2 Unix SMB/CIFS implementation.
4 Winbind client authentication mechanism designed to defer all
5 authentication to the winbind daemon.
7 Copyright (C) Tim Potter 2000
8 Copyright (C) Andrew Bartlett 2001 - 2002
9 Copyright (C) Dan Sledz 2009
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 /* This auth module is very similar to auth_winbind with 3 distinct
28 * 1) Does not fallback to another auth module if winbindd is unavailable
29 * 2) Does not validate the domain of the user
30 * 3) Handles unencrypted passwords
32 * The purpose of this module is to defer all authentication decisions (ie:
33 * local user vs NIS vs LDAP vs AD; encrypted vs plaintext) to the wbc
34 * compatible daemon. This centeralizes all authentication decisions to a
37 * This auth backend is most useful when used in conjunction with pdb_wbc_sam.
42 #include "nsswitch/libwbclient/wbclient.h"
45 #define DBGC_CLASS DBGC_AUTH
47 /* Authenticate a user with a challenge/response */
49 static NTSTATUS
check_wbc_security(const struct auth_context
*auth_context
,
50 void *my_private_data
,
52 const struct auth_usersupplied_info
*user_info
,
53 struct auth_serversupplied_info
**server_info
)
57 struct wbcAuthUserParams params
;
58 struct wbcAuthUserInfo
*info
= NULL
;
59 struct wbcAuthErrorInfo
*err
= NULL
;
61 if (!user_info
|| !auth_context
|| !server_info
) {
62 return NT_STATUS_INVALID_PARAMETER
;
67 /* Send off request */
69 DEBUG(10, ("Check auth for: [%s]", user_info
->mapped
.account_name
));
71 params
.account_name
= user_info
->client
.account_name
;
72 params
.domain_name
= user_info
->mapped
.domain_name
;
73 params
.workstation_name
= user_info
->workstation_name
;
76 params
.parameter_control
= user_info
->logon_parameters
;
78 /* Handle plaintext */
79 switch (user_info
->password_state
) {
80 case AUTH_PASSWORD_PLAIN
:
82 DEBUG(3,("Checking plaintext password for %s.\n",
83 user_info
->mapped
.account_name
));
84 params
.level
= WBC_AUTH_USER_LEVEL_PLAIN
;
86 params
.password
.plaintext
= user_info
->password
.plaintext
;
89 case AUTH_PASSWORD_RESPONSE
:
90 case AUTH_PASSWORD_HASH
:
92 DEBUG(3,("Checking encrypted password for %s.\n",
93 user_info
->mapped
.account_name
));
94 params
.level
= WBC_AUTH_USER_LEVEL_RESPONSE
;
96 memcpy(params
.password
.response
.challenge
,
97 auth_context
->challenge
.data
,
98 sizeof(params
.password
.response
.challenge
));
100 if (user_info
->password
.response
.nt
.length
!= 0) {
101 params
.password
.response
.nt_length
=
102 user_info
->password
.response
.nt
.length
;
103 params
.password
.response
.nt_data
=
104 user_info
->password
.response
.nt
.data
;
106 if (user_info
->password
.response
.lanman
.length
!= 0) {
107 params
.password
.response
.lm_length
=
108 user_info
->password
.response
.lanman
.length
;
109 params
.password
.response
.lm_data
=
110 user_info
->password
.response
.lanman
.data
;
115 DEBUG(0,("user_info constructed for user '%s' was invalid - password_state=%u invalid.\n",user_info
->mapped
.account_name
, user_info
->password_state
));
116 return NT_STATUS_INTERNAL_ERROR
;
117 #if 0 /* If ever implemented in libwbclient */
118 case AUTH_PASSWORD_HASH
:
120 DEBUG(3,("Checking logon (hash) password for %s.\n",
121 user_info
->mapped
.account_name
));
122 params
.level
= WBC_AUTH_USER_LEVEL_HASH
;
124 if (user_info
->password
.hash
.nt
) {
125 memcpy(params
.password
.hash
.nt_hash
, user_info
->password
.hash
.nt
, sizeof(* user_info
->password
.hash
.nt
));
127 memset(params
.password
.hash
.nt_hash
, '\0', sizeof(params
.password
.hash
.nt_hash
));
130 if (user_info
->password
.hash
.lanman
) {
131 memcpy(params
.password
.hash
.lm_hash
, user_info
->password
.hash
.lanman
, sizeof(* user_info
->password
.hash
.lanman
));
133 memset(params
.password
.hash
.lm_hash
, '\0', sizeof(params
.password
.hash
.lm_hash
));
140 /* we are contacting the privileged pipe */
142 wbc_status
= wbcAuthenticateUserEx(¶ms
, &info
, &err
);
145 if (!WBC_ERROR_IS_OK(wbc_status
)) {
146 DEBUG(10,("wbcAuthenticateUserEx failed (%d): %s\n",
147 wbc_status
, wbcErrorString(wbc_status
)));
150 if (wbc_status
== WBC_ERR_NO_MEMORY
) {
151 return NT_STATUS_NO_MEMORY
;
154 if (wbc_status
== WBC_ERR_AUTH_ERROR
) {
155 nt_status
= NT_STATUS(err
->nt_status
);
160 if (!WBC_ERROR_IS_OK(wbc_status
)) {
161 return NT_STATUS_LOGON_FAILURE
;
164 DEBUG(10,("wbcAuthenticateUserEx succeeded\n"));
166 nt_status
= make_server_info_wbcAuthUserInfo(mem_ctx
,
167 user_info
->client
.account_name
,
168 user_info
->mapped
.domain_name
,
171 if (!NT_STATUS_IS_OK(nt_status
)) {
175 (*server_info
)->nss_token
|= user_info
->was_mapped
;
180 /* module initialisation */
181 static NTSTATUS
auth_init_wbc(struct auth_context
*auth_context
, const char *param
, auth_methods
**auth_method
)
183 struct auth_methods
*result
;
185 result
= talloc_zero(auth_context
, struct auth_methods
);
186 if (result
== NULL
) {
187 return NT_STATUS_NO_MEMORY
;
189 result
->name
= "wbc";
190 result
->auth
= check_wbc_security
;
192 *auth_method
= result
;
196 NTSTATUS
auth_wbc_init(void)
198 return smb_register_auth(AUTH_INTERFACE_VERSION
, "wbc", auth_init_wbc
);