search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
tests/krb5: Fix method for creating invalid length zeroed checksum
[Samba.git] / source3 / winbindd / winbindd_pam.c
blobc49033b375dfc43ef14fe11968ddca1c333c8f20
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon - pam auth funcions
5
6 Copyright (C) Andrew Tridgell 2000
7 Copyright (C) Tim Potter 2001
8 Copyright (C) Andrew Bartlett 2001-2002
9 Copyright (C) Guenther Deschner 2005
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 */
24
25 #include "includes.h"
26 #include "winbindd.h"
27 #include "libsmb/namequery.h"
28 #include "../libcli/auth/libcli_auth.h"
29 #include "../librpc/gen_ndr/ndr_samr_c.h"
30 #include "rpc_client/cli_pipe.h"
31 #include "rpc_client/cli_samr.h"
32 #include "../librpc/gen_ndr/ndr_netlogon.h"
33 #include "rpc_client/cli_netlogon.h"
34 #include "smb_krb5.h"
35 #include "../libcli/security/security.h"
36 #include "ads.h"
37 #include "../librpc/gen_ndr/krb5pac.h"
38 #include "passdb/machine_sid.h"
39 #include "auth.h"
40 #include "../lib/tsocket/tsocket.h"
41 #include "auth/kerberos/pac_utils.h"
42 #include "auth/gensec/gensec.h"
43 #include "librpc/crypto/gse_krb5.h"
44 #include "lib/afs/afs_funcs.h"
45 #include "libsmb/samlogon_cache.h"
46 #include "rpc_client/util_netlogon.h"
47 #include "param/param.h"
48 #include "messaging/messaging.h"
49 #include "lib/crypto/gnutls_helpers.h"
50
51 #include "lib/crypto/gnutls_helpers.h"
52 #include <gnutls/crypto.h>
53
54 #undef DBGC_CLASS
55 #define DBGC_CLASS DBGC_WINBIND
56
57 #define LOGON_KRB5_FAIL_CLOCK_SKEW 0x02000000
58
59 static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx,
60 struct winbindd_response *resp,
61 uint16_t validation_level,
62 union netr_Validation *validation)
63 {
64 struct netr_SamInfo3 *info3 = NULL;
65 char *ex = NULL;
66 uint32_t i;
67 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
68 TALLOC_CTX *frame = talloc_stackframe();
69
70 status = map_validation_to_info3(frame,
71 validation_level,
72 validation,
73 &info3);
74 if (!NT_STATUS_IS_OK(status)) {
75 goto out;
76 }
77
78 resp->data.auth.info3.logon_time =
79 nt_time_to_unix(info3->base.logon_time);
80 resp->data.auth.info3.logoff_time =
81 nt_time_to_unix(info3->base.logoff_time);
82 resp->data.auth.info3.kickoff_time =
83 nt_time_to_unix(info3->base.kickoff_time);
84 resp->data.auth.info3.pass_last_set_time =
85 nt_time_to_unix(info3->base.last_password_change);
86 resp->data.auth.info3.pass_can_change_time =
87 nt_time_to_unix(info3->base.allow_password_change);
88 resp->data.auth.info3.pass_must_change_time =
89 nt_time_to_unix(info3->base.force_password_change);
90
91 resp->data.auth.info3.logon_count = info3->base.logon_count;
92 resp->data.auth.info3.bad_pw_count = info3->base.bad_password_count;
93
94 resp->data.auth.info3.user_rid = info3->base.rid;
95 resp->data.auth.info3.group_rid = info3->base.primary_gid;
96 sid_to_fstring(resp->data.auth.info3.dom_sid, info3->base.domain_sid);
97
98 resp->data.auth.info3.num_groups = info3->base.groups.count;
99 resp->data.auth.info3.user_flgs = info3->base.user_flags;
100
101 resp->data.auth.info3.acct_flags = info3->base.acct_flags;
102 resp->data.auth.info3.num_other_sids = info3->sidcount;
103
104 fstrcpy(resp->data.auth.info3.user_name,
105 info3->base.account_name.string);
106 fstrcpy(resp->data.auth.info3.full_name,
107 info3->base.full_name.string);
108 fstrcpy(resp->data.auth.info3.logon_script,
109 info3->base.logon_script.string);
110 fstrcpy(resp->data.auth.info3.profile_path,
111 info3->base.profile_path.string);
112 fstrcpy(resp->data.auth.info3.home_dir,
113 info3->base.home_directory.string);
114 fstrcpy(resp->data.auth.info3.dir_drive,
115 info3->base.home_drive.string);
116
117 fstrcpy(resp->data.auth.info3.logon_srv,
118 info3->base.logon_server.string);
119 fstrcpy(resp->data.auth.info3.logon_dom,
120 info3->base.logon_domain.string);
121
122 resp->data.auth.validation_level = validation_level;
123 if (validation_level == 6) {
124 fstrcpy(resp->data.auth.info6.dns_domainname,
125 validation->sam6->dns_domainname.string);
126 fstrcpy(resp->data.auth.info6.principal_name,
127 validation->sam6->principal_name.string);
128 }
129
130 ex = talloc_strdup(frame, "");
131 if (ex == NULL) {
132 status = NT_STATUS_NO_MEMORY;
133 goto out;
134 }
135
136 for (i=0; i < info3->base.groups.count; i++) {
137 ex = talloc_asprintf_append_buffer(ex, "0x%08X:0x%08X\n",
138 info3->base.groups.rids[i].rid,
139 info3->base.groups.rids[i].attributes);
140 if (ex == NULL) {
141 status = NT_STATUS_NO_MEMORY;
142 goto out;
143 }
144 }
145
146 for (i=0; i < info3->sidcount; i++) {
147 struct dom_sid_buf sidbuf;
148
149 ex = talloc_asprintf_append_buffer(
150 ex,
151 "%s:0x%08X\n",
152 dom_sid_str_buf(info3->sids[i].sid, &sidbuf),
153 info3->sids[i].attributes);
154 if (ex == NULL) {
155 status = NT_STATUS_NO_MEMORY;
156 goto out;
157 }
158 }
159
160 resp->length += talloc_get_size(ex);
161 resp->extra_data.data = talloc_move(mem_ctx, &ex);
162
163 status = NT_STATUS_OK;
164 out:
165 TALLOC_FREE(frame);
166 return status;
167 }
168
169 static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx,
170 struct winbindd_response *resp,
171 struct netr_SamInfo3 *info3)
172 {
173 DATA_BLOB blob;
174 enum ndr_err_code ndr_err;
175
176 ndr_err = ndr_push_struct_blob(&blob, mem_ctx, info3,
177 (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3);
178 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
179 DEBUG(0,("append_info3_as_ndr: failed to append\n"));
180 return ndr_map_error2ntstatus(ndr_err);
181 }
182
183 resp->extra_data.data = blob.data;
184 resp->length += blob.length;
185
186 return NT_STATUS_OK;
187 }
188
189 static NTSTATUS append_unix_username(TALLOC_CTX *mem_ctx,
190 struct winbindd_response *resp,
191 const struct netr_SamInfo3 *info3,
192 const char *name_domain,
193 const char *name_user)
194 {
195 /* We've been asked to return the unix username, per
196 'winbind use default domain' settings and the like */
197
198 const char *nt_username, *nt_domain, *unix_username;
199
200 nt_domain = talloc_strdup(mem_ctx, info3->base.logon_domain.string);
201 if (!nt_domain) {
202 /* If the server didn't give us one, just use the one
203 * we sent them */
204 nt_domain = name_domain;
205 }
206
207 nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
208 if (!nt_username) {
209 /* If the server didn't give us one, just use the one
210 * we sent them */
211 nt_username = name_user;
212 }
213
214 unix_username = fill_domain_username_talloc(mem_ctx,
215 nt_domain,
216 nt_username,
217 true);
218 if (unix_username == NULL) {
219 return NT_STATUS_NO_MEMORY;
220 }
221
222 fstrcpy(resp->data.auth.unix_username, unix_username);
223
224 DEBUG(5, ("Setting unix username to [%s]\n",
225 resp->data.auth.unix_username));
226
227 return NT_STATUS_OK;
228 }
229
230 static NTSTATUS append_afs_token(TALLOC_CTX *mem_ctx,
231 struct winbindd_response *resp,
232 const struct netr_SamInfo3 *info3,
233 const char *name_domain,
234 const char *name_user)
235 {
236 char *afsname = NULL;
237 char *cell;
238 char *token;
239
240 afsname = talloc_strdup(mem_ctx, lp_afs_username_map());
241 if (afsname == NULL) {
242 return NT_STATUS_NO_MEMORY;
243 }
244
245 afsname = talloc_string_sub(mem_ctx,
246 lp_afs_username_map(),
247 "%D", name_domain);
248 afsname = talloc_string_sub(mem_ctx, afsname,
249 "%u", name_user);
250 afsname = talloc_string_sub(mem_ctx, afsname,
251 "%U", name_user);
252
253 {
254 struct dom_sid user_sid;
255 struct dom_sid_buf sidstr;
256
257 sid_compose(&user_sid, info3->base.domain_sid,
258 info3->base.rid);
259 afsname = talloc_string_sub(
260 mem_ctx,
261 afsname,
262 "%s",
263 dom_sid_str_buf(&user_sid, &sidstr));
264 }
265
266 if (afsname == NULL) {
267 return NT_STATUS_NO_MEMORY;
268 }
269
270 if (!strlower_m(afsname)) {
271 return NT_STATUS_INVALID_PARAMETER;
272 }
273
274 DEBUG(10, ("Generating token for user %s\n", afsname));
275
276 cell = strchr(afsname, '@');
277
278 if (cell == NULL) {
279 return NT_STATUS_NO_MEMORY;
280 }
281
282 *cell = '\0';
283 cell += 1;
284
285 token = afs_createtoken_str(afsname, cell);
286 if (token == NULL) {
287 return NT_STATUS_OK;
288 }
289 resp->extra_data.data = talloc_strdup(mem_ctx, token);
290 if (resp->extra_data.data == NULL) {
291 return NT_STATUS_NO_MEMORY;
292 }
293 resp->length += strlen((const char *)resp->extra_data.data)+1;
294
295 return NT_STATUS_OK;
296 }
297
298 static NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
299 const char *group_sid)
300 /**
301 * Check whether a user belongs to a group or list of groups.
302 *
303 * @param mem_ctx talloc memory context.
304 * @param info3 user information, including group membership info.
305 * @param group_sid One or more groups , separated by commas.
306 *
307 * @return NT_STATUS_OK on success,
308 * NT_STATUS_LOGON_FAILURE if the user does not belong,
309 * or other NT_STATUS_IS_ERR(status) for other kinds of failure.
310 */
311 {
312 struct dom_sid *require_membership_of_sid;
313 uint32_t num_require_membership_of_sid;
314 char *req_sid;
315 const char *p;
316 struct dom_sid sid;
317 size_t i;
318 struct security_token *token;
319 TALLOC_CTX *frame = talloc_stackframe();
320 NTSTATUS status;
321
322 /* Parse the 'required group' SID */
323
324 if (!group_sid || !group_sid[0]) {
325 /* NO sid supplied, all users may access */
326 TALLOC_FREE(frame);
327 return NT_STATUS_OK;
328 }
329
330 token = talloc_zero(talloc_tos(), struct security_token);
331 if (token == NULL) {
332 DEBUG(0, ("talloc failed\n"));
333 TALLOC_FREE(frame);
334 return NT_STATUS_NO_MEMORY;
335 }
336
337 num_require_membership_of_sid = 0;
338 require_membership_of_sid = NULL;
339
340 p = group_sid;
341
342 while (next_token_talloc(talloc_tos(), &p, &req_sid, ",")) {
343 if (!string_to_sid(&sid, req_sid)) {
344 DEBUG(0, ("check_info3_in_group: could not parse %s "
345 "as a SID!", req_sid));
346 TALLOC_FREE(frame);
347 return NT_STATUS_INVALID_PARAMETER;
348 }
349
350 status = add_sid_to_array(talloc_tos(), &sid,
351 &require_membership_of_sid,
352 &num_require_membership_of_sid);
353 if (!NT_STATUS_IS_OK(status)) {
354 DEBUG(0, ("add_sid_to_array failed\n"));
355 TALLOC_FREE(frame);
356 return status;
357 }
358 }
359
360 status = sid_array_from_info3(talloc_tos(), info3,
361 &token->sids,
362 &token->num_sids,
363 true);
364 if (!NT_STATUS_IS_OK(status)) {
365 TALLOC_FREE(frame);
366 return status;
367 }
368
369 if (!NT_STATUS_IS_OK(status = add_aliases(get_global_sam_sid(),
370 token))
371 || !NT_STATUS_IS_OK(status = add_aliases(&global_sid_Builtin,
372 token))) {
373 DEBUG(3, ("could not add aliases: %s\n",
374 nt_errstr(status)));
375 TALLOC_FREE(frame);
376 return status;
377 }
378
379 security_token_debug(DBGC_CLASS, 10, token);
380
381 for (i=0; i<num_require_membership_of_sid; i++) {
382 struct dom_sid_buf buf;
383 DEBUG(10, ("Checking SID %s\n",
384 dom_sid_str_buf(&require_membership_of_sid[i],
385 &buf)));
386 if (nt_token_check_sid(&require_membership_of_sid[i],
387 token)) {
388 DEBUG(10, ("Access ok\n"));
389 TALLOC_FREE(frame);
390 return NT_STATUS_OK;
391 }
392 }
393
394 /* Do not distinguish this error from a wrong username/pw */
395
396 TALLOC_FREE(frame);
397 return NT_STATUS_LOGON_FAILURE;
398 }
399
400 struct winbindd_domain *find_auth_domain(uint8_t flags,
401 const char *domain_name)
402 {
403 struct winbindd_domain *domain;
404
405 if (IS_DC) {
406 domain = find_domain_from_name_noinit(domain_name);
407 if (domain == NULL) {
408 DEBUG(3, ("Authentication for domain [%s] refused "
409 "as it is not a trusted domain\n",
410 domain_name));
411 return NULL;
412 }
413
414 if (domain->secure_channel_type != SEC_CHAN_NULL) {
415 return domain;
416 }
417
418 return domain->routing_domain;
419 }
420
421 if (strequal(domain_name, get_global_sam_name())) {
422 return find_domain_from_name_noinit(domain_name);
423 }
424
425 if (lp_winbind_use_krb5_enterprise_principals()) {
426 /*
427 * If we use enterprise principals
428 * we always go trough our primary domain
429 * and follow the WRONG_REALM replies.
430 */
431 flags &= ~WBFLAG_PAM_CONTACT_TRUSTDOM;
432 }
433
434 /* we can auth against trusted domains */
435 if (flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
436 domain = find_domain_from_name_noinit(domain_name);
437 if (domain == NULL) {
438 DEBUG(3, ("Authentication for domain [%s] skipped "
439 "as it is not a trusted domain\n",
440 domain_name));
441 } else {
442 return domain;
443 }
444 }
445
446 return find_our_domain();
447 }
448
449 static void fake_password_policy(struct winbindd_response *r,
450 const struct netr_SamBaseInfo *bi)
451 {
452 NTTIME min_password_age;
453 NTTIME max_password_age;
454
455 if (bi->allow_password_change > bi->last_password_change) {
456 min_password_age = bi->allow_password_change -
457 bi->last_password_change;
458 } else {
459 min_password_age = 0;
460 }
461
462 if (bi->force_password_change > bi->last_password_change) {
463 max_password_age = bi->force_password_change -
464 bi->last_password_change;
465 } else {
466 max_password_age = 0;
467 }
468
469 r->data.auth.policy.min_length_password = 0;
470 r->data.auth.policy.password_history = 0;
471 r->data.auth.policy.password_properties = 0;
472 r->data.auth.policy.expire =
473 nt_time_to_unix_abs(&max_password_age);
474 r->data.auth.policy.min_passwordage =
475 nt_time_to_unix_abs(&min_password_age);
476 }
477
478 static void fill_in_password_policy(struct winbindd_response *r,
479 const struct samr_DomInfo1 *p)
480 {
481 r->data.auth.policy.min_length_password =
482 p->min_password_length;
483 r->data.auth.policy.password_history =
484 p->password_history_length;
485 r->data.auth.policy.password_properties =
486 p->password_properties;
487 r->data.auth.policy.expire =
488 nt_time_to_unix_abs((const NTTIME *)&(p->max_password_age));
489 r->data.auth.policy.min_passwordage =
490 nt_time_to_unix_abs((const NTTIME *)&(p->min_password_age));
491 }
492
493 static NTSTATUS fillup_password_policy(struct winbindd_domain *domain,
494 struct winbindd_response *response)
495 {
496 TALLOC_CTX *frame = talloc_stackframe();
497 NTSTATUS status;
498 struct samr_DomInfo1 password_policy;
499
500 if ( !winbindd_can_contact_domain( domain ) ) {
501 DEBUG(5,("fillup_password_policy: No inbound trust to "
502 "contact domain %s\n", domain->name));
503 status = NT_STATUS_NOT_SUPPORTED;
504 goto done;
505 }
506
507 status = wb_cache_password_policy(domain, talloc_tos(),
508 &password_policy);
509 if (NT_STATUS_IS_ERR(status)) {
510 goto done;
511 }
512
513 fill_in_password_policy(response, &password_policy);
514
515 done:
516 TALLOC_FREE(frame);
517 return NT_STATUS_OK;
518 }
519
520 static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain *domain,
521 TALLOC_CTX *mem_ctx,
522 uint16_t *lockout_threshold)
523 {
524 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
525 struct samr_DomInfo12 lockout_policy;
526
527 *lockout_threshold = 0;
528
529 status = wb_cache_lockout_policy(domain, mem_ctx, &lockout_policy);
530 if (NT_STATUS_IS_ERR(status)) {
531 return status;
532 }
533
534 *lockout_threshold = lockout_policy.lockout_threshold;
535
536 return NT_STATUS_OK;
537 }
538
539 static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
540 TALLOC_CTX *mem_ctx,
541 uint32_t *password_properties)
542 {
543 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
544 struct samr_DomInfo1 password_policy;
545
546 *password_properties = 0;
547
548 status = wb_cache_password_policy(domain, mem_ctx, &password_policy);
549 if (NT_STATUS_IS_ERR(status)) {
550 return status;
551 }
552
553 *password_properties = password_policy.password_properties;
554
555 return NT_STATUS_OK;
556 }
557
558 #ifdef HAVE_KRB5
559
560 static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
561 const char *type,
562 uid_t uid,
563 const char **user_ccache_file)
564 {
565 /* accept FILE and WRFILE as krb5_cc_type from the client and then
566 * build the full ccname string based on the user's uid here -
567 * Guenther*/
568
569 const char *gen_cc = NULL;
570
571 if (uid != -1) {
572 if (strequal(type, "FILE")) {
573 gen_cc = talloc_asprintf(
574 mem_ctx, "FILE:/tmp/krb5cc_%d", uid);
575 }
576 if (strequal(type, "WRFILE")) {
577 gen_cc = talloc_asprintf(
578 mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
579 }
580 if (strequal(type, "KEYRING")) {
581 gen_cc = talloc_asprintf(
582 mem_ctx, "KEYRING:persistent:%d", uid);
583 }
584 if (strequal(type, "KCM")) {
585 gen_cc = talloc_asprintf(mem_ctx,
586 "KCM:%d",
587 uid);
588 }
589
590 if (strnequal(type, "FILE:/", 6) ||
591 strnequal(type, "WRFILE:/", 8) ||
592 strnequal(type, "DIR:/", 5)) {
593
594 /* we allow only one "%u" substitution */
595
596 char *p;
597
598 p = strchr(type, '%');
599 if (p != NULL) {
600
601 p++;
602
603 if (p != NULL && *p == 'u' && strchr(p, '%') == NULL) {
604 char uid_str[sizeof("18446744073709551615")];
605
606 snprintf(uid_str, sizeof(uid_str), "%u", uid);
607
608 gen_cc = talloc_string_sub2(mem_ctx,
609 type,
610 "%u",
611 uid_str,
612 /* remove_unsafe_characters */
613 false,
614 /* replace_once */
615 true,
616 /* allow_trailing_dollar */
617 false);
618 }
619 }
620 }
621 }
622
623 *user_ccache_file = gen_cc;
624
625 if (gen_cc == NULL) {
626 gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbindd_pam_ccache");
627 }
628 if (gen_cc == NULL) {
629 DEBUG(0,("out of memory\n"));
630 return NULL;
631 }
632
633 DEBUG(10, ("using ccache: %s%s\n", gen_cc,
634 (*user_ccache_file == NULL) ? " (internal)":""));
635
636 return gen_cc;
637 }
638
639 #endif
640
641 uid_t get_uid_from_request(struct winbindd_request *request)
642 {
643 uid_t uid;
644
645 uid = request->data.auth.uid;
646
647 if (uid == (uid_t)-1) {
648 DEBUG(1,("invalid uid: '%u'\n", (unsigned int)uid));
649 return -1;
650 }
651 return uid;
652 }
653
654 /**********************************************************************
655 Authenticate a user with a clear text password using Kerberos and fill up
656 ccache if required
657 **********************************************************************/
658
659 static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
660 struct winbindd_domain *domain,
661 const char *user,
662 const char *pass,
663 const char *krb5_cc_type,
664 uid_t uid,
665 struct netr_SamInfo6 **info6,
666 fstring krb5ccname)
667 {
668 #ifdef HAVE_KRB5
669 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
670 krb5_error_code krb5_ret;
671 const char *cc = NULL;
672 const char *principal_s = NULL;
673 const char *service = NULL;
674 char *realm = NULL;
675 fstring name_namespace, name_domain, name_user;
676 time_t ticket_lifetime = 0;
677 time_t renewal_until = 0;
678 ADS_STRUCT *ads;
679 time_t time_offset = 0;
680 const char *user_ccache_file;
681 struct PAC_LOGON_INFO *logon_info = NULL;
682 struct PAC_UPN_DNS_INFO *upn_dns_info = NULL;
683 struct PAC_DATA *pac_data = NULL;
684 struct PAC_DATA_CTR *pac_data_ctr = NULL;
685 const char *local_service;
686 uint32_t i;
687 struct netr_SamInfo6 *info6_copy = NULL;
688 bool ok;
689
690 *info6 = NULL;
691
692 if (domain->alt_name == NULL) {
693 return NT_STATUS_INVALID_PARAMETER;
694 }
695
696 /* 1st step:
697 * prepare a krb5_cc_cache string for the user */
698
699 if (uid == -1) {
700 DEBUG(0,("no valid uid\n"));
701 }
702
703 cc = generate_krb5_ccache(mem_ctx,
704 krb5_cc_type,
705 uid,
706 &user_ccache_file);
707 if (cc == NULL) {
708 return NT_STATUS_NO_MEMORY;
709 }
710
711
712 /* 2nd step:
713 * get kerberos properties */
714
715 if (domain->private_data) {
716 ads = (ADS_STRUCT *)domain->private_data;
717 time_offset = ads->auth.time_offset;
718 }
719
720
721 /* 3rd step:
722 * do kerberos auth and setup ccache as the user */
723
724 ok = parse_domain_user(user, name_namespace, name_domain, name_user);
725 if (!ok) {
726 return NT_STATUS_INVALID_PARAMETER;
727 }
728
729 realm = talloc_strdup(mem_ctx, domain->alt_name);
730 if (realm == NULL) {
731 return NT_STATUS_NO_MEMORY;
732 }
733
734 if (!strupper_m(realm)) {
735 return NT_STATUS_INVALID_PARAMETER;
736 }
737
738 if (lp_winbind_use_krb5_enterprise_principals() &&
739 name_namespace[0] != '\0')
740 {
741 principal_s = talloc_asprintf(mem_ctx,
742 "%s@%s@%s",
743 name_user,
744 name_namespace,
745 realm);
746 } else {
747 principal_s = talloc_asprintf(mem_ctx,
748 "%s@%s",
749 name_user,
750 realm);
751 }
752 if (principal_s == NULL) {
753 return NT_STATUS_NO_MEMORY;
754 }
755
756 service = talloc_asprintf(mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
757 if (service == NULL) {
758 return NT_STATUS_NO_MEMORY;
759 }
760
761 local_service = talloc_asprintf(mem_ctx, "%s$@%s",
762 lp_netbios_name(), lp_realm());
763 if (local_service == NULL) {
764 return NT_STATUS_NO_MEMORY;
765 }
766
767
768 /* if this is a user ccache, we need to act as the user to let the krb5
769 * library handle the chown, etc. */
770
771 /************************ ENTERING NON-ROOT **********************/
772
773 if (user_ccache_file != NULL) {
774 set_effective_uid(uid);
775 DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
776 }
777
778 result = kerberos_return_pac(mem_ctx,
779 principal_s,
780 pass,
781 time_offset,
782 &ticket_lifetime,
783 &renewal_until,
784 cc,
785 true,
786 true,
787 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
788 NULL,
789 local_service,
790 &pac_data_ctr);
791 if (user_ccache_file != NULL) {
792 gain_root_privilege();
793 }
794
795 /************************ RETURNED TO ROOT **********************/
796
797 if (!NT_STATUS_IS_OK(result)) {
798 goto failed;
799 }
800
801 if (pac_data_ctr == NULL) {
802 goto failed;
803 }
804
805 pac_data = pac_data_ctr->pac_data;
806 if (pac_data == NULL) {
807 goto failed;
808 }
809
810 for (i=0; i < pac_data->num_buffers; i++) {
811
812 if (pac_data->buffers[i].type == PAC_TYPE_LOGON_INFO) {
813 logon_info = pac_data->buffers[i].info->logon_info.info;
814 continue;
815 }
816
817 if (pac_data->buffers[i].type == PAC_TYPE_UPN_DNS_INFO) {
818 upn_dns_info = &pac_data->buffers[i].info->upn_dns_info;
819 continue;
820 }
821 }
822
823 if (logon_info == NULL) {
824 DEBUG(10,("Missing logon_info in ticket of %s\n",
825 principal_s));
826 return NT_STATUS_INVALID_PARAMETER;
827 }
828
829 DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
830 principal_s));
831
832 result = create_info6_from_pac(mem_ctx, logon_info,
833 upn_dns_info, &info6_copy);
834 if (!NT_STATUS_IS_OK(result)) {
835 goto failed;
836 }
837
838 /* if we had a user's ccache then return that string for the pam
839 * environment */
840
841 if (user_ccache_file != NULL) {
842
843 fstrcpy(krb5ccname, user_ccache_file);
844
845 result = add_ccache_to_list(principal_s,
846 cc,
847 service,
848 user,
849 pass,
850 realm,
851 uid,
852 time(NULL),
853 ticket_lifetime,
854 renewal_until,
855 false);
856
857 if (!NT_STATUS_IS_OK(result)) {
858 DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
859 nt_errstr(result)));
860 }
861 } else {
862
863 /* need to delete the memory cred cache, it is not used anymore */
864
865 krb5_ret = ads_kdestroy(cc);
866 if (krb5_ret) {
867 DEBUG(3,("winbindd_raw_kerberos_login: "
868 "could not destroy krb5 credential cache: "
869 "%s\n", error_message(krb5_ret)));
870 }
871
872 }
873 *info6 = info6_copy;
874 return NT_STATUS_OK;
875
876 failed:
877 /*
878 * Do not delete an existing valid credential cache, if the user
879 * e.g. enters a wrong password
880 */
881 if ((strequal(krb5_cc_type, "FILE") || strequal(krb5_cc_type, "WRFILE"))
882 && user_ccache_file != NULL) {
883 return result;
884 }
885
886 /* we could have created a new credential cache with a valid tgt in it
887 * but we werent able to get or verify the service ticket for this
888 * local host and therefor didn't get the PAC, we need to remove that
889 * cache entirely now */
890
891 krb5_ret = ads_kdestroy(cc);
892 if (krb5_ret) {
893 DEBUG(3,("winbindd_raw_kerberos_login: "
894 "could not destroy krb5 credential cache: "
895 "%s\n", error_message(krb5_ret)));
896 }
897
898 if (!NT_STATUS_IS_OK(remove_ccache(user))) {
899 DEBUG(3,("winbindd_raw_kerberos_login: "
900 "could not remove ccache for user %s\n",
901 user));
902 }
903
904 return result;
905 #else
906 return NT_STATUS_NOT_SUPPORTED;
907 #endif /* HAVE_KRB5 */
908 }
909
910 /****************************************************************
911 ****************************************************************/
912
913 bool check_request_flags(uint32_t flags)
914 {
915 uint32_t flags_edata = WBFLAG_PAM_AFS_TOKEN |
916 WBFLAG_PAM_INFO3_TEXT |
917 WBFLAG_PAM_INFO3_NDR;
918
919 if ( ( (flags & flags_edata) == WBFLAG_PAM_AFS_TOKEN) ||
920 ( (flags & flags_edata) == WBFLAG_PAM_INFO3_NDR) ||
921 ( (flags & flags_edata) == WBFLAG_PAM_INFO3_TEXT)||
922 !(flags & flags_edata) ) {
923 return true;
924 }
925
926 DEBUG(1, ("check_request_flags: invalid request flags[0x%08X]\n",
927 flags));
928
929 return false;
930 }
931
932 /****************************************************************
933 ****************************************************************/
934
935 NTSTATUS append_auth_data(TALLOC_CTX *mem_ctx,
936 struct winbindd_response *resp,
937 uint32_t request_flags,
938 uint16_t validation_level,
939 union netr_Validation *validation,
940 const char *name_domain,
941 const char *name_user)
942 {
943 struct netr_SamInfo3 *info3 = NULL;
944 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
945
946 result = map_validation_to_info3(talloc_tos(),
947 validation_level,
948 validation,
949 &info3);
950 if (!NT_STATUS_IS_OK(result)) {
951 goto out;
952 }
953
954 if (request_flags & WBFLAG_PAM_USER_SESSION_KEY) {
955 memcpy(resp->data.auth.user_session_key,
956 info3->base.key.key,
957 sizeof(resp->data.auth.user_session_key)
958 /* 16 */);
959 }
960
961 if (request_flags & WBFLAG_PAM_LMKEY) {
962 memcpy(resp->data.auth.first_8_lm_hash,
963 info3->base.LMSessKey.key,
964 sizeof(resp->data.auth.first_8_lm_hash)
965 /* 8 */);
966 }
967
968 if (request_flags & WBFLAG_PAM_UNIX_NAME) {
969 result = append_unix_username(mem_ctx, resp,
970 info3, name_domain, name_user);
971 if (!NT_STATUS_IS_OK(result)) {
972 DEBUG(10,("Failed to append Unix Username: %s\n",
973 nt_errstr(result)));
974 goto out;
975 }
976 }
977
978 /* currently, anything from here on potentially overwrites extra_data. */
979
980 if (request_flags & WBFLAG_PAM_INFO3_NDR) {
981 result = append_info3_as_ndr(mem_ctx, resp, info3);
982 if (!NT_STATUS_IS_OK(result)) {
983 DEBUG(10,("Failed to append INFO3 (NDR): %s\n",
984 nt_errstr(result)));
985 goto out;
986 }
987 }
988
989 if (request_flags & WBFLAG_PAM_INFO3_TEXT) {
990 result = append_info3_as_txt(mem_ctx, resp,
991 validation_level,
992 validation);
993 if (!NT_STATUS_IS_OK(result)) {
994 DEBUG(10,("Failed to append INFO3 (TXT): %s\n",
995 nt_errstr(result)));
996 goto out;
997 }
998 }
999
1000 if (request_flags & WBFLAG_PAM_AFS_TOKEN) {
1001 result = append_afs_token(mem_ctx, resp,
1002 info3, name_domain, name_user);
1003 if (!NT_STATUS_IS_OK(result)) {
1004 DEBUG(10,("Failed to append AFS token: %s\n",
1005 nt_errstr(result)));
1006 goto out;
1007 }
1008 }
1009
1010 result = NT_STATUS_OK;
1011 out:
1012 TALLOC_FREE(info3);
1013 return result;
1014 }
1015
1016 static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
1017 struct winbindd_cli_state *state,
1018 struct netr_SamInfo3 **info3)
1019 {
1020 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
1021 uint16_t max_allowed_bad_attempts;
1022 fstring name_namespace, name_domain, name_user;
1023 struct dom_sid sid;
1024 enum lsa_SidType type;
1025 uchar new_nt_pass[NT_HASH_LEN];
1026 const uint8_t *cached_nt_pass;
1027 const uint8_t *cached_salt;
1028 struct netr_SamInfo3 *my_info3;
1029 time_t kickoff_time, must_change_time;
1030 bool password_good = false;
1031 bool ok;
1032 #ifdef HAVE_KRB5
1033 struct winbindd_tdc_domain *tdc_domain = NULL;
1034 #endif
1035
1036 *info3 = NULL;
1037
1038 ZERO_STRUCTP(info3);
1039
1040 DEBUG(10,("winbindd_dual_pam_auth_cached\n"));
1041
1042 /* Parse domain and username */
1043
1044 ok = parse_domain_user(state->request->data.auth.user,
1045 name_namespace,
1046 name_domain,
1047 name_user);
1048 if (!ok) {
1049 DBG_DEBUG("parse_domain_user failed\n");
1050 return NT_STATUS_NO_SUCH_USER;
1051 }
1052
1053 if (!lookup_cached_name(name_namespace,
1054 name_domain,
1055 name_user,
1056 &sid,
1057 &type)) {
1058 DEBUG(10,("winbindd_dual_pam_auth_cached: no such user in the cache\n"));
1059 return NT_STATUS_NO_SUCH_USER;
1060 }
1061
1062 if (type != SID_NAME_USER) {
1063 DEBUG(10,("winbindd_dual_pam_auth_cached: not a user (%s)\n", sid_type_lookup(type)));
1064 return NT_STATUS_LOGON_FAILURE;
1065 }
1066
1067 result = winbindd_get_creds(domain,
1068 state->mem_ctx,
1069 &sid,
1070 &my_info3,
1071 &cached_nt_pass,
1072 &cached_salt);
1073 if (!NT_STATUS_IS_OK(result)) {
1074 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get creds: %s\n", nt_errstr(result)));
1075 return result;
1076 }
1077
1078 *info3 = my_info3;
1079
1080 E_md4hash(state->request->data.auth.pass, new_nt_pass);
1081
1082 dump_data_pw("new_nt_pass", new_nt_pass, NT_HASH_LEN);
1083 dump_data_pw("cached_nt_pass", cached_nt_pass, NT_HASH_LEN);
1084 if (cached_salt) {
1085 dump_data_pw("cached_salt", cached_salt, NT_HASH_LEN);
1086 }
1087
1088 if (cached_salt) {
1089 /* In this case we didn't store the nt_hash itself,
1090 but the MD5 combination of salt + nt_hash. */
1091 uchar salted_hash[NT_HASH_LEN];
1092 gnutls_hash_hd_t hash_hnd = NULL;
1093 int rc;
1094
1095 rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
1096 if (rc < 0) {
1097 return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
1098 }
1099
1100 rc = gnutls_hash(hash_hnd, cached_salt, 16);
1101 if (rc < 0) {
1102 gnutls_hash_deinit(hash_hnd, NULL);
1103 return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
1104 }
1105 rc = gnutls_hash(hash_hnd, new_nt_pass, 16);
1106 if (rc < 0) {
1107 gnutls_hash_deinit(hash_hnd, NULL);
1108 return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
1109 }
1110 gnutls_hash_deinit(hash_hnd, salted_hash);
1111
1112 password_good = (memcmp(cached_nt_pass, salted_hash,
1113 NT_HASH_LEN) == 0);
1114 } else {
1115 /* Old cached cred - direct store of nt_hash (bad bad bad !). */
1116 password_good = (memcmp(cached_nt_pass, new_nt_pass,
1117 NT_HASH_LEN) == 0);
1118 }
1119
1120 if (password_good) {
1121
1122 /* User *DOES* know the password, update logon_time and reset
1123 * bad_pw_count */
1124
1125 my_info3->base.user_flags |= NETLOGON_CACHED_ACCOUNT;
1126
1127 if (my_info3->base.acct_flags & ACB_AUTOLOCK) {
1128 return NT_STATUS_ACCOUNT_LOCKED_OUT;
1129 }
1130
1131 if (my_info3->base.acct_flags & ACB_DISABLED) {
1132 return NT_STATUS_ACCOUNT_DISABLED;
1133 }
1134
1135 if (my_info3->base.acct_flags & ACB_WSTRUST) {
1136 return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
1137 }
1138
1139 if (my_info3->base.acct_flags & ACB_SVRTRUST) {
1140 return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
1141 }
1142
1143 if (my_info3->base.acct_flags & ACB_DOMTRUST) {
1144 return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
1145 }
1146
1147 if (!(my_info3->base.acct_flags & ACB_NORMAL)) {
1148 DEBUG(0,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
1149 my_info3->base.acct_flags));
1150 return NT_STATUS_LOGON_FAILURE;
1151 }
1152
1153 kickoff_time = nt_time_to_unix(my_info3->base.kickoff_time);
1154 if (kickoff_time != 0 && time(NULL) > kickoff_time) {
1155 return NT_STATUS_ACCOUNT_EXPIRED;
1156 }
1157
1158 must_change_time = nt_time_to_unix(my_info3->base.force_password_change);
1159 if (must_change_time != 0 && must_change_time < time(NULL)) {
1160 /* we allow grace logons when the password has expired */
1161 my_info3->base.user_flags |= NETLOGON_GRACE_LOGON;
1162 /* return NT_STATUS_PASSWORD_EXPIRED; */
1163 goto success;
1164 }
1165
1166 #ifdef HAVE_KRB5
1167 if ((state->request->flags & WBFLAG_PAM_KRB5) &&
1168 ((tdc_domain = wcache_tdc_fetch_domain(state->mem_ctx, name_domain)) != NULL) &&
1169 ((tdc_domain->trust_type & LSA_TRUST_TYPE_UPLEVEL) ||
1170 /* used to cope with the case winbindd starting without network. */
1171 !strequal(tdc_domain->domain_name, tdc_domain->dns_name))) {
1172
1173 uid_t uid = -1;
1174 const char *cc = NULL;
1175 char *realm = NULL;
1176 const char *principal_s = NULL;
1177 const char *service = NULL;
1178 const char *user_ccache_file;
1179
1180 if (domain->alt_name == NULL) {
1181 return NT_STATUS_INVALID_PARAMETER;
1182 }
1183
1184 uid = get_uid_from_request(state->request);
1185 if (uid == -1) {
1186 DEBUG(0,("winbindd_dual_pam_auth_cached: invalid uid\n"));
1187 return NT_STATUS_INVALID_PARAMETER;
1188 }
1189
1190 cc = generate_krb5_ccache(state->mem_ctx,
1191 state->request->data.auth.krb5_cc_type,
1192 state->request->data.auth.uid,
1193 &user_ccache_file);
1194 if (cc == NULL) {
1195 return NT_STATUS_NO_MEMORY;
1196 }
1197
1198 realm = talloc_strdup(state->mem_ctx, domain->alt_name);
1199 if (realm == NULL) {
1200 return NT_STATUS_NO_MEMORY;
1201 }
1202
1203 if (!strupper_m(realm)) {
1204 return NT_STATUS_INVALID_PARAMETER;
1205 }
1206
1207 principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
1208 if (principal_s == NULL) {
1209 return NT_STATUS_NO_MEMORY;
1210 }
1211
1212 service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
1213 if (service == NULL) {
1214 return NT_STATUS_NO_MEMORY;
1215 }
1216
1217 if (user_ccache_file != NULL) {
1218
1219 fstrcpy(state->response->data.auth.krb5ccname,
1220 user_ccache_file);
1221
1222 result = add_ccache_to_list(principal_s,
1223 cc,
1224 service,
1225 state->request->data.auth.user,
1226 state->request->data.auth.pass,
1227 realm,
1228 uid,
1229 time(NULL),
1230 time(NULL) + lp_winbind_cache_time(),
1231 time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
1232 true);
1233
1234 if (!NT_STATUS_IS_OK(result)) {
1235 DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
1236 "to add ccache to list: %s\n",
1237 nt_errstr(result)));
1238 }
1239 }
1240 }
1241 #endif /* HAVE_KRB5 */
1242 success:
1243 /* FIXME: we possibly should handle logon hours as well (does xp when
1244 * offline?) see auth/auth_sam.c:sam_account_ok for details */
1245
1246 unix_to_nt_time(&my_info3->base.logon_time, time(NULL));
1247 my_info3->base.bad_password_count = 0;
1248
1249 result = winbindd_update_creds_by_info3(domain,
1250 state->request->data.auth.user,
1251 state->request->data.auth.pass,
1252 my_info3);
1253 if (!NT_STATUS_IS_OK(result)) {
1254 DEBUG(1,("winbindd_dual_pam_auth_cached: failed to update creds: %s\n",
1255 nt_errstr(result)));
1256 return result;
1257 }
1258
1259 return NT_STATUS_OK;
1260
1261 }
1262
1263 /* User does *NOT* know the correct password, modify info3 accordingly, but only if online */
1264 if (domain->online == false) {
1265 goto failed;
1266 }
1267
1268 /* failure of this is not critical */
1269 result = get_max_bad_attempts_from_lockout_policy(domain, state->mem_ctx, &max_allowed_bad_attempts);
1270 if (!NT_STATUS_IS_OK(result)) {
1271 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get max_allowed_bad_attempts. "
1272 "Won't be able to honour account lockout policies\n"));
1273 }
1274
1275 /* increase counter */
1276 my_info3->base.bad_password_count++;
1277
1278 if (max_allowed_bad_attempts == 0) {
1279 goto failed;
1280 }
1281
1282 /* lockout user */
1283 if (my_info3->base.bad_password_count >= max_allowed_bad_attempts) {
1284
1285 uint32_t password_properties;
1286
1287 result = get_pwd_properties(domain, state->mem_ctx, &password_properties);
1288 if (!NT_STATUS_IS_OK(result)) {
1289 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
1290 }
1291
1292 if ((my_info3->base.rid != DOMAIN_RID_ADMINISTRATOR) ||
1293 (password_properties & DOMAIN_PASSWORD_LOCKOUT_ADMINS)) {
1294 my_info3->base.acct_flags |= ACB_AUTOLOCK;
1295 }
1296 }
1297
1298 failed:
1299 result = winbindd_update_creds_by_info3(domain,
1300 state->request->data.auth.user,
1301 NULL,
1302 my_info3);
1303
1304 if (!NT_STATUS_IS_OK(result)) {
1305 DEBUG(0,("winbindd_dual_pam_auth_cached: failed to update creds %s\n",
1306 nt_errstr(result)));
1307 }
1308
1309 return NT_STATUS_LOGON_FAILURE;
1310 }
1311
1312 static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
1313 struct winbindd_cli_state *state,
1314 struct netr_SamInfo6 **info6)
1315 {
1316 struct winbindd_domain *contact_domain;
1317 fstring name_namespace, name_domain, name_user;
1318 NTSTATUS result;
1319 bool ok;
1320
1321 DEBUG(10,("winbindd_dual_pam_auth_kerberos\n"));
1322
1323 /* Parse domain and username */
1324
1325 ok = parse_domain_user(state->request->data.auth.user,
1326 name_namespace,
1327 name_domain,
1328 name_user);
1329 if (!ok) {
1330 result = NT_STATUS_INVALID_PARAMETER;
1331 goto done;
1332 }
1333
1334 /* what domain should we contact? */
1335
1336 if (lp_winbind_use_krb5_enterprise_principals()) {
1337 contact_domain = find_auth_domain(0, name_namespace);
1338 } else {
1339 contact_domain = find_domain_from_name(name_namespace);
1340 }
1341 if (contact_domain == NULL) {
1342 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1343 state->request->data.auth.user, name_domain, name_user, name_namespace));
1344 result = NT_STATUS_NO_SUCH_USER;
1345 goto done;
1346 }
1347
1348 if (contact_domain->initialized &&
1349 contact_domain->active_directory) {
1350 goto try_login;
1351 }
1352
1353 if (!contact_domain->initialized) {
1354 init_dc_connection(contact_domain, false);
1355 }
1356
1357 if (!contact_domain->active_directory) {
1358 DEBUG(3,("krb5 auth requested but domain (%s) is not Active Directory\n",
1359 contact_domain->name));
1360 return NT_STATUS_INVALID_LOGON_TYPE;
1361 }
1362 try_login:
1363 result = winbindd_raw_kerberos_login(
1364 state->mem_ctx, contact_domain,
1365 state->request->data.auth.user,
1366 state->request->data.auth.pass,
1367 state->request->data.auth.krb5_cc_type,
1368 get_uid_from_request(state->request),
1369 info6, state->response->data.auth.krb5ccname);
1370 done:
1371 return result;
1372 }
1373
1374 static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
1375 uint32_t logon_parameters,
1376 const char *domain,
1377 const char *user,
1378 const uint64_t logon_id,
1379 const char *client_name,
1380 const int client_pid,
1381 const DATA_BLOB *challenge,
1382 const DATA_BLOB *lm_resp,
1383 const DATA_BLOB *nt_resp,
1384 const struct tsocket_address *remote,
1385 const struct tsocket_address *local,
1386 bool interactive,
1387 uint8_t *pauthoritative,
1388 struct netr_SamInfo3 **pinfo3)
1389 {
1390 struct auth_context *auth_context;
1391 struct auth_serversupplied_info *server_info;
1392 struct auth_usersupplied_info *user_info = NULL;
1393 struct netr_SamInfo3 *info3;
1394 NTSTATUS status;
1395 bool ok;
1396 TALLOC_CTX *frame = talloc_stackframe();
1397
1398 /*
1399 * We are authoritative by default
1400 */
1401 *pauthoritative = 1;
1402
1403 status = make_user_info(frame, &user_info, user, user, domain, domain,
1404 lp_netbios_name(), remote, local,
1405 "winbind",
1406 lm_resp, nt_resp, NULL, NULL,
1407 NULL, AUTH_PASSWORD_RESPONSE);
1408 if (!NT_STATUS_IS_OK(status)) {
1409 DEBUG(10, ("make_user_info failed: %s\n", nt_errstr(status)));
1410 TALLOC_FREE(frame);
1411 return status;
1412 }
1413
1414 user_info->logon_parameters = logon_parameters;
1415 user_info->logon_id = logon_id;
1416 user_info->auth_description = talloc_asprintf(
1417 frame, "PASSDB, %s, %d", client_name, client_pid);
1418 if (user_info->auth_description == NULL) {
1419 TALLOC_FREE(frame);
1420 return NT_STATUS_NO_MEMORY;
1421 }
1422
1423 /* We don't want any more mapping of the username */
1424 user_info->mapped_state = True;
1425
1426 /* We don't want to come back to winbindd or to do PAM account checks */
1427 user_info->flags |= USER_INFO_INFO3_AND_NO_AUTHZ;
1428
1429 if (interactive) {
1430 user_info->flags |= USER_INFO_INTERACTIVE_LOGON;
1431 }
1432
1433 status = make_auth3_context_for_winbind(frame, &auth_context);
1434 if (!NT_STATUS_IS_OK(status)) {
1435 DBG_ERR("make_auth3_context_for_winbind failed: %s\n",
1436 nt_errstr(status));
1437 TALLOC_FREE(frame);
1438 return status;
1439 }
1440
1441 ok = auth3_context_set_challenge(auth_context,
1442 challenge->data, "fixed");
1443 if (!ok) {
1444 TALLOC_FREE(frame);
1445 return NT_STATUS_NO_MEMORY;
1446 }
1447
1448 status = auth_check_ntlm_password(mem_ctx,
1449 auth_context,
1450 user_info,
1451 &server_info,
1452 pauthoritative);
1453 if (!NT_STATUS_IS_OK(status)) {
1454 TALLOC_FREE(frame);
1455 return status;
1456 }
1457
1458 info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
1459 if (info3 == NULL) {
1460 TALLOC_FREE(frame);
1461 return NT_STATUS_NO_MEMORY;
1462 }
1463
1464 status = serverinfo_to_SamInfo3(server_info, info3);
1465 if (!NT_STATUS_IS_OK(status)) {
1466 TALLOC_FREE(frame);
1467 TALLOC_FREE(info3);
1468 DEBUG(0, ("serverinfo_to_SamInfo3 failed: %s\n",
1469 nt_errstr(status)));
1470 return status;
1471 }
1472
1473 *pinfo3 = info3;
1474 DEBUG(10, ("Authenticaticating user %s\\%s returned %s\n", domain,
1475 user, nt_errstr(status)));
1476 TALLOC_FREE(frame);
1477 return status;
1478 }
1479
1480 static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
1481 TALLOC_CTX *mem_ctx,
1482 uint32_t logon_parameters,
1483 const char *username,
1484 const char *password,
1485 const char *domainname,
1486 const char *workstation,
1487 const uint64_t logon_id,
1488 bool plaintext_given,
1489 const uint8_t chal[8],
1490 DATA_BLOB lm_response,
1491 DATA_BLOB nt_response,
1492 bool interactive,
1493 uint8_t *authoritative,
1494 uint32_t *flags,
1495 uint16_t *_validation_level,
1496 union netr_Validation **_validation)
1497 {
1498 int attempts = 0;
1499 int netr_attempts = 0;
1500 bool retry = false;
1501 NTSTATUS result;
1502 enum netr_LogonInfoClass logon_type_i;
1503 enum netr_LogonInfoClass logon_type_n;
1504 uint16_t validation_level = UINT16_MAX;
1505 union netr_Validation *validation = NULL;
1506
1507 do {
1508 struct rpc_pipe_client *netlogon_pipe;
1509 struct netlogon_creds_cli_context *netlogon_creds_ctx = NULL;
1510
1511 retry = false;
1512
1513 result = cm_connect_netlogon_secure(domain, &netlogon_pipe,
1514 &netlogon_creds_ctx);
1515
1516 if (NT_STATUS_EQUAL(result,
1517 NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
1518 /*
1519 * This means we don't have a trust account.
1520 */
1521 *authoritative = 0;
1522 result = NT_STATUS_NO_SUCH_USER;
1523 break;
1524 }
1525
1526 if (!NT_STATUS_IS_OK(result)) {
1527 DEBUG(3,("Could not open handle to NETLOGON pipe "
1528 "(error: %s, attempts: %d)\n",
1529 nt_errstr(result), netr_attempts));
1530
1531 /* After the first retry always close the connection */
1532 if (netr_attempts > 0) {
1533 DEBUG(3, ("This is again a problem for this "
1534 "particular call, forcing the close "
1535 "of this connection\n"));
1536 invalidate_cm_connection(domain);
1537 }
1538
1539 /* After the second retry failover to the next DC */
1540 if (netr_attempts > 1) {
1541 /*
1542 * If the netlogon server is not reachable then
1543 * it is possible that the DC is rebuilding
1544 * sysvol and shutdown netlogon for that time.
1545 * We should failover to the next dc.
1546 */
1547 DEBUG(3, ("This is the third problem for this "
1548 "particular call, adding DC to the "
1549 "negative cache list: %s %s\n", domain->name, domain->dcname));
1550 add_failed_connection_entry(domain->name,
1551 domain->dcname,
1552 result);
1553 saf_delete(domain->name);
1554 }
1555
1556 /* Only allow 3 retries */
1557 if (netr_attempts < 3) {
1558 DEBUG(3, ("The connection to netlogon "
1559 "failed, retrying\n"));
1560 netr_attempts++;
1561 retry = true;
1562 continue;
1563 }
1564 return result;
1565 }
1566
1567 logon_type_i = NetlogonInteractiveInformation;
1568 logon_type_n = NetlogonNetworkInformation;
1569 if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
1570 logon_type_i = NetlogonInteractiveTransitiveInformation;
1571 logon_type_n = NetlogonNetworkTransitiveInformation;
1572 }
1573
1574 if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
1575 logon_type_i = NetlogonInteractiveTransitiveInformation;
1576 logon_type_n = NetlogonNetworkTransitiveInformation;
1577 }
1578
1579 if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE) {
1580 logon_type_i = NetlogonInteractiveInformation;
1581 logon_type_n = NetlogonNetworkInformation;
1582 }
1583
1584 if (domain->domain_trust_attribs & LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) {
1585 logon_type_i = NetlogonInteractiveInformation;
1586 logon_type_n = NetlogonNetworkInformation;
1587 }
1588
1589 netr_attempts = 0;
1590 if (plaintext_given) {
1591 result = rpccli_netlogon_password_logon(
1592 netlogon_creds_ctx,
1593 netlogon_pipe->binding_handle,
1594 mem_ctx,
1595 logon_parameters,
1596 domainname,
1597 username,
1598 password,
1599 workstation,
1600 logon_id,
1601 logon_type_i,
1602 authoritative,
1603 flags,
1604 &validation_level,
1605 &validation);
1606 } else if (interactive) {
1607 result = rpccli_netlogon_interactive_logon(
1608 netlogon_creds_ctx,
1609 netlogon_pipe->binding_handle,
1610 mem_ctx,
1611 logon_parameters,
1612 username,
1613 domainname,
1614 workstation,
1615 logon_id,
1616 lm_response,
1617 nt_response,
1618 logon_type_i,
1619 authoritative,
1620 flags,
1621 &validation_level,
1622 &validation);
1623 } else {
1624 result = rpccli_netlogon_network_logon(
1625 netlogon_creds_ctx,
1626 netlogon_pipe->binding_handle,
1627 mem_ctx,
1628 logon_parameters,
1629 username,
1630 domainname,
1631 workstation,
1632 logon_id,
1633 chal,
1634 lm_response,
1635 nt_response,
1636 logon_type_n,
1637 authoritative,
1638 flags,
1639 &validation_level,
1640 &validation);
1641 }
1642
1643 /*
1644 * we increment this after the "feature negotiation"
1645 * for can_do_samlogon_ex and can_do_validation6
1646 */
1647 attempts += 1;
1648
1649 /* We have to try a second time as cm_connect_netlogon
1650 might not yet have noticed that the DC has killed
1651 our connection. */
1652
1653 if (!rpccli_is_connected(netlogon_pipe)) {
1654 retry = true;
1655 continue;
1656 }
1657
1658 /* if we get access denied, a possible cause was that we had
1659 an open connection to the DC, but someone changed our
1660 machine account password out from underneath us using 'net
1661 rpc changetrustpw' */
1662
1663 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1664 DEBUG(1,("winbind_samlogon_retry_loop: sam_logon returned "
1665 "ACCESS_DENIED. Maybe the DC has Restrict "
1666 "NTLM set or the trust account "
1667 "password was changed and we didn't know it. "
1668 "Killing connections to domain %s\n",
1669 domainname));
1670 invalidate_cm_connection(domain);
1671 retry = true;
1672 }
1673
1674 if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
1675 /*
1676 * Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
1677 * (no Ex). This happens against old Samba
1678 * DCs, if LogonSamLogonEx() fails with an error
1679 * e.g. NT_STATUS_NO_SUCH_USER or NT_STATUS_WRONG_PASSWORD.
1680 *
1681 * The server will log something like this:
1682 * api_net_sam_logon_ex: Failed to marshall NET_R_SAM_LOGON_EX.
1683 *
1684 * This sets the whole connection into a fault_state mode
1685 * and all following request get NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
1686 *
1687 * This also happens to our retry with LogonSamLogonWithFlags()
1688 * and LogonSamLogon().
1689 *
1690 * In order to recover from this situation, we need to
1691 * drop the connection.
1692 */
1693 invalidate_cm_connection(domain);
1694 result = NT_STATUS_LOGON_FAILURE;
1695 break;
1696 }
1697
1698 } while ( (attempts < 2) && retry );
1699
1700 if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) {
1701 DEBUG(3,("winbind_samlogon_retry_loop: sam_network_logon(ex) "
1702 "returned NT_STATUS_IO_TIMEOUT after the retry. "
1703 "Killing connections to domain %s\n",
1704 domainname));
1705 invalidate_cm_connection(domain);
1706 }
1707
1708 if (!NT_STATUS_IS_OK(result)) {
1709 return result;
1710 }
1711
1712 *_validation_level = validation_level;
1713 *_validation = validation;
1714 return NT_STATUS_OK;
1715 }
1716
1717 static NTSTATUS nt_dual_auth_passdb(TALLOC_CTX *mem_ctx,
1718 fstring name_user,
1719 fstring name_domain,
1720 const char *pass,
1721 uint64_t logon_id,
1722 const char *client_name,
1723 const int client_pid,
1724 const struct tsocket_address *remote,
1725 const struct tsocket_address *local,
1726 uint8_t *authoritative,
1727 struct netr_SamInfo3 **info3)
1728 {
1729 unsigned char local_nt_response[24];
1730 uchar chal[8];
1731 DATA_BLOB chal_blob;
1732 DATA_BLOB lm_resp;
1733 DATA_BLOB nt_resp;
1734
1735 /* do password magic */
1736
1737 generate_random_buffer(chal, sizeof(chal));
1738 chal_blob = data_blob_const(chal, sizeof(chal));
1739
1740 if (lp_client_ntlmv2_auth()) {
1741 DATA_BLOB server_chal;
1742 DATA_BLOB names_blob;
1743 server_chal = data_blob_const(chal, 8);
1744
1745 /* note that the 'workgroup' here is for the local
1746 machine. The 'server name' must match the
1747 'workstation' passed to the actual SamLogon call.
1748 */
1749 names_blob = NTLMv2_generate_names_blob(mem_ctx,
1750 lp_netbios_name(),
1751 lp_workgroup());
1752
1753 if (!SMBNTLMv2encrypt(mem_ctx, name_user, name_domain,
1754 pass, &server_chal, &names_blob,
1755 &lm_resp, &nt_resp, NULL, NULL)) {
1756 data_blob_free(&names_blob);
1757 DEBUG(0, ("SMBNTLMv2encrypt() failed!\n"));
1758 return NT_STATUS_NO_MEMORY;
1759 }
1760 data_blob_free(&names_blob);
1761 } else {
1762 int rc;
1763 lm_resp = data_blob_null;
1764
1765 rc = SMBNTencrypt(pass, chal, local_nt_response);
1766 if (rc != 0) {
1767 DEBUG(0, ("SMBNTencrypt() failed!\n"));
1768 return gnutls_error_to_ntstatus(rc,
1769 NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
1770 }
1771
1772 nt_resp = data_blob_talloc(mem_ctx, local_nt_response,
1773 sizeof(local_nt_response));
1774 }
1775
1776 return winbindd_dual_auth_passdb(talloc_tos(), 0, name_domain,
1777 name_user, logon_id, client_name,
1778 client_pid, &chal_blob, &lm_resp,
1779 &nt_resp, remote, local,
1780 true, /* interactive */
1781 authoritative, info3);
1782 }
1783
1784 static NTSTATUS winbindd_dual_pam_auth_samlogon(
1785 TALLOC_CTX *mem_ctx,
1786 struct winbindd_domain *domain,
1787 const char *user,
1788 const char *pass,
1789 uint64_t logon_id,
1790 const char *client_name,
1791 const int client_pid,
1792 uint32_t request_flags,
1793 const struct tsocket_address *remote,
1794 const struct tsocket_address *local,
1795 uint16_t *_validation_level,
1796 union netr_Validation **_validation)
1797 {
1798 fstring name_namespace, name_domain, name_user;
1799 NTSTATUS result;
1800 uint8_t authoritative = 0;
1801 uint32_t flags = 0;
1802 uint16_t validation_level = 0;
1803 union netr_Validation *validation = NULL;
1804 struct netr_SamBaseInfo *base_info = NULL;
1805 bool ok;
1806
1807 DEBUG(10,("winbindd_dual_pam_auth_samlogon\n"));
1808
1809 /* Parse domain and username */
1810
1811 ok = parse_domain_user(user, name_namespace, name_domain, name_user);
1812 if (!ok) {
1813 return NT_STATUS_INVALID_PARAMETER;
1814 }
1815
1816 /*
1817 * We check against domain->name instead of
1818 * name_domain, as find_auth_domain() ->
1819 * find_domain_from_name_noinit() already decided
1820 * that we are in a child for the correct domain.
1821 *
1822 * name_domain can also be lp_realm()
1823 * we need to check against domain->name.
1824 */
1825 if (strequal(domain->name, get_global_sam_name())) {
1826 struct netr_SamInfo3 *info3 = NULL;
1827
1828 result = nt_dual_auth_passdb(mem_ctx, name_user, name_domain,
1829 pass, logon_id, client_name,
1830 client_pid, remote, local,
1831 &authoritative, &info3);
1832
1833 /*
1834 * We need to try the remote NETLOGON server if this is
1835 * not authoritative (for example on the RODC).
1836 */
1837 if (authoritative != 0) {
1838 if (NT_STATUS_IS_OK(result)) {
1839 result = map_info3_to_validation(
1840 mem_ctx,
1841 info3,
1842 &validation_level,
1843 &validation);
1844 TALLOC_FREE(info3);
1845 if (!NT_STATUS_IS_OK(result)) {
1846 goto done;
1847 }
1848 }
1849
1850 goto done;
1851 }
1852 }
1853
1854 /* check authentication loop */
1855
1856 result = winbind_samlogon_retry_loop(domain,
1857 mem_ctx,
1858 0,
1859 name_user,
1860 pass,
1861 name_domain,
1862 lp_netbios_name(),
1863 logon_id,
1864 true, /* plaintext_given */
1865 NULL,
1866 data_blob_null, data_blob_null,
1867 true, /* interactive */
1868 &authoritative,
1869 &flags,
1870 &validation_level,
1871 &validation);
1872 if (!NT_STATUS_IS_OK(result)) {
1873 goto done;
1874 }
1875
1876 /* handle the case where a NT4 DC does not fill in the acct_flags in
1877 * the samlogon reply info3. When accurate info3 is required by the
1878 * caller, we look up the account flags ourselves - gd */
1879
1880 switch (validation_level) {
1881 case 3:
1882 base_info = &validation->sam3->base;
1883 break;
1884 case 6:
1885 base_info = &validation->sam6->base;
1886 break;
1887 default:
1888 DBG_ERR("Bad validation level %d", (int)validation_level);
1889 result = NT_STATUS_INTERNAL_ERROR;
1890 goto done;
1891 }
1892 if ((request_flags & WBFLAG_PAM_INFO3_TEXT) &&
1893 (base_info->acct_flags == 0))
1894 {
1895 struct rpc_pipe_client *samr_pipe;
1896 struct policy_handle samr_domain_handle, user_pol;
1897 union samr_UserInfo *info = NULL;
1898 NTSTATUS status_tmp, result_tmp;
1899 uint32_t acct_flags;
1900 struct dcerpc_binding_handle *b;
1901
1902 status_tmp = cm_connect_sam(domain, mem_ctx, false,
1903 &samr_pipe, &samr_domain_handle);
1904
1905 if (!NT_STATUS_IS_OK(status_tmp)) {
1906 DEBUG(3, ("could not open handle to SAMR pipe: %s\n",
1907 nt_errstr(status_tmp)));
1908 goto done;
1909 }
1910
1911 b = samr_pipe->binding_handle;
1912
1913 status_tmp = dcerpc_samr_OpenUser(b, mem_ctx,
1914 &samr_domain_handle,
1915 MAXIMUM_ALLOWED_ACCESS,
1916 base_info->rid,
1917 &user_pol,
1918 &result_tmp);
1919
1920 if (!NT_STATUS_IS_OK(status_tmp)) {
1921 DEBUG(3, ("could not open user handle on SAMR pipe: %s\n",
1922 nt_errstr(status_tmp)));
1923 goto done;
1924 }
1925 if (!NT_STATUS_IS_OK(result_tmp)) {
1926 DEBUG(3, ("could not open user handle on SAMR pipe: %s\n",
1927 nt_errstr(result_tmp)));
1928 goto done;
1929 }
1930
1931 status_tmp = dcerpc_samr_QueryUserInfo(b, mem_ctx,
1932 &user_pol,
1933 16,
1934 &info,
1935 &result_tmp);
1936
1937 if (any_nt_status_not_ok(status_tmp, result_tmp,
1938 &status_tmp)) {
1939 DEBUG(3, ("could not query user info on SAMR pipe: %s\n",
1940 nt_errstr(status_tmp)));
1941 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result_tmp);
1942 goto done;
1943 }
1944
1945 acct_flags = info->info16.acct_flags;
1946
1947 if (acct_flags == 0) {
1948 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result_tmp);
1949 goto done;
1950 }
1951
1952 base_info->acct_flags = acct_flags;
1953
1954 DEBUG(10,("successfully retrieved acct_flags 0x%x\n", acct_flags));
1955
1956 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result_tmp);
1957 }
1958
1959 done:
1960 if (NT_STATUS_IS_OK(result)) {
1961 *_validation_level = validation_level;
1962 *_validation = validation;
1963 }
1964 return result;
1965 }
1966
1967 /*
1968 * @brief build a tsocket_address for the remote address of the supplied socket
1969 *
1970 */
1971 static struct tsocket_address *get_remote_address(TALLOC_CTX *mem_ctx, int sock)
1972 {
1973 struct sockaddr_storage st = {0};
1974 struct sockaddr *sar = (struct sockaddr *)&st;
1975 socklen_t sa_len = sizeof(st);
1976 struct tsocket_address *remote = NULL;
1977 int ret = 0;
1978
1979 ret = getpeername(sock, sar, &sa_len);
1980 if (ret != 0) {
1981 DBG_ERR("getpeername failed - %s", strerror(errno));
1982 return NULL;
1983 }
1984 ret = tsocket_address_bsd_from_sockaddr(mem_ctx, sar, sa_len, &remote);
1985 if (ret != 0) {
1986 DBG_ERR("tsocket_address_bsd_from_sockaddr failed - %s",
1987 strerror(errno));
1988 return NULL;
1989 }
1990 return remote;
1991 }
1992
1993 /*
1994 * @brief build a tsocket_address for the local address of the supplied socket
1995 *
1996 */
1997 static struct tsocket_address *get_local_address(TALLOC_CTX *mem_ctx, int sock)
1998 {
1999 struct sockaddr_storage st = {0};
2000 struct sockaddr *sar = (struct sockaddr *)&st;
2001 socklen_t sa_len = sizeof(st);
2002 struct tsocket_address *local = NULL;
2003 int ret = 0;
2004
2005 ret = getsockname(sock, sar, &sa_len);
2006 if (ret != 0) {
2007 DBG_ERR("getsockname failed - %s", strerror(errno));
2008 return NULL;
2009 }
2010 ret = tsocket_address_bsd_from_sockaddr(mem_ctx, sar, sa_len, &local);
2011 if (ret != 0) {
2012 DBG_ERR("tsocket_address_bsd_from_sockaddr failed - %s",
2013 strerror(errno));
2014 return NULL;
2015 }
2016 return local;
2017 }
2018
2019 /*
2020 * @brief generate an authentication message in the logs.
2021 *
2022 */
2023 static void log_authentication(
2024 TALLOC_CTX *mem_ctx,
2025 const struct winbindd_domain *domain,
2026 const struct winbindd_cli_state *state,
2027 const struct timeval start_time,
2028 const uint64_t logon_id,
2029 const char *command,
2030 const char *user_name,
2031 const char *domain_name,
2032 const char *workstation,
2033 const DATA_BLOB lm_resp,
2034 const DATA_BLOB nt_resp,
2035 const struct tsocket_address *remote,
2036 const struct tsocket_address *local,
2037 NTSTATUS result)
2038 {
2039
2040 struct auth_usersupplied_info *ui = NULL;
2041 struct dom_sid *sid = NULL;
2042 struct loadparm_context *lp_ctx = NULL;
2043 struct imessaging_context *msg_ctx = NULL;
2044
2045 ui = talloc_zero(mem_ctx, struct auth_usersupplied_info);
2046 ui->logon_id = logon_id;
2047 ui->service_description = "winbind";
2048 ui->password.response.nt.length = nt_resp.length;
2049 ui->password.response.nt.data = nt_resp.data;
2050 ui->password.response.lanman.length = lm_resp.length;
2051 ui->password.response.lanman.data = lm_resp.data;
2052 if (nt_resp.length == 0 && lm_resp.length == 0) {
2053 ui->password_state = AUTH_PASSWORD_PLAIN;
2054 } else {
2055 ui->password_state = AUTH_PASSWORD_RESPONSE;
2056 }
2057 /*
2058 * In the event of a failure ui->auth_description will be null,
2059 * the logging code handles this correctly so it can be ignored.
2060 */
2061 ui->auth_description = talloc_asprintf(
2062 ui,
2063 "%s, %s, %d",
2064 command,
2065 state->request->client_name,
2066 state->pid);
2067 if (ui->auth_description == NULL) {
2068 DBG_ERR("OOM Unable to create auth_description");
2069 }
2070 ui->client.account_name = user_name;
2071 ui->client.domain_name = domain_name;
2072 ui->workstation_name = workstation;
2073 ui->remote_host = remote;
2074 ui->local_host = local;
2075
2076 sid = dom_sid_parse_talloc(
2077 ui, state->response->data.auth.info3.dom_sid);
2078 if (sid != NULL) {
2079 sid_append_rid(sid, state->response->data.auth.info3.user_rid);
2080 }
2081
2082 if (lp_auth_event_notification()) {
2083 lp_ctx = loadparm_init_s3(ui, loadparm_s3_helpers());
2084 msg_ctx = imessaging_client_init(
2085 ui, lp_ctx, global_event_context());
2086 }
2087 log_authentication_event(
2088 msg_ctx,
2089 lp_ctx,
2090 &start_time,
2091 ui,
2092 result,
2093 state->response->data.auth.info3.logon_dom,
2094 state->response->data.auth.info3.user_name,
2095 sid);
2096 TALLOC_FREE(ui);
2097 }
2098
2099 enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
2100 struct winbindd_cli_state *state)
2101 {
2102 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
2103 NTSTATUS krb5_result = NT_STATUS_OK;
2104 fstring name_namespace, name_domain, name_user;
2105 char *mapped_user;
2106 fstring domain_user;
2107 uint16_t validation_level = UINT16_MAX;
2108 union netr_Validation *validation = NULL;
2109 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
2110 bool ok;
2111 uint64_t logon_id = 0;
2112 const struct timeval start_time = timeval_current();
2113 const struct tsocket_address *remote = NULL;
2114 const struct tsocket_address *local = NULL;
2115
2116 /* Ensure null termination */
2117 state->request->data.auth.user[sizeof(state->request->data.auth.user)-1]='\0';
2118
2119 /* Ensure null termination */
2120 state->request->data.auth.pass[sizeof(state->request->data.auth.pass)-1]='\0';
2121
2122 /*
2123 * Generate a logon_id for this session.
2124 */
2125 logon_id = generate_random_u64();
2126 remote = get_remote_address(state->mem_ctx, state->sock);
2127 local = get_local_address(state->mem_ctx, state->sock);
2128 DEBUG(3, ("[%5lu]: dual pam auth %s\n", (unsigned long)state->pid,
2129 state->request->data.auth.user));
2130
2131 /* Parse domain and username */
2132
2133 name_map_status = normalize_name_unmap(state->mem_ctx,
2134 state->request->data.auth.user,
2135 &mapped_user);
2136
2137 /* If the name normalization didn't actually do anything,
2138 just use the original name */
2139
2140 if (!NT_STATUS_IS_OK(name_map_status) &&
2141 !NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
2142 {
2143 mapped_user = state->request->data.auth.user;
2144 }
2145
2146 ok = parse_domain_user(mapped_user,
2147 name_namespace,
2148 name_domain,
2149 name_user);
2150 if (!ok) {
2151 result = NT_STATUS_INVALID_PARAMETER;
2152 goto process_result;
2153 }
2154
2155 if ( mapped_user != state->request->data.auth.user ) {
2156 fstr_sprintf( domain_user, "%s%c%s", name_domain,
2157 *lp_winbind_separator(),
2158 name_user );
2159 strlcpy( state->request->data.auth.user, domain_user,
2160 sizeof(state->request->data.auth.user));
2161 }
2162
2163 if (!domain->online) {
2164 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
2165 if (domain->startup) {
2166 /* Logons are very important to users. If we're offline and
2167 we get a request within the first 30 seconds of startup,
2168 try very hard to find a DC and go online. */
2169
2170 DEBUG(10,("winbindd_dual_pam_auth: domain: %s offline and auth "
2171 "request in startup mode.\n", domain->name ));
2172
2173 winbindd_flush_negative_conn_cache(domain);
2174 result = init_dc_connection(domain, false);
2175 }
2176 }
2177
2178 DEBUG(10,("winbindd_dual_pam_auth: domain: %s last was %s\n", domain->name, domain->online ? "online":"offline"));
2179
2180 /* Check for Kerberos authentication */
2181 if (domain->online && (state->request->flags & WBFLAG_PAM_KRB5)) {
2182 struct netr_SamInfo6 *info6 = NULL;
2183
2184 result = winbindd_dual_pam_auth_kerberos(domain, state, &info6);
2185 /* save for later */
2186 krb5_result = result;
2187
2188 if (NT_STATUS_IS_OK(result)) {
2189 DEBUG(10,("winbindd_dual_pam_auth_kerberos succeeded\n"));
2190
2191 result = map_info6_to_validation(state->mem_ctx,
2192 info6,
2193 &validation_level,
2194 &validation);
2195 TALLOC_FREE(info6);
2196 if (!NT_STATUS_IS_OK(result)) {
2197 DBG_ERR("map_info6_to_validation failed\n");
2198 goto done;
2199 }
2200 goto process_result;
2201 }
2202
2203 DBG_DEBUG("winbindd_dual_pam_auth_kerberos failed: %s\n",
2204 nt_errstr(result));
2205
2206 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
2207 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
2208 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
2209 DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
2210 set_domain_offline( domain );
2211 goto cached_logon;
2212 }
2213
2214 /* there are quite some NT_STATUS errors where there is no
2215 * point in retrying with a samlogon, we explictly have to take
2216 * care not to increase the bad logon counter on the DC */
2217
2218 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_DISABLED) ||
2219 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_EXPIRED) ||
2220 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_LOCKED_OUT) ||
2221 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_LOGON_HOURS) ||
2222 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_WORKSTATION) ||
2223 NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE) ||
2224 NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER) ||
2225 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_EXPIRED) ||
2226 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE) ||
2227 NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD)) {
2228 goto done;
2229 }
2230
2231 if (state->request->flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
2232 DEBUG(3,("falling back to samlogon\n"));
2233 goto sam_logon;
2234 } else {
2235 goto cached_logon;
2236 }
2237 }
2238
2239 sam_logon:
2240 /* Check for Samlogon authentication */
2241 if (domain->online) {
2242 struct netr_SamBaseInfo *base_info = NULL;
2243
2244 result = winbindd_dual_pam_auth_samlogon(
2245 state->mem_ctx, domain,
2246 state->request->data.auth.user,
2247 state->request->data.auth.pass,
2248 logon_id,
2249 state->request->client_name,
2250 state->pid,
2251 state->request->flags,
2252 remote,
2253 local,
2254 &validation_level,
2255 &validation);
2256
2257 if (NT_STATUS_IS_OK(result)) {
2258 DEBUG(10,("winbindd_dual_pam_auth_samlogon succeeded\n"));
2259
2260 switch (validation_level) {
2261 case 3:
2262 base_info = &validation->sam3->base;
2263 break;
2264 case 6:
2265 base_info = &validation->sam6->base;
2266 break;
2267 default:
2268 DBG_ERR("Bad validation level %d\n",
2269 validation_level);
2270 result = NT_STATUS_INTERNAL_ERROR;
2271 goto done;
2272 }
2273
2274 /* add the Krb5 err if we have one */
2275 if ( NT_STATUS_EQUAL(krb5_result, NT_STATUS_TIME_DIFFERENCE_AT_DC ) ) {
2276 base_info->user_flags |= LOGON_KRB5_FAIL_CLOCK_SKEW;
2277 }
2278
2279 goto process_result;
2280 }
2281
2282 DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n",
2283 nt_errstr(result)));
2284
2285 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
2286 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
2287 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND))
2288 {
2289 DEBUG(10,("winbindd_dual_pam_auth_samlogon setting domain to offline\n"));
2290 set_domain_offline( domain );
2291 goto cached_logon;
2292 }
2293
2294 if (domain->online) {
2295 /* We're still online - fail. */
2296 goto done;
2297 }
2298 }
2299
2300 cached_logon:
2301 /* Check for Cached logons */
2302 if (!domain->online && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN) &&
2303 lp_winbind_offline_logon()) {
2304 struct netr_SamInfo3 *info3 = NULL;
2305
2306 result = winbindd_dual_pam_auth_cached(domain, state, &info3);
2307
2308 if (!NT_STATUS_IS_OK(result)) {
2309 DEBUG(10,("winbindd_dual_pam_auth_cached failed: %s\n", nt_errstr(result)));
2310 goto done;
2311 }
2312 DEBUG(10,("winbindd_dual_pam_auth_cached succeeded\n"));
2313
2314 result = map_info3_to_validation(state->mem_ctx,
2315 info3,
2316 &validation_level,
2317 &validation);
2318 TALLOC_FREE(info3);
2319 if (!NT_STATUS_IS_OK(result)) {
2320 DBG_ERR("map_info3_to_validation failed\n");
2321 goto done;
2322 }
2323 }
2324
2325 process_result:
2326
2327 if (NT_STATUS_IS_OK(result)) {
2328 struct dom_sid user_sid;
2329 TALLOC_CTX *base_ctx = NULL;
2330 struct netr_SamBaseInfo *base_info = NULL;
2331 struct netr_SamInfo3 *info3 = NULL;
2332
2333 switch (validation_level) {
2334 case 3:
2335 base_ctx = validation->sam3;
2336 base_info = &validation->sam3->base;
2337 break;
2338 case 6:
2339 base_ctx = validation->sam6;
2340 base_info = &validation->sam6->base;
2341 break;
2342 default:
2343 result = NT_STATUS_INTERNAL_ERROR;
2344 goto done;
2345 }
2346
2347 sid_compose(&user_sid, base_info->domain_sid, base_info->rid);
2348
2349 if (base_info->full_name.string == NULL) {
2350 struct netr_SamInfo3 *cached_info3;
2351
2352 cached_info3 = netsamlogon_cache_get(state->mem_ctx,
2353 &user_sid);
2354 if (cached_info3 != NULL &&
2355 cached_info3->base.full_name.string != NULL) {
2356 base_info->full_name.string = talloc_strdup(
2357 base_ctx,
2358 cached_info3->base.full_name.string);
2359 if (base_info->full_name.string == NULL) {
2360 result = NT_STATUS_NO_MEMORY;
2361 goto done;
2362 }
2363 } else {
2364
2365 /* this might fail so we don't check the return code */
2366 wcache_query_user_fullname(domain,
2367 base_ctx,
2368 &user_sid,
2369 &base_info->full_name.string);
2370 }
2371 }
2372
2373 result = map_validation_to_info3(talloc_tos(),
2374 validation_level,
2375 validation,
2376 &info3);
2377 if (!NT_STATUS_IS_OK(result)) {
2378 goto done;
2379 }
2380
2381 wcache_invalidate_samlogon(find_domain_from_name(name_domain),
2382 &user_sid);
2383 netsamlogon_cache_store(name_user, info3);
2384
2385 /* save name_to_sid info as early as possible (only if
2386 this is our primary domain so we don't invalidate
2387 the cache entry by storing the seq_num for the wrong
2388 domain). */
2389 if ( domain->primary ) {
2390 cache_name2sid(domain, name_domain, name_user,
2391 SID_NAME_USER, &user_sid);
2392 }
2393
2394 /* Check if the user is in the right group */
2395
2396 result = check_info3_in_group(
2397 info3,
2398 state->request->data.auth.require_membership_of_sid);
2399 if (!NT_STATUS_IS_OK(result)) {
2400 DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
2401 state->request->data.auth.user,
2402 state->request->data.auth.require_membership_of_sid));
2403 goto done;
2404 }
2405
2406 if (!is_allowed_domain(info3->base.logon_domain.string)) {
2407 DBG_NOTICE("Authentication failed for user [%s] "
2408 "from firewalled domain [%s]\n",
2409 info3->base.account_name.string,
2410 info3->base.logon_domain.string);
2411 result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
2412 goto done;
2413 }
2414
2415 result = append_auth_data(state->mem_ctx, state->response,
2416 state->request->flags,
2417 validation_level,
2418 validation,
2419 name_domain, name_user);
2420 if (!NT_STATUS_IS_OK(result)) {
2421 goto done;
2422 }
2423
2424 if ((state->request->flags & WBFLAG_PAM_CACHED_LOGIN)
2425 && lp_winbind_offline_logon()) {
2426
2427 result = winbindd_store_creds(domain,
2428 state->request->data.auth.user,
2429 state->request->data.auth.pass,
2430 info3);
2431 }
2432
2433 if (state->request->flags & WBFLAG_PAM_GET_PWD_POLICY) {
2434 /*
2435 * WBFLAG_PAM_GET_PWD_POLICY is not used within
2436 * any Samba caller anymore.
2437 *
2438 * We just fake this based on the effective values
2439 * for the user, for legacy callers.
2440 */
2441 fake_password_policy(state->response, &info3->base);
2442 }
2443
2444 result = NT_STATUS_OK;
2445 }
2446
2447 done:
2448 /* give us a more useful (more correct?) error code */
2449 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
2450 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
2451 result = NT_STATUS_NO_LOGON_SERVERS;
2452 }
2453
2454 set_auth_errors(state->response, result);
2455
2456 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
2457 state->request->data.auth.user,
2458 state->response->data.auth.nt_status_string,
2459 state->response->data.auth.pam_error));
2460
2461 /*
2462 * Log the winbind pam authentication, the logon_id will tie this to
2463 * any of the logons invoked from this request.
2464 */
2465 log_authentication(
2466 state->mem_ctx,
2467 domain,
2468 state,
2469 start_time,
2470 logon_id,
2471 "PAM_AUTH",
2472 name_user,
2473 name_domain,
2474 NULL,
2475 data_blob_null,
2476 data_blob_null,
2477 remote,
2478 local,
2479 result);
2480
2481 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2482 }
2483
2484 NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
2485 TALLOC_CTX *mem_ctx,
2486 bool interactive,
2487 uint32_t logon_parameters,
2488 const char *name_user,
2489 const char *name_domain,
2490 const char *workstation,
2491 const uint64_t logon_id,
2492 const char* client_name,
2493 const int client_pid,
2494 const uint8_t chal[8],
2495 DATA_BLOB lm_response,
2496 DATA_BLOB nt_response,
2497 const struct tsocket_address *remote,
2498 const struct tsocket_address *local,
2499 uint8_t *authoritative,
2500 bool skip_sam,
2501 uint32_t *flags,
2502 uint16_t *_validation_level,
2503 union netr_Validation **_validation)
2504 {
2505 uint16_t validation_level = 0;
2506 union netr_Validation *validation = NULL;
2507 NTSTATUS result;
2508
2509 /*
2510 * We check against domain->name instead of
2511 * name_domain, as find_auth_domain() ->
2512 * find_domain_from_name_noinit() already decided
2513 * that we are in a child for the correct domain.
2514 *
2515 * name_domain can also be lp_realm()
2516 * we need to check against domain->name.
2517 */
2518 if (!skip_sam && strequal(domain->name, get_global_sam_name())) {
2519 DATA_BLOB chal_blob = data_blob_const(
2520 chal, 8);
2521 struct netr_SamInfo3 *info3 = NULL;
2522
2523 result = winbindd_dual_auth_passdb(
2524 talloc_tos(),
2525 logon_parameters,
2526 name_domain, name_user,
2527 logon_id,
2528 client_name,
2529 client_pid,
2530 &chal_blob, &lm_response, &nt_response,
2531 remote,
2532 local,
2533 interactive,
2534 authoritative,
2535 &info3);
2536 if (NT_STATUS_IS_OK(result)) {
2537 result = map_info3_to_validation(mem_ctx,
2538 info3,
2539 &validation_level,
2540 &validation);
2541 TALLOC_FREE(info3);
2542 if (!NT_STATUS_IS_OK(result)) {
2543 goto done;
2544 }
2545 }
2546
2547 /*
2548 * We need to try the remote NETLOGON server if this is
2549 * not authoritative.
2550 */
2551 if (*authoritative != 0) {
2552 *flags = 0;
2553 goto process_result;
2554 }
2555 }
2556
2557 result = winbind_samlogon_retry_loop(domain,
2558 mem_ctx,
2559 logon_parameters,
2560 name_user,
2561 NULL, /* password */
2562 name_domain,
2563 /* Bug #3248 - found by Stefan Burkei. */
2564 workstation, /* We carefully set this above so use it... */
2565 logon_id,
2566 false, /* plaintext_given */
2567 chal,
2568 lm_response,
2569 nt_response,
2570 interactive,
2571 authoritative,
2572 flags,
2573 &validation_level,
2574 &validation);
2575 if (!NT_STATUS_IS_OK(result)) {
2576 goto done;
2577 }
2578
2579 process_result:
2580
2581 if (NT_STATUS_IS_OK(result)) {
2582 struct dom_sid user_sid;
2583 TALLOC_CTX *base_ctx = NULL;
2584 struct netr_SamBaseInfo *base_info = NULL;
2585 struct netr_SamInfo3 *info3 = NULL;
2586
2587 switch (validation_level) {
2588 case 3:
2589 base_ctx = validation->sam3;
2590 base_info = &validation->sam3->base;
2591 break;
2592 case 6:
2593 base_ctx = validation->sam6;
2594 base_info = &validation->sam6->base;
2595 break;
2596 default:
2597 result = NT_STATUS_INTERNAL_ERROR;
2598 goto done;
2599 }
2600
2601 sid_compose(&user_sid, base_info->domain_sid, base_info->rid);
2602
2603 if (base_info->full_name.string == NULL) {
2604 struct netr_SamInfo3 *cached_info3;
2605
2606 cached_info3 = netsamlogon_cache_get(mem_ctx,
2607 &user_sid);
2608 if (cached_info3 != NULL &&
2609 cached_info3->base.full_name.string != NULL)
2610 {
2611 base_info->full_name.string = talloc_strdup(
2612 base_ctx,
2613 cached_info3->base.full_name.string);
2614 } else {
2615
2616 /* this might fail so we don't check the return code */
2617 wcache_query_user_fullname(domain,
2618 base_ctx,
2619 &user_sid,
2620 &base_info->full_name.string);
2621 }
2622 }
2623
2624 result = map_validation_to_info3(talloc_tos(),
2625 validation_level,
2626 validation,
2627 &info3);
2628 if (!NT_STATUS_IS_OK(result)) {
2629 goto done;
2630 }
2631 wcache_invalidate_samlogon(find_domain_from_name(name_domain),
2632 &user_sid);
2633 netsamlogon_cache_store(name_user, info3);
2634 TALLOC_FREE(info3);
2635 }
2636
2637 done:
2638
2639 /* give us a more useful (more correct?) error code */
2640 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
2641 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
2642 result = NT_STATUS_NO_LOGON_SERVERS;
2643 }
2644
2645 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2646 ("NTLM CRAP authentication for user [%s]\\[%s] returned %s\n",
2647 name_domain,
2648 name_user,
2649 nt_errstr(result)));
2650
2651 if (!NT_STATUS_IS_OK(result)) {
2652 return result;
2653 }
2654
2655 *_validation_level = validation_level;
2656 *_validation = validation;
2657 return NT_STATUS_OK;
2658 }
2659
2660 enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
2661 struct winbindd_cli_state *state)
2662 {
2663 NTSTATUS result;
2664 const char *name_user = NULL;
2665 const char *name_domain = NULL;
2666 const char *workstation;
2667 uint64_t logon_id = 0;
2668 uint8_t authoritative = 0;
2669 uint32_t flags = 0;
2670 uint16_t validation_level;
2671 union netr_Validation *validation = NULL;
2672 DATA_BLOB lm_resp = { 0 }, nt_resp = { 0 };
2673 const struct timeval start_time = timeval_current();
2674 const struct tsocket_address *remote = NULL;
2675 const struct tsocket_address *local = NULL;
2676
2677 /* This is child-only, so no check for privileged access is needed
2678 anymore */
2679
2680 /* Ensure null termination */
2681 state->request->data.auth_crap.user[sizeof(state->request->data.auth_crap.user)-1]=0;
2682 state->request->data.auth_crap.domain[sizeof(state->request->data.auth_crap.domain)-1]=0;
2683
2684 name_user = state->request->data.auth_crap.user;
2685 name_domain = state->request->data.auth_crap.domain;
2686 workstation = state->request->data.auth_crap.workstation;
2687 logon_id = generate_random_u64();
2688 remote = get_remote_address(state->mem_ctx, state->sock);
2689 local = get_local_address(state->mem_ctx, state->sock);
2690
2691 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
2692 name_domain, name_user));
2693
2694 if (state->request->data.auth_crap.lm_resp_len > sizeof(state->request->data.auth_crap.lm_resp)
2695 || state->request->data.auth_crap.nt_resp_len > sizeof(state->request->data.auth_crap.nt_resp)) {
2696 if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
2697 state->request->extra_len != state->request->data.auth_crap.nt_resp_len) {
2698 DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
2699 state->request->data.auth_crap.lm_resp_len,
2700 state->request->data.auth_crap.nt_resp_len));
2701 result = NT_STATUS_INVALID_PARAMETER;
2702 goto done;
2703 }
2704 }
2705
2706 lm_resp = data_blob_talloc(state->mem_ctx, state->request->data.auth_crap.lm_resp,
2707 state->request->data.auth_crap.lm_resp_len);
2708
2709 if (state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) {
2710 nt_resp = data_blob_talloc(state->mem_ctx,
2711 state->request->extra_data.data,
2712 state->request->data.auth_crap.nt_resp_len);
2713 } else {
2714 nt_resp = data_blob_talloc(state->mem_ctx,
2715 state->request->data.auth_crap.nt_resp,
2716 state->request->data.auth_crap.nt_resp_len);
2717 }
2718
2719 result = winbind_dual_SamLogon(domain,
2720 state->mem_ctx,
2721 false, /* interactive */
2722 state->request->data.auth_crap.logon_parameters,
2723 name_user,
2724 name_domain,
2725 /* Bug #3248 - found by Stefan Burkei. */
2726 workstation, /* We carefully set this above so use it... */
2727 logon_id,
2728 state->request->client_name,
2729 state->request->pid,
2730 state->request->data.auth_crap.chal,
2731 lm_resp,
2732 nt_resp,
2733 remote,
2734 local,
2735 &authoritative,
2736 false,
2737 &flags,
2738 &validation_level,
2739 &validation);
2740 if (!NT_STATUS_IS_OK(result)) {
2741 state->response->data.auth.authoritative = authoritative;
2742 goto done;
2743 }
2744
2745 if (NT_STATUS_IS_OK(result)) {
2746 struct netr_SamInfo3 *info3 = NULL;
2747
2748 result = map_validation_to_info3(state->mem_ctx,
2749 validation_level,
2750 validation,
2751 &info3);
2752 if (!NT_STATUS_IS_OK(result)) {
2753 goto done;
2754 }
2755
2756 /* Check if the user is in the right group */
2757 result = check_info3_in_group(
2758 info3,
2759 state->request->data.auth_crap.require_membership_of_sid);
2760 if (!NT_STATUS_IS_OK(result)) {
2761 DEBUG(3, ("User %s is not in the required group (%s), so "
2762 "crap authentication is rejected\n",
2763 state->request->data.auth_crap.user,
2764 state->request->data.auth_crap.require_membership_of_sid));
2765 goto done;
2766 }
2767
2768 if (!is_allowed_domain(info3->base.logon_domain.string)) {
2769 DBG_NOTICE("Authentication failed for user [%s] "
2770 "from firewalled domain [%s]\n",
2771 info3->base.account_name.string,
2772 info3->base.logon_domain.string);
2773 state->response->data.auth.authoritative = true;
2774 result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
2775 goto done;
2776 }
2777
2778 result = append_auth_data(state->mem_ctx, state->response,
2779 state->request->flags,
2780 validation_level,
2781 validation,
2782 name_domain, name_user);
2783 if (!NT_STATUS_IS_OK(result)) {
2784 goto done;
2785 }
2786 }
2787
2788 done:
2789
2790 if (state->request->flags & WBFLAG_PAM_NT_STATUS_SQUASH) {
2791 result = nt_status_squash(result);
2792 }
2793
2794 set_auth_errors(state->response, result);
2795 /*
2796 * Log the winbind pam authentication, the logon_id will tie this to
2797 * any of the logons invoked from this request.
2798 */
2799 log_authentication(
2800 state->mem_ctx,
2801 domain,
2802 state,
2803 start_time,
2804 logon_id,
2805 "NTLM_AUTH",
2806 name_user,
2807 name_domain,
2808 workstation,
2809 lm_resp,
2810 nt_resp,
2811 remote,
2812 local,
2813 result);
2814
2815 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2816 }
2817
2818 enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact_domain,
2819 struct winbindd_cli_state *state)
2820 {
2821 char *oldpass;
2822 char *newpass = NULL;
2823 struct policy_handle dom_pol;
2824 struct rpc_pipe_client *cli = NULL;
2825 bool got_info = false;
2826 struct samr_DomInfo1 *info = NULL;
2827 struct userPwdChangeFailureInformation *reject = NULL;
2828 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2829 fstring namespace, domain, user;
2830 struct dcerpc_binding_handle *b = NULL;
2831 bool ok;
2832
2833 ZERO_STRUCT(dom_pol);
2834
2835 DEBUG(3, ("[%5lu]: dual pam chauthtok %s\n", (unsigned long)state->pid,
2836 state->request->data.auth.user));
2837
2838 ok = parse_domain_user(state->request->data.chauthtok.user,
2839 namespace,
2840 domain,
2841 user);
2842 if (!ok) {
2843 goto done;
2844 }
2845
2846 if (!is_allowed_domain(domain)) {
2847 DBG_NOTICE("Authentication failed for user [%s] "
2848 "from firewalled domain [%s]\n",
2849 user, domain);
2850 result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
2851 goto done;
2852 }
2853
2854 /* Change password */
2855
2856 oldpass = state->request->data.chauthtok.oldpass;
2857 newpass = state->request->data.chauthtok.newpass;
2858
2859 /* Initialize reject reason */
2860 state->response->data.auth.reject_reason = Undefined;
2861
2862 /* Get sam handle */
2863
2864 result = cm_connect_sam(contact_domain, state->mem_ctx, true, &cli,
2865 &dom_pol);
2866 if (!NT_STATUS_IS_OK(result)) {
2867 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
2868 goto done;
2869 }
2870
2871 b = cli->binding_handle;
2872
2873 result = rpccli_samr_chgpasswd_user3(cli, state->mem_ctx,
2874 user,
2875 newpass,
2876 oldpass,
2877 &info,
2878 &reject);
2879
2880 /* Windows 2003 returns NT_STATUS_PASSWORD_RESTRICTION */
2881
2882 if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) ) {
2883
2884 fill_in_password_policy(state->response, info);
2885
2886 state->response->data.auth.reject_reason =
2887 reject->extendedFailureReason;
2888
2889 got_info = true;
2890 }
2891
2892 /* atm the pidl generated rpccli_samr_ChangePasswordUser3 function will
2893 * return with NT_STATUS_BUFFER_TOO_SMALL for w2k dcs as w2k just
2894 * returns with 4byte error code (NT_STATUS_NOT_SUPPORTED) which is too
2895 * short to comply with the samr_ChangePasswordUser3 idl - gd */
2896
2897 /* only fallback when the chgpasswd_user3 call is not supported */
2898 if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE) ||
2899 NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) ||
2900 NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL) ||
2901 NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
2902
2903 DEBUG(10,("Password change with chgpasswd_user3 failed with: %s, retrying chgpasswd_user2\n",
2904 nt_errstr(result)));
2905
2906 result = rpccli_samr_chgpasswd_user2(cli, state->mem_ctx, user, newpass, oldpass);
2907
2908 /* Windows 2000 returns NT_STATUS_ACCOUNT_RESTRICTION.
2909 Map to the same status code as Windows 2003. */
2910
2911 if ( NT_STATUS_EQUAL(NT_STATUS_ACCOUNT_RESTRICTION, result ) ) {
2912 result = NT_STATUS_PASSWORD_RESTRICTION;
2913 }
2914 }
2915
2916 done:
2917
2918 if (NT_STATUS_IS_OK(result)
2919 && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN)
2920 && lp_winbind_offline_logon()) {
2921 result = winbindd_update_creds_by_name(contact_domain, user,
2922 newpass);
2923 /* Again, this happens when we login from gdm or xdm
2924 * and the password expires, *BUT* cached crendentials
2925 * doesn't exist. winbindd_update_creds_by_name()
2926 * returns NT_STATUS_NO_SUCH_USER.
2927 * This is not a failure.
2928 * --- BoYang
2929 * */
2930 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
2931 result = NT_STATUS_OK;
2932 }
2933
2934 if (!NT_STATUS_IS_OK(result)) {
2935 DEBUG(10, ("Failed to store creds: %s\n",
2936 nt_errstr(result)));
2937 goto process_result;
2938 }
2939 }
2940
2941 if (!NT_STATUS_IS_OK(result) && !got_info && contact_domain) {
2942
2943 NTSTATUS policy_ret;
2944
2945 policy_ret = fillup_password_policy(
2946 contact_domain, state->response);
2947
2948 /* failure of this is non critical, it will just provide no
2949 * additional information to the client why the change has
2950 * failed - Guenther */
2951
2952 if (!NT_STATUS_IS_OK(policy_ret)) {
2953 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(policy_ret)));
2954 goto process_result;
2955 }
2956 }
2957
2958 process_result:
2959
2960 if (strequal(contact_domain->name, get_global_sam_name())) {
2961 /* FIXME: internal rpc pipe does not cache handles yet */
2962 if (b) {
2963 if (is_valid_policy_hnd(&dom_pol)) {
2964 NTSTATUS _result;
2965 dcerpc_samr_Close(b, state->mem_ctx, &dom_pol, &_result);
2966 }
2967 TALLOC_FREE(cli);
2968 }
2969 }
2970
2971 set_auth_errors(state->response, result);
2972
2973 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2974 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2975 domain,
2976 user,
2977 state->response->data.auth.nt_status_string,
2978 state->response->data.auth.pam_error));
2979
2980 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2981 }
2982
2983 enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
2984 struct winbindd_cli_state *state)
2985 {
2986 NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
2987
2988 DEBUG(3, ("[%5lu]: pam dual logoff %s\n", (unsigned long)state->pid,
2989 state->request->data.logoff.user));
2990
2991 if (!(state->request->flags & WBFLAG_PAM_KRB5)) {
2992 result = NT_STATUS_OK;
2993 goto process_result;
2994 }
2995
2996 if (state->request->data.logoff.krb5ccname[0] == '\0') {
2997 result = NT_STATUS_OK;
2998 goto process_result;
2999 }
3000
3001 #ifdef HAVE_KRB5
3002
3003 if (state->request->data.logoff.uid == (uid_t)-1) {
3004 DEBUG(0,("winbindd_pam_logoff: invalid uid\n"));
3005 goto process_result;
3006 }
3007
3008 /* what we need here is to find the corresponding krb5 ccache name *we*
3009 * created for a given username and destroy it */
3010
3011 if (!ccache_entry_exists(state->request->data.logoff.user)) {
3012 result = NT_STATUS_OK;
3013 DEBUG(10,("winbindd_pam_logoff: no entry found.\n"));
3014 goto process_result;
3015 }
3016
3017 if (!ccache_entry_identical(state->request->data.logoff.user,
3018 state->request->data.logoff.uid,
3019 state->request->data.logoff.krb5ccname)) {
3020 DEBUG(0,("winbindd_pam_logoff: cached entry differs.\n"));
3021 goto process_result;
3022 }
3023
3024 result = remove_ccache(state->request->data.logoff.user);
3025 if (!NT_STATUS_IS_OK(result)) {
3026 DEBUG(0,("winbindd_pam_logoff: failed to remove ccache: %s\n",
3027 nt_errstr(result)));
3028 goto process_result;
3029 }
3030
3031 /*
3032 * Remove any mlock'ed memory creds in the child
3033 * we might be using for krb5 ticket renewal.
3034 */
3035
3036 winbindd_delete_memory_creds(state->request->data.logoff.user);
3037
3038 #else
3039 result = NT_STATUS_NOT_SUPPORTED;
3040 #endif
3041
3042 process_result:
3043
3044
3045 set_auth_errors(state->response, result);
3046
3047 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
3048 }
3049
3050 /* Change user password with auth crap*/
3051
3052 enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domain *domainSt, struct winbindd_cli_state *state)
3053 {
3054 NTSTATUS result;
3055 DATA_BLOB new_nt_password;
3056 DATA_BLOB old_nt_hash_enc;
3057 DATA_BLOB new_lm_password;
3058 DATA_BLOB old_lm_hash_enc;
3059 fstring namespace, domain, user;
3060 struct policy_handle dom_pol;
3061 struct winbindd_domain *contact_domain = domainSt;
3062 struct rpc_pipe_client *cli = NULL;
3063 struct dcerpc_binding_handle *b = NULL;
3064
3065 ZERO_STRUCT(dom_pol);
3066
3067 /* Ensure null termination */
3068 state->request->data.chng_pswd_auth_crap.user[
3069 sizeof(state->request->data.chng_pswd_auth_crap.user)-1]=0;
3070 state->request->data.chng_pswd_auth_crap.domain[
3071 sizeof(state->request->data.chng_pswd_auth_crap.domain)-1]=0;
3072 domain[0] = '\0';
3073 namespace[0] = '\0';
3074 user[0] = '\0';
3075
3076 DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
3077 (unsigned long)state->pid,
3078 state->request->data.chng_pswd_auth_crap.domain,
3079 state->request->data.chng_pswd_auth_crap.user));
3080
3081 if (lp_winbind_offline_logon()) {
3082 DEBUG(0,("Refusing password change as winbind offline logons are enabled. "));
3083 DEBUGADD(0,("Changing passwords here would risk inconsistent logons\n"));
3084 result = NT_STATUS_ACCESS_DENIED;
3085 goto done;
3086 }
3087
3088 if (*state->request->data.chng_pswd_auth_crap.domain) {
3089 fstrcpy(domain,state->request->data.chng_pswd_auth_crap.domain);
3090 } else {
3091 bool ok;
3092
3093 ok = parse_domain_user(state->request->data.chng_pswd_auth_crap.user,
3094 namespace,
3095 domain,
3096 user);
3097 if (!ok) {
3098 result = NT_STATUS_INVALID_PARAMETER;
3099 goto done;
3100 }
3101
3102 if(!*domain) {
3103 DEBUG(3,("no domain specified with username (%s) - "
3104 "failing auth\n",
3105 state->request->data.chng_pswd_auth_crap.user));
3106 result = NT_STATUS_NO_SUCH_USER;
3107 goto done;
3108 }
3109 }
3110
3111 if (!*domain && lp_winbind_use_default_domain()) {
3112 fstrcpy(domain,lp_workgroup());
3113 }
3114
3115 if (!is_allowed_domain(domain)) {
3116 DBG_NOTICE("Authentication failed for user [%s] "
3117 "from firewalled domain [%s]\n",
3118 state->request->data.chng_pswd_auth_crap.user,
3119 domain);
3120 result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
3121 goto done;
3122 }
3123
3124 if(!*user) {
3125 fstrcpy(user, state->request->data.chng_pswd_auth_crap.user);
3126 }
3127
3128 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n",
3129 (unsigned long)state->pid, domain, user));
3130
3131 /* Change password */
3132 new_nt_password = data_blob_const(
3133 state->request->data.chng_pswd_auth_crap.new_nt_pswd,
3134 state->request->data.chng_pswd_auth_crap.new_nt_pswd_len);
3135
3136 old_nt_hash_enc = data_blob_const(
3137 state->request->data.chng_pswd_auth_crap.old_nt_hash_enc,
3138 state->request->data.chng_pswd_auth_crap.old_nt_hash_enc_len);
3139
3140 if(state->request->data.chng_pswd_auth_crap.new_lm_pswd_len > 0) {
3141 new_lm_password = data_blob_const(
3142 state->request->data.chng_pswd_auth_crap.new_lm_pswd,
3143 state->request->data.chng_pswd_auth_crap.new_lm_pswd_len);
3144
3145 old_lm_hash_enc = data_blob_const(
3146 state->request->data.chng_pswd_auth_crap.old_lm_hash_enc,
3147 state->request->data.chng_pswd_auth_crap.old_lm_hash_enc_len);
3148 } else {
3149 new_lm_password = data_blob_null;
3150 old_lm_hash_enc = data_blob_null;
3151 }
3152
3153 /* Get sam handle */
3154
3155 result = cm_connect_sam(contact_domain, state->mem_ctx, true, &cli, &dom_pol);
3156 if (!NT_STATUS_IS_OK(result)) {
3157 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
3158 goto done;
3159 }
3160
3161 b = cli->binding_handle;
3162
3163 result = rpccli_samr_chng_pswd_auth_crap(
3164 cli, state->mem_ctx, user, new_nt_password, old_nt_hash_enc,
3165 new_lm_password, old_lm_hash_enc);
3166
3167 done:
3168
3169 if (strequal(contact_domain->name, get_global_sam_name())) {
3170 /* FIXME: internal rpc pipe does not cache handles yet */
3171 if (b) {
3172 if (is_valid_policy_hnd(&dom_pol)) {
3173 NTSTATUS _result;
3174 dcerpc_samr_Close(b, state->mem_ctx, &dom_pol, &_result);
3175 }
3176 TALLOC_FREE(cli);
3177 }
3178 }
3179
3180 set_auth_errors(state->response, result);
3181
3182 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
3183 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
3184 domain, user,
3185 state->response->data.auth.nt_status_string,
3186 state->response->data.auth.pam_error));
3187
3188 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
3189 }
3190
3191 #ifdef HAVE_KRB5
3192 static NTSTATUS extract_pac_vrfy_sigs(TALLOC_CTX *mem_ctx, DATA_BLOB pac_blob,
3193 struct PAC_DATA **p_pac_data)
3194 {
3195 krb5_context krbctx = NULL;
3196 krb5_error_code k5ret;
3197 krb5_keytab keytab;
3198 krb5_kt_cursor cursor;
3199 krb5_keytab_entry entry;
3200 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
3201
3202 ZERO_STRUCT(entry);
3203 ZERO_STRUCT(cursor);
3204
3205 k5ret = smb_krb5_init_context_common(&krbctx);
3206 if (k5ret) {
3207 DBG_ERR("kerberos init context failed (%s)\n",
3208 error_message(k5ret));
3209 status = krb5_to_nt_status(k5ret);
3210 goto out;
3211 }
3212
3213 k5ret = gse_krb5_get_server_keytab(krbctx, &keytab);
3214 if (k5ret) {
3215 DEBUG(1, ("Failed to get keytab: %s\n",
3216 error_message(k5ret)));
3217 status = krb5_to_nt_status(k5ret);
3218 goto out_free;
3219 }
3220
3221 k5ret = krb5_kt_start_seq_get(krbctx, keytab, &cursor);
3222 if (k5ret) {
3223 DEBUG(1, ("Failed to start seq: %s\n",
3224 error_message(k5ret)));
3225 status = krb5_to_nt_status(k5ret);
3226 goto out_keytab;
3227 }
3228
3229 k5ret = krb5_kt_next_entry(krbctx, keytab, &entry, &cursor);
3230 while (k5ret == 0) {
3231 status = kerberos_decode_pac(mem_ctx,
3232 pac_blob,
3233 krbctx,
3234 NULL, /* krbtgt_keyblock */
3235 KRB5_KT_KEY(&entry), /* service_keyblock */
3236 NULL, /* client_principal */
3237 0, /* tgs_authtime */
3238 p_pac_data);
3239 if (NT_STATUS_IS_OK(status)) {
3240 break;
3241 }
3242 k5ret = smb_krb5_kt_free_entry(krbctx, &entry);
3243 k5ret = krb5_kt_next_entry(krbctx, keytab, &entry, &cursor);
3244 }
3245
3246 k5ret = krb5_kt_end_seq_get(krbctx, keytab, &cursor);
3247 if (k5ret) {
3248 DEBUG(1, ("Failed to end seq: %s\n",
3249 error_message(k5ret)));
3250 }
3251 out_keytab:
3252 k5ret = krb5_kt_close(krbctx, keytab);
3253 if (k5ret) {
3254 DEBUG(1, ("Failed to close keytab: %s\n",
3255 error_message(k5ret)));
3256 }
3257 out_free:
3258 krb5_free_context(krbctx);
3259 out:
3260 return status;
3261 }
3262
3263 NTSTATUS winbindd_pam_auth_pac_verify(struct winbindd_cli_state *state,
3264 bool *p_is_trusted,
3265 uint16_t *p_validation_level,
3266 union netr_Validation **p_validation)
3267 {
3268 struct winbindd_request *req = state->request;
3269 DATA_BLOB pac_blob;
3270 struct PAC_DATA *pac_data = NULL;
3271 struct PAC_LOGON_INFO *logon_info = NULL;
3272 struct PAC_UPN_DNS_INFO *upn_dns_info = NULL;
3273 struct netr_SamInfo6 *info6 = NULL;
3274 uint16_t validation_level = 0;
3275 union netr_Validation *validation = NULL;
3276 struct netr_SamInfo3 *info3_copy = NULL;
3277 NTSTATUS result;
3278 bool is_trusted = false;
3279 uint32_t i;
3280
3281 *p_is_trusted = false;
3282 *p_validation_level = 0;
3283 *p_validation = NULL;
3284
3285 pac_blob = data_blob_const(req->extra_data.data, req->extra_len);
3286 result = extract_pac_vrfy_sigs(state->mem_ctx, pac_blob, &pac_data);
3287 if (NT_STATUS_IS_OK(result)) {
3288 is_trusted = true;
3289 }
3290 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
3291 /* Try without signature verification */
3292 result = kerberos_decode_pac(state->mem_ctx,
3293 pac_blob,
3294 NULL, /* krb5_context */
3295 NULL, /* krbtgt_keyblock */
3296 NULL, /* service_keyblock */
3297 NULL, /* client_principal */
3298 0, /* tgs_authtime */
3299 &pac_data);
3300 }
3301 if (!NT_STATUS_IS_OK(result)) {
3302 DEBUG(1, ("Error during PAC signature verification: %s\n",
3303 nt_errstr(result)));
3304 return result;
3305 }
3306
3307 for (i=0; i < pac_data->num_buffers; i++) {
3308 if (pac_data->buffers[i].type == PAC_TYPE_LOGON_INFO) {
3309 logon_info = pac_data->buffers[i].info->logon_info.info;
3310 continue;
3311 }
3312 if (pac_data->buffers[i].type == PAC_TYPE_UPN_DNS_INFO) {
3313 upn_dns_info = &pac_data->buffers[i].info->upn_dns_info;
3314 continue;
3315 }
3316 }
3317
3318 result = create_info6_from_pac(state->mem_ctx,
3319 logon_info,
3320 upn_dns_info,
3321 &info6);
3322 if (!NT_STATUS_IS_OK(result)) {
3323 return result;
3324 }
3325
3326 if (!is_allowed_domain(info6->base.logon_domain.string)) {
3327 DBG_NOTICE("Authentication failed for user [%s] "
3328 "from firewalled domain [%s]\n",
3329 info6->base.account_name.string,
3330 info6->base.logon_domain.string);
3331 return NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
3332 }
3333
3334 result = map_info6_to_validation(state->mem_ctx,
3335 info6,
3336 &validation_level,
3337 &validation);
3338 if (!NT_STATUS_IS_OK(result)) {
3339 return result;
3340 }
3341
3342 result = map_validation_to_info3(state->mem_ctx,
3343 validation_level,
3344 validation,
3345 &info3_copy);
3346 if (!NT_STATUS_IS_OK(result)) {
3347 return result;
3348 }
3349
3350 if (is_trusted) {
3351 /*
3352 * Signature verification succeeded, we can
3353 * trust the PAC and prime the netsamlogon
3354 * and name2sid caches. DO NOT DO THIS
3355 * in the signature verification failed
3356 * code path.
3357 */
3358 struct winbindd_domain *domain = NULL;
3359
3360 netsamlogon_cache_store(NULL, info3_copy);
3361
3362 /*
3363 * We're in the parent here, so find the child
3364 * pointer from the PAC domain name.
3365 */
3366 domain = find_lookup_domain_from_name(
3367 info3_copy->base.logon_domain.string);
3368 if (domain && domain->primary ) {
3369 struct dom_sid user_sid;
3370 struct dom_sid_buf buf;
3371
3372 sid_compose(&user_sid,
3373 info3_copy->base.domain_sid,
3374 info3_copy->base.rid);
3375
3376 cache_name2sid_trusted(domain,
3377 info3_copy->base.logon_domain.string,
3378 info3_copy->base.account_name.string,
3379 SID_NAME_USER,
3380 &user_sid);
3381
3382 DBG_INFO("PAC for user %s\\%s SID %s primed cache\n",
3383 info3_copy->base.logon_domain.string,
3384 info3_copy->base.account_name.string,
3385 dom_sid_str_buf(&user_sid, &buf));
3386 }
3387 }
3388
3389 *p_is_trusted = is_trusted;
3390 *p_validation_level = validation_level;
3391 *p_validation = validation;
3392 return NT_STATUS_OK;
3393 }
3394 #else /* HAVE_KRB5 */
3395 NTSTATUS winbindd_pam_auth_pac_verify(struct winbindd_cli_state *state,
3396 bool *p_is_trusted,
3397 uint16_t *p_validation_level,
3398 union netr_Validation **p_validation);
3399 {
3400
3401 *p_is_trusted = false;
3402 *p_validation_level = 0;
3403 *p_validation = NULL;
3404 return NT_STATUS_NO_SUCH_USER;
3405 }
3406 #endif /* HAVE_KRB5 */
Samba GIT mirror