2 Unix SMB/Netbios implementation.
4 Password and authentication handling
5 Copyright (C) Andrew Tridgell 1992-1998
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 extern int DEBUGLEVEL
;
25 extern struct in_addr ipzero
;
27 /* users from session setup */
28 static pstring session_users
="";
30 /* this holds info on user ids that are already validated for this VC */
31 static user_struct
*validated_users
;
32 static int next_vuid
= VUID_OFFSET
;
33 static int num_validated_vuids
;
35 /****************************************************************************
36 check if a uid has been validated, and return an pointer to the user_struct
37 if it has. NULL if not. vuid is biased by an offset. This allows us to
38 tell random client vuid's (normally zero) from valid vuids.
39 ****************************************************************************/
40 user_struct
*get_valid_user_struct(uint16 vuid
)
45 if (vuid
== UID_FIELD_INVALID
)
48 for (usp
=validated_users
;usp
;usp
=usp
->next
,count
++) {
49 if (vuid
== usp
->vuid
) {
51 DLIST_PROMOTE(validated_users
, usp
);
60 /****************************************************************************
62 ****************************************************************************/
63 void invalidate_vuid(uint16 vuid
)
65 user_struct
*vuser
= get_valid_user_struct(vuid
);
72 DLIST_REMOVE(validated_users
, vuser
);
74 SAFE_FREE(vuser
->groups
);
75 delete_nt_token(&vuser
->nt_user_token
);
77 num_validated_vuids
--;
80 /****************************************************************************
81 invalidate all vuid entries for this process
82 ****************************************************************************/
83 void invalidate_all_vuids(void)
85 user_struct
*usp
, *next
=NULL
;
87 for (usp
=validated_users
;usp
;usp
=next
) {
90 invalidate_vuid(usp
->vuid
);
94 /****************************************************************************
95 return a validated username
96 ****************************************************************************/
97 char *validated_username(uint16 vuid
)
99 user_struct
*vuser
= get_valid_user_struct(vuid
);
102 return(vuser
->user
.unix_name
);
105 /****************************************************************************
106 return a validated domain
107 ****************************************************************************/
108 char *validated_domain(uint16 vuid
)
110 user_struct
*vuser
= get_valid_user_struct(vuid
);
113 return(vuser
->user
.domain
);
117 /****************************************************************************
118 Create the SID list for this user.
119 ****************************************************************************/
121 NT_USER_TOKEN
*create_nt_token(uid_t uid
, gid_t gid
, int ngroups
, gid_t
*groups
, BOOL is_guest
)
123 extern DOM_SID global_sid_World
;
124 extern DOM_SID global_sid_Network
;
125 extern DOM_SID global_sid_Builtin_Guests
;
126 extern DOM_SID global_sid_Authenticated_Users
;
127 NT_USER_TOKEN
*token
;
133 if ((token
= (NT_USER_TOKEN
*)malloc( sizeof(NT_USER_TOKEN
) ) ) == NULL
)
138 /* We always have uid/gid plus World and Network and Authenticated Users or Guest SIDs. */
139 num_sids
= 5 + ngroups
;
141 if ((token
->user_sids
= (DOM_SID
*)malloc( num_sids
*sizeof(DOM_SID
))) == NULL
) {
146 psids
= token
->user_sids
;
149 * Note - user SID *MUST* be first in token !
150 * se_access_check depends on this.
153 uid_to_sid( &psids
[psid_ndx
++], uid
);
156 * Primary group SID is second in token. Convention.
159 gid_to_sid( &psids
[psid_ndx
++], gid
);
161 /* Now add the group SIDs. */
163 for (i
= 0; i
< ngroups
; i
++) {
164 if (groups
[i
] != gid
) {
165 gid_to_sid( &psids
[psid_ndx
++], groups
[i
]);
170 * Finally add the "standard" SIDs.
171 * The only difference between guest and "anonymous" (which we
172 * don't really support) is the addition of Authenticated_Users.
175 sid_copy( &psids
[psid_ndx
++], &global_sid_World
);
176 sid_copy( &psids
[psid_ndx
++], &global_sid_Network
);
179 sid_copy( &psids
[psid_ndx
++], &global_sid_Builtin_Guests
);
181 sid_copy( &psids
[psid_ndx
++], &global_sid_Authenticated_Users
);
183 token
->num_sids
= psid_ndx
;
185 /* Dump list of sids in token */
187 for (i
= 0; i
< token
->num_sids
; i
++) {
188 DEBUG(5, ("user token sid %s\n",
189 sid_to_string(sid_str
, &token
->user_sids
[i
])));
195 /****************************************************************************
196 register a uid/name pair as being valid and that a valid password
197 has been given. vuid is biased by an offset. This allows us to
198 tell random client vuid's (normally zero) from valid vuids.
199 ****************************************************************************/
201 int register_vuid(uid_t uid
,gid_t gid
, char *unix_name
, char *requested_name
,
202 char *domain
,BOOL guest
, char *full_name
)
204 user_struct
*vuser
= NULL
;
206 /* Ensure no vuid gets registered in share level security. */
207 if(lp_security() == SEC_SHARE
)
208 return UID_FIELD_INVALID
;
210 /* Limit allowed vuids to 16bits - VUID_OFFSET. */
211 if (num_validated_vuids
>= 0xFFFF-VUID_OFFSET
)
212 return UID_FIELD_INVALID
;
214 if((vuser
= (user_struct
*)malloc( sizeof(user_struct
) )) == NULL
) {
215 DEBUG(0,("Failed to malloc users struct!\n"));
216 return UID_FIELD_INVALID
;
221 DEBUG(10,("register_vuid: (%u,%u) %s %s %s guest=%d\n", (unsigned int)uid
, (unsigned int)gid
,
222 unix_name
, requested_name
, domain
, guest
));
224 /* Allocate a free vuid. Yes this is a linear search... :-) */
225 while( get_valid_user_struct(next_vuid
) != NULL
) {
227 /* Check for vuid wrap. */
228 if (next_vuid
== UID_FIELD_INVALID
)
229 next_vuid
= VUID_OFFSET
;
232 DEBUG(10,("register_vuid: allocated vuid = %u\n", (unsigned int)next_vuid
));
234 vuser
->vuid
= next_vuid
;
237 vuser
->guest
= guest
;
238 fstrcpy(vuser
->user
.unix_name
,unix_name
);
239 fstrcpy(vuser
->user
.smb_name
,requested_name
);
240 fstrcpy(vuser
->user
.domain
,domain
);
241 fstrcpy(vuser
->user
.full_name
, full_name
);
242 DEBUG(3, ("User name: %s\tReal name: %s\n",vuser
->user
.unix_name
,vuser
->user
.full_name
));
245 vuser
->groups
= NULL
;
247 /* Find all the groups this uid is in and store them.
248 Used by become_user() */
249 initialise_groups(unix_name
, uid
, gid
);
250 get_current_groups( &vuser
->n_groups
, &vuser
->groups
);
252 /* Create an NT_USER_TOKEN struct for this user. */
253 vuser
->nt_user_token
= create_nt_token(uid
,gid
, vuser
->n_groups
, vuser
->groups
, guest
);
255 DEBUG(3,("uid %d registered to name %s\n",(int)uid
,unix_name
));
258 num_validated_vuids
++;
260 DLIST_ADD(validated_users
, vuser
);
262 if (!session_claim(vuser
->vuid
)) {
263 DEBUG(1,("Failed to claim session for vuid=%d\n", vuser
->vuid
));
264 invalidate_vuid(vuser
->vuid
);
272 /****************************************************************************
273 add a name to the session users list
274 ****************************************************************************/
275 void add_session_user(char *user
)
278 StrnCpy(suser
,user
,sizeof(suser
)-1);
280 if (!Get_Pwnam(suser
,True
)) return;
282 if (suser
&& *suser
&& !in_list(suser
,session_users
,False
))
284 if (strlen(suser
) + strlen(session_users
) + 2 >= sizeof(pstring
))
285 DEBUG(1,("Too many session users??\n"));
288 pstrcat(session_users
," ");
289 pstrcat(session_users
,suser
);
295 /****************************************************************************
296 check if a username is valid
297 ****************************************************************************/
298 BOOL
user_ok(char *user
,int snum
)
300 char **valid
, **invalid
;
303 valid
= invalid
= NULL
;
306 if (lp_invalid_users(snum
)) {
307 lp_list_copy(&invalid
, lp_invalid_users(snum
));
308 if (invalid
&& lp_list_substitute(invalid
, "%S", lp_servicename(snum
))) {
309 ret
= !user_in_list(user
, invalid
);
312 if (invalid
) lp_list_free (&invalid
);
314 if (ret
&& lp_valid_users(snum
)) {
315 lp_list_copy(&valid
, lp_valid_users(snum
));
316 if (valid
&& lp_list_substitute(valid
, "%S", lp_servicename(snum
))) {
317 ret
= user_in_list(user
,valid
);
320 if (valid
) lp_list_free (&valid
);
322 if (ret
&& lp_onlyuser(snum
)) {
323 char **user_list
= lp_list_make (lp_username(snum
));
324 if (user_list
&& lp_list_substitute(user_list
, "%S", lp_servicename(snum
))) {
325 ret
= user_in_list(user
, user_list
);
327 if (user_list
) lp_list_free (&user_list
);
333 /****************************************************************************
334 validate a group username entry. Return the username or NULL
335 ****************************************************************************/
336 static char *validate_group(char *group
,char *password
,int pwlen
,int snum
)
340 char *host
, *user
, *domain
;
342 while (getnetgrent(&host
, &user
, &domain
)) {
344 if (user_ok(user
, snum
) &&
345 password_ok(user
,password
,pwlen
)) {
359 while ((gptr
= (struct group
*)getgrent())) {
360 if (strequal(gptr
->gr_name
,group
))
365 * As user_ok can recurse doing a getgrent(), we must
366 * copy the member list into a pstring on the stack before
367 * use. Bug pointed out by leon@eatworms.swmed.edu.
373 size_t copied_len
= 0;
377 member
= member_list
;
379 for(i
= 0; gptr
->gr_mem
&& gptr
->gr_mem
[i
]; i
++) {
380 size_t member_len
= strlen(gptr
->gr_mem
[i
]) + 1;
381 if( copied_len
+ member_len
< sizeof(pstring
)) {
383 DEBUG(10,("validate_group: = gr_mem = %s\n", gptr
->gr_mem
[i
]));
385 safe_strcpy(member
, gptr
->gr_mem
[i
], sizeof(pstring
) - copied_len
- 1);
386 copied_len
+= member_len
;
387 member
+= copied_len
;
395 member
= member_list
;
398 fstrcpy(name
,member
);
399 if (user_ok(name
,snum
) &&
400 password_ok(name
,password
,pwlen
)) {
405 DEBUG(10,("validate_group = member = %s\n", member
));
407 member
+= strlen(member
) + 1;
418 /****************************************************************************
419 Check for authority to login to a service with a given username/password.
420 Note this is *NOT* used when logging on using sessionsetup_and_X.
421 ****************************************************************************/
423 BOOL
authorise_login(int snum
,char *user
,char *password
, int pwlen
,
424 BOOL
*guest
,BOOL
*force
,uint16 vuid
)
427 user_struct
*vuser
= get_valid_user_struct(vuid
);
430 DEBUG(100,("authorise_login: checking authorisation on user=%s pass=%s\n",
436 if (GUEST_ONLY(snum
))
439 if (!GUEST_ONLY(snum
) && (lp_security() > SEC_SHARE
)) {
442 * We should just use the given vuid from a sessionsetup_and_X.
446 DEBUG(1,("authorise_login: refusing user %s with no session setup\n",
451 if (!vuser
->guest
&& user_ok(vuser
->user
.unix_name
,snum
)) {
452 fstrcpy(user
,vuser
->user
.unix_name
);
454 DEBUG(3,("authorise_login: ACCEPTED: validated uid ok as non-guest \
455 (user=%s)\n", user
));
460 /* there are several possibilities:
461 1) login as the given user with given password
462 2) login as a previously registered username with the given password
463 3) login as a session list username with the given password
464 4) login as a previously validated user/password pair
465 5) login as the "user =" user with given password
466 6) login as the "user =" user with no password (guest connection)
467 7) login as guest user with no password
469 if the service is guest_only then steps 1 to 5 are skipped
472 if (!(GUEST_ONLY(snum
) && GUEST_OK(snum
))) {
473 /* check for a previously registered guest username */
474 if (!ok
&& (vuser
!= 0) && vuser
->guest
) {
475 if (user_ok(vuser
->user
.unix_name
,snum
) &&
476 password_ok(vuser
->user
.unix_name
, password
, pwlen
)) {
477 fstrcpy(user
, vuser
->user
.unix_name
);
478 vuser
->guest
= False
;
479 DEBUG(3,("authorise_login: ACCEPTED: given password with registered user %s\n", user
));
484 /* now check the list of session users */
487 char *user_list
= strdup(session_users
);
491 for (auser
=strtok(user_list
,LIST_SEP
); !ok
&& auser
;
492 auser
= strtok(NULL
,LIST_SEP
)) {
494 fstrcpy(user2
,auser
);
495 if (!user_ok(user2
,snum
))
498 if (password_ok(user2
,password
, pwlen
)) {
501 DEBUG(3,("authorise_login: ACCEPTED: session list username (%s) \
502 and given password ok\n", user
));
506 SAFE_FREE(user_list
);
509 /* check for a previously validated username/password pair */
510 if (!ok
&& (lp_security() > SEC_SHARE
) && (vuser
!= 0) && !vuser
->guest
&&
511 user_ok(vuser
->user
.unix_name
,snum
)) {
512 fstrcpy(user
,vuser
->user
.unix_name
);
514 DEBUG(3,("authorise_login: ACCEPTED: validated uid (%s) as non-guest\n",
519 /* check the user= fields and the given password */
520 if (!ok
&& lp_username(snum
)) {
523 StrnCpy(user_list
,lp_username(snum
),sizeof(pstring
));
525 pstring_sub(user_list
,"%S",lp_servicename(snum
));
527 for (auser
=strtok(user_list
,LIST_SEP
); auser
&& !ok
;
528 auser
= strtok(NULL
,LIST_SEP
)) {
530 auser
= validate_group(auser
+1,password
,pwlen
,snum
);
534 DEBUG(3,("authorise_login: ACCEPTED: group username \
535 and given password ok (%s)\n", user
));
539 fstrcpy(user2
,auser
);
540 if (user_ok(user2
,snum
) && password_ok(user2
,password
,pwlen
)) {
543 DEBUG(3,("authorise_login: ACCEPTED: user list username \
544 and given password ok (%s)\n", user
));
549 } /* not guest only */
551 /* check for a normal guest connection */
552 if (!ok
&& GUEST_OK(snum
)) {
554 StrnCpy(guestname
,lp_guestaccount(snum
),sizeof(guestname
)-1);
555 if (Get_Pwnam(guestname
,True
)) {
556 fstrcpy(user
,guestname
);
558 DEBUG(3,("authorise_login: ACCEPTED: guest account and guest ok (%s)\n",
561 DEBUG(0,("authorise_login: Invalid guest account %s??\n",guestname
));
566 if (ok
&& !user_ok(user
,snum
)) {
567 DEBUG(0,("authorise_login: rejected invalid user %s\n",user
));