search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:torture: test setting EOF of a stream to 0 with enabled AAPL extensions
[Samba.git] / source3 / winbindd / winbindd_pam.c
blobbed5a940282157801729384ed288020911554e02
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon - pam auth funcions
5
6 Copyright (C) Andrew Tridgell 2000
7 Copyright (C) Tim Potter 2001
8 Copyright (C) Andrew Bartlett 2001-2002
9 Copyright (C) Guenther Deschner 2005
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 */
24
25 #include "includes.h"
26 #include "winbindd.h"
27 #include "libsmb/namequery.h"
28 #include "../libcli/auth/libcli_auth.h"
29 #include "../librpc/gen_ndr/ndr_samr_c.h"
30 #include "rpc_client/cli_pipe.h"
31 #include "rpc_client/cli_samr.h"
32 #include "../librpc/gen_ndr/ndr_netlogon.h"
33 #include "rpc_client/cli_netlogon.h"
34 #include "smb_krb5.h"
35 #include "../lib/crypto/arcfour.h"
36 #include "../libcli/security/security.h"
37 #include "ads.h"
38 #include "../librpc/gen_ndr/krb5pac.h"
39 #include "passdb/machine_sid.h"
40 #include "auth.h"
41 #include "../lib/tsocket/tsocket.h"
42 #include "auth/kerberos/pac_utils.h"
43 #include "auth/gensec/gensec.h"
44 #include "librpc/crypto/gse_krb5.h"
45 #include "lib/afs/afs_funcs.h"
46 #include "libsmb/samlogon_cache.h"
47 #include "rpc_client/util_netlogon.h"
48
49 #undef DBGC_CLASS
50 #define DBGC_CLASS DBGC_WINBIND
51
52 #define LOGON_KRB5_FAIL_CLOCK_SKEW 0x02000000
53
54 static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx,
55 struct winbindd_response *resp,
56 uint16_t validation_level,
57 union netr_Validation *validation)
58 {
59 struct netr_SamInfo3 *info3 = NULL;
60 char *ex = NULL;
61 uint32_t i;
62 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
63 TALLOC_CTX *frame = talloc_stackframe();
64
65 status = map_validation_to_info3(frame,
66 validation_level,
67 validation,
68 &info3);
69 if (!NT_STATUS_IS_OK(status)) {
70 goto out;
71 }
72
73 resp->data.auth.info3.logon_time =
74 nt_time_to_unix(info3->base.logon_time);
75 resp->data.auth.info3.logoff_time =
76 nt_time_to_unix(info3->base.logoff_time);
77 resp->data.auth.info3.kickoff_time =
78 nt_time_to_unix(info3->base.kickoff_time);
79 resp->data.auth.info3.pass_last_set_time =
80 nt_time_to_unix(info3->base.last_password_change);
81 resp->data.auth.info3.pass_can_change_time =
82 nt_time_to_unix(info3->base.allow_password_change);
83 resp->data.auth.info3.pass_must_change_time =
84 nt_time_to_unix(info3->base.force_password_change);
85
86 resp->data.auth.info3.logon_count = info3->base.logon_count;
87 resp->data.auth.info3.bad_pw_count = info3->base.bad_password_count;
88
89 resp->data.auth.info3.user_rid = info3->base.rid;
90 resp->data.auth.info3.group_rid = info3->base.primary_gid;
91 sid_to_fstring(resp->data.auth.info3.dom_sid, info3->base.domain_sid);
92
93 resp->data.auth.info3.num_groups = info3->base.groups.count;
94 resp->data.auth.info3.user_flgs = info3->base.user_flags;
95
96 resp->data.auth.info3.acct_flags = info3->base.acct_flags;
97 resp->data.auth.info3.num_other_sids = info3->sidcount;
98
99 fstrcpy(resp->data.auth.info3.user_name,
100 info3->base.account_name.string);
101 fstrcpy(resp->data.auth.info3.full_name,
102 info3->base.full_name.string);
103 fstrcpy(resp->data.auth.info3.logon_script,
104 info3->base.logon_script.string);
105 fstrcpy(resp->data.auth.info3.profile_path,
106 info3->base.profile_path.string);
107 fstrcpy(resp->data.auth.info3.home_dir,
108 info3->base.home_directory.string);
109 fstrcpy(resp->data.auth.info3.dir_drive,
110 info3->base.home_drive.string);
111
112 fstrcpy(resp->data.auth.info3.logon_srv,
113 info3->base.logon_server.string);
114 fstrcpy(resp->data.auth.info3.logon_dom,
115 info3->base.logon_domain.string);
116
117 resp->data.auth.validation_level = validation_level;
118 if (validation_level == 6) {
119 fstrcpy(resp->data.auth.info6.dns_domainname,
120 validation->sam6->dns_domainname.string);
121 fstrcpy(resp->data.auth.info6.principal_name,
122 validation->sam6->principal_name.string);
123 }
124
125 ex = talloc_strdup(frame, "");
126 if (ex == NULL) {
127 status = NT_STATUS_NO_MEMORY;
128 goto out;
129 }
130
131 for (i=0; i < info3->base.groups.count; i++) {
132 ex = talloc_asprintf_append_buffer(ex, "0x%08X:0x%08X\n",
133 info3->base.groups.rids[i].rid,
134 info3->base.groups.rids[i].attributes);
135 if (ex == NULL) {
136 status = NT_STATUS_NO_MEMORY;
137 goto out;
138 }
139 }
140
141 for (i=0; i < info3->sidcount; i++) {
142 char *sid;
143
144 sid = dom_sid_string(frame, info3->sids[i].sid);
145 if (sid == NULL) {
146 status = NT_STATUS_NO_MEMORY;
147 goto out;
148 }
149
150 ex = talloc_asprintf_append_buffer(ex, "%s:0x%08X\n",
151 sid,
152 info3->sids[i].attributes);
153 if (ex == NULL) {
154 status = NT_STATUS_NO_MEMORY;
155 goto out;
156 }
157 }
158
159 resp->length += talloc_get_size(ex);
160 resp->extra_data.data = talloc_move(mem_ctx, &ex);
161
162 status = NT_STATUS_OK;
163 out:
164 TALLOC_FREE(frame);
165 return status;
166 }
167
168 static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx,
169 struct winbindd_response *resp,
170 struct netr_SamInfo3 *info3)
171 {
172 DATA_BLOB blob;
173 enum ndr_err_code ndr_err;
174
175 ndr_err = ndr_push_struct_blob(&blob, mem_ctx, info3,
176 (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3);
177 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
178 DEBUG(0,("append_info3_as_ndr: failed to append\n"));
179 return ndr_map_error2ntstatus(ndr_err);
180 }
181
182 resp->extra_data.data = blob.data;
183 resp->length += blob.length;
184
185 return NT_STATUS_OK;
186 }
187
188 static NTSTATUS append_unix_username(TALLOC_CTX *mem_ctx,
189 struct winbindd_response *resp,
190 const struct netr_SamInfo3 *info3,
191 const char *name_domain,
192 const char *name_user)
193 {
194 /* We've been asked to return the unix username, per
195 'winbind use default domain' settings and the like */
196
197 const char *nt_username, *nt_domain, *unix_username;
198
199 nt_domain = talloc_strdup(mem_ctx, info3->base.logon_domain.string);
200 if (!nt_domain) {
201 /* If the server didn't give us one, just use the one
202 * we sent them */
203 nt_domain = name_domain;
204 }
205
206 nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
207 if (!nt_username) {
208 /* If the server didn't give us one, just use the one
209 * we sent them */
210 nt_username = name_user;
211 }
212
213 unix_username = fill_domain_username_talloc(mem_ctx,
214 nt_domain,
215 nt_username,
216 true);
217 if (unix_username == NULL) {
218 return NT_STATUS_NO_MEMORY;
219 }
220
221 fstrcpy(resp->data.auth.unix_username, unix_username);
222
223 DEBUG(5, ("Setting unix username to [%s]\n",
224 resp->data.auth.unix_username));
225
226 return NT_STATUS_OK;
227 }
228
229 static NTSTATUS append_afs_token(TALLOC_CTX *mem_ctx,
230 struct winbindd_response *resp,
231 const struct netr_SamInfo3 *info3,
232 const char *name_domain,
233 const char *name_user)
234 {
235 char *afsname = NULL;
236 char *cell;
237 char *token;
238
239 afsname = talloc_strdup(mem_ctx, lp_afs_username_map());
240 if (afsname == NULL) {
241 return NT_STATUS_NO_MEMORY;
242 }
243
244 afsname = talloc_string_sub(mem_ctx,
245 lp_afs_username_map(),
246 "%D", name_domain);
247 afsname = talloc_string_sub(mem_ctx, afsname,
248 "%u", name_user);
249 afsname = talloc_string_sub(mem_ctx, afsname,
250 "%U", name_user);
251
252 {
253 struct dom_sid user_sid;
254 fstring sidstr;
255
256 sid_compose(&user_sid, info3->base.domain_sid,
257 info3->base.rid);
258 sid_to_fstring(sidstr, &user_sid);
259 afsname = talloc_string_sub(mem_ctx, afsname,
260 "%s", sidstr);
261 }
262
263 if (afsname == NULL) {
264 return NT_STATUS_NO_MEMORY;
265 }
266
267 if (!strlower_m(afsname)) {
268 return NT_STATUS_INVALID_PARAMETER;
269 }
270
271 DEBUG(10, ("Generating token for user %s\n", afsname));
272
273 cell = strchr(afsname, '@');
274
275 if (cell == NULL) {
276 return NT_STATUS_NO_MEMORY;
277 }
278
279 *cell = '\0';
280 cell += 1;
281
282 token = afs_createtoken_str(afsname, cell);
283 if (token == NULL) {
284 return NT_STATUS_OK;
285 }
286 resp->extra_data.data = talloc_strdup(mem_ctx, token);
287 if (resp->extra_data.data == NULL) {
288 return NT_STATUS_NO_MEMORY;
289 }
290 resp->length += strlen((const char *)resp->extra_data.data)+1;
291
292 return NT_STATUS_OK;
293 }
294
295 static NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
296 const char *group_sid)
297 /**
298 * Check whether a user belongs to a group or list of groups.
299 *
300 * @param mem_ctx talloc memory context.
301 * @param info3 user information, including group membership info.
302 * @param group_sid One or more groups , separated by commas.
303 *
304 * @return NT_STATUS_OK on success,
305 * NT_STATUS_LOGON_FAILURE if the user does not belong,
306 * or other NT_STATUS_IS_ERR(status) for other kinds of failure.
307 */
308 {
309 struct dom_sid *require_membership_of_sid;
310 uint32_t num_require_membership_of_sid;
311 char *req_sid;
312 const char *p;
313 struct dom_sid sid;
314 size_t i;
315 struct security_token *token;
316 TALLOC_CTX *frame = talloc_stackframe();
317 NTSTATUS status;
318
319 /* Parse the 'required group' SID */
320
321 if (!group_sid || !group_sid[0]) {
322 /* NO sid supplied, all users may access */
323 TALLOC_FREE(frame);
324 return NT_STATUS_OK;
325 }
326
327 token = talloc_zero(talloc_tos(), struct security_token);
328 if (token == NULL) {
329 DEBUG(0, ("talloc failed\n"));
330 TALLOC_FREE(frame);
331 return NT_STATUS_NO_MEMORY;
332 }
333
334 num_require_membership_of_sid = 0;
335 require_membership_of_sid = NULL;
336
337 p = group_sid;
338
339 while (next_token_talloc(talloc_tos(), &p, &req_sid, ",")) {
340 if (!string_to_sid(&sid, req_sid)) {
341 DEBUG(0, ("check_info3_in_group: could not parse %s "
342 "as a SID!", req_sid));
343 TALLOC_FREE(frame);
344 return NT_STATUS_INVALID_PARAMETER;
345 }
346
347 status = add_sid_to_array(talloc_tos(), &sid,
348 &require_membership_of_sid,
349 &num_require_membership_of_sid);
350 if (!NT_STATUS_IS_OK(status)) {
351 DEBUG(0, ("add_sid_to_array failed\n"));
352 TALLOC_FREE(frame);
353 return status;
354 }
355 }
356
357 status = sid_array_from_info3(talloc_tos(), info3,
358 &token->sids,
359 &token->num_sids,
360 true);
361 if (!NT_STATUS_IS_OK(status)) {
362 TALLOC_FREE(frame);
363 return status;
364 }
365
366 if (!NT_STATUS_IS_OK(status = add_aliases(get_global_sam_sid(),
367 token))
368 || !NT_STATUS_IS_OK(status = add_aliases(&global_sid_Builtin,
369 token))) {
370 DEBUG(3, ("could not add aliases: %s\n",
371 nt_errstr(status)));
372 TALLOC_FREE(frame);
373 return status;
374 }
375
376 security_token_debug(DBGC_CLASS, 10, token);
377
378 for (i=0; i<num_require_membership_of_sid; i++) {
379 DEBUG(10, ("Checking SID %s\n", sid_string_dbg(
380 &require_membership_of_sid[i])));
381 if (nt_token_check_sid(&require_membership_of_sid[i],
382 token)) {
383 DEBUG(10, ("Access ok\n"));
384 TALLOC_FREE(frame);
385 return NT_STATUS_OK;
386 }
387 }
388
389 /* Do not distinguish this error from a wrong username/pw */
390
391 TALLOC_FREE(frame);
392 return NT_STATUS_LOGON_FAILURE;
393 }
394
395 struct winbindd_domain *find_auth_domain(uint8_t flags,
396 const char *domain_name)
397 {
398 struct winbindd_domain *domain;
399
400 if (IS_DC) {
401 domain = find_domain_from_name_noinit(domain_name);
402 if (domain == NULL) {
403 DEBUG(3, ("Authentication for domain [%s] refused "
404 "as it is not a trusted domain\n",
405 domain_name));
406 return NULL;
407 }
408
409 if (domain->secure_channel_type != SEC_CHAN_NULL) {
410 return domain;
411 }
412
413 return domain->routing_domain;
414 }
415
416 if (strequal(domain_name, get_global_sam_name())) {
417 return find_domain_from_name_noinit(domain_name);
418 }
419
420 /* we can auth against trusted domains */
421 if (flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
422 domain = find_domain_from_name_noinit(domain_name);
423 if (domain == NULL) {
424 DEBUG(3, ("Authentication for domain [%s] skipped "
425 "as it is not a trusted domain\n",
426 domain_name));
427 } else {
428 return domain;
429 }
430 }
431
432 return find_our_domain();
433 }
434
435 static void fake_password_policy(struct winbindd_response *r,
436 const struct netr_SamBaseInfo *bi)
437 {
438 NTTIME min_password_age;
439 NTTIME max_password_age;
440
441 if (bi->allow_password_change > bi->last_password_change) {
442 min_password_age = bi->allow_password_change -
443 bi->last_password_change;
444 } else {
445 min_password_age = 0;
446 }
447
448 if (bi->force_password_change > bi->last_password_change) {
449 max_password_age = bi->force_password_change -
450 bi->last_password_change;
451 } else {
452 max_password_age = 0;
453 }
454
455 r->data.auth.policy.min_length_password = 0;
456 r->data.auth.policy.password_history = 0;
457 r->data.auth.policy.password_properties = 0;
458 r->data.auth.policy.expire =
459 nt_time_to_unix_abs(&max_password_age);
460 r->data.auth.policy.min_passwordage =
461 nt_time_to_unix_abs(&min_password_age);
462 }
463
464 static void fill_in_password_policy(struct winbindd_response *r,
465 const struct samr_DomInfo1 *p)
466 {
467 r->data.auth.policy.min_length_password =
468 p->min_password_length;
469 r->data.auth.policy.password_history =
470 p->password_history_length;
471 r->data.auth.policy.password_properties =
472 p->password_properties;
473 r->data.auth.policy.expire =
474 nt_time_to_unix_abs((const NTTIME *)&(p->max_password_age));
475 r->data.auth.policy.min_passwordage =
476 nt_time_to_unix_abs((const NTTIME *)&(p->min_password_age));
477 }
478
479 static NTSTATUS fillup_password_policy(struct winbindd_domain *domain,
480 struct winbindd_response *response)
481 {
482 TALLOC_CTX *frame = talloc_stackframe();
483 NTSTATUS status;
484 struct samr_DomInfo1 password_policy;
485
486 if ( !winbindd_can_contact_domain( domain ) ) {
487 DEBUG(5,("fillup_password_policy: No inbound trust to "
488 "contact domain %s\n", domain->name));
489 status = NT_STATUS_NOT_SUPPORTED;
490 goto done;
491 }
492
493 status = wb_cache_password_policy(domain, talloc_tos(),
494 &password_policy);
495 if (NT_STATUS_IS_ERR(status)) {
496 goto done;
497 }
498
499 fill_in_password_policy(response, &password_policy);
500
501 done:
502 TALLOC_FREE(frame);
503 return NT_STATUS_OK;
504 }
505
506 static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain *domain,
507 TALLOC_CTX *mem_ctx,
508 uint16_t *lockout_threshold)
509 {
510 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
511 struct samr_DomInfo12 lockout_policy;
512
513 *lockout_threshold = 0;
514
515 status = wb_cache_lockout_policy(domain, mem_ctx, &lockout_policy);
516 if (NT_STATUS_IS_ERR(status)) {
517 return status;
518 }
519
520 *lockout_threshold = lockout_policy.lockout_threshold;
521
522 return NT_STATUS_OK;
523 }
524
525 static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
526 TALLOC_CTX *mem_ctx,
527 uint32_t *password_properties)
528 {
529 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
530 struct samr_DomInfo1 password_policy;
531
532 *password_properties = 0;
533
534 status = wb_cache_password_policy(domain, mem_ctx, &password_policy);
535 if (NT_STATUS_IS_ERR(status)) {
536 return status;
537 }
538
539 *password_properties = password_policy.password_properties;
540
541 return NT_STATUS_OK;
542 }
543
544 #ifdef HAVE_KRB5
545
546 static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
547 const char *type,
548 uid_t uid,
549 const char **user_ccache_file)
550 {
551 /* accept FILE and WRFILE as krb5_cc_type from the client and then
552 * build the full ccname string based on the user's uid here -
553 * Guenther*/
554
555 const char *gen_cc = NULL;
556
557 if (uid != -1) {
558 if (strequal(type, "FILE")) {
559 gen_cc = talloc_asprintf(
560 mem_ctx, "FILE:/tmp/krb5cc_%d", uid);
561 }
562 if (strequal(type, "WRFILE")) {
563 gen_cc = talloc_asprintf(
564 mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
565 }
566 if (strequal(type, "KEYRING")) {
567 gen_cc = talloc_asprintf(
568 mem_ctx, "KEYRING:persistent:%d", uid);
569 }
570
571 if (strnequal(type, "FILE:/", 6) ||
572 strnequal(type, "WRFILE:/", 8) ||
573 strnequal(type, "DIR:/", 5)) {
574
575 /* we allow only one "%u" substitution */
576
577 char *p;
578
579 p = strchr(type, '%');
580 if (p != NULL) {
581
582 p++;
583
584 if (p != NULL && *p == 'u' && strchr(p, '%') == NULL) {
585 char uid_str[sizeof("18446744073709551615")];
586
587 snprintf(uid_str, sizeof(uid_str), "%u", uid);
588
589 gen_cc = talloc_string_sub2(mem_ctx,
590 type,
591 "%u",
592 uid_str,
593 /* remove_unsafe_characters */
594 false,
595 /* replace_once */
596 true,
597 /* allow_trailing_dollar */
598 false);
599 }
600 }
601 }
602 }
603
604 *user_ccache_file = gen_cc;
605
606 if (gen_cc == NULL) {
607 gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbindd_pam_ccache");
608 }
609 if (gen_cc == NULL) {
610 DEBUG(0,("out of memory\n"));
611 return NULL;
612 }
613
614 DEBUG(10, ("using ccache: %s%s\n", gen_cc,
615 (*user_ccache_file == NULL) ? " (internal)":""));
616
617 return gen_cc;
618 }
619
620 #endif
621
622 uid_t get_uid_from_request(struct winbindd_request *request)
623 {
624 uid_t uid;
625
626 uid = request->data.auth.uid;
627
628 if (uid == (uid_t)-1) {
629 DEBUG(1,("invalid uid: '%u'\n", (unsigned int)uid));
630 return -1;
631 }
632 return uid;
633 }
634
635 /**********************************************************************
636 Authenticate a user with a clear text password using Kerberos and fill up
637 ccache if required
638 **********************************************************************/
639
640 static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
641 struct winbindd_domain *domain,
642 const char *user,
643 const char *pass,
644 const char *krb5_cc_type,
645 uid_t uid,
646 struct netr_SamInfo6 **info6,
647 fstring krb5ccname)
648 {
649 #ifdef HAVE_KRB5
650 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
651 krb5_error_code krb5_ret;
652 const char *cc = NULL;
653 const char *principal_s = NULL;
654 const char *service = NULL;
655 char *realm = NULL;
656 fstring name_namespace, name_domain, name_user;
657 time_t ticket_lifetime = 0;
658 time_t renewal_until = 0;
659 ADS_STRUCT *ads;
660 time_t time_offset = 0;
661 const char *user_ccache_file;
662 struct PAC_LOGON_INFO *logon_info = NULL;
663 struct PAC_UPN_DNS_INFO *upn_dns_info = NULL;
664 struct PAC_DATA *pac_data = NULL;
665 struct PAC_DATA_CTR *pac_data_ctr = NULL;
666 const char *local_service;
667 uint32_t i;
668 struct netr_SamInfo6 *info6_copy = NULL;
669 bool ok;
670
671 *info6 = NULL;
672
673 if (domain->alt_name == NULL) {
674 return NT_STATUS_INVALID_PARAMETER;
675 }
676
677 /* 1st step:
678 * prepare a krb5_cc_cache string for the user */
679
680 if (uid == -1) {
681 DEBUG(0,("no valid uid\n"));
682 }
683
684 cc = generate_krb5_ccache(mem_ctx,
685 krb5_cc_type,
686 uid,
687 &user_ccache_file);
688 if (cc == NULL) {
689 return NT_STATUS_NO_MEMORY;
690 }
691
692
693 /* 2nd step:
694 * get kerberos properties */
695
696 if (domain->private_data) {
697 ads = (ADS_STRUCT *)domain->private_data;
698 time_offset = ads->auth.time_offset;
699 }
700
701
702 /* 3rd step:
703 * do kerberos auth and setup ccache as the user */
704
705 ok = parse_domain_user(user, name_namespace, name_domain, name_user);
706 if (!ok) {
707 return NT_STATUS_INVALID_PARAMETER;
708 }
709
710 realm = talloc_strdup(mem_ctx, domain->alt_name);
711 if (realm == NULL) {
712 return NT_STATUS_NO_MEMORY;
713 }
714
715 if (!strupper_m(realm)) {
716 return NT_STATUS_INVALID_PARAMETER;
717 }
718
719 principal_s = talloc_asprintf(mem_ctx, "%s@%s", name_user, realm);
720 if (principal_s == NULL) {
721 return NT_STATUS_NO_MEMORY;
722 }
723
724 service = talloc_asprintf(mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
725 if (service == NULL) {
726 return NT_STATUS_NO_MEMORY;
727 }
728
729 local_service = talloc_asprintf(mem_ctx, "%s$@%s",
730 lp_netbios_name(), lp_realm());
731 if (local_service == NULL) {
732 return NT_STATUS_NO_MEMORY;
733 }
734
735
736 /* if this is a user ccache, we need to act as the user to let the krb5
737 * library handle the chown, etc. */
738
739 /************************ ENTERING NON-ROOT **********************/
740
741 if (user_ccache_file != NULL) {
742 set_effective_uid(uid);
743 DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
744 }
745
746 result = kerberos_return_pac(mem_ctx,
747 principal_s,
748 pass,
749 time_offset,
750 &ticket_lifetime,
751 &renewal_until,
752 cc,
753 true,
754 true,
755 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
756 NULL,
757 local_service,
758 &pac_data_ctr);
759 if (user_ccache_file != NULL) {
760 gain_root_privilege();
761 }
762
763 /************************ RETURNED TO ROOT **********************/
764
765 if (!NT_STATUS_IS_OK(result)) {
766 goto failed;
767 }
768
769 if (pac_data_ctr == NULL) {
770 goto failed;
771 }
772
773 pac_data = pac_data_ctr->pac_data;
774 if (pac_data == NULL) {
775 goto failed;
776 }
777
778 for (i=0; i < pac_data->num_buffers; i++) {
779
780 if (pac_data->buffers[i].type == PAC_TYPE_LOGON_INFO) {
781 logon_info = pac_data->buffers[i].info->logon_info.info;
782 continue;
783 }
784
785 if (pac_data->buffers[i].type == PAC_TYPE_UPN_DNS_INFO) {
786 upn_dns_info = &pac_data->buffers[i].info->upn_dns_info;
787 continue;
788 }
789 }
790
791 if (logon_info == NULL) {
792 DEBUG(10,("Missing logon_info in ticket of %s\n",
793 principal_s));
794 return NT_STATUS_INVALID_PARAMETER;
795 }
796
797 DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
798 principal_s));
799
800 result = create_info6_from_pac(mem_ctx, logon_info,
801 upn_dns_info, &info6_copy);
802 if (!NT_STATUS_IS_OK(result)) {
803 goto failed;
804 }
805
806 /* if we had a user's ccache then return that string for the pam
807 * environment */
808
809 if (user_ccache_file != NULL) {
810
811 fstrcpy(krb5ccname, user_ccache_file);
812
813 result = add_ccache_to_list(principal_s,
814 cc,
815 service,
816 user,
817 pass,
818 realm,
819 uid,
820 time(NULL),
821 ticket_lifetime,
822 renewal_until,
823 false);
824
825 if (!NT_STATUS_IS_OK(result)) {
826 DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
827 nt_errstr(result)));
828 }
829 } else {
830
831 /* need to delete the memory cred cache, it is not used anymore */
832
833 krb5_ret = ads_kdestroy(cc);
834 if (krb5_ret) {
835 DEBUG(3,("winbindd_raw_kerberos_login: "
836 "could not destroy krb5 credential cache: "
837 "%s\n", error_message(krb5_ret)));
838 }
839
840 }
841 *info6 = info6_copy;
842 return NT_STATUS_OK;
843
844 failed:
845 /*
846 * Do not delete an existing valid credential cache, if the user
847 * e.g. enters a wrong password
848 */
849 if ((strequal(krb5_cc_type, "FILE") || strequal(krb5_cc_type, "WRFILE"))
850 && user_ccache_file != NULL) {
851 return result;
852 }
853
854 /* we could have created a new credential cache with a valid tgt in it
855 * but we werent able to get or verify the service ticket for this
856 * local host and therefor didn't get the PAC, we need to remove that
857 * cache entirely now */
858
859 krb5_ret = ads_kdestroy(cc);
860 if (krb5_ret) {
861 DEBUG(3,("winbindd_raw_kerberos_login: "
862 "could not destroy krb5 credential cache: "
863 "%s\n", error_message(krb5_ret)));
864 }
865
866 if (!NT_STATUS_IS_OK(remove_ccache(user))) {
867 DEBUG(3,("winbindd_raw_kerberos_login: "
868 "could not remove ccache for user %s\n",
869 user));
870 }
871
872 return result;
873 #else
874 return NT_STATUS_NOT_SUPPORTED;
875 #endif /* HAVE_KRB5 */
876 }
877
878 /****************************************************************
879 ****************************************************************/
880
881 bool check_request_flags(uint32_t flags)
882 {
883 uint32_t flags_edata = WBFLAG_PAM_AFS_TOKEN |
884 WBFLAG_PAM_INFO3_TEXT |
885 WBFLAG_PAM_INFO3_NDR;
886
887 if ( ( (flags & flags_edata) == WBFLAG_PAM_AFS_TOKEN) ||
888 ( (flags & flags_edata) == WBFLAG_PAM_INFO3_NDR) ||
889 ( (flags & flags_edata) == WBFLAG_PAM_INFO3_TEXT)||
890 !(flags & flags_edata) ) {
891 return true;
892 }
893
894 DEBUG(1, ("check_request_flags: invalid request flags[0x%08X]\n",
895 flags));
896
897 return false;
898 }
899
900 /****************************************************************
901 ****************************************************************/
902
903 NTSTATUS append_auth_data(TALLOC_CTX *mem_ctx,
904 struct winbindd_response *resp,
905 uint32_t request_flags,
906 uint16_t validation_level,
907 union netr_Validation *validation,
908 const char *name_domain,
909 const char *name_user)
910 {
911 struct netr_SamInfo3 *info3 = NULL;
912 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
913
914 result = map_validation_to_info3(talloc_tos(),
915 validation_level,
916 validation,
917 &info3);
918 if (!NT_STATUS_IS_OK(result)) {
919 goto out;
920 }
921
922 if (request_flags & WBFLAG_PAM_USER_SESSION_KEY) {
923 memcpy(resp->data.auth.user_session_key,
924 info3->base.key.key,
925 sizeof(resp->data.auth.user_session_key)
926 /* 16 */);
927 }
928
929 if (request_flags & WBFLAG_PAM_LMKEY) {
930 memcpy(resp->data.auth.first_8_lm_hash,
931 info3->base.LMSessKey.key,
932 sizeof(resp->data.auth.first_8_lm_hash)
933 /* 8 */);
934 }
935
936 if (request_flags & WBFLAG_PAM_UNIX_NAME) {
937 result = append_unix_username(mem_ctx, resp,
938 info3, name_domain, name_user);
939 if (!NT_STATUS_IS_OK(result)) {
940 DEBUG(10,("Failed to append Unix Username: %s\n",
941 nt_errstr(result)));
942 goto out;
943 }
944 }
945
946 /* currently, anything from here on potentially overwrites extra_data. */
947
948 if (request_flags & WBFLAG_PAM_INFO3_NDR) {
949 result = append_info3_as_ndr(mem_ctx, resp, info3);
950 if (!NT_STATUS_IS_OK(result)) {
951 DEBUG(10,("Failed to append INFO3 (NDR): %s\n",
952 nt_errstr(result)));
953 goto out;
954 }
955 }
956
957 if (request_flags & WBFLAG_PAM_INFO3_TEXT) {
958 result = append_info3_as_txt(mem_ctx, resp,
959 validation_level,
960 validation);
961 if (!NT_STATUS_IS_OK(result)) {
962 DEBUG(10,("Failed to append INFO3 (TXT): %s\n",
963 nt_errstr(result)));
964 goto out;
965 }
966 }
967
968 if (request_flags & WBFLAG_PAM_AFS_TOKEN) {
969 result = append_afs_token(mem_ctx, resp,
970 info3, name_domain, name_user);
971 if (!NT_STATUS_IS_OK(result)) {
972 DEBUG(10,("Failed to append AFS token: %s\n",
973 nt_errstr(result)));
974 goto out;
975 }
976 }
977
978 result = NT_STATUS_OK;
979 out:
980 TALLOC_FREE(info3);
981 return result;
982 }
983
984 static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
985 struct winbindd_cli_state *state,
986 struct netr_SamInfo3 **info3)
987 {
988 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
989 uint16_t max_allowed_bad_attempts;
990 fstring name_namespace, name_domain, name_user;
991 struct dom_sid sid;
992 enum lsa_SidType type;
993 uchar new_nt_pass[NT_HASH_LEN];
994 const uint8_t *cached_nt_pass;
995 const uint8_t *cached_salt;
996 struct netr_SamInfo3 *my_info3;
997 time_t kickoff_time, must_change_time;
998 bool password_good = false;
999 bool ok;
1000 #ifdef HAVE_KRB5
1001 struct winbindd_tdc_domain *tdc_domain = NULL;
1002 #endif
1003
1004 *info3 = NULL;
1005
1006 ZERO_STRUCTP(info3);
1007
1008 DEBUG(10,("winbindd_dual_pam_auth_cached\n"));
1009
1010 /* Parse domain and username */
1011
1012 ok = parse_domain_user(state->request->data.auth.user,
1013 name_namespace,
1014 name_domain,
1015 name_user);
1016 if (!ok) {
1017 DBG_DEBUG("parse_domain_user failed\n");
1018 return NT_STATUS_NO_SUCH_USER;
1019 }
1020
1021 if (!lookup_cached_name(name_namespace,
1022 name_domain,
1023 name_user,
1024 &sid,
1025 &type)) {
1026 DEBUG(10,("winbindd_dual_pam_auth_cached: no such user in the cache\n"));
1027 return NT_STATUS_NO_SUCH_USER;
1028 }
1029
1030 if (type != SID_NAME_USER) {
1031 DEBUG(10,("winbindd_dual_pam_auth_cached: not a user (%s)\n", sid_type_lookup(type)));
1032 return NT_STATUS_LOGON_FAILURE;
1033 }
1034
1035 result = winbindd_get_creds(domain,
1036 state->mem_ctx,
1037 &sid,
1038 &my_info3,
1039 &cached_nt_pass,
1040 &cached_salt);
1041 if (!NT_STATUS_IS_OK(result)) {
1042 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get creds: %s\n", nt_errstr(result)));
1043 return result;
1044 }
1045
1046 *info3 = my_info3;
1047
1048 E_md4hash(state->request->data.auth.pass, new_nt_pass);
1049
1050 dump_data_pw("new_nt_pass", new_nt_pass, NT_HASH_LEN);
1051 dump_data_pw("cached_nt_pass", cached_nt_pass, NT_HASH_LEN);
1052 if (cached_salt) {
1053 dump_data_pw("cached_salt", cached_salt, NT_HASH_LEN);
1054 }
1055
1056 if (cached_salt) {
1057 /* In this case we didn't store the nt_hash itself,
1058 but the MD5 combination of salt + nt_hash. */
1059 uchar salted_hash[NT_HASH_LEN];
1060 E_md5hash(cached_salt, new_nt_pass, salted_hash);
1061
1062 password_good = (memcmp(cached_nt_pass, salted_hash,
1063 NT_HASH_LEN) == 0);
1064 } else {
1065 /* Old cached cred - direct store of nt_hash (bad bad bad !). */
1066 password_good = (memcmp(cached_nt_pass, new_nt_pass,
1067 NT_HASH_LEN) == 0);
1068 }
1069
1070 if (password_good) {
1071
1072 /* User *DOES* know the password, update logon_time and reset
1073 * bad_pw_count */
1074
1075 my_info3->base.user_flags |= NETLOGON_CACHED_ACCOUNT;
1076
1077 if (my_info3->base.acct_flags & ACB_AUTOLOCK) {
1078 return NT_STATUS_ACCOUNT_LOCKED_OUT;
1079 }
1080
1081 if (my_info3->base.acct_flags & ACB_DISABLED) {
1082 return NT_STATUS_ACCOUNT_DISABLED;
1083 }
1084
1085 if (my_info3->base.acct_flags & ACB_WSTRUST) {
1086 return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
1087 }
1088
1089 if (my_info3->base.acct_flags & ACB_SVRTRUST) {
1090 return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
1091 }
1092
1093 if (my_info3->base.acct_flags & ACB_DOMTRUST) {
1094 return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
1095 }
1096
1097 if (!(my_info3->base.acct_flags & ACB_NORMAL)) {
1098 DEBUG(0,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
1099 my_info3->base.acct_flags));
1100 return NT_STATUS_LOGON_FAILURE;
1101 }
1102
1103 kickoff_time = nt_time_to_unix(my_info3->base.kickoff_time);
1104 if (kickoff_time != 0 && time(NULL) > kickoff_time) {
1105 return NT_STATUS_ACCOUNT_EXPIRED;
1106 }
1107
1108 must_change_time = nt_time_to_unix(my_info3->base.force_password_change);
1109 if (must_change_time != 0 && must_change_time < time(NULL)) {
1110 /* we allow grace logons when the password has expired */
1111 my_info3->base.user_flags |= NETLOGON_GRACE_LOGON;
1112 /* return NT_STATUS_PASSWORD_EXPIRED; */
1113 goto success;
1114 }
1115
1116 #ifdef HAVE_KRB5
1117 if ((state->request->flags & WBFLAG_PAM_KRB5) &&
1118 ((tdc_domain = wcache_tdc_fetch_domain(state->mem_ctx, name_domain)) != NULL) &&
1119 ((tdc_domain->trust_type & LSA_TRUST_TYPE_UPLEVEL) ||
1120 /* used to cope with the case winbindd starting without network. */
1121 !strequal(tdc_domain->domain_name, tdc_domain->dns_name))) {
1122
1123 uid_t uid = -1;
1124 const char *cc = NULL;
1125 char *realm = NULL;
1126 const char *principal_s = NULL;
1127 const char *service = NULL;
1128 const char *user_ccache_file;
1129
1130 if (domain->alt_name == NULL) {
1131 return NT_STATUS_INVALID_PARAMETER;
1132 }
1133
1134 uid = get_uid_from_request(state->request);
1135 if (uid == -1) {
1136 DEBUG(0,("winbindd_dual_pam_auth_cached: invalid uid\n"));
1137 return NT_STATUS_INVALID_PARAMETER;
1138 }
1139
1140 cc = generate_krb5_ccache(state->mem_ctx,
1141 state->request->data.auth.krb5_cc_type,
1142 state->request->data.auth.uid,
1143 &user_ccache_file);
1144 if (cc == NULL) {
1145 return NT_STATUS_NO_MEMORY;
1146 }
1147
1148 realm = talloc_strdup(state->mem_ctx, domain->alt_name);
1149 if (realm == NULL) {
1150 return NT_STATUS_NO_MEMORY;
1151 }
1152
1153 if (!strupper_m(realm)) {
1154 return NT_STATUS_INVALID_PARAMETER;
1155 }
1156
1157 principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
1158 if (principal_s == NULL) {
1159 return NT_STATUS_NO_MEMORY;
1160 }
1161
1162 service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
1163 if (service == NULL) {
1164 return NT_STATUS_NO_MEMORY;
1165 }
1166
1167 if (user_ccache_file != NULL) {
1168
1169 fstrcpy(state->response->data.auth.krb5ccname,
1170 user_ccache_file);
1171
1172 result = add_ccache_to_list(principal_s,
1173 cc,
1174 service,
1175 state->request->data.auth.user,
1176 state->request->data.auth.pass,
1177 realm,
1178 uid,
1179 time(NULL),
1180 time(NULL) + lp_winbind_cache_time(),
1181 time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
1182 true);
1183
1184 if (!NT_STATUS_IS_OK(result)) {
1185 DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
1186 "to add ccache to list: %s\n",
1187 nt_errstr(result)));
1188 }
1189 }
1190 }
1191 #endif /* HAVE_KRB5 */
1192 success:
1193 /* FIXME: we possibly should handle logon hours as well (does xp when
1194 * offline?) see auth/auth_sam.c:sam_account_ok for details */
1195
1196 unix_to_nt_time(&my_info3->base.logon_time, time(NULL));
1197 my_info3->base.bad_password_count = 0;
1198
1199 result = winbindd_update_creds_by_info3(domain,
1200 state->request->data.auth.user,
1201 state->request->data.auth.pass,
1202 my_info3);
1203 if (!NT_STATUS_IS_OK(result)) {
1204 DEBUG(1,("winbindd_dual_pam_auth_cached: failed to update creds: %s\n",
1205 nt_errstr(result)));
1206 return result;
1207 }
1208
1209 return NT_STATUS_OK;
1210
1211 }
1212
1213 /* User does *NOT* know the correct password, modify info3 accordingly, but only if online */
1214 if (domain->online == false) {
1215 goto failed;
1216 }
1217
1218 /* failure of this is not critical */
1219 result = get_max_bad_attempts_from_lockout_policy(domain, state->mem_ctx, &max_allowed_bad_attempts);
1220 if (!NT_STATUS_IS_OK(result)) {
1221 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get max_allowed_bad_attempts. "
1222 "Won't be able to honour account lockout policies\n"));
1223 }
1224
1225 /* increase counter */
1226 my_info3->base.bad_password_count++;
1227
1228 if (max_allowed_bad_attempts == 0) {
1229 goto failed;
1230 }
1231
1232 /* lockout user */
1233 if (my_info3->base.bad_password_count >= max_allowed_bad_attempts) {
1234
1235 uint32_t password_properties;
1236
1237 result = get_pwd_properties(domain, state->mem_ctx, &password_properties);
1238 if (!NT_STATUS_IS_OK(result)) {
1239 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
1240 }
1241
1242 if ((my_info3->base.rid != DOMAIN_RID_ADMINISTRATOR) ||
1243 (password_properties & DOMAIN_PASSWORD_LOCKOUT_ADMINS)) {
1244 my_info3->base.acct_flags |= ACB_AUTOLOCK;
1245 }
1246 }
1247
1248 failed:
1249 result = winbindd_update_creds_by_info3(domain,
1250 state->request->data.auth.user,
1251 NULL,
1252 my_info3);
1253
1254 if (!NT_STATUS_IS_OK(result)) {
1255 DEBUG(0,("winbindd_dual_pam_auth_cached: failed to update creds %s\n",
1256 nt_errstr(result)));
1257 }
1258
1259 return NT_STATUS_LOGON_FAILURE;
1260 }
1261
1262 static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
1263 struct winbindd_cli_state *state,
1264 struct netr_SamInfo6 **info6)
1265 {
1266 struct winbindd_domain *contact_domain;
1267 fstring name_namespace, name_domain, name_user;
1268 NTSTATUS result;
1269 bool ok;
1270
1271 DEBUG(10,("winbindd_dual_pam_auth_kerberos\n"));
1272
1273 /* Parse domain and username */
1274
1275 ok = parse_domain_user(state->request->data.auth.user,
1276 name_namespace,
1277 name_domain,
1278 name_user);
1279 if (!ok) {
1280 result = NT_STATUS_INVALID_PARAMETER;
1281 goto done;
1282 }
1283
1284 /* what domain should we contact? */
1285
1286 if ( IS_DC ) {
1287 contact_domain = find_domain_from_name(name_namespace);
1288 if (contact_domain == NULL) {
1289 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1290 state->request->data.auth.user, name_domain, name_user, name_domain));
1291 result = NT_STATUS_NO_SUCH_USER;
1292 goto done;
1293 }
1294
1295 } else {
1296 if (is_myname(name_domain)) {
1297 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1298 result = NT_STATUS_NO_SUCH_USER;
1299 goto done;
1300 }
1301
1302 contact_domain = find_domain_from_name(name_namespace);
1303 if (contact_domain == NULL) {
1304 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1305 state->request->data.auth.user, name_domain, name_user, name_domain));
1306
1307 result = NT_STATUS_NO_SUCH_USER;
1308 goto done;
1309 }
1310 }
1311
1312 if (contact_domain->initialized &&
1313 contact_domain->active_directory) {
1314 goto try_login;
1315 }
1316
1317 if (!contact_domain->initialized) {
1318 init_dc_connection(contact_domain, false);
1319 }
1320
1321 if (!contact_domain->active_directory) {
1322 DEBUG(3,("krb5 auth requested but domain is not Active Directory\n"));
1323 return NT_STATUS_INVALID_LOGON_TYPE;
1324 }
1325 try_login:
1326 result = winbindd_raw_kerberos_login(
1327 state->mem_ctx, contact_domain,
1328 state->request->data.auth.user,
1329 state->request->data.auth.pass,
1330 state->request->data.auth.krb5_cc_type,
1331 get_uid_from_request(state->request),
1332 info6, state->response->data.auth.krb5ccname);
1333 done:
1334 return result;
1335 }
1336
1337 static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
1338 uint32_t logon_parameters,
1339 const char *domain, const char *user,
1340 const DATA_BLOB *challenge,
1341 const DATA_BLOB *lm_resp,
1342 const DATA_BLOB *nt_resp,
1343 bool interactive,
1344 uint8_t *pauthoritative,
1345 struct netr_SamInfo3 **pinfo3)
1346 {
1347 struct auth_context *auth_context;
1348 struct auth_serversupplied_info *server_info;
1349 struct auth_usersupplied_info *user_info = NULL;
1350 struct tsocket_address *local;
1351 struct netr_SamInfo3 *info3;
1352 NTSTATUS status;
1353 bool ok;
1354 int rc;
1355 TALLOC_CTX *frame = talloc_stackframe();
1356
1357 /*
1358 * We are authoritative by default
1359 */
1360 *pauthoritative = 1;
1361
1362 rc = tsocket_address_inet_from_strings(frame,
1363 "ip",
1364 "127.0.0.1",
1365 0,
1366 &local);
1367 if (rc < 0) {
1368 TALLOC_FREE(frame);
1369 return NT_STATUS_NO_MEMORY;
1370 }
1371
1372 /*
1373 * TODO: We should get the service description passed in from
1374 * the winbind client, so we can have "smb2", "squid" or "samr" logged
1375 * here.
1376 */
1377 status = make_user_info(frame, &user_info, user, user, domain, domain,
1378 lp_netbios_name(), local, local,
1379 "winbind",
1380 lm_resp, nt_resp, NULL, NULL,
1381 NULL, AUTH_PASSWORD_RESPONSE);
1382 if (!NT_STATUS_IS_OK(status)) {
1383 DEBUG(10, ("make_user_info failed: %s\n", nt_errstr(status)));
1384 TALLOC_FREE(frame);
1385 return status;
1386 }
1387
1388 user_info->logon_parameters = logon_parameters;
1389
1390 /* We don't want any more mapping of the username */
1391 user_info->mapped_state = True;
1392
1393 /* We don't want to come back to winbindd or to do PAM account checks */
1394 user_info->flags |= USER_INFO_INFO3_AND_NO_AUTHZ;
1395
1396 if (interactive) {
1397 user_info->flags |= USER_INFO_INTERACTIVE_LOGON;
1398 }
1399
1400 status = make_auth3_context_for_winbind(frame, &auth_context);
1401 if (!NT_STATUS_IS_OK(status)) {
1402 DBG_ERR("make_auth3_context_for_winbind failed: %s\n",
1403 nt_errstr(status));
1404 TALLOC_FREE(frame);
1405 return status;
1406 }
1407
1408 ok = auth3_context_set_challenge(auth_context,
1409 challenge->data, "fixed");
1410 if (!ok) {
1411 TALLOC_FREE(frame);
1412 return NT_STATUS_NO_MEMORY;
1413 }
1414
1415 status = auth_check_ntlm_password(mem_ctx,
1416 auth_context,
1417 user_info,
1418 &server_info,
1419 pauthoritative);
1420 if (!NT_STATUS_IS_OK(status)) {
1421 TALLOC_FREE(frame);
1422 return status;
1423 }
1424
1425 info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
1426 if (info3 == NULL) {
1427 TALLOC_FREE(frame);
1428 return NT_STATUS_NO_MEMORY;
1429 }
1430
1431 status = serverinfo_to_SamInfo3(server_info, info3);
1432 if (!NT_STATUS_IS_OK(status)) {
1433 TALLOC_FREE(frame);
1434 TALLOC_FREE(info3);
1435 DEBUG(0, ("serverinfo_to_SamInfo3 failed: %s\n",
1436 nt_errstr(status)));
1437 return status;
1438 }
1439
1440 *pinfo3 = info3;
1441 DEBUG(10, ("Authenticaticating user %s\\%s returned %s\n", domain,
1442 user, nt_errstr(status)));
1443 TALLOC_FREE(frame);
1444 return status;
1445 }
1446
1447 static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
1448 TALLOC_CTX *mem_ctx,
1449 uint32_t logon_parameters,
1450 const char *username,
1451 const char *password,
1452 const char *domainname,
1453 const char *workstation,
1454 bool plaintext_given,
1455 const uint8_t chal[8],
1456 DATA_BLOB lm_response,
1457 DATA_BLOB nt_response,
1458 bool interactive,
1459 uint8_t *authoritative,
1460 uint32_t *flags,
1461 uint16_t *_validation_level,
1462 union netr_Validation **_validation)
1463 {
1464 int attempts = 0;
1465 int netr_attempts = 0;
1466 bool retry = false;
1467 NTSTATUS result;
1468 enum netr_LogonInfoClass logon_type_i;
1469 enum netr_LogonInfoClass logon_type_n;
1470 uint16_t validation_level = UINT16_MAX;
1471 union netr_Validation *validation = NULL;
1472
1473 do {
1474 struct rpc_pipe_client *netlogon_pipe;
1475 struct netlogon_creds_cli_context *netlogon_creds_ctx = NULL;
1476
1477 retry = false;
1478
1479 result = cm_connect_netlogon_secure(domain, &netlogon_pipe,
1480 &netlogon_creds_ctx);
1481
1482 if (NT_STATUS_EQUAL(result,
1483 NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
1484 /*
1485 * This means we don't have a trust account.
1486 */
1487 *authoritative = 0;
1488 result = NT_STATUS_NO_SUCH_USER;
1489 break;
1490 }
1491
1492 if (!NT_STATUS_IS_OK(result)) {
1493 DEBUG(3,("Could not open handle to NETLOGON pipe "
1494 "(error: %s, attempts: %d)\n",
1495 nt_errstr(result), netr_attempts));
1496
1497 /* After the first retry always close the connection */
1498 if (netr_attempts > 0) {
1499 DEBUG(3, ("This is again a problem for this "
1500 "particular call, forcing the close "
1501 "of this connection\n"));
1502 invalidate_cm_connection(domain);
1503 }
1504
1505 /* After the second retry failover to the next DC */
1506 if (netr_attempts > 1) {
1507 /*
1508 * If the netlogon server is not reachable then
1509 * it is possible that the DC is rebuilding
1510 * sysvol and shutdown netlogon for that time.
1511 * We should failover to the next dc.
1512 */
1513 DEBUG(3, ("This is the third problem for this "
1514 "particular call, adding DC to the "
1515 "negative cache list: %s %s\n", domain->name, domain->dcname));
1516 add_failed_connection_entry(domain->name,
1517 domain->dcname,
1518 result);
1519 saf_delete(domain->name);
1520 }
1521
1522 /* Only allow 3 retries */
1523 if (netr_attempts < 3) {
1524 DEBUG(3, ("The connection to netlogon "
1525 "failed, retrying\n"));
1526 netr_attempts++;
1527 retry = true;
1528 continue;
1529 }
1530 return result;
1531 }
1532
1533 logon_type_i = NetlogonInteractiveInformation;
1534 logon_type_n = NetlogonNetworkInformation;
1535 if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
1536 logon_type_i = NetlogonInteractiveTransitiveInformation;
1537 logon_type_n = NetlogonNetworkTransitiveInformation;
1538 }
1539
1540 if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
1541 logon_type_i = NetlogonInteractiveTransitiveInformation;
1542 logon_type_n = NetlogonNetworkTransitiveInformation;
1543 }
1544
1545 if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE) {
1546 logon_type_i = NetlogonInteractiveInformation;
1547 logon_type_n = NetlogonNetworkInformation;
1548 }
1549
1550 if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) {
1551 logon_type_i = NetlogonInteractiveInformation;
1552 logon_type_n = NetlogonNetworkInformation;
1553 }
1554
1555 netr_attempts = 0;
1556 if (plaintext_given) {
1557 result = rpccli_netlogon_password_logon(
1558 netlogon_creds_ctx,
1559 netlogon_pipe->binding_handle,
1560 mem_ctx,
1561 logon_parameters,
1562 domainname,
1563 username,
1564 password,
1565 workstation,
1566 logon_type_i,
1567 authoritative,
1568 flags,
1569 &validation_level,
1570 &validation);
1571 } else if (interactive) {
1572 result = rpccli_netlogon_interactive_logon(
1573 netlogon_creds_ctx,
1574 netlogon_pipe->binding_handle,
1575 mem_ctx,
1576 logon_parameters,
1577 username,
1578 domainname,
1579 workstation,
1580 lm_response,
1581 nt_response,
1582 logon_type_i,
1583 authoritative,
1584 flags,
1585 &validation_level,
1586 &validation);
1587 } else {
1588 result = rpccli_netlogon_network_logon(
1589 netlogon_creds_ctx,
1590 netlogon_pipe->binding_handle,
1591 mem_ctx,
1592 logon_parameters,
1593 username,
1594 domainname,
1595 workstation,
1596 chal,
1597 lm_response,
1598 nt_response,
1599 logon_type_n,
1600 authoritative,
1601 flags,
1602 &validation_level,
1603 &validation);
1604 }
1605
1606 /*
1607 * we increment this after the "feature negotiation"
1608 * for can_do_samlogon_ex and can_do_validation6
1609 */
1610 attempts += 1;
1611
1612 /* We have to try a second time as cm_connect_netlogon
1613 might not yet have noticed that the DC has killed
1614 our connection. */
1615
1616 if (!rpccli_is_connected(netlogon_pipe)) {
1617 retry = true;
1618 continue;
1619 }
1620
1621 /* if we get access denied, a possible cause was that we had
1622 and open connection to the DC, but someone changed our
1623 machine account password out from underneath us using 'net
1624 rpc changetrustpw' */
1625
1626 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1627 DEBUG(1,("winbind_samlogon_retry_loop: sam_logon returned "
1628 "ACCESS_DENIED. Maybe the DC has Restrict "
1629 "NTLM set or the trust account "
1630 "password was changed and we didn't know it. "
1631 "Killing connections to domain %s\n",
1632 domainname));
1633 invalidate_cm_connection(domain);
1634 retry = true;
1635 }
1636
1637 if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
1638 /*
1639 * Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
1640 * (no Ex). This happens against old Samba
1641 * DCs, if LogonSamLogonEx() fails with an error
1642 * e.g. NT_STATUS_NO_SUCH_USER or NT_STATUS_WRONG_PASSWORD.
1643 *
1644 * The server will log something like this:
1645 * api_net_sam_logon_ex: Failed to marshall NET_R_SAM_LOGON_EX.
1646 *
1647 * This sets the whole connection into a fault_state mode
1648 * and all following request get NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
1649 *
1650 * This also happens to our retry with LogonSamLogonWithFlags()
1651 * and LogonSamLogon().
1652 *
1653 * In order to recover from this situation, we need to
1654 * drop the connection.
1655 */
1656 invalidate_cm_connection(domain);
1657 result = NT_STATUS_LOGON_FAILURE;
1658 break;
1659 }
1660
1661 } while ( (attempts < 2) && retry );
1662
1663 if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) {
1664 DEBUG(3,("winbind_samlogon_retry_loop: sam_network_logon(ex) "
1665 "returned NT_STATUS_IO_TIMEOUT after the retry. "
1666 "Killing connections to domain %s\n",
1667 domainname));
1668 invalidate_cm_connection(domain);
1669 }
1670
1671 if (!NT_STATUS_IS_OK(result)) {
1672 return result;
1673 }
1674
1675 *_validation_level = validation_level;
1676 *_validation = validation;
1677 return NT_STATUS_OK;
1678 }
1679
1680 static NTSTATUS winbindd_dual_pam_auth_samlogon(
1681 TALLOC_CTX *mem_ctx,
1682 struct winbindd_domain *domain,
1683 const char *user,
1684 const char *pass,
1685 uint32_t request_flags,
1686 uint16_t *_validation_level,
1687 union netr_Validation **_validation)
1688 {
1689
1690 uchar chal[8];
1691 DATA_BLOB lm_resp;
1692 DATA_BLOB nt_resp;
1693 unsigned char local_nt_response[24];
1694 fstring name_namespace, name_domain, name_user;
1695 NTSTATUS result;
1696 uint8_t authoritative = 0;
1697 uint32_t flags = 0;
1698 uint16_t validation_level;
1699 union netr_Validation *validation = NULL;
1700 struct netr_SamBaseInfo *base_info = NULL;
1701 bool ok;
1702
1703 DEBUG(10,("winbindd_dual_pam_auth_samlogon\n"));
1704
1705 /* Parse domain and username */
1706
1707 ok = parse_domain_user(user, name_namespace, name_domain, name_user);
1708 if (!ok) {
1709 return NT_STATUS_INVALID_PARAMETER;
1710 }
1711
1712 /*
1713 * We check against domain->name instead of
1714 * name_domain, as find_auth_domain() ->
1715 * find_domain_from_name_noinit() already decided
1716 * that we are in a child for the correct domain.
1717 *
1718 * name_domain can also be lp_realm()
1719 * we need to check against domain->name.
1720 */
1721 if (strequal(domain->name, get_global_sam_name())) {
1722 DATA_BLOB chal_blob = data_blob_const(chal, sizeof(chal));
1723 struct netr_SamInfo3 *info3 = NULL;
1724
1725 /* do password magic */
1726
1727 generate_random_buffer(chal, sizeof(chal));
1728
1729 if (lp_client_ntlmv2_auth()) {
1730 DATA_BLOB server_chal;
1731 DATA_BLOB names_blob;
1732 server_chal = data_blob_const(chal, 8);
1733
1734 /* note that the 'workgroup' here is for the local
1735 machine. The 'server name' must match the
1736 'workstation' passed to the actual SamLogon call.
1737 */
1738 names_blob = NTLMv2_generate_names_blob(
1739 mem_ctx, lp_netbios_name(), lp_workgroup());
1740
1741 if (!SMBNTLMv2encrypt(mem_ctx, name_user, name_domain,
1742 pass,
1743 &server_chal,
1744 &names_blob,
1745 &lm_resp, &nt_resp, NULL, NULL)) {
1746 data_blob_free(&names_blob);
1747 DEBUG(0, ("winbindd_pam_auth: SMBNTLMv2encrypt() failed!\n"));
1748 result = NT_STATUS_NO_MEMORY;
1749 goto done;
1750 }
1751 data_blob_free(&names_blob);
1752 } else {
1753 lm_resp = data_blob_null;
1754 SMBNTencrypt(pass, chal, local_nt_response);
1755
1756 nt_resp = data_blob_talloc(mem_ctx, local_nt_response,
1757 sizeof(local_nt_response));
1758 }
1759
1760 result = winbindd_dual_auth_passdb(
1761 talloc_tos(), 0, name_domain, name_user,
1762 &chal_blob, &lm_resp, &nt_resp,
1763 true, /* interactive */
1764 &authoritative,
1765 &info3);
1766
1767 /*
1768 * We need to try the remote NETLOGON server if this is
1769 * not authoritative (for example on the RODC).
1770 */
1771 if (authoritative != 0) {
1772 if (NT_STATUS_IS_OK(result)) {
1773 result = map_info3_to_validation(
1774 mem_ctx,
1775 info3,
1776 &validation_level,
1777 &validation);
1778 TALLOC_FREE(info3);
1779 if (!NT_STATUS_IS_OK(result)) {
1780 goto done;
1781 }
1782 }
1783
1784 goto done;
1785 }
1786 }
1787
1788 /* check authentication loop */
1789
1790 result = winbind_samlogon_retry_loop(domain,
1791 mem_ctx,
1792 0,
1793 name_user,
1794 pass,
1795 name_domain,
1796 lp_netbios_name(),
1797 true, /* plaintext_given */
1798 NULL,
1799 data_blob_null, data_blob_null,
1800 true, /* interactive */
1801 &authoritative,
1802 &flags,
1803 &validation_level,
1804 &validation);
1805 if (!NT_STATUS_IS_OK(result)) {
1806 goto done;
1807 }
1808
1809 /* handle the case where a NT4 DC does not fill in the acct_flags in
1810 * the samlogon reply info3. When accurate info3 is required by the
1811 * caller, we look up the account flags ourselves - gd */
1812
1813 switch (validation_level) {
1814 case 3:
1815 base_info = &validation->sam3->base;
1816 break;
1817 case 6:
1818 base_info = &validation->sam6->base;
1819 break;
1820 default:
1821 DBG_ERR("Bad validation level %d", (int)validation_level);
1822 result = NT_STATUS_INTERNAL_ERROR;
1823 goto done;
1824 }
1825 if ((request_flags & WBFLAG_PAM_INFO3_TEXT) &&
1826 (base_info->acct_flags == 0))
1827 {
1828 struct rpc_pipe_client *samr_pipe;
1829 struct policy_handle samr_domain_handle, user_pol;
1830 union samr_UserInfo *info = NULL;
1831 NTSTATUS status_tmp, result_tmp;
1832 uint32_t acct_flags;
1833 struct dcerpc_binding_handle *b;
1834
1835 status_tmp = cm_connect_sam(domain, mem_ctx, false,
1836 &samr_pipe, &samr_domain_handle);
1837
1838 if (!NT_STATUS_IS_OK(status_tmp)) {
1839 DEBUG(3, ("could not open handle to SAMR pipe: %s\n",
1840 nt_errstr(status_tmp)));
1841 goto done;
1842 }
1843
1844 b = samr_pipe->binding_handle;
1845
1846 status_tmp = dcerpc_samr_OpenUser(b, mem_ctx,
1847 &samr_domain_handle,
1848 MAXIMUM_ALLOWED_ACCESS,
1849 base_info->rid,
1850 &user_pol,
1851 &result_tmp);
1852
1853 if (!NT_STATUS_IS_OK(status_tmp)) {
1854 DEBUG(3, ("could not open user handle on SAMR pipe: %s\n",
1855 nt_errstr(status_tmp)));
1856 goto done;
1857 }
1858 if (!NT_STATUS_IS_OK(result_tmp)) {
1859 DEBUG(3, ("could not open user handle on SAMR pipe: %s\n",
1860 nt_errstr(result_tmp)));
1861 goto done;
1862 }
1863
1864 status_tmp = dcerpc_samr_QueryUserInfo(b, mem_ctx,
1865 &user_pol,
1866 16,
1867 &info,
1868 &result_tmp);
1869
1870 if (any_nt_status_not_ok(status_tmp, result_tmp,
1871 &status_tmp)) {
1872 DEBUG(3, ("could not query user info on SAMR pipe: %s\n",
1873 nt_errstr(status_tmp)));
1874 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result_tmp);
1875 goto done;
1876 }
1877
1878 acct_flags = info->info16.acct_flags;
1879
1880 if (acct_flags == 0) {
1881 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result_tmp);
1882 goto done;
1883 }
1884
1885 base_info->acct_flags = acct_flags;
1886
1887 DEBUG(10,("successfully retrieved acct_flags 0x%x\n", acct_flags));
1888
1889 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result_tmp);
1890 }
1891
1892 done:
1893 if (NT_STATUS_IS_OK(result)) {
1894 *_validation_level = validation_level;
1895 *_validation = validation;
1896 }
1897 return result;
1898 }
1899
1900 enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
1901 struct winbindd_cli_state *state)
1902 {
1903 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
1904 NTSTATUS krb5_result = NT_STATUS_OK;
1905 fstring name_namespace, name_domain, name_user;
1906 char *mapped_user;
1907 fstring domain_user;
1908 uint16_t validation_level = UINT16_MAX;
1909 union netr_Validation *validation = NULL;
1910 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
1911 bool ok;
1912
1913 /* Ensure null termination */
1914 state->request->data.auth.user[sizeof(state->request->data.auth.user)-1]='\0';
1915
1916 /* Ensure null termination */
1917 state->request->data.auth.pass[sizeof(state->request->data.auth.pass)-1]='\0';
1918
1919 DEBUG(3, ("[%5lu]: dual pam auth %s\n", (unsigned long)state->pid,
1920 state->request->data.auth.user));
1921
1922 /* Parse domain and username */
1923
1924 name_map_status = normalize_name_unmap(state->mem_ctx,
1925 state->request->data.auth.user,
1926 &mapped_user);
1927
1928 /* If the name normalization didnt' actually do anything,
1929 just use the original name */
1930
1931 if (!NT_STATUS_IS_OK(name_map_status) &&
1932 !NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
1933 {
1934 mapped_user = state->request->data.auth.user;
1935 }
1936
1937 ok = parse_domain_user(mapped_user,
1938 name_namespace,
1939 name_domain,
1940 name_user);
1941 if (!ok) {
1942 result = NT_STATUS_INVALID_PARAMETER;
1943 goto process_result;
1944 }
1945
1946 if ( mapped_user != state->request->data.auth.user ) {
1947 fstr_sprintf( domain_user, "%s%c%s", name_domain,
1948 *lp_winbind_separator(),
1949 name_user );
1950 strlcpy( state->request->data.auth.user, domain_user,
1951 sizeof(state->request->data.auth.user));
1952 }
1953
1954 if (!domain->online) {
1955 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1956 if (domain->startup) {
1957 /* Logons are very important to users. If we're offline and
1958 we get a request within the first 30 seconds of startup,
1959 try very hard to find a DC and go online. */
1960
1961 DEBUG(10,("winbindd_dual_pam_auth: domain: %s offline and auth "
1962 "request in startup mode.\n", domain->name ));
1963
1964 winbindd_flush_negative_conn_cache(domain);
1965 result = init_dc_connection(domain, false);
1966 }
1967 }
1968
1969 DEBUG(10,("winbindd_dual_pam_auth: domain: %s last was %s\n", domain->name, domain->online ? "online":"offline"));
1970
1971 /* Check for Kerberos authentication */
1972 if (domain->online && (state->request->flags & WBFLAG_PAM_KRB5)) {
1973 struct netr_SamInfo6 *info6 = NULL;
1974
1975 result = winbindd_dual_pam_auth_kerberos(domain, state, &info6);
1976 /* save for later */
1977 krb5_result = result;
1978
1979 if (NT_STATUS_IS_OK(result)) {
1980 DEBUG(10,("winbindd_dual_pam_auth_kerberos succeeded\n"));
1981
1982 result = map_info6_to_validation(state->mem_ctx,
1983 info6,
1984 &validation_level,
1985 &validation);
1986 TALLOC_FREE(info6);
1987 if (!NT_STATUS_IS_OK(result)) {
1988 DBG_ERR("map_info6_to_validation failed\n");
1989 goto done;
1990 }
1991 goto process_result;
1992 }
1993
1994 DBG_DEBUG("winbindd_dual_pam_auth_kerberos failed: %s\n",
1995 nt_errstr(result));
1996
1997 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
1998 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
1999 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
2000 DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
2001 set_domain_offline( domain );
2002 goto cached_logon;
2003 }
2004
2005 /* there are quite some NT_STATUS errors where there is no
2006 * point in retrying with a samlogon, we explictly have to take
2007 * care not to increase the bad logon counter on the DC */
2008
2009 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_DISABLED) ||
2010 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_EXPIRED) ||
2011 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_LOCKED_OUT) ||
2012 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_LOGON_HOURS) ||
2013 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_WORKSTATION) ||
2014 NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE) ||
2015 NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER) ||
2016 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_EXPIRED) ||
2017 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE) ||
2018 NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD)) {
2019 goto done;
2020 }
2021
2022 if (state->request->flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
2023 DEBUG(3,("falling back to samlogon\n"));
2024 goto sam_logon;
2025 } else {
2026 goto cached_logon;
2027 }
2028 }
2029
2030 sam_logon:
2031 /* Check for Samlogon authentication */
2032 if (domain->online) {
2033 struct netr_SamBaseInfo *base_info = NULL;
2034
2035 result = winbindd_dual_pam_auth_samlogon(
2036 state->mem_ctx, domain,
2037 state->request->data.auth.user,
2038 state->request->data.auth.pass,
2039 state->request->flags,
2040 &validation_level,
2041 &validation);
2042
2043 if (NT_STATUS_IS_OK(result)) {
2044 DEBUG(10,("winbindd_dual_pam_auth_samlogon succeeded\n"));
2045
2046 switch (validation_level) {
2047 case 3:
2048 base_info = &validation->sam3->base;
2049 break;
2050 case 6:
2051 base_info = &validation->sam6->base;
2052 break;
2053 default:
2054 DBG_ERR("Bad validation level %d\n",
2055 validation_level);
2056 result = NT_STATUS_INTERNAL_ERROR;
2057 goto done;
2058 }
2059
2060 /* add the Krb5 err if we have one */
2061 if ( NT_STATUS_EQUAL(krb5_result, NT_STATUS_TIME_DIFFERENCE_AT_DC ) ) {
2062 base_info->user_flags |= LOGON_KRB5_FAIL_CLOCK_SKEW;
2063 }
2064
2065 goto process_result;
2066 }
2067
2068 DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n",
2069 nt_errstr(result)));
2070
2071 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
2072 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
2073 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND))
2074 {
2075 DEBUG(10,("winbindd_dual_pam_auth_samlogon setting domain to offline\n"));
2076 set_domain_offline( domain );
2077 goto cached_logon;
2078 }
2079
2080 if (domain->online) {
2081 /* We're still online - fail. */
2082 goto done;
2083 }
2084 }
2085
2086 cached_logon:
2087 /* Check for Cached logons */
2088 if (!domain->online && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN) &&
2089 lp_winbind_offline_logon()) {
2090 struct netr_SamInfo3 *info3 = NULL;
2091
2092 result = winbindd_dual_pam_auth_cached(domain, state, &info3);
2093
2094 if (!NT_STATUS_IS_OK(result)) {
2095 DEBUG(10,("winbindd_dual_pam_auth_cached failed: %s\n", nt_errstr(result)));
2096 goto done;
2097 }
2098 DEBUG(10,("winbindd_dual_pam_auth_cached succeeded\n"));
2099
2100 result = map_info3_to_validation(state->mem_ctx,
2101 info3,
2102 &validation_level,
2103 &validation);
2104 TALLOC_FREE(info3);
2105 if (!NT_STATUS_IS_OK(result)) {
2106 DBG_ERR("map_info3_to_validation failed\n");
2107 goto done;
2108 }
2109 }
2110
2111 process_result:
2112
2113 if (NT_STATUS_IS_OK(result)) {
2114 struct dom_sid user_sid;
2115 TALLOC_CTX *base_ctx = NULL;
2116 struct netr_SamBaseInfo *base_info = NULL;
2117 struct netr_SamInfo3 *info3 = NULL;
2118
2119 switch (validation_level) {
2120 case 3:
2121 base_ctx = validation->sam3;
2122 base_info = &validation->sam3->base;
2123 break;
2124 case 6:
2125 base_ctx = validation->sam6;
2126 base_info = &validation->sam6->base;
2127 break;
2128 default:
2129 result = NT_STATUS_INTERNAL_ERROR;
2130 goto done;
2131 }
2132
2133 sid_compose(&user_sid, base_info->domain_sid, base_info->rid);
2134
2135 if (base_info->full_name.string == NULL) {
2136 struct netr_SamInfo3 *cached_info3;
2137
2138 cached_info3 = netsamlogon_cache_get(state->mem_ctx,
2139 &user_sid);
2140 if (cached_info3 != NULL &&
2141 cached_info3->base.full_name.string != NULL) {
2142 base_info->full_name.string = talloc_strdup(
2143 base_ctx,
2144 cached_info3->base.full_name.string);
2145 if (base_info->full_name.string == NULL) {
2146 result = NT_STATUS_NO_MEMORY;
2147 goto done;
2148 }
2149 } else {
2150
2151 /* this might fail so we don't check the return code */
2152 wcache_query_user_fullname(domain,
2153 base_ctx,
2154 &user_sid,
2155 &base_info->full_name.string);
2156 }
2157 }
2158
2159 result = map_validation_to_info3(talloc_tos(),
2160 validation_level,
2161 validation,
2162 &info3);
2163 if (!NT_STATUS_IS_OK(result)) {
2164 goto done;
2165 }
2166
2167 wcache_invalidate_samlogon(find_domain_from_name(name_domain),
2168 &user_sid);
2169 netsamlogon_cache_store(name_user, info3);
2170
2171 /* save name_to_sid info as early as possible (only if
2172 this is our primary domain so we don't invalidate
2173 the cache entry by storing the seq_num for the wrong
2174 domain). */
2175 if ( domain->primary ) {
2176 cache_name2sid(domain, name_domain, name_user,
2177 SID_NAME_USER, &user_sid);
2178 }
2179
2180 /* Check if the user is in the right group */
2181
2182 result = check_info3_in_group(
2183 info3,
2184 state->request->data.auth.require_membership_of_sid);
2185 if (!NT_STATUS_IS_OK(result)) {
2186 DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
2187 state->request->data.auth.user,
2188 state->request->data.auth.require_membership_of_sid));
2189 goto done;
2190 }
2191
2192 result = append_auth_data(state->mem_ctx, state->response,
2193 state->request->flags,
2194 validation_level,
2195 validation,
2196 name_domain, name_user);
2197 if (!NT_STATUS_IS_OK(result)) {
2198 goto done;
2199 }
2200
2201 if ((state->request->flags & WBFLAG_PAM_CACHED_LOGIN)
2202 && lp_winbind_offline_logon()) {
2203
2204 result = winbindd_store_creds(domain,
2205 state->request->data.auth.user,
2206 state->request->data.auth.pass,
2207 info3);
2208 }
2209
2210 if (state->request->flags & WBFLAG_PAM_GET_PWD_POLICY) {
2211 /*
2212 * WBFLAG_PAM_GET_PWD_POLICY is not used within
2213 * any Samba caller anymore.
2214 *
2215 * We just fake this based on the effective values
2216 * for the user, for legacy callers.
2217 */
2218 fake_password_policy(state->response, &info3->base);
2219 }
2220
2221 result = NT_STATUS_OK;
2222 }
2223
2224 done:
2225 /* give us a more useful (more correct?) error code */
2226 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
2227 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
2228 result = NT_STATUS_NO_LOGON_SERVERS;
2229 }
2230
2231 set_auth_errors(state->response, result);
2232
2233 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
2234 state->request->data.auth.user,
2235 state->response->data.auth.nt_status_string,
2236 state->response->data.auth.pam_error));
2237
2238 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2239 }
2240
2241 NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
2242 TALLOC_CTX *mem_ctx,
2243 bool interactive,
2244 uint32_t logon_parameters,
2245 const char *name_user,
2246 const char *name_domain,
2247 const char *workstation,
2248 const uint8_t chal[8],
2249 DATA_BLOB lm_response,
2250 DATA_BLOB nt_response,
2251 uint8_t *authoritative,
2252 bool skip_sam,
2253 uint32_t *flags,
2254 uint16_t *_validation_level,
2255 union netr_Validation **_validation)
2256 {
2257 uint16_t validation_level = 0;
2258 union netr_Validation *validation = NULL;
2259 NTSTATUS result;
2260
2261 /*
2262 * We check against domain->name instead of
2263 * name_domain, as find_auth_domain() ->
2264 * find_domain_from_name_noinit() already decided
2265 * that we are in a child for the correct domain.
2266 *
2267 * name_domain can also be lp_realm()
2268 * we need to check against domain->name.
2269 */
2270 if (!skip_sam && strequal(domain->name, get_global_sam_name())) {
2271 DATA_BLOB chal_blob = data_blob_const(
2272 chal, 8);
2273 struct netr_SamInfo3 *info3 = NULL;
2274
2275 result = winbindd_dual_auth_passdb(
2276 talloc_tos(),
2277 logon_parameters,
2278 name_domain, name_user,
2279 &chal_blob, &lm_response, &nt_response,
2280 interactive,
2281 authoritative,
2282 &info3);
2283 if (NT_STATUS_IS_OK(result)) {
2284 result = map_info3_to_validation(mem_ctx,
2285 info3,
2286 &validation_level,
2287 &validation);
2288 TALLOC_FREE(info3);
2289 if (!NT_STATUS_IS_OK(result)) {
2290 goto done;
2291 }
2292 }
2293
2294 /*
2295 * We need to try the remote NETLOGON server if this is
2296 * not authoritative.
2297 */
2298 if (*authoritative != 0) {
2299 *flags = 0;
2300 goto process_result;
2301 }
2302 }
2303
2304 result = winbind_samlogon_retry_loop(domain,
2305 mem_ctx,
2306 logon_parameters,
2307 name_user,
2308 NULL, /* password */
2309 name_domain,
2310 /* Bug #3248 - found by Stefan Burkei. */
2311 workstation, /* We carefully set this above so use it... */
2312 false, /* plaintext_given */
2313 chal,
2314 lm_response,
2315 nt_response,
2316 interactive,
2317 authoritative,
2318 flags,
2319 &validation_level,
2320 &validation);
2321 if (!NT_STATUS_IS_OK(result)) {
2322 goto done;
2323 }
2324
2325 process_result:
2326
2327 if (NT_STATUS_IS_OK(result)) {
2328 struct dom_sid user_sid;
2329 TALLOC_CTX *base_ctx = NULL;
2330 struct netr_SamBaseInfo *base_info = NULL;
2331 struct netr_SamInfo3 *info3 = NULL;
2332
2333 switch (validation_level) {
2334 case 3:
2335 base_ctx = validation->sam3;
2336 base_info = &validation->sam3->base;
2337 break;
2338 case 6:
2339 base_ctx = validation->sam6;
2340 base_info = &validation->sam6->base;
2341 break;
2342 default:
2343 result = NT_STATUS_INTERNAL_ERROR;
2344 goto done;
2345 }
2346
2347 sid_compose(&user_sid, base_info->domain_sid, base_info->rid);
2348
2349 if (base_info->full_name.string == NULL) {
2350 struct netr_SamInfo3 *cached_info3;
2351
2352 cached_info3 = netsamlogon_cache_get(mem_ctx,
2353 &user_sid);
2354 if (cached_info3 != NULL &&
2355 cached_info3->base.full_name.string != NULL)
2356 {
2357 base_info->full_name.string = talloc_strdup(
2358 base_ctx,
2359 cached_info3->base.full_name.string);
2360 } else {
2361
2362 /* this might fail so we don't check the return code */
2363 wcache_query_user_fullname(domain,
2364 base_ctx,
2365 &user_sid,
2366 &base_info->full_name.string);
2367 }
2368 }
2369
2370 result = map_validation_to_info3(talloc_tos(),
2371 validation_level,
2372 validation,
2373 &info3);
2374 if (!NT_STATUS_IS_OK(result)) {
2375 goto done;
2376 }
2377 wcache_invalidate_samlogon(find_domain_from_name(name_domain),
2378 &user_sid);
2379 netsamlogon_cache_store(name_user, info3);
2380 TALLOC_FREE(info3);
2381 }
2382
2383 done:
2384
2385 /* give us a more useful (more correct?) error code */
2386 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
2387 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
2388 result = NT_STATUS_NO_LOGON_SERVERS;
2389 }
2390
2391 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2392 ("NTLM CRAP authentication for user [%s]\\[%s] returned %s\n",
2393 name_domain,
2394 name_user,
2395 nt_errstr(result)));
2396
2397 if (!NT_STATUS_IS_OK(result)) {
2398 return result;
2399 }
2400
2401 *_validation_level = validation_level;
2402 *_validation = validation;
2403 return NT_STATUS_OK;
2404 }
2405
2406 enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
2407 struct winbindd_cli_state *state)
2408 {
2409 NTSTATUS result;
2410 const char *name_user = NULL;
2411 const char *name_domain = NULL;
2412 const char *workstation;
2413 uint8_t authoritative = 0;
2414 uint32_t flags = 0;
2415 uint16_t validation_level;
2416 union netr_Validation *validation = NULL;
2417 DATA_BLOB lm_resp, nt_resp;
2418
2419 /* This is child-only, so no check for privileged access is needed
2420 anymore */
2421
2422 /* Ensure null termination */
2423 state->request->data.auth_crap.user[sizeof(state->request->data.auth_crap.user)-1]=0;
2424 state->request->data.auth_crap.domain[sizeof(state->request->data.auth_crap.domain)-1]=0;
2425
2426 name_user = state->request->data.auth_crap.user;
2427 name_domain = state->request->data.auth_crap.domain;
2428 workstation = state->request->data.auth_crap.workstation;
2429
2430 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
2431 name_domain, name_user));
2432
2433 if (state->request->data.auth_crap.lm_resp_len > sizeof(state->request->data.auth_crap.lm_resp)
2434 || state->request->data.auth_crap.nt_resp_len > sizeof(state->request->data.auth_crap.nt_resp)) {
2435 if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
2436 state->request->extra_len != state->request->data.auth_crap.nt_resp_len) {
2437 DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
2438 state->request->data.auth_crap.lm_resp_len,
2439 state->request->data.auth_crap.nt_resp_len));
2440 result = NT_STATUS_INVALID_PARAMETER;
2441 goto done;
2442 }
2443 }
2444
2445 lm_resp = data_blob_talloc(state->mem_ctx, state->request->data.auth_crap.lm_resp,
2446 state->request->data.auth_crap.lm_resp_len);
2447
2448 if (state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) {
2449 nt_resp = data_blob_talloc(state->mem_ctx,
2450 state->request->extra_data.data,
2451 state->request->data.auth_crap.nt_resp_len);
2452 } else {
2453 nt_resp = data_blob_talloc(state->mem_ctx,
2454 state->request->data.auth_crap.nt_resp,
2455 state->request->data.auth_crap.nt_resp_len);
2456 }
2457
2458 result = winbind_dual_SamLogon(domain,
2459 state->mem_ctx,
2460 false, /* interactive */
2461 state->request->data.auth_crap.logon_parameters,
2462 name_user,
2463 name_domain,
2464 /* Bug #3248 - found by Stefan Burkei. */
2465 workstation, /* We carefully set this above so use it... */
2466 state->request->data.auth_crap.chal,
2467 lm_resp,
2468 nt_resp,
2469 &authoritative,
2470 false,
2471 &flags,
2472 &validation_level,
2473 &validation);
2474 if (!NT_STATUS_IS_OK(result)) {
2475 state->response->data.auth.authoritative = authoritative;
2476 goto done;
2477 }
2478
2479 if (NT_STATUS_IS_OK(result)) {
2480 struct netr_SamInfo3 *info3 = NULL;
2481
2482 result = map_validation_to_info3(state->mem_ctx,
2483 validation_level,
2484 validation,
2485 &info3);
2486 if (!NT_STATUS_IS_OK(result)) {
2487 goto done;
2488 }
2489
2490 /* Check if the user is in the right group */
2491 result = check_info3_in_group(
2492 info3,
2493 state->request->data.auth_crap.require_membership_of_sid);
2494 if (!NT_STATUS_IS_OK(result)) {
2495 DEBUG(3, ("User %s is not in the required group (%s), so "
2496 "crap authentication is rejected\n",
2497 state->request->data.auth_crap.user,
2498 state->request->data.auth_crap.require_membership_of_sid));
2499 goto done;
2500 }
2501
2502 result = append_auth_data(state->mem_ctx, state->response,
2503 state->request->flags,
2504 validation_level,
2505 validation,
2506 name_domain, name_user);
2507 if (!NT_STATUS_IS_OK(result)) {
2508 goto done;
2509 }
2510 }
2511
2512 done:
2513
2514 if (state->request->flags & WBFLAG_PAM_NT_STATUS_SQUASH) {
2515 result = nt_status_squash(result);
2516 }
2517
2518 set_auth_errors(state->response, result);
2519
2520 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2521 }
2522
2523 enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact_domain,
2524 struct winbindd_cli_state *state)
2525 {
2526 char *oldpass;
2527 char *newpass = NULL;
2528 struct policy_handle dom_pol;
2529 struct rpc_pipe_client *cli = NULL;
2530 bool got_info = false;
2531 struct samr_DomInfo1 *info = NULL;
2532 struct userPwdChangeFailureInformation *reject = NULL;
2533 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2534 fstring namespace, domain, user;
2535 struct dcerpc_binding_handle *b = NULL;
2536 bool ok;
2537
2538 ZERO_STRUCT(dom_pol);
2539
2540 DEBUG(3, ("[%5lu]: dual pam chauthtok %s\n", (unsigned long)state->pid,
2541 state->request->data.auth.user));
2542
2543 ok = parse_domain_user(state->request->data.chauthtok.user,
2544 namespace,
2545 domain,
2546 user);
2547 if (!ok) {
2548 goto done;
2549 }
2550
2551 /* Change password */
2552
2553 oldpass = state->request->data.chauthtok.oldpass;
2554 newpass = state->request->data.chauthtok.newpass;
2555
2556 /* Initialize reject reason */
2557 state->response->data.auth.reject_reason = Undefined;
2558
2559 /* Get sam handle */
2560
2561 result = cm_connect_sam(contact_domain, state->mem_ctx, true, &cli,
2562 &dom_pol);
2563 if (!NT_STATUS_IS_OK(result)) {
2564 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
2565 goto done;
2566 }
2567
2568 b = cli->binding_handle;
2569
2570 result = rpccli_samr_chgpasswd_user3(cli, state->mem_ctx,
2571 user,
2572 newpass,
2573 oldpass,
2574 &info,
2575 &reject);
2576
2577 /* Windows 2003 returns NT_STATUS_PASSWORD_RESTRICTION */
2578
2579 if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) ) {
2580
2581 fill_in_password_policy(state->response, info);
2582
2583 state->response->data.auth.reject_reason =
2584 reject->extendedFailureReason;
2585
2586 got_info = true;
2587 }
2588
2589 /* atm the pidl generated rpccli_samr_ChangePasswordUser3 function will
2590 * return with NT_STATUS_BUFFER_TOO_SMALL for w2k dcs as w2k just
2591 * returns with 4byte error code (NT_STATUS_NOT_SUPPORTED) which is too
2592 * short to comply with the samr_ChangePasswordUser3 idl - gd */
2593
2594 /* only fallback when the chgpasswd_user3 call is not supported */
2595 if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE) ||
2596 NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) ||
2597 NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL) ||
2598 NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
2599
2600 DEBUG(10,("Password change with chgpasswd_user3 failed with: %s, retrying chgpasswd_user2\n",
2601 nt_errstr(result)));
2602
2603 result = rpccli_samr_chgpasswd_user2(cli, state->mem_ctx, user, newpass, oldpass);
2604
2605 /* Windows 2000 returns NT_STATUS_ACCOUNT_RESTRICTION.
2606 Map to the same status code as Windows 2003. */
2607
2608 if ( NT_STATUS_EQUAL(NT_STATUS_ACCOUNT_RESTRICTION, result ) ) {
2609 result = NT_STATUS_PASSWORD_RESTRICTION;
2610 }
2611 }
2612
2613 done:
2614
2615 if (NT_STATUS_IS_OK(result)
2616 && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN)
2617 && lp_winbind_offline_logon()) {
2618 result = winbindd_update_creds_by_name(contact_domain, user,
2619 newpass);
2620 /* Again, this happens when we login from gdm or xdm
2621 * and the password expires, *BUT* cached crendentials
2622 * doesn't exist. winbindd_update_creds_by_name()
2623 * returns NT_STATUS_NO_SUCH_USER.
2624 * This is not a failure.
2625 * --- BoYang
2626 * */
2627 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
2628 result = NT_STATUS_OK;
2629 }
2630
2631 if (!NT_STATUS_IS_OK(result)) {
2632 DEBUG(10, ("Failed to store creds: %s\n",
2633 nt_errstr(result)));
2634 goto process_result;
2635 }
2636 }
2637
2638 if (!NT_STATUS_IS_OK(result) && !got_info && contact_domain) {
2639
2640 NTSTATUS policy_ret;
2641
2642 policy_ret = fillup_password_policy(
2643 contact_domain, state->response);
2644
2645 /* failure of this is non critical, it will just provide no
2646 * additional information to the client why the change has
2647 * failed - Guenther */
2648
2649 if (!NT_STATUS_IS_OK(policy_ret)) {
2650 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(policy_ret)));
2651 goto process_result;
2652 }
2653 }
2654
2655 process_result:
2656
2657 if (strequal(contact_domain->name, get_global_sam_name())) {
2658 /* FIXME: internal rpc pipe does not cache handles yet */
2659 if (b) {
2660 if (is_valid_policy_hnd(&dom_pol)) {
2661 NTSTATUS _result;
2662 dcerpc_samr_Close(b, state->mem_ctx, &dom_pol, &_result);
2663 }
2664 TALLOC_FREE(cli);
2665 }
2666 }
2667
2668 set_auth_errors(state->response, result);
2669
2670 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2671 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2672 domain,
2673 user,
2674 state->response->data.auth.nt_status_string,
2675 state->response->data.auth.pam_error));
2676
2677 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2678 }
2679
2680 enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
2681 struct winbindd_cli_state *state)
2682 {
2683 NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
2684
2685 DEBUG(3, ("[%5lu]: pam dual logoff %s\n", (unsigned long)state->pid,
2686 state->request->data.logoff.user));
2687
2688 if (!(state->request->flags & WBFLAG_PAM_KRB5)) {
2689 result = NT_STATUS_OK;
2690 goto process_result;
2691 }
2692
2693 if (state->request->data.logoff.krb5ccname[0] == '\0') {
2694 result = NT_STATUS_OK;
2695 goto process_result;
2696 }
2697
2698 #ifdef HAVE_KRB5
2699
2700 if (state->request->data.logoff.uid == (uid_t)-1) {
2701 DEBUG(0,("winbindd_pam_logoff: invalid uid\n"));
2702 goto process_result;
2703 }
2704
2705 /* what we need here is to find the corresponding krb5 ccache name *we*
2706 * created for a given username and destroy it */
2707
2708 if (!ccache_entry_exists(state->request->data.logoff.user)) {
2709 result = NT_STATUS_OK;
2710 DEBUG(10,("winbindd_pam_logoff: no entry found.\n"));
2711 goto process_result;
2712 }
2713
2714 if (!ccache_entry_identical(state->request->data.logoff.user,
2715 state->request->data.logoff.uid,
2716 state->request->data.logoff.krb5ccname)) {
2717 DEBUG(0,("winbindd_pam_logoff: cached entry differs.\n"));
2718 goto process_result;
2719 }
2720
2721 result = remove_ccache(state->request->data.logoff.user);
2722 if (!NT_STATUS_IS_OK(result)) {
2723 DEBUG(0,("winbindd_pam_logoff: failed to remove ccache: %s\n",
2724 nt_errstr(result)));
2725 goto process_result;
2726 }
2727
2728 /*
2729 * Remove any mlock'ed memory creds in the child
2730 * we might be using for krb5 ticket renewal.
2731 */
2732
2733 winbindd_delete_memory_creds(state->request->data.logoff.user);
2734
2735 #else
2736 result = NT_STATUS_NOT_SUPPORTED;
2737 #endif
2738
2739 process_result:
2740
2741
2742 set_auth_errors(state->response, result);
2743
2744 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2745 }
2746
2747 /* Change user password with auth crap*/
2748
2749 enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domain *domainSt, struct winbindd_cli_state *state)
2750 {
2751 NTSTATUS result;
2752 DATA_BLOB new_nt_password;
2753 DATA_BLOB old_nt_hash_enc;
2754 DATA_BLOB new_lm_password;
2755 DATA_BLOB old_lm_hash_enc;
2756 fstring namespace, domain, user;
2757 struct policy_handle dom_pol;
2758 struct winbindd_domain *contact_domain = domainSt;
2759 struct rpc_pipe_client *cli = NULL;
2760 struct dcerpc_binding_handle *b = NULL;
2761
2762 ZERO_STRUCT(dom_pol);
2763
2764 /* Ensure null termination */
2765 state->request->data.chng_pswd_auth_crap.user[
2766 sizeof(state->request->data.chng_pswd_auth_crap.user)-1]=0;
2767 state->request->data.chng_pswd_auth_crap.domain[
2768 sizeof(state->request->data.chng_pswd_auth_crap.domain)-1]=0;
2769 domain[0] = '\0';
2770 namespace[0] = '\0';
2771 user[0] = '\0';
2772
2773 DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
2774 (unsigned long)state->pid,
2775 state->request->data.chng_pswd_auth_crap.domain,
2776 state->request->data.chng_pswd_auth_crap.user));
2777
2778 if (lp_winbind_offline_logon()) {
2779 DEBUG(0,("Refusing password change as winbind offline logons are enabled. "));
2780 DEBUGADD(0,("Changing passwords here would risk inconsistent logons\n"));
2781 result = NT_STATUS_ACCESS_DENIED;
2782 goto done;
2783 }
2784
2785 if (*state->request->data.chng_pswd_auth_crap.domain) {
2786 fstrcpy(domain,state->request->data.chng_pswd_auth_crap.domain);
2787 } else {
2788 bool ok;
2789
2790 ok = parse_domain_user(state->request->data.chng_pswd_auth_crap.user,
2791 namespace,
2792 domain,
2793 user);
2794 if (!ok) {
2795 result = NT_STATUS_INVALID_PARAMETER;
2796 goto done;
2797 }
2798
2799 if(!*domain) {
2800 DEBUG(3,("no domain specified with username (%s) - "
2801 "failing auth\n",
2802 state->request->data.chng_pswd_auth_crap.user));
2803 result = NT_STATUS_NO_SUCH_USER;
2804 goto done;
2805 }
2806 }
2807
2808 if (!*domain && lp_winbind_use_default_domain()) {
2809 fstrcpy(domain,lp_workgroup());
2810 }
2811
2812 if(!*user) {
2813 fstrcpy(user, state->request->data.chng_pswd_auth_crap.user);
2814 }
2815
2816 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n",
2817 (unsigned long)state->pid, domain, user));
2818
2819 /* Change password */
2820 new_nt_password = data_blob_const(
2821 state->request->data.chng_pswd_auth_crap.new_nt_pswd,
2822 state->request->data.chng_pswd_auth_crap.new_nt_pswd_len);
2823
2824 old_nt_hash_enc = data_blob_const(
2825 state->request->data.chng_pswd_auth_crap.old_nt_hash_enc,
2826 state->request->data.chng_pswd_auth_crap.old_nt_hash_enc_len);
2827
2828 if(state->request->data.chng_pswd_auth_crap.new_lm_pswd_len > 0) {
2829 new_lm_password = data_blob_const(
2830 state->request->data.chng_pswd_auth_crap.new_lm_pswd,
2831 state->request->data.chng_pswd_auth_crap.new_lm_pswd_len);
2832
2833 old_lm_hash_enc = data_blob_const(
2834 state->request->data.chng_pswd_auth_crap.old_lm_hash_enc,
2835 state->request->data.chng_pswd_auth_crap.old_lm_hash_enc_len);
2836 } else {
2837 new_lm_password = data_blob_null;
2838 old_lm_hash_enc = data_blob_null;
2839 }
2840
2841 /* Get sam handle */
2842
2843 result = cm_connect_sam(contact_domain, state->mem_ctx, true, &cli, &dom_pol);
2844 if (!NT_STATUS_IS_OK(result)) {
2845 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
2846 goto done;
2847 }
2848
2849 b = cli->binding_handle;
2850
2851 result = rpccli_samr_chng_pswd_auth_crap(
2852 cli, state->mem_ctx, user, new_nt_password, old_nt_hash_enc,
2853 new_lm_password, old_lm_hash_enc);
2854
2855 done:
2856
2857 if (strequal(contact_domain->name, get_global_sam_name())) {
2858 /* FIXME: internal rpc pipe does not cache handles yet */
2859 if (b) {
2860 if (is_valid_policy_hnd(&dom_pol)) {
2861 NTSTATUS _result;
2862 dcerpc_samr_Close(b, state->mem_ctx, &dom_pol, &_result);
2863 }
2864 TALLOC_FREE(cli);
2865 }
2866 }
2867
2868 set_auth_errors(state->response, result);
2869
2870 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2871 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2872 domain, user,
2873 state->response->data.auth.nt_status_string,
2874 state->response->data.auth.pam_error));
2875
2876 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2877 }
2878
2879 #ifdef HAVE_KRB5
2880 static NTSTATUS extract_pac_vrfy_sigs(TALLOC_CTX *mem_ctx, DATA_BLOB pac_blob,
2881 struct PAC_DATA **p_pac_data)
2882 {
2883 krb5_context krbctx = NULL;
2884 krb5_error_code k5ret;
2885 krb5_keytab keytab;
2886 krb5_kt_cursor cursor;
2887 krb5_keytab_entry entry;
2888 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
2889
2890 ZERO_STRUCT(entry);
2891 ZERO_STRUCT(cursor);
2892
2893 k5ret = krb5_init_context(&krbctx);
2894 if (k5ret) {
2895 DEBUG(1, ("Failed to initialize kerberos context: %s\n",
2896 error_message(k5ret)));
2897 status = krb5_to_nt_status(k5ret);
2898 goto out;
2899 }
2900
2901 k5ret = gse_krb5_get_server_keytab(krbctx, &keytab);
2902 if (k5ret) {
2903 DEBUG(1, ("Failed to get keytab: %s\n",
2904 error_message(k5ret)));
2905 status = krb5_to_nt_status(k5ret);
2906 goto out_free;
2907 }
2908
2909 k5ret = krb5_kt_start_seq_get(krbctx, keytab, &cursor);
2910 if (k5ret) {
2911 DEBUG(1, ("Failed to start seq: %s\n",
2912 error_message(k5ret)));
2913 status = krb5_to_nt_status(k5ret);
2914 goto out_keytab;
2915 }
2916
2917 k5ret = krb5_kt_next_entry(krbctx, keytab, &entry, &cursor);
2918 while (k5ret == 0) {
2919 status = kerberos_decode_pac(mem_ctx,
2920 pac_blob,
2921 krbctx,
2922 NULL, /* krbtgt_keyblock */
2923 KRB5_KT_KEY(&entry), /* service_keyblock */
2924 NULL, /* client_principal */
2925 0, /* tgs_authtime */
2926 p_pac_data);
2927 if (NT_STATUS_IS_OK(status)) {
2928 break;
2929 }
2930 k5ret = smb_krb5_kt_free_entry(krbctx, &entry);
2931 k5ret = krb5_kt_next_entry(krbctx, keytab, &entry, &cursor);
2932 }
2933
2934 k5ret = krb5_kt_end_seq_get(krbctx, keytab, &cursor);
2935 if (k5ret) {
2936 DEBUG(1, ("Failed to end seq: %s\n",
2937 error_message(k5ret)));
2938 }
2939 out_keytab:
2940 k5ret = krb5_kt_close(krbctx, keytab);
2941 if (k5ret) {
2942 DEBUG(1, ("Failed to close keytab: %s\n",
2943 error_message(k5ret)));
2944 }
2945 out_free:
2946 krb5_free_context(krbctx);
2947 out:
2948 return status;
2949 }
2950
2951 NTSTATUS winbindd_pam_auth_pac_verify(struct winbindd_cli_state *state,
2952 bool *p_is_trusted,
2953 uint16_t *p_validation_level,
2954 union netr_Validation **p_validation)
2955 {
2956 struct winbindd_request *req = state->request;
2957 DATA_BLOB pac_blob;
2958 struct PAC_DATA *pac_data = NULL;
2959 struct PAC_LOGON_INFO *logon_info = NULL;
2960 struct PAC_UPN_DNS_INFO *upn_dns_info = NULL;
2961 struct netr_SamInfo6 *info6 = NULL;
2962 uint16_t validation_level = 0;
2963 union netr_Validation *validation = NULL;
2964 struct netr_SamInfo3 *info3_copy = NULL;
2965 NTSTATUS result;
2966 bool is_trusted = false;
2967 uint32_t i;
2968
2969 *p_is_trusted = false;
2970 *p_validation_level = 0;
2971 *p_validation = NULL;
2972
2973 pac_blob = data_blob_const(req->extra_data.data, req->extra_len);
2974 result = extract_pac_vrfy_sigs(state->mem_ctx, pac_blob, &pac_data);
2975 if (NT_STATUS_IS_OK(result)) {
2976 is_trusted = true;
2977 }
2978 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
2979 /* Try without signature verification */
2980 result = kerberos_decode_pac(state->mem_ctx,
2981 pac_blob,
2982 NULL, /* krb5_context */
2983 NULL, /* krbtgt_keyblock */
2984 NULL, /* service_keyblock */
2985 NULL, /* client_principal */
2986 0, /* tgs_authtime */
2987 &pac_data);
2988 }
2989 if (!NT_STATUS_IS_OK(result)) {
2990 DEBUG(1, ("Error during PAC signature verification: %s\n",
2991 nt_errstr(result)));
2992 return result;
2993 }
2994
2995 for (i=0; i < pac_data->num_buffers; i++) {
2996 if (pac_data->buffers[i].type == PAC_TYPE_LOGON_INFO) {
2997 logon_info = pac_data->buffers[i].info->logon_info.info;
2998 continue;
2999 }
3000 if (pac_data->buffers[i].type == PAC_TYPE_UPN_DNS_INFO) {
3001 upn_dns_info = &pac_data->buffers[i].info->upn_dns_info;
3002 continue;
3003 }
3004 }
3005
3006 result = create_info6_from_pac(state->mem_ctx,
3007 logon_info,
3008 upn_dns_info,
3009 &info6);
3010 if (!NT_STATUS_IS_OK(result)) {
3011 return result;
3012 }
3013
3014 result = map_info6_to_validation(state->mem_ctx,
3015 info6,
3016 &validation_level,
3017 &validation);
3018 if (!NT_STATUS_IS_OK(result)) {
3019 return result;
3020 }
3021
3022 result = map_validation_to_info3(state->mem_ctx,
3023 validation_level,
3024 validation,
3025 &info3_copy);
3026 if (!NT_STATUS_IS_OK(result)) {
3027 return result;
3028 }
3029
3030 if (is_trusted) {
3031 /*
3032 * Signature verification succeeded, we can
3033 * trust the PAC and prime the netsamlogon
3034 * and name2sid caches. DO NOT DO THIS
3035 * in the signature verification failed
3036 * code path.
3037 */
3038 struct winbindd_domain *domain = NULL;
3039
3040 netsamlogon_cache_store(NULL, info3_copy);
3041
3042 /*
3043 * We're in the parent here, so find the child
3044 * pointer from the PAC domain name.
3045 */
3046 domain = find_lookup_domain_from_name(
3047 info3_copy->base.logon_domain.string);
3048 if (domain && domain->primary ) {
3049 struct dom_sid user_sid;
3050
3051 sid_compose(&user_sid,
3052 info3_copy->base.domain_sid,
3053 info3_copy->base.rid);
3054
3055 cache_name2sid_trusted(domain,
3056 info3_copy->base.logon_domain.string,
3057 info3_copy->base.account_name.string,
3058 SID_NAME_USER,
3059 &user_sid);
3060
3061 DBG_INFO("PAC for user %s\\%s SID %s primed cache\n",
3062 info3_copy->base.logon_domain.string,
3063 info3_copy->base.account_name.string,
3064 sid_string_dbg(&user_sid));
3065 }
3066 }
3067
3068 *p_is_trusted = is_trusted;
3069 *p_validation_level = validation_level;
3070 *p_validation = validation;
3071 return NT_STATUS_OK;
3072 }
3073 #else /* HAVE_KRB5 */
3074 NTSTATUS winbindd_pam_auth_pac_verify(struct winbindd_cli_state *state,
3075 bool *p_is_trusted,
3076 uint16_t *p_validation_level,
3077 union netr_Validation **p_validation);
3078 {
3079
3080 *p_is_trusted = false;
3081 *p_validation_level = 0;
3082 *p_validation = NULL;
3083 return NT_STATUS_NO_SUCH_USER;
3084 }
3085 #endif /* HAVE_KRB5 */
Samba GIT mirror