search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
VERSION: Disable GIT_SNAPSHOT for the Samba 4.17.0rc1 release.
[Samba.git] / nsswitch / libwbclient / wbc_pam.c
blobb4bb2678ad0d16aa97e0bcc8e8c6af6c9ff1c573
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind client API
5
6 Copyright (C) Gerald (Jerry) Carter 2007
7 Copyright (C) Guenther Deschner 2008
8 Copyright (C) Volker Lendecke 2009
9
10 This library is free software; you can redistribute it and/or
11 modify it under the terms of the GNU Lesser General Public
12 License as published by the Free Software Foundation; either
13 version 3 of the License, or (at your option) any later version.
14
15 This library is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 Library General Public License for more details.
19
20 You should have received a copy of the GNU Lesser General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 /* Required Headers */
25
26 #include "replace.h"
27 #include "libwbclient.h"
28 #include "../winbind_client.h"
29
30 /* Authenticate a username/password pair */
31 _PUBLIC_
32 wbcErr wbcCtxAuthenticateUser(struct wbcContext *ctx,
33 const char *username, const char *password)
34 {
35 wbcErr wbc_status = WBC_ERR_SUCCESS;
36 struct wbcAuthUserParams params;
37
38 ZERO_STRUCT(params);
39
40 params.account_name = username;
41 params.level = WBC_AUTH_USER_LEVEL_PLAIN;
42 params.password.plaintext = password;
43
44 wbc_status = wbcCtxAuthenticateUserEx(ctx, &params, NULL, NULL);
45 BAIL_ON_WBC_ERROR(wbc_status);
46
47 done:
48 return wbc_status;
49 }
50
51 _PUBLIC_
52 wbcErr wbcAuthenticateUser(const char *username, const char *password)
53 {
54 return wbcCtxAuthenticateUser(NULL, username, password);
55 }
56
57 static bool sid_attr_compose(struct wbcSidWithAttr *s,
58 const struct wbcDomainSid *d,
59 uint32_t rid, uint32_t attr)
60 {
61 if (d->num_auths >= WBC_MAXSUBAUTHS) {
62 return false;
63 }
64 s->sid = *d;
65 s->sid.sub_auths[s->sid.num_auths++] = rid;
66 s->attributes = attr;
67 return true;
68 }
69
70 static void wbcAuthUserInfoDestructor(void *ptr)
71 {
72 struct wbcAuthUserInfo *i = (struct wbcAuthUserInfo *)ptr;
73 free(i->account_name);
74 free(i->user_principal);
75 free(i->full_name);
76 free(i->domain_name);
77 free(i->dns_domain_name);
78 free(i->logon_server);
79 free(i->logon_script);
80 free(i->profile_path);
81 free(i->home_directory);
82 free(i->home_drive);
83 free(i->sids);
84 }
85
86 static wbcErr wbc_create_auth_info(const struct winbindd_response *resp,
87 struct wbcAuthUserInfo **_i)
88 {
89 wbcErr wbc_status = WBC_ERR_SUCCESS;
90 struct wbcAuthUserInfo *i;
91 struct wbcDomainSid domain_sid;
92 char *p;
93 uint32_t sn = 0;
94 uint32_t j;
95
96 i = (struct wbcAuthUserInfo *)wbcAllocateMemory(
97 1, sizeof(struct wbcAuthUserInfo),
98 wbcAuthUserInfoDestructor);
99 BAIL_ON_PTR_ERROR(i, wbc_status);
100
101 i->user_flags = resp->data.auth.info3.user_flgs;
102
103 i->account_name = strdup(resp->data.auth.info3.user_name);
104 BAIL_ON_PTR_ERROR(i->account_name, wbc_status);
105 if (resp->data.auth.validation_level == 6) {
106 i->user_principal = strdup(resp->data.auth.info6.principal_name);
107 BAIL_ON_PTR_ERROR(i->user_principal, wbc_status);
108 } else {
109 i->user_principal = NULL;
110 }
111 i->full_name = strdup(resp->data.auth.info3.full_name);
112 BAIL_ON_PTR_ERROR(i->full_name, wbc_status);
113 i->domain_name = strdup(resp->data.auth.info3.logon_dom);
114 BAIL_ON_PTR_ERROR(i->domain_name, wbc_status);
115 if (resp->data.auth.validation_level == 6) {
116 i->dns_domain_name = strdup(resp->data.auth.info6.dns_domainname);
117 BAIL_ON_PTR_ERROR(i->dns_domain_name, wbc_status);
118 } else {
119 i->dns_domain_name = NULL;
120 }
121
122 i->acct_flags = resp->data.auth.info3.acct_flags;
123 memcpy(i->user_session_key,
124 resp->data.auth.user_session_key,
125 sizeof(i->user_session_key));
126 memcpy(i->lm_session_key,
127 resp->data.auth.first_8_lm_hash,
128 sizeof(i->lm_session_key));
129
130 i->logon_count = resp->data.auth.info3.logon_count;
131 i->bad_password_count = resp->data.auth.info3.bad_pw_count;
132
133 i->logon_time = resp->data.auth.info3.logon_time;
134 i->logoff_time = resp->data.auth.info3.logoff_time;
135 i->kickoff_time = resp->data.auth.info3.kickoff_time;
136 i->pass_last_set_time = resp->data.auth.info3.pass_last_set_time;
137 i->pass_can_change_time = resp->data.auth.info3.pass_can_change_time;
138 i->pass_must_change_time= resp->data.auth.info3.pass_must_change_time;
139
140 i->logon_server = strdup(resp->data.auth.info3.logon_srv);
141 BAIL_ON_PTR_ERROR(i->logon_server, wbc_status);
142 i->logon_script = strdup(resp->data.auth.info3.logon_script);
143 BAIL_ON_PTR_ERROR(i->logon_script, wbc_status);
144 i->profile_path = strdup(resp->data.auth.info3.profile_path);
145 BAIL_ON_PTR_ERROR(i->profile_path, wbc_status);
146 i->home_directory= strdup(resp->data.auth.info3.home_dir);
147 BAIL_ON_PTR_ERROR(i->home_directory, wbc_status);
148 i->home_drive = strdup(resp->data.auth.info3.dir_drive);
149 BAIL_ON_PTR_ERROR(i->home_drive, wbc_status);
150
151 i->num_sids = 2;
152 i->num_sids += resp->data.auth.info3.num_groups;
153 i->num_sids += resp->data.auth.info3.num_other_sids;
154
155 i->sids = (struct wbcSidWithAttr *)calloc(
156 sizeof(struct wbcSidWithAttr), i->num_sids);
157 BAIL_ON_PTR_ERROR(i->sids, wbc_status);
158
159 wbc_status = wbcStringToSid(resp->data.auth.info3.dom_sid,
160 &domain_sid);
161 BAIL_ON_WBC_ERROR(wbc_status);
162
163 sn = 0;
164 if (!sid_attr_compose(&i->sids[sn], &domain_sid,
165 resp->data.auth.info3.user_rid, 0)) {
166 wbc_status = WBC_ERR_INVALID_SID;
167 goto done;
168 }
169 sn++;
170 if (!sid_attr_compose(&i->sids[sn], &domain_sid,
171 resp->data.auth.info3.group_rid, 0)) {
172 wbc_status = WBC_ERR_INVALID_SID;
173 goto done;
174 }
175 sn++;
176
177 p = (char *)resp->extra_data.data;
178 if (!p) {
179 wbc_status = WBC_ERR_INVALID_RESPONSE;
180 BAIL_ON_WBC_ERROR(wbc_status);
181 }
182
183 for (j=0; j < resp->data.auth.info3.num_groups; j++) {
184 uint32_t rid;
185 uint32_t attrs;
186 int ret;
187 char *s = p;
188 char *e = strchr(p, '\n');
189 if (!e) {
190 wbc_status = WBC_ERR_INVALID_RESPONSE;
191 BAIL_ON_WBC_ERROR(wbc_status);
192 }
193 e[0] = '\0';
194 p = &e[1];
195
196 ret = sscanf(s, "0x%08X:0x%08X", &rid, &attrs);
197 if (ret != 2) {
198 wbc_status = WBC_ERR_INVALID_RESPONSE;
199 BAIL_ON_WBC_ERROR(wbc_status);
200 }
201
202 if (!sid_attr_compose(&i->sids[sn], &domain_sid,
203 rid, attrs)) {
204 wbc_status = WBC_ERR_INVALID_SID;
205 goto done;
206 }
207 sn++;
208 }
209
210 for (j=0; j < resp->data.auth.info3.num_other_sids; j++) {
211 uint32_t attrs;
212 int ret;
213 char *s = p;
214 char *a;
215 char *e = strchr(p, '\n');
216 if (!e) {
217 wbc_status = WBC_ERR_INVALID_RESPONSE;
218 BAIL_ON_WBC_ERROR(wbc_status);
219 }
220 e[0] = '\0';
221 p = &e[1];
222
223 e = strchr(s, ':');
224 if (!e) {
225 wbc_status = WBC_ERR_INVALID_RESPONSE;
226 BAIL_ON_WBC_ERROR(wbc_status);
227 }
228 e[0] = '\0';
229 a = &e[1];
230
231 ret = sscanf(a, "0x%08X",
232 &attrs);
233 if (ret != 1) {
234 wbc_status = WBC_ERR_INVALID_RESPONSE;
235 BAIL_ON_WBC_ERROR(wbc_status);
236 }
237
238 wbc_status = wbcStringToSid(s, &i->sids[sn].sid);
239 BAIL_ON_WBC_ERROR(wbc_status);
240
241 i->sids[sn].attributes = attrs;
242 sn++;
243 }
244
245 i->num_sids = sn;
246
247 *_i = i;
248 i = NULL;
249 done:
250 wbcFreeMemory(i);
251 return wbc_status;
252 }
253
254 static void wbcAuthErrorInfoDestructor(void *ptr)
255 {
256 struct wbcAuthErrorInfo *e = (struct wbcAuthErrorInfo *)ptr;
257 free(e->nt_string);
258 free(e->display_string);
259 }
260
261 static wbcErr wbc_create_error_info(const struct winbindd_response *resp,
262 struct wbcAuthErrorInfo **_e)
263 {
264 wbcErr wbc_status = WBC_ERR_SUCCESS;
265 struct wbcAuthErrorInfo *e;
266
267 e = (struct wbcAuthErrorInfo *)wbcAllocateMemory(
268 1, sizeof(struct wbcAuthErrorInfo),
269 wbcAuthErrorInfoDestructor);
270 BAIL_ON_PTR_ERROR(e, wbc_status);
271
272 e->nt_status = resp->data.auth.nt_status;
273 e->pam_error = resp->data.auth.pam_error;
274 e->authoritative = resp->data.auth.authoritative;
275 e->nt_string = strdup(resp->data.auth.nt_status_string);
276 BAIL_ON_PTR_ERROR(e->nt_string, wbc_status);
277
278 e->display_string = strdup(resp->data.auth.error_string);
279 BAIL_ON_PTR_ERROR(e->display_string, wbc_status);
280
281 *_e = e;
282 e = NULL;
283
284 done:
285 wbcFreeMemory(e);
286 return wbc_status;
287 }
288
289 static wbcErr wbc_create_password_policy_info(const struct winbindd_response *resp,
290 struct wbcUserPasswordPolicyInfo **_i)
291 {
292 wbcErr wbc_status = WBC_ERR_SUCCESS;
293 struct wbcUserPasswordPolicyInfo *i;
294
295 i = (struct wbcUserPasswordPolicyInfo *)wbcAllocateMemory(
296 1, sizeof(struct wbcUserPasswordPolicyInfo), NULL);
297 BAIL_ON_PTR_ERROR(i, wbc_status);
298
299 i->min_passwordage = resp->data.auth.policy.min_passwordage;
300 i->min_length_password = resp->data.auth.policy.min_length_password;
301 i->password_history = resp->data.auth.policy.password_history;
302 i->password_properties = resp->data.auth.policy.password_properties;
303 i->expire = resp->data.auth.policy.expire;
304
305 *_i = i;
306 i = NULL;
307
308 done:
309 wbcFreeMemory(i);
310 return wbc_status;
311 }
312
313 static void wbcLogonUserInfoDestructor(void *ptr)
314 {
315 struct wbcLogonUserInfo *i = (struct wbcLogonUserInfo *)ptr;
316 wbcFreeMemory(i->info);
317 wbcFreeMemory(i->blobs);
318 }
319
320 static wbcErr wbc_create_logon_info(struct winbindd_response *resp,
321 struct wbcLogonUserInfo **_i)
322 {
323 wbcErr wbc_status = WBC_ERR_SUCCESS;
324 struct wbcLogonUserInfo *i;
325
326 i = (struct wbcLogonUserInfo *)wbcAllocateMemory(
327 1, sizeof(struct wbcLogonUserInfo),
328 wbcLogonUserInfoDestructor);
329 BAIL_ON_PTR_ERROR(i, wbc_status);
330
331 wbc_status = wbc_create_auth_info(resp, &i->info);
332 BAIL_ON_WBC_ERROR(wbc_status);
333
334 if (resp->data.auth.krb5ccname[0] != '\0') {
335 wbc_status = wbcAddNamedBlob(&i->num_blobs,
336 &i->blobs,
337 "krb5ccname",
338 0,
339 (uint8_t *)resp->data.auth.krb5ccname,
340 strlen(resp->data.auth.krb5ccname)+1);
341 BAIL_ON_WBC_ERROR(wbc_status);
342 }
343
344 if (resp->data.auth.unix_username[0] != '\0') {
345 wbc_status = wbcAddNamedBlob(&i->num_blobs,
346 &i->blobs,
347 "unix_username",
348 0,
349 (uint8_t *)resp->data.auth.unix_username,
350 strlen(resp->data.auth.unix_username)+1);
351 BAIL_ON_WBC_ERROR(wbc_status);
352 }
353
354 *_i = i;
355 i = NULL;
356 done:
357 wbcFreeMemory(i);
358 return wbc_status;
359 }
360
361
362 /* Authenticate with more detailed information */
363 _PUBLIC_
364 wbcErr wbcCtxAuthenticateUserEx(struct wbcContext *ctx,
365 const struct wbcAuthUserParams *params,
366 struct wbcAuthUserInfo **info,
367 struct wbcAuthErrorInfo **error)
368 {
369 wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
370 int cmd = 0;
371 struct winbindd_request request;
372 struct winbindd_response response;
373
374 ZERO_STRUCT(request);
375 ZERO_STRUCT(response);
376
377 if (error) {
378 *error = NULL;
379 }
380
381 if (!params) {
382 wbc_status = WBC_ERR_INVALID_PARAM;
383 BAIL_ON_WBC_ERROR(wbc_status);
384 }
385
386 if (params->level != WBC_AUTH_USER_LEVEL_PAC && !params->account_name) {
387 wbc_status = WBC_ERR_INVALID_PARAM;
388 BAIL_ON_WBC_ERROR(wbc_status);
389 }
390
391 /* Initialize request */
392
393 switch (params->level) {
394 case WBC_AUTH_USER_LEVEL_PLAIN:
395 cmd = WINBINDD_PAM_AUTH;
396 request.flags = WBFLAG_PAM_INFO3_TEXT |
397 WBFLAG_PAM_USER_SESSION_KEY |
398 WBFLAG_PAM_LMKEY;
399
400 if (!params->password.plaintext) {
401 wbc_status = WBC_ERR_INVALID_PARAM;
402 BAIL_ON_WBC_ERROR(wbc_status);
403 }
404
405 if (params->domain_name && params->domain_name[0]) {
406 /* We need to get the winbind separator :-( */
407 struct winbindd_response sep_response;
408
409 ZERO_STRUCT(sep_response);
410
411 wbc_status = wbcRequestResponse(ctx, WINBINDD_INFO,
412 NULL, &sep_response);
413 BAIL_ON_WBC_ERROR(wbc_status);
414
415 snprintf(request.data.auth.user,
416 sizeof(request.data.auth.user)-1,
417 "%s%c%s",
418 params->domain_name,
419 sep_response.data.info.winbind_separator,
420 params->account_name);
421 } else {
422 strncpy(request.data.auth.user,
423 params->account_name,
424 sizeof(request.data.auth.user)-1);
425 }
426
427 strncpy(request.data.auth.pass,
428 params->password.plaintext,
429 sizeof(request.data.auth.pass)-1);
430 break;
431
432 case WBC_AUTH_USER_LEVEL_HASH:
433 wbc_status = WBC_ERR_NOT_IMPLEMENTED;
434 BAIL_ON_WBC_ERROR(wbc_status);
435 break;
436
437 case WBC_AUTH_USER_LEVEL_RESPONSE:
438 cmd = WINBINDD_PAM_AUTH_CRAP;
439 request.flags = WBFLAG_PAM_INFO3_TEXT |
440 WBFLAG_PAM_USER_SESSION_KEY |
441 WBFLAG_PAM_LMKEY;
442
443 if (params->password.response.lm_length &&
444 !params->password.response.lm_data) {
445 wbc_status = WBC_ERR_INVALID_PARAM;
446 BAIL_ON_WBC_ERROR(wbc_status);
447 }
448 if (params->password.response.lm_length == 0 &&
449 params->password.response.lm_data) {
450 wbc_status = WBC_ERR_INVALID_PARAM;
451 BAIL_ON_WBC_ERROR(wbc_status);
452 }
453
454 if (params->password.response.nt_length &&
455 !params->password.response.nt_data) {
456 wbc_status = WBC_ERR_INVALID_PARAM;
457 BAIL_ON_WBC_ERROR(wbc_status);
458 }
459 if (params->password.response.nt_length == 0&&
460 params->password.response.nt_data) {
461 wbc_status = WBC_ERR_INVALID_PARAM;
462 BAIL_ON_WBC_ERROR(wbc_status);
463 }
464
465 strncpy(request.data.auth_crap.user,
466 params->account_name,
467 sizeof(request.data.auth_crap.user)-1);
468 if (params->domain_name) {
469 strncpy(request.data.auth_crap.domain,
470 params->domain_name,
471 sizeof(request.data.auth_crap.domain)-1);
472 }
473 if (params->workstation_name) {
474 strncpy(request.data.auth_crap.workstation,
475 params->workstation_name,
476 sizeof(request.data.auth_crap.workstation)-1);
477 }
478
479 request.data.auth_crap.logon_parameters =
480 params->parameter_control;
481
482 memcpy(request.data.auth_crap.chal,
483 params->password.response.challenge,
484 sizeof(request.data.auth_crap.chal));
485
486 request.data.auth_crap.lm_resp_len =
487 MIN(params->password.response.lm_length,
488 sizeof(request.data.auth_crap.lm_resp));
489 if (params->password.response.lm_data) {
490 memcpy(request.data.auth_crap.lm_resp,
491 params->password.response.lm_data,
492 request.data.auth_crap.lm_resp_len);
493 }
494 request.data.auth_crap.nt_resp_len = params->password.response.nt_length;
495 if (params->password.response.nt_length > sizeof(request.data.auth_crap.nt_resp)) {
496 request.flags |= WBFLAG_BIG_NTLMV2_BLOB;
497 request.extra_len = params->password.response.nt_length;
498 request.extra_data.data = (char *)malloc(
499 request.extra_len);
500 if (request.extra_data.data == NULL) {
501 wbc_status = WBC_ERR_NO_MEMORY;
502 BAIL_ON_WBC_ERROR(wbc_status);
503 }
504 memcpy(request.extra_data.data,
505 params->password.response.nt_data,
506 request.data.auth_crap.nt_resp_len);
507 } else if (params->password.response.nt_data) {
508 memcpy(request.data.auth_crap.nt_resp,
509 params->password.response.nt_data,
510 request.data.auth_crap.nt_resp_len);
511 }
512 break;
513
514 case WBC_AUTH_USER_LEVEL_PAC:
515 cmd = WINBINDD_PAM_AUTH_CRAP;
516 request.flags = WBFLAG_PAM_AUTH_PAC | WBFLAG_PAM_INFO3_TEXT;
517 request.extra_data.data = malloc(params->password.pac.length);
518 if (request.extra_data.data == NULL) {
519 wbc_status = WBC_ERR_NO_MEMORY;
520 BAIL_ON_WBC_ERROR(wbc_status);
521 }
522 memcpy(request.extra_data.data, params->password.pac.data,
523 params->password.pac.length);
524 request.extra_len = params->password.pac.length;
525 break;
526
527 default:
528 break;
529 }
530
531 if (cmd == 0) {
532 wbc_status = WBC_ERR_INVALID_PARAM;
533 BAIL_ON_WBC_ERROR(wbc_status);
534 }
535
536 if (params->flags) {
537 request.flags |= params->flags;
538 }
539
540 if (cmd == WINBINDD_PAM_AUTH_CRAP) {
541 wbc_status = wbcRequestResponsePriv(ctx, cmd,
542 &request, &response);
543 } else {
544 wbc_status = wbcRequestResponse(ctx, cmd,
545 &request, &response);
546 }
547 if (response.data.auth.nt_status != 0) {
548 if (error) {
549 wbc_status = wbc_create_error_info(&response,
550 error);
551 BAIL_ON_WBC_ERROR(wbc_status);
552 }
553
554 wbc_status = WBC_ERR_AUTH_ERROR;
555 BAIL_ON_WBC_ERROR(wbc_status);
556 }
557 BAIL_ON_WBC_ERROR(wbc_status);
558
559 if (info) {
560 wbc_status = wbc_create_auth_info(&response, info);
561 BAIL_ON_WBC_ERROR(wbc_status);
562 }
563
564 done:
565 winbindd_free_response(&response);
566
567 free(request.extra_data.data);
568
569 return wbc_status;
570 }
571
572 _PUBLIC_
573 wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params,
574 struct wbcAuthUserInfo **info,
575 struct wbcAuthErrorInfo **error)
576 {
577 return wbcCtxAuthenticateUserEx(NULL, params, info, error);
578 }
579
580 /* Trigger a verification of the trust credentials of a specific domain */
581 _PUBLIC_
582 wbcErr wbcCtxCheckTrustCredentials(struct wbcContext *ctx, const char *domain,
583 struct wbcAuthErrorInfo **error)
584 {
585 struct winbindd_request request;
586 struct winbindd_response response;
587 wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
588
589 ZERO_STRUCT(request);
590 ZERO_STRUCT(response);
591
592 if (domain) {
593 strncpy(request.domain_name, domain,
594 sizeof(request.domain_name)-1);
595 }
596
597 /* Send request */
598
599 wbc_status = wbcRequestResponsePriv(ctx, WINBINDD_CHECK_MACHACC,
600 &request, &response);
601 if (response.data.auth.nt_status != 0) {
602 if (error) {
603 wbc_status = wbc_create_error_info(&response,
604 error);
605 BAIL_ON_WBC_ERROR(wbc_status);
606 }
607
608 wbc_status = WBC_ERR_AUTH_ERROR;
609 BAIL_ON_WBC_ERROR(wbc_status);
610 }
611 BAIL_ON_WBC_ERROR(wbc_status);
612
613 done:
614 return wbc_status;
615 }
616
617 _PUBLIC_
618 wbcErr wbcCheckTrustCredentials(const char *domain,
619 struct wbcAuthErrorInfo **error)
620 {
621 return wbcCtxCheckTrustCredentials(NULL, domain, error);
622 }
623
624 /* Trigger a change of the trust credentials for a specific domain */
625 _PUBLIC_
626 wbcErr wbcCtxChangeTrustCredentials(struct wbcContext *ctx, const char *domain,
627 struct wbcAuthErrorInfo **error)
628 {
629 struct winbindd_request request;
630 struct winbindd_response response;
631 wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
632
633 ZERO_STRUCT(request);
634 ZERO_STRUCT(response);
635
636 if (domain) {
637 strncpy(request.domain_name, domain,
638 sizeof(request.domain_name)-1);
639 }
640
641 /* Send request */
642
643 wbc_status = wbcRequestResponsePriv(ctx, WINBINDD_CHANGE_MACHACC,
644 &request, &response);
645 if (response.data.auth.nt_status != 0) {
646 if (error) {
647 wbc_status = wbc_create_error_info(&response,
648 error);
649 BAIL_ON_WBC_ERROR(wbc_status);
650 }
651
652 wbc_status = WBC_ERR_AUTH_ERROR;
653 BAIL_ON_WBC_ERROR(wbc_status);
654 }
655 BAIL_ON_WBC_ERROR(wbc_status);
656
657 done:
658 return wbc_status;
659 }
660
661 _PUBLIC_
662 wbcErr wbcChangeTrustCredentials(const char *domain,
663 struct wbcAuthErrorInfo **error)
664 {
665 return wbcCtxChangeTrustCredentials(NULL, domain, error);
666 }
667
668 /*
669 * Trigger a no-op NETLOGON call. Lightweight version of
670 * wbcCheckTrustCredentials
671 */
672 _PUBLIC_
673 wbcErr wbcCtxPingDc(struct wbcContext *ctx, const char *domain,
674 struct wbcAuthErrorInfo **error)
675 {
676 return wbcCtxPingDc2(ctx, domain, error, NULL);
677 }
678
679 _PUBLIC_
680 wbcErr wbcPingDc(const char *domain, struct wbcAuthErrorInfo **error)
681 {
682 return wbcPingDc2(domain, error, NULL);
683 }
684
685 /*
686 * Trigger a no-op NETLOGON call. Lightweight version of
687 * wbcCheckTrustCredentials, optionally return attempted DC
688 */
689 _PUBLIC_
690 wbcErr wbcCtxPingDc2(struct wbcContext *ctx, const char *domain,
691 struct wbcAuthErrorInfo **error, char **dcname)
692 {
693 struct winbindd_request request;
694 struct winbindd_response response;
695 wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
696
697 ZERO_STRUCT(request);
698 ZERO_STRUCT(response);
699
700 if (domain) {
701 strncpy(request.domain_name, domain,
702 sizeof(request.domain_name)-1);
703 }
704
705 /* Send request */
706
707 wbc_status = wbcRequestResponse(ctx, WINBINDD_PING_DC,
708 &request,
709 &response);
710
711 if (dcname && response.extra_data.data) {
712 size_t len;
713
714 len = response.length - sizeof(struct winbindd_response);
715 *dcname = wbcAllocateMemory(1, len, NULL);
716 BAIL_ON_PTR_ERROR(*dcname, wbc_status);
717
718 strlcpy(*dcname, response.extra_data.data, len);
719 }
720
721 if (response.data.auth.nt_status != 0) {
722 if (error) {
723 wbc_status = wbc_create_error_info(&response,
724 error);
725 BAIL_ON_WBC_ERROR(wbc_status);
726 }
727
728 wbc_status = WBC_ERR_AUTH_ERROR;
729 BAIL_ON_WBC_ERROR(wbc_status);
730 }
731 BAIL_ON_WBC_ERROR(wbc_status);
732
733 done:
734 return wbc_status;
735 }
736
737 _PUBLIC_
738 wbcErr wbcPingDc2(const char *domain, struct wbcAuthErrorInfo **error,
739 char **dcname)
740 {
741 return wbcCtxPingDc2(NULL, domain, error, dcname);
742 }
743
744 /* Trigger an extended logoff notification to Winbind for a specific user */
745 _PUBLIC_
746 wbcErr wbcCtxLogoffUserEx(struct wbcContext *ctx,
747 const struct wbcLogoffUserParams *params,
748 struct wbcAuthErrorInfo **error)
749 {
750 struct winbindd_request request;
751 struct winbindd_response response;
752 wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
753 size_t i;
754
755 /* validate input */
756
757 if (!params || !params->username) {
758 wbc_status = WBC_ERR_INVALID_PARAM;
759 BAIL_ON_WBC_ERROR(wbc_status);
760 }
761
762 if ((params->num_blobs > 0) && (params->blobs == NULL)) {
763 wbc_status = WBC_ERR_INVALID_PARAM;
764 BAIL_ON_WBC_ERROR(wbc_status);
765 }
766 if ((params->num_blobs == 0) && (params->blobs != NULL)) {
767 wbc_status = WBC_ERR_INVALID_PARAM;
768 BAIL_ON_WBC_ERROR(wbc_status);
769 }
770
771 ZERO_STRUCT(request);
772 ZERO_STRUCT(response);
773
774 strncpy(request.data.logoff.user, params->username,
775 sizeof(request.data.logoff.user)-1);
776
777 for (i=0; i<params->num_blobs; i++) {
778
779 if (strcasecmp(params->blobs[i].name, "ccfilename") == 0) {
780 if (params->blobs[i].blob.data) {
781 strncpy(request.data.logoff.krb5ccname,
782 (const char *)params->blobs[i].blob.data,
783 sizeof(request.data.logoff.krb5ccname) - 1);
784 }
785 continue;
786 }
787
788 if (strcasecmp(params->blobs[i].name, "user_uid") == 0) {
789 if (params->blobs[i].blob.data) {
790 memcpy(&request.data.logoff.uid,
791 params->blobs[i].blob.data,
792 MIN(params->blobs[i].blob.length,
793 sizeof(request.data.logoff.uid)));
794 }
795 continue;
796 }
797
798 if (strcasecmp(params->blobs[i].name, "flags") == 0) {
799 if (params->blobs[i].blob.data) {
800 memcpy(&request.flags,
801 params->blobs[i].blob.data,
802 MIN(params->blobs[i].blob.length,
803 sizeof(request.flags)));
804 }
805 continue;
806 }
807 }
808
809 /* Send request */
810
811 wbc_status = wbcRequestResponse(ctx, WINBINDD_PAM_LOGOFF,
812 &request,
813 &response);
814
815 /* Take the response above and return it to the caller */
816 if (response.data.auth.nt_status != 0) {
817 if (error) {
818 wbc_status = wbc_create_error_info(&response,
819 error);
820 BAIL_ON_WBC_ERROR(wbc_status);
821 }
822
823 wbc_status = WBC_ERR_AUTH_ERROR;
824 BAIL_ON_WBC_ERROR(wbc_status);
825 }
826 BAIL_ON_WBC_ERROR(wbc_status);
827
828 done:
829 return wbc_status;
830 }
831
832 _PUBLIC_
833 wbcErr wbcLogoffUserEx(const struct wbcLogoffUserParams *params,
834 struct wbcAuthErrorInfo **error)
835 {
836 return wbcCtxLogoffUserEx(NULL, params, error);
837 }
838
839 /* Trigger a logoff notification to Winbind for a specific user */
840 _PUBLIC_
841 wbcErr wbcCtxLogoffUser(struct wbcContext *ctx,
842 const char *username, uid_t uid,
843 const char *ccfilename)
844 {
845 struct winbindd_request request;
846 struct winbindd_response response;
847 wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
848
849 /* validate input */
850
851 if (!username) {
852 wbc_status = WBC_ERR_INVALID_PARAM;
853 BAIL_ON_WBC_ERROR(wbc_status);
854 }
855
856 ZERO_STRUCT(request);
857 ZERO_STRUCT(response);
858
859 strncpy(request.data.logoff.user, username,
860 sizeof(request.data.logoff.user)-1);
861 request.data.logoff.uid = uid;
862
863 if (ccfilename) {
864 strncpy(request.data.logoff.krb5ccname, ccfilename,
865 sizeof(request.data.logoff.krb5ccname)-1);
866 }
867
868 /* Send request */
869
870 wbc_status = wbcRequestResponse(ctx, WINBINDD_PAM_LOGOFF,
871 &request,
872 &response);
873
874 /* Take the response above and return it to the caller */
875
876 done:
877 return wbc_status;
878 }
879
880 _PUBLIC_
881 wbcErr wbcLogoffUser(const char *username,
882 uid_t uid,
883 const char *ccfilename)
884 {
885 return wbcCtxLogoffUser(NULL, username, uid, ccfilename);
886 }
887
888 /* Change a password for a user with more detailed information upon failure */
889 _PUBLIC_
890 wbcErr wbcCtxChangeUserPasswordEx(struct wbcContext *ctx,
891 const struct wbcChangePasswordParams *params,
892 struct wbcAuthErrorInfo **error,
893 enum wbcPasswordChangeRejectReason *reject_reason,
894 struct wbcUserPasswordPolicyInfo **policy)
895 {
896 struct winbindd_request request;
897 struct winbindd_response response;
898 wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
899 int cmd = 0;
900
901 /* validate input */
902
903 if (!params->account_name) {
904 wbc_status = WBC_ERR_INVALID_PARAM;
905 goto done;
906 }
907
908 if (error) {
909 *error = NULL;
910 }
911
912 if (policy) {
913 *policy = NULL;
914 }
915
916 if (reject_reason) {
917 *reject_reason = -1;
918 }
919
920 ZERO_STRUCT(request);
921 ZERO_STRUCT(response);
922
923 switch (params->level) {
924 case WBC_CHANGE_PASSWORD_LEVEL_PLAIN:
925 cmd = WINBINDD_PAM_CHAUTHTOK;
926
927 if (!params->account_name) {
928 wbc_status = WBC_ERR_INVALID_PARAM;
929 goto done;
930 }
931
932 strncpy(request.data.chauthtok.user, params->account_name,
933 sizeof(request.data.chauthtok.user) - 1);
934
935 if (params->old_password.plaintext) {
936 strncpy(request.data.chauthtok.oldpass,
937 params->old_password.plaintext,
938 sizeof(request.data.chauthtok.oldpass) - 1);
939 }
940
941 if (params->new_password.plaintext) {
942 strncpy(request.data.chauthtok.newpass,
943 params->new_password.plaintext,
944 sizeof(request.data.chauthtok.newpass) - 1);
945 }
946 break;
947
948 case WBC_CHANGE_PASSWORD_LEVEL_RESPONSE:
949 cmd = WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP;
950
951 if (!params->account_name || !params->domain_name) {
952 wbc_status = WBC_ERR_INVALID_PARAM;
953 goto done;
954 }
955
956 if (params->old_password.response.old_lm_hash_enc_length &&
957 !params->old_password.response.old_lm_hash_enc_data) {
958 wbc_status = WBC_ERR_INVALID_PARAM;
959 goto done;
960 }
961
962 if (params->old_password.response.old_lm_hash_enc_length == 0 &&
963 params->old_password.response.old_lm_hash_enc_data) {
964 wbc_status = WBC_ERR_INVALID_PARAM;
965 goto done;
966 }
967
968 if (params->old_password.response.old_nt_hash_enc_length &&
969 !params->old_password.response.old_nt_hash_enc_data) {
970 wbc_status = WBC_ERR_INVALID_PARAM;
971 goto done;
972 }
973
974 if (params->old_password.response.old_nt_hash_enc_length == 0 &&
975 params->old_password.response.old_nt_hash_enc_data) {
976 wbc_status = WBC_ERR_INVALID_PARAM;
977 goto done;
978 }
979
980 if (params->new_password.response.lm_length &&
981 !params->new_password.response.lm_data) {
982 wbc_status = WBC_ERR_INVALID_PARAM;
983 goto done;
984 }
985
986 if (params->new_password.response.lm_length == 0 &&
987 params->new_password.response.lm_data) {
988 wbc_status = WBC_ERR_INVALID_PARAM;
989 goto done;
990 }
991
992 if (params->new_password.response.nt_length &&
993 !params->new_password.response.nt_data) {
994 wbc_status = WBC_ERR_INVALID_PARAM;
995 goto done;
996 }
997
998 if (params->new_password.response.nt_length == 0 &&
999 params->new_password.response.nt_data) {
1000 wbc_status = WBC_ERR_INVALID_PARAM;
1001 goto done;
1002 }
1003
1004 strncpy(request.data.chng_pswd_auth_crap.user,
1005 params->account_name,
1006 sizeof(request.data.chng_pswd_auth_crap.user) - 1);
1007
1008 strncpy(request.data.chng_pswd_auth_crap.domain,
1009 params->domain_name,
1010 sizeof(request.data.chng_pswd_auth_crap.domain) - 1);
1011
1012 if (params->new_password.response.nt_data) {
1013 request.data.chng_pswd_auth_crap.new_nt_pswd_len =
1014 params->new_password.response.nt_length;
1015 memcpy(request.data.chng_pswd_auth_crap.new_nt_pswd,
1016 params->new_password.response.nt_data,
1017 request.data.chng_pswd_auth_crap.new_nt_pswd_len);
1018 }
1019
1020 if (params->new_password.response.lm_data) {
1021 request.data.chng_pswd_auth_crap.new_lm_pswd_len =
1022 params->new_password.response.lm_length;
1023 memcpy(request.data.chng_pswd_auth_crap.new_lm_pswd,
1024 params->new_password.response.lm_data,
1025 request.data.chng_pswd_auth_crap.new_lm_pswd_len);
1026 }
1027
1028 if (params->old_password.response.old_nt_hash_enc_data) {
1029 request.data.chng_pswd_auth_crap.old_nt_hash_enc_len =
1030 params->old_password.response.old_nt_hash_enc_length;
1031 memcpy(request.data.chng_pswd_auth_crap.old_nt_hash_enc,
1032 params->old_password.response.old_nt_hash_enc_data,
1033 request.data.chng_pswd_auth_crap.old_nt_hash_enc_len);
1034 }
1035
1036 if (params->old_password.response.old_lm_hash_enc_data) {
1037 request.data.chng_pswd_auth_crap.old_lm_hash_enc_len =
1038 params->old_password.response.old_lm_hash_enc_length;
1039 memcpy(request.data.chng_pswd_auth_crap.old_lm_hash_enc,
1040 params->old_password.response.old_lm_hash_enc_data,
1041 request.data.chng_pswd_auth_crap.old_lm_hash_enc_len);
1042 }
1043
1044 break;
1045 default:
1046 wbc_status = WBC_ERR_INVALID_PARAM;
1047 goto done;
1048 break;
1049 }
1050
1051 /* Send request */
1052
1053 wbc_status = wbcRequestResponse(ctx, cmd,
1054 &request,
1055 &response);
1056 if (WBC_ERROR_IS_OK(wbc_status)) {
1057 goto done;
1058 }
1059
1060 /* Take the response above and return it to the caller */
1061
1062 if (response.data.auth.nt_status != 0) {
1063 if (error) {
1064 wbc_status = wbc_create_error_info(&response,
1065 error);
1066 BAIL_ON_WBC_ERROR(wbc_status);
1067 }
1068
1069 }
1070
1071 if (policy) {
1072 wbc_status = wbc_create_password_policy_info(&response,
1073 policy);
1074 BAIL_ON_WBC_ERROR(wbc_status);
1075 }
1076
1077 if (reject_reason) {
1078 *reject_reason = response.data.auth.reject_reason;
1079 }
1080
1081 wbc_status = WBC_ERR_PWD_CHANGE_FAILED;
1082 BAIL_ON_WBC_ERROR(wbc_status);
1083
1084 done:
1085 return wbc_status;
1086 }
1087
1088 _PUBLIC_
1089 wbcErr wbcChangeUserPasswordEx(const struct wbcChangePasswordParams *params,
1090 struct wbcAuthErrorInfo **error,
1091 enum wbcPasswordChangeRejectReason *reject_reason,
1092 struct wbcUserPasswordPolicyInfo **policy)
1093 {
1094 return wbcCtxChangeUserPasswordEx(NULL, params, error,
1095 reject_reason, policy);
1096 }
1097
1098 /* Change a password for a user */
1099 _PUBLIC_
1100 wbcErr wbcCtxChangeUserPassword(struct wbcContext *ctx,
1101 const char *username,
1102 const char *old_password,
1103 const char *new_password)
1104 {
1105 wbcErr wbc_status = WBC_ERR_SUCCESS;
1106 struct wbcChangePasswordParams params;
1107
1108 ZERO_STRUCT(params);
1109
1110 params.account_name = username;
1111 params.level = WBC_CHANGE_PASSWORD_LEVEL_PLAIN;
1112 params.old_password.plaintext = old_password;
1113 params.new_password.plaintext = new_password;
1114
1115 wbc_status = wbcCtxChangeUserPasswordEx(ctx, &params,
1116 NULL,
1117 NULL,
1118 NULL);
1119 BAIL_ON_WBC_ERROR(wbc_status);
1120
1121 done:
1122 return wbc_status;
1123 }
1124
1125 _PUBLIC_
1126 wbcErr wbcChangeUserPassword(const char *username,
1127 const char *old_password,
1128 const char *new_password)
1129 {
1130 return wbcCtxChangeUserPassword(NULL, username,
1131 old_password, new_password);
1132 }
1133
1134 /* Logon a User */
1135 _PUBLIC_
1136 wbcErr wbcCtxLogonUser(struct wbcContext *ctx,
1137 const struct wbcLogonUserParams *params,
1138 struct wbcLogonUserInfo **info,
1139 struct wbcAuthErrorInfo **error,
1140 struct wbcUserPasswordPolicyInfo **policy)
1141 {
1142 wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
1143 struct winbindd_request request;
1144 struct winbindd_response response;
1145 uint32_t i;
1146
1147 ZERO_STRUCT(request);
1148 ZERO_STRUCT(response);
1149
1150 if (info) {
1151 *info = NULL;
1152 }
1153 if (error) {
1154 *error = NULL;
1155 }
1156 if (policy) {
1157 *policy = NULL;
1158 }
1159
1160 if (!params) {
1161 wbc_status = WBC_ERR_INVALID_PARAM;
1162 BAIL_ON_WBC_ERROR(wbc_status);
1163 }
1164
1165 if (!params->username) {
1166 wbc_status = WBC_ERR_INVALID_PARAM;
1167 BAIL_ON_WBC_ERROR(wbc_status);
1168 }
1169
1170 if ((params->num_blobs > 0) && (params->blobs == NULL)) {
1171 wbc_status = WBC_ERR_INVALID_PARAM;
1172 BAIL_ON_WBC_ERROR(wbc_status);
1173 }
1174 if ((params->num_blobs == 0) && (params->blobs != NULL)) {
1175 wbc_status = WBC_ERR_INVALID_PARAM;
1176 BAIL_ON_WBC_ERROR(wbc_status);
1177 }
1178
1179 /* Initialize request */
1180
1181 request.flags = WBFLAG_PAM_INFO3_TEXT |
1182 WBFLAG_PAM_USER_SESSION_KEY |
1183 WBFLAG_PAM_LMKEY;
1184
1185 if (!params->password) {
1186 wbc_status = WBC_ERR_INVALID_PARAM;
1187 BAIL_ON_WBC_ERROR(wbc_status);
1188 }
1189
1190 strncpy(request.data.auth.user,
1191 params->username,
1192 sizeof(request.data.auth.user)-1);
1193
1194 strncpy(request.data.auth.pass,
1195 params->password,
1196 sizeof(request.data.auth.pass)-1);
1197
1198 for (i=0; i<params->num_blobs; i++) {
1199
1200 if (strcasecmp(params->blobs[i].name, "krb5_cc_type") == 0) {
1201 if (params->blobs[i].blob.data) {
1202 strncpy(request.data.auth.krb5_cc_type,
1203 (const char *)params->blobs[i].blob.data,
1204 sizeof(request.data.auth.krb5_cc_type) - 1);
1205 }
1206 continue;
1207 }
1208
1209 if (strcasecmp(params->blobs[i].name, "user_uid") == 0) {
1210 if (params->blobs[i].blob.data) {
1211 memcpy(&request.data.auth.uid,
1212 params->blobs[i].blob.data,
1213 MIN(sizeof(request.data.auth.uid),
1214 params->blobs[i].blob.length));
1215 }
1216 continue;
1217 }
1218
1219 if (strcasecmp(params->blobs[i].name, "flags") == 0) {
1220 if (params->blobs[i].blob.data) {
1221 uint32_t flags;
1222 memcpy(&flags,
1223 params->blobs[i].blob.data,
1224 MIN(sizeof(flags),
1225 params->blobs[i].blob.length));
1226 request.flags |= flags;
1227 }
1228 continue;
1229 }
1230
1231 if (strcasecmp(params->blobs[i].name, "membership_of") == 0) {
1232 if (params->blobs[i].blob.data &&
1233 params->blobs[i].blob.data[0] > 0) {
1234 strncpy(request.data.auth.require_membership_of_sid,
1235 (const char *)params->blobs[i].blob.data,
1236 sizeof(request.data.auth.require_membership_of_sid) - 1);
1237 }
1238 continue;
1239 }
1240 }
1241
1242 wbc_status = wbcRequestResponse(ctx, WINBINDD_PAM_AUTH,
1243 &request,
1244 &response);
1245
1246 if (response.data.auth.nt_status != 0) {
1247 if (error) {
1248 wbc_status = wbc_create_error_info(&response,
1249 error);
1250 BAIL_ON_WBC_ERROR(wbc_status);
1251 }
1252
1253 wbc_status = WBC_ERR_AUTH_ERROR;
1254 BAIL_ON_WBC_ERROR(wbc_status);
1255 }
1256 BAIL_ON_WBC_ERROR(wbc_status);
1257
1258 if (info) {
1259 wbc_status = wbc_create_logon_info(&response,
1260 info);
1261 BAIL_ON_WBC_ERROR(wbc_status);
1262 }
1263
1264 if (policy) {
1265 wbc_status = wbc_create_password_policy_info(&response,
1266 policy);
1267 BAIL_ON_WBC_ERROR(wbc_status);
1268 }
1269
1270 done:
1271 winbindd_free_response(&response);
1272
1273 return wbc_status;
1274 }
1275
1276 _PUBLIC_
1277 wbcErr wbcLogonUser(const struct wbcLogonUserParams *params,
1278 struct wbcLogonUserInfo **info,
1279 struct wbcAuthErrorInfo **error,
1280 struct wbcUserPasswordPolicyInfo **policy)
1281 {
1282 return wbcCtxLogonUser(NULL, params, info, error, policy);
1283 }
1284
1285 static void wbcCredentialCacheInfoDestructor(void *ptr)
1286 {
1287 struct wbcCredentialCacheInfo *i =
1288 (struct wbcCredentialCacheInfo *)ptr;
1289 wbcFreeMemory(i->blobs);
1290 }
1291
1292 /* Authenticate a user with cached credentials */
1293 _PUBLIC_
1294 wbcErr wbcCtxCredentialCache(struct wbcContext *ctx,
1295 struct wbcCredentialCacheParams *params,
1296 struct wbcCredentialCacheInfo **info,
1297 struct wbcAuthErrorInfo **error)
1298 {
1299 wbcErr status = WBC_ERR_UNKNOWN_FAILURE;
1300 struct wbcCredentialCacheInfo *result = NULL;
1301 struct winbindd_request request;
1302 struct winbindd_response response;
1303 struct wbcNamedBlob *initial_blob = NULL;
1304 struct wbcNamedBlob *challenge_blob = NULL;
1305 size_t i;
1306
1307 ZERO_STRUCT(request);
1308 ZERO_STRUCT(response);
1309
1310 *info = NULL;
1311
1312 if (error != NULL) {
1313 *error = NULL;
1314 }
1315 if ((params == NULL)
1316 || (params->account_name == NULL)
1317 || (params->level != WBC_CREDENTIAL_CACHE_LEVEL_NTLMSSP)) {
1318 status = WBC_ERR_INVALID_PARAM;
1319 goto fail;
1320 }
1321
1322 for (i=0; i<params->num_blobs; i++) {
1323 /*
1324 * Older callers may used to provide the NEGOTIATE request
1325 * as "initial_blob", but it was completely ignored by winbindd.
1326 *
1327 * So we keep ignoring it.
1328 *
1329 * A new callers that is capable to support "new_spnego",
1330 * will provide the NEGOTIATE request as "negotiate_blob"
1331 * instead.
1332 */
1333 if (strcasecmp(params->blobs[i].name, "negotiate_blob") == 0) {
1334 if (initial_blob != NULL) {
1335 status = WBC_ERR_INVALID_PARAM;
1336 goto fail;
1337 }
1338 initial_blob = &params->blobs[i];
1339 continue;
1340 }
1341 if (strcasecmp(params->blobs[i].name, "challenge_blob") == 0) {
1342 if (challenge_blob != NULL) {
1343 status = WBC_ERR_INVALID_PARAM;
1344 goto fail;
1345 }
1346 challenge_blob = &params->blobs[i];
1347 continue;
1348 }
1349 }
1350
1351 if (params->domain_name != NULL) {
1352 status = wbcRequestResponse(ctx, WINBINDD_INFO,
1353 NULL, &response);
1354 if (!WBC_ERROR_IS_OK(status)) {
1355 goto fail;
1356 }
1357 snprintf(request.data.ccache_ntlm_auth.user,
1358 sizeof(request.data.ccache_ntlm_auth.user)-1,
1359 "%s%c%s", params->domain_name,
1360 response.data.info.winbind_separator,
1361 params->account_name);
1362 } else {
1363 strncpy(request.data.ccache_ntlm_auth.user,
1364 params->account_name,
1365 sizeof(request.data.ccache_ntlm_auth.user)-1);
1366 }
1367 request.data.ccache_ntlm_auth.uid = getuid();
1368
1369 request.data.ccache_ntlm_auth.initial_blob_len = 0;
1370 request.data.ccache_ntlm_auth.challenge_blob_len = 0;
1371 request.extra_len = 0;
1372
1373 if (initial_blob != NULL) {
1374 request.data.ccache_ntlm_auth.initial_blob_len =
1375 initial_blob->blob.length;
1376 request.extra_len += initial_blob->blob.length;
1377 }
1378 if (challenge_blob != NULL) {
1379 request.data.ccache_ntlm_auth.challenge_blob_len =
1380 challenge_blob->blob.length;
1381 request.extra_len += challenge_blob->blob.length;
1382 }
1383
1384 if (request.extra_len != 0) {
1385 request.extra_data.data = (char *)malloc(request.extra_len);
1386 if (request.extra_data.data == NULL) {
1387 status = WBC_ERR_NO_MEMORY;
1388 goto fail;
1389 }
1390 }
1391 if (initial_blob != NULL) {
1392 memcpy(request.extra_data.data,
1393 initial_blob->blob.data, initial_blob->blob.length);
1394 }
1395 if (challenge_blob != NULL) {
1396 memcpy(request.extra_data.data
1397 + request.data.ccache_ntlm_auth.initial_blob_len,
1398 challenge_blob->blob.data,
1399 challenge_blob->blob.length);
1400 }
1401
1402 status = wbcRequestResponse(ctx, WINBINDD_CCACHE_NTLMAUTH,
1403 &request, &response);
1404 if (!WBC_ERROR_IS_OK(status)) {
1405 goto fail;
1406 }
1407
1408 result = (struct wbcCredentialCacheInfo *)wbcAllocateMemory(
1409 1, sizeof(struct wbcCredentialCacheInfo),
1410 wbcCredentialCacheInfoDestructor);
1411 if (result == NULL) {
1412 status = WBC_ERR_NO_MEMORY;
1413 goto fail;
1414 }
1415 result->num_blobs = 0;
1416 result->blobs = NULL;
1417 status = wbcAddNamedBlob(&result->num_blobs, &result->blobs,
1418 "auth_blob", 0,
1419 (uint8_t *)response.extra_data.data,
1420 response.data.ccache_ntlm_auth.auth_blob_len);
1421 if (!WBC_ERROR_IS_OK(status)) {
1422 goto fail;
1423 }
1424 status = wbcAddNamedBlob(
1425 &result->num_blobs, &result->blobs, "session_key", 0,
1426 response.data.ccache_ntlm_auth.session_key,
1427 sizeof(response.data.ccache_ntlm_auth.session_key));
1428 if (!WBC_ERROR_IS_OK(status)) {
1429 goto fail;
1430 }
1431 if (response.data.ccache_ntlm_auth.new_spnego) {
1432 status = wbcAddNamedBlob(
1433 &result->num_blobs, &result->blobs, "new_spnego", 0,
1434 &response.data.ccache_ntlm_auth.new_spnego,
1435 sizeof(response.data.ccache_ntlm_auth.new_spnego));
1436 if (!WBC_ERROR_IS_OK(status)) {
1437 goto fail;
1438 }
1439 }
1440
1441 *info = result;
1442 result = NULL;
1443 status = WBC_ERR_SUCCESS;
1444 fail:
1445 free(request.extra_data.data);
1446 winbindd_free_response(&response);
1447 wbcFreeMemory(result);
1448 return status;
1449 }
1450
1451 _PUBLIC_
1452 wbcErr wbcCredentialCache(struct wbcCredentialCacheParams *params,
1453 struct wbcCredentialCacheInfo **info,
1454 struct wbcAuthErrorInfo **error)
1455 {
1456 return wbcCtxCredentialCache(NULL, params, info, error);
1457 }
1458
1459 /* Authenticate a user with cached credentials */
1460 _PUBLIC_
1461 wbcErr wbcCtxCredentialSave(struct wbcContext *ctx,
1462 const char *user, const char *password)
1463 {
1464 struct winbindd_request request;
1465 struct winbindd_response response;
1466
1467 ZERO_STRUCT(request);
1468 ZERO_STRUCT(response);
1469
1470 strncpy(request.data.ccache_save.user, user,
1471 sizeof(request.data.ccache_save.user)-1);
1472 strncpy(request.data.ccache_save.pass, password,
1473 sizeof(request.data.ccache_save.pass)-1);
1474 request.data.ccache_save.uid = getuid();
1475
1476 return wbcRequestResponse(ctx, WINBINDD_CCACHE_SAVE, &request, &response);
1477 }
1478
1479 _PUBLIC_
1480 wbcErr wbcCredentialSave(const char *user, const char *password)
1481 {
1482 return wbcCtxCredentialSave(NULL, user, password);
1483 }
Samba GIT mirror