2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Simo Sorce 2010
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "librpc/gen_ndr/krb5pac.h"
23 #include "nsswitch/libwbclient/wbclient.h"
25 #include "lib/param/loadparm.h"
28 #define DBGC_CLASS DBGC_AUTH
31 NTSTATUS
get_user_from_kerberos_info(TALLOC_CTX
*mem_ctx
,
33 const char *princ_name
,
34 struct PAC_LOGON_INFO
*logon_info
,
36 bool *mapped_to_guest
,
48 char *unixuser
= NULL
;
49 struct passwd
*pw
= NULL
;
51 DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name
));
53 p
= strchr_m(princ_name
, '@');
55 DEBUG(3, ("[%s] Doesn't look like a valid principal\n",
57 return NT_STATUS_LOGON_FAILURE
;
60 user
= talloc_strndup(mem_ctx
, princ_name
, p
- princ_name
);
62 return NT_STATUS_NO_MEMORY
;
65 realm
= talloc_strdup(talloc_tos(), p
+ 1);
67 return NT_STATUS_NO_MEMORY
;
70 if (!strequal(realm
, lp_realm())) {
71 DEBUG(3, ("Ticket for foreign realm %s@%s\n", user
, realm
));
72 if (!lp_allow_trusted_domains()) {
73 return NT_STATUS_LOGON_FAILURE
;
77 if (logon_info
&& logon_info
->info3
.base
.logon_domain
.string
) {
78 domain
= talloc_strdup(mem_ctx
,
79 logon_info
->info3
.base
.logon_domain
.string
);
81 return NT_STATUS_NO_MEMORY
;
83 DEBUG(10, ("Domain is [%s] (using PAC)\n", domain
));
86 /* If we have winbind running, we can (and must) shorten the
87 username by using the short netbios name. Otherwise we will
88 have inconsistent user names. With Kerberos, we get the
89 fully qualified realm, with ntlmssp we get the short
90 name. And even w2k3 does use ntlmssp if you for example
91 connect to an ip address. */
94 struct wbcDomainInfo
*info
= NULL
;
96 DEBUG(10, ("Mapping [%s] to short name using winbindd\n",
99 wbc_status
= wbcDomainInfo(realm
, &info
);
101 if (WBC_ERROR_IS_OK(wbc_status
)) {
102 domain
= talloc_strdup(mem_ctx
,
106 DEBUG(3, ("Could not find short name: %s\n",
107 wbcErrorString(wbc_status
)));
108 domain
= talloc_strdup(mem_ctx
, realm
);
111 return NT_STATUS_NO_MEMORY
;
113 DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain
));
116 fuser
= talloc_asprintf(mem_ctx
,
119 *lp_winbind_separator(),
122 return NT_STATUS_NO_MEMORY
;
125 *is_mapped
= map_username(mem_ctx
, fuser
, &fuser
);
127 return NT_STATUS_NO_MEMORY
;
129 *mapped_to_guest
= false;
131 pw
= smb_getpwnam(mem_ctx
, fuser
, &unixuser
, true);
134 return NT_STATUS_NO_MEMORY
;
136 /* if a real user check pam account restrictions */
137 /* only really performed if "obey pam restriction" is true */
138 /* do this before an eventual mapping to guest occurs */
139 status
= smb_pam_accountcheck(pw
->pw_name
, cli_name
);
140 if (!NT_STATUS_IS_OK(status
)) {
141 DEBUG(1, ("PAM account restrictions prevent user "
142 "[%s] login\n", unixuser
));
148 /* this was originally the behavior of Samba 2.2, if a user
149 did not have a local uid but has been authenticated, then
150 map them to a guest account */
152 if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID
) {
153 *mapped_to_guest
= true;
154 fuser
= talloc_strdup(mem_ctx
, lp_guest_account());
156 return NT_STATUS_NO_MEMORY
;
158 pw
= smb_getpwnam(mem_ctx
, fuser
, &unixuser
, true);
161 /* extra sanity check that the guest account is valid */
163 DBG_NOTICE("Username %s is invalid on this system\n",
165 return NT_STATUS_LOGON_FAILURE
;
170 return NT_STATUS_NO_MEMORY
;
173 *username
= talloc_strdup(mem_ctx
, unixuser
);
175 return NT_STATUS_NO_MEMORY
;
184 NTSTATUS
make_session_info_krb5(TALLOC_CTX
*mem_ctx
,
189 const struct netr_SamInfo3
*info3
,
190 bool mapped_to_guest
, bool username_was_mapped
,
191 DATA_BLOB
*session_key
,
192 struct auth_session_info
**session_info
)
195 struct auth_serversupplied_info
*server_info
;
197 if (mapped_to_guest
) {
198 status
= make_server_info_guest(mem_ctx
, &server_info
);
199 if (!NT_STATUS_IS_OK(status
)) {
200 DEBUG(1, ("make_server_info_guest failed: %s!\n",
206 /* pass the unmapped username here since map_username()
207 will be called again in make_server_info_info3() */
209 status
= make_server_info_info3(mem_ctx
,
213 if (!NT_STATUS_IS_OK(status
)) {
214 DEBUG(1, ("make_server_info_info3 failed: %s!\n",
221 * We didn't get a PAC, we have to make up the user
222 * ourselves. Try to ask the pdb backend to provide
223 * SID consistency with ntlmssp session setup
225 struct samu
*sampass
;
227 sampass
= samu_new(talloc_tos());
228 if (sampass
== NULL
) {
229 return NT_STATUS_NO_MEMORY
;
232 if (pdb_getsampwnam(sampass
, username
)) {
233 DEBUG(10, ("found user %s in passdb, calling "
234 "make_server_info_sam\n", username
));
235 status
= make_server_info_sam(mem_ctx
,
240 * User not in passdb, make it up artificially
242 DEBUG(10, ("didn't find user %s in passdb, calling "
243 "make_server_info_pw\n", username
));
244 status
= make_server_info_pw(mem_ctx
,
250 TALLOC_FREE(sampass
);
252 if (!NT_STATUS_IS_OK(status
)) {
253 DEBUG(1, ("make_server_info_[sam|pw] failed: %s!\n",
258 /* make_server_info_pw does not set the domain. Without this
259 * we end up with the local netbios name in substitutions for
262 if (server_info
->info3
!= NULL
) {
263 server_info
->info3
->base
.logon_domain
.string
=
264 talloc_strdup(server_info
->info3
, ntdomain
);
268 server_info
->nss_token
|= username_was_mapped
;
270 status
= create_local_token(mem_ctx
, server_info
, session_key
, ntuser
, session_info
);
271 talloc_free(server_info
);
272 if (!NT_STATUS_IS_OK(status
)) {
273 DEBUG(10,("failed to create local token: %s\n",
281 #else /* HAVE_KRB5 */
282 NTSTATUS
get_user_from_kerberos_info(TALLOC_CTX
*mem_ctx
,
283 const char *cli_name
,
284 const char *princ_name
,
285 struct PAC_LOGON_INFO
*logon_info
,
287 bool *mapped_to_guest
,
293 return NT_STATUS_NOT_IMPLEMENTED
;
296 NTSTATUS
make_session_info_krb5(TALLOC_CTX
*mem_ctx
,
301 const struct netr_SamInfo3
*info3
,
302 bool mapped_to_guest
, bool username_was_mapped
,
303 DATA_BLOB
*session_key
,
304 struct auth_session_info
**session_info
)
306 return NT_STATUS_NOT_IMPLEMENTED
;
309 #endif /* HAVE_KRB5 */