search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:lib/fncall: make use of tevent_req_set_cleanup_fn()
[Samba.git] / source3 / auth / auth_domain.c
blob937841c29cc1952bb78d3aa23a301d10392ea47b
1 /*
2 Unix SMB/CIFS implementation.
3 Authenticate against a remote domain
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "auth.h"
23 #include "../libcli/auth/libcli_auth.h"
24 #include "../librpc/gen_ndr/ndr_netlogon.h"
25 #include "rpc_client/cli_pipe.h"
26 #include "rpc_client/cli_netlogon.h"
27 #include "secrets.h"
28 #include "passdb.h"
29 #include "libsmb/libsmb.h"
30 #include "libcli/auth/netlogon_creds_cli.h"
31
32 #undef DBGC_CLASS
33 #define DBGC_CLASS DBGC_AUTH
34
35 static struct named_mutex *mutex;
36
37 /**
38 * Connect to a remote server for (inter)domain security authenticaion.
39 *
40 * @param cli the cli to return containing the active connection
41 * @param server either a machine name or text IP address to
42 * connect to.
43 * @param setup_creds_as domain account to setup credentials as
44 * @param sec_chan a switch value to distinguish between domain
45 * member and interdomain authentication
46 * @param trust_passwd the trust password to establish the
47 * credentials with.
48 *
49 **/
50
51 static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
52 const char *domain,
53 const char *dc_name,
54 const struct sockaddr_storage *dc_ss,
55 struct rpc_pipe_client **pipe_ret,
56 struct netlogon_creds_cli_context **creds_ret)
57 {
58 TALLOC_CTX *frame = talloc_stackframe();
59 struct messaging_context *msg_ctx = server_messaging_context();
60 NTSTATUS result;
61 struct cli_state *cli = NULL;
62 struct rpc_pipe_client *netlogon_pipe = NULL;
63 struct netlogon_creds_cli_context *netlogon_creds = NULL;
64 struct netlogon_creds_CredentialState *creds = NULL;
65 uint32_t netlogon_flags = 0;
66 enum netr_SchannelType sec_chan_type = 0;
67 const char *_account_name = NULL;
68 const char *account_name = NULL;
69 struct samr_Password current_nt_hash;
70 struct samr_Password *previous_nt_hash = NULL;
71 bool ok;
72
73 *cli_ret = NULL;
74
75 *pipe_ret = NULL;
76 *creds_ret = NULL;
77
78 /* TODO: Send a SAMLOGON request to determine whether this is a valid
79 logonserver. We can avoid a 30-second timeout if the DC is down
80 if the SAMLOGON request fails as it is only over UDP. */
81
82 /* we use a mutex to prevent two connections at once - when a
83 Win2k PDC get two connections where one hasn't completed a
84 session setup yet it will send a TCP reset to the first
85 connection (tridge) */
86
87 /*
88 * With NT4.x DC's *all* authentication must be serialized to avoid
89 * ACCESS_DENIED errors if 2 auths are done from the same machine. JRA.
90 */
91
92 mutex = grab_named_mutex(NULL, dc_name, 10);
93 if (mutex == NULL) {
94 TALLOC_FREE(frame);
95 return NT_STATUS_NO_LOGON_SERVERS;
96 }
97
98 /* Attempt connection */
99 result = cli_full_connection(&cli, lp_netbios_name(), dc_name, dc_ss, 0,
100 "IPC$", "IPC", "", "", "", 0, SMB_SIGNING_DEFAULT);
101
102 if (!NT_STATUS_IS_OK(result)) {
103 /* map to something more useful */
104 if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) {
105 result = NT_STATUS_NO_LOGON_SERVERS;
106 }
107
108 TALLOC_FREE(mutex);
109 TALLOC_FREE(frame);
110 return result;
111 }
112
113 /*
114 * We now have an anonymous connection to IPC$ on the domain password server.
115 */
116
117 ok = get_trust_pw_hash(domain,
118 current_nt_hash.hash,
119 &_account_name,
120 &sec_chan_type);
121 if (!ok) {
122 cli_shutdown(cli);
123 TALLOC_FREE(mutex);
124 TALLOC_FREE(frame);
125 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
126 }
127
128 account_name = talloc_asprintf(talloc_tos(), "%s$", _account_name);
129 if (account_name == NULL) {
130 cli_shutdown(cli);
131 TALLOC_FREE(mutex);
132 TALLOC_FREE(frame);
133 return NT_STATUS_NO_MEMORY;
134 }
135
136 result = rpccli_create_netlogon_creds(dc_name,
137 domain,
138 account_name,
139 sec_chan_type,
140 msg_ctx,
141 talloc_tos(),
142 &netlogon_creds);
143 if (!NT_STATUS_IS_OK(result)) {
144 cli_shutdown(cli);
145 TALLOC_FREE(mutex);
146 TALLOC_FREE(frame);
147 SAFE_FREE(previous_nt_hash);
148 return result;
149 }
150
151 result = rpccli_setup_netlogon_creds(cli,
152 netlogon_creds,
153 false, /* force_reauth */
154 current_nt_hash,
155 previous_nt_hash);
156 SAFE_FREE(previous_nt_hash);
157 if (!NT_STATUS_IS_OK(result)) {
158 cli_shutdown(cli);
159 TALLOC_FREE(mutex);
160 TALLOC_FREE(frame);
161 return result;
162 }
163
164 result = netlogon_creds_cli_get(netlogon_creds,
165 talloc_tos(),
166 &creds);
167 if (!NT_STATUS_IS_OK(result)) {
168 cli_shutdown(cli);
169 TALLOC_FREE(mutex);
170 TALLOC_FREE(frame);
171 return result;
172 }
173 netlogon_flags = creds->negotiate_flags;
174 TALLOC_FREE(creds);
175
176 if (netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC) {
177 result = cli_rpc_pipe_open_schannel_with_key(
178 cli, &ndr_table_netlogon, NCACN_NP,
179 domain, netlogon_creds, &netlogon_pipe);
180 } else {
181 result = cli_rpc_pipe_open_noauth(cli,
182 &ndr_table_netlogon,
183 &netlogon_pipe);
184 }
185
186 if (!NT_STATUS_IS_OK(result)) {
187 DEBUG(0,("connect_to_domain_password_server: "
188 "unable to open the domain client session to "
189 "machine %s. Flags[0x%08X] Error was : %s.\n",
190 dc_name, (unsigned)netlogon_flags,
191 nt_errstr(result)));
192 cli_shutdown(cli);
193 TALLOC_FREE(mutex);
194 TALLOC_FREE(frame);
195 return result;
196 }
197
198 if(!netlogon_pipe) {
199 DEBUG(0, ("connect_to_domain_password_server: unable to open "
200 "the domain client session to machine %s. Error "
201 "was : %s.\n", dc_name, nt_errstr(result)));
202 cli_shutdown(cli);
203 TALLOC_FREE(mutex);
204 TALLOC_FREE(frame);
205 return NT_STATUS_NO_LOGON_SERVERS;
206 }
207
208 /* We exit here with the mutex *locked*. JRA */
209
210 *cli_ret = cli;
211 *pipe_ret = netlogon_pipe;
212 *creds_ret = netlogon_creds;
213
214 TALLOC_FREE(frame);
215 return NT_STATUS_OK;
216 }
217
218 /***********************************************************************
219 Do the same as security=server, but using NT Domain calls and a session
220 key from the machine password. If the server parameter is specified
221 use it, otherwise figure out a server from the 'password server' param.
222 ************************************************************************/
223
224 static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
225 const struct auth_usersupplied_info *user_info,
226 const char *domain,
227 uchar chal[8],
228 struct auth_serversupplied_info **server_info,
229 const char *dc_name,
230 const struct sockaddr_storage *dc_ss)
231
232 {
233 struct netr_SamInfo3 *info3 = NULL;
234 struct cli_state *cli = NULL;
235 struct rpc_pipe_client *netlogon_pipe = NULL;
236 struct netlogon_creds_cli_context *netlogon_creds = NULL;
237 NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS;
238 int i;
239 uint8_t authoritative = 0;
240 uint32_t flags = 0;
241
242 /*
243 * At this point, smb_apasswd points to the lanman response to
244 * the challenge in local_challenge, and smb_ntpasswd points to
245 * the NT response to the challenge in local_challenge. Ship
246 * these over the secure channel to a domain controller and
247 * see if they were valid.
248 */
249
250 /* rety loop for robustness */
251
252 for (i = 0; !NT_STATUS_IS_OK(nt_status) && (i < 3); i++) {
253 nt_status = connect_to_domain_password_server(&cli,
254 domain,
255 dc_name,
256 dc_ss,
257 &netlogon_pipe,
258 &netlogon_creds);
259 }
260
261 if ( !NT_STATUS_IS_OK(nt_status) ) {
262 DEBUG(0,("domain_client_validate: Domain password server not available.\n"));
263 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) {
264 return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
265 }
266 return nt_status;
267 }
268
269 /* store a successful connection */
270
271 saf_store(domain, dc_name);
272
273 /*
274 * If this call succeeds, we now have lots of info about the user
275 * in the info3 structure.
276 */
277
278 nt_status = rpccli_netlogon_network_logon(netlogon_creds,
279 netlogon_pipe->binding_handle,
280 mem_ctx,
281 user_info->logon_parameters, /* flags such as 'allow workstation logon' */
282 user_info->client.account_name, /* user name logging on. */
283 user_info->client.domain_name, /* domain name */
284 user_info->workstation_name, /* workstation name */
285 chal, /* 8 byte challenge. */
286 user_info->password.response.lanman, /* lanman 24 byte response */
287 user_info->password.response.nt, /* nt 24 byte response */
288 &authoritative,
289 &flags,
290 &info3); /* info3 out */
291
292 /* Let go as soon as possible so we avoid any potential deadlocks
293 with winbind lookup up users or groups. */
294
295 TALLOC_FREE(mutex);
296
297 if (!NT_STATUS_IS_OK(nt_status)) {
298 DEBUG(0,("domain_client_validate: unable to validate password "
299 "for user %s in domain %s to Domain controller %s. "
300 "Error was %s.\n", user_info->client.account_name,
301 user_info->client.domain_name, dc_name,
302 nt_errstr(nt_status)));
303
304 /* map to something more useful */
305 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_UNSUCCESSFUL)) {
306 nt_status = NT_STATUS_NO_LOGON_SERVERS;
307 }
308 } else {
309 nt_status = make_server_info_info3(mem_ctx,
310 user_info->client.account_name,
311 domain,
312 server_info,
313 info3);
314
315 if (NT_STATUS_IS_OK(nt_status)) {
316 (*server_info)->nss_token |= user_info->was_mapped;
317 netsamlogon_cache_store(user_info->client.account_name, info3);
318 TALLOC_FREE(info3);
319 }
320 }
321
322 /* Note - once the cli stream is shutdown the mem_ctx used
323 to allocate the other_sids and gids structures has been deleted - so
324 these pointers are no longer valid..... */
325
326 cli_shutdown(cli);
327 return nt_status;
328 }
329
330 /****************************************************************************
331 Check for a valid username and password in security=domain mode.
332 ****************************************************************************/
333
334 static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context,
335 void *my_private_data,
336 TALLOC_CTX *mem_ctx,
337 const struct auth_usersupplied_info *user_info,
338 struct auth_serversupplied_info **server_info)
339 {
340 NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
341 const char *domain = lp_workgroup();
342 fstring dc_name;
343 struct sockaddr_storage dc_ss;
344
345 if ( lp_server_role() != ROLE_DOMAIN_MEMBER ) {
346 DEBUG(0,("check_ntdomain_security: Configuration error! Cannot use "
347 "ntdomain auth method when not a member of a domain.\n"));
348 return NT_STATUS_NOT_IMPLEMENTED;
349 }
350
351 if (!user_info || !server_info || !auth_context) {
352 DEBUG(1,("check_ntdomain_security: Critical variables not present. Failing.\n"));
353 return NT_STATUS_INVALID_PARAMETER;
354 }
355
356 DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));
357
358 /*
359 * Check that the requested domain is not our own machine name.
360 * If it is, we should never check the PDC here, we use our own local
361 * password file.
362 */
363
364 if(strequal(get_global_sam_name(), user_info->mapped.domain_name)) {
365 DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n"));
366 return NT_STATUS_NOT_IMPLEMENTED;
367 }
368
369 /* we need our DC to send the net_sam_logon() request to */
370
371 if ( !get_dc_name(domain, NULL, dc_name, &dc_ss) ) {
372 DEBUG(5,("check_ntdomain_security: unable to locate a DC for domain %s\n",
373 user_info->mapped.domain_name));
374 return NT_STATUS_NO_LOGON_SERVERS;
375 }
376
377 nt_status = domain_client_validate(mem_ctx,
378 user_info,
379 domain,
380 (uchar *)auth_context->challenge.data,
381 server_info,
382 dc_name,
383 &dc_ss);
384
385 return nt_status;
386 }
387
388 /* module initialisation */
389 static NTSTATUS auth_init_ntdomain(struct auth_context *auth_context, const char* param, auth_methods **auth_method)
390 {
391 struct auth_methods *result;
392
393 result = talloc_zero(auth_context, struct auth_methods);
394 if (result == NULL) {
395 return NT_STATUS_NO_MEMORY;
396 }
397 result->name = "ntdomain";
398 result->auth = check_ntdomain_security;
399
400 *auth_method = result;
401 return NT_STATUS_OK;
402 }
403
404
405 /****************************************************************************
406 Check for a valid username and password in a trusted domain
407 ****************************************************************************/
408
409 static NTSTATUS check_trustdomain_security(const struct auth_context *auth_context,
410 void *my_private_data,
411 TALLOC_CTX *mem_ctx,
412 const struct auth_usersupplied_info *user_info,
413 struct auth_serversupplied_info **server_info)
414 {
415 NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
416 fstring dc_name;
417 struct sockaddr_storage dc_ss;
418
419 if (!user_info || !server_info || !auth_context) {
420 DEBUG(1,("check_trustdomain_security: Critical variables not present. Failing.\n"));
421 return NT_STATUS_INVALID_PARAMETER;
422 }
423
424 DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));
425
426 /*
427 * Check that the requested domain is not our own machine name or domain name.
428 */
429
430 if( strequal(get_global_sam_name(), user_info->mapped.domain_name)) {
431 DEBUG(3,("check_trustdomain_security: Requested domain [%s] was for this machine.\n",
432 user_info->mapped.domain_name));
433 return NT_STATUS_NOT_IMPLEMENTED;
434 }
435
436 /* No point is bothering if this is not a trusted domain.
437 This return makes "map to guest = bad user" work again.
438 The logic is that if we know nothing about the domain, that
439 user is not known to us and does not exist */
440
441 if ( !is_trusted_domain( user_info->mapped.domain_name ) )
442 return NT_STATUS_NOT_IMPLEMENTED;
443
444 /* use get_dc_name() for consistency even through we know that it will be
445 a netbios name */
446
447 if ( !get_dc_name(user_info->mapped.domain_name, NULL, dc_name, &dc_ss) ) {
448 DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n",
449 user_info->mapped.domain_name));
450 return NT_STATUS_NO_LOGON_SERVERS;
451 }
452
453 nt_status = domain_client_validate(mem_ctx,
454 user_info,
455 user_info->mapped.domain_name,
456 (uchar *)auth_context->challenge.data,
457 server_info,
458 dc_name,
459 &dc_ss);
460
461 return nt_status;
462 }
463
464 /* module initialisation */
465 static NTSTATUS auth_init_trustdomain(struct auth_context *auth_context, const char* param, auth_methods **auth_method)
466 {
467 struct auth_methods *result;
468
469 result = talloc_zero(auth_context, struct auth_methods);
470 if (result == NULL) {
471 return NT_STATUS_NO_MEMORY;
472 }
473 result->name = "trustdomain";
474 result->auth = check_trustdomain_security;
475
476 *auth_method = result;
477 return NT_STATUS_OK;
478 }
479
480 NTSTATUS auth_domain_init(void)
481 {
482 smb_register_auth(AUTH_INTERFACE_VERSION, "trustdomain", auth_init_trustdomain);
483 smb_register_auth(AUTH_INTERFACE_VERSION, "ntdomain", auth_init_ntdomain);
484 return NT_STATUS_OK;
485 }
Samba GIT mirror