2 Unix SMB/CIFS implementation.
4 Winbind authentication mechnism
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Andrew Bartlett 2001 - 2002
8 Copyright (C) Stefan Metzmacher 2005
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../lib/util/tevent_ntstatus.h"
27 #include "auth/auth.h"
28 #include "auth/ntlm/auth_proto.h"
29 #include "librpc/gen_ndr/ndr_winbind_c.h"
30 #include "lib/messaging/irpc.h"
31 #include "param/param.h"
32 #include "nsswitch/libwbclient/wbclient.h"
33 #include "auth/auth_sam_reply.h"
34 #include "libcli/security/security.h"
35 #include "dsdb/samdb/samdb.h"
36 #include "auth/auth_sam.h"
38 _PUBLIC_ NTSTATUS
auth4_winbind_init(TALLOC_CTX
*);
40 static NTSTATUS
winbind_want_check(struct auth_method_context
*ctx
,
42 const struct auth_usersupplied_info
*user_info
)
44 if (!user_info
->mapped
.account_name
|| !*user_info
->mapped
.account_name
) {
45 return NT_STATUS_NOT_IMPLEMENTED
;
48 /* TODO: maybe limit the user scope to remote users only */
52 struct winbind_check_password_state
{
53 struct auth_method_context
*ctx
;
54 const struct auth_usersupplied_info
*user_info
;
55 struct winbind_SamLogon req
;
56 struct auth_user_info_dc
*user_info_dc
;
60 static void winbind_check_password_done(struct tevent_req
*subreq
);
63 Authenticate a user with a challenge/response
64 using IRPC to the winbind task
66 static struct tevent_req
*winbind_check_password_send(TALLOC_CTX
*mem_ctx
,
67 struct tevent_context
*ev
,
68 struct auth_method_context
*ctx
,
69 const struct auth_usersupplied_info
*user_info
)
71 struct tevent_req
*req
= NULL
;
72 struct winbind_check_password_state
*state
= NULL
;
74 struct dcerpc_binding_handle
*irpc_handle
;
75 const struct auth_usersupplied_info
*user_info_new
;
76 struct netr_IdentityInfo
*identity_info
;
77 struct imessaging_context
*msg_ctx
;
78 struct tevent_req
*subreq
= NULL
;
80 req
= tevent_req_create(mem_ctx
, &state
,
81 struct winbind_check_password_state
);
86 state
->user_info
= user_info
;
87 state
->authoritative
= true;
89 msg_ctx
= imessaging_client_init(state
, ctx
->auth_ctx
->lp_ctx
, ev
);
90 if (msg_ctx
== NULL
) {
91 DEBUG(1, ("imessaging_init failed\n"));
92 tevent_req_nterror(req
, NT_STATUS_INVALID_SERVER_STATE
);
93 return tevent_req_post(req
, ev
);
96 irpc_handle
= irpc_binding_handle_by_name(state
, msg_ctx
,
99 if (irpc_handle
== NULL
) {
100 DEBUG(0, ("Winbind authentication for [%s]\\[%s] failed, "
101 "no winbind_server running!\n",
102 user_info
->client
.domain_name
, user_info
->client
.account_name
));
103 tevent_req_nterror(req
, NT_STATUS_NO_LOGON_SERVERS
);
104 return tevent_req_post(req
, ev
);
108 * 120 seconds should be enough even for trusted domains.
110 * Currently winbindd has a much lower limit.
111 * And tests with Windows RODCs show that it
112 * returns NO_LOGON_SERVERS after 90-100 seconds
113 * if it can't reach any RWDC.
115 dcerpc_binding_handle_set_timeout(irpc_handle
, 120);
117 if (user_info
->flags
& USER_INFO_INTERACTIVE_LOGON
) {
118 struct netr_PasswordInfo
*password_info
;
120 status
= encrypt_user_info(state
, ctx
->auth_ctx
, AUTH_PASSWORD_HASH
,
121 user_info
, &user_info_new
);
122 if (tevent_req_nterror(req
, status
)) {
123 return tevent_req_post(req
, ev
);
125 user_info
= user_info_new
;
127 password_info
= talloc_zero(state
, struct netr_PasswordInfo
);
128 if (tevent_req_nomem(password_info
, req
)) {
129 return tevent_req_post(req
, ev
);
132 password_info
->lmpassword
= *user_info
->password
.hash
.lanman
;
133 password_info
->ntpassword
= *user_info
->password
.hash
.nt
;
135 identity_info
= &password_info
->identity_info
;
136 state
->req
.in
.logon_level
= 1;
137 state
->req
.in
.logon
.password
= password_info
;
139 struct netr_NetworkInfo
*network_info
;
142 status
= encrypt_user_info(state
, ctx
->auth_ctx
, AUTH_PASSWORD_RESPONSE
,
143 user_info
, &user_info_new
);
144 if (tevent_req_nterror(req
, status
)) {
145 return tevent_req_post(req
, ev
);
147 user_info
= user_info_new
;
149 network_info
= talloc_zero(state
, struct netr_NetworkInfo
);
150 if (tevent_req_nomem(network_info
, req
)) {
151 return tevent_req_post(req
, ev
);
154 status
= auth_get_challenge(ctx
->auth_ctx
, chal
);
155 if (tevent_req_nterror(req
, status
)) {
156 return tevent_req_post(req
, ev
);
159 memcpy(network_info
->challenge
, chal
, sizeof(network_info
->challenge
));
161 network_info
->nt
.length
= user_info
->password
.response
.nt
.length
;
162 network_info
->nt
.data
= user_info
->password
.response
.nt
.data
;
164 network_info
->lm
.length
= user_info
->password
.response
.lanman
.length
;
165 network_info
->lm
.data
= user_info
->password
.response
.lanman
.data
;
167 identity_info
= &network_info
->identity_info
;
168 state
->req
.in
.logon_level
= 2;
169 state
->req
.in
.logon
.network
= network_info
;
172 identity_info
->domain_name
.string
= user_info
->client
.domain_name
;
173 identity_info
->parameter_control
= user_info
->logon_parameters
; /* see MSV1_0_* */
174 identity_info
->logon_id_low
= 0;
175 identity_info
->logon_id_high
= 0;
176 identity_info
->account_name
.string
= user_info
->client
.account_name
;
177 identity_info
->workstation
.string
= user_info
->workstation_name
;
179 state
->req
.in
.validation_level
= 3;
181 subreq
= dcerpc_winbind_SamLogon_r_send(state
, ev
, irpc_handle
,
183 if (tevent_req_nomem(subreq
, req
)) {
184 return tevent_req_post(req
, ev
);
186 tevent_req_set_callback(subreq
,
187 winbind_check_password_done
,
193 static void winbind_check_password_done(struct tevent_req
*subreq
)
195 struct tevent_req
*req
=
196 tevent_req_callback_data(subreq
,
198 struct winbind_check_password_state
*state
=
200 struct winbind_check_password_state
);
201 struct auth_method_context
*ctx
= state
->ctx
;
202 const struct auth_usersupplied_info
*user_info
= state
->user_info
;
203 const char *account_name
= user_info
->mapped
.account_name
;
204 struct ldb_dn
*domain_dn
= NULL
;
205 struct ldb_message
*msg
= NULL
;
206 const char *p
= NULL
;
209 status
= dcerpc_winbind_SamLogon_r_recv(subreq
, state
);
210 if (NT_STATUS_EQUAL(status
, NT_STATUS_IO_TIMEOUT
)) {
211 status
= NT_STATUS_NO_LOGON_SERVERS
;
214 if (tevent_req_nterror(req
, status
)) {
218 status
= state
->req
.out
.result
;
219 if (!NT_STATUS_IS_OK(status
)) {
220 if (!state
->req
.out
.authoritative
) {
221 state
->authoritative
= false;
223 tevent_req_nterror(req
, status
);
228 * At best, reset the badPwdCount to 0 if the account exists.
229 * This means that lockouts happen at a badPwdCount earlier than
230 * normal, but makes it more fault tolerant.
232 p
= strchr_m(account_name
, '@');
234 const char *nt4_domain
= NULL
;
235 const char *nt4_account
= NULL
;
237 status
= crack_name_to_nt4_name(state
,
238 ctx
->auth_ctx
->sam_ctx
,
239 DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL
,
241 &nt4_domain
, &nt4_account
);
242 if (NT_STATUS_IS_OK(status
) &&
243 lpcfg_is_mydomain(ctx
->auth_ctx
->lp_ctx
, nt4_domain
))
245 account_name
= nt4_account
;
249 domain_dn
= ldb_get_default_basedn(ctx
->auth_ctx
->sam_ctx
);
250 if (domain_dn
!= NULL
) {
251 status
= authsam_search_account(state
, ctx
->auth_ctx
->sam_ctx
,
252 account_name
, domain_dn
, &msg
);
253 if (NT_STATUS_IS_OK(status
)) {
254 authsam_logon_success_accounting(
255 ctx
->auth_ctx
->sam_ctx
, msg
,
257 user_info
->flags
& USER_INFO_INTERACTIVE_LOGON
,
262 status
= make_user_info_dc_netlogon_validation(state
,
263 user_info
->client
.account_name
,
264 state
->req
.in
.validation_level
,
265 &state
->req
.out
.validation
,
266 true, /* This user was authenticated */
267 &state
->user_info_dc
);
268 if (tevent_req_nterror(req
, status
)) {
272 tevent_req_done(req
);
275 static NTSTATUS
winbind_check_password_recv(struct tevent_req
*req
,
277 struct auth_user_info_dc
**user_info_dc
,
278 bool *pauthoritative
)
280 struct winbind_check_password_state
*state
=
282 struct winbind_check_password_state
);
283 NTSTATUS status
= NT_STATUS_OK
;
285 *pauthoritative
= state
->authoritative
;
287 if (tevent_req_is_nterror(req
, &status
)) {
288 tevent_req_received(req
);
292 *user_info_dc
= talloc_move(mem_ctx
, &state
->user_info_dc
);
294 tevent_req_received(req
);
298 static const struct auth_operations winbind_ops
= {
300 .want_check
= winbind_want_check
,
301 .check_password_send
= winbind_check_password_send
,
302 .check_password_recv
= winbind_check_password_recv
305 _PUBLIC_ NTSTATUS
auth4_winbind_init(TALLOC_CTX
*ctx
)
309 ret
= auth_register(ctx
, &winbind_ops
);
310 if (!NT_STATUS_IS_OK(ret
)) {
311 DEBUG(0,("Failed to register 'winbind' auth backend!\n"));