search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r25528: Only do transactions on registry.tdb if anything changes
[Samba.git] / source / auth / auth_util.c
blob325b05f80f8d678bd082b63e387e8388b5f76490
1 /*
2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Volker Lendecke 2006
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25
26 #undef DBGC_CLASS
27 #define DBGC_CLASS DBGC_AUTH
28
29 /****************************************************************************
30 Create a UNIX user on demand.
31 ****************************************************************************/
32
33 static int smb_create_user(const char *domain, const char *unix_username, const char *homedir)
34 {
35 pstring add_script;
36 int ret;
37
38 pstrcpy(add_script, lp_adduser_script());
39 if (! *add_script)
40 return -1;
41 all_string_sub(add_script, "%u", unix_username, sizeof(pstring));
42 if (domain)
43 all_string_sub(add_script, "%D", domain, sizeof(pstring));
44 if (homedir)
45 all_string_sub(add_script, "%H", homedir, sizeof(pstring));
46 ret = smbrun(add_script,NULL);
47 flush_pwnam_cache();
48 DEBUG(ret ? 0 : 3,("smb_create_user: Running the command `%s' gave %d\n",add_script,ret));
49 return ret;
50 }
51
52 /****************************************************************************
53 Create an auth_usersupplied_data structure
54 ****************************************************************************/
55
56 static NTSTATUS make_user_info(auth_usersupplied_info **user_info,
57 const char *smb_name,
58 const char *internal_username,
59 const char *client_domain,
60 const char *domain,
61 const char *wksta_name,
62 DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd,
63 DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd,
64 DATA_BLOB *plaintext,
65 BOOL encrypted)
66 {
67
68 DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name));
69
70 *user_info = SMB_MALLOC_P(auth_usersupplied_info);
71 if (*user_info == NULL) {
72 DEBUG(0,("malloc failed for user_info (size %lu)\n", (unsigned long)sizeof(*user_info)));
73 return NT_STATUS_NO_MEMORY;
74 }
75
76 ZERO_STRUCTP(*user_info);
77
78 DEBUG(5,("making strings for %s's user_info struct\n", internal_username));
79
80 (*user_info)->smb_name = SMB_STRDUP(smb_name);
81 if ((*user_info)->smb_name == NULL) {
82 free_user_info(user_info);
83 return NT_STATUS_NO_MEMORY;
84 }
85
86 (*user_info)->internal_username = SMB_STRDUP(internal_username);
87 if ((*user_info)->internal_username == NULL) {
88 free_user_info(user_info);
89 return NT_STATUS_NO_MEMORY;
90 }
91
92 (*user_info)->domain = SMB_STRDUP(domain);
93 if ((*user_info)->domain == NULL) {
94 free_user_info(user_info);
95 return NT_STATUS_NO_MEMORY;
96 }
97
98 (*user_info)->client_domain = SMB_STRDUP(client_domain);
99 if ((*user_info)->client_domain == NULL) {
100 free_user_info(user_info);
101 return NT_STATUS_NO_MEMORY;
102 }
103
104 (*user_info)->wksta_name = SMB_STRDUP(wksta_name);
105 if ((*user_info)->wksta_name == NULL) {
106 free_user_info(user_info);
107 return NT_STATUS_NO_MEMORY;
108 }
109
110 DEBUG(5,("making blobs for %s's user_info struct\n", internal_username));
111
112 if (lm_pwd)
113 (*user_info)->lm_resp = data_blob(lm_pwd->data, lm_pwd->length);
114 if (nt_pwd)
115 (*user_info)->nt_resp = data_blob(nt_pwd->data, nt_pwd->length);
116 if (lm_interactive_pwd)
117 (*user_info)->lm_interactive_pwd = data_blob(lm_interactive_pwd->data, lm_interactive_pwd->length);
118 if (nt_interactive_pwd)
119 (*user_info)->nt_interactive_pwd = data_blob(nt_interactive_pwd->data, nt_interactive_pwd->length);
120
121 if (plaintext)
122 (*user_info)->plaintext_password = data_blob(plaintext->data, plaintext->length);
123
124 (*user_info)->encrypted = encrypted;
125
126 (*user_info)->logon_parameters = 0;
127
128 DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name));
129
130 return NT_STATUS_OK;
131 }
132
133 /****************************************************************************
134 Create an auth_usersupplied_data structure after appropriate mapping.
135 ****************************************************************************/
136
137 NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
138 const char *smb_name,
139 const char *client_domain,
140 const char *wksta_name,
141 DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd,
142 DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd,
143 DATA_BLOB *plaintext,
144 BOOL encrypted)
145 {
146 const char *domain;
147 NTSTATUS result;
148 BOOL was_mapped;
149 fstring internal_username;
150 fstrcpy(internal_username, smb_name);
151 was_mapped = map_username(internal_username);
152
153 DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n",
154 client_domain, smb_name, wksta_name));
155
156 /* don't allow "" as a domain, fixes a Win9X bug
157 where it doens't supply a domain for logon script
158 'net use' commands. */
159
160 if ( *client_domain )
161 domain = client_domain;
162 else
163 domain = lp_workgroup();
164
165 /* do what win2k does. Always map unknown domains to our own
166 and let the "passdb backend" handle unknown users. */
167
168 if ( !is_trusted_domain(domain) && !strequal(domain, get_global_sam_name()) )
169 domain = my_sam_name();
170
171 /* we know that it is a trusted domain (and we are allowing them) or it is our domain */
172
173 result = make_user_info(user_info, smb_name, internal_username,
174 client_domain, domain, wksta_name,
175 lm_pwd, nt_pwd,
176 lm_interactive_pwd, nt_interactive_pwd,
177 plaintext, encrypted);
178 if (NT_STATUS_IS_OK(result)) {
179 (*user_info)->was_mapped = was_mapped;
180 }
181 return result;
182 }
183
184 /****************************************************************************
185 Create an auth_usersupplied_data, making the DATA_BLOBs here.
186 Decrypt and encrypt the passwords.
187 ****************************************************************************/
188
189 BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info,
190 const char *smb_name,
191 const char *client_domain,
192 const char *wksta_name,
193 uint32 logon_parameters,
194 const uchar *lm_network_pwd,
195 int lm_pwd_len,
196 const uchar *nt_network_pwd,
197 int nt_pwd_len)
198 {
199 BOOL ret;
200 NTSTATUS status;
201 DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len);
202 DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
203
204 status = make_user_info_map(user_info,
205 smb_name, client_domain,
206 wksta_name,
207 lm_pwd_len ? &lm_blob : NULL,
208 nt_pwd_len ? &nt_blob : NULL,
209 NULL, NULL, NULL,
210 True);
211
212 if (NT_STATUS_IS_OK(status)) {
213 (*user_info)->logon_parameters = logon_parameters;
214 }
215 ret = NT_STATUS_IS_OK(status) ? True : False;
216
217 data_blob_free(&lm_blob);
218 data_blob_free(&nt_blob);
219 return ret;
220 }
221
222 /****************************************************************************
223 Create an auth_usersupplied_data, making the DATA_BLOBs here.
224 Decrypt and encrypt the passwords.
225 ****************************************************************************/
226
227 BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
228 const char *smb_name,
229 const char *client_domain,
230 const char *wksta_name,
231 uint32 logon_parameters,
232 const uchar chal[8],
233 const uchar lm_interactive_pwd[16],
234 const uchar nt_interactive_pwd[16],
235 const uchar *dc_sess_key)
236 {
237 unsigned char lm_pwd[16];
238 unsigned char nt_pwd[16];
239 unsigned char local_lm_response[24];
240 unsigned char local_nt_response[24];
241 unsigned char key[16];
242
243 ZERO_STRUCT(key);
244 memcpy(key, dc_sess_key, 8);
245
246 if (lm_interactive_pwd)
247 memcpy(lm_pwd, lm_interactive_pwd, sizeof(lm_pwd));
248
249 if (nt_interactive_pwd)
250 memcpy(nt_pwd, nt_interactive_pwd, sizeof(nt_pwd));
251
252 #ifdef DEBUG_PASSWORD
253 DEBUG(100,("key:"));
254 dump_data(100, key, sizeof(key));
255
256 DEBUG(100,("lm owf password:"));
257 dump_data(100, lm_pwd, sizeof(lm_pwd));
258
259 DEBUG(100,("nt owf password:"));
260 dump_data(100, nt_pwd, sizeof(nt_pwd));
261 #endif
262
263 if (lm_interactive_pwd)
264 SamOEMhash(lm_pwd, key, sizeof(lm_pwd));
265
266 if (nt_interactive_pwd)
267 SamOEMhash(nt_pwd, key, sizeof(nt_pwd));
268
269 #ifdef DEBUG_PASSWORD
270 DEBUG(100,("decrypt of lm owf password:"));
271 dump_data(100, lm_pwd, sizeof(lm_pwd));
272
273 DEBUG(100,("decrypt of nt owf password:"));
274 dump_data(100, nt_pwd, sizeof(nt_pwd));
275 #endif
276
277 if (lm_interactive_pwd)
278 SMBOWFencrypt(lm_pwd, chal,
279 local_lm_response);
280
281 if (nt_interactive_pwd)
282 SMBOWFencrypt(nt_pwd, chal,
283 local_nt_response);
284
285 /* Password info paranoia */
286 ZERO_STRUCT(key);
287
288 {
289 BOOL ret;
290 NTSTATUS nt_status;
291 DATA_BLOB local_lm_blob;
292 DATA_BLOB local_nt_blob;
293
294 DATA_BLOB lm_interactive_blob;
295 DATA_BLOB nt_interactive_blob;
296
297 if (lm_interactive_pwd) {
298 local_lm_blob = data_blob(local_lm_response,
299 sizeof(local_lm_response));
300 lm_interactive_blob = data_blob(lm_pwd,
301 sizeof(lm_pwd));
302 ZERO_STRUCT(lm_pwd);
303 }
304
305 if (nt_interactive_pwd) {
306 local_nt_blob = data_blob(local_nt_response,
307 sizeof(local_nt_response));
308 nt_interactive_blob = data_blob(nt_pwd,
309 sizeof(nt_pwd));
310 ZERO_STRUCT(nt_pwd);
311 }
312
313 nt_status = make_user_info_map(
314 user_info,
315 smb_name, client_domain, wksta_name,
316 lm_interactive_pwd ? &local_lm_blob : NULL,
317 nt_interactive_pwd ? &local_nt_blob : NULL,
318 lm_interactive_pwd ? &lm_interactive_blob : NULL,
319 nt_interactive_pwd ? &nt_interactive_blob : NULL,
320 NULL, True);
321
322 if (NT_STATUS_IS_OK(nt_status)) {
323 (*user_info)->logon_parameters = logon_parameters;
324 }
325
326 ret = NT_STATUS_IS_OK(nt_status) ? True : False;
327 data_blob_free(&local_lm_blob);
328 data_blob_free(&local_nt_blob);
329 data_blob_free(&lm_interactive_blob);
330 data_blob_free(&nt_interactive_blob);
331 return ret;
332 }
333 }
334
335
336 /****************************************************************************
337 Create an auth_usersupplied_data structure
338 ****************************************************************************/
339
340 BOOL make_user_info_for_reply(auth_usersupplied_info **user_info,
341 const char *smb_name,
342 const char *client_domain,
343 const uint8 chal[8],
344 DATA_BLOB plaintext_password)
345 {
346
347 DATA_BLOB local_lm_blob;
348 DATA_BLOB local_nt_blob;
349 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
350
351 /*
352 * Not encrypted - do so.
353 */
354
355 DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted "
356 "format.\n"));
357
358 if (plaintext_password.data) {
359 unsigned char local_lm_response[24];
360
361 #ifdef DEBUG_PASSWORD
362 DEBUG(10,("Unencrypted password (len %d):\n",
363 (int)plaintext_password.length));
364 dump_data(100, plaintext_password.data,
365 plaintext_password.length);
366 #endif
367
368 SMBencrypt( (const char *)plaintext_password.data,
369 (const uchar*)chal, local_lm_response);
370 local_lm_blob = data_blob(local_lm_response, 24);
371
372 /* We can't do an NT hash here, as the password needs to be
373 case insensitive */
374 local_nt_blob = data_blob_null;
375
376 } else {
377 local_lm_blob = data_blob_null;
378 local_nt_blob = data_blob_null;
379 }
380
381 ret = make_user_info_map(
382 user_info, smb_name, client_domain,
383 get_remote_machine_name(),
384 local_lm_blob.data ? &local_lm_blob : NULL,
385 local_nt_blob.data ? &local_nt_blob : NULL,
386 NULL, NULL,
387 plaintext_password.data ? &plaintext_password : NULL,
388 False);
389
390 data_blob_free(&local_lm_blob);
391 return NT_STATUS_IS_OK(ret) ? True : False;
392 }
393
394 /****************************************************************************
395 Create an auth_usersupplied_data structure
396 ****************************************************************************/
397
398 NTSTATUS make_user_info_for_reply_enc(auth_usersupplied_info **user_info,
399 const char *smb_name,
400 const char *client_domain,
401 DATA_BLOB lm_resp, DATA_BLOB nt_resp)
402 {
403 return make_user_info_map(user_info, smb_name,
404 client_domain,
405 get_remote_machine_name(),
406 lm_resp.data ? &lm_resp : NULL,
407 nt_resp.data ? &nt_resp : NULL,
408 NULL, NULL, NULL,
409 True);
410 }
411
412 /****************************************************************************
413 Create a guest user_info blob, for anonymous authenticaion.
414 ****************************************************************************/
415
416 BOOL make_user_info_guest(auth_usersupplied_info **user_info)
417 {
418 NTSTATUS nt_status;
419
420 nt_status = make_user_info(user_info,
421 "","",
422 "","",
423 "",
424 NULL, NULL,
425 NULL, NULL,
426 NULL,
427 True);
428
429 return NT_STATUS_IS_OK(nt_status) ? True : False;
430 }
431
432 static int server_info_dtor(auth_serversupplied_info *server_info)
433 {
434 TALLOC_FREE(server_info->sam_account);
435 ZERO_STRUCTP(server_info);
436 return 0;
437 }
438
439 /***************************************************************************
440 Make a server_info struct. Free with TALLOC_FREE().
441 ***************************************************************************/
442
443 static auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx)
444 {
445 struct auth_serversupplied_info *result;
446
447 result = TALLOC_ZERO_P(mem_ctx, auth_serversupplied_info);
448 if (result == NULL) {
449 DEBUG(0, ("talloc failed\n"));
450 return NULL;
451 }
452
453 talloc_set_destructor(result, server_info_dtor);
454
455 /* Initialise the uid and gid values to something non-zero
456 which may save us from giving away root access if there
457 is a bug in allocating these fields. */
458
459 result->uid = -1;
460 result->gid = -1;
461 return result;
462 }
463
464 /***************************************************************************
465 Make (and fill) a user_info struct from a struct samu
466 ***************************************************************************/
467
468 NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
469 struct samu *sampass)
470 {
471 NTSTATUS status;
472 struct passwd *pwd;
473 gid_t *gids;
474 auth_serversupplied_info *result;
475 int i;
476 size_t num_gids;
477 DOM_SID unix_group_sid;
478
479
480 if ( !(result = make_server_info(NULL)) ) {
481 return NT_STATUS_NO_MEMORY;
482 }
483
484 if ( !(pwd = getpwnam_alloc(result, pdb_get_username(sampass))) ) {
485 DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n",
486 pdb_get_username(sampass)));
487 TALLOC_FREE(result);
488 return NT_STATUS_NO_SUCH_USER;
489 }
490
491 result->sam_account = sampass;
492 /* Ensure thaat the sampass will be freed with the result */
493 talloc_steal(result, sampass);
494 result->unix_name = pwd->pw_name;
495 /* Ensure that we keep pwd->pw_name, because we will free pwd below */
496 talloc_steal(result, pwd->pw_name);
497 result->gid = pwd->pw_gid;
498 result->uid = pwd->pw_uid;
499
500 TALLOC_FREE(pwd);
501
502 status = pdb_enum_group_memberships(result, sampass,
503 &result->sids, &gids,
504 &result->num_sids);
505
506 if (!NT_STATUS_IS_OK(status)) {
507 DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
508 nt_errstr(status)));
509 result->sam_account = NULL; /* Don't free on error exit. */
510 TALLOC_FREE(result);
511 return status;
512 }
513
514 /* Add the "Unix Group" SID for each gid to catch mapped groups
515 and their Unix equivalent. This is to solve the backwards
516 compatibility problem of 'valid users = +ntadmin' where
517 ntadmin has been paired with "Domain Admins" in the group
518 mapping table. Otherwise smb.conf would need to be changed
519 to 'valid user = "Domain Admins"'. --jerry */
520
521 num_gids = result->num_sids;
522 for ( i=0; i<num_gids; i++ ) {
523 if ( !gid_to_unix_groups_sid( gids[i], &unix_group_sid ) ) {
524 DEBUG(1,("make_server_info_sam: Failed to create SID "
525 "for gid %d!\n", gids[i]));
526 continue;
527 }
528 if (!add_sid_to_array_unique( result, &unix_group_sid,
529 &result->sids, &result->num_sids )) {
530 result->sam_account = NULL; /* Don't free on error exit. */
531 TALLOC_FREE(result);
532 return NT_STATUS_NO_MEMORY;
533 }
534 }
535
536 /* For now we throw away the gids and convert via sid_to_gid
537 * later. This needs fixing, but I'd like to get the code straight and
538 * simple first. */
539
540 TALLOC_FREE(gids);
541
542 DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n",
543 pdb_get_username(sampass), result->unix_name));
544
545 *server_info = result;
546
547 return NT_STATUS_OK;
548 }
549
550 static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token)
551 {
552 char *command;
553 char *group_sidstr;
554 size_t i;
555
556 if ((lp_log_nt_token_command() == NULL) ||
557 (strlen(lp_log_nt_token_command()) == 0)) {
558 return NT_STATUS_OK;
559 }
560
561 group_sidstr = talloc_strdup(tmp_ctx, "");
562 for (i=1; i<token->num_sids; i++) {
563 group_sidstr = talloc_asprintf(
564 tmp_ctx, "%s %s", group_sidstr,
565 sid_string_static(&token->user_sids[i]));
566 }
567
568 command = talloc_string_sub(
569 tmp_ctx, lp_log_nt_token_command(),
570 "%s", sid_string_static(&token->user_sids[0]));
571 command = talloc_string_sub(tmp_ctx, command, "%t", group_sidstr);
572
573 if (command == NULL) {
574 return NT_STATUS_NO_MEMORY;
575 }
576
577 DEBUG(8, ("running command: [%s]\n", command));
578 if (smbrun(command, NULL) != 0) {
579 DEBUG(0, ("Could not log NT token\n"));
580 return NT_STATUS_ACCESS_DENIED;
581 }
582
583 return NT_STATUS_OK;
584 }
585
586 /*
587 * Create the token to use from server_info->sam_account and
588 * server_info->sids (the info3/sam groups). Find the unix gids.
589 */
590
591 NTSTATUS create_local_token(auth_serversupplied_info *server_info)
592 {
593 TALLOC_CTX *mem_ctx;
594 NTSTATUS status;
595 size_t i;
596
597
598 mem_ctx = talloc_new(NULL);
599 if (mem_ctx == NULL) {
600 DEBUG(0, ("talloc_new failed\n"));
601 return NT_STATUS_NO_MEMORY;
602 }
603
604 /*
605 * If winbind is not around, we can not make much use of the SIDs the
606 * domain controller provided us with. Likewise if the user name was
607 * mapped to some local unix user.
608 */
609
610 if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
611 (server_info->was_mapped)) {
612 status = create_token_from_username(server_info,
613 server_info->unix_name,
614 server_info->guest,
615 &server_info->uid,
616 &server_info->gid,
617 &server_info->unix_name,
618 &server_info->ptok);
619
620 } else {
621 server_info->ptok = create_local_nt_token(
622 server_info,
623 pdb_get_user_sid(server_info->sam_account),
624 server_info->guest,
625 server_info->num_sids, server_info->sids);
626 status = server_info->ptok ?
627 NT_STATUS_OK : NT_STATUS_NO_SUCH_USER;
628 }
629
630 if (!NT_STATUS_IS_OK(status)) {
631 TALLOC_FREE(mem_ctx);
632 return status;
633 }
634
635 /* Convert the SIDs to gids. */
636
637 server_info->n_groups = 0;
638 server_info->groups = NULL;
639
640 /* Start at index 1, where the groups start. */
641
642 for (i=1; i<server_info->ptok->num_sids; i++) {
643 gid_t gid;
644 DOM_SID *sid = &server_info->ptok->user_sids[i];
645
646 if (!sid_to_gid(sid, &gid)) {
647 DEBUG(10, ("Could not convert SID %s to gid, "
648 "ignoring it\n", sid_string_static(sid)));
649 continue;
650 }
651 add_gid_to_array_unique(server_info, gid, &server_info->groups,
652 &server_info->n_groups);
653 }
654
655 debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok);
656
657 status = log_nt_token(mem_ctx, server_info->ptok);
658
659 TALLOC_FREE(mem_ctx);
660 return status;
661 }
662
663 /*
664 * Create an artificial NT token given just a username. (Initially indended
665 * for force user)
666 *
667 * We go through lookup_name() to avoid problems we had with 'winbind use
668 * default domain'.
669 *
670 * We have 3 cases:
671 *
672 * unmapped unix users: Go directly to nss to find the user's group.
673 *
674 * A passdb user: The list of groups is provided by pdb_enum_group_memberships.
675 *
676 * If the user is provided by winbind, the primary gid is set to "domain
677 * users" of the user's domain. For an explanation why this is necessary, see
678 * the thread starting at
679 * http://lists.samba.org/archive/samba-technical/2006-January/044803.html.
680 */
681
682 NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
683 BOOL is_guest,
684 uid_t *uid, gid_t *gid,
685 char **found_username,
686 struct nt_user_token **token)
687 {
688 NTSTATUS result = NT_STATUS_NO_SUCH_USER;
689 TALLOC_CTX *tmp_ctx;
690 DOM_SID user_sid;
691 enum lsa_SidType type;
692 gid_t *gids;
693 DOM_SID *group_sids;
694 DOM_SID unix_group_sid;
695 size_t num_group_sids;
696 size_t num_gids;
697 size_t i;
698
699 tmp_ctx = talloc_new(NULL);
700 if (tmp_ctx == NULL) {
701 DEBUG(0, ("talloc_new failed\n"));
702 return NT_STATUS_NO_MEMORY;
703 }
704
705 if (!lookup_name_smbconf(tmp_ctx, username, LOOKUP_NAME_ALL,
706 NULL, NULL, &user_sid, &type)) {
707 DEBUG(1, ("lookup_name_smbconf for %s failed\n", username));
708 goto done;
709 }
710
711 if (type != SID_NAME_USER) {
712 DEBUG(1, ("%s is a %s, not a user\n", username,
713 sid_type_lookup(type)));
714 goto done;
715 }
716
717 if (!sid_to_uid(&user_sid, uid)) {
718 DEBUG(1, ("sid_to_uid for %s (%s) failed\n",
719 username, sid_string_static(&user_sid)));
720 goto done;
721 }
722
723 if (sid_check_is_in_our_domain(&user_sid)) {
724
725 /* This is a passdb user, so ask passdb */
726
727 struct samu *sam_acct = NULL;
728
729 if ( !(sam_acct = samu_new( tmp_ctx )) ) {
730 result = NT_STATUS_NO_MEMORY;
731 goto done;
732 }
733
734 if (!pdb_getsampwsid(sam_acct, &user_sid)) {
735 DEBUG(1, ("pdb_getsampwsid(%s) for user %s failed\n",
736 sid_string_static(&user_sid), username));
737 DEBUGADD(1, ("Fall back to unix user %s\n", username));
738 goto unix_user;
739 }
740
741 result = pdb_enum_group_memberships(tmp_ctx, sam_acct,
742 &group_sids, &gids,
743 &num_group_sids);
744 if (!NT_STATUS_IS_OK(result)) {
745 DEBUG(10, ("enum_group_memberships failed for %s\n",
746 username));
747 DEBUGADD(1, ("Fall back to unix user %s\n", username));
748 goto unix_user;
749 }
750
751 /* see the smb_panic() in pdb_default_enum_group_memberships */
752 SMB_ASSERT(num_group_sids > 0);
753
754 *gid = gids[0];
755
756 /* Ensure we're returning the found_username on the right context. */
757 *found_username = talloc_strdup(mem_ctx,
758 pdb_get_username(sam_acct));
759
760 } else if (sid_check_is_in_unix_users(&user_sid)) {
761
762 /* This is a unix user not in passdb. We need to ask nss
763 * directly, without consulting passdb */
764
765 struct passwd *pass;
766
767 /*
768 * This goto target is used as a fallback for the passdb
769 * case. The concrete bug report is when passdb gave us an
770 * unmapped gid.
771 */
772
773 unix_user:
774
775 uid_to_unix_users_sid(*uid, &user_sid);
776
777 pass = getpwuid_alloc(tmp_ctx, *uid);
778 if (pass == NULL) {
779 DEBUG(1, ("getpwuid(%d) for user %s failed\n",
780 *uid, username));
781 goto done;
782 }
783
784 if (!getgroups_unix_user(tmp_ctx, username, pass->pw_gid,
785 &gids, &num_group_sids)) {
786 DEBUG(1, ("getgroups_unix_user for user %s failed\n",
787 username));
788 goto done;
789 }
790
791 if (num_group_sids) {
792 group_sids = TALLOC_ARRAY(tmp_ctx, DOM_SID, num_group_sids);
793 if (group_sids == NULL) {
794 DEBUG(1, ("TALLOC_ARRAY failed\n"));
795 result = NT_STATUS_NO_MEMORY;
796 goto done;
797 }
798 } else {
799 group_sids = NULL;
800 }
801
802 for (i=0; i<num_group_sids; i++) {
803 gid_to_sid(&group_sids[i], gids[i]);
804 }
805
806 /* In getgroups_unix_user we always set the primary gid */
807 SMB_ASSERT(num_group_sids > 0);
808
809 *gid = gids[0];
810
811 /* Ensure we're returning the found_username on the right context. */
812 *found_username = talloc_strdup(mem_ctx, pass->pw_name);
813 } else {
814
815 /* This user is from winbind, force the primary gid to the
816 * user's "domain users" group. Under certain circumstances
817 * (user comes from NT4), this might be a loss of
818 * information. But we can not rely on winbind getting the
819 * correct info. AD might prohibit winbind looking up that
820 * information. */
821
822 uint32 dummy;
823
824 num_group_sids = 1;
825 group_sids = TALLOC_ARRAY(tmp_ctx, DOM_SID, num_group_sids);
826 if (group_sids == NULL) {
827 DEBUG(1, ("TALLOC_ARRAY failed\n"));
828 result = NT_STATUS_NO_MEMORY;
829 goto done;
830 }
831
832 sid_copy(&group_sids[0], &user_sid);
833 sid_split_rid(&group_sids[0], &dummy);
834 sid_append_rid(&group_sids[0], DOMAIN_GROUP_RID_USERS);
835
836 if (!sid_to_gid(&group_sids[0], gid)) {
837 DEBUG(1, ("sid_to_gid(%s) failed\n",
838 sid_string_static(&group_sids[0])));
839 goto done;
840 }
841
842 gids = gid;
843
844 /* Ensure we're returning the found_username on the right context. */
845 *found_username = talloc_strdup(mem_ctx, username);
846 }
847
848 /* Add the "Unix Group" SID for each gid to catch mapped groups
849 and their Unix equivalent. This is to solve the backwards
850 compatibility problem of 'valid users = +ntadmin' where
851 ntadmin has been paired with "Domain Admins" in the group
852 mapping table. Otherwise smb.conf would need to be changed
853 to 'valid user = "Domain Admins"'. --jerry */
854
855 num_gids = num_group_sids;
856 for ( i=0; i<num_gids; i++ ) {
857 gid_t high, low;
858
859 /* don't pickup anything managed by Winbind */
860
861 if ( lp_idmap_gid(&low, &high) && (gids[i] >= low) && (gids[i] <= high) )
862 continue;
863
864 if ( !gid_to_unix_groups_sid( gids[i], &unix_group_sid ) ) {
865 DEBUG(1,("create_token_from_username: Failed to create SID "
866 "for gid %d!\n", gids[i]));
867 continue;
868 }
869 if (!add_sid_to_array_unique(tmp_ctx, &unix_group_sid,
870 &group_sids, &num_group_sids )) {
871 result = NT_STATUS_NO_MEMORY;
872 goto done;
873 }
874 }
875
876 /* Ensure we're creating the nt_token on the right context. */
877 *token = create_local_nt_token(mem_ctx, &user_sid,
878 is_guest, num_group_sids, group_sids);
879
880 if ((*token == NULL) || (*found_username == NULL)) {
881 result = NT_STATUS_NO_MEMORY;
882 goto done;
883 }
884
885 result = NT_STATUS_OK;
886 done:
887 TALLOC_FREE(tmp_ctx);
888 return result;
889 }
890
891 /***************************************************************************
892 Build upon create_token_from_username:
893
894 Expensive helper function to figure out whether a user given its name is
895 member of a particular group.
896 ***************************************************************************/
897
898 BOOL user_in_group_sid(const char *username, const DOM_SID *group_sid)
899 {
900 NTSTATUS status;
901 uid_t uid;
902 gid_t gid;
903 char *found_username;
904 struct nt_user_token *token;
905 BOOL result;
906
907 TALLOC_CTX *mem_ctx;
908
909 mem_ctx = talloc_new(NULL);
910 if (mem_ctx == NULL) {
911 DEBUG(0, ("talloc_new failed\n"));
912 return False;
913 }
914
915 status = create_token_from_username(mem_ctx, username, False,
916 &uid, &gid, &found_username,
917 &token);
918
919 if (!NT_STATUS_IS_OK(status)) {
920 DEBUG(10, ("could not create token for %s\n", username));
921 return False;
922 }
923
924 result = nt_token_check_sid(group_sid, token);
925
926 TALLOC_FREE(mem_ctx);
927 return result;
928
929 }
930
931 BOOL user_in_group(const char *username, const char *groupname)
932 {
933 TALLOC_CTX *mem_ctx;
934 DOM_SID group_sid;
935 BOOL ret;
936
937 mem_ctx = talloc_new(NULL);
938 if (mem_ctx == NULL) {
939 DEBUG(0, ("talloc_new failed\n"));
940 return False;
941 }
942
943 ret = lookup_name(mem_ctx, groupname, LOOKUP_NAME_ALL,
944 NULL, NULL, &group_sid, NULL);
945 TALLOC_FREE(mem_ctx);
946
947 if (!ret) {
948 DEBUG(10, ("lookup_name for (%s) failed.\n", groupname));
949 return False;
950 }
951
952 return user_in_group_sid(username, &group_sid);
953 }
954
955
956 /***************************************************************************
957 Make (and fill) a user_info struct from a 'struct passwd' by conversion
958 to a struct samu
959 ***************************************************************************/
960
961 NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info,
962 char *unix_username,
963 struct passwd *pwd)
964 {
965 NTSTATUS status;
966 struct samu *sampass = NULL;
967 gid_t *gids;
968 char *qualified_name = NULL;
969 TALLOC_CTX *mem_ctx = NULL;
970 DOM_SID u_sid;
971 enum lsa_SidType type;
972 auth_serversupplied_info *result;
973
974 if ( !(sampass = samu_new( NULL )) ) {
975 return NT_STATUS_NO_MEMORY;
976 }
977
978 status = samu_set_unix( sampass, pwd );
979 if (!NT_STATUS_IS_OK(status)) {
980 return status;
981 }
982
983 result = make_server_info(NULL);
984 if (result == NULL) {
985 TALLOC_FREE(sampass);
986 return NT_STATUS_NO_MEMORY;
987 }
988
989 result->sam_account = sampass;
990 result->unix_name = talloc_strdup(result, unix_username);
991 result->uid = pwd->pw_uid;
992 result->gid = pwd->pw_gid;
993
994 status = pdb_enum_group_memberships(result, sampass,
995 &result->sids, &gids,
996 &result->num_sids);
997
998 if (!NT_STATUS_IS_OK(status)) {
999 DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
1000 nt_errstr(status)));
1001 TALLOC_FREE(result);
1002 return status;
1003 }
1004
1005 /*
1006 * The SID returned in server_info->sam_account is based
1007 * on our SAM sid even though for a pure UNIX account this should
1008 * not be the case as it doesn't really exist in the SAM db.
1009 * This causes lookups on "[in]valid users" to fail as they
1010 * will lookup this name as a "Unix User" SID to check against
1011 * the user token. Fix this by adding the "Unix User"\unix_username
1012 * SID to the sid array. The correct fix should probably be
1013 * changing the server_info->sam_account user SID to be a
1014 * S-1-22 Unix SID, but this might break old configs where
1015 * plaintext passwords were used with no SAM backend.
1016 */
1017
1018 mem_ctx = talloc_init("make_server_info_pw_tmp");
1019 if (!mem_ctx) {
1020 TALLOC_FREE(result);
1021 return NT_STATUS_NO_MEMORY;
1022 }
1023
1024 qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
1025 unix_users_domain_name(),
1026 unix_username );
1027 if (!qualified_name) {
1028 TALLOC_FREE(result);
1029 TALLOC_FREE(mem_ctx);
1030 return NT_STATUS_NO_MEMORY;
1031 }
1032
1033 if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
1034 NULL, NULL,
1035 &u_sid, &type)) {
1036 TALLOC_FREE(result);
1037 TALLOC_FREE(mem_ctx);
1038 return NT_STATUS_NO_SUCH_USER;
1039 }
1040
1041 TALLOC_FREE(mem_ctx);
1042
1043 if (type != SID_NAME_USER) {
1044 TALLOC_FREE(result);
1045 return NT_STATUS_NO_SUCH_USER;
1046 }
1047
1048 if (!add_sid_to_array_unique(result, &u_sid,
1049 &result->sids,
1050 &result->num_sids)) {
1051 TALLOC_FREE(result);
1052 return NT_STATUS_NO_MEMORY;
1053 }
1054
1055 /* For now we throw away the gids and convert via sid_to_gid
1056 * later. This needs fixing, but I'd like to get the code straight and
1057 * simple first. */
1058 TALLOC_FREE(gids);
1059
1060 *server_info = result;
1061
1062 return NT_STATUS_OK;
1063 }
1064
1065 /***************************************************************************
1066 Make (and fill) a user_info struct for a guest login.
1067 This *must* succeed for smbd to start. If there is no mapping entry for
1068 the guest gid, then create one.
1069 ***************************************************************************/
1070
1071 static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_info)
1072 {
1073 NTSTATUS status;
1074 struct samu *sampass = NULL;
1075 DOM_SID guest_sid;
1076 BOOL ret;
1077 static const char zeros[16] = { 0, };
1078
1079 if ( !(sampass = samu_new( NULL )) ) {
1080 return NT_STATUS_NO_MEMORY;
1081 }
1082
1083 sid_copy(&guest_sid, get_global_sam_sid());
1084 sid_append_rid(&guest_sid, DOMAIN_USER_RID_GUEST);
1085
1086 become_root();
1087 ret = pdb_getsampwsid(sampass, &guest_sid);
1088 unbecome_root();
1089
1090 if (!ret) {
1091 TALLOC_FREE(sampass);
1092 return NT_STATUS_NO_SUCH_USER;
1093 }
1094
1095 status = make_server_info_sam(server_info, sampass);
1096 if (!NT_STATUS_IS_OK(status)) {
1097 TALLOC_FREE(sampass);
1098 return status;
1099 }
1100
1101 (*server_info)->guest = True;
1102
1103 status = create_local_token(*server_info);
1104 if (!NT_STATUS_IS_OK(status)) {
1105 DEBUG(10, ("create_local_token failed: %s\n",
1106 nt_errstr(status)));
1107 return status;
1108 }
1109
1110 /* annoying, but the Guest really does have a session key, and it is
1111 all zeros! */
1112 (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));
1113 (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
1114
1115 return NT_STATUS_OK;
1116 }
1117
1118 static auth_serversupplied_info *copy_serverinfo(auth_serversupplied_info *src)
1119 {
1120 auth_serversupplied_info *dst;
1121
1122 dst = make_server_info(NULL);
1123 if (dst == NULL) {
1124 return NULL;
1125 }
1126
1127 dst->guest = src->guest;
1128 dst->uid = src->uid;
1129 dst->gid = src->gid;
1130 dst->n_groups = src->n_groups;
1131 if (src->n_groups != 0) {
1132 dst->groups = (gid_t *)TALLOC_MEMDUP(
1133 dst, src->groups, sizeof(gid_t)*dst->n_groups);
1134 } else {
1135 dst->groups = NULL;
1136 }
1137
1138 if (src->ptok) {
1139 dst->ptok = dup_nt_token(dst, src->ptok);
1140 if (!dst->ptok) {
1141 TALLOC_FREE(dst);
1142 return NULL;
1143 }
1144 }
1145
1146 dst->user_session_key = data_blob_talloc( dst, src->user_session_key.data,
1147 src->user_session_key.length);
1148
1149 dst->lm_session_key = data_blob_talloc(dst, src->lm_session_key.data,
1150 src->lm_session_key.length);
1151
1152 dst->sam_account = samu_new(NULL);
1153 if (!dst->sam_account) {
1154 TALLOC_FREE(dst);
1155 return NULL;
1156 }
1157
1158 if (!pdb_copy_sam_account(dst->sam_account, src->sam_account)) {
1159 TALLOC_FREE(dst);
1160 return NULL;
1161 }
1162
1163 dst->pam_handle = NULL;
1164 dst->unix_name = talloc_strdup(dst, src->unix_name);
1165 if (!dst->unix_name) {
1166 TALLOC_FREE(dst);
1167 return NULL;
1168 }
1169
1170 return dst;
1171 }
1172
1173 static auth_serversupplied_info *guest_info = NULL;
1174
1175 BOOL init_guest_info(void)
1176 {
1177 if (guest_info != NULL)
1178 return True;
1179
1180 return NT_STATUS_IS_OK(make_new_server_info_guest(&guest_info));
1181 }
1182
1183 NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info)
1184 {
1185 *server_info = copy_serverinfo(guest_info);
1186 return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1187 }
1188
1189 BOOL copy_current_user(struct current_user *dst, struct current_user *src)
1190 {
1191 gid_t *groups;
1192 NT_USER_TOKEN *nt_token;
1193
1194 groups = (gid_t *)memdup(src->ut.groups,
1195 sizeof(gid_t) * src->ut.ngroups);
1196 if ((src->ut.ngroups != 0) && (groups == NULL)) {
1197 return False;
1198 }
1199
1200 nt_token = dup_nt_token(NULL, src->nt_user_token);
1201 if (nt_token == NULL) {
1202 SAFE_FREE(groups);
1203 return False;
1204 }
1205
1206 dst->conn = src->conn;
1207 dst->vuid = src->vuid;
1208 dst->ut.uid = src->ut.uid;
1209 dst->ut.gid = src->ut.gid;
1210 dst->ut.ngroups = src->ut.ngroups;
1211 dst->ut.groups = groups;
1212 dst->nt_user_token = nt_token;
1213 return True;
1214 }
1215
1216 BOOL set_current_user_guest(struct current_user *dst)
1217 {
1218 gid_t *groups;
1219 NT_USER_TOKEN *nt_token;
1220
1221 groups = (gid_t *)memdup(guest_info->groups,
1222 sizeof(gid_t) * guest_info->n_groups);
1223 if (groups == NULL) {
1224 return False;
1225 }
1226
1227 nt_token = dup_nt_token(NULL, guest_info->ptok);
1228 if (nt_token == NULL) {
1229 SAFE_FREE(groups);
1230 return False;
1231 }
1232
1233 TALLOC_FREE(dst->nt_user_token);
1234 SAFE_FREE(dst->ut.groups);
1235
1236 /* dst->conn is never really dereferenced, it's only tested for
1237 * equality in uid.c */
1238 dst->conn = NULL;
1239
1240 dst->vuid = UID_FIELD_INVALID;
1241 dst->ut.uid = guest_info->uid;
1242 dst->ut.gid = guest_info->gid;
1243 dst->ut.ngroups = guest_info->n_groups;
1244 dst->ut.groups = groups;
1245 dst->nt_user_token = nt_token;
1246 return True;
1247 }
1248
1249 /***************************************************************************
1250 Purely internal function for make_server_info_info3
1251 Fill the sam account from getpwnam
1252 ***************************************************************************/
1253 static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx,
1254 const char *domain,
1255 const char *username,
1256 char **found_username,
1257 uid_t *uid, gid_t *gid,
1258 struct samu *account,
1259 BOOL *username_was_mapped)
1260 {
1261 NTSTATUS nt_status;
1262 fstring dom_user, lower_username;
1263 fstring real_username;
1264 struct passwd *passwd;
1265
1266 fstrcpy( lower_username, username );
1267 strlower_m( lower_username );
1268
1269 fstr_sprintf(dom_user, "%s%c%s", domain, *lp_winbind_separator(),
1270 lower_username);
1271
1272 /* Get the passwd struct. Try to create the account is necessary. */
1273
1274 *username_was_mapped = map_username( dom_user );
1275
1276 if ( !(passwd = smb_getpwnam( NULL, dom_user, real_username, True )) )
1277 return NT_STATUS_NO_SUCH_USER;
1278
1279 *uid = passwd->pw_uid;
1280 *gid = passwd->pw_gid;
1281
1282 /* This is pointless -- there is no suport for differing
1283 unix and windows names. Make sure to always store the
1284 one we actually looked up and succeeded. Have I mentioned
1285 why I hate the 'winbind use default domain' parameter?
1286 --jerry */
1287
1288 *found_username = talloc_strdup( mem_ctx, real_username );
1289
1290 DEBUG(5,("fill_sam_account: located username was [%s]\n", *found_username));
1291
1292 nt_status = samu_set_unix( account, passwd );
1293
1294 TALLOC_FREE(passwd);
1295
1296 return nt_status;
1297 }
1298
1299 /****************************************************************************
1300 Wrapper to allow the getpwnam() call to strip the domain name and
1301 try again in case a local UNIX user is already there. Also run through
1302 the username if we fallback to the username only.
1303 ****************************************************************************/
1304
1305 struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, char *domuser,
1306 fstring save_username, BOOL create )
1307 {
1308 struct passwd *pw = NULL;
1309 char *p;
1310 fstring username;
1311
1312 /* we only save a copy of the username it has been mangled
1313 by winbindd use default domain */
1314
1315 save_username[0] = '\0';
1316
1317 /* don't call map_username() here since it has to be done higher
1318 up the stack so we don't call it mutliple times */
1319
1320 fstrcpy( username, domuser );
1321
1322 p = strchr_m( username, *lp_winbind_separator() );
1323
1324 /* code for a DOMAIN\user string */
1325
1326 if ( p ) {
1327 fstring strip_username;
1328
1329 pw = Get_Pwnam_alloc( mem_ctx, domuser );
1330 if ( pw ) {
1331 /* make sure we get the case of the username correct */
1332 /* work around 'winbind use default domain = yes' */
1333
1334 if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
1335 char *domain;
1336
1337 /* split the domain and username into 2 strings */
1338 *p = '\0';
1339 domain = username;
1340
1341 fstr_sprintf(save_username, "%s%c%s", domain, *lp_winbind_separator(), pw->pw_name);
1342 }
1343 else
1344 fstrcpy( save_username, pw->pw_name );
1345
1346 /* whew -- done! */
1347 return pw;
1348 }
1349
1350 /* setup for lookup of just the username */
1351 /* remember that p and username are overlapping memory */
1352
1353 p++;
1354 fstrcpy( strip_username, p );
1355 fstrcpy( username, strip_username );
1356 }
1357
1358 /* just lookup a plain username */
1359
1360 pw = Get_Pwnam_alloc(mem_ctx, username);
1361
1362 /* Create local user if requested but only if winbindd
1363 is not running. We need to protect against cases
1364 where winbindd is failing and then prematurely
1365 creating users in /etc/passwd */
1366
1367 if ( !pw && create && !winbind_ping() ) {
1368 /* Don't add a machine account. */
1369 if (username[strlen(username)-1] == '$')
1370 return NULL;
1371
1372 smb_create_user(NULL, username, NULL);
1373 pw = Get_Pwnam_alloc(mem_ctx, username);
1374 }
1375
1376 /* one last check for a valid passwd struct */
1377
1378 if ( pw )
1379 fstrcpy( save_username, pw->pw_name );
1380
1381 return pw;
1382 }
1383
1384 /***************************************************************************
1385 Make a server_info struct from the info3 returned by a domain logon
1386 ***************************************************************************/
1387
1388 NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
1389 const char *sent_nt_username,
1390 const char *domain,
1391 auth_serversupplied_info **server_info,
1392 NET_USER_INFO_3 *info3)
1393 {
1394 static const char zeros[16] = { 0, };
1395
1396 NTSTATUS nt_status = NT_STATUS_OK;
1397 char *found_username;
1398 const char *nt_domain;
1399 const char *nt_username;
1400 struct samu *sam_account = NULL;
1401 DOM_SID user_sid;
1402 DOM_SID group_sid;
1403 BOOL username_was_mapped;
1404
1405 uid_t uid;
1406 gid_t gid;
1407
1408 auth_serversupplied_info *result;
1409
1410 /*
1411 Here is where we should check the list of
1412 trusted domains, and verify that the SID
1413 matches.
1414 */
1415
1416 sid_copy(&user_sid, &info3->dom_sid.sid);
1417 if (!sid_append_rid(&user_sid, info3->user_rid)) {
1418 return NT_STATUS_INVALID_PARAMETER;
1419 }
1420
1421 sid_copy(&group_sid, &info3->dom_sid.sid);
1422 if (!sid_append_rid(&group_sid, info3->group_rid)) {
1423 return NT_STATUS_INVALID_PARAMETER;
1424 }
1425
1426 if (!(nt_username = unistr2_tdup(mem_ctx, &(info3->uni_user_name)))) {
1427 /* If the server didn't give us one, just use the one we sent
1428 * them */
1429 nt_username = sent_nt_username;
1430 }
1431
1432 if (!(nt_domain = unistr2_tdup(mem_ctx, &(info3->uni_logon_dom)))) {
1433 /* If the server didn't give us one, just use the one we sent
1434 * them */
1435 nt_domain = domain;
1436 }
1437
1438 /* try to fill the SAM account.. If getpwnam() fails, then try the
1439 add user script (2.2.x behavior).
1440
1441 We use the _unmapped_ username here in an attempt to provide
1442 consistent username mapping behavior between kerberos and NTLM[SSP]
1443 authentication in domain mode security. I.E. Username mapping
1444 should be applied to the fully qualified username
1445 (e.g. DOMAIN\user) and not just the login name. Yes this means we
1446 called map_username() unnecessarily in make_user_info_map() but
1447 that is how the current code is designed. Making the change here
1448 is the least disruptive place. -- jerry */
1449
1450 if ( !(sam_account = samu_new( NULL )) ) {
1451 return NT_STATUS_NO_MEMORY;
1452 }
1453
1454 /* this call will try to create the user if necessary */
1455
1456 nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username,
1457 &found_username, &uid, &gid, sam_account,
1458 &username_was_mapped);
1459
1460
1461 /* if we still don't have a valid unix account check for
1462 'map to guest = bad uid' */
1463
1464 if (!NT_STATUS_IS_OK(nt_status)) {
1465 TALLOC_FREE( sam_account );
1466 if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) {
1467 make_server_info_guest(server_info);
1468 return NT_STATUS_OK;
1469 }
1470 return nt_status;
1471 }
1472
1473 if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) {
1474 TALLOC_FREE(sam_account);
1475 return NT_STATUS_NO_MEMORY;
1476 }
1477
1478 if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) {
1479 TALLOC_FREE(sam_account);
1480 return NT_STATUS_NO_MEMORY;
1481 }
1482
1483 if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) {
1484 TALLOC_FREE(sam_account);
1485 return NT_STATUS_NO_MEMORY;
1486 }
1487
1488 if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) {
1489 TALLOC_FREE(sam_account);
1490 return NT_STATUS_UNSUCCESSFUL;
1491 }
1492
1493 if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) {
1494 TALLOC_FREE(sam_account);
1495 return NT_STATUS_UNSUCCESSFUL;
1496 }
1497
1498 if (!pdb_set_fullname(sam_account,
1499 unistr2_static(&(info3->uni_full_name)),
1500 PDB_CHANGED)) {
1501 TALLOC_FREE(sam_account);
1502 return NT_STATUS_NO_MEMORY;
1503 }
1504
1505 if (!pdb_set_logon_script(sam_account,
1506 unistr2_static(&(info3->uni_logon_script)),
1507 PDB_CHANGED)) {
1508 TALLOC_FREE(sam_account);
1509 return NT_STATUS_NO_MEMORY;
1510 }
1511
1512 if (!pdb_set_profile_path(sam_account,
1513 unistr2_static(&(info3->uni_profile_path)),
1514 PDB_CHANGED)) {
1515 TALLOC_FREE(sam_account);
1516 return NT_STATUS_NO_MEMORY;
1517 }
1518
1519 if (!pdb_set_homedir(sam_account,
1520 unistr2_static(&(info3->uni_home_dir)),
1521 PDB_CHANGED)) {
1522 TALLOC_FREE(sam_account);
1523 return NT_STATUS_NO_MEMORY;
1524 }
1525
1526 if (!pdb_set_dir_drive(sam_account,
1527 unistr2_static(&(info3->uni_dir_drive)),
1528 PDB_CHANGED)) {
1529 TALLOC_FREE(sam_account);
1530 return NT_STATUS_NO_MEMORY;
1531 }
1532
1533 if (!pdb_set_acct_ctrl(sam_account, info3->acct_flags, PDB_CHANGED)) {
1534 TALLOC_FREE(sam_account);
1535 return NT_STATUS_NO_MEMORY;
1536 }
1537
1538 if (!pdb_set_pass_last_set_time(
1539 sam_account,
1540 nt_time_to_unix(info3->pass_last_set_time),
1541 PDB_CHANGED)) {
1542 TALLOC_FREE(sam_account);
1543 return NT_STATUS_NO_MEMORY;
1544 }
1545
1546 if (!pdb_set_pass_can_change_time(
1547 sam_account,
1548 nt_time_to_unix(info3->pass_can_change_time),
1549 PDB_CHANGED)) {
1550 TALLOC_FREE(sam_account);
1551 return NT_STATUS_NO_MEMORY;
1552 }
1553
1554 if (!pdb_set_pass_must_change_time(
1555 sam_account,
1556 nt_time_to_unix(info3->pass_must_change_time),
1557 PDB_CHANGED)) {
1558 TALLOC_FREE(sam_account);
1559 return NT_STATUS_NO_MEMORY;
1560 }
1561
1562 result = make_server_info(NULL);
1563 if (result == NULL) {
1564 DEBUG(4, ("make_server_info failed!\n"));
1565 TALLOC_FREE(sam_account);
1566 return NT_STATUS_NO_MEMORY;
1567 }
1568
1569 /* save this here to _net_sam_logon() doesn't fail (it assumes a
1570 valid struct samu) */
1571
1572 result->sam_account = sam_account;
1573 result->unix_name = talloc_strdup(result, found_username);
1574
1575 /* Fill in the unix info we found on the way */
1576
1577 result->uid = uid;
1578 result->gid = gid;
1579
1580 /* Create a 'combined' list of all SIDs we might want in the SD */
1581
1582 result->num_sids = 0;
1583 result->sids = NULL;
1584
1585 nt_status = sid_array_from_info3(result, info3,
1586 &result->sids,
1587 &result->num_sids,
1588 False);
1589 if (!NT_STATUS_IS_OK(nt_status)) {
1590 TALLOC_FREE(result);
1591 return nt_status;
1592 }
1593
1594 result->login_server = unistr2_tdup(result,
1595 &(info3->uni_logon_srv));
1596
1597 /* ensure we are never given NULL session keys */
1598
1599 if (memcmp(info3->user_sess_key, zeros, sizeof(zeros)) == 0) {
1600 result->user_session_key = data_blob_null;
1601 } else {
1602 result->user_session_key = data_blob_talloc(
1603 result, info3->user_sess_key,
1604 sizeof(info3->user_sess_key));
1605 }
1606
1607 if (memcmp(info3->lm_sess_key, zeros, 8) == 0) {
1608 result->lm_session_key = data_blob_null;
1609 } else {
1610 result->lm_session_key = data_blob_talloc(
1611 result, info3->lm_sess_key,
1612 sizeof(info3->lm_sess_key));
1613 }
1614
1615 result->was_mapped = username_was_mapped;
1616
1617 *server_info = result;
1618
1619 return NT_STATUS_OK;
1620 }
1621
1622 /***************************************************************************
1623 Free a user_info struct
1624 ***************************************************************************/
1625
1626 void free_user_info(auth_usersupplied_info **user_info)
1627 {
1628 DEBUG(5,("attempting to free (and zero) a user_info structure\n"));
1629 if (*user_info != NULL) {
1630 if ((*user_info)->smb_name) {
1631 DEBUG(10,("structure was created for %s\n",
1632 (*user_info)->smb_name));
1633 }
1634 SAFE_FREE((*user_info)->smb_name);
1635 SAFE_FREE((*user_info)->internal_username);
1636 SAFE_FREE((*user_info)->client_domain);
1637 SAFE_FREE((*user_info)->domain);
1638 SAFE_FREE((*user_info)->wksta_name);
1639 data_blob_free(&(*user_info)->lm_resp);
1640 data_blob_free(&(*user_info)->nt_resp);
1641 data_blob_clear_free(&(*user_info)->lm_interactive_pwd);
1642 data_blob_clear_free(&(*user_info)->nt_interactive_pwd);
1643 data_blob_clear_free(&(*user_info)->plaintext_password);
1644 ZERO_STRUCT(**user_info);
1645 }
1646 SAFE_FREE(*user_info);
1647 }
1648
1649 /***************************************************************************
1650 Make an auth_methods struct
1651 ***************************************************************************/
1652
1653 BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_method)
1654 {
1655 if (!auth_context) {
1656 smb_panic("no auth_context supplied to "
1657 "make_auth_methods()!\n");
1658 }
1659
1660 if (!auth_method) {
1661 smb_panic("make_auth_methods: pointer to auth_method pointer "
1662 "is NULL!\n");
1663 }
1664
1665 *auth_method = TALLOC_P(auth_context->mem_ctx, auth_methods);
1666 if (!*auth_method) {
1667 DEBUG(0,("make_auth_method: malloc failed!\n"));
1668 return False;
1669 }
1670 ZERO_STRUCTP(*auth_method);
1671
1672 return True;
1673 }
1674
1675 /**
1676 * Verify whether or not given domain is trusted.
1677 *
1678 * @param domain_name name of the domain to be verified
1679 * @return true if domain is one of the trusted once or
1680 * false if otherwise
1681 **/
1682
1683 BOOL is_trusted_domain(const char* dom_name)
1684 {
1685 DOM_SID trustdom_sid;
1686 BOOL ret;
1687
1688 /* no trusted domains for a standalone server */
1689
1690 if ( lp_server_role() == ROLE_STANDALONE )
1691 return False;
1692
1693 /* if we are a DC, then check for a direct trust relationships */
1694
1695 if ( IS_DC ) {
1696 become_root();
1697 DEBUG (5,("is_trusted_domain: Checking for domain trust with "
1698 "[%s]\n", dom_name ));
1699 ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
1700 unbecome_root();
1701 if (ret)
1702 return True;
1703 }
1704 else {
1705 NSS_STATUS result;
1706
1707 /* If winbind is around, ask it */
1708
1709 result = wb_is_trusted_domain(dom_name);
1710
1711 if (result == NSS_STATUS_SUCCESS) {
1712 return True;
1713 }
1714
1715 if (result == NSS_STATUS_NOTFOUND) {
1716 /* winbind could not find the domain */
1717 return False;
1718 }
1719
1720 /* The only other possible result is that winbind is not up
1721 and running. We need to update the trustdom_cache
1722 ourselves */
1723
1724 update_trustdom_cache();
1725 }
1726
1727 /* now the trustdom cache should be available a DC could still
1728 * have a transitive trust so fall back to the cache of trusted
1729 * domains (like a domain member would use */
1730
1731 if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) {
1732 return True;
1733 }
1734
1735 return False;
1736 }
1737
Samba GIT mirror