS_NO_MEMORY;
588 }
589
590 /* if this is a user ccache, we need to act as the user to let the krb5
591 * library handle the chown, etc. */
592
593 /************************ ENTERING NON-ROOT **********************/
594
595 if (!internal_ccache) {
596 set_effective_uid(uid);
597 DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
598 }
599
600 result = kerberos_return_info3_from_pac(state->mem_ctx,
601 principal_s,
602 state->request.data.auth.pass,
603 time_offset,
604 &ticket_lifetime,
605 &renewal_until,
606 cc,
607 True,
608 True,
609 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
610 info3);
611 if (!internal_ccache) {
612 gain_root_privilege();
613 }
614
615 /************************ RETURNED TO ROOT **********************/
616
617 if (!NT_STATUS_IS_OK(result)) {
618 goto failed;
619 }
620
621 DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
622 principal_s));
623
624 /* if we had a user's ccache then return that string for the pam
625 * environment */
626
627 if (!internal_ccache) {
628
629 setup_return_cc_name(state, cc);
630
631 result = add_ccache_to_list(principal_s,
632 cc,
633 service,
634 state->request.data.auth.user,
635 realm,
636 uid,
637 time(NULL),
638 ticket_lifetime,
639 renewal_until,
640 False);
641
642 if (!NT_STATUS_IS_OK(result)) {
643 DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
644 nt_errstr(result)));
645 }
646 } else {
647
648 /* need to delete the memory cred cache, it is not used anymore */
649
650 krb5_ret = ads_kdestroy(cc);
651 if (krb5_ret) {
652 DEBUG(3,("winbindd_raw_kerberos_login: "
653 "could not destroy krb5 credential cache: "
654 "%s\n", error_message(krb5_ret)));
655 }
656
657 }
658
659 return NT_STATUS_OK;
660
661 failed:
662
663 /* we could have created a new credential cache with a valid tgt in it
664 * but we werent able to get or verify the service ticket for this
665 * local host and therefor didn't get the PAC, we need to remove that
666 * cache entirely now */
667
668 krb5_ret = ads_kdestroy(cc);
669 if (krb5_ret) {
670 DEBUG(3,("winbindd_raw_kerberos_login: "
671 "could not destroy krb5 credential cache: "
672 "%s\n", error_message(krb5_ret)));
673 }
674
675 if (!NT_STATUS_IS_OK(remove_ccache(state->request.data.auth.user))) {
676 DEBUG(3,("winbindd_raw_kerberos_login: "
677 "could not remove ccache for user %s\n",
678 state->request.data.auth.user));
679 }
680
681 return result;
682 #else
683 return NT_STATUS_NOT_SUPPORTED;
684 #endif /* HAVE_KRB5 */
685 }
686
687 /****************************************************************
688 ****************************************************************/
689
690 static BOOL check_request_flags(uint32_t flags)
691 {
692 uint32_t flags_edata = WBFLAG_PAM_AFS_TOKEN |
693 WBFLAG_PAM_UNIX_NAME |
694 WBFLAG_PAM_INFO3_NDR;
695
696 if ( ( (flags & flags_edata) == WBFLAG_PAM_AFS_TOKEN) ||
697 ( (flags & flags_edata) == WBFLAG_PAM_INFO3_NDR) ||
698 ( (flags & flags_edata) == WBFLAG_PAM_UNIX_NAME) ||
699 !(flags & flags_edata) ) {
700 return True;
701 }
702
703 DEBUG(1,("check_request_flags: invalid request flags\n"));
704
705 return False;
706 }
707
708 /****************************************************************
709 ****************************************************************/
710
711 static NTSTATUS append_data(struct winbindd_cli_state *state,
712 NET_USER_INFO_3 *info3,
713 const char *name_domain,
714 const char *name_user)
715 {
716 NTSTATUS result;
717 uint32_t flags = state->request.flags;
718
719 if (flags & WBFLAG_PAM_USER_SESSION_KEY) {
720 memcpy(state->response.data.auth.user_session_key,
721 info3->user_sess_key,
722 sizeof(state->response.data.auth.user_session_key)
723 /* 16 */);
724 }
725
726 if (flags & WBFLAG_PAM_LMKEY) {
727 memcpy(state->response.data.auth.first_8_lm_hash,
728 info3->lm_sess_key,
729 sizeof(state->response.data.auth.first_8_lm_hash)
730 /* 8 */);
731 }
732
733 if (flags & WBFLAG_PAM_INFO3_TEXT) {
734 result = append_info3_as_txt(state->mem_ctx, state, info3);
735 if (!NT_STATUS_IS_OK(result)) {
736 DEBUG(10,("Failed to append INFO3 (TXT): %s\n",
737 nt_errstr(result)));
738 return result;
739 }
740 }
741
742 /* currently, anything from here on potentially overwrites extra_data. */
743
744 if (flags & WBFLAG_PAM_INFO3_NDR) {
745 result = append_info3_as_ndr(state->mem_ctx, state, info3);
746 if (!NT_STATUS_IS_OK(result)) {
747 DEBUG(10,("Failed to append INFO3 (NDR): %s\n",
748 nt_errstr(result)));
749 return result;
750 }
751 }
752
753 if (flags & WBFLAG_PAM_UNIX_NAME) {
754 result = append_unix_username(state->mem_ctx, state, info3,
755 name_domain, name_user);
756 if (!NT_STATUS_IS_OK(result)) {
757 DEBUG(10,("Failed to append Unix Username: %s\n",
758 nt_errstr(result)));
759 return result;
760 }
761 }
762
763 if (flags & WBFLAG_PAM_AFS_TOKEN) {
764 result = append_afs_token(state->mem_ctx, state, info3,
765 name_domain, name_user);
766 if (!NT_STATUS_IS_OK(result)) {
767 DEBUG(10,("Failed to append AFS token: %s\n",
768 nt_errstr(result)));
769 return result;
770 }
771 }
772
773 return NT_STATUS_OK;
774 }
775
776 void winbindd_pam_auth(struct winbindd_cli_state *state)
777 {
778 struct winbindd_domain *domain;
779 fstring name_domain, name_user;
780 NTSTATUS result;
781
782 /* Ensure null termination */
783 state->request.data.auth.user
784 [sizeof(state->request.data.auth.user)-1]='\0';
785
786 /* Ensure null termination */
787 state->request.data.auth.pass
788 [sizeof(state->request.data.auth.pass)-1]='\0';
789
790 DEBUG(3, ("[%5lu]: pam auth %s\n", (unsigned long)state->pid,
791 state->request.data.auth.user));
792
793 if (!check_request_flags(state->request.flags)) {
794 result = NT_STATUS_INVALID_PARAMETER_MIX;
795 goto done;
796 }
797
798 /* Parse domain and username */
799
800 ws_name_return( state->request.data.auth.user, WB_REPLACE_CHAR );
801
802 if (!canonicalize_username(state->request.data.auth.user,
803 name_domain, name_user)) {
804 result = NT_STATUS_NO_SUCH_USER;
805 goto done;
806 }
807
808 domain = find_auth_domain(state, name_domain);
809
810 if (domain == NULL) {
811 result = NT_STATUS_NO_SUCH_USER;
812 goto done;
813 }
814
815 sendto_domain(state, domain);
816 return;
817 done:
818 set_auth_errors(&state->response, result);
819 DEBUG(5, ("Plain text authentication for %s returned %s "
820 "(PAM: %d)\n",
821 state->request.data.auth.user,
822 state->response.data.auth.nt_status_string,
823 state->response.data.auth.pam_error));
824 request_error(state);
825 }
826
827 NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
828 struct winbindd_cli_state *state,
829 NET_USER_INFO_3 **info3)
830 {
831 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
832 uint16 max_allowed_bad_attempts;
833 fstring name_domain, name_user;
834 DOM_SID sid;
835 enum lsa_SidType type;
836 uchar new_nt_pass[NT_HASH_LEN];
837 const uint8 *cached_nt_pass;
838 const uint8 *cached_salt;
839 NET_USER_INFO_3 *my_info3;
840 time_t kickoff_time, must_change_time;
841 BOOL password_good = False;
842 #ifdef HAVE_KRB5
843 struct winbindd_tdc_domain *tdc_domain = NULL;
844 #endif
845
846 *info3 = NULL;
847
848 ZERO_STRUCTP(info3);
849
850 DEBUG(10,("winbindd_dual_pam_auth_cached\n"));
851
852 /* Parse domain and username */
853
854 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
855
856
857 if (!lookup_cached_name(state->mem_ctx,
858 name_domain,
859 name_user,
860 &sid,
861 &type)) {
862 DEBUG(10,("winbindd_dual_pam_auth_cached: no such user in the cache\n"));
863 return NT_STATUS_NO_SUCH_USER;
864 }
865
866 if (type != SID_NAME_USER) {
867 DEBUG(10,("winbindd_dual_pam_auth_cached: not a user (%s)\n", sid_type_lookup(type)));
868 return NT_STATUS_LOGON_FAILURE;
869 }
870
871 result = winbindd_get_creds(domain,
872 state->mem_ctx,
873 &sid,
874 &my_info3,
875 &cached_nt_pass,
876 &cached_salt);
877 if (!NT_STATUS_IS_OK(result)) {
878 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get creds: %s\n", nt_errstr(result)));
879 return result;
880 }
881
882 *info3 = my_info3;
883
884 E_md4hash(state->request.data.auth.pass, new_nt_pass);
885
886 dump_data_pw("new_nt_pass", new_nt_pass, NT_HASH_LEN);
887 dump_data_pw("cached_nt_pass", cached_nt_pass, NT_HASH_LEN);
888 if (cached_salt) {
889 dump_data_pw("cached_salt", cached_salt, NT_HASH_LEN);
890 }
891
892 if (cached_salt) {
893 /* In this case we didn't store the nt_hash itself,
894 but the MD5 combination of salt + nt_hash. */
895 uchar salted_hash[NT_HASH_LEN];
896 E_md5hash(cached_salt, new_nt_pass, salted_hash);
897
898 password_good = (memcmp(cached_nt_pass, salted_hash, NT_HASH_LEN) == 0) ?
899 True : False;
900 } else {
901 /* Old cached cred - direct store of nt_hash (bad bad bad !). */
902 password_good = (memcmp(cached_nt_pass, new_nt_pass, NT_HASH_LEN) == 0) ?
903 True : False;
904 }
905
906 if (password_good) {
907
908 /* User *DOES* know the password, update logon_time and reset
909 * bad_pw_count */
910
911 my_info3->user_flgs |= LOGON_CACHED_ACCOUNT;
912
913 if (my_info3->acct_flags & ACB_AUTOLOCK) {
914 return NT_STATUS_ACCOUNT_LOCKED_OUT;
915 }
916
917 if (my_info3->acct_flags & ACB_DISABLED) {
918 return NT_STATUS_ACCOUNT_DISABLED;
919 }
920
921 if (my_info3->acct_flags & ACB_WSTRUST) {
922 return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
923 }
924
925 if (my_info3->acct_flags & ACB_SVRTRUST) {
926 return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
927 }
928
929 if (my_info3->acct_flags & ACB_DOMTRUST) {
930 return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
931 }
932
933 if (!(my_info3->acct_flags & ACB_NORMAL)) {
934 DEBUG(0,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
935 my_info3->acct_flags));
936 return NT_STATUS_LOGON_FAILURE;
937 }
938
939 kickoff_time = nt_time_to_unix(my_info3->kickoff_time);
940 if (kickoff_time != 0 && time(NULL) > kickoff_time) {
941 return NT_STATUS_ACCOUNT_EXPIRED;
942 }
943
944 must_change_time = nt_time_to_unix(my_info3->pass_must_change_time);
945 if (must_change_time != 0 && must_change_time < time(NULL)) {
946 /* we allow grace logons when the password has expired */
947 my_info3->user_flgs |= LOGON_GRACE_LOGON;
948 /* return NT_STATUS_PASSWORD_EXPIRED; */
949 goto success;
950 }
951
952 #ifdef HAVE_KRB5
953 if ((state->request.flags & WBFLAG_PAM_KRB5) &&
954 ((tdc_domain = wcache_tdc_fetch_domain(state->mem_ctx, name_domain)) != NULL) &&
955 (tdc_domain->trust_type & DS_DOMAIN_TRUST_TYPE_UPLEVEL)) {
956
957 uid_t uid = -1;
958 const char *cc = NULL;
959 char *realm = NULL;
960 const char *principal_s = NULL;
961 const char *service = NULL;
962 BOOL internal_ccache = False;
963
964 uid = get_uid_from_state(state);
965 if (uid == -1) {
966 DEBUG(0,("winbindd_dual_pam_auth_cached: invalid uid\n"));
967 return NT_STATUS_INVALID_PARAMETER;
968 }
969
970 cc = generate_krb5_ccache(state->mem_ctx,
971 state->request.data.auth.krb5_cc_type,
972 state->request.data.auth.uid,
973 &internal_ccache);
974 if (cc == NULL) {
975 return NT_STATUS_NO_MEMORY;
976 }
977
978 realm = domain->alt_name;
979 strupper_m(realm);
980
981 principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
982 if (principal_s == NULL) {
983 return NT_STATUS_NO_MEMORY;
984 }
985
986 service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
987 if (service == NULL) {
988 return NT_STATUS_NO_MEMORY;
989 }
990
991 if (!internal_ccache) {
992
993 setup_return_cc_name(state, cc);
994
995 result = add_ccache_to_list(principal_s,
996 cc,
997 service,
998 state->request.data.auth.user,
999 domain->alt_name,
1000 uid,
1001 time(NULL),
1002 time(NULL) + lp_winbind_cache_time(),
1003 time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
1004 True);
1005
1006 if (!NT_STATUS_IS_OK(result)) {
1007 DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
1008 "to add ccache to list: %s\n",
1009 nt_errstr(result)));
1010 }
1011 }
1012 }
1013 #endif /* HAVE_KRB5 */
1014 success:
1015 /* FIXME: we possibly should handle logon hours as well (does xp when
1016 * offline?) see auth/auth_sam.c:sam_account_ok for details */
1017
1018 unix_to_nt_time(&my_info3->logon_time, time(NULL));
1019 my_info3->bad_pw_count = 0;
1020
1021 result = winbindd_update_creds_by_info3(domain,
1022 state->mem_ctx,
1023 state->request.data.auth.user,
1024 state->request.data.auth.pass,
1025 my_info3);
1026 if (!NT_STATUS_IS_OK(result)) {
1027 DEBUG(1,("winbindd_dual_pam_auth_cached: failed to update creds: %s\n",
1028 nt_errstr(result)));
1029 return result;
1030 }
1031
1032 return NT_STATUS_OK;
1033
1034 }
1035
1036 /* User does *NOT* know the correct password, modify info3 accordingly */
1037
1038 /* failure of this is not critical */
1039 result = get_max_bad_attempts_from_lockout_policy(domain, state->mem_ctx, &max_allowed_bad_attempts);
1040 if (!NT_STATUS_IS_OK(result)) {
1041 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get max_allowed_bad_attempts. "
1042 "Won't be able to honour account lockout policies\n"));
1043 }
1044
1045 /* increase counter */
1046 my_info3->bad_pw_count++;
1047
1048 if (max_allowed_bad_attempts == 0) {
1049 goto failed;
1050 }
1051
1052 /* lockout user */
1053 if (my_info3->bad_pw_count >= max_allowed_bad_attempts) {
1054
1055 uint32 password_properties;
1056
1057 result = get_pwd_properties(domain, state->mem_ctx, &password_properties);
1058 if (!NT_STATUS_IS_OK(result)) {
1059 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
1060 }
1061
1062 if ((my_info3->user_rid != DOMAIN_USER_RID_ADMIN) ||
1063 (password_properties & DOMAIN_LOCKOUT_ADMINS)) {
1064 my_info3->acct_flags |= ACB_AUTOLOCK;
1065 }
1066 }
1067
1068 failed:
1069 result = winbindd_update_creds_by_info3(domain,
1070 state->mem_ctx,
1071 state->request.data.auth.user,
1072 NULL,
1073 my_info3);
1074
1075 if (!NT_STATUS_IS_OK(result)) {
1076 DEBUG(0,("winbindd_dual_pam_auth_cached: failed to update creds %s\n",
1077 nt_errstr(result)));
1078 }
1079
1080 return NT_STATUS_LOGON_FAILURE;
1081 }
1082
1083 NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
1084 struct winbindd_cli_state *state,
1085 NET_USER_INFO_3 **info3)
1086 {
1087 struct winbindd_domain *contact_domain;
1088 fstring name_domain, name_user;
1089 NTSTATUS result;
1090
1091 DEBUG(10,("winbindd_dual_pam_auth_kerberos\n"));
1092
1093 /* Parse domain and username */
1094
1095 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
1096
1097 /* what domain should we contact? */
1098
1099 if ( IS_DC ) {
1100 if (!(contact_domain = find_domain_from_name(name_domain))) {
1101 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1102 state->request.data.auth.user, name_domain, name_user, name_domain));
1103 result = NT_STATUS_NO_SUCH_USER;
1104 goto done;
1105 }
1106
1107 } else {
1108 if (is_myname(name_domain)) {
1109 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1110 result = NT_STATUS_NO_SUCH_USER;
1111 goto done;
1112 }
1113
1114 contact_domain = find_domain_from_name(name_domain);
1115 if (contact_domain == NULL) {
1116 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1117 state->request.data.auth.user, name_domain, name_user, name_domain));
1118
1119 contact_domain = find_our_domain();
1120 }
1121 }
1122
1123 if (contact_domain->initialized &&
1124 contact_domain->active_directory) {
1125 goto try_login;
1126 }
1127
1128 if (!contact_domain->initialized) {
1129 init_dc_connection(contact_domain);
1130 }
1131
1132 if (!contact_domain->active_directory) {
1133 DEBUG(3,("krb5 auth requested but domain is not Active Directory\n"));
1134 return NT_STATUS_INVALID_LOGON_TYPE;
1135 }
1136 try_login:
1137 result = winbindd_raw_kerberos_login(contact_domain, state, info3);
1138 done:
1139 return result;
1140 }
1141
1142 NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
1143 struct winbindd_cli_state *state,
1144 NET_USER_INFO_3 **info3)
1145 {
1146
1147 struct rpc_pipe_client *netlogon_pipe;
1148 uchar chal[8];
1149 DATA_BLOB lm_resp;
1150 DATA_BLOB nt_resp;
1151 int attempts = 0;
1152 unsigned char local_lm_response[24];
1153 unsigned char local_nt_response[24];
1154 struct winbindd_domain *contact_domain;
1155 fstring name_domain, name_user;
1156 BOOL retry;
1157 NTSTATUS result;
1158 NET_USER_INFO_3 *my_info3;
1159
1160 ZERO_STRUCTP(info3);
1161
1162 *info3 = NULL;
1163
1164 my_info3 = TALLOC_ZERO_P(state->mem_ctx, NET_USER_INFO_3);
1165 if (my_info3 == NULL) {
1166 return NT_STATUS_NO_MEMORY;
1167 }
1168
1169
1170 DEBUG(10,("winbindd_dual_pam_auth_samlogon\n"));
1171
1172 /* Parse domain and username */
1173
1174 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
1175
1176 /* do password magic */
1177
1178
1179 generate_random_buffer(chal, 8);
1180 if (lp_client_ntlmv2_auth()) {
1181 DATA_BLOB server_chal;
1182 DATA_BLOB names_blob;
1183 DATA_BLOB nt_response;
1184 DATA_BLOB lm_response;
1185 server_chal = data_blob_talloc(state->mem_ctx, chal, 8);
1186
1187 /* note that the 'workgroup' here is a best guess - we don't know
1188 the server's domain at this point. The 'server name' is also
1189 dodgy...
1190 */
1191 names_blob = NTLMv2_generate_names_blob(global_myname(), lp_workgroup());
1192
1193 if (!SMBNTLMv2encrypt(name_user, name_domain,
1194 state->request.data.auth.pass,
1195 &server_chal,
1196 &names_blob,
1197 &lm_response, &nt_response, NULL)) {
1198 data_blob_free(&names_blob);
1199 data_blob_free(&server_chal);
1200 DEBUG(0, ("winbindd_pam_auth: SMBNTLMv2encrypt() failed!\n"));
1201 result = NT_STATUS_NO_MEMORY;
1202 goto done;
1203 }
1204 data_blob_free(&names_blob);
1205 data_blob_free(&server_chal);
1206 lm_resp = data_blob_talloc(state->mem_ctx, lm_response.data,
1207 lm_response.length);
1208 nt_resp = data_blob_talloc(state->mem_ctx, nt_response.data,
1209 nt_response.length);
1210 data_blob_free(&lm_response);
1211 data_blob_free(&nt_response);
1212
1213 } else {
1214 if (lp_client_lanman_auth()
1215 && SMBencrypt(state->request.data.auth.pass,
1216 chal,
1217 local_lm_response)) {
1218 lm_resp = data_blob_talloc(state->mem_ctx,
1219 local_lm_response,
1220 sizeof(local_lm_response));
1221 } else {
1222 lm_resp = data_blob_null;
1223 }
1224 SMBNTencrypt(state->request.data.auth.pass,
1225 chal,
1226 local_nt_response);
1227
1228 nt_resp = data_blob_talloc(state->mem_ctx,
1229 local_nt_response,
1230 sizeof(local_nt_response));
1231 }
1232
1233 /* what domain should we contact? */
1234
1235 if ( IS_DC ) {
1236 if (!(contact_domain = find_domain_from_name(name_domain))) {
1237 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1238 state->request.data.auth.user, name_domain, name_user, name_domain));
1239 result = NT_STATUS_NO_SUCH_USER;
1240 goto done;
1241 }
1242
1243 } else {
1244 if (is_myname(name_domain)) {
1245 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1246 result = NT_STATUS_NO_SUCH_USER;
1247 goto done;
1248 }
1249
1250 contact_domain = find_our_domain();
1251 }
1252
1253 /* check authentication loop */
1254
1255 do {
1256 NTSTATUS (*logon_fn)(struct rpc_pipe_client
1257 *cli, TALLOC_CTX *mem_ctx,
1258 uint32 logon_parameters,
1259 const char *server,
1260 const char *username,
1261 const char *domain,
1262 const char *workstation,
1263 const uint8 chal[8],
1264 DATA_BLOB lm_response,
1265 DATA_BLOB nt_response,
1266 NET_USER_INFO_3 *info3);
1267
1268 ZERO_STRUCTP(my_info3);
1269 retry = False;
1270
1271 result = cm_connect_netlogon(contact_domain, &netlogon_pipe);
1272
1273 if (!NT_STATUS_IS_OK(result)) {
1274 DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
1275 goto done;
1276 }
1277
1278 logon_fn = contact_domain->can_do_samlogon_ex
1279 ? rpccli_netlogon_sam_network_logon_ex
1280 : rpccli_netlogon_sam_network_logon;
1281
1282 result = logon_fn(netlogon_pipe,
1283 state->mem_ctx,
1284 0,
1285 contact_domain->dcname, /* server name */
1286 name_user, /* user name */
1287 name_domain, /* target domain */
1288 global_myname(), /* workstation */
1289 chal,
1290 lm_resp,
1291 nt_resp,
1292 my_info3);
1293
1294 if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR)
1295 && contact_domain->can_do_samlogon_ex) {
1296 DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
1297 "retrying with NetSamLogon\n"));
1298 contact_domain->can_do_samlogon_ex = False;
1299 retry = True;
1300 continue;
1301 }
1302
1303 attempts += 1;
1304
1305 /* We have to try a second time as cm_connect_netlogon
1306 might not yet have noticed that the DC has killed
1307 our connection. */
1308
1309 if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) {
1310 retry = True;
1311 continue;
1312 }
1313
1314 /* if we get access denied, a possible cause was that we had
1315 and open connection to the DC, but someone changed our
1316 machine account password out from underneath us using 'net
1317 rpc changetrustpw' */
1318
1319 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1320 DEBUG(3,("winbindd_pam_auth: sam_logon returned "
1321 "ACCESS_DENIED. Maybe the trust account "
1322 "password was changed and we didn't know it. "
1323 "Killing connections to domain %s\n",
1324 name_domain));
1325 invalidate_cm_connection(&contact_domain->conn);
1326 retry = True;
1327 }
1328
1329 } while ( (attempts < 2) && retry );
1330
1331 /* handle the case where a NT4 DC does not fill in the acct_flags in
1332 * the samlogon reply info3. When accurate info3 is required by the
1333 * caller, we look up the account flags ourselve - gd */
1334
1335 if ((state->request.flags & WBFLAG_PAM_INFO3_TEXT) &&
1336 (my_info3->acct_flags == 0) && NT_STATUS_IS_OK(result)) {
1337
1338 struct rpc_pipe_client *samr_pipe;
1339 POLICY_HND samr_domain_handle, user_pol;
1340 SAM_USERINFO_CTR *user_ctr;
1341 NTSTATUS status_tmp;
1342 uint32 acct_flags;
1343
1344 ZERO_STRUCT(user_ctr);
1345
1346 status_tmp = cm_connect_sam(contact_domain, state->mem_ctx,
1347 &samr_pipe, &samr_domain_handle);
1348
1349 if (!NT_STATUS_IS_OK(status_tmp)) {
1350 DEBUG(3, ("could not open handle to SAMR pipe: %s\n",
1351 nt_errstr(status_tmp)));
1352 goto done;
1353 }
1354
1355 status_tmp = rpccli_samr_open_user(samr_pipe, state->mem_ctx,
1356 &samr_domain_handle,
1357 MAXIMUM_ALLOWED_ACCESS,
1358 my_info3->user_rid, &user_pol);
1359
1360 if (!NT_STATUS_IS_OK(status_tmp)) {
1361 DEBUG(3, ("could not open user handle on SAMR pipe: %s\n",
1362 nt_errstr(status_tmp)));
1363 goto done;
1364 }
1365
1366 status_tmp = rpccli_samr_query_userinfo(samr_pipe, state->mem_ctx,
1367 &user_pol, 16, &user_ctr);
1368
1369 if (!NT_STATUS_IS_OK(status_tmp)) {
1370 DEBUG(3, ("could not query user info on SAMR pipe: %s\n",
1371 nt_errstr(status_tmp)));
1372 rpccli_samr_close(samr_pipe, state->mem_ctx, &user_pol);
1373 goto done;
1374 }
1375
1376 acct_flags = user_ctr->info.id16->acb_info;
1377
1378 if (acct_flags == 0) {
1379 rpccli_samr_close(samr_pipe, state->mem_ctx, &user_pol);
1380 goto done;
1381 }
1382
1383 my_info3->acct_flags = acct_flags;
1384
1385 DEBUG(10,("successfully retrieved acct_flags 0x%x\n", acct_flags));
1386
1387 rpccli_samr_close(samr_pipe, state->mem_ctx, &user_pol);
1388 }
1389
1390 *info3 = my_info3;
1391 done:
1392 return result;
1393 }
1394
1395 enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
1396 struct winbindd_cli_state *state)
1397 {
1398 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
1399 NTSTATUS krb5_result = NT_STATUS_OK;
1400 fstring name_domain, name_user;
1401 NET_USER_INFO_3 *info3 = NULL;
1402
1403 /* Ensure null termination */
1404 state->request.data.auth.user[sizeof(state->request.data.auth.user)-1]='\0';
1405
1406 /* Ensure null termination */
1407 state->request.data.auth.pass[sizeof(state->request.data.auth.pass)-1]='\0';
1408
1409 DEBUG(3, ("[%5lu]: dual pam auth %s\n", (unsigned long)state->pid,
1410 state->request.data.auth.user));
1411
1412 if (!check_request_flags(state->request.flags)) {
1413 result = NT_STATUS_INVALID_PARAMETER_MIX;
1414 goto done;
1415 }
1416
1417 /* Parse domain and username */
1418
1419 ws_name_return( state->request.data.auth.user, WB_REPLACE_CHAR );
1420
1421 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
1422
1423 if (domain->online == False) {
1424 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1425 if (domain->startup) {
1426 /* Logons are very important to users. If we're offline and
1427 we get a request within the first 30 seconds of startup,
1428 try very hard to find a DC and go online. */
1429
1430 DEBUG(10,("winbindd_dual_pam_auth: domain: %s offline and auth "
1431 "request in startup mode.\n", domain->name ));
1432
1433 winbindd_flush_negative_conn_cache(domain);
1434 result = init_dc_connection(domain);
1435 }
1436 }
1437
1438 DEBUG(10,("winbindd_dual_pam_auth: domain: %s last was %s\n", domain->name, domain->online ? "online":"offline"));
1439
1440 /* Check for Kerberos authentication */
1441 if (domain->online && (state->request.flags & WBFLAG_PAM_KRB5)) {
1442
1443 result = winbindd_dual_pam_auth_kerberos(domain, state, &info3);
1444 /* save for later */
1445 krb5_result = result;
1446
1447
1448 if (NT_STATUS_IS_OK(result)) {
1449 DEBUG(10,("winbindd_dual_pam_auth_kerberos succeeded\n"));
1450 goto process_result;
1451 } else {
1452 DEBUG(10,("winbindd_dual_pam_auth_kerberos failed: %s\n", nt_errstr(result)));
1453 }
1454
1455 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
1456 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
1457 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1458 DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
1459 set_domain_offline( domain );
1460 goto cached_logon;
1461 }
1462
1463 /* there are quite some NT_STATUS errors where there is no
1464 * point in retrying with a samlogon, we explictly have to take
1465 * care not to increase the bad logon counter on the DC */
1466
1467 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_DISABLED) ||
1468 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_EXPIRED) ||
1469 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_LOCKED_OUT) ||
1470 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_LOGON_HOURS) ||
1471 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_WORKSTATION) ||
1472 NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE) ||
1473 NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER) ||
1474 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_EXPIRED) ||
1475 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE) ||
1476 NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD)) {
1477 goto process_result;
1478 }
1479
1480 if (state->request.flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
1481 DEBUG(3,("falling back to samlogon\n"));
1482 goto sam_logon;
1483 } else {
1484 goto cached_logon;
1485 }
1486 }
1487
1488 sam_logon:
1489 /* Check for Samlogon authentication */
1490 if (domain->online) {
1491 result = winbindd_dual_pam_auth_samlogon(domain, state, &info3);
1492
1493 if (NT_STATUS_IS_OK(result)) {
1494 DEBUG(10,("winbindd_dual_pam_auth_samlogon succeeded\n"));
1495 /* add the Krb5 err if we have one */
1496 if ( NT_STATUS_EQUAL(krb5_result, NT_STATUS_TIME_DIFFERENCE_AT_DC ) ) {
1497 info3->user_flgs |= LOGON_KRB5_FAIL_CLOCK_SKEW;
1498 }
1499 goto process_result;
1500 }
1501
1502 DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n",
1503 nt_errstr(result)));
1504
1505 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
1506 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
1507 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND))
1508 {
1509 DEBUG(10,("winbindd_dual_pam_auth_samlogon setting domain to offline\n"));
1510 set_domain_offline( domain );
1511 goto cached_logon;
1512 }
1513
1514 if (domain->online) {
1515 /* We're still online - fail. */
1516 goto done;
1517 }
1518 }
1519
1520 cached_logon:
1521 /* Check for Cached logons */
1522 if (!domain->online && (state->request.flags & WBFLAG_PAM_CACHED_LOGIN) &&
1523 lp_winbind_offline_logon()) {
1524
1525 result = winbindd_dual_pam_auth_cached(domain, state, &info3);
1526
1527 if (NT_STATUS_IS_OK(result)) {
1528 DEBUG(10,("winbindd_dual_pam_auth_cached succeeded\n"));
1529 goto process_result;
1530 } else {
1531 DEBUG(10,("winbindd_dual_pam_auth_cached failed: %s\n", nt_errstr(result)));
1532 goto done;
1533 }
1534 }
1535
1536 process_result:
1537
1538 if (NT_STATUS_IS_OK(result)) {
1539
1540 DOM_SID user_sid;
1541
1542 /* In all codepaths where result == NT_STATUS_OK info3 must have
1543 been initialized. */
1544 if (!info3) {
1545 result = NT_STATUS_INTERNAL_ERROR;
1546 goto done;
1547 }
1548
1549 netsamlogon_cache_store(name_user, info3);
1550 wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
1551
1552 /* save name_to_sid info as early as possible (only if
1553 this is our primary domain so we don't invalidate
1554 the cache entry by storing the seq_num for the wrong
1555 domain). */
1556 if ( domain->primary ) {
1557 sid_compose(&user_sid, &info3->dom_sid.sid,
1558 info3->user_rid);
1559 cache_name2sid(domain, name_domain, name_user,
1560 SID_NAME_USER, &user_sid);
1561 }
1562
1563 /* Check if the user is in the right group */
1564
1565 if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, info3,
1566 state->request.data.auth.require_membership_of_sid))) {
1567 DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
1568 state->request.data.auth.user,
1569 state->request.data.auth.require_membership_of_sid));
1570 goto done;
1571 }
1572
1573 result = append_data(state, info3, name_domain, name_user);
1574 if (!NT_STATUS_IS_OK(result)) {
1575 goto done;
1576 }
1577
1578 if ((state->request.flags & WBFLAG_PAM_CACHED_LOGIN)) {
1579
1580 /* Store in-memory creds for single-signon using ntlm_auth. */
1581 result = winbindd_add_memory_creds(state->request.data.auth.user,
1582 get_uid_from_state(state),
1583 state->request.data.auth.pass);
1584
1585 if (!NT_STATUS_IS_OK(result)) {
1586 DEBUG(10,("Failed to store memory creds: %s\n", nt_errstr(result)));
1587 goto done;
1588 }
1589
1590 if (lp_winbind_offline_logon()) {
1591 result = winbindd_store_creds(domain,
1592 state->mem_ctx,
1593 state->request.data.auth.user,
1594 state->request.data.auth.pass,
1595 info3, NULL);
1596 if (!NT_STATUS_IS_OK(result)) {
1597
1598 /* Release refcount. */
1599 winbindd_delete_memory_creds(state->request.data.auth.user);
1600
1601 DEBUG(10,("Failed to store creds: %s\n", nt_errstr(result)));
1602 goto done;
1603 }
1604 }
1605 }
1606
1607 result = fillup_password_policy(domain, state);
1608
1609 if (!NT_STATUS_IS_OK(result)
1610 && !NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) )
1611 {
1612 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result)));
1613 goto done;
1614 }
1615
1616 result = NT_STATUS_OK;
1617 }
1618
1619 done:
1620 /* give us a more useful (more correct?) error code */
1621 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
1622 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
1623 result = NT_STATUS_NO_LOGON_SERVERS;
1624 }
1625
1626 state->response.data.auth.nt_status = NT_STATUS_V(result);
1627 fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
1628
1629 /* we might have given a more useful error above */
1630 if (!*state->response.data.auth.error_string)
1631 fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
1632 state->response.data.auth.pam_error = nt_status_to_pam(result);
1633
1634 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
1635 state->request.data.auth.user,
1636 state->response.data.auth.nt_status_string,
1637 state->response.data.auth.pam_error));
1638
1639 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1640 }
1641
1642
1643 /**********************************************************************
1644 Challenge Response Authentication Protocol
1645 **********************************************************************/
1646
1647 void winbindd_pam_auth_crap(struct winbindd_cli_state *state)
1648 {
1649 struct winbindd_domain *domain = NULL;
1650 const char *domain_name = NULL;
1651 NTSTATUS result;
1652
1653 if (!check_request_flags(state->request.flags)) {
1654 result = NT_STATUS_INVALID_PARAMETER_MIX;
1655 goto done;
1656 }
1657
1658 if (!state->privileged) {
1659 char *error_string = NULL;
1660 DEBUG(2, ("winbindd_pam_auth_crap: non-privileged access "
1661 "denied. !\n"));
1662 DEBUGADD(2, ("winbindd_pam_auth_crap: Ensure permissions "
1663 "on %s are set correctly.\n",
1664 get_winbind_priv_pipe_dir()));
1665 /* send a better message than ACCESS_DENIED */
1666 error_string = talloc_asprintf(state->mem_ctx,
1667 "winbind client not authorized "
1668 "to use winbindd_pam_auth_crap."
1669 " Ensure permissions on %s "
1670 "are set correctly.",
1671 get_winbind_priv_pipe_dir());
1672 fstrcpy(state->response.data.auth.error_string, error_string);
1673 result = NT_STATUS_ACCESS_DENIED;
1674 goto done;
1675 }
1676
1677 /* Ensure null termination */
1678 state->request.data.auth_crap.user
1679 [sizeof(state->request.data.auth_crap.user)-1]=0;
1680 state->request.data.auth_crap.domain
1681 [sizeof(state->request.data.auth_crap.domain)-1]=0;
1682
1683 DEBUG(3, ("[%5lu]: pam auth crap domain: [%s] user: %s\n",
1684 (unsigned long)state->pid,
1685 state->request.data.auth_crap.domain,
1686 state->request.data.auth_crap.user));
1687
1688 if (*state->request.data.auth_crap.domain != '\0') {
1689 domain_name = state->request.data.auth_crap.domain;
1690 } else if (lp_winbind_use_default_domain()) {
1691 domain_name = lp_workgroup();
1692 }
1693
1694 if (domain_name != NULL)
1695 domain = find_auth_domain(state, domain_name);
1696
1697 if (domain != NULL) {
1698 sendto_domain(state, domain);
1699 return;
1700 }
1701
1702 result = NT_STATUS_NO_SUCH_USER;
1703
1704 done:
1705 set_auth_errors(&state->response, result);
1706 DEBUG(5, ("CRAP authentication for %s\\%s returned %s (PAM: %d)\n",
1707 state->request.data.auth_crap.domain,
1708 state->request.data.auth_crap.user,
1709 state->response.data.auth.nt_status_string,
1710 state->response.data.auth.pam_error));
1711 request_error(state);
1712 return;
1713 }
1714
1715
1716 enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
1717 struct winbindd_cli_state *state)
1718 {
1719 NTSTATUS result;
1720 NET_USER_INFO_3 info3;
1721 struct rpc_pipe_client *netlogon_pipe;
1722 const char *name_user = NULL;
1723 const char *name_domain = NULL;
1724 const char *workstation;
1725 struct winbindd_domain *contact_domain;
1726 int attempts = 0;
1727 BOOL retry;
1728
1729 DATA_BLOB lm_resp, nt_resp;
1730
1731 /* This is child-only, so no check for privileged access is needed
1732 anymore */
1733
1734 /* Ensure null termination */
1735 state->request.data.auth_crap.user[sizeof(state->request.data.auth_crap.user)-1]=0;
1736 state->request.data.auth_crap.domain[sizeof(state->request.data.auth_crap.domain)-1]=0;
1737
1738 if (!check_request_flags(state->request.flags)) {
1739 result = NT_STATUS_INVALID_PARAMETER_MIX;
1740 goto done;
1741 }
1742
1743 name_user = state->request.data.auth_crap.user;
1744
1745 if (*state->request.data.auth_crap.domain) {
1746 name_domain = state->request.data.auth_crap.domain;
1747 } else if (lp_winbind_use_default_domain()) {
1748 name_domain = lp_workgroup();
1749 } else {
1750 DEBUG(5,("no domain specified with username (%s) - failing auth\n",
1751 name_user));
1752 result = NT_STATUS_NO_SUCH_USER;
1753 goto done;
1754 }
1755
1756 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
1757 name_domain, name_user));
1758
1759 if (*state->request.data.auth_crap.workstation) {
1760 workstation = state->request.data.auth_crap.workstation;
1761 } else {
1762 workstation = global_myname();
1763 }
1764
1765 if (state->request.data.auth_crap.lm_resp_len > sizeof(state->request.data.auth_crap.lm_resp)
1766 || state->request.data.auth_crap.nt_resp_len > sizeof(state->request.data.auth_crap.nt_resp)) {
1767 DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
1768 state->request.data.auth_crap.lm_resp_len,
1769 state->request.data.auth_crap.nt_resp_len));
1770 result = NT_STATUS_INVALID_PARAMETER;
1771 goto done;
1772 }
1773
1774 lm_resp = data_blob_talloc(state->mem_ctx, state->request.data.auth_crap.lm_resp,
1775 state->request.data.auth_crap.lm_resp_len);
1776 nt_resp = data_blob_talloc(state->mem_ctx, state->request.data.auth_crap.nt_resp,
1777 state->request.data.auth_crap.nt_resp_len);
1778
1779 /* what domain should we contact? */
1780
1781 if ( IS_DC ) {
1782 if (!(contact_domain = find_domain_from_name(name_domain))) {
1783 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1784 state->request.data.auth_crap.user, name_domain, name_user, name_domain));
1785 result = NT_STATUS_NO_SUCH_USER;
1786 goto done;
1787 }
1788 } else {
1789 if (is_myname(name_domain)) {
1790 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1791 result = NT_STATUS_NO_SUCH_USER;
1792 goto done;
1793 }
1794 contact_domain = find_our_domain();
1795 }
1796
1797 do {
1798 NTSTATUS (*logon_fn)(struct rpc_pipe_client
1799 *cli, TALLOC_CTX *mem_ctx,
1800 uint32 logon_parameters,
1801 const char *server,
1802 const char *username,
1803 const char *domain,
1804 const char *workstation,
1805 const uint8 chal[8],
1806 DATA_BLOB lm_response,
1807 DATA_BLOB nt_response,
1808 NET_USER_INFO_3 *info3);
1809
1810 ZERO_STRUCT(info3);
1811 retry = False;
1812
1813 netlogon_pipe = NULL;
1814 result = cm_connect_netlogon(contact_domain, &netlogon_pipe);
1815
1816 if (!NT_STATUS_IS_OK(result)) {
1817 DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n",
1818 nt_errstr(result)));
1819 goto done;
1820 }
1821
1822 logon_fn = contact_domain->can_do_samlogon_ex
1823 ? rpccli_netlogon_sam_network_logon_ex
1824 : rpccli_netlogon_sam_network_logon;
1825
1826 result = logon_fn(netlogon_pipe,
1827 state->mem_ctx,
1828 state->request.data.auth_crap.logon_parameters,
1829 contact_domain->dcname,
1830 name_user,
1831 name_domain,
1832 /* Bug #3248 - found by Stefan Burkei. */
1833 workstation, /* We carefully set this above so use it... */
1834 state->request.data.auth_crap.chal,
1835 lm_resp,
1836 nt_resp,
1837 &info3);
1838
1839 if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR)
1840 && contact_domain->can_do_samlogon_ex) {
1841 DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
1842 "retrying with NetSamLogon\n"));
1843 contact_domain->can_do_samlogon_ex = False;
1844 retry = True;
1845 continue;
1846 }
1847
1848 attempts += 1;
1849
1850 /* We have to try a second time as cm_connect_netlogon
1851 might not yet have noticed that the DC has killed
1852 our connection. */
1853
1854 if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) {
1855 retry = True;
1856 continue;
1857 }
1858
1859 /* if we get access denied, a possible cause was that we had and open
1860 connection to the DC, but someone changed our machine account password
1861 out from underneath us using 'net rpc changetrustpw' */
1862
1863 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1864 DEBUG(3,("winbindd_pam_auth: sam_logon returned "
1865 "ACCESS_DENIED. Maybe the trust account "
1866 "password was changed and we didn't know it. "
1867 "Killing connections to domain %s\n",
1868 name_domain));
1869 invalidate_cm_connection(&contact_domain->conn);
1870 retry = True;
1871 }
1872
1873 } while ( (attempts < 2) && retry );
1874
1875 if (NT_STATUS_IS_OK(result)) {
1876
1877 netsamlogon_cache_store(name_user, &info3);
1878 wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3);
1879
1880 /* Check if the user is in the right group */
1881
1882 if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, &info3,
1883 state->request.data.auth_crap.require_membership_of_sid))) {
1884 DEBUG(3, ("User %s is not in the required group (%s), so "
1885 "crap authentication is rejected\n",
1886 state->request.data.auth_crap.user,
1887 state->request.data.auth_crap.require_membership_of_sid));
1888 goto done;
1889 }
1890
1891 result = append_data(state, &info3, name_domain, name_user);
1892 if (!NT_STATUS_IS_OK(result)) {
1893 goto done;
1894 }
1895 }
1896
1897 done:
1898
1899 /* give us a more useful (more correct?) error code */
1900 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
1901 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
1902 result = NT_STATUS_NO_LOGON_SERVERS;
1903 }
1904
1905 if (state->request.flags & WBFLAG_PAM_NT_STATUS_SQUASH) {
1906 result = nt_status_squash(result);
1907 }
1908
1909 state->response.data.auth.nt_status = NT_STATUS_V(result);
1910 fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
1911
1912 /* we might have given a more useful error above */
1913 if (!*state->response.data.auth.error_string) {
1914 fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
1915 }
1916 state->response.data.auth.pam_error = nt_status_to_pam(result);
1917
1918 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
1919 ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n",
1920 name_domain,
1921 name_user,
1922 state->response.data.auth.nt_status_string,
1923 state->response.data.auth.pam_error));
1924
1925 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1926 }
1927
1928 /* Change a user password */
1929
1930 void winbindd_pam_chauthtok(struct winbindd_cli_state *state)
1931 {
1932 fstring domain, user;
1933 struct winbindd_domain *contact_domain;
1934
1935 DEBUG(3, ("[%5lu]: pam chauthtok %s\n", (unsigned long)state->pid,
1936 state->request.data.chauthtok.user));
1937
1938 /* Setup crap */
1939
1940 ws_name_return( state->request.data.auth.user, WB_REPLACE_CHAR );
1941
1942 if (!canonicalize_username(state->request.data.chauthtok.user, domain, user)) {
1943 set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
1944 DEBUG(5, ("winbindd_pam_chauthtok: canonicalize_username %s failed with %s"
1945 "(PAM: %d)\n",
1946 state->request.data.auth.user,
1947 state->response.data.auth.nt_status_string,
1948 state->response.data.auth.pam_error));
1949 request_error(state);
1950 return;
1951 }
1952
1953 contact_domain = find_domain_from_name(domain);
1954 if (!contact_domain) {
1955 set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
1956 DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
1957 state->request.data.chauthtok.user, domain, user, domain));
1958 request_error(state);
1959 return;
1960 }
1961
1962 sendto_domain(state, contact_domain);
1963 }
1964
1965 enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact_domain,
1966 struct winbindd_cli_state *state)
1967 {
1968 char *oldpass;
1969 char *newpass = NULL;
1970 POLICY_HND dom_pol;
1971 struct rpc_pipe_client *cli;
1972 BOOL got_info = False;
1973 SAM_UNK_INFO_1 info;
1974 SAMR_CHANGE_REJECT reject;
1975 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1976 fstring domain, user;
1977
1978 DEBUG(3, ("[%5lu]: dual pam chauthtok %s\n", (unsigned long)state->pid,
1979 state->request.data.auth.user));
1980
1981 if (!parse_domain_user(state->request.data.chauthtok.user, domain, user)) {
1982 goto done;
1983 }
1984
1985 /* Change password */
1986
1987 oldpass = state->request.data.chauthtok.oldpass;
1988 newpass = state->request.data.chauthtok.newpass;
1989
1990 /* Initialize reject reason */
1991 state->response.data.auth.reject_reason = Undefined;
1992
1993 /* Get sam handle */
1994
1995 result = cm_connect_sam(contact_domain, state->mem_ctx, &cli,
1996 &dom_pol);
1997 if (!NT_STATUS_IS_OK(result)) {
1998 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
1999 goto done;
2000 }
2001
2002 result = rpccli_samr_chgpasswd3(cli, state->mem_ctx, user, newpass, oldpass, &info, &reject);
2003
2004 /* Windows 2003 returns NT_STATUS_PASSWORD_RESTRICTION */
2005
2006 if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) ) {
2007 state->response.data.auth.policy.min_length_password =
2008 info.min_length_password;
2009 state->response.data.auth.policy.password_history =
2010 info.password_history;
2011 state->response.data.auth.policy.password_properties =
2012 info.password_properties;
2013 state->response.data.auth.policy.expire =
2014 nt_time_to_unix_abs(&info.expire);
2015 state->response.data.auth.policy.min_passwordage =
2016 nt_time_to_unix_abs(&info.min_passwordage);
2017
2018 state->response.data.auth.reject_reason =
2019 reject.reject_reason;
2020
2021 got_info = True;
2022 }
2023
2024 /* only fallback when the chgpasswd3 call is not supported */
2025 if ((NT_STATUS_EQUAL(result, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR))) ||
2026 (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) ||
2027 (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED))) {
2028
2029 DEBUG(10,("Password change with chgpasswd3 failed with: %s, retrying chgpasswd_user\n",
2030 nt_errstr(result)));
2031
2032 result = rpccli_samr_chgpasswd_user(cli, state->mem_ctx, user, newpass, oldpass);
2033
2034 /* Windows 2000 returns NT_STATUS_ACCOUNT_RESTRICTION.
2035 Map to the same status code as Windows 2003. */
2036
2037 if ( NT_STATUS_EQUAL(NT_STATUS_ACCOUNT_RESTRICTION, result ) ) {
2038 result = NT_STATUS_PASSWORD_RESTRICTION;
2039 }
2040 }
2041
2042 done:
2043
2044 if (NT_STATUS_IS_OK(result) && (state->request.flags & WBFLAG_PAM_CACHED_LOGIN)) {
2045
2046 /* Update the single sign-on memory creds. */
2047 result = winbindd_replace_memory_creds(state->request.data.chauthtok.user,
2048 newpass);
2049
2050 if (!NT_STATUS_IS_OK(result)) {
2051 DEBUG(10,("Failed to replace memory creds: %s\n", nt_errstr(result)));
2052 goto process_result;
2053 }
2054
2055 if (lp_winbind_offline_logon()) {
2056 result = winbindd_update_creds_by_name(contact_domain,
2057 state->mem_ctx, user,
2058 newpass);
2059 if (!NT_STATUS_IS_OK(result)) {
2060 DEBUG(10,("Failed to store creds: %s\n", nt_errstr(result)));
2061 goto process_result;
2062 }
2063 }
2064 }
2065
2066 if (!NT_STATUS_IS_OK(result) && !got_info && contact_domain) {
2067
2068 NTSTATUS policy_ret;
2069
2070 policy_ret = fillup_password_policy(contact_domain, state);
2071
2072 /* failure of this is non critical, it will just provide no
2073 * additional information to the client why the change has
2074 * failed - Guenther */
2075
2076 if (!NT_STATUS_IS_OK(policy_ret)) {
2077 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(policy_ret)));
2078 goto process_result;
2079 }
2080 }
2081
2082 process_result:
2083
2084 state->response.data.auth.nt_status = NT_STATUS_V(result);
2085 fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
2086 fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
2087 state->response.data.auth.pam_error = nt_status_to_pam(result);
2088
2089 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2090 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2091 domain,
2092 user,
2093 state->response.data.auth.nt_status_string,
2094 state->response.data.auth.pam_error));
2095
2096 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2097 }
2098
2099 void winbindd_pam_logoff(struct winbindd_cli_state *state)
2100 {
2101 struct winbindd_domain *domain;
2102 fstring name_domain, user;
2103 uid_t caller_uid = (uid_t)-1;
2104 uid_t request_uid = state->request.data.logoff.uid;
2105
2106 DEBUG(3, ("[%5lu]: pam logoff %s\n", (unsigned long)state->pid,
2107 state->request.data.logoff.user));
2108
2109 /* Ensure null termination */
2110 state->request.data.logoff.user
2111 [sizeof(state->request.data.logoff.user)-1]='\0';
2112
2113 state->request.data.logoff.krb5ccname
2114 [sizeof(state->request.data.logoff.krb5ccname)-1]='\0';
2115
2116 if (request_uid == (gid_t)-1) {
2117 goto failed;
2118 }
2119
2120 if (!canonicalize_username(state->request.data.logoff.user, name_domain, user)) {
2121 goto failed;
2122 }
2123
2124 if ((domain = find_auth_domain(state, name_domain)) == NULL) {
2125 goto failed;
2126 }
2127
2128 if ((sys_getpeereid(state->sock, &caller_uid)) != 0) {
2129 DEBUG(1,("winbindd_pam_logoff: failed to check peerid: %s\n",
2130 strerror(errno)));
2131 goto failed;
2132 }
2133
2134 switch (caller_uid) {
2135 case -1:
2136 goto failed;
2137 case 0:
2138 /* root must be able to logoff any user - gd */
2139 state->request.data.logoff.uid = request_uid;
2140 break;
2141 default:
2142 if (caller_uid != request_uid) {
2143 DEBUG(1,("winbindd_pam_logoff: caller requested invalid uid\n"));
2144 goto failed;
2145 }
2146 state->request.data.logoff.uid = caller_uid;
2147 break;
2148 }
2149
2150 sendto_domain(state, domain);
2151 return;
2152
2153 failed:
2154 set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
2155 DEBUG(5, ("Pam Logoff for %s returned %s "
2156 "(PAM: %d)\n",
2157 state->request.data.logoff.user,
2158 state->response.data.auth.nt_status_string,
2159 state->response.data.auth.pam_error));
2160 request_error(state);
2161 return;
2162 }
2163
2164 enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
2165 struct winbindd_cli_state *state)
2166 {
2167 NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
2168
2169 DEBUG(3, ("[%5lu]: pam dual logoff %s\n", (unsigned long)state->pid,
2170 state->request.data.logoff.user));
2171
2172 if (!(state->request.flags & WBFLAG_PAM_KRB5)) {
2173 result = NT_STATUS_OK;
2174 goto process_result;
2175 }
2176
2177 if (state->request.data.logoff.krb5ccname[0] == '\0') {
2178 result = NT_STATUS_OK;
2179 goto process_result;
2180 }
2181
2182 #ifdef HAVE_KRB5
2183
2184 if (state->request.data.logoff.uid < 0) {
2185 DEBUG(0,("winbindd_pam_logoff: invalid uid\n"));
2186 goto process_result;
2187 }
2188
2189 /* what we need here is to find the corresponding krb5 ccache name *we*
2190 * created for a given username and destroy it */
2191
2192 if (!ccache_entry_exists(state->request.data.logoff.user)) {
2193 result = NT_STATUS_OK;
2194 DEBUG(10,("winbindd_pam_logoff: no entry found.\n"));
2195 goto process_result;
2196 }
2197
2198 if (!ccache_entry_identical(state->request.data.logoff.user,
2199 state->request.data.logoff.uid,
2200 state->request.data.logoff.krb5ccname)) {
2201 DEBUG(0,("winbindd_pam_logoff: cached entry differs.\n"));
2202 goto process_result;
2203 }
2204
2205 result = remove_ccache(state->request.data.logoff.user);
2206 if (!NT_STATUS_IS_OK(result)) {
2207 DEBUG(0,("winbindd_pam_logoff: failed to remove ccache: %s\n",
2208 nt_errstr(result)));
2209 goto process_result;
2210 }
2211
2212 #else
2213 result = NT_STATUS_NOT_SUPPORTED;
2214 #endif
2215
2216 process_result:
2217
2218 winbindd_delete_memory_creds(state->request.data.logoff.user);
2219
2220 state->response.data.auth.nt_status = NT_STATUS_V(result);
2221 fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
2222 fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
2223 state->response.data.auth.pam_error = nt_status_to_pam(result);
2224
2225 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2226 }
2227
2228 /* Change user password with auth crap*/
2229
2230 void winbindd_pam_chng_pswd_auth_crap(struct winbindd_cli_state *state)
2231 {
2232 struct winbindd_domain *domain = NULL;
2233 const char *domain_name = NULL;
2234
2235 /* Ensure null termination */
2236 state->request.data.chng_pswd_auth_crap.user[
2237 sizeof(state->request.data.chng_pswd_auth_crap.user)-1]=0;
2238 state->request.data.chng_pswd_auth_crap.domain[
2239 sizeof(state->request.data.chng_pswd_auth_crap.domain)-1]=0;
2240
2241 DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
2242 (unsigned long)state->pid,
2243 state->request.data.chng_pswd_auth_crap.domain,
2244 state->request.data.chng_pswd_auth_crap.user));
2245
2246 if (*state->request.data.chng_pswd_auth_crap.domain != '\0') {
2247 domain_name = state->request.data.chng_pswd_auth_crap.domain;
2248 } else if (lp_winbind_use_default_domain()) {
2249 domain_name = lp_workgroup();
2250 }
2251
2252 if (domain_name != NULL)
2253 domain = find_domain_from_name(domain_name);
2254
2255 if (domain != NULL) {
2256 DEBUG(7, ("[%5lu]: pam auth crap changing pswd in domain: "
2257 "%s\n", (unsigned long)state->pid,domain->name));
2258 sendto_domain(state, domain);
2259 return;
2260 }
2261
2262 set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
2263 DEBUG(5, ("CRAP change password for %s\\%s returned %s (PAM: %d)\n",
2264 state->request.data.chng_pswd_auth_crap.domain,
2265 state->request.data.chng_pswd_auth_crap.user,
2266 state->response.data.auth.nt_status_string,
2267 state->response.data.auth.pam_error));
2268 request_error(state);
2269 return;
2270 }
2271
2272 enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domain *domainSt, struct winbindd_cli_state *state)
2273 {
2274 NTSTATUS result;
2275 DATA_BLOB new_nt_password;
2276 DATA_BLOB old_nt_hash_enc;
2277 DATA_BLOB new_lm_password;
2278 DATA_BLOB old_lm_hash_enc;
2279 fstring domain,user;
2280 POLICY_HND dom_pol;
2281 struct winbindd_domain *contact_domain = domainSt;
2282 struct rpc_pipe_client *cli;
2283
2284 /* Ensure null termination */
2285 state->request.data.chng_pswd_auth_crap.user[
2286 sizeof(state->request.data.chng_pswd_auth_crap.user)-1]=0;
2287 state->request.data.chng_pswd_auth_crap.domain[
2288 sizeof(state->request.data.chng_pswd_auth_crap.domain)-1]=0;
2289 *domain = 0;
2290 *user = 0;
2291
2292 DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
2293 (unsigned long)state->pid,
2294 state->request.data.chng_pswd_auth_crap.domain,
2295 state->request.data.chng_pswd_auth_crap.user));
2296
2297 if (lp_winbind_offline_logon()) {
2298 DEBUG(0,("Refusing password change as winbind offline logons are enabled. "));
2299 DEBUGADD(0,("Changing passwords here would risk inconsistent logons\n"));
2300 result = NT_STATUS_ACCESS_DENIED;
2301 goto done;
2302 }
2303
2304 if (*state->request.data.chng_pswd_auth_crap.domain) {
2305 fstrcpy(domain,state->request.data.chng_pswd_auth_crap.domain);
2306 } else {
2307 parse_domain_user(state->request.data.chng_pswd_auth_crap.user,
2308 domain, user);
2309
2310 if(!*domain) {
2311 DEBUG(3,("no domain specified with username (%s) - "
2312 "failing auth\n",
2313 state->request.data.chng_pswd_auth_crap.user));
2314 result = NT_STATUS_NO_SUCH_USER;
2315 goto done;
2316 }
2317 }
2318
2319 if (!*domain && lp_winbind_use_default_domain()) {
2320 fstrcpy(domain,(char *)lp_workgroup());
2321 }
2322
2323 if(!*user) {
2324 fstrcpy(user, state->request.data.chng_pswd_auth_crap.user);
2325 }
2326
2327 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n",
2328 (unsigned long)state->pid, domain, user));
2329
2330 /* Change password */
2331 new_nt_password = data_blob_talloc(
2332 state->mem_ctx,
2333 state->request.data.chng_pswd_auth_crap.new_nt_pswd,
2334 state->request.data.chng_pswd_auth_crap.new_nt_pswd_len);
2335
2336 old_nt_hash_enc = data_blob_talloc(
2337 state->mem_ctx,
2338 state->request.data.chng_pswd_auth_crap.old_nt_hash_enc,
2339 state->request.data.chng_pswd_auth_crap.old_nt_hash_enc_len);
2340
2341 if(state->request.data.chng_pswd_auth_crap.new_lm_pswd_len > 0) {
2342 new_lm_password = data_blob_talloc(
2343 state->mem_ctx,
2344 state->request.data.chng_pswd_auth_crap.new_lm_pswd,
2345 state->request.data.chng_pswd_auth_crap.new_lm_pswd_len);
2346
2347 old_lm_hash_enc = data_blob_talloc(
2348 state->mem_ctx,
2349 state->request.data.chng_pswd_auth_crap.old_lm_hash_enc,
2350 state->request.data.chng_pswd_auth_crap.old_lm_hash_enc_len);
2351 } else {
2352 new_lm_password.length = 0;
2353 old_lm_hash_enc.length = 0;
2354 }
2355
2356 /* Get sam handle */
2357
2358 result = cm_connect_sam(contact_domain, state->mem_ctx, &cli, &dom_pol);
2359 if (!NT_STATUS_IS_OK(result)) {
2360 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
2361 goto done;
2362 }
2363
2364 result = rpccli_samr_chng_pswd_auth_crap(
2365 cli, state->mem_ctx, user, new_nt_password, old_nt_hash_enc,
2366 new_lm_password, old_lm_hash_enc);
2367
2368 done:
2369 state->response.data.auth.nt_status = NT_STATUS_V(result);
2370 fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
2371 fstrcpy(state->response.data.auth.error_string,
2372 get_friendly_nt_error_msg(result));
2373 state->response.data.auth.pam_error = nt_status_to_pam(result);
2374
2375 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2376 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2377 domain, user,
2378 state->response.data.auth.nt_status_string,
2379 state->response.data.auth.pam_error));
2380
2381 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2382 }
Samba GIT mirror