search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r12018: more 3.0.21 changes. This is a full sync except for changes to rpc-server...
[Samba.git] / source / auth / auth_util.c
blob61cb7f31cc759e934a86fc52ed2db92f5937fe4d
1 /*
2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 */
23
24 #include "includes.h"
25
26 #undef DBGC_CLASS
27 #define DBGC_CLASS DBGC_AUTH
28
29
30 /****************************************************************************
31 Create a UNIX user on demand.
32 ****************************************************************************/
33
34 static int smb_create_user(const char *domain, const char *unix_username, const char *homedir)
35 {
36 pstring add_script;
37 int ret;
38
39 pstrcpy(add_script, lp_adduser_script());
40 if (! *add_script)
41 return -1;
42 all_string_sub(add_script, "%u", unix_username, sizeof(pstring));
43 if (domain)
44 all_string_sub(add_script, "%D", domain, sizeof(pstring));
45 if (homedir)
46 all_string_sub(add_script, "%H", homedir, sizeof(pstring));
47 ret = smbrun(add_script,NULL);
48 flush_pwnam_cache();
49 DEBUG(ret ? 0 : 3,("smb_create_user: Running the command `%s' gave %d\n",add_script,ret));
50 return ret;
51 }
52
53 /****************************************************************************
54 Create an auth_usersupplied_data structure
55 ****************************************************************************/
56
57 static NTSTATUS make_user_info(auth_usersupplied_info **user_info,
58 const char *smb_name,
59 const char *internal_username,
60 const char *client_domain,
61 const char *domain,
62 const char *wksta_name,
63 DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd,
64 DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd,
65 DATA_BLOB *plaintext,
66 BOOL encrypted)
67 {
68
69 DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name));
70
71 *user_info = SMB_MALLOC_P(auth_usersupplied_info);
72 if (!user_info) {
73 DEBUG(0,("malloc failed for user_info (size %lu)\n", (unsigned long)sizeof(*user_info)));
74 return NT_STATUS_NO_MEMORY;
75 }
76
77 ZERO_STRUCTP(*user_info);
78
79 DEBUG(5,("making strings for %s's user_info struct\n", internal_username));
80
81 (*user_info)->smb_name.str = SMB_STRDUP(smb_name);
82 if ((*user_info)->smb_name.str) {
83 (*user_info)->smb_name.len = strlen(smb_name);
84 } else {
85 free_user_info(user_info);
86 return NT_STATUS_NO_MEMORY;
87 }
88
89 (*user_info)->internal_username.str = SMB_STRDUP(internal_username);
90 if ((*user_info)->internal_username.str) {
91 (*user_info)->internal_username.len = strlen(internal_username);
92 } else {
93 free_user_info(user_info);
94 return NT_STATUS_NO_MEMORY;
95 }
96
97 (*user_info)->domain.str = SMB_STRDUP(domain);
98 if ((*user_info)->domain.str) {
99 (*user_info)->domain.len = strlen(domain);
100 } else {
101 free_user_info(user_info);
102 return NT_STATUS_NO_MEMORY;
103 }
104
105 (*user_info)->client_domain.str = SMB_STRDUP(client_domain);
106 if ((*user_info)->client_domain.str) {
107 (*user_info)->client_domain.len = strlen(client_domain);
108 } else {
109 free_user_info(user_info);
110 return NT_STATUS_NO_MEMORY;
111 }
112
113 (*user_info)->wksta_name.str = SMB_STRDUP(wksta_name);
114 if ((*user_info)->wksta_name.str) {
115 (*user_info)->wksta_name.len = strlen(wksta_name);
116 } else {
117 free_user_info(user_info);
118 return NT_STATUS_NO_MEMORY;
119 }
120
121 DEBUG(5,("making blobs for %s's user_info struct\n", internal_username));
122
123 if (lm_pwd)
124 (*user_info)->lm_resp = data_blob(lm_pwd->data, lm_pwd->length);
125 if (nt_pwd)
126 (*user_info)->nt_resp = data_blob(nt_pwd->data, nt_pwd->length);
127 if (lm_interactive_pwd)
128 (*user_info)->lm_interactive_pwd = data_blob(lm_interactive_pwd->data, lm_interactive_pwd->length);
129 if (nt_interactive_pwd)
130 (*user_info)->nt_interactive_pwd = data_blob(nt_interactive_pwd->data, nt_interactive_pwd->length);
131
132 if (plaintext)
133 (*user_info)->plaintext_password = data_blob(plaintext->data, plaintext->length);
134
135 (*user_info)->encrypted = encrypted;
136
137 (*user_info)->logon_parameters = 0;
138
139 DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name));
140
141 return NT_STATUS_OK;
142 }
143
144 /****************************************************************************
145 Create an auth_usersupplied_data structure after appropriate mapping.
146 ****************************************************************************/
147
148 NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
149 const char *smb_name,
150 const char *client_domain,
151 const char *wksta_name,
152 DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd,
153 DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd,
154 DATA_BLOB *plaintext,
155 BOOL encrypted)
156 {
157 const char *domain;
158 fstring internal_username;
159 fstrcpy(internal_username, smb_name);
160 map_username(internal_username);
161
162 DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n",
163 client_domain, smb_name, wksta_name));
164
165 /* don't allow "" as a domain, fixes a Win9X bug
166 where it doens't supply a domain for logon script
167 'net use' commands. */
168
169 if ( *client_domain )
170 domain = client_domain;
171 else
172 domain = lp_workgroup();
173
174 /* do what win2k does. Always map unknown domains to our own
175 and let the "passdb backend" handle unknown users. */
176
177 if ( !is_trusted_domain(domain) && !strequal(domain, get_global_sam_name()) )
178 domain = get_default_sam_name();
179
180 /* we know that it is a trusted domain (and we are allowing them) or it is our domain */
181
182 return make_user_info(user_info, smb_name, internal_username,
183 client_domain, domain, wksta_name,
184 lm_pwd, nt_pwd,
185 lm_interactive_pwd, nt_interactive_pwd,
186 plaintext, encrypted);
187 }
188
189 /****************************************************************************
190 Create an auth_usersupplied_data, making the DATA_BLOBs here.
191 Decrypt and encrypt the passwords.
192 ****************************************************************************/
193
194 BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info,
195 const char *smb_name,
196 const char *client_domain,
197 const char *wksta_name,
198 uint32 logon_parameters,
199 const uchar *lm_network_pwd, int lm_pwd_len,
200 const uchar *nt_network_pwd, int nt_pwd_len)
201 {
202 BOOL ret;
203 NTSTATUS nt_status;
204 DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len);
205 DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
206
207 nt_status = make_user_info_map(user_info,
208 smb_name, client_domain,
209 wksta_name,
210 lm_pwd_len ? &lm_blob : NULL,
211 nt_pwd_len ? &nt_blob : NULL,
212 NULL, NULL, NULL,
213 True);
214
215 if (NT_STATUS_IS_OK(nt_status)) {
216 (*user_info)->logon_parameters = logon_parameters;
217 }
218 ret = NT_STATUS_IS_OK(nt_status) ? True : False;
219
220 data_blob_free(&lm_blob);
221 data_blob_free(&nt_blob);
222 return ret;
223 }
224
225 /****************************************************************************
226 Create an auth_usersupplied_data, making the DATA_BLOBs here.
227 Decrypt and encrypt the passwords.
228 ****************************************************************************/
229
230 BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
231 const char *smb_name,
232 const char *client_domain,
233 const char *wksta_name,
234 uint32 logon_parameters,
235 const uchar chal[8],
236 const uchar lm_interactive_pwd[16],
237 const uchar nt_interactive_pwd[16],
238 const uchar *dc_sess_key)
239 {
240 char lm_pwd[16];
241 char nt_pwd[16];
242 unsigned char local_lm_response[24];
243 unsigned char local_nt_response[24];
244 unsigned char key[16];
245
246 ZERO_STRUCT(key);
247 memcpy(key, dc_sess_key, 8);
248
249 if (lm_interactive_pwd) memcpy(lm_pwd, lm_interactive_pwd, sizeof(lm_pwd));
250 if (nt_interactive_pwd) memcpy(nt_pwd, nt_interactive_pwd, sizeof(nt_pwd));
251
252 #ifdef DEBUG_PASSWORD
253 DEBUG(100,("key:"));
254 dump_data(100, (char *)key, sizeof(key));
255
256 DEBUG(100,("lm owf password:"));
257 dump_data(100, lm_pwd, sizeof(lm_pwd));
258
259 DEBUG(100,("nt owf password:"));
260 dump_data(100, nt_pwd, sizeof(nt_pwd));
261 #endif
262
263 if (lm_interactive_pwd)
264 SamOEMhash((uchar *)lm_pwd, key, sizeof(lm_pwd));
265
266 if (nt_interactive_pwd)
267 SamOEMhash((uchar *)nt_pwd, key, sizeof(nt_pwd));
268
269 #ifdef DEBUG_PASSWORD
270 DEBUG(100,("decrypt of lm owf password:"));
271 dump_data(100, lm_pwd, sizeof(lm_pwd));
272
273 DEBUG(100,("decrypt of nt owf password:"));
274 dump_data(100, nt_pwd, sizeof(nt_pwd));
275 #endif
276
277 if (lm_interactive_pwd)
278 SMBOWFencrypt((const unsigned char *)lm_pwd, chal, local_lm_response);
279
280 if (nt_interactive_pwd)
281 SMBOWFencrypt((const unsigned char *)nt_pwd, chal, local_nt_response);
282
283 /* Password info paranoia */
284 ZERO_STRUCT(key);
285
286 {
287 BOOL ret;
288 NTSTATUS nt_status;
289 DATA_BLOB local_lm_blob;
290 DATA_BLOB local_nt_blob;
291
292 DATA_BLOB lm_interactive_blob;
293 DATA_BLOB nt_interactive_blob;
294
295 if (lm_interactive_pwd) {
296 local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response));
297 lm_interactive_blob = data_blob(lm_pwd, sizeof(lm_pwd));
298 ZERO_STRUCT(lm_pwd);
299 }
300
301 if (nt_interactive_pwd) {
302 local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response));
303 nt_interactive_blob = data_blob(nt_pwd, sizeof(nt_pwd));
304 ZERO_STRUCT(nt_pwd);
305 }
306
307 nt_status = make_user_info_map(user_info,
308 smb_name, client_domain,
309 wksta_name,
310 lm_interactive_pwd ? &local_lm_blob : NULL,
311 nt_interactive_pwd ? &local_nt_blob : NULL,
312 lm_interactive_pwd ? &lm_interactive_blob : NULL,
313 nt_interactive_pwd ? &nt_interactive_blob : NULL,
314 NULL,
315 True);
316
317 if (NT_STATUS_IS_OK(nt_status)) {
318 (*user_info)->logon_parameters = logon_parameters;
319 }
320
321 ret = NT_STATUS_IS_OK(nt_status) ? True : False;
322 data_blob_free(&local_lm_blob);
323 data_blob_free(&local_nt_blob);
324 data_blob_free(&lm_interactive_blob);
325 data_blob_free(&nt_interactive_blob);
326 return ret;
327 }
328 }
329
330
331 /****************************************************************************
332 Create an auth_usersupplied_data structure
333 ****************************************************************************/
334
335 BOOL make_user_info_for_reply(auth_usersupplied_info **user_info,
336 const char *smb_name,
337 const char *client_domain,
338 const uint8 chal[8],
339 DATA_BLOB plaintext_password)
340 {
341
342 DATA_BLOB local_lm_blob;
343 DATA_BLOB local_nt_blob;
344 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
345
346 /*
347 * Not encrypted - do so.
348 */
349
350 DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted format.\n"));
351
352 if (plaintext_password.data) {
353 unsigned char local_lm_response[24];
354
355 #ifdef DEBUG_PASSWORD
356 DEBUG(10,("Unencrypted password (len %d):\n",(int)plaintext_password.length));
357 dump_data(100, (const char *)plaintext_password.data, plaintext_password.length);
358 #endif
359
360 SMBencrypt( (const char *)plaintext_password.data, (const uchar*)chal, local_lm_response);
361 local_lm_blob = data_blob(local_lm_response, 24);
362
363 /* We can't do an NT hash here, as the password needs to be
364 case insensitive */
365 local_nt_blob = data_blob(NULL, 0);
366
367 } else {
368 local_lm_blob = data_blob(NULL, 0);
369 local_nt_blob = data_blob(NULL, 0);
370 }
371
372 ret = make_user_info_map(user_info, smb_name,
373 client_domain,
374 get_remote_machine_name(),
375 local_lm_blob.data ? &local_lm_blob : NULL,
376 local_nt_blob.data ? &local_nt_blob : NULL,
377 NULL, NULL,
378 plaintext_password.data ? &plaintext_password : NULL,
379 False);
380
381 data_blob_free(&local_lm_blob);
382 return NT_STATUS_IS_OK(ret) ? True : False;
383 }
384
385 /****************************************************************************
386 Create an auth_usersupplied_data structure
387 ****************************************************************************/
388
389 NTSTATUS make_user_info_for_reply_enc(auth_usersupplied_info **user_info,
390 const char *smb_name,
391 const char *client_domain,
392 DATA_BLOB lm_resp, DATA_BLOB nt_resp)
393 {
394 return make_user_info_map(user_info, smb_name,
395 client_domain,
396 get_remote_machine_name(),
397 lm_resp.data ? &lm_resp : NULL,
398 nt_resp.data ? &nt_resp : NULL,
399 NULL, NULL, NULL,
400 True);
401 }
402
403 /****************************************************************************
404 Create a guest user_info blob, for anonymous authenticaion.
405 ****************************************************************************/
406
407 BOOL make_user_info_guest(auth_usersupplied_info **user_info)
408 {
409 NTSTATUS nt_status;
410
411 nt_status = make_user_info(user_info,
412 "","",
413 "","",
414 "",
415 NULL, NULL,
416 NULL, NULL,
417 NULL,
418 True);
419
420 return NT_STATUS_IS_OK(nt_status) ? True : False;
421 }
422
423 /****************************************************************************
424 prints a NT_USER_TOKEN to debug output.
425 ****************************************************************************/
426
427 void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token)
428 {
429 fstring sid_str;
430 size_t i;
431
432 if (!token) {
433 DEBUGC(dbg_class, dbg_lev, ("NT user token: (NULL)\n"));
434 return;
435 }
436
437 DEBUGC(dbg_class, dbg_lev, ("NT user token of user %s\n",
438 sid_to_string(sid_str, &token->user_sids[0]) ));
439 DEBUGADDC(dbg_class, dbg_lev, ("contains %lu SIDs\n", (unsigned long)token->num_sids));
440 for (i = 0; i < token->num_sids; i++)
441 DEBUGADDC(dbg_class, dbg_lev, ("SID[%3lu]: %s\n", (unsigned long)i,
442 sid_to_string(sid_str, &token->user_sids[i])));
443
444 dump_se_priv( dbg_class, dbg_lev, &token->privileges );
445 }
446
447 /****************************************************************************
448 prints a UNIX 'token' to debug output.
449 ****************************************************************************/
450
451 void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid, int n_groups, gid_t *groups)
452 {
453 int i;
454 DEBUGC(dbg_class, dbg_lev, ("UNIX token of user %ld\n", (long int)uid));
455
456 DEBUGADDC(dbg_class, dbg_lev, ("Primary group is %ld and contains %i supplementary groups\n", (long int)gid, n_groups));
457 for (i = 0; i < n_groups; i++)
458 DEBUGADDC(dbg_class, dbg_lev, ("Group[%3i]: %ld\n", i,
459 (long int)groups[i]));
460 }
461
462 /****************************************************************************
463 Create the SID list for this user.
464 ****************************************************************************/
465
466 static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *group_sid,
467 int n_groupSIDs, DOM_SID *groupSIDs,
468 BOOL is_guest, NT_USER_TOKEN **token)
469 {
470 NTSTATUS nt_status = NT_STATUS_OK;
471 NT_USER_TOKEN *ptoken;
472 int i;
473 int sid_ndx;
474
475 if ((ptoken = SMB_MALLOC_P(NT_USER_TOKEN)) == NULL) {
476 DEBUG(0, ("create_nt_token: Out of memory allocating token\n"));
477 nt_status = NT_STATUS_NO_MEMORY;
478 return nt_status;
479 }
480
481 ZERO_STRUCTP(ptoken);
482
483 ptoken->num_sids = n_groupSIDs + 5;
484
485 if ((ptoken->user_sids = SMB_MALLOC_ARRAY( DOM_SID, ptoken->num_sids )) == NULL) {
486 DEBUG(0, ("create_nt_token: Out of memory allocating SIDs\n"));
487 nt_status = NT_STATUS_NO_MEMORY;
488 return nt_status;
489 }
490
491 memset((char*)ptoken->user_sids,0,sizeof(DOM_SID) * ptoken->num_sids);
492
493 /*
494 * Note - user SID *MUST* be first in token !
495 * se_access_check depends on this.
496 *
497 * Primary group SID is second in token. Convention.
498 */
499
500 sid_copy(&ptoken->user_sids[PRIMARY_USER_SID_INDEX], user_sid);
501 if (group_sid)
502 sid_copy(&ptoken->user_sids[PRIMARY_GROUP_SID_INDEX], group_sid);
503
504 /*
505 * Finally add the "standard" SIDs.
506 * The only difference between guest and "anonymous" (which we
507 * don't really support) is the addition of Authenticated_Users.
508 */
509
510 sid_copy(&ptoken->user_sids[2], &global_sid_World);
511 sid_copy(&ptoken->user_sids[3], &global_sid_Network);
512
513 if (is_guest)
514 sid_copy(&ptoken->user_sids[4], &global_sid_Builtin_Guests);
515 else
516 sid_copy(&ptoken->user_sids[4], &global_sid_Authenticated_Users);
517
518 sid_ndx = 5; /* next available spot */
519
520 for (i = 0; i < n_groupSIDs; i++) {
521 size_t check_sid_idx;
522 for (check_sid_idx = 1; check_sid_idx < ptoken->num_sids; check_sid_idx++) {
523 if (sid_equal(&ptoken->user_sids[check_sid_idx],
524 &groupSIDs[i])) {
525 break;
526 }
527 }
528
529 if (check_sid_idx >= ptoken->num_sids) /* Not found already */ {
530 sid_copy(&ptoken->user_sids[sid_ndx++], &groupSIDs[i]);
531 } else {
532 ptoken->num_sids--;
533 }
534 }
535
536 /* add privileges assigned to this user */
537
538 get_privileges_for_sids( &ptoken->privileges, ptoken->user_sids, ptoken->num_sids );
539
540 debug_nt_user_token(DBGC_AUTH, 10, ptoken);
541
542 if ((lp_log_nt_token_command() != NULL) &&
543 (strlen(lp_log_nt_token_command()) > 0)) {
544 TALLOC_CTX *mem_ctx;
545 char *command;
546 fstring sidstr;
547 char *user_sidstr, *group_sidstr;
548
549 mem_ctx = talloc_init("setnttoken");
550 if (mem_ctx == NULL)
551 return NT_STATUS_NO_MEMORY;
552
553 sid_to_string(sidstr, &ptoken->user_sids[0]);
554 user_sidstr = talloc_strdup(mem_ctx, sidstr);
555
556 group_sidstr = talloc_strdup(mem_ctx, "");
557 for (i=1; i<ptoken->num_sids; i++) {
558 sid_to_string(sidstr, &ptoken->user_sids[i]);
559 group_sidstr = talloc_asprintf(mem_ctx, "%s %s",
560 group_sidstr, sidstr);
561 }
562
563 command = SMB_STRDUP(lp_log_nt_token_command());
564 command = realloc_string_sub(command, "%s", user_sidstr);
565 command = realloc_string_sub(command, "%t", group_sidstr);
566 DEBUG(8, ("running command: [%s]\n", command));
567 if (smbrun(command, NULL) != 0) {
568 DEBUG(0, ("Could not log NT token\n"));
569 nt_status = NT_STATUS_ACCESS_DENIED;
570 }
571 talloc_destroy(mem_ctx);
572 SAFE_FREE(command);
573 }
574
575 *token = ptoken;
576
577 return nt_status;
578 }
579
580 /****************************************************************************
581 Create the SID list for this user.
582 ****************************************************************************/
583
584 NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, BOOL is_guest)
585 {
586 DOM_SID user_sid;
587 DOM_SID group_sid;
588 DOM_SID *group_sids;
589 NT_USER_TOKEN *token;
590 int i;
591
592 if (!NT_STATUS_IS_OK(uid_to_sid(&user_sid, uid))) {
593 return NULL;
594 }
595 if (!NT_STATUS_IS_OK(gid_to_sid(&group_sid, gid))) {
596 return NULL;
597 }
598
599 group_sids = SMB_MALLOC_ARRAY(DOM_SID, ngroups);
600 if (!group_sids) {
601 DEBUG(0, ("create_nt_token: malloc() failed for DOM_SID list!\n"));
602 return NULL;
603 }
604
605 for (i = 0; i < ngroups; i++) {
606 if (!NT_STATUS_IS_OK(gid_to_sid(&(group_sids)[i], (groups)[i]))) {
607 DEBUG(1, ("create_nt_token: failed to convert gid %ld to a sid!\n", (long int)groups[i]));
608 SAFE_FREE(group_sids);
609 return NULL;
610 }
611 }
612
613 if (!NT_STATUS_IS_OK(create_nt_user_token(&user_sid, &group_sid,
614 ngroups, group_sids, is_guest, &token))) {
615 SAFE_FREE(group_sids);
616 return NULL;
617 }
618
619 SAFE_FREE(group_sids);
620
621 return token;
622 }
623
624 /******************************************************************************
625 Create a token for the root user to be used internally by smbd.
626 This is similar to running under the context of the LOCAL_SYSTEM account
627 in Windows. This is a read-only token. Do not modify it or free() it.
628 Create a copy if your need to change it.
629 ******************************************************************************/
630
631 NT_USER_TOKEN *get_root_nt_token( void )
632 {
633 static NT_USER_TOKEN *token = NULL;
634 DOM_SID u_sid, g_sid;
635 DOM_SID g_sids[1];
636 struct passwd *pw;
637 NTSTATUS result;
638
639 if ( token )
640 return token;
641
642 if ( !(pw = getpwnam( "root" )) ) {
643 DEBUG(0,("create_root_nt_token: getpwnam\"root\") failed!\n"));
644 return NULL;
645 }
646
647 /* get the user and primary group SIDs; although the
648 BUILTIN\Administrators SId is really the one that matters here */
649
650 if ( !NT_STATUS_IS_OK(uid_to_sid(&u_sid, pw->pw_uid)) )
651 return NULL;
652 if ( !NT_STATUS_IS_OK(gid_to_sid(&g_sid, pw->pw_gid)) )
653 return NULL;
654
655 sid_copy( &g_sids[0], &global_sid_Builtin_Administrators );
656
657 result = create_nt_user_token( &u_sid, &g_sid, 1, g_sids, False, &token);
658
659 return NT_STATUS_IS_OK(result) ? token : NULL;
660 }
661
662 /******************************************************************************
663 * this function returns the groups (SIDs) of the local SAM the user is in.
664 * If this samba server is a DC of the domain the user belongs to, it returns
665 * both domain groups and local / builtin groups. If the user is in a trusted
666 * domain, or samba is a member server of a domain, then this function returns
667 * local and builtin groups the user is a member of.
668 *
669 * currently this is a hack, as there is no sam implementation that is capable
670 * of groups.
671 *
672 * NOTE!! This function will fail if you pass in a winbind user without
673 * the domain --jerry
674 ******************************************************************************/
675
676 static NTSTATUS get_user_groups(const char *username, uid_t uid, gid_t gid,
677 size_t *n_groups, DOM_SID **groups, gid_t **unix_groups)
678 {
679 int n_unix_groups;
680 int i;
681
682 *n_groups = 0;
683 *groups = NULL;
684
685 if (strchr(username, *lp_winbind_separator()) == NULL) {
686 NTSTATUS result;
687
688 become_root();
689 result = pdb_enum_group_memberships(username, gid, groups,
690 unix_groups, n_groups);
691 unbecome_root();
692 return result;
693 }
694
695 /* We have the separator, this must be winbind */
696
697 n_unix_groups = winbind_getgroups( username, unix_groups );
698
699 DEBUG(10,("get_user_groups: winbind_getgroups(%s): result = %s\n",
700 username, n_unix_groups == -1 ? "FAIL" : "SUCCESS"));
701
702 if ( n_unix_groups == -1 )
703 return NT_STATUS_NO_SUCH_USER; /* what should this return
704 * value be? */
705
706 debug_unix_user_token(DBGC_CLASS, 5, uid, gid, n_unix_groups, *unix_groups);
707
708 /* now setup the space for storing the SIDS */
709
710 if (n_unix_groups > 0) {
711
712 *groups = SMB_MALLOC_ARRAY(DOM_SID, n_unix_groups);
713
714 if (!*groups) {
715 DEBUG(0, ("get_user_group: malloc() failed for DOM_SID list!\n"));
716 SAFE_FREE(*unix_groups);
717 return NT_STATUS_NO_MEMORY;
718 }
719 }
720
721 *n_groups = n_unix_groups;
722
723 for (i = 0; i < *n_groups; i++) {
724 if (!NT_STATUS_IS_OK(gid_to_sid(&(*groups)[i], (*unix_groups)[i]))) {
725 DEBUG(1, ("get_user_groups: failed to convert gid %ld to a sid!\n",
726 (long int)(*unix_groups)[i+1]));
727 SAFE_FREE(*groups);
728 SAFE_FREE(*unix_groups);
729 return NT_STATUS_NO_SUCH_USER;
730 }
731 }
732
733 return NT_STATUS_OK;
734 }
735
736 /***************************************************************************
737 Make a user_info struct
738 ***************************************************************************/
739
740 static NTSTATUS make_server_info(auth_serversupplied_info **server_info)
741 {
742 *server_info = SMB_MALLOC_P(auth_serversupplied_info);
743 if (!*server_info) {
744 DEBUG(0,("make_server_info: malloc failed!\n"));
745 return NT_STATUS_NO_MEMORY;
746 }
747 ZERO_STRUCTP(*server_info);
748
749 /* Initialise the uid and gid values to something non-zero
750 which may save us from giving away root access if there
751 is a bug in allocating these fields. */
752
753 (*server_info)->uid = -1;
754 (*server_info)->gid = -1;
755
756 return NT_STATUS_OK;
757 }
758
759 /***************************************************************************
760 Fill a server_info struct from a SAM_ACCOUNT with their groups
761 ***************************************************************************/
762
763 static NTSTATUS add_user_groups(auth_serversupplied_info **server_info,
764 const char * unix_username,
765 SAM_ACCOUNT *sampass,
766 uid_t uid, gid_t gid)
767 {
768 NTSTATUS nt_status;
769 const DOM_SID *user_sid = pdb_get_user_sid(sampass);
770 const DOM_SID *group_sid = pdb_get_group_sid(sampass);
771 size_t n_groupSIDs = 0;
772 DOM_SID *groupSIDs = NULL;
773 gid_t *unix_groups = NULL;
774 NT_USER_TOKEN *token;
775 BOOL is_guest;
776 uint32 rid;
777
778 nt_status = get_user_groups(unix_username, uid, gid,
779 &n_groupSIDs, &groupSIDs, &unix_groups);
780
781 if (!NT_STATUS_IS_OK(nt_status)) {
782 DEBUG(4,("get_user_groups_from_local_sam failed\n"));
783 free_server_info(server_info);
784 return nt_status;
785 }
786
787 is_guest = (sid_peek_rid(user_sid, &rid) && rid == DOMAIN_USER_RID_GUEST);
788
789 if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token(user_sid, group_sid,
790 n_groupSIDs, groupSIDs, is_guest,
791 &token)))
792 {
793 DEBUG(4,("create_nt_user_token failed\n"));
794 SAFE_FREE(groupSIDs);
795 SAFE_FREE(unix_groups);
796 free_server_info(server_info);
797 return nt_status;
798 }
799
800 SAFE_FREE(groupSIDs);
801
802 (*server_info)->n_groups = n_groupSIDs;
803 (*server_info)->groups = unix_groups;
804 (*server_info)->ptok = token;
805
806 return nt_status;
807 }
808
809 /***************************************************************************
810 Make (and fill) a user_info struct from a SAM_ACCOUNT
811 ***************************************************************************/
812
813 NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
814 SAM_ACCOUNT *sampass)
815 {
816 NTSTATUS nt_status;
817 struct passwd *pwd;
818
819 if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info)))
820 return nt_status;
821
822 (*server_info)->sam_account = sampass;
823
824 if ( !(pwd = getpwnam_alloc(pdb_get_username(sampass))) ) {
825 DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n",
826 pdb_get_username(sampass)));
827 free_server_info(server_info);
828 return NT_STATUS_NO_SUCH_USER;
829 }
830 (*server_info)->unix_name = smb_xstrdup(pwd->pw_name);
831 (*server_info)->gid = pwd->pw_gid;
832 (*server_info)->uid = pwd->pw_uid;
833
834 passwd_free(&pwd);
835
836 if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, pdb_get_username(sampass),
837 sampass,
838 (*server_info)->uid,
839 (*server_info)->gid)))
840 {
841 free_server_info(server_info);
842 return nt_status;
843 }
844
845 (*server_info)->sam_fill_level = SAM_FILL_ALL;
846 DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n",
847 pdb_get_username(sampass),
848 (*server_info)->unix_name));
849
850 return nt_status;
851 }
852
853 /***************************************************************************
854 Make (and fill) a user_info struct from a Kerberos PAC logon_info by conversion
855 to a SAM_ACCOUNT
856 ***************************************************************************/
857
858 NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info,
859 char *unix_username,
860 struct passwd *pwd,
861 PAC_LOGON_INFO *logon_info)
862 {
863 NTSTATUS nt_status;
864 SAM_ACCOUNT *sampass = NULL;
865 DOM_SID user_sid, group_sid;
866 fstring dom_name;
867
868 if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sampass, pwd))) {
869 return nt_status;
870 }
871 if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) {
872 return nt_status;
873 }
874
875 /* only copy user_sid, group_sid and domain name out of the PAC for
876 * now, we will benefit from more later - Guenther */
877
878 sid_copy(&user_sid, &logon_info->info3.dom_sid.sid);
879 sid_append_rid(&user_sid, logon_info->info3.user_rid);
880 pdb_set_user_sid(sampass, &user_sid, PDB_SET);
881
882 sid_copy(&group_sid, &logon_info->info3.dom_sid.sid);
883 sid_append_rid(&group_sid, logon_info->info3.group_rid);
884 pdb_set_group_sid(sampass, &group_sid, PDB_SET);
885
886 unistr2_to_ascii(dom_name, &logon_info->info3.uni_logon_dom, -1);
887 pdb_set_domain(sampass, dom_name, PDB_SET);
888
889 pdb_set_logon_count(sampass, logon_info->info3.logon_count, PDB_SET);
890
891 (*server_info)->sam_account = sampass;
892
893 if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, unix_username,
894 sampass, pwd->pw_uid, pwd->pw_gid)))
895 {
896 return nt_status;
897 }
898
899 (*server_info)->unix_name = smb_xstrdup(unix_username);
900
901 (*server_info)->sam_fill_level = SAM_FILL_ALL;
902 (*server_info)->uid = pwd->pw_uid;
903 (*server_info)->gid = pwd->pw_gid;
904 return nt_status;
905 }
906
907
908 /***************************************************************************
909 Make (and fill) a user_info struct from a 'struct passwd' by conversion
910 to a SAM_ACCOUNT
911 ***************************************************************************/
912
913 NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info,
914 char *unix_username,
915 struct passwd *pwd)
916 {
917 NTSTATUS nt_status;
918 SAM_ACCOUNT *sampass = NULL;
919 if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sampass, pwd))) {
920 return nt_status;
921 }
922 if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) {
923 return nt_status;
924 }
925
926 (*server_info)->sam_account = sampass;
927
928 if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, unix_username,
929 sampass, pwd->pw_uid, pwd->pw_gid)))
930 {
931 return nt_status;
932 }
933
934 (*server_info)->unix_name = smb_xstrdup(unix_username);
935
936 (*server_info)->sam_fill_level = SAM_FILL_ALL;
937 (*server_info)->uid = pwd->pw_uid;
938 (*server_info)->gid = pwd->pw_gid;
939 return nt_status;
940 }
941
942 /***************************************************************************
943 Make (and fill) a user_info struct for a guest login.
944 ***************************************************************************/
945
946 static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_info)
947 {
948 NTSTATUS nt_status;
949 SAM_ACCOUNT *sampass = NULL;
950 DOM_SID guest_sid;
951
952 if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sampass))) {
953 return nt_status;
954 }
955
956 sid_copy(&guest_sid, get_global_sam_sid());
957 sid_append_rid(&guest_sid, DOMAIN_USER_RID_GUEST);
958
959 become_root();
960 if (!pdb_getsampwsid(sampass, &guest_sid)) {
961 unbecome_root();
962 return NT_STATUS_NO_SUCH_USER;
963 }
964 unbecome_root();
965
966 nt_status = make_server_info_sam(server_info, sampass);
967
968 if (NT_STATUS_IS_OK(nt_status)) {
969 static const char zeros[16];
970 (*server_info)->guest = True;
971
972 /* annoying, but the Guest really does have a session key,
973 and it is all zeros! */
974 (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));
975 (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
976 }
977
978 return nt_status;
979 }
980
981 static auth_serversupplied_info *copy_serverinfo(auth_serversupplied_info *src)
982 {
983 auth_serversupplied_info *dst;
984
985 if (!NT_STATUS_IS_OK(make_server_info(&dst)))
986 return NULL;
987
988 dst->guest = src->guest;
989 dst->uid = src->uid;
990 dst->gid = src->gid;
991 dst->n_groups = src->n_groups;
992 if (src->n_groups != 0)
993 dst->groups = memdup(src->groups, sizeof(gid_t)*dst->n_groups);
994 else
995 dst->groups = NULL;
996 dst->ptok = dup_nt_token(src->ptok);
997 dst->user_session_key = data_blob(src->user_session_key.data,
998 src->user_session_key.length);
999 dst->lm_session_key = data_blob(src->lm_session_key.data,
1000 src->lm_session_key.length);
1001 pdb_copy_sam_account(src->sam_account, &dst->sam_account);
1002 dst->pam_handle = NULL;
1003 dst->unix_name = smb_xstrdup(src->unix_name);
1004
1005 return dst;
1006 }
1007
1008 static auth_serversupplied_info *guest_info = NULL;
1009
1010 BOOL init_guest_info(void)
1011 {
1012 if (guest_info != NULL)
1013 return True;
1014
1015 return NT_STATUS_IS_OK(make_new_server_info_guest(&guest_info));
1016 }
1017
1018 NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info)
1019 {
1020 *server_info = copy_serverinfo(guest_info);
1021 return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1022 }
1023
1024 /***************************************************************************
1025 Purely internal function for make_server_info_info3
1026 Fill the sam account from getpwnam
1027 ***************************************************************************/
1028 static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx,
1029 const char *domain,
1030 const char *username,
1031 char **found_username,
1032 uid_t *uid, gid_t *gid,
1033 SAM_ACCOUNT **sam_account)
1034 {
1035 NTSTATUS nt_status;
1036 fstring dom_user, lower_username;
1037 fstring real_username;
1038 struct passwd *passwd;
1039
1040 fstrcpy( lower_username, username );
1041 strlower_m( lower_username );
1042
1043 fstr_sprintf(dom_user, "%s%c%s", domain, *lp_winbind_separator(),
1044 lower_username);
1045
1046 /* get the passwd struct but don't create the user if he/she
1047 does not exist. We were explicitly called from a following
1048 a winbindd authentication request so we should assume that
1049 nss_winbindd is working */
1050
1051 map_username( dom_user );
1052
1053 if ( !(passwd = smb_getpwnam( dom_user, real_username, True )) )
1054 return NT_STATUS_NO_SUCH_USER;
1055
1056 *uid = passwd->pw_uid;
1057 *gid = passwd->pw_gid;
1058
1059 /* This is pointless -- there is no suport for differing
1060 unix and windows names. Make sure to always store the
1061 one we actually looked up and succeeded. Have I mentioned
1062 why I hate the 'winbind use default domain' parameter?
1063 --jerry */
1064
1065 *found_username = talloc_strdup( mem_ctx, real_username );
1066
1067 DEBUG(5,("fill_sam_account: located username was [%s]\n",
1068 *found_username));
1069
1070 nt_status = pdb_init_sam_pw(sam_account, passwd);
1071 passwd_free(&passwd);
1072 return nt_status;
1073 }
1074
1075 /****************************************************************************
1076 Wrapper to allow the getpwnam() call to strip the domain name and
1077 try again in case a local UNIX user is already there. Also run through
1078 the username if we fallback to the username only.
1079 ****************************************************************************/
1080
1081 struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create )
1082 {
1083 struct passwd *pw = NULL;
1084 char *p;
1085 fstring username;
1086
1087 /* we only save a copy of the username it has been mangled
1088 by winbindd use default domain */
1089
1090 save_username[0] = '\0';
1091
1092 /* don't call map_username() here since it has to be done higher
1093 up the stack so we don't call it mutliple times */
1094
1095 fstrcpy( username, domuser );
1096
1097 p = strchr_m( username, *lp_winbind_separator() );
1098
1099 /* code for a DOMAIN\user string */
1100
1101 if ( p ) {
1102 fstring strip_username;
1103
1104 pw = Get_Pwnam_alloc( domuser );
1105 if ( pw ) {
1106 /* make sure we get the case of the username correct */
1107 /* work around 'winbind use default domain = yes' */
1108
1109 if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
1110 char *domain;
1111
1112 /* split the domain and username into 2 strings */
1113 *p = '\0';
1114 domain = username;
1115
1116 fstr_sprintf(save_username, "%s%c%s", domain, *lp_winbind_separator(), pw->pw_name);
1117 }
1118 else
1119 fstrcpy( save_username, pw->pw_name );
1120
1121 /* whew -- done! */
1122 return pw;
1123 }
1124
1125 /* setup for lookup of just the username */
1126 /* remember that p and username are overlapping memory */
1127
1128 p++;
1129 fstrcpy( strip_username, p );
1130 fstrcpy( username, strip_username );
1131 }
1132
1133 /* just lookup a plain username */
1134
1135 pw = Get_Pwnam_alloc(username);
1136
1137 /* Create local user if requested. */
1138
1139 if ( !pw && create ) {
1140 /* Don't add a machine account. */
1141 if (username[strlen(username)-1] == '$')
1142 return NULL;
1143
1144 smb_create_user(NULL, username, NULL);
1145 pw = Get_Pwnam_alloc(username);
1146 }
1147
1148 /* one last check for a valid passwd struct */
1149
1150 if ( pw )
1151 fstrcpy( save_username, pw->pw_name );
1152
1153 return pw;
1154 }
1155
1156 /***************************************************************************
1157 Make a server_info struct from the info3 returned by a domain logon
1158 ***************************************************************************/
1159
1160 NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
1161 const char *internal_username,
1162 const char *sent_nt_username,
1163 const char *domain,
1164 auth_serversupplied_info **server_info,
1165 NET_USER_INFO_3 *info3)
1166 {
1167 static const char zeros[16];
1168
1169 NTSTATUS nt_status = NT_STATUS_OK;
1170 char *found_username;
1171 const char *nt_domain;
1172 const char *nt_username;
1173
1174 SAM_ACCOUNT *sam_account = NULL;
1175 DOM_SID user_sid;
1176 DOM_SID group_sid;
1177
1178 uid_t uid;
1179 gid_t gid;
1180
1181 size_t n_lgroupSIDs;
1182 DOM_SID *lgroupSIDs = NULL;
1183
1184 gid_t *unix_groups = NULL;
1185 NT_USER_TOKEN *token;
1186
1187 DOM_SID *all_group_SIDs;
1188 size_t i;
1189
1190 /*
1191 Here is where we should check the list of
1192 trusted domains, and verify that the SID
1193 matches.
1194 */
1195
1196 sid_copy(&user_sid, &info3->dom_sid.sid);
1197 if (!sid_append_rid(&user_sid, info3->user_rid)) {
1198 return NT_STATUS_INVALID_PARAMETER;
1199 }
1200
1201 sid_copy(&group_sid, &info3->dom_sid.sid);
1202 if (!sid_append_rid(&group_sid, info3->group_rid)) {
1203 return NT_STATUS_INVALID_PARAMETER;
1204 }
1205
1206 if (!(nt_username = unistr2_tdup(mem_ctx, &(info3->uni_user_name)))) {
1207 /* If the server didn't give us one, just use the one we sent them */
1208 nt_username = sent_nt_username;
1209 }
1210
1211 if (!(nt_domain = unistr2_tdup(mem_ctx, &(info3->uni_logon_dom)))) {
1212 /* If the server didn't give us one, just use the one we sent them */
1213 nt_domain = domain;
1214 }
1215
1216 /* try to fill the SAM account.. If getpwnam() fails, then try the
1217 add user script (2.2.x behavior).
1218
1219 We use the _unmapped_ username here in an attempt to provide
1220 consistent username mapping behavior between kerberos and NTLM[SSP]
1221 authentication in domain mode security. I.E. Username mapping should
1222 be applied to the fully qualified username (e.g. DOMAIN\user) and
1223 no just the login name. Yes this mean swe called map_username()
1224 unnecessarily in make_user_info_map() but that is how the current
1225 code is designed. Making the change here is the least disruptive
1226 place. -- jerry */
1227
1228 nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username,
1229 &found_username, &uid, &gid, &sam_account);
1230
1231 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
1232 DEBUG(3,("User %s does not exist, trying to add it\n", internal_username));
1233 smb_create_user( nt_domain, sent_nt_username, NULL);
1234 nt_status = fill_sam_account( mem_ctx, nt_domain, sent_nt_username,
1235 &found_username, &uid, &gid, &sam_account );
1236 }
1237
1238 /* if we still don't have a valid unix account check for
1239 'map to gues = bad uid' */
1240
1241 if (!NT_STATUS_IS_OK(nt_status)) {
1242 if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) {
1243 make_server_info_guest(server_info);
1244 return NT_STATUS_OK;
1245 }
1246
1247 DEBUG(0, ("make_server_info_info3: pdb_init_sam failed!\n"));
1248 return nt_status;
1249 }
1250
1251 if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) {
1252 pdb_free_sam(&sam_account);
1253 return NT_STATUS_NO_MEMORY;
1254 }
1255
1256 if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) {
1257 pdb_free_sam(&sam_account);
1258 return NT_STATUS_NO_MEMORY;
1259 }
1260
1261 if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) {
1262 pdb_free_sam(&sam_account);
1263 return NT_STATUS_NO_MEMORY;
1264 }
1265
1266 if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) {
1267 pdb_free_sam(&sam_account);
1268 return NT_STATUS_UNSUCCESSFUL;
1269 }
1270
1271 if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) {
1272 pdb_free_sam(&sam_account);
1273 return NT_STATUS_UNSUCCESSFUL;
1274 }
1275
1276 if (!pdb_set_fullname(sam_account, unistr2_static(&(info3->uni_full_name)),
1277 PDB_CHANGED)) {
1278 pdb_free_sam(&sam_account);
1279 return NT_STATUS_NO_MEMORY;
1280 }
1281
1282 if (!pdb_set_logon_script(sam_account, unistr2_static(&(info3->uni_logon_script)), PDB_CHANGED)) {
1283 pdb_free_sam(&sam_account);
1284 return NT_STATUS_NO_MEMORY;
1285 }
1286
1287 if (!pdb_set_profile_path(sam_account, unistr2_static(&(info3->uni_profile_path)), PDB_CHANGED)) {
1288 pdb_free_sam(&sam_account);
1289 return NT_STATUS_NO_MEMORY;
1290 }
1291
1292 if (!pdb_set_homedir(sam_account, unistr2_static(&(info3->uni_home_dir)), PDB_CHANGED)) {
1293 pdb_free_sam(&sam_account);
1294 return NT_STATUS_NO_MEMORY;
1295 }
1296
1297 if (!pdb_set_dir_drive(sam_account, unistr2_static(&(info3->uni_dir_drive)), PDB_CHANGED)) {
1298 pdb_free_sam(&sam_account);
1299 return NT_STATUS_NO_MEMORY;
1300 }
1301
1302 if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) {
1303 DEBUG(4, ("make_server_info failed!\n"));
1304 pdb_free_sam(&sam_account);
1305 return nt_status;
1306 }
1307
1308 /* save this here to _net_sam_logon() doesn't fail (it assumes a
1309 valid SAM_ACCOUNT) */
1310
1311 (*server_info)->sam_account = sam_account;
1312
1313 (*server_info)->unix_name = smb_xstrdup(found_username);
1314
1315 /* Fill in the unix info we found on the way */
1316
1317 (*server_info)->sam_fill_level = SAM_FILL_ALL;
1318 (*server_info)->uid = uid;
1319 (*server_info)->gid = gid;
1320
1321 /* Store the user group information in the server_info
1322 returned to the caller. */
1323
1324 nt_status = get_user_groups((*server_info)->unix_name,
1325 uid, gid, &n_lgroupSIDs, &lgroupSIDs, &unix_groups);
1326
1327 if ( !NT_STATUS_IS_OK(nt_status) ) {
1328 DEBUG(4,("get_user_groups failed\n"));
1329 return nt_status;
1330 }
1331
1332 (*server_info)->groups = unix_groups;
1333 (*server_info)->n_groups = n_lgroupSIDs;
1334
1335 /* Create a 'combined' list of all SIDs we might want in the SD */
1336
1337 all_group_SIDs = SMB_MALLOC_ARRAY(DOM_SID,info3->num_groups2 + info3->num_other_sids + n_lgroupSIDs);
1338
1339 if (!all_group_SIDs) {
1340 DEBUG(0, ("malloc() failed for DOM_SID list!\n"));
1341 SAFE_FREE(lgroupSIDs);
1342 free_server_info(server_info);
1343 return NT_STATUS_NO_MEMORY;
1344 }
1345
1346 /* and create (by appending rids) the 'domain' sids */
1347
1348 for (i = 0; i < info3->num_groups2; i++) {
1349
1350 sid_copy(&all_group_SIDs[i], &(info3->dom_sid.sid));
1351
1352 if (!sid_append_rid(&all_group_SIDs[i], info3->gids[i].g_rid)) {
1353
1354 nt_status = NT_STATUS_INVALID_PARAMETER;
1355
1356 DEBUG(3,("could not append additional group rid 0x%x\n",
1357 info3->gids[i].g_rid));
1358
1359 SAFE_FREE(lgroupSIDs);
1360 SAFE_FREE(all_group_SIDs);
1361 free_server_info(server_info);
1362
1363 return nt_status;
1364
1365 }
1366 }
1367
1368 /* Copy 'other' sids. We need to do sid filtering here to
1369 prevent possible elevation of privileges. See:
1370
1371 http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
1372 */
1373
1374 for (i = 0; i < info3->num_other_sids; i++) {
1375 sid_copy(&all_group_SIDs[info3->num_groups2 + i],
1376 &info3->other_sids[i].sid);
1377 }
1378
1379
1380 /* add local alias sids */
1381
1382 for (i = 0; i < n_lgroupSIDs; i++) {
1383 sid_copy(&all_group_SIDs[info3->num_groups2 +
1384 info3->num_other_sids + i],
1385 &lgroupSIDs[i]);
1386 }
1387
1388 /* Where are the 'global' sids... */
1389
1390 /* can the user be guest? if yes, where is it stored? */
1391
1392 nt_status = create_nt_user_token(&user_sid, &group_sid,
1393 info3->num_groups2 + info3->num_other_sids + n_lgroupSIDs,
1394 all_group_SIDs, False, &token);
1395
1396 if ( !NT_STATUS_IS_OK(nt_status) ) {
1397 DEBUG(4,("create_nt_user_token failed\n"));
1398 SAFE_FREE(lgroupSIDs);
1399 SAFE_FREE(all_group_SIDs);
1400 free_server_info(server_info);
1401 return nt_status;
1402 }
1403
1404 (*server_info)->login_server = unistr2_tdup(mem_ctx,
1405 &(info3->uni_logon_srv));
1406
1407 (*server_info)->ptok = token;
1408
1409 SAFE_FREE(lgroupSIDs);
1410 SAFE_FREE(all_group_SIDs);
1411
1412 /* ensure we are never given NULL session keys */
1413
1414 if (memcmp(info3->user_sess_key, zeros, sizeof(zeros)) == 0) {
1415 (*server_info)->user_session_key = data_blob(NULL, 0);
1416 } else {
1417 (*server_info)->user_session_key = data_blob(info3->user_sess_key, sizeof(info3->user_sess_key));
1418 }
1419
1420 if (memcmp(info3->lm_sess_key, zeros, 8) == 0) {
1421 (*server_info)->lm_session_key = data_blob(NULL, 0);
1422 } else {
1423 (*server_info)->lm_session_key = data_blob(info3->lm_sess_key, sizeof(info3->lm_sess_key));
1424 }
1425
1426 return NT_STATUS_OK;
1427 }
1428
1429 /***************************************************************************
1430 Free a user_info struct
1431 ***************************************************************************/
1432
1433 void free_user_info(auth_usersupplied_info **user_info)
1434 {
1435 DEBUG(5,("attempting to free (and zero) a user_info structure\n"));
1436 if (*user_info != NULL) {
1437 if ((*user_info)->smb_name.str) {
1438 DEBUG(10,("structure was created for %s\n", (*user_info)->smb_name.str));
1439 }
1440 SAFE_FREE((*user_info)->smb_name.str);
1441 SAFE_FREE((*user_info)->internal_username.str);
1442 SAFE_FREE((*user_info)->client_domain.str);
1443 SAFE_FREE((*user_info)->domain.str);
1444 SAFE_FREE((*user_info)->wksta_name.str);
1445 data_blob_free(&(*user_info)->lm_resp);
1446 data_blob_free(&(*user_info)->nt_resp);
1447 data_blob_clear_free(&(*user_info)->lm_interactive_pwd);
1448 data_blob_clear_free(&(*user_info)->nt_interactive_pwd);
1449 data_blob_clear_free(&(*user_info)->plaintext_password);
1450 ZERO_STRUCT(**user_info);
1451 }
1452 SAFE_FREE(*user_info);
1453 }
1454
1455 /***************************************************************************
1456 Clear out a server_info struct that has been allocated
1457 ***************************************************************************/
1458
1459 void free_server_info(auth_serversupplied_info **server_info)
1460 {
1461 DEBUG(5,("attempting to free (and zero) a server_info structure\n"));
1462 if (*server_info != NULL) {
1463 pdb_free_sam(&(*server_info)->sam_account);
1464
1465 /* call pam_end here, unless we know we are keeping it */
1466 delete_nt_token( &(*server_info)->ptok );
1467 SAFE_FREE((*server_info)->groups);
1468 SAFE_FREE((*server_info)->unix_name);
1469 data_blob_free(&(*server_info)->lm_session_key);
1470 data_blob_free(&(*server_info)->user_session_key);
1471 ZERO_STRUCT(**server_info);
1472 }
1473 SAFE_FREE(*server_info);
1474 }
1475
1476 /***************************************************************************
1477 Make an auth_methods struct
1478 ***************************************************************************/
1479
1480 BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_method)
1481 {
1482 if (!auth_context) {
1483 smb_panic("no auth_context supplied to make_auth_methods()!\n");
1484 }
1485
1486 if (!auth_method) {
1487 smb_panic("make_auth_methods: pointer to auth_method pointer is NULL!\n");
1488 }
1489
1490 *auth_method = TALLOC_P(auth_context->mem_ctx, auth_methods);
1491 if (!*auth_method) {
1492 DEBUG(0,("make_auth_method: malloc failed!\n"));
1493 return False;
1494 }
1495 ZERO_STRUCTP(*auth_method);
1496
1497 return True;
1498 }
1499
1500 /****************************************************************************
1501 Delete a SID token.
1502 ****************************************************************************/
1503
1504 void delete_nt_token(NT_USER_TOKEN **pptoken)
1505 {
1506 if (*pptoken) {
1507 NT_USER_TOKEN *ptoken = *pptoken;
1508
1509 SAFE_FREE( ptoken->user_sids );
1510 ZERO_STRUCTP(ptoken);
1511 }
1512 SAFE_FREE(*pptoken);
1513 }
1514
1515 /****************************************************************************
1516 Duplicate a SID token.
1517 ****************************************************************************/
1518
1519 NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken)
1520 {
1521 NT_USER_TOKEN *token;
1522
1523 if (!ptoken)
1524 return NULL;
1525
1526 if ((token = SMB_MALLOC_P(NT_USER_TOKEN)) == NULL)
1527 return NULL;
1528
1529 ZERO_STRUCTP(token);
1530
1531 token->user_sids = (DOM_SID *)memdup( ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids );
1532
1533 if ( !token ) {
1534 SAFE_FREE(token);
1535 return NULL;
1536 }
1537
1538 token->num_sids = ptoken->num_sids;
1539
1540 /* copy the privileges; don't consider failure to be critical here */
1541
1542 if ( !se_priv_copy( &token->privileges, &ptoken->privileges ) ) {
1543 DEBUG(0,("dup_nt_token: Failure to copy SE_PRIV!. Continuing with 0 privileges assigned.\n"));
1544 }
1545
1546 return token;
1547 }
1548
1549 /****************************************************************************
1550 Check for a SID in an NT_USER_TOKEN
1551 ****************************************************************************/
1552
1553 BOOL nt_token_check_sid ( DOM_SID *sid, NT_USER_TOKEN *token )
1554 {
1555 int i;
1556
1557 if ( !sid || !token )
1558 return False;
1559
1560 for ( i=0; i<token->num_sids; i++ ) {
1561 if ( sid_equal( sid, &token->user_sids[i] ) )
1562 return True;
1563 }
1564
1565 return False;
1566 }
1567
1568 BOOL nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid )
1569 {
1570 DOM_SID domain_sid;
1571
1572 /* if we are a domain member, the get the domain SID, else for
1573 a DC or standalone server, use our own SID */
1574
1575 if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
1576 if ( !secrets_fetch_domain_sid( lp_workgroup(), &domain_sid ) ) {
1577 DEBUG(1,("nt_token_check_domain_rid: Cannot lookup SID for domain [%s]\n",
1578 lp_workgroup()));
1579 return False;
1580 }
1581 }
1582 else
1583 sid_copy( &domain_sid, get_global_sam_sid() );
1584
1585 sid_append_rid( &domain_sid, rid );
1586
1587 return nt_token_check_sid( &domain_sid, token );\
1588 }
1589
1590 /**
1591 * Verify whether or not given domain is trusted.
1592 *
1593 * @param domain_name name of the domain to be verified
1594 * @return true if domain is one of the trusted once or
1595 * false if otherwise
1596 **/
1597
1598 BOOL is_trusted_domain(const char* dom_name)
1599 {
1600 DOM_SID trustdom_sid;
1601 char *pass = NULL;
1602 time_t lct;
1603 BOOL ret;
1604
1605 /* no trusted domains for a standalone server */
1606
1607 if ( lp_server_role() == ROLE_STANDALONE )
1608 return False;
1609
1610 /* if we are a DC, then check for a direct trust relationships */
1611
1612 if ( IS_DC ) {
1613 become_root();
1614 DEBUG (5,("is_trusted_domain: Checking for domain trust with [%s]\n",
1615 dom_name ));
1616 ret = secrets_fetch_trusted_domain_password(dom_name, &pass, &trustdom_sid, &lct);
1617 unbecome_root();
1618 SAFE_FREE(pass);
1619 if (ret)
1620 return True;
1621 }
1622 else {
1623 NSS_STATUS result;
1624
1625 /* If winbind is around, ask it */
1626
1627 result = wb_is_trusted_domain(dom_name);
1628
1629 if (result == NSS_STATUS_SUCCESS) {
1630 return True;
1631 }
1632
1633 if (result == NSS_STATUS_NOTFOUND) {
1634 /* winbind could not find the domain */
1635 return False;
1636 }
1637
1638 /* The only other possible result is that winbind is not up
1639 and running. We need to update the trustdom_cache
1640 ourselves */
1641
1642 update_trustdom_cache();
1643 }
1644
1645 /* now the trustdom cache should be available a DC could still
1646 * have a transitive trust so fall back to the cache of trusted
1647 * domains (like a domain member would use */
1648
1649 if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) {
1650 return True;
1651 }
1652
1653 return False;
1654 }
1655
Samba GIT mirror