2 Unix SMB/CIFS implementation.
4 Winbind client authentication mechanism designed to defer all
5 authentication to the winbind daemon.
7 Copyright (C) Tim Potter 2000
8 Copyright (C) Andrew Bartlett 2001 - 2002
9 Copyright (C) Dan Sledz 2009
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 /* This auth module is very similar to auth_winbind with 3 distinct
28 * 1) Does not fallback to another auth module if winbindd is unavailable
29 * 2) Does not validate the domain of the user
30 * 3) Handles unencrypted passwords
32 * The purpose of this module is to defer all authentication decisions (ie:
33 * local user vs NIS vs LDAP vs AD; encrypted vs plaintext) to the wbc
34 * compatible daemon. This centeralizes all authentication decisions to a
37 * This auth backend is most useful when used in conjunction with pdb_wbc_sam.
43 #define DBGC_CLASS DBGC_AUTH
45 /* Authenticate a user with a challenge/response */
47 static NTSTATUS
check_wbc_security(const struct auth_context
*auth_context
,
48 void *my_private_data
,
50 const struct auth_usersupplied_info
*user_info
,
51 struct auth_serversupplied_info
**server_info
)
55 struct wbcAuthUserParams params
;
56 struct wbcAuthUserInfo
*info
= NULL
;
57 struct wbcAuthErrorInfo
*err
= NULL
;
59 if (!user_info
|| !auth_context
|| !server_info
) {
60 return NT_STATUS_INVALID_PARAMETER
;
62 /* Send off request */
64 DEBUG(10, ("Check auth for: [%s]", user_info
->internal_username
));
66 params
.account_name
= user_info
->smb_name
;
67 params
.domain_name
= user_info
->domain
;
68 params
.workstation_name
= user_info
->workstation_name
;
71 params
.parameter_control
= user_info
->logon_parameters
;
73 /* Handle plaintext */
74 if (!user_info
->encrypted
) {
75 DEBUG(3,("Checking plaintext password for %s.\n",
76 user_info
->internal_username
));
77 params
.level
= WBC_AUTH_USER_LEVEL_PLAIN
;
79 params
.password
.plaintext
= (char *)user_info
->plaintext_password
.data
;
81 DEBUG(3,("Checking encrypted password for %s.\n",
82 user_info
->internal_username
));
83 params
.level
= WBC_AUTH_USER_LEVEL_RESPONSE
;
85 memcpy(params
.password
.response
.challenge
,
86 auth_context
->challenge
.data
,
87 sizeof(params
.password
.response
.challenge
));
89 params
.password
.response
.nt_length
= user_info
->nt_resp
.length
;
90 params
.password
.response
.nt_data
= user_info
->nt_resp
.data
;
91 params
.password
.response
.lm_length
= user_info
->lm_resp
.length
;
92 params
.password
.response
.lm_data
= user_info
->lm_resp
.data
;
96 /* we are contacting the privileged pipe */
98 wbc_status
= wbcAuthenticateUserEx(¶ms
, &info
, &err
);
101 if (!WBC_ERROR_IS_OK(wbc_status
)) {
102 DEBUG(10,("wbcAuthenticateUserEx failed (%d): %s\n",
103 wbc_status
, wbcErrorString(wbc_status
)));
106 if (wbc_status
== WBC_ERR_NO_MEMORY
) {
107 return NT_STATUS_NO_MEMORY
;
110 if (wbc_status
== WBC_ERR_AUTH_ERROR
) {
111 nt_status
= NT_STATUS(err
->nt_status
);
116 if (!WBC_ERROR_IS_OK(wbc_status
)) {
117 return NT_STATUS_LOGON_FAILURE
;
120 DEBUG(10,("wbcAuthenticateUserEx succeeded\n"));
122 nt_status
= make_server_info_wbcAuthUserInfo(mem_ctx
,
127 if (!NT_STATUS_IS_OK(nt_status
)) {
131 (*server_info
)->nss_token
|= user_info
->was_mapped
;
136 /* module initialisation */
137 static NTSTATUS
auth_init_wbc(struct auth_context
*auth_context
, const char *param
, auth_methods
**auth_method
)
139 struct auth_methods
*result
;
141 result
= TALLOC_ZERO_P(auth_context
, struct auth_methods
);
142 if (result
== NULL
) {
143 return NT_STATUS_NO_MEMORY
;
145 result
->name
= "wbc";
146 result
->auth
= check_wbc_security
;
148 *auth_method
= result
;
152 NTSTATUS
auth_wbc_init(void)
154 return smb_register_auth(AUTH_INTERFACE_VERSION
, "wbc", auth_init_wbc
);