search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdbd_conn: Add deregister_from_ctdbd()
[Samba.git] / source3 / auth / auth_sam.c
bloba2ce1013975014c8abbc518e18e86825b780c17d
1 /*
2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Andrew Tridgell 1992-2000
5 Copyright (C) Luke Kenneth Casson Leighton 1996-2000
6 Copyright (C) Andrew Bartlett 2001-2003
7 Copyright (C) Gerald Carter 2003
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "auth.h"
25 #include "passdb.h"
26
27 #undef DBGC_CLASS
28 #define DBGC_CLASS DBGC_AUTH
29
30 static NTSTATUS auth_sam_ignoredomain_auth(const struct auth_context *auth_context,
31 void *my_private_data,
32 TALLOC_CTX *mem_ctx,
33 const struct auth_usersupplied_info *user_info,
34 struct auth_serversupplied_info **server_info)
35 {
36 if (!user_info || !auth_context) {
37 return NT_STATUS_UNSUCCESSFUL;
38 }
39
40 if (user_info->mapped.account_name == NULL ||
41 user_info->mapped.account_name[0] == '\0')
42 {
43 return NT_STATUS_NOT_IMPLEMENTED;
44 }
45
46 DBG_DEBUG("Check auth for: [%s]\\[%s]\n",
47 user_info->mapped.domain_name,
48 user_info->mapped.account_name);
49
50 return check_sam_security(&auth_context->challenge, mem_ctx,
51 user_info, server_info);
52 }
53
54 /* module initialisation */
55 static NTSTATUS auth_init_sam_ignoredomain(
56 struct auth_context *auth_context,
57 const char *param,
58 struct auth_methods **auth_method)
59 {
60 struct auth_methods *result;
61
62 result = talloc_zero(auth_context, struct auth_methods);
63 if (result == NULL) {
64 return NT_STATUS_NO_MEMORY;
65 }
66 result->auth = auth_sam_ignoredomain_auth;
67 result->name = "sam_ignoredomain";
68
69 *auth_method = result;
70 return NT_STATUS_OK;
71 }
72
73
74 /****************************************************************************
75 Check SAM security (above) but with a few extra checks.
76 ****************************************************************************/
77
78 static NTSTATUS auth_samstrict_auth(const struct auth_context *auth_context,
79 void *my_private_data,
80 TALLOC_CTX *mem_ctx,
81 const struct auth_usersupplied_info *user_info,
82 struct auth_serversupplied_info **server_info)
83 {
84 const char *effective_domain = NULL;
85 bool is_local_name, is_my_domain;
86
87 if (!user_info || !auth_context) {
88 return NT_STATUS_LOGON_FAILURE;
89 }
90 effective_domain = user_info->mapped.domain_name;
91
92 if (user_info->mapped.account_name == NULL ||
93 user_info->mapped.account_name[0] == '\0')
94 {
95 return NT_STATUS_NOT_IMPLEMENTED;
96 }
97
98 if (lp_server_role() == ROLE_DOMAIN_MEMBER) {
99 const char *p = NULL;
100
101 p = strchr_m(user_info->mapped.account_name, '@');
102 if (p != NULL) {
103 /*
104 * This needs to go to the DC,
105 * even if @ is the last character
106 */
107 return NT_STATUS_NOT_IMPLEMENTED;
108 }
109 }
110
111 if (effective_domain == NULL) {
112 effective_domain = "";
113 }
114
115 DBG_DEBUG("Check auth for: [%s]\\[%s]\n",
116 effective_domain,
117 user_info->mapped.account_name);
118
119
120 if (strequal(effective_domain, "") || strequal(effective_domain, ".")) {
121 /*
122 * An empty domain name or '.' should be handled
123 * as the local SAM name.
124 */
125 effective_domain = lp_netbios_name();
126 }
127
128 is_local_name = is_myname(effective_domain);
129 is_my_domain = strequal(effective_domain, lp_workgroup());
130
131 /* check whether or not we service this domain/workgroup name */
132
133 switch ( lp_server_role() ) {
134 case ROLE_STANDALONE:
135 case ROLE_DOMAIN_MEMBER:
136 if ( !is_local_name ) {
137 DEBUG(6,("check_samstrict_security: %s is not one of my local names (%s)\n",
138 effective_domain, (lp_server_role() == ROLE_DOMAIN_MEMBER
139 ? "ROLE_DOMAIN_MEMBER" : "ROLE_STANDALONE") ));
140 return NT_STATUS_NOT_IMPLEMENTED;
141 }
142
143 break;
144 case ROLE_DOMAIN_PDC:
145 case ROLE_DOMAIN_BDC:
146 case ROLE_IPA_DC:
147 if (!is_local_name && !is_my_domain) {
148 /* If we are running on a DC that has PASSDB module with domain
149 * information, check if DNS forest name is matching the domain
150 * name. This is the case of IPA domain controller when
151 * trusted AD DCs attempt to authenticate IPA users using
152 * the forest root domain (which is the only domain in IPA).
153 */
154 struct pdb_domain_info *dom_info = NULL;
155
156 dom_info = pdb_get_domain_info(mem_ctx);
157 if ((dom_info != NULL) && (dom_info->dns_forest != NULL)) {
158 is_my_domain = strequal(user_info->mapped.domain_name,
159 dom_info->dns_forest);
160 }
161
162 TALLOC_FREE(dom_info);
163 if (!is_my_domain) {
164 DEBUG(6,("check_samstrict_security: %s is not one "
165 "of my local names or domain name (DC)\n",
166 effective_domain));
167 return NT_STATUS_NOT_IMPLEMENTED;
168 }
169 }
170
171 break;
172 default: /* name is ok */
173 break;
174 }
175
176 return check_sam_security(&auth_context->challenge, mem_ctx,
177 user_info, server_info);
178 }
179
180 /* module initialisation */
181 static NTSTATUS auth_init_sam(
182 struct auth_context *auth_context,
183 const char *param,
184 struct auth_methods **auth_method)
185 {
186 struct auth_methods *result;
187
188 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC
189 && !lp_parm_bool(-1, "server role check", "inhibit", false)) {
190 DEBUG(0, ("server role = 'active directory domain controller' not compatible with running the auth_sam module. \n"));
191 DEBUGADD(0, ("You should not set 'auth methods' when running the AD DC.\n"));
192 exit(1);
193 }
194
195 result = talloc_zero(auth_context, struct auth_methods);
196 if (result == NULL) {
197 return NT_STATUS_NO_MEMORY;
198 }
199 result->auth = auth_samstrict_auth;
200 result->name = "sam";
201 *auth_method = result;
202 return NT_STATUS_OK;
203 }
204
205 static NTSTATUS auth_sam_netlogon3_auth(const struct auth_context *auth_context,
206 void *my_private_data,
207 TALLOC_CTX *mem_ctx,
208 const struct auth_usersupplied_info *user_info,
209 struct auth_serversupplied_info **server_info)
210 {
211 const char *effective_domain = NULL;
212 bool is_my_domain;
213
214 if (!user_info || !auth_context) {
215 return NT_STATUS_LOGON_FAILURE;
216 }
217 effective_domain = user_info->mapped.domain_name;
218
219 if (user_info->mapped.account_name == NULL ||
220 user_info->mapped.account_name[0] == '\0')
221 {
222 return NT_STATUS_NOT_IMPLEMENTED;
223 }
224
225 if (effective_domain == NULL) {
226 effective_domain = "";
227 }
228
229 DBG_DEBUG("Check auth for: [%s]\\[%s]\n",
230 effective_domain,
231 user_info->mapped.account_name);
232
233 /* check whether or not we service this domain/workgroup name */
234
235 switch (lp_server_role()) {
236 case ROLE_DOMAIN_PDC:
237 case ROLE_DOMAIN_BDC:
238 case ROLE_IPA_DC:
239 break;
240 default:
241 DBG_ERR("Invalid server role\n");
242 return NT_STATUS_INVALID_SERVER_STATE;
243 }
244
245 if (strequal(effective_domain, "") || strequal(effective_domain, ".")) {
246 /*
247 * An empty domain name or '.' should be handled
248 * as the local SAM name.
249 */
250 effective_domain = lp_workgroup();
251 }
252
253 is_my_domain = strequal(user_info->mapped.domain_name, lp_workgroup());
254 if (!is_my_domain) {
255 /* If we are running on a DC that has PASSDB module with domain
256 * information, check if DNS forest name is matching the domain
257 * name. This is the case of IPA domain controller when
258 * trusted AD DCs attempt to authenticate IPA users using
259 * the forest root domain (which is the only domain in IPA).
260 */
261 struct pdb_domain_info *dom_info = NULL;
262 dom_info = pdb_get_domain_info(mem_ctx);
263
264 if ((dom_info != NULL) && (dom_info->dns_forest != NULL)) {
265 is_my_domain = strequal(user_info->mapped.domain_name,
266 dom_info->dns_forest);
267 }
268
269 TALLOC_FREE(dom_info);
270 }
271
272 if (!is_my_domain) {
273 DBG_INFO("%s is not our domain name (DC for %s)\n",
274 effective_domain, lp_workgroup());
275 return NT_STATUS_NOT_IMPLEMENTED;
276 }
277
278 return check_sam_security(&auth_context->challenge, mem_ctx,
279 user_info, server_info);
280 }
281
282 /* module initialisation */
283 static NTSTATUS auth_init_sam_netlogon3(
284 struct auth_context *auth_context,
285 const char *param,
286 struct auth_methods **auth_method)
287 {
288 struct auth_methods *result;
289
290 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC
291 && !lp_parm_bool(-1, "server role check", "inhibit", false)) {
292 DEBUG(0, ("server role = 'active directory domain controller' "
293 "not compatible with running the auth_sam module.\n"));
294 DEBUGADD(0, ("You should not set 'auth methods' when "
295 "running the AD DC.\n"));
296 exit(1);
297 }
298
299 result = talloc_zero(auth_context, struct auth_methods);
300 if (result == NULL) {
301 return NT_STATUS_NO_MEMORY;
302 }
303 result->auth = auth_sam_netlogon3_auth;
304 result->name = "sam_netlogon3";
305 *auth_method = result;
306 return NT_STATUS_OK;
307 }
308
309 NTSTATUS auth_sam_init(TALLOC_CTX *mem_ctx)
310 {
311 smb_register_auth(AUTH_INTERFACE_VERSION, "sam", auth_init_sam);
312 smb_register_auth(AUTH_INTERFACE_VERSION, "sam_ignoredomain", auth_init_sam_ignoredomain);
313 smb_register_auth(AUTH_INTERFACE_VERSION, "sam_netlogon3", auth_init_sam_netlogon3);
314 return NT_STATUS_OK;
315 }
Samba GIT mirror