search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:auth check the user is valid first
[Samba.git] / source3 / auth / auth_util.c
blobf937a9bb6084556c5981473f1b3a163c9b297787
1 /*
2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Volker Lendecke 2006
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "smbd/globals.h"
26 #include "../libcli/auth/libcli_auth.h"
27 #include "../lib/crypto/arcfour.h"
28
29 #undef DBGC_CLASS
30 #define DBGC_CLASS DBGC_AUTH
31
32 /****************************************************************************
33 Ensure primary group SID is always at position 0 in a
34 auth_serversupplied_info struct.
35 ****************************************************************************/
36
37 static void sort_sid_array_for_smbd(struct auth_serversupplied_info *result,
38 const struct dom_sid *pgroup_sid)
39 {
40 unsigned int i;
41
42 if (!result->sids) {
43 return;
44 }
45
46 if (sid_compare(&result->sids[0], pgroup_sid)==0) {
47 return;
48 }
49
50 for (i = 1; i < result->num_sids; i++) {
51 if (sid_compare(pgroup_sid,
52 &result->sids[i]) == 0) {
53 sid_copy(&result->sids[i], &result->sids[0]);
54 sid_copy(&result->sids[0], pgroup_sid);
55 return;
56 }
57 }
58 }
59
60 /****************************************************************************
61 Create a UNIX user on demand.
62 ****************************************************************************/
63
64 static int _smb_create_user(const char *domain, const char *unix_username, const char *homedir)
65 {
66 TALLOC_CTX *ctx = talloc_tos();
67 char *add_script;
68 int ret;
69
70 add_script = talloc_strdup(ctx, lp_adduser_script());
71 if (!add_script || !*add_script) {
72 return -1;
73 }
74 add_script = talloc_all_string_sub(ctx,
75 add_script,
76 "%u",
77 unix_username);
78 if (!add_script) {
79 return -1;
80 }
81 if (domain) {
82 add_script = talloc_all_string_sub(ctx,
83 add_script,
84 "%D",
85 domain);
86 if (!add_script) {
87 return -1;
88 }
89 }
90 if (homedir) {
91 add_script = talloc_all_string_sub(ctx,
92 add_script,
93 "%H",
94 homedir);
95 if (!add_script) {
96 return -1;
97 }
98 }
99 ret = smbrun(add_script,NULL);
100 flush_pwnam_cache();
101 DEBUG(ret ? 0 : 3,
102 ("smb_create_user: Running the command `%s' gave %d\n",
103 add_script,ret));
104 return ret;
105 }
106
107 /****************************************************************************
108 Create an auth_usersupplied_data structure after appropriate mapping.
109 ****************************************************************************/
110
111 NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info,
112 const char *smb_name,
113 const char *client_domain,
114 const char *workstation_name,
115 DATA_BLOB *lm_pwd,
116 DATA_BLOB *nt_pwd,
117 DATA_BLOB *lm_interactive_pwd,
118 DATA_BLOB *nt_interactive_pwd,
119 DATA_BLOB *plaintext,
120 bool encrypted)
121 {
122 const char *domain;
123 NTSTATUS result;
124 bool was_mapped;
125 fstring internal_username;
126 fstrcpy(internal_username, smb_name);
127 was_mapped = map_username(internal_username);
128
129 DEBUG(5, ("Mapping user [%s]\\[%s] from workstation [%s]\n",
130 client_domain, smb_name, workstation_name));
131
132 domain = client_domain;
133
134 /* If you connect to a Windows domain member using a bogus domain name,
135 * the Windows box will map the BOGUS\user to SAMNAME\user. Thus, if
136 * the Windows box is a DC the name will become DOMAIN\user and be
137 * authenticated against AD, if the Windows box is a member server but
138 * not a DC the name will become WORKSTATION\user. A standalone
139 * non-domain member box will also map to WORKSTATION\user.
140 * This also deals with the client passing in a "" domain */
141
142 if (!is_trusted_domain(domain) &&
143 !strequal(domain, my_sam_name()))
144 {
145 if (lp_map_untrusted_to_domain())
146 domain = my_sam_name();
147 else
148 domain = get_global_sam_name();
149 DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] from "
150 "workstation [%s]\n",
151 client_domain, domain, smb_name, workstation_name));
152 }
153
154 /* We know that the given domain is trusted (and we are allowing them),
155 * it is our global SAM name, or for legacy behavior it is our
156 * primary domain name */
157
158 result = make_user_info(user_info, smb_name, internal_username,
159 client_domain, domain, workstation_name,
160 lm_pwd, nt_pwd,
161 lm_interactive_pwd, nt_interactive_pwd,
162 plaintext, encrypted);
163 if (NT_STATUS_IS_OK(result)) {
164 (*user_info)->was_mapped = was_mapped;
165 }
166 return result;
167 }
168
169 /****************************************************************************
170 Create an auth_usersupplied_data, making the DATA_BLOBs here.
171 Decrypt and encrypt the passwords.
172 ****************************************************************************/
173
174 bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info,
175 const char *smb_name,
176 const char *client_domain,
177 const char *workstation_name,
178 uint32 logon_parameters,
179 const uchar *lm_network_pwd,
180 int lm_pwd_len,
181 const uchar *nt_network_pwd,
182 int nt_pwd_len)
183 {
184 bool ret;
185 NTSTATUS status;
186 DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len);
187 DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
188
189 status = make_user_info_map(user_info,
190 smb_name, client_domain,
191 workstation_name,
192 lm_pwd_len ? &lm_blob : NULL,
193 nt_pwd_len ? &nt_blob : NULL,
194 NULL, NULL, NULL,
195 True);
196
197 if (NT_STATUS_IS_OK(status)) {
198 (*user_info)->logon_parameters = logon_parameters;
199 }
200 ret = NT_STATUS_IS_OK(status) ? True : False;
201
202 data_blob_free(&lm_blob);
203 data_blob_free(&nt_blob);
204 return ret;
205 }
206
207 /****************************************************************************
208 Create an auth_usersupplied_data, making the DATA_BLOBs here.
209 Decrypt and encrypt the passwords.
210 ****************************************************************************/
211
212 bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_info,
213 const char *smb_name,
214 const char *client_domain,
215 const char *workstation_name,
216 uint32 logon_parameters,
217 const uchar chal[8],
218 const uchar lm_interactive_pwd[16],
219 const uchar nt_interactive_pwd[16],
220 const uchar *dc_sess_key)
221 {
222 unsigned char lm_pwd[16];
223 unsigned char nt_pwd[16];
224 unsigned char local_lm_response[24];
225 unsigned char local_nt_response[24];
226 unsigned char key[16];
227
228 memcpy(key, dc_sess_key, 16);
229
230 if (lm_interactive_pwd)
231 memcpy(lm_pwd, lm_interactive_pwd, sizeof(lm_pwd));
232
233 if (nt_interactive_pwd)
234 memcpy(nt_pwd, nt_interactive_pwd, sizeof(nt_pwd));
235
236 #ifdef DEBUG_PASSWORD
237 DEBUG(100,("key:"));
238 dump_data(100, key, sizeof(key));
239
240 DEBUG(100,("lm owf password:"));
241 dump_data(100, lm_pwd, sizeof(lm_pwd));
242
243 DEBUG(100,("nt owf password:"));
244 dump_data(100, nt_pwd, sizeof(nt_pwd));
245 #endif
246
247 if (lm_interactive_pwd)
248 arcfour_crypt(lm_pwd, key, sizeof(lm_pwd));
249
250 if (nt_interactive_pwd)
251 arcfour_crypt(nt_pwd, key, sizeof(nt_pwd));
252
253 #ifdef DEBUG_PASSWORD
254 DEBUG(100,("decrypt of lm owf password:"));
255 dump_data(100, lm_pwd, sizeof(lm_pwd));
256
257 DEBUG(100,("decrypt of nt owf password:"));
258 dump_data(100, nt_pwd, sizeof(nt_pwd));
259 #endif
260
261 if (lm_interactive_pwd)
262 SMBOWFencrypt(lm_pwd, chal,
263 local_lm_response);
264
265 if (nt_interactive_pwd)
266 SMBOWFencrypt(nt_pwd, chal,
267 local_nt_response);
268
269 /* Password info paranoia */
270 ZERO_STRUCT(key);
271
272 {
273 bool ret;
274 NTSTATUS nt_status;
275 DATA_BLOB local_lm_blob;
276 DATA_BLOB local_nt_blob;
277
278 DATA_BLOB lm_interactive_blob;
279 DATA_BLOB nt_interactive_blob;
280
281 if (lm_interactive_pwd) {
282 local_lm_blob = data_blob(local_lm_response,
283 sizeof(local_lm_response));
284 lm_interactive_blob = data_blob(lm_pwd,
285 sizeof(lm_pwd));
286 ZERO_STRUCT(lm_pwd);
287 }
288
289 if (nt_interactive_pwd) {
290 local_nt_blob = data_blob(local_nt_response,
291 sizeof(local_nt_response));
292 nt_interactive_blob = data_blob(nt_pwd,
293 sizeof(nt_pwd));
294 ZERO_STRUCT(nt_pwd);
295 }
296
297 nt_status = make_user_info_map(
298 user_info,
299 smb_name, client_domain, workstation_name,
300 lm_interactive_pwd ? &local_lm_blob : NULL,
301 nt_interactive_pwd ? &local_nt_blob : NULL,
302 lm_interactive_pwd ? &lm_interactive_blob : NULL,
303 nt_interactive_pwd ? &nt_interactive_blob : NULL,
304 NULL, True);
305
306 if (NT_STATUS_IS_OK(nt_status)) {
307 (*user_info)->logon_parameters = logon_parameters;
308 }
309
310 ret = NT_STATUS_IS_OK(nt_status) ? True : False;
311 data_blob_free(&local_lm_blob);
312 data_blob_free(&local_nt_blob);
313 data_blob_free(&lm_interactive_blob);
314 data_blob_free(&nt_interactive_blob);
315 return ret;
316 }
317 }
318
319
320 /****************************************************************************
321 Create an auth_usersupplied_data structure
322 ****************************************************************************/
323
324 bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
325 const char *smb_name,
326 const char *client_domain,
327 const uint8 chal[8],
328 DATA_BLOB plaintext_password)
329 {
330
331 DATA_BLOB local_lm_blob;
332 DATA_BLOB local_nt_blob;
333 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
334
335 /*
336 * Not encrypted - do so.
337 */
338
339 DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted "
340 "format.\n"));
341
342 if (plaintext_password.data && plaintext_password.length) {
343 unsigned char local_lm_response[24];
344
345 #ifdef DEBUG_PASSWORD
346 DEBUG(10,("Unencrypted password (len %d):\n",
347 (int)plaintext_password.length));
348 dump_data(100, plaintext_password.data,
349 plaintext_password.length);
350 #endif
351
352 SMBencrypt( (const char *)plaintext_password.data,
353 (const uchar*)chal, local_lm_response);
354 local_lm_blob = data_blob(local_lm_response, 24);
355
356 /* We can't do an NT hash here, as the password needs to be
357 case insensitive */
358 local_nt_blob = data_blob_null;
359 } else {
360 local_lm_blob = data_blob_null;
361 local_nt_blob = data_blob_null;
362 }
363
364 ret = make_user_info_map(
365 user_info, smb_name, client_domain,
366 get_remote_machine_name(),
367 local_lm_blob.data ? &local_lm_blob : NULL,
368 local_nt_blob.data ? &local_nt_blob : NULL,
369 NULL, NULL,
370 plaintext_password.data && plaintext_password.length ? &plaintext_password : NULL,
371 False);
372
373 data_blob_free(&local_lm_blob);
374 return NT_STATUS_IS_OK(ret) ? True : False;
375 }
376
377 /****************************************************************************
378 Create an auth_usersupplied_data structure
379 ****************************************************************************/
380
381 NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info,
382 const char *smb_name,
383 const char *client_domain,
384 DATA_BLOB lm_resp, DATA_BLOB nt_resp)
385 {
386 return make_user_info_map(user_info, smb_name,
387 client_domain,
388 get_remote_machine_name(),
389 lm_resp.data ? &lm_resp : NULL,
390 nt_resp.data ? &nt_resp : NULL,
391 NULL, NULL, NULL,
392 True);
393 }
394
395 /****************************************************************************
396 Create a guest user_info blob, for anonymous authenticaion.
397 ****************************************************************************/
398
399 bool make_user_info_guest(struct auth_usersupplied_info **user_info)
400 {
401 NTSTATUS nt_status;
402
403 nt_status = make_user_info(user_info,
404 "","",
405 "","",
406 "",
407 NULL, NULL,
408 NULL, NULL,
409 NULL,
410 True);
411
412 return NT_STATUS_IS_OK(nt_status) ? True : False;
413 }
414
415 static NTSTATUS log_nt_token(NT_USER_TOKEN *token)
416 {
417 TALLOC_CTX *frame = talloc_stackframe();
418 char *command;
419 char *group_sidstr;
420 size_t i;
421
422 if ((lp_log_nt_token_command() == NULL) ||
423 (strlen(lp_log_nt_token_command()) == 0)) {
424 TALLOC_FREE(frame);
425 return NT_STATUS_OK;
426 }
427
428 group_sidstr = talloc_strdup(frame, "");
429 for (i=1; i<token->num_sids; i++) {
430 group_sidstr = talloc_asprintf(
431 frame, "%s %s", group_sidstr,
432 sid_string_talloc(frame, &token->user_sids[i]));
433 }
434
435 command = talloc_string_sub(
436 frame, lp_log_nt_token_command(),
437 "%s", sid_string_talloc(frame, &token->user_sids[0]));
438 command = talloc_string_sub(frame, command, "%t", group_sidstr);
439
440 if (command == NULL) {
441 TALLOC_FREE(frame);
442 return NT_STATUS_NO_MEMORY;
443 }
444
445 DEBUG(8, ("running command: [%s]\n", command));
446 if (smbrun(command, NULL) != 0) {
447 DEBUG(0, ("Could not log NT token\n"));
448 TALLOC_FREE(frame);
449 return NT_STATUS_ACCESS_DENIED;
450 }
451
452 TALLOC_FREE(frame);
453 return NT_STATUS_OK;
454 }
455
456 /*
457 * Create the token to use from server_info->info3 and
458 * server_info->sids (the info3/sam groups). Find the unix gids.
459 */
460
461 NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
462 {
463 NTSTATUS status;
464 size_t i;
465 struct dom_sid tmp_sid;
466 struct dom_sid user_sid;
467
468 /*
469 * If winbind is not around, we can not make much use of the SIDs the
470 * domain controller provided us with. Likewise if the user name was
471 * mapped to some local unix user.
472 */
473
474 if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
475 (server_info->nss_token)) {
476 status = create_token_from_username(server_info,
477 server_info->unix_name,
478 server_info->guest,
479 &server_info->utok.uid,
480 &server_info->utok.gid,
481 &server_info->unix_name,
482 &server_info->ptok);
483
484 } else {
485 sid_compose(&user_sid,
486 server_info->info3->base.domain_sid,
487 server_info->info3->base.rid);
488
489 server_info->ptok = create_local_nt_token(
490 server_info,
491 &user_sid,
492 server_info->guest,
493 server_info->num_sids, server_info->sids);
494 status = server_info->ptok ?
495 NT_STATUS_OK : NT_STATUS_NO_SUCH_USER;
496 }
497
498 if (!NT_STATUS_IS_OK(status)) {
499 return status;
500 }
501
502 /* Convert the SIDs to gids. */
503
504 server_info->utok.ngroups = 0;
505 server_info->utok.groups = NULL;
506
507 /* Start at index 1, where the groups start. */
508
509 for (i=1; i<server_info->ptok->num_sids; i++) {
510 gid_t gid;
511 struct dom_sid *sid = &server_info->ptok->user_sids[i];
512
513 if (!sid_to_gid(sid, &gid)) {
514 DEBUG(10, ("Could not convert SID %s to gid, "
515 "ignoring it\n", sid_string_dbg(sid)));
516 continue;
517 }
518 add_gid_to_array_unique(server_info, gid,
519 &server_info->utok.groups,
520 &server_info->utok.ngroups);
521 }
522
523 /*
524 * Add the "Unix Group" SID for each gid to catch mapped groups
525 * and their Unix equivalent. This is to solve the backwards
526 * compatibility problem of 'valid users = +ntadmin' where
527 * ntadmin has been paired with "Domain Admins" in the group
528 * mapping table. Otherwise smb.conf would need to be changed
529 * to 'valid user = "Domain Admins"'. --jerry
530 *
531 * For consistency we also add the "Unix User" SID,
532 * so that the complete unix token is represented within
533 * the nt token.
534 */
535
536 if (!uid_to_unix_users_sid(server_info->utok.uid, &tmp_sid)) {
537 DEBUG(1,("create_local_token: Failed to create SID "
538 "for uid %u!\n", (unsigned int)server_info->utok.uid));
539 }
540 add_sid_to_array_unique(server_info->ptok, &tmp_sid,
541 &server_info->ptok->user_sids,
542 &server_info->ptok->num_sids);
543
544 for ( i=0; i<server_info->utok.ngroups; i++ ) {
545 if (!gid_to_unix_groups_sid( server_info->utok.groups[i], &tmp_sid ) ) {
546 DEBUG(1,("create_local_token: Failed to create SID "
547 "for gid %u!\n", (unsigned int)server_info->utok.groups[i]));
548 continue;
549 }
550 add_sid_to_array_unique(server_info->ptok, &tmp_sid,
551 &server_info->ptok->user_sids,
552 &server_info->ptok->num_sids);
553 }
554
555 debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok);
556 debug_unix_user_token(DBGC_AUTH, 10,
557 server_info->utok.uid,
558 server_info->utok.gid,
559 server_info->utok.ngroups,
560 server_info->utok.groups);
561
562 status = log_nt_token(server_info->ptok);
563 return status;
564 }
565
566 /***************************************************************************
567 Make (and fill) a server_info struct from a 'struct passwd' by conversion
568 to a struct samu
569 ***************************************************************************/
570
571 NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
572 char *unix_username,
573 struct passwd *pwd)
574 {
575 NTSTATUS status;
576 struct samu *sampass = NULL;
577 gid_t *gids;
578 char *qualified_name = NULL;
579 TALLOC_CTX *mem_ctx = NULL;
580 struct dom_sid u_sid;
581 enum lsa_SidType type;
582 struct auth_serversupplied_info *result;
583
584 /*
585 * The SID returned in server_info->sam_account is based
586 * on our SAM sid even though for a pure UNIX account this should
587 * not be the case as it doesn't really exist in the SAM db.
588 * This causes lookups on "[in]valid users" to fail as they
589 * will lookup this name as a "Unix User" SID to check against
590 * the user token. Fix this by adding the "Unix User"\unix_username
591 * SID to the sid array. The correct fix should probably be
592 * changing the server_info->sam_account user SID to be a
593 * S-1-22 Unix SID, but this might break old configs where
594 * plaintext passwords were used with no SAM backend.
595 */
596
597 mem_ctx = talloc_init("make_server_info_pw_tmp");
598 if (!mem_ctx) {
599 return NT_STATUS_NO_MEMORY;
600 }
601
602 qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
603 unix_users_domain_name(),
604 unix_username );
605 if (!qualified_name) {
606 TALLOC_FREE(mem_ctx);
607 return NT_STATUS_NO_MEMORY;
608 }
609
610 if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
611 NULL, NULL,
612 &u_sid, &type)) {
613 TALLOC_FREE(mem_ctx);
614 return NT_STATUS_NO_SUCH_USER;
615 }
616
617 TALLOC_FREE(mem_ctx);
618
619 if (type != SID_NAME_USER) {
620 return NT_STATUS_NO_SUCH_USER;
621 }
622
623 if ( !(sampass = samu_new( NULL )) ) {
624 return NT_STATUS_NO_MEMORY;
625 }
626
627 status = samu_set_unix( sampass, pwd );
628 if (!NT_STATUS_IS_OK(status)) {
629 return status;
630 }
631
632 /* In pathological cases the above call can set the account
633 * name to the DOMAIN\username form. Reset the account name
634 * using unix_username */
635 pdb_set_username(sampass, unix_username, PDB_SET);
636
637 result = make_server_info(NULL);
638 if (result == NULL) {
639 TALLOC_FREE(sampass);
640 return NT_STATUS_NO_MEMORY;
641 }
642
643 status = samu_to_SamInfo3(result, sampass,
644 global_myname(), &result->info3);
645 if (!NT_STATUS_IS_OK(status)) {
646 DEBUG(10, ("Failed to convert samu to info3: %s\n",
647 nt_errstr(status)));
648 TALLOC_FREE(sampass);
649 TALLOC_FREE(result);
650 return status;
651 }
652
653
654 result->unix_name = talloc_strdup(result, unix_username);
655 result->sanitized_username = sanitize_username(result, unix_username);
656
657 if ((result->unix_name == NULL)
658 || (result->sanitized_username == NULL)) {
659 TALLOC_FREE(sampass);
660 TALLOC_FREE(result);
661 return NT_STATUS_NO_MEMORY;
662 }
663
664 result->utok.uid = pwd->pw_uid;
665 result->utok.gid = pwd->pw_gid;
666
667 status = pdb_enum_group_memberships(result, sampass,
668 &result->sids, &gids,
669 &result->num_sids);
670
671 if (!NT_STATUS_IS_OK(status)) {
672 DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
673 nt_errstr(status)));
674 TALLOC_FREE(sampass);
675 TALLOC_FREE(result);
676 return status;
677 }
678
679 TALLOC_FREE(sampass);
680
681 /* FIXME: add to info3 too ? */
682 status = add_sid_to_array_unique(result, &u_sid,
683 &result->sids,
684 &result->num_sids);
685 if (!NT_STATUS_IS_OK(status)) {
686 TALLOC_FREE(result);
687 return status;
688 }
689
690 /* For now we throw away the gids and convert via sid_to_gid
691 * later. This needs fixing, but I'd like to get the code straight and
692 * simple first. */
693 TALLOC_FREE(gids);
694
695 *server_info = result;
696
697 return NT_STATUS_OK;
698 }
699
700 /***************************************************************************
701 Make (and fill) a user_info struct for a guest login.
702 This *must* succeed for smbd to start. If there is no mapping entry for
703 the guest gid, then create one.
704 ***************************************************************************/
705
706 static NTSTATUS make_new_server_info_guest(struct auth_serversupplied_info **server_info)
707 {
708 NTSTATUS status;
709 struct samu *sampass = NULL;
710 struct dom_sid guest_sid;
711 bool ret;
712 static const char zeros[16] = {0, };
713 fstring tmp;
714
715 if ( !(sampass = samu_new( NULL )) ) {
716 return NT_STATUS_NO_MEMORY;
717 }
718
719 sid_compose(&guest_sid, get_global_sam_sid(), DOMAIN_RID_GUEST);
720
721 become_root();
722 ret = pdb_getsampwsid(sampass, &guest_sid);
723 unbecome_root();
724
725 if (!ret) {
726 TALLOC_FREE(sampass);
727 return NT_STATUS_NO_SUCH_USER;
728 }
729
730 status = make_server_info_sam(server_info, sampass);
731 if (!NT_STATUS_IS_OK(status)) {
732 TALLOC_FREE(sampass);
733 return status;
734 }
735
736 TALLOC_FREE(sampass);
737
738 (*server_info)->guest = True;
739
740 status = create_local_token(*server_info);
741 if (!NT_STATUS_IS_OK(status)) {
742 DEBUG(10, ("create_local_token failed: %s\n",
743 nt_errstr(status)));
744 return status;
745 }
746
747 /* annoying, but the Guest really does have a session key, and it is
748 all zeros! */
749 (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));
750 (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
751
752 alpha_strcpy(tmp, (*server_info)->info3->base.account_name.string,
753 ". _-$", sizeof(tmp));
754 (*server_info)->sanitized_username = talloc_strdup(*server_info, tmp);
755
756 return NT_STATUS_OK;
757 }
758
759 /***************************************************************************
760 Make (and fill) a user_info struct for a system user login.
761 This *must* succeed for smbd to start.
762 ***************************************************************************/
763
764 static NTSTATUS make_new_server_info_system(TALLOC_CTX *mem_ctx,
765 struct auth_serversupplied_info **server_info)
766 {
767 struct passwd *pwd;
768 NTSTATUS status;
769
770 pwd = getpwuid_alloc(mem_ctx, sec_initial_uid());
771 if (pwd == NULL) {
772 return NT_STATUS_NO_MEMORY;
773 }
774
775 status = make_serverinfo_from_username(mem_ctx,
776 pwd->pw_name,
777 false,
778 server_info);
779 if (!NT_STATUS_IS_OK(status)) {
780 return status;
781 }
782
783 (*server_info)->system = true;
784
785 return NT_STATUS_OK;
786 }
787
788 /****************************************************************************
789 Fake a auth_serversupplied_info just from a username
790 ****************************************************************************/
791
792 NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx,
793 const char *username,
794 bool is_guest,
795 struct auth_serversupplied_info **presult)
796 {
797 struct auth_serversupplied_info *result;
798 struct passwd *pwd;
799 NTSTATUS status;
800
801 pwd = getpwnam_alloc(talloc_tos(), username);
802 if (pwd == NULL) {
803 return NT_STATUS_NO_SUCH_USER;
804 }
805
806 status = make_server_info_pw(&result, pwd->pw_name, pwd);
807
808 TALLOC_FREE(pwd);
809
810 if (!NT_STATUS_IS_OK(status)) {
811 return status;
812 }
813
814 result->nss_token = true;
815 result->guest = is_guest;
816
817 status = create_local_token(result);
818
819 if (!NT_STATUS_IS_OK(status)) {
820 TALLOC_FREE(result);
821 return status;
822 }
823
824 *presult = result;
825 return NT_STATUS_OK;
826 }
827
828
829 struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx,
830 const struct auth_serversupplied_info *src)
831 {
832 struct auth_serversupplied_info *dst;
833
834 dst = make_server_info(mem_ctx);
835 if (dst == NULL) {
836 return NULL;
837 }
838
839 dst->guest = src->guest;
840 dst->system = src->system;
841 dst->utok.uid = src->utok.uid;
842 dst->utok.gid = src->utok.gid;
843 dst->utok.ngroups = src->utok.ngroups;
844 if (src->utok.ngroups != 0) {
845 dst->utok.groups = (gid_t *)TALLOC_MEMDUP(
846 dst, src->utok.groups,
847 sizeof(gid_t)*dst->utok.ngroups);
848 } else {
849 dst->utok.groups = NULL;
850 }
851
852 if (src->ptok) {
853 dst->ptok = dup_nt_token(dst, src->ptok);
854 if (!dst->ptok) {
855 TALLOC_FREE(dst);
856 return NULL;
857 }
858 }
859
860 dst->user_session_key = data_blob_talloc( dst, src->user_session_key.data,
861 src->user_session_key.length);
862
863 dst->lm_session_key = data_blob_talloc(dst, src->lm_session_key.data,
864 src->lm_session_key.length);
865
866 dst->info3 = copy_netr_SamInfo3(dst, src->info3);
867 if (!dst->info3) {
868 TALLOC_FREE(dst);
869 return NULL;
870 }
871
872 dst->pam_handle = NULL;
873 dst->unix_name = talloc_strdup(dst, src->unix_name);
874 if (!dst->unix_name) {
875 TALLOC_FREE(dst);
876 return NULL;
877 }
878
879 dst->sanitized_username = talloc_strdup(dst, src->sanitized_username);
880 if (!dst->sanitized_username) {
881 TALLOC_FREE(dst);
882 return NULL;
883 }
884
885 return dst;
886 }
887
888 /*
889 * Set a new session key. Used in the rpc server where we have to override the
890 * SMB level session key with SystemLibraryDTC
891 */
892
893 bool server_info_set_session_key(struct auth_serversupplied_info *info,
894 DATA_BLOB session_key)
895 {
896 TALLOC_FREE(info->user_session_key.data);
897
898 info->user_session_key = data_blob_talloc(
899 info, session_key.data, session_key.length);
900
901 return (info->user_session_key.data != NULL);
902 }
903
904 static struct auth_serversupplied_info *guest_info = NULL;
905
906 bool init_guest_info(void)
907 {
908 if (guest_info != NULL)
909 return True;
910
911 return NT_STATUS_IS_OK(make_new_server_info_guest(&guest_info));
912 }
913
914 NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx,
915 struct auth_serversupplied_info **server_info)
916 {
917 *server_info = copy_serverinfo(mem_ctx, guest_info);
918 return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
919 }
920
921 static struct auth_serversupplied_info *system_info = NULL;
922
923 bool init_system_info(void)
924 {
925 if (system_info != NULL)
926 return True;
927
928 return NT_STATUS_IS_OK(make_new_server_info_system(talloc_autofree_context(), &system_info));
929 }
930
931 NTSTATUS make_server_info_system(TALLOC_CTX *mem_ctx,
932 struct auth_serversupplied_info **server_info)
933 {
934 if (system_info == NULL) return NT_STATUS_UNSUCCESSFUL;
935 *server_info = copy_serverinfo(mem_ctx, system_info);
936 return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
937 }
938
939 bool copy_current_user(struct current_user *dst, struct current_user *src)
940 {
941 gid_t *groups;
942 NT_USER_TOKEN *nt_token;
943
944 groups = (gid_t *)memdup(src->ut.groups,
945 sizeof(gid_t) * src->ut.ngroups);
946 if ((src->ut.ngroups != 0) && (groups == NULL)) {
947 return False;
948 }
949
950 nt_token = dup_nt_token(NULL, src->nt_user_token);
951 if (nt_token == NULL) {
952 SAFE_FREE(groups);
953 return False;
954 }
955
956 dst->conn = src->conn;
957 dst->vuid = src->vuid;
958 dst->ut.uid = src->ut.uid;
959 dst->ut.gid = src->ut.gid;
960 dst->ut.ngroups = src->ut.ngroups;
961 dst->ut.groups = groups;
962 dst->nt_user_token = nt_token;
963 return True;
964 }
965
966 /***************************************************************************
967 Purely internal function for make_server_info_info3
968 ***************************************************************************/
969
970 static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
971 const char *username, char **found_username,
972 uid_t *uid, gid_t *gid,
973 bool *username_was_mapped)
974 {
975 fstring dom_user, lower_username;
976 fstring real_username;
977 struct passwd *passwd;
978
979 fstrcpy( lower_username, username );
980 strlower_m( lower_username );
981
982 fstr_sprintf(dom_user, "%s%c%s", domain, *lp_winbind_separator(),
983 lower_username);
984
985 /* Get the passwd struct. Try to create the account if necessary. */
986
987 *username_was_mapped = map_username(dom_user);
988
989 passwd = smb_getpwnam( NULL, dom_user, real_username, True );
990 if (!passwd) {
991 DEBUG(3, ("Failed to find authenticated user %s via "
992 "getpwnam(), denying access.\n", dom_user));
993 return NT_STATUS_NO_SUCH_USER;
994 }
995
996 *uid = passwd->pw_uid;
997 *gid = passwd->pw_gid;
998
999 /* This is pointless -- there is no suport for differing
1000 unix and windows names. Make sure to always store the
1001 one we actually looked up and succeeded. Have I mentioned
1002 why I hate the 'winbind use default domain' parameter?
1003 --jerry */
1004
1005 *found_username = talloc_strdup( mem_ctx, real_username );
1006
1007 TALLOC_FREE(passwd);
1008
1009 return NT_STATUS_OK;
1010 }
1011
1012 /****************************************************************************
1013 Wrapper to allow the getpwnam() call to strip the domain name and
1014 try again in case a local UNIX user is already there. Also run through
1015 the username if we fallback to the username only.
1016 ****************************************************************************/
1017
1018 struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, char *domuser,
1019 fstring save_username, bool create )
1020 {
1021 struct passwd *pw = NULL;
1022 char *p;
1023 fstring username;
1024
1025 /* we only save a copy of the username it has been mangled
1026 by winbindd use default domain */
1027
1028 save_username[0] = '\0';
1029
1030 /* don't call map_username() here since it has to be done higher
1031 up the stack so we don't call it multiple times */
1032
1033 fstrcpy( username, domuser );
1034
1035 p = strchr_m( username, *lp_winbind_separator() );
1036
1037 /* code for a DOMAIN\user string */
1038
1039 if ( p ) {
1040 fstring strip_username;
1041
1042 pw = Get_Pwnam_alloc( mem_ctx, domuser );
1043 if ( pw ) {
1044 /* make sure we get the case of the username correct */
1045 /* work around 'winbind use default domain = yes' */
1046
1047 if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
1048 char *domain;
1049
1050 /* split the domain and username into 2 strings */
1051 *p = '\0';
1052 domain = username;
1053
1054 fstr_sprintf(save_username, "%s%c%s", domain, *lp_winbind_separator(), pw->pw_name);
1055 }
1056 else
1057 fstrcpy( save_username, pw->pw_name );
1058
1059 /* whew -- done! */
1060 return pw;
1061 }
1062
1063 /* setup for lookup of just the username */
1064 /* remember that p and username are overlapping memory */
1065
1066 p++;
1067 fstrcpy( strip_username, p );
1068 fstrcpy( username, strip_username );
1069 }
1070
1071 /* just lookup a plain username */
1072
1073 pw = Get_Pwnam_alloc(mem_ctx, username);
1074
1075 /* Create local user if requested but only if winbindd
1076 is not running. We need to protect against cases
1077 where winbindd is failing and then prematurely
1078 creating users in /etc/passwd */
1079
1080 if ( !pw && create && !winbind_ping() ) {
1081 /* Don't add a machine account. */
1082 if (username[strlen(username)-1] == '$')
1083 return NULL;
1084
1085 _smb_create_user(NULL, username, NULL);
1086 pw = Get_Pwnam_alloc(mem_ctx, username);
1087 }
1088
1089 /* one last check for a valid passwd struct */
1090
1091 if ( pw )
1092 fstrcpy( save_username, pw->pw_name );
1093
1094 return pw;
1095 }
1096
1097 /***************************************************************************
1098 Make a server_info struct from the info3 returned by a domain logon
1099 ***************************************************************************/
1100
1101 NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
1102 const char *sent_nt_username,
1103 const char *domain,
1104 struct auth_serversupplied_info **server_info,
1105 struct netr_SamInfo3 *info3)
1106 {
1107 static const char zeros[16] = {0, };
1108
1109 NTSTATUS nt_status = NT_STATUS_OK;
1110 char *found_username = NULL;
1111 const char *nt_domain;
1112 const char *nt_username;
1113 struct dom_sid user_sid;
1114 struct dom_sid group_sid;
1115 bool username_was_mapped;
1116
1117 uid_t uid = (uid_t)-1;
1118 gid_t gid = (gid_t)-1;
1119
1120 struct auth_serversupplied_info *result;
1121
1122 /*
1123 Here is where we should check the list of
1124 trusted domains, and verify that the SID
1125 matches.
1126 */
1127
1128 if (!sid_compose(&user_sid, info3->base.domain_sid, info3->base.rid)) {
1129 return NT_STATUS_INVALID_PARAMETER;
1130 }
1131
1132 if (!sid_compose(&group_sid, info3->base.domain_sid,
1133 info3->base.primary_gid)) {
1134 return NT_STATUS_INVALID_PARAMETER;
1135 }
1136
1137 nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
1138 if (!nt_username) {
1139 /* If the server didn't give us one, just use the one we sent
1140 * them */
1141 nt_username = sent_nt_username;
1142 }
1143
1144 nt_domain = talloc_strdup(mem_ctx, info3->base.domain.string);
1145 if (!nt_domain) {
1146 /* If the server didn't give us one, just use the one we sent
1147 * them */
1148 nt_domain = domain;
1149 }
1150
1151 /* If getpwnam() fails try the add user script (2.2.x behavior).
1152
1153 We use the _unmapped_ username here in an attempt to provide
1154 consistent username mapping behavior between kerberos and NTLM[SSP]
1155 authentication in domain mode security. I.E. Username mapping
1156 should be applied to the fully qualified username
1157 (e.g. DOMAIN\user) and not just the login name. Yes this means we
1158 called map_username() unnecessarily in make_user_info_map() but
1159 that is how the current code is designed. Making the change here
1160 is the least disruptive place. -- jerry */
1161
1162 /* this call will try to create the user if necessary */
1163
1164 nt_status = check_account(mem_ctx, nt_domain, sent_nt_username,
1165 &found_username, &uid, &gid,
1166 &username_was_mapped);
1167
1168 if (!NT_STATUS_IS_OK(nt_status)) {
1169 return nt_status;
1170 }
1171
1172 result = make_server_info(NULL);
1173 if (result == NULL) {
1174 DEBUG(4, ("make_server_info failed!\n"));
1175 return NT_STATUS_NO_MEMORY;
1176 }
1177
1178 result->unix_name = talloc_strdup(result, found_username);
1179
1180 result->sanitized_username = sanitize_username(result,
1181 result->unix_name);
1182 if (result->sanitized_username == NULL) {
1183 TALLOC_FREE(result);
1184 return NT_STATUS_NO_MEMORY;
1185 }
1186
1187 /* copy in the info3 */
1188 result->info3 = copy_netr_SamInfo3(result, info3);
1189
1190 /* Fill in the unix info we found on the way */
1191
1192 result->utok.uid = uid;
1193 result->utok.gid = gid;
1194
1195 /* Create a 'combined' list of all SIDs we might want in the SD */
1196
1197 result->num_sids = 0;
1198 result->sids = NULL;
1199
1200 nt_status = sid_array_from_info3(result, info3,
1201 &result->sids,
1202 &result->num_sids,
1203 false, false);
1204 if (!NT_STATUS_IS_OK(nt_status)) {
1205 TALLOC_FREE(result);
1206 return nt_status;
1207 }
1208
1209 /* Ensure the primary group sid is at position 0. */
1210 sort_sid_array_for_smbd(result, &group_sid);
1211
1212 /* ensure we are never given NULL session keys */
1213
1214 if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) {
1215 result->user_session_key = data_blob_null;
1216 } else {
1217 result->user_session_key = data_blob_talloc(
1218 result, info3->base.key.key,
1219 sizeof(info3->base.key.key));
1220 }
1221
1222 if (memcmp(info3->base.LMSessKey.key, zeros, 8) == 0) {
1223 result->lm_session_key = data_blob_null;
1224 } else {
1225 result->lm_session_key = data_blob_talloc(
1226 result, info3->base.LMSessKey.key,
1227 sizeof(info3->base.LMSessKey.key));
1228 }
1229
1230 result->nss_token |= username_was_mapped;
1231
1232 *server_info = result;
1233
1234 return NT_STATUS_OK;
1235 }
1236
1237 /*****************************************************************************
1238 Make a server_info struct from the wbcAuthUserInfo returned by a domain logon
1239 ******************************************************************************/
1240
1241 NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
1242 const char *sent_nt_username,
1243 const char *domain,
1244 const struct wbcAuthUserInfo *info,
1245 struct auth_serversupplied_info **server_info)
1246 {
1247 struct netr_SamInfo3 *info3;
1248
1249 info3 = wbcAuthUserInfo_to_netr_SamInfo3(mem_ctx, info);
1250 if (!info3) {
1251 return NT_STATUS_NO_MEMORY;
1252 }
1253
1254 return make_server_info_info3(mem_ctx,
1255 sent_nt_username, domain,
1256 server_info, info3);
1257 }
1258
1259 /**
1260 * Verify whether or not given domain is trusted.
1261 *
1262 * @param domain_name name of the domain to be verified
1263 * @return true if domain is one of the trusted ones or
1264 * false if otherwise
1265 **/
1266
1267 bool is_trusted_domain(const char* dom_name)
1268 {
1269 struct dom_sid trustdom_sid;
1270 bool ret;
1271
1272 /* no trusted domains for a standalone server */
1273
1274 if ( lp_server_role() == ROLE_STANDALONE )
1275 return False;
1276
1277 if (dom_name == NULL || dom_name[0] == '\0') {
1278 return false;
1279 }
1280
1281 if (strequal(dom_name, get_global_sam_name())) {
1282 return false;
1283 }
1284
1285 /* if we are a DC, then check for a direct trust relationships */
1286
1287 if ( IS_DC ) {
1288 become_root();
1289 DEBUG (5,("is_trusted_domain: Checking for domain trust with "
1290 "[%s]\n", dom_name ));
1291 ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
1292 unbecome_root();
1293 if (ret)
1294 return True;
1295 }
1296 else {
1297 wbcErr result;
1298
1299 /* If winbind is around, ask it */
1300
1301 result = wb_is_trusted_domain(dom_name);
1302
1303 if (result == WBC_ERR_SUCCESS) {
1304 return True;
1305 }
1306
1307 if (result == WBC_ERR_DOMAIN_NOT_FOUND) {
1308 /* winbind could not find the domain */
1309 return False;
1310 }
1311
1312 /* The only other possible result is that winbind is not up
1313 and running. We need to update the trustdom_cache
1314 ourselves */
1315
1316 update_trustdom_cache();
1317 }
1318
1319 /* now the trustdom cache should be available a DC could still
1320 * have a transitive trust so fall back to the cache of trusted
1321 * domains (like a domain member would use */
1322
1323 if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) {
1324 return True;
1325 }
1326
1327 return False;
1328 }
1329
Samba GIT mirror