search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r13720: Only lockout Administrator after x bad password attempts in offline-mode
[Samba/bb.git] / source3 / nsswitch / winbindd_pam.c
blobaa759af09aa36e50b579e3351cf9df7c1e4a1a2f
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon - pam auth funcions
5
6 Copyright (C) Andrew Tridgell 2000
7 Copyright (C) Tim Potter 2001
8 Copyright (C) Andrew Bartlett 2001-2002
9 Copyright (C) Guenther Deschner 2005
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 2 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with this program; if not, write to the Free Software
23 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 */
25
26 #include "includes.h"
27 #include "winbindd.h"
28 #undef DBGC_CLASS
29 #define DBGC_CLASS DBGC_WINBIND
30
31 static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx,
32 struct winbindd_cli_state *state,
33 NET_USER_INFO_3 *info3)
34 {
35 fstring str_sid;
36
37 state->response.data.auth.info3.logon_time =
38 nt_time_to_unix(&(info3->logon_time));
39 state->response.data.auth.info3.logoff_time =
40 nt_time_to_unix(&(info3->logoff_time));
41 state->response.data.auth.info3.kickoff_time =
42 nt_time_to_unix(&(info3->kickoff_time));
43 state->response.data.auth.info3.pass_last_set_time =
44 nt_time_to_unix(&(info3->pass_last_set_time));
45 state->response.data.auth.info3.pass_can_change_time =
46 nt_time_to_unix(&(info3->pass_can_change_time));
47 state->response.data.auth.info3.pass_must_change_time =
48 nt_time_to_unix(&(info3->pass_must_change_time));
49
50 state->response.data.auth.info3.logon_count = info3->logon_count;
51 state->response.data.auth.info3.bad_pw_count = info3->bad_pw_count;
52
53 state->response.data.auth.info3.user_rid = info3->user_rid;
54 state->response.data.auth.info3.group_rid = info3->group_rid;
55 sid_to_string(str_sid, &(info3->dom_sid.sid));
56 fstrcpy(state->response.data.auth.info3.dom_sid, str_sid);
57
58 state->response.data.auth.info3.num_groups = info3->num_groups;
59 state->response.data.auth.info3.user_flgs = info3->user_flgs;
60
61 state->response.data.auth.info3.acct_flags = info3->acct_flags;
62 state->response.data.auth.info3.num_other_sids = info3->num_other_sids;
63
64 unistr2_to_ascii(state->response.data.auth.info3.user_name,
65 &info3->uni_user_name, -1);
66 unistr2_to_ascii(state->response.data.auth.info3.full_name,
67 &info3->uni_full_name, -1);
68 unistr2_to_ascii(state->response.data.auth.info3.logon_script,
69 &info3->uni_logon_script, -1);
70 unistr2_to_ascii(state->response.data.auth.info3.profile_path,
71 &info3->uni_profile_path, -1);
72 unistr2_to_ascii(state->response.data.auth.info3.home_dir,
73 &info3->uni_home_dir, -1);
74 unistr2_to_ascii(state->response.data.auth.info3.dir_drive,
75 &info3->uni_dir_drive, -1);
76
77 unistr2_to_ascii(state->response.data.auth.info3.logon_srv,
78 &info3->uni_logon_srv, -1);
79 unistr2_to_ascii(state->response.data.auth.info3.logon_dom,
80 &info3->uni_logon_dom, -1);
81
82 return NT_STATUS_OK;
83 }
84
85 static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx,
86 struct winbindd_cli_state *state,
87 NET_USER_INFO_3 *info3)
88 {
89 prs_struct ps;
90 uint32 size;
91 if (!prs_init(&ps, 256 /* Random, non-zero number */, mem_ctx, MARSHALL)) {
92 return NT_STATUS_NO_MEMORY;
93 }
94 if (!net_io_user_info3("", info3, &ps, 1, 3, False)) {
95 prs_mem_free(&ps);
96 return NT_STATUS_UNSUCCESSFUL;
97 }
98
99 size = prs_data_size(&ps);
100 state->response.extra_data = SMB_MALLOC(size);
101 if (!state->response.extra_data) {
102 prs_mem_free(&ps);
103 return NT_STATUS_NO_MEMORY;
104 }
105 memset( state->response.extra_data, '\0', size );
106 prs_copy_all_data_out(state->response.extra_data, &ps);
107 state->response.length += size;
108 prs_mem_free(&ps);
109 return NT_STATUS_OK;
110 }
111
112 static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
113 NET_USER_INFO_3 *info3,
114 const char *group_sid)
115 {
116 DOM_SID require_membership_of_sid;
117 DOM_SID *all_sids;
118 size_t num_all_sids = (2 + info3->num_groups2 + info3->num_other_sids);
119 size_t i, j = 0;
120
121 /* Parse the 'required group' SID */
122
123 if (!group_sid || !group_sid[0]) {
124 /* NO sid supplied, all users may access */
125 return NT_STATUS_OK;
126 }
127
128 if (!string_to_sid(&require_membership_of_sid, group_sid)) {
129 DEBUG(0, ("check_info3_in_group: could not parse %s as a SID!",
130 group_sid));
131
132 return NT_STATUS_INVALID_PARAMETER;
133 }
134
135 all_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, num_all_sids);
136 if (!all_sids)
137 return NT_STATUS_NO_MEMORY;
138
139 /* and create (by appending rids) the 'domain' sids */
140
141 sid_copy(&all_sids[0], &(info3->dom_sid.sid));
142
143 if (!sid_append_rid(&all_sids[0], info3->user_rid)) {
144 DEBUG(3,("could not append user's primary RID 0x%x\n",
145 info3->user_rid));
146
147 return NT_STATUS_INVALID_PARAMETER;
148 }
149 j++;
150
151 sid_copy(&all_sids[1], &(info3->dom_sid.sid));
152
153 if (!sid_append_rid(&all_sids[1], info3->group_rid)) {
154 DEBUG(3,("could not append additional group rid 0x%x\n",
155 info3->group_rid));
156
157 return NT_STATUS_INVALID_PARAMETER;
158 }
159 j++;
160
161 for (i = 0; i < info3->num_groups2; i++) {
162
163 sid_copy(&all_sids[j], &(info3->dom_sid.sid));
164
165 if (!sid_append_rid(&all_sids[j], info3->gids[i].g_rid)) {
166 DEBUG(3,("could not append additional group rid 0x%x\n",
167 info3->gids[i].g_rid));
168
169 return NT_STATUS_INVALID_PARAMETER;
170 }
171 j++;
172 }
173
174 /* Copy 'other' sids. We need to do sid filtering here to
175 prevent possible elevation of privileges. See:
176
177 http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
178 */
179
180 for (i = 0; i < info3->num_other_sids; i++) {
181 sid_copy(&all_sids[info3->num_groups2 + i + 2],
182 &info3->other_sids[i].sid);
183 j++;
184 }
185
186 for (i = 0; i < j; i++) {
187 fstring sid1, sid2;
188 DEBUG(10, ("User has SID: %s\n",
189 sid_to_string(sid1, &all_sids[i])));
190 if (sid_equal(&require_membership_of_sid, &all_sids[i])) {
191 DEBUG(10, ("SID %s matches %s - user permitted to authenticate!\n",
192 sid_to_string(sid1, &require_membership_of_sid), sid_to_string(sid2, &all_sids[i])));
193 return NT_STATUS_OK;
194 }
195 }
196
197 /* Do not distinguish this error from a wrong username/pw */
198
199 return NT_STATUS_LOGON_FAILURE;
200 }
201
202 static struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state,
203 const char *domain_name)
204 {
205 struct winbindd_domain *domain;
206
207 if (IS_DC) {
208 domain = find_domain_from_name_noinit(domain_name);
209 if (domain == NULL) {
210 DEBUG(3, ("Authentication for domain [%s] refused"
211 "as it is not a trusted domain\n",
212 domain_name));
213 }
214 return domain;
215 }
216
217 if (is_myname(domain_name)) {
218 DEBUG(3, ("Authentication for domain %s (local domain "
219 "to this server) not supported at this "
220 "stage\n", domain_name));
221 return NULL;
222 }
223
224 /* we can auth against trusted domains */
225 if (state->request.flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
226 domain = find_domain_from_name_noinit(domain_name);
227 if (domain == NULL) {
228 DEBUG(3, ("Authentication for domain [%s] skipped "
229 "as it is not a trusted domain\n",
230 domain_name));
231 } else {
232 return domain;
233 }
234 }
235
236 return find_our_domain();
237 }
238
239 static void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
240 {
241 resp->data.auth.nt_status = NT_STATUS_V(result);
242 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
243
244 /* we might have given a more useful error above */
245 if (*resp->data.auth.error_string == '\0')
246 fstrcpy(resp->data.auth.error_string,
247 get_friendly_nt_error_msg(result));
248 resp->data.auth.pam_error = nt_status_to_pam(result);
249 }
250
251 static NTSTATUS fillup_password_policy(struct winbindd_domain *domain,
252 struct winbindd_cli_state *state)
253 {
254 struct winbindd_methods *methods;
255 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
256 SAM_UNK_INFO_1 password_policy;
257
258 methods = domain->methods;
259
260 status = methods->password_policy(domain, state->mem_ctx, &password_policy);
261 if (NT_STATUS_IS_ERR(status)) {
262 return status;
263 }
264
265 state->response.data.auth.policy.min_length_password =
266 password_policy.min_length_password;
267 state->response.data.auth.policy.password_history =
268 password_policy.password_history;
269 state->response.data.auth.policy.password_properties =
270 password_policy.password_properties;
271 state->response.data.auth.policy.expire =
272 nt_time_to_unix_abs(&(password_policy.expire));
273 state->response.data.auth.policy.min_passwordage =
274 nt_time_to_unix_abs(&(password_policy.min_passwordage));
275
276 return NT_STATUS_OK;
277 }
278
279 static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain *domain,
280 TALLOC_CTX *mem_ctx,
281 uint16 *max_allowed_bad_attempts)
282 {
283 struct winbindd_methods *methods;
284 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
285 SAM_UNK_INFO_12 lockout_policy;
286
287 *max_allowed_bad_attempts = 0;
288
289 methods = domain->methods;
290
291 status = methods->lockout_policy(domain, mem_ctx, &lockout_policy);
292 if (NT_STATUS_IS_ERR(status)) {
293 return status;
294 }
295
296 *max_allowed_bad_attempts = lockout_policy.bad_attempt_lockout;
297
298 return NT_STATUS_OK;
299 }
300
301 static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
302 TALLOC_CTX *mem_ctx,
303 uint32 *password_properties)
304 {
305 struct winbindd_methods *methods;
306 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
307 SAM_UNK_INFO_1 password_policy;
308
309 *password_properties = 0;
310
311 methods = domain->methods;
312
313 status = methods->password_policy(domain, mem_ctx, &password_policy);
314 if (NT_STATUS_IS_ERR(status)) {
315 return status;
316 }
317
318 *password_properties = password_policy.password_properties;
319
320 return NT_STATUS_OK;
321 }
322
323 static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
324 const char *type,
325 uid_t uid,
326 BOOL *internal_ccache)
327 {
328 /* accept KCM, FILE and WRFILE as krb5_cc_type from the client and then
329 * build the full ccname string based on the user's uid here -
330 * Guenther*/
331
332 const char *gen_cc = NULL;
333
334 *internal_ccache = True;
335
336 if (uid == -1) {
337 goto memory_ccache;
338 }
339
340 if (!type || type[0] == '\0') {
341 goto memory_ccache;
342 }
343
344 if (strequal(type, "FILE")) {
345 gen_cc = talloc_asprintf(mem_ctx, "FILE:/tmp/krb5cc_%d", uid);
346 } else if (strequal(type, "WRFILE")) {
347 gen_cc = talloc_asprintf(mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
348 #ifdef WITH_KCM
349 } else if (strequal(type, "KCM")) {
350 gen_cc = talloc_asprintf(mem_ctx, "KCM:%d", uid);
351 #endif
352 } else {
353 DEBUG(10,("we don't allow to set a %s type ccache\n", type));
354 goto memory_ccache;
355 }
356
357 *internal_ccache = False;
358 goto done;
359
360 memory_ccache:
361 gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbind_cache");
362
363 done:
364 if (gen_cc == NULL) {
365 DEBUG(0,("out of memory\n"));
366 return NULL;
367 }
368
369 DEBUG(10,("using ccache: %s %s\n", gen_cc, *internal_ccache ? "(internal)":""));
370
371 return gen_cc;
372 }
373
374 static uid_t get_uid_from_state(struct winbindd_cli_state *state)
375 {
376 uid_t uid = -1;
377
378 uid = state->request.data.auth.uid;
379
380 if (uid < 0) {
381 DEBUG(1,("invalid uid: '%d'\n", uid));
382 return -1;
383 }
384 return uid;
385 }
386
387 static void setup_return_cc_name(struct winbindd_cli_state *state, const char *cc)
388 {
389 const char *type = state->request.data.auth.krb5_cc_type;
390
391 state->response.data.auth.krb5ccname[0] = '\0';
392
393 if (type[0] == '\0') {
394 return;
395 }
396
397 if (!strequal(type, "FILE") &&
398 #ifdef WITH_KCM
399 !strequal(type, "KCM") &&
400 #endif
401 !strequal(type, "WRFILE")) {
402 DEBUG(10,("won't return krbccname for a %s type ccache\n",
403 type));
404 return;
405 }
406
407 fstrcpy(state->response.data.auth.krb5ccname, cc);
408 }
409
410 /**********************************************************************
411 Authenticate a user with a clear text password using Kerberos and fill up
412 ccache if required
413 **********************************************************************/
414 static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
415 struct winbindd_cli_state *state,
416 NET_USER_INFO_3 **info3)
417 {
418 #ifdef HAVE_KRB5
419 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
420 krb5_error_code krb5_ret;
421 DATA_BLOB tkt, session_key_krb5;
422 DATA_BLOB ap_rep, session_key;
423 PAC_DATA *pac_data = NULL;
424 PAC_LOGON_INFO *logon_info = NULL;
425 char *client_princ = NULL;
426 char *client_princ_out = NULL;
427 char *local_service = NULL;
428 const char *cc = NULL;
429 const char *principal_s = NULL;
430 const char *service = NULL;
431 char *realm = NULL;
432 fstring name_domain, name_user;
433 time_t ticket_lifetime = 0;
434 time_t renewal_until = 0;
435 uid_t uid = -1;
436 ADS_STRUCT *ads;
437 time_t time_offset = 0;
438 BOOL internal_ccache = True;
439
440 ZERO_STRUCT(session_key);
441 ZERO_STRUCT(session_key_krb5);
442 ZERO_STRUCT(tkt);
443 ZERO_STRUCT(ap_rep);
444
445 ZERO_STRUCTP(info3);
446
447 *info3 = NULL;
448
449 /* 1st step:
450 * prepare a krb5_cc_cache string for the user */
451
452 uid = get_uid_from_state(state);
453 if (uid == -1) {
454 DEBUG(0,("no valid uid\n"));
455 }
456
457 cc = generate_krb5_ccache(state->mem_ctx,
458 state->request.data.auth.krb5_cc_type,
459 state->request.data.auth.uid,
460 &internal_ccache);
461 if (cc == NULL) {
462 return NT_STATUS_NO_MEMORY;
463 }
464
465
466 /* 2nd step:
467 * get kerberos properties */
468
469 if (domain->private_data) {
470 ads = (ADS_STRUCT *)domain->private_data;
471 time_offset = ads->auth.time_offset;
472 }
473
474
475 /* 3rd step:
476 * do kerberos auth and setup ccache as the user */
477
478 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
479
480 realm = domain->alt_name;
481 strupper_m(realm);
482
483 principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
484 if (principal_s == NULL) {
485 return NT_STATUS_NO_MEMORY;
486 }
487
488 service = talloc_asprintf(state->mem_ctx, "krbtgt/%s@%s", realm, realm);
489 if (service == NULL) {
490 return NT_STATUS_NO_MEMORY;
491 }
492
493 /* if this is a user ccache, we need to act as the user to let the krb5
494 * library handle the chown, etc. */
495
496 /************************ NON-ROOT **********************/
497
498 if (!internal_ccache) {
499
500 seteuid(uid);
501 DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
502 }
503
504 krb5_ret = kerberos_kinit_password(principal_s,
505 state->request.data.auth.pass,
506 time_offset,
507 &ticket_lifetime,
508 &renewal_until,
509 cc,
510 True,
511 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
512
513 if (krb5_ret) {
514 DEBUG(1,("winbindd_raw_kerberos_login: kinit failed for '%s' with: %s (%d)\n",
515 principal_s, error_message(krb5_ret), krb5_ret));
516 result = krb5_to_nt_status(krb5_ret);
517 goto done;
518 }
519
520 /* does http_timestring use heimdals libroken strftime?? - Guenther */
521 DEBUG(10,("got TGT for %s in %s (valid until: %s (%d), renewable till: %s (%d))\n",
522 principal_s, cc,
523 http_timestring(ticket_lifetime), (int)ticket_lifetime,
524 http_timestring(renewal_until), (int)renewal_until));
525
526 client_princ = talloc_strdup(state->mem_ctx, global_myname());
527 if (client_princ == NULL) {
528 result = NT_STATUS_NO_MEMORY;
529 goto done;
530 }
531 strlower_m(client_princ);
532
533 local_service = talloc_asprintf(state->mem_ctx, "HOST/%s@%s", client_princ, lp_realm());
534 if (local_service == NULL) {
535 DEBUG(0,("winbindd_raw_kerberos_login: out of memory\n"));
536 result = NT_STATUS_NO_MEMORY;
537 goto done;
538 }
539
540 krb5_ret = cli_krb5_get_ticket(local_service,
541 time_offset,
542 &tkt,
543 &session_key_krb5,
544 0,
545 cc);
546 if (krb5_ret) {
547 DEBUG(1,("winbindd_raw_kerberos_login: failed to get ticket for: %s\n",
548 local_service));
549 result = krb5_to_nt_status(krb5_ret);
550 goto done;
551 }
552
553 if (!internal_ccache) {
554 seteuid(0);
555 }
556
557 /************************ NON-ROOT **********************/
558
559 result = ads_verify_ticket(state->mem_ctx,
560 lp_realm(),
561 &tkt,
562 &client_princ_out,
563 &pac_data,
564 &ap_rep,
565 &session_key);
566 if (!NT_STATUS_IS_OK(result)) {
567 DEBUG(0,("winbindd_raw_kerberos_login: ads_verify_ticket failed: %s\n",
568 nt_errstr(result)));
569 goto done;
570 }
571
572 DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
573 local_service));
574
575 if (!pac_data) {
576 DEBUG(3,("winbindd_raw_kerberos_login: no pac data\n"));
577 result = NT_STATUS_INVALID_PARAMETER;
578 goto done;
579 }
580
581 logon_info = get_logon_info_from_pac(pac_data);
582 if (logon_info == NULL) {
583 DEBUG(1,("winbindd_raw_kerberos_login: no logon info\n"));
584 result = NT_STATUS_INVALID_PARAMETER;
585 goto done;
586 }
587
588
589 /* last step:
590 * put results together */
591
592 *info3 = &logon_info->info3;
593
594 /* if we had a user's ccache then return that string for the pam
595 * environment */
596
597 if (!internal_ccache) {
598
599 setup_return_cc_name(state, cc);
600
601 result = add_ccache_to_list(principal_s,
602 cc,
603 service,
604 state->request.data.auth.user,
605 NULL,
606 state->request.data.auth.pass,
607 uid,
608 time(NULL),
609 ticket_lifetime,
610 renewal_until,
611 lp_winbind_refresh_tickets());
612
613 if (!NT_STATUS_IS_OK(result)) {
614 DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
615 nt_errstr(result)));
616 }
617 }
618
619 result = NT_STATUS_OK;
620
621 done:
622 data_blob_free(&session_key);
623 data_blob_free(&session_key_krb5);
624 data_blob_free(&ap_rep);
625 data_blob_free(&tkt);
626
627 SAFE_FREE(client_princ_out);
628
629 if (!internal_ccache) {
630 seteuid(0);
631 }
632
633 return result;
634 #else
635 return NT_STATUS_NOT_SUPPORTED;
636 #endif /* HAVE_KRB5 */
637 }
638
639 void winbindd_pam_auth(struct winbindd_cli_state *state)
640 {
641 struct winbindd_domain *domain;
642 fstring name_domain, name_user;
643
644 /* Ensure null termination */
645 state->request.data.auth.user
646 [sizeof(state->request.data.auth.user)-1]='\0';
647
648 /* Ensure null termination */
649 state->request.data.auth.pass
650 [sizeof(state->request.data.auth.pass)-1]='\0';
651
652 DEBUG(3, ("[%5lu]: pam auth %s\n", (unsigned long)state->pid,
653 state->request.data.auth.user));
654
655 /* Parse domain and username */
656
657 if (!parse_domain_user(state->request.data.auth.user,
658 name_domain, name_user)) {
659 set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
660 DEBUG(5, ("Plain text authentication for %s returned %s "
661 "(PAM: %d)\n",
662 state->request.data.auth.user,
663 state->response.data.auth.nt_status_string,
664 state->response.data.auth.pam_error));
665 request_error(state);
666 return;
667 }
668
669 domain = find_auth_domain(state, name_domain);
670
671 if (domain == NULL) {
672 set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
673 DEBUG(5, ("Plain text authentication for %s returned %s "
674 "(PAM: %d)\n",
675 state->request.data.auth.user,
676 state->response.data.auth.nt_status_string,
677 state->response.data.auth.pam_error));
678 request_error(state);
679 return;
680 }
681
682 sendto_domain(state, domain);
683 }
684
685 NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
686 struct winbindd_cli_state *state,
687 NET_USER_INFO_3 **info3)
688 {
689 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
690 uint16 max_allowed_bad_attempts;
691 fstring name_domain, name_user;
692 DOM_SID sid;
693 enum SID_NAME_USE type;
694 uchar new_nt_pass[NT_HASH_LEN];
695 const uint8 *cached_nt_pass;
696 NET_USER_INFO_3 *my_info3;
697 time_t kickoff_time, must_change_time;
698
699 *info3 = NULL;
700
701 ZERO_STRUCTP(info3);
702
703 DEBUG(10,("winbindd_dual_pam_auth_cached\n"));
704
705 /* Parse domain and username */
706
707 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
708
709
710 if (!lookup_cached_name(state->mem_ctx,
711 name_domain,
712 name_user,
713 &sid,
714 &type)) {
715 DEBUG(10,("winbindd_dual_pam_auth_cached: no such user in the cache\n"));
716 return NT_STATUS_NO_SUCH_USER;
717 }
718
719 if (type != SID_NAME_USER) {
720 DEBUG(10,("winbindd_dual_pam_auth_cached: not a user (%s)\n", sid_type_lookup(type)));
721 return NT_STATUS_LOGON_FAILURE;
722 }
723
724 result = winbindd_get_creds(domain,
725 state->mem_ctx,
726 &sid,
727 &my_info3,
728 &cached_nt_pass);
729 if (!NT_STATUS_IS_OK(result)) {
730 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get creds: %s\n", nt_errstr(result)));
731 return result;
732 }
733
734 *info3 = my_info3;
735
736 E_md4hash(state->request.data.auth.pass, new_nt_pass);
737
738 dump_data(100, (const char *)new_nt_pass, NT_HASH_LEN);
739 dump_data(100, (const char *)cached_nt_pass, NT_HASH_LEN);
740
741 if (!memcmp(cached_nt_pass, new_nt_pass, NT_HASH_LEN)) {
742
743 /* User *DOES* know the password, update logon_time and reset
744 * bad_pw_count */
745
746 my_info3->user_flgs |= LOGON_CACHED_ACCOUNT;
747
748 if (my_info3->acct_flags & ACB_AUTOLOCK) {
749 return NT_STATUS_ACCOUNT_LOCKED_OUT;
750 }
751
752 if (my_info3->acct_flags & ACB_DISABLED) {
753 return NT_STATUS_ACCOUNT_DISABLED;
754 }
755
756 if (my_info3->acct_flags & ACB_WSTRUST) {
757 return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
758 }
759
760 if (my_info3->acct_flags & ACB_SVRTRUST) {
761 return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
762 }
763
764 if (my_info3->acct_flags & ACB_DOMTRUST) {
765 return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
766 }
767
768 if (!(my_info3->acct_flags & ACB_NORMAL)) {
769 DEBUG(10,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
770 my_info3->acct_flags));
771 return NT_STATUS_LOGON_FAILURE;
772 }
773
774 kickoff_time = nt_time_to_unix(&my_info3->kickoff_time);
775 if (kickoff_time != 0 && time(NULL) > kickoff_time) {
776 return NT_STATUS_ACCOUNT_EXPIRED;
777 }
778
779 must_change_time = nt_time_to_unix(&my_info3->pass_must_change_time);
780 if (must_change_time != 0 && must_change_time < time(NULL)) {
781 return NT_STATUS_PASSWORD_EXPIRED;
782 }
783
784 /* FIXME: we possibly should handle logon hours as well (does xp when
785 * offline?) see auth/auth_sam.c:sam_account_ok for details */
786
787 unix_to_nt_time(&my_info3->logon_time, time(NULL));
788 my_info3->bad_pw_count = 0;
789
790 result = winbindd_update_creds_by_info3(domain,
791 state->mem_ctx,
792 state->request.data.auth.user,
793 state->request.data.auth.pass,
794 my_info3);
795 if (!NT_STATUS_IS_OK(result)) {
796 DEBUG(1,("failed to update creds: %s\n", nt_errstr(result)));
797 return result;
798 }
799
800 return NT_STATUS_OK;
801
802 }
803
804 /* User does *NOT* know the correct password, modify info3 accordingly */
805
806 /* failure of this is not critical */
807 result = get_max_bad_attempts_from_lockout_policy(domain, state->mem_ctx, &max_allowed_bad_attempts);
808 if (!NT_STATUS_IS_OK(result)) {
809 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get max_allowed_bad_attempts. "
810 "Won't be able to honour account lockout policies\n"));
811 }
812
813 /* increase counter */
814 my_info3->bad_pw_count++;
815
816 if (max_allowed_bad_attempts == 0) {
817 goto failed;
818 }
819
820 /* lockout user */
821 if (my_info3->bad_pw_count >= max_allowed_bad_attempts) {
822
823 uint32 password_properties;
824
825 result = get_pwd_properties(domain, state->mem_ctx, &password_properties);
826 if (!NT_STATUS_IS_OK(result)) {
827 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
828 }
829
830 if ((my_info3->user_rid != DOMAIN_USER_RID_ADMIN) ||
831 (password_properties & DOMAIN_LOCKOUT_ADMINS)) {
832 my_info3->acct_flags |= ACB_AUTOLOCK;
833 }
834 }
835
836 failed:
837 result = winbindd_update_creds_by_info3(domain,
838 state->mem_ctx,
839 state->request.data.auth.user,
840 NULL,
841 my_info3);
842
843 if (!NT_STATUS_IS_OK(result)) {
844 DEBUG(0,("winbindd_dual_pam_auth_cached: failed to update creds %s\n",
845 nt_errstr(result)));
846 }
847
848 return NT_STATUS_LOGON_FAILURE;
849 }
850
851 NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
852 struct winbindd_cli_state *state,
853 NET_USER_INFO_3 **info3)
854 {
855 struct winbindd_domain *contact_domain;
856 fstring name_domain, name_user;
857 NTSTATUS result;
858
859 DEBUG(10,("winbindd_dual_pam_auth_kerberos\n"));
860
861 /* Parse domain and username */
862
863 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
864
865 /* what domain should we contact? */
866
867 if ( IS_DC ) {
868 if (!(contact_domain = find_domain_from_name(name_domain))) {
869 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
870 state->request.data.auth.user, name_domain, name_user, name_domain));
871 result = NT_STATUS_NO_SUCH_USER;
872 goto done;
873 }
874
875 } else {
876 if (is_myname(name_domain)) {
877 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
878 result = NT_STATUS_NO_SUCH_USER;
879 goto done;
880 }
881
882 contact_domain = find_domain_from_name(name_domain);
883 if (contact_domain == NULL) {
884 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
885 state->request.data.auth.user, name_domain, name_user, name_domain));
886
887 contact_domain = find_our_domain();
888 }
889 }
890
891 set_dc_type_and_flags(contact_domain);
892
893 if (!contact_domain->active_directory) {
894 DEBUG(3,("krb5 auth requested but domain is not Active Directory\n"));
895 return NT_STATUS_INVALID_LOGON_TYPE;
896 }
897
898 result = winbindd_raw_kerberos_login(contact_domain, state, info3);
899 done:
900 return result;
901 }
902
903 NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
904 struct winbindd_cli_state *state,
905 NET_USER_INFO_3 **info3)
906 {
907
908 struct rpc_pipe_client *netlogon_pipe;
909 uchar chal[8];
910 DATA_BLOB lm_resp;
911 DATA_BLOB nt_resp;
912 int attempts = 0;
913 unsigned char local_lm_response[24];
914 unsigned char local_nt_response[24];
915 struct winbindd_domain *contact_domain;
916 fstring name_domain, name_user;
917 BOOL retry;
918 NTSTATUS result;
919 NET_USER_INFO_3 *my_info3;
920
921 ZERO_STRUCTP(info3);
922
923 *info3 = NULL;
924
925 my_info3 = TALLOC_ZERO_P(state->mem_ctx, NET_USER_INFO_3);
926 if (my_info3 == NULL) {
927 return NT_STATUS_NO_MEMORY;
928 }
929
930
931 DEBUG(10,("winbindd_dual_pam_auth_samlogon\n"));
932
933 /* Parse domain and username */
934
935 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
936
937 /* do password magic */
938
939
940 generate_random_buffer(chal, 8);
941 if (lp_client_ntlmv2_auth()) {
942 DATA_BLOB server_chal;
943 DATA_BLOB names_blob;
944 DATA_BLOB nt_response;
945 DATA_BLOB lm_response;
946 server_chal = data_blob_talloc(state->mem_ctx, chal, 8);
947
948 /* note that the 'workgroup' here is a best guess - we don't know
949 the server's domain at this point. The 'server name' is also
950 dodgy...
951 */
952 names_blob = NTLMv2_generate_names_blob(global_myname(), lp_workgroup());
953
954 if (!SMBNTLMv2encrypt(name_user, name_domain,
955 state->request.data.auth.pass,
956 &server_chal,
957 &names_blob,
958 &lm_response, &nt_response, NULL)) {
959 data_blob_free(&names_blob);
960 data_blob_free(&server_chal);
961 DEBUG(0, ("winbindd_pam_auth: SMBNTLMv2encrypt() failed!\n"));
962 result = NT_STATUS_NO_MEMORY;
963 goto done;
964 }
965 data_blob_free(&names_blob);
966 data_blob_free(&server_chal);
967 lm_resp = data_blob_talloc(state->mem_ctx, lm_response.data,
968 lm_response.length);
969 nt_resp = data_blob_talloc(state->mem_ctx, nt_response.data,
970 nt_response.length);
971 data_blob_free(&lm_response);
972 data_blob_free(&nt_response);
973
974 } else {
975 if (lp_client_lanman_auth()
976 && SMBencrypt(state->request.data.auth.pass,
977 chal,
978 local_lm_response)) {
979 lm_resp = data_blob_talloc(state->mem_ctx,
980 local_lm_response,
981 sizeof(local_lm_response));
982 } else {
983 lm_resp = data_blob(NULL, 0);
984 }
985 SMBNTencrypt(state->request.data.auth.pass,
986 chal,
987 local_nt_response);
988
989 nt_resp = data_blob_talloc(state->mem_ctx,
990 local_nt_response,
991 sizeof(local_nt_response));
992 }
993
994 /* what domain should we contact? */
995
996 if ( IS_DC ) {
997 if (!(contact_domain = find_domain_from_name(name_domain))) {
998 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
999 state->request.data.auth.user, name_domain, name_user, name_domain));
1000 result = NT_STATUS_NO_SUCH_USER;
1001 goto done;
1002 }
1003
1004 } else {
1005 if (is_myname(name_domain)) {
1006 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1007 result = NT_STATUS_NO_SUCH_USER;
1008 goto done;
1009 }
1010
1011 contact_domain = find_our_domain();
1012 }
1013
1014 /* check authentication loop */
1015
1016 do {
1017
1018 ZERO_STRUCTP(my_info3);
1019 retry = False;
1020
1021 result = cm_connect_netlogon(contact_domain, &netlogon_pipe);
1022
1023 if (!NT_STATUS_IS_OK(result)) {
1024 DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
1025 goto done;
1026 }
1027
1028 result = rpccli_netlogon_sam_network_logon(netlogon_pipe,
1029 state->mem_ctx,
1030 0,
1031 contact_domain->dcname, /* server name */
1032 name_user, /* user name */
1033 name_domain, /* target domain */
1034 global_myname(), /* workstation */
1035 chal,
1036 lm_resp,
1037 nt_resp,
1038 my_info3);
1039 attempts += 1;
1040
1041 /* We have to try a second time as cm_connect_netlogon
1042 might not yet have noticed that the DC has killed
1043 our connection. */
1044
1045 if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) {
1046 retry = True;
1047 continue;
1048 }
1049
1050 /* if we get access denied, a possible cause was that we had
1051 and open connection to the DC, but someone changed our
1052 machine account password out from underneath us using 'net
1053 rpc changetrustpw' */
1054
1055 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1056 DEBUG(3,("winbindd_pam_auth: sam_logon returned "
1057 "ACCESS_DENIED. Maybe the trust account "
1058 "password was changed and we didn't know it. "
1059 "Killing connections to domain %s\n",
1060 name_domain));
1061 invalidate_cm_connection(&contact_domain->conn);
1062 retry = True;
1063 }
1064
1065 } while ( (attempts < 2) && retry );
1066
1067 *info3 = my_info3;
1068 done:
1069 return result;
1070 }
1071
1072 enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
1073 struct winbindd_cli_state *state)
1074 {
1075 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
1076 fstring name_domain, name_user;
1077 NET_USER_INFO_3 *info3;
1078
1079 /* Ensure null termination */
1080 state->request.data.auth.user[sizeof(state->request.data.auth.user)-1]='\0';
1081
1082 /* Ensure null termination */
1083 state->request.data.auth.pass[sizeof(state->request.data.auth.pass)-1]='\0';
1084
1085 DEBUG(3, ("[%5lu]: dual pam auth %s\n", (unsigned long)state->pid,
1086 state->request.data.auth.user));
1087
1088 /* Parse domain and username */
1089
1090 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
1091
1092 DEBUG(10,("winbindd_dual_pam_auth: domain: %s last was %s\n", domain->name, domain->online ? "online":"offline"));
1093
1094 /* Check for Kerberos authentication */
1095 if (domain->online && (state->request.flags & WBFLAG_PAM_KRB5)) {
1096
1097 result = winbindd_dual_pam_auth_kerberos(domain, state, &info3);
1098
1099 if (NT_STATUS_IS_OK(result)) {
1100 DEBUG(10,("winbindd_dual_pam_auth_kerberos succeeded\n"));
1101 goto process_result;
1102 } else {
1103 DEBUG(10,("winbindd_dual_pam_auth_kerberos failed: %s\n", nt_errstr(result)));
1104 }
1105
1106 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS)) {
1107 DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
1108 domain->online = False;
1109 }
1110
1111 if (state->request.flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
1112 DEBUG(3,("falling back to samlogon\n"));
1113 goto sam_logon;
1114 } else {
1115 goto cached_logon;
1116 }
1117 }
1118
1119 sam_logon:
1120 /* Check for Samlogon authentication */
1121 if (domain->online) {
1122 result = winbindd_dual_pam_auth_samlogon(domain, state, &info3);
1123
1124 if (NT_STATUS_IS_OK(result)) {
1125 DEBUG(10,("winbindd_dual_pam_auth_samlogon succeeded\n"));
1126 goto process_result;
1127 } else {
1128 DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n", nt_errstr(result)));
1129 if (domain->online) {
1130 /* We're still online - fail. */
1131 goto done;
1132 }
1133 /* Else drop through and see if we can check offline.... */
1134 }
1135 }
1136
1137 cached_logon:
1138 /* Check for Cached logons */
1139 if (!domain->online && (state->request.flags & WBFLAG_PAM_CACHED_LOGIN) &&
1140 lp_winbind_offline_logon()) {
1141
1142 result = winbindd_dual_pam_auth_cached(domain, state, &info3);
1143
1144 if (NT_STATUS_IS_OK(result)) {
1145 DEBUG(10,("winbindd_dual_pam_auth_cached succeeded\n"));
1146 goto process_result;
1147 } else {
1148 DEBUG(10,("winbindd_dual_pam_auth_cached failed: %s\n", nt_errstr(result)));
1149 goto done;
1150 }
1151 }
1152
1153 process_result:
1154
1155 if (NT_STATUS_IS_OK(result)) {
1156
1157 DOM_SID user_sid;
1158
1159 netsamlogon_cache_store(name_user, info3);
1160 wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
1161
1162 /* save name_to_sid info as early as possible */
1163 sid_compose(&user_sid, &info3->dom_sid.sid, info3->user_rid);
1164 cache_name2sid(domain, name_domain, name_user, SID_NAME_USER, &user_sid);
1165
1166 /* Check if the user is in the right group */
1167
1168 if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, info3,
1169 state->request.data.auth.require_membership_of_sid))) {
1170 DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
1171 state->request.data.auth.user,
1172 state->request.data.auth.require_membership_of_sid));
1173 goto done;
1174 }
1175
1176 if (state->request.flags & WBFLAG_PAM_INFO3_NDR) {
1177 result = append_info3_as_ndr(state->mem_ctx, state, info3);
1178 if (!NT_STATUS_IS_OK(result)) {
1179 DEBUG(10,("Failed to append INFO3 (NDR): %s\n", nt_errstr(result)));
1180 goto done;
1181 }
1182 }
1183
1184 if (state->request.flags & WBFLAG_PAM_INFO3_TEXT) {
1185 result = append_info3_as_txt(state->mem_ctx, state, info3);
1186 if (!NT_STATUS_IS_OK(result)) {
1187 DEBUG(10,("Failed to append INFO3 (TXT): %s\n", nt_errstr(result)));
1188 goto done;
1189 }
1190
1191 }
1192
1193 if ((state->request.flags & WBFLAG_PAM_CACHED_LOGIN) &&
1194 lp_winbind_offline_logon()) {
1195
1196 result = winbindd_store_creds(domain,
1197 state->mem_ctx,
1198 state->request.data.auth.user,
1199 state->request.data.auth.pass,
1200 info3, NULL);
1201 if (!NT_STATUS_IS_OK(result)) {
1202 DEBUG(10,("Failed to store creds: %s\n", nt_errstr(result)));
1203 goto done;
1204 }
1205
1206 }
1207
1208 result = fillup_password_policy(domain, state);
1209
1210 if (!NT_STATUS_IS_OK(result)) {
1211 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result)));
1212 goto done;
1213 }
1214
1215 }
1216
1217 done:
1218 /* give us a more useful (more correct?) error code */
1219 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
1220 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
1221 result = NT_STATUS_NO_LOGON_SERVERS;
1222 }
1223
1224 state->response.data.auth.nt_status = NT_STATUS_V(result);
1225 fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
1226
1227 /* we might have given a more useful error above */
1228 if (!*state->response.data.auth.error_string)
1229 fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
1230 state->response.data.auth.pam_error = nt_status_to_pam(result);
1231
1232 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
1233 state->request.data.auth.user,
1234 state->response.data.auth.nt_status_string,
1235 state->response.data.auth.pam_error));
1236
1237 if ( NT_STATUS_IS_OK(result) &&
1238 (state->request.flags & WBFLAG_PAM_AFS_TOKEN) ) {
1239
1240 char *afsname = talloc_strdup(state->mem_ctx,
1241 lp_afs_username_map());
1242 char *cell;
1243
1244 if (afsname == NULL) {
1245 goto no_token;
1246 }
1247
1248 afsname = talloc_string_sub(state->mem_ctx,
1249 lp_afs_username_map(),
1250 "%D", name_domain);
1251 afsname = talloc_string_sub(state->mem_ctx, afsname,
1252 "%u", name_user);
1253 afsname = talloc_string_sub(state->mem_ctx, afsname,
1254 "%U", name_user);
1255
1256 {
1257 DOM_SID user_sid;
1258 fstring sidstr;
1259
1260 sid_copy(&user_sid, &info3->dom_sid.sid);
1261 sid_append_rid(&user_sid, info3->user_rid);
1262 sid_to_string(sidstr, &user_sid);
1263 afsname = talloc_string_sub(state->mem_ctx, afsname,
1264 "%s", sidstr);
1265 }
1266
1267 if (afsname == NULL) {
1268 goto no_token;
1269 }
1270
1271 strlower_m(afsname);
1272
1273 DEBUG(10, ("Generating token for user %s\n", afsname));
1274
1275 cell = strchr(afsname, '@');
1276
1277 if (cell == NULL) {
1278 goto no_token;
1279 }
1280
1281 *cell = '\0';
1282 cell += 1;
1283
1284 /* Append an AFS token string */
1285 state->response.extra_data =
1286 afs_createtoken_str(afsname, cell);
1287
1288 if (state->response.extra_data != NULL)
1289 state->response.length +=
1290 strlen(state->response.extra_data)+1;
1291
1292 no_token:
1293 TALLOC_FREE(afsname);
1294 }
1295
1296 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1297 }
1298
1299
1300 /**********************************************************************
1301 Challenge Response Authentication Protocol
1302 **********************************************************************/
1303
1304 void winbindd_pam_auth_crap(struct winbindd_cli_state *state)
1305 {
1306 struct winbindd_domain *domain = NULL;
1307 const char *domain_name = NULL;
1308 NTSTATUS result;
1309
1310 if (!state->privileged) {
1311 char *error_string = NULL;
1312 DEBUG(2, ("winbindd_pam_auth_crap: non-privileged access "
1313 "denied. !\n"));
1314 DEBUGADD(2, ("winbindd_pam_auth_crap: Ensure permissions "
1315 "on %s are set correctly.\n",
1316 get_winbind_priv_pipe_dir()));
1317 /* send a better message than ACCESS_DENIED */
1318 error_string = talloc_asprintf(state->mem_ctx,
1319 "winbind client not authorized "
1320 "to use winbindd_pam_auth_crap."
1321 " Ensure permissions on %s "
1322 "are set correctly.",
1323 get_winbind_priv_pipe_dir());
1324 fstrcpy(state->response.data.auth.error_string, error_string);
1325 result = NT_STATUS_ACCESS_DENIED;
1326 goto done;
1327 }
1328
1329 /* Ensure null termination */
1330 state->request.data.auth_crap.user
1331 [sizeof(state->request.data.auth_crap.user)-1]=0;
1332 state->request.data.auth_crap.domain
1333 [sizeof(state->request.data.auth_crap.domain)-1]=0;
1334
1335 DEBUG(3, ("[%5lu]: pam auth crap domain: [%s] user: %s\n",
1336 (unsigned long)state->pid,
1337 state->request.data.auth_crap.domain,
1338 state->request.data.auth_crap.user));
1339
1340 if (*state->request.data.auth_crap.domain != '\0') {
1341 domain_name = state->request.data.auth_crap.domain;
1342 } else if (lp_winbind_use_default_domain()) {
1343 domain_name = lp_workgroup();
1344 }
1345
1346 if (domain_name != NULL)
1347 domain = find_auth_domain(state, domain_name);
1348
1349 if (domain != NULL) {
1350 sendto_domain(state, domain);
1351 return;
1352 }
1353
1354 result = NT_STATUS_NO_SUCH_USER;
1355
1356 done:
1357 set_auth_errors(&state->response, result);
1358 DEBUG(5, ("CRAP authentication for %s\\%s returned %s (PAM: %d)\n",
1359 state->request.data.auth_crap.domain,
1360 state->request.data.auth_crap.user,
1361 state->response.data.auth.nt_status_string,
1362 state->response.data.auth.pam_error));
1363 request_error(state);
1364 return;
1365 }
1366
1367
1368 enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
1369 struct winbindd_cli_state *state)
1370 {
1371 NTSTATUS result;
1372 NET_USER_INFO_3 info3;
1373 struct rpc_pipe_client *netlogon_pipe;
1374 const char *name_user = NULL;
1375 const char *name_domain = NULL;
1376 const char *workstation;
1377 struct winbindd_domain *contact_domain;
1378 int attempts = 0;
1379 BOOL retry;
1380
1381 DATA_BLOB lm_resp, nt_resp;
1382
1383 /* This is child-only, so no check for privileged access is needed
1384 anymore */
1385
1386 /* Ensure null termination */
1387 state->request.data.auth_crap.user[sizeof(state->request.data.auth_crap.user)-1]=0;
1388 state->request.data.auth_crap.domain[sizeof(state->request.data.auth_crap.domain)-1]=0;
1389
1390 name_user = state->request.data.auth_crap.user;
1391
1392 if (*state->request.data.auth_crap.domain) {
1393 name_domain = state->request.data.auth_crap.domain;
1394 } else if (lp_winbind_use_default_domain()) {
1395 name_domain = lp_workgroup();
1396 } else {
1397 DEBUG(5,("no domain specified with username (%s) - failing auth\n",
1398 name_user));
1399 result = NT_STATUS_NO_SUCH_USER;
1400 goto done;
1401 }
1402
1403 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
1404 name_domain, name_user));
1405
1406 if (*state->request.data.auth_crap.workstation) {
1407 workstation = state->request.data.auth_crap.workstation;
1408 } else {
1409 workstation = global_myname();
1410 }
1411
1412 if (state->request.data.auth_crap.lm_resp_len > sizeof(state->request.data.auth_crap.lm_resp)
1413 || state->request.data.auth_crap.nt_resp_len > sizeof(state->request.data.auth_crap.nt_resp)) {
1414 DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
1415 state->request.data.auth_crap.lm_resp_len,
1416 state->request.data.auth_crap.nt_resp_len));
1417 result = NT_STATUS_INVALID_PARAMETER;
1418 goto done;
1419 }
1420
1421 lm_resp = data_blob_talloc(state->mem_ctx, state->request.data.auth_crap.lm_resp,
1422 state->request.data.auth_crap.lm_resp_len);
1423 nt_resp = data_blob_talloc(state->mem_ctx, state->request.data.auth_crap.nt_resp,
1424 state->request.data.auth_crap.nt_resp_len);
1425
1426 /* what domain should we contact? */
1427
1428 if ( IS_DC ) {
1429 if (!(contact_domain = find_domain_from_name(name_domain))) {
1430 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1431 state->request.data.auth_crap.user, name_domain, name_user, name_domain));
1432 result = NT_STATUS_NO_SUCH_USER;
1433 goto done;
1434 }
1435 } else {
1436 if (is_myname(name_domain)) {
1437 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1438 result = NT_STATUS_NO_SUCH_USER;
1439 goto done;
1440 }
1441 contact_domain = find_our_domain();
1442 }
1443
1444 do {
1445 ZERO_STRUCT(info3);
1446 retry = False;
1447
1448 netlogon_pipe = NULL;
1449 result = cm_connect_netlogon(contact_domain, &netlogon_pipe);
1450
1451 if (!NT_STATUS_IS_OK(result)) {
1452 DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n",
1453 nt_errstr(result)));
1454 goto done;
1455 }
1456
1457 result = rpccli_netlogon_sam_network_logon(netlogon_pipe,
1458 state->mem_ctx,
1459 state->request.data.auth_crap.logon_parameters,
1460 contact_domain->dcname,
1461 name_user,
1462 name_domain,
1463 /* Bug #3248 - found by Stefan Burkei. */
1464 workstation, /* We carefully set this above so use it... */
1465 state->request.data.auth_crap.chal,
1466 lm_resp,
1467 nt_resp,
1468 &info3);
1469
1470 attempts += 1;
1471
1472 /* We have to try a second time as cm_connect_netlogon
1473 might not yet have noticed that the DC has killed
1474 our connection. */
1475
1476 if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) {
1477 retry = True;
1478 continue;
1479 }
1480
1481 /* if we get access denied, a possible cause was that we had and open
1482 connection to the DC, but someone changed our machine account password
1483 out from underneath us using 'net rpc changetrustpw' */
1484
1485 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1486 DEBUG(3,("winbindd_pam_auth: sam_logon returned "
1487 "ACCESS_DENIED. Maybe the trust account "
1488 "password was changed and we didn't know it. "
1489 "Killing connections to domain %s\n",
1490 name_domain));
1491 invalidate_cm_connection(&contact_domain->conn);
1492 retry = True;
1493 }
1494
1495 } while ( (attempts < 2) && retry );
1496
1497 if (NT_STATUS_IS_OK(result)) {
1498
1499 netsamlogon_cache_store(name_user, &info3);
1500 wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3);
1501
1502 /* Check if the user is in the right group */
1503
1504 if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, &info3,
1505 state->request.data.auth_crap.require_membership_of_sid))) {
1506 DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
1507 state->request.data.auth_crap.user,
1508 state->request.data.auth_crap.require_membership_of_sid));
1509 goto done;
1510 }
1511
1512 if (state->request.flags & WBFLAG_PAM_INFO3_NDR) {
1513 result = append_info3_as_ndr(state->mem_ctx, state, &info3);
1514 } else if (state->request.flags & WBFLAG_PAM_UNIX_NAME) {
1515 /* ntlm_auth should return the unix username, per
1516 'winbind use default domain' settings and the like */
1517
1518 fstring username_out;
1519 const char *nt_username, *nt_domain;
1520 if (!(nt_username = unistr2_tdup(state->mem_ctx, &(info3.uni_user_name)))) {
1521 /* If the server didn't give us one, just use the one we sent them */
1522 nt_username = name_user;
1523 }
1524
1525 if (!(nt_domain = unistr2_tdup(state->mem_ctx, &(info3.uni_logon_dom)))) {
1526 /* If the server didn't give us one, just use the one we sent them */
1527 nt_domain = name_domain;
1528 }
1529
1530 fill_domain_username(username_out, nt_domain, nt_username);
1531
1532 DEBUG(5, ("Setting unix username to [%s]\n", username_out));
1533
1534 state->response.extra_data = SMB_STRDUP(username_out);
1535 if (!state->response.extra_data) {
1536 result = NT_STATUS_NO_MEMORY;
1537 goto done;
1538 }
1539 state->response.length += strlen(state->response.extra_data)+1;
1540 }
1541
1542 if (state->request.flags & WBFLAG_PAM_USER_SESSION_KEY) {
1543 memcpy(state->response.data.auth.user_session_key, info3.user_sess_key,
1544 sizeof(state->response.data.auth.user_session_key) /* 16 */);
1545 }
1546 if (state->request.flags & WBFLAG_PAM_LMKEY) {
1547 memcpy(state->response.data.auth.first_8_lm_hash, info3.lm_sess_key,
1548 sizeof(state->response.data.auth.first_8_lm_hash) /* 8 */);
1549 }
1550 }
1551
1552 done:
1553
1554 /* give us a more useful (more correct?) error code */
1555 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
1556 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
1557 result = NT_STATUS_NO_LOGON_SERVERS;
1558 }
1559
1560 if (state->request.flags & WBFLAG_PAM_NT_STATUS_SQUASH) {
1561 result = nt_status_squash(result);
1562 }
1563
1564 state->response.data.auth.nt_status = NT_STATUS_V(result);
1565 fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
1566
1567 /* we might have given a more useful error above */
1568 if (!*state->response.data.auth.error_string) {
1569 fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
1570 }
1571 state->response.data.auth.pam_error = nt_status_to_pam(result);
1572
1573 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
1574 ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n",
1575 name_domain,
1576 name_user,
1577 state->response.data.auth.nt_status_string,
1578 state->response.data.auth.pam_error));
1579
1580 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1581 }
1582
1583 /* Change a user password */
1584
1585 void winbindd_pam_chauthtok(struct winbindd_cli_state *state)
1586 {
1587 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1588 char *oldpass;
1589 char *newpass = NULL;
1590 fstring domain, user;
1591 POLICY_HND dom_pol;
1592 struct winbindd_domain *contact_domain;
1593 struct rpc_pipe_client *cli;
1594 BOOL got_info = False;
1595 SAM_UNK_INFO_1 info;
1596 SAMR_CHANGE_REJECT reject;
1597
1598 DEBUG(3, ("[%5lu]: pam chauthtok %s\n", (unsigned long)state->pid,
1599 state->request.data.chauthtok.user));
1600
1601 /* Setup crap */
1602
1603 parse_domain_user(state->request.data.chauthtok.user, domain, user);
1604
1605 if (!(contact_domain = find_domain_from_name(domain))) {
1606 DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
1607 state->request.data.chauthtok.user, domain, user, domain));
1608 result = NT_STATUS_NO_SUCH_USER;
1609 goto done;
1610 }
1611
1612 /* Change password */
1613
1614 oldpass = state->request.data.chauthtok.oldpass;
1615 newpass = state->request.data.chauthtok.newpass;
1616
1617 /* Get sam handle */
1618
1619 result = cm_connect_sam(contact_domain, state->mem_ctx, &cli,
1620 &dom_pol);
1621 if (!NT_STATUS_IS_OK(result)) {
1622 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
1623 goto done;
1624 }
1625
1626 result = rpccli_samr_chgpasswd3(cli, state->mem_ctx, user, newpass, oldpass, &info, &reject);
1627
1628 /* FIXME: need to check for other error codes ? */
1629 if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION)) {
1630
1631 state->response.data.auth.policy.min_length_password =
1632 info.min_length_password;
1633 state->response.data.auth.policy.password_history =
1634 info.password_history;
1635 state->response.data.auth.policy.password_properties =
1636 info.password_properties;
1637 state->response.data.auth.policy.expire =
1638 nt_time_to_unix_abs(&info.expire);
1639 state->response.data.auth.policy.min_passwordage =
1640 nt_time_to_unix_abs(&info.min_passwordage);
1641
1642 state->response.data.auth.reject_reason =
1643 reject.reject_reason;
1644
1645 got_info = True;
1646
1647 } else if (!NT_STATUS_IS_OK(result)) {
1648
1649 DEBUG(10,("Password change with chgpasswd3 failed with: %s, retrying chgpasswd_user\n",
1650 nt_errstr(result)));
1651
1652 state->response.data.auth.reject_reason = 0;
1653
1654 result = rpccli_samr_chgpasswd_user(cli, state->mem_ctx, user, newpass, oldpass);
1655 }
1656
1657 done:
1658 if (NT_STATUS_IS_OK(result) && (state->request.flags & WBFLAG_PAM_CACHED_LOGIN) &&
1659 lp_winbind_offline_logon()) {
1660
1661 NTSTATUS cred_ret;
1662
1663 cred_ret = winbindd_update_creds_by_name(contact_domain,
1664 state->mem_ctx, user,
1665 newpass);
1666 if (!NT_STATUS_IS_OK(cred_ret)) {
1667 DEBUG(10,("Failed to store creds: %s\n", nt_errstr(cred_ret)));
1668 goto process_result; /* FIXME: hm, risking inconsistant cache ? */
1669 }
1670 }
1671
1672 if (!NT_STATUS_IS_OK(result) && !got_info) {
1673
1674 NTSTATUS policy_ret;
1675
1676 policy_ret = fillup_password_policy(contact_domain, state);
1677
1678 /* failure of this is non critical, it will just provide no
1679 * additional information to the client why the change has
1680 * failed - Guenther */
1681
1682 if (!NT_STATUS_IS_OK(policy_ret)) {
1683 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(policy_ret)));
1684 goto process_result;
1685 }
1686 }
1687
1688 process_result:
1689
1690 state->response.data.auth.nt_status = NT_STATUS_V(result);
1691 fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
1692 fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
1693 state->response.data.auth.pam_error = nt_status_to_pam(result);
1694
1695 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
1696 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
1697 domain,
1698 user,
1699 state->response.data.auth.nt_status_string,
1700 state->response.data.auth.pam_error));
1701
1702 if (NT_STATUS_IS_OK(result))
1703 request_ok(state);
1704 else
1705 request_error(state);
1706 }
1707
1708 void winbindd_pam_logoff(struct winbindd_cli_state *state)
1709 {
1710 struct winbindd_domain *domain;
1711 fstring name_domain, user;
1712
1713 DEBUG(3, ("[%5lu]: pam logoff %s\n", (unsigned long)state->pid,
1714 state->request.data.logoff.user));
1715
1716 /* Ensure null termination */
1717 state->request.data.logoff.user
1718 [sizeof(state->request.data.logoff.user)-1]='\0';
1719
1720 state->request.data.logoff.krb5ccname
1721 [sizeof(state->request.data.logoff.krb5ccname)-1]='\0';
1722
1723 parse_domain_user(state->request.data.logoff.user, name_domain, user);
1724
1725 domain = find_auth_domain(state, name_domain);
1726
1727 if (domain == NULL) {
1728 set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
1729 DEBUG(5, ("Pam Logoff for %s returned %s "
1730 "(PAM: %d)\n",
1731 state->request.data.auth.user,
1732 state->response.data.auth.nt_status_string,
1733 state->response.data.auth.pam_error));
1734 request_error(state);
1735 return;
1736 }
1737
1738 sendto_domain(state, domain);
1739 }
1740
1741 enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
1742 struct winbindd_cli_state *state)
1743 {
1744 NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
1745 struct WINBINDD_CCACHE_ENTRY *entry;
1746 int ret;
1747
1748 DEBUG(3, ("[%5lu]: pam dual logoff %s\n", (unsigned long)state->pid,
1749 state->request.data.logoff.user));
1750
1751 if (!(state->request.flags & WBFLAG_PAM_KRB5)) {
1752 result = NT_STATUS_OK;
1753 goto process_result;
1754 }
1755
1756 #ifdef HAVE_KRB5
1757
1758 /* what we need here is to find the corresponding krb5 ccache name *we*
1759 * created for a given username and destroy it (as the user who created it) */
1760
1761 entry = get_ccache_by_username(state->request.data.logoff.user);
1762 if (entry == NULL) {
1763 DEBUG(10,("winbindd_pam_logoff: could not get ccname for user %s\n",
1764 state->request.data.logoff.user));
1765 goto process_result;
1766 }
1767
1768 DEBUG(10,("winbindd_pam_logoff: found ccache [%s]\n", entry->ccname));
1769
1770 if (entry->uid < 0 || state->request.data.logoff.uid < 0) {
1771 DEBUG(0,("winbindd_pam_logoff: invalid uid\n"));
1772 goto process_result;
1773 }
1774
1775 if (entry->uid != state->request.data.logoff.uid) {
1776 DEBUG(0,("winbindd_pam_logoff: uid's differ: %d != %d\n",
1777 entry->uid, state->request.data.logoff.uid));
1778 goto process_result;
1779 }
1780
1781 if (!strcsequal(entry->ccname, state->request.data.logoff.krb5ccname)) {
1782 DEBUG(0,("winbindd_pam_logoff: krb5ccnames differ: (daemon) %s != (client) %s\n",
1783 entry->ccname, state->request.data.logoff.krb5ccname));
1784 goto process_result;
1785 }
1786
1787 seteuid(entry->uid);
1788
1789 ret = ads_kdestroy(entry->ccname);
1790
1791 seteuid(0);
1792
1793 if (ret) {
1794 DEBUG(0,("winbindd_pam_logoff: failed to destroy user ccache %s with: %s\n",
1795 entry->ccname, error_message(ret)));
1796 } else {
1797 DEBUG(10,("winbindd_pam_logoff: successfully destroyed ccache %s for user %s\n",
1798 entry->ccname, state->request.data.logoff.user));
1799 remove_ccache_by_ccname(entry->ccname);
1800 }
1801
1802 result = krb5_to_nt_status(ret);
1803 #else
1804 result = NT_STATUS_NOT_SUPPORTED;
1805 #endif
1806
1807 process_result:
1808 state->response.data.auth.nt_status = NT_STATUS_V(result);
1809 fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
1810 fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
1811 state->response.data.auth.pam_error = nt_status_to_pam(result);
1812
1813 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1814 }
1815