auth/wbc_auth_util.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Authentication utility functions
   4    Copyright (C) Volker Lendecke 2010
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 3 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19
  20 #include "includes.h"
  21 #include "libcli/security/security.h"
  22 #include "librpc/gen_ndr/netlogon.h"
  23 #include "nsswitch/libwbclient/wbclient.h"
  24 #include "librpc/gen_ndr/auth.h"
  25 #include "auth/auth_sam_reply.h"
  26
  27 #undef DBGC_CLASS
  28 #define DBGC_CLASS DBGC_AUTH
  29
  30 static NTSTATUS wbcsids_to_samr_RidWithAttributeArray(
  31                                 TALLOC_CTX *mem_ctx,
  32                                 struct samr_RidWithAttributeArray *groups,
  33                                 const struct dom_sid *domain_sid,
  34                                 const struct wbcSidWithAttr *sids,
  35                                 size_t num_sids)
  36 {
  37         unsigned int i, j = 0;
  38         bool ok;
  39
  40         groups->rids = talloc_array(mem_ctx,
  41                                     struct samr_RidWithAttribute, num_sids);
  42         if (!groups->rids) {
  43                 return NT_STATUS_NO_MEMORY;
  44         }
  45
  46         /* a wbcDomainSid is the same as a dom_sid */
  47         for (i = 0; i < num_sids; i++) {
  48                 ok = sid_peek_check_rid(domain_sid,
  49                                         (const struct dom_sid *)&sids[i].sid,
  50                                         &groups->rids[j].rid);
  51                 if (!ok) continue;
  52
  53                 groups->rids[j].attributes = SE_GROUP_MANDATORY |
  54                                              SE_GROUP_ENABLED_BY_DEFAULT |
  55                                              SE_GROUP_ENABLED;
  56                 j++;
  57         }
  58
  59         groups->count = j;
  60         return NT_STATUS_OK;
  61 }
  62
  63 static NTSTATUS wbcsids_to_netr_SidAttrArray(
  64                                 const struct dom_sid *domain_sid,
  65                                 const struct wbcSidWithAttr *sids,
  66                                 size_t num_sids,
  67                                 TALLOC_CTX *mem_ctx,
  68                                 struct netr_SidAttr **_info3_sids,
  69                                 uint32_t *info3_num_sids)
  70 {
  71         unsigned int i, j = 0;
  72         struct netr_SidAttr *info3_sids;
  73
  74         info3_sids = talloc_array(mem_ctx, struct netr_SidAttr, num_sids);
  75         if (info3_sids == NULL) {
  76                 return NT_STATUS_NO_MEMORY;
  77         }
  78
  79         /* a wbcDomainSid is the same as a dom_sid */
  80         for (i = 0; i < num_sids; i++) {
  81                 const struct dom_sid *sid;
  82
  83                 sid = (const struct dom_sid *)&sids[i].sid;
  84
  85                 if (dom_sid_in_domain(domain_sid, sid)) {
  86                         continue;
  87                 }
  88
  89                 info3_sids[j].sid = dom_sid_dup(info3_sids, sid);
  90                 if (info3_sids[j].sid == NULL) {
  91                         talloc_free(info3_sids);
  92                         return NT_STATUS_NO_MEMORY;
  93                 }
  94                 info3_sids[j].attributes = SE_GROUP_MANDATORY |
  95                                            SE_GROUP_ENABLED_BY_DEFAULT |
  96                                            SE_GROUP_ENABLED;
  97                 j++;
  98         }
  99
 100         *info3_num_sids = j;
 101         *_info3_sids = info3_sids;
 102         return NT_STATUS_OK;
 103 }
 104
 105 #undef RET_NOMEM
 106
 107 #define RET_NOMEM(ptr) do { \
 108         if (!ptr) { \
 109                 TALLOC_FREE(info3); \
 110                 return NULL; \
 111         } } while(0)
 112
 113 struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,
 114                                         const struct wbcAuthUserInfo *info)
 115 {
 116         struct netr_SamInfo3 *info3;
 117         struct dom_sid user_sid;
 118         struct dom_sid group_sid;
 119         struct dom_sid domain_sid;
 120         NTSTATUS status;
 121         bool ok;
 122
 123         memcpy(&user_sid, &info->sids[0].sid, sizeof(user_sid));
 124         memcpy(&group_sid, &info->sids[1].sid, sizeof(group_sid));
 125
 126         info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
 127         if (!info3) return NULL;
 128
 129         unix_to_nt_time(&info3->base.logon_time, info->logon_time);
 130         unix_to_nt_time(&info3->base.logoff_time, info->logoff_time);
 131         unix_to_nt_time(&info3->base.kickoff_time, info->kickoff_time);
 132         unix_to_nt_time(&info3->base.last_password_change, info->pass_last_set_time);
 133         unix_to_nt_time(&info3->base.allow_password_change,
 134                         info->pass_can_change_time);
 135         unix_to_nt_time(&info3->base.force_password_change,
 136                         info->pass_must_change_time);
 137
 138         if (info->account_name) {
 139                 info3->base.account_name.string =
 140                                 talloc_strdup(info3, info->account_name);
 141                 RET_NOMEM(info3->base.account_name.string);
 142         }
 143         if (info->full_name) {
 144                 info3->base.full_name.string =
 145                                 talloc_strdup(info3, info->full_name);
 146                 RET_NOMEM(info3->base.full_name.string);
 147         }
 148         if (info->logon_script) {
 149                 info3->base.logon_script.string =
 150                                 talloc_strdup(info3, info->logon_script);
 151                 RET_NOMEM(info3->base.logon_script.string);
 152         }
 153         if (info->profile_path) {
 154                 info3->base.profile_path.string =
 155                                 talloc_strdup(info3, info->profile_path);
 156                 RET_NOMEM(info3->base.profile_path.string);
 157         }
 158         if (info->home_directory) {
 159                 info3->base.home_directory.string =
 160                                 talloc_strdup(info3, info->home_directory);
 161                 RET_NOMEM(info3->base.home_directory.string);
 162         }
 163         if (info->home_drive) {
 164                 info3->base.home_drive.string =
 165                                 talloc_strdup(info3, info->home_drive);
 166                 RET_NOMEM(info3->base.home_drive.string);
 167         }
 168
 169         info3->base.logon_count = info->logon_count;
 170         info3->base.bad_password_count = info->bad_password_count;
 171
 172         sid_copy(&domain_sid, &user_sid);
 173         sid_split_rid(&domain_sid, &info3->base.rid);
 174
 175         ok = sid_peek_check_rid(&domain_sid, &group_sid,
 176                                 &info3->base.primary_gid);
 177         if (!ok) {
 178                 DEBUG(1, ("The primary group sid domain does not"
 179                           "match user sid domain for user: %s\n",
 180                           info->account_name));
 181                 TALLOC_FREE(info3);
 182                 return NULL;
 183         }
 184
 185         status = wbcsids_to_samr_RidWithAttributeArray(info3,
 186                                                        &info3->base.groups,
 187                                                        &domain_sid,
 188                                                        &info->sids[1],
 189                                                        info->num_sids - 1);
 190         if (!NT_STATUS_IS_OK(status)) {
 191                 TALLOC_FREE(info3);
 192                 return NULL;
 193         }
 194
 195         status = wbcsids_to_netr_SidAttrArray(&domain_sid,
 196                                               &info->sids[1],
 197                                               info->num_sids - 1,
 198                                               info3,
 199                                               &info3->sids,
 200                                               &info3->sidcount);
 201         if (!NT_STATUS_IS_OK(status)) {
 202                 TALLOC_FREE(info3);
 203                 return NULL;
 204         }
 205
 206         info3->base.user_flags = info->user_flags;
 207         memcpy(info3->base.key.key, info->user_session_key, 16);
 208
 209         if (info->logon_server) {
 210                 info3->base.logon_server.string =
 211                                 talloc_strdup(info3, info->logon_server);
 212                 RET_NOMEM(info3->base.logon_server.string);
 213         }
 214         if (info->domain_name) {
 215                 info3->base.logon_domain.string =
 216                                 talloc_strdup(info3, info->domain_name);
 217                 RET_NOMEM(info3->base.logon_domain.string);
 218         }
 219
 220         info3->base.domain_sid = dom_sid_dup(info3, &domain_sid);
 221         RET_NOMEM(info3->base.domain_sid);
 222
 223         memcpy(info3->base.LMSessKey.key, info->lm_session_key, 8);
 224         info3->base.acct_flags = info->acct_flags;
 225
 226         return info3;
 227 }