search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text
[Samba/bb.git] / source / nsswitch / winbindd_pam.c
blob7846aa0813a5bc9e999d969f040c2541f4b8705d
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon - pam auth funcions
5
6 Copyright (C) Andrew Tridgell 2000
7 Copyright (C) Tim Potter 2001
8 Copyright (C) Andrew Bartlett 2001-2002
9 Copyright (C) Guenther Deschner 2005
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 */
24
25 #include "includes.h"
26 #include "winbindd.h"
27 #undef DBGC_CLASS
28 #define DBGC_CLASS DBGC_WINBIND
29
30 static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx,
31 struct winbindd_cli_state *state,
32 NET_USER_INFO_3 *info3)
33 {
34 fstring str_sid;
35
36 state->response.data.auth.info3.logon_time =
37 nt_time_to_unix(info3->logon_time);
38 state->response.data.auth.info3.logoff_time =
39 nt_time_to_unix(info3->logoff_time);
40 state->response.data.auth.info3.kickoff_time =
41 nt_time_to_unix(info3->kickoff_time);
42 state->response.data.auth.info3.pass_last_set_time =
43 nt_time_to_unix(info3->pass_last_set_time);
44 state->response.data.auth.info3.pass_can_change_time =
45 nt_time_to_unix(info3->pass_can_change_time);
46 state->response.data.auth.info3.pass_must_change_time =
47 nt_time_to_unix(info3->pass_must_change_time);
48
49 state->response.data.auth.info3.logon_count = info3->logon_count;
50 state->response.data.auth.info3.bad_pw_count = info3->bad_pw_count;
51
52 state->response.data.auth.info3.user_rid = info3->user_rid;
53 state->response.data.auth.info3.group_rid = info3->group_rid;
54 sid_to_string(str_sid, &(info3->dom_sid.sid));
55 fstrcpy(state->response.data.auth.info3.dom_sid, str_sid);
56
57 state->response.data.auth.info3.num_groups = info3->num_groups;
58 state->response.data.auth.info3.user_flgs = info3->user_flgs;
59
60 state->response.data.auth.info3.acct_flags = info3->acct_flags;
61 state->response.data.auth.info3.num_other_sids = info3->num_other_sids;
62
63 unistr2_to_ascii(state->response.data.auth.info3.user_name,
64 &info3->uni_user_name, -1);
65 unistr2_to_ascii(state->response.data.auth.info3.full_name,
66 &info3->uni_full_name, -1);
67 unistr2_to_ascii(state->response.data.auth.info3.logon_script,
68 &info3->uni_logon_script, -1);
69 unistr2_to_ascii(state->response.data.auth.info3.profile_path,
70 &info3->uni_profile_path, -1);
71 unistr2_to_ascii(state->response.data.auth.info3.home_dir,
72 &info3->uni_home_dir, -1);
73 unistr2_to_ascii(state->response.data.auth.info3.dir_drive,
74 &info3->uni_dir_drive, -1);
75
76 unistr2_to_ascii(state->response.data.auth.info3.logon_srv,
77 &info3->uni_logon_srv, -1);
78 unistr2_to_ascii(state->response.data.auth.info3.logon_dom,
79 &info3->uni_logon_dom, -1);
80
81 return NT_STATUS_OK;
82 }
83
84 static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx,
85 struct winbindd_cli_state *state,
86 NET_USER_INFO_3 *info3)
87 {
88 prs_struct ps;
89 uint32 size;
90 if (!prs_init(&ps, 256 /* Random, non-zero number */, mem_ctx, MARSHALL)) {
91 return NT_STATUS_NO_MEMORY;
92 }
93 if (!net_io_user_info3("", info3, &ps, 1, 3, False)) {
94 prs_mem_free(&ps);
95 return NT_STATUS_UNSUCCESSFUL;
96 }
97
98 size = prs_data_size(&ps);
99 SAFE_FREE(state->response.extra_data.data);
100 state->response.extra_data.data = SMB_MALLOC(size);
101 if (!state->response.extra_data.data) {
102 prs_mem_free(&ps);
103 return NT_STATUS_NO_MEMORY;
104 }
105 memset( state->response.extra_data.data, '\0', size );
106 prs_copy_all_data_out((char *)state->response.extra_data.data, &ps);
107 state->response.length += size;
108 prs_mem_free(&ps);
109 return NT_STATUS_OK;
110 }
111
112 static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
113 NET_USER_INFO_3 *info3,
114 const char *group_sid)
115 /**
116 * Check whether a user belongs to a group or list of groups.
117 *
118 * @param mem_ctx talloc memory context.
119 * @param info3 user information, including group membership info.
120 * @param group_sid One or more groups , separated by commas.
121 *
122 * @return NT_STATUS_OK on success,
123 * NT_STATUS_LOGON_FAILURE if the user does not belong,
124 * or other NT_STATUS_IS_ERR(status) for other kinds of failure.
125 */
126 {
127 DOM_SID *require_membership_of_sid;
128 size_t num_require_membership_of_sid;
129 fstring req_sid;
130 const char *p;
131 DOM_SID sid;
132 size_t i;
133 struct nt_user_token *token;
134 NTSTATUS status;
135
136 /* Parse the 'required group' SID */
137
138 if (!group_sid || !group_sid[0]) {
139 /* NO sid supplied, all users may access */
140 return NT_STATUS_OK;
141 }
142
143 if (!(token = TALLOC_ZERO_P(mem_ctx, struct nt_user_token))) {
144 DEBUG(0, ("talloc failed\n"));
145 return NT_STATUS_NO_MEMORY;
146 }
147
148 num_require_membership_of_sid = 0;
149 require_membership_of_sid = NULL;
150
151 p = group_sid;
152
153 while (next_token(&p, req_sid, ",", sizeof(req_sid))) {
154 if (!string_to_sid(&sid, req_sid)) {
155 DEBUG(0, ("check_info3_in_group: could not parse %s "
156 "as a SID!", req_sid));
157 return NT_STATUS_INVALID_PARAMETER;
158 }
159
160 if (!add_sid_to_array(mem_ctx, &sid,
161 &require_membership_of_sid,
162 &num_require_membership_of_sid)) {
163 DEBUG(0, ("add_sid_to_array failed\n"));
164 return NT_STATUS_NO_MEMORY;
165 }
166 }
167
168 if (!sid_compose(&sid, &(info3->dom_sid.sid),
169 info3->user_rid)
170 || !add_sid_to_array(mem_ctx, &sid,
171 &token->user_sids, &token->num_sids)) {
172 DEBUG(3,("could not add user SID from rid 0x%x\n",
173 info3->user_rid));
174 return NT_STATUS_INVALID_PARAMETER;
175 }
176
177 if (!sid_compose(&sid, &(info3->dom_sid.sid),
178 info3->group_rid)
179 || !add_sid_to_array(mem_ctx, &sid,
180 &token->user_sids, &token->num_sids)) {
181 DEBUG(3,("could not append additional group rid 0x%x\n",
182 info3->group_rid));
183
184 return NT_STATUS_INVALID_PARAMETER;
185 }
186
187 for (i = 0; i < info3->num_groups2; i++) {
188 if (!sid_compose(&sid, &(info3->dom_sid.sid),
189 info3->gids[i].g_rid)
190 || !add_sid_to_array(mem_ctx, &sid,
191 &token->user_sids, &token->num_sids)) {
192 DEBUG(3,("could not append additional group rid 0x%x\n",
193 info3->gids[i].g_rid));
194 return NT_STATUS_INVALID_PARAMETER;
195 }
196 }
197
198 /* Copy 'other' sids. We need to do sid filtering here to
199 prevent possible elevation of privileges. See:
200
201 http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
202 */
203
204 for (i = 0; i < info3->num_other_sids; i++) {
205 if (!add_sid_to_array(mem_ctx, &info3->other_sids[i].sid,
206 &token->user_sids, &token->num_sids)) {
207 DEBUG(3, ("could not add SID to array: %s\n",
208 sid_string_static(&info3->other_sids[i].sid)));
209 return NT_STATUS_NO_MEMORY;
210 }
211 }
212
213 if (!NT_STATUS_IS_OK(status = add_aliases(get_global_sam_sid(),
214 token))
215 || !NT_STATUS_IS_OK(status = add_aliases(&global_sid_Builtin,
216 token))) {
217 DEBUG(3, ("could not add aliases: %s\n",
218 nt_errstr(status)));
219 return status;
220 }
221
222 debug_nt_user_token(DBGC_CLASS, 10, token);
223
224 for (i=0; i<num_require_membership_of_sid; i++) {
225 DEBUG(10, ("Checking SID %s\n", sid_string_static(
226 &require_membership_of_sid[i])));
227 if (nt_token_check_sid(&require_membership_of_sid[i],
228 token)) {
229 DEBUG(10, ("Access ok\n"));
230 return NT_STATUS_OK;
231 }
232 }
233
234 /* Do not distinguish this error from a wrong username/pw */
235
236 return NT_STATUS_LOGON_FAILURE;
237 }
238
239 struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state,
240 const char *domain_name)
241 {
242 struct winbindd_domain *domain;
243
244 if (IS_DC) {
245 domain = find_domain_from_name_noinit(domain_name);
246 if (domain == NULL) {
247 DEBUG(3, ("Authentication for domain [%s] refused"
248 "as it is not a trusted domain\n",
249 domain_name));
250 }
251 return domain;
252 }
253
254 if (is_myname(domain_name)) {
255 DEBUG(3, ("Authentication for domain %s (local domain "
256 "to this server) not supported at this "
257 "stage\n", domain_name));
258 return NULL;
259 }
260
261 /* we can auth against trusted domains */
262 if (state->request.flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
263 domain = find_domain_from_name_noinit(domain_name);
264 if (domain == NULL) {
265 DEBUG(3, ("Authentication for domain [%s] skipped "
266 "as it is not a trusted domain\n",
267 domain_name));
268 } else {
269 return domain;
270 }
271 }
272
273 return find_our_domain();
274 }
275
276 static void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
277 {
278 resp->data.auth.nt_status = NT_STATUS_V(result);
279 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
280
281 /* we might have given a more useful error above */
282 if (*resp->data.auth.error_string == '\0')
283 fstrcpy(resp->data.auth.error_string,
284 get_friendly_nt_error_msg(result));
285 resp->data.auth.pam_error = nt_status_to_pam(result);
286 }
287
288 static NTSTATUS fillup_password_policy(struct winbindd_domain *domain,
289 struct winbindd_cli_state *state)
290 {
291 struct winbindd_methods *methods;
292 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
293 SAM_UNK_INFO_1 password_policy;
294
295 if ( !winbindd_can_contact_domain( domain ) ) {
296 DEBUG(5,("fillup_password_policy: No inbound trust to "
297 "contact domain %s\n", domain->name));
298 return NT_STATUS_NOT_SUPPORTED;
299 }
300
301 methods = domain->methods;
302
303 status = methods->password_policy(domain, state->mem_ctx, &password_policy);
304 if (NT_STATUS_IS_ERR(status)) {
305 return status;
306 }
307
308 state->response.data.auth.policy.min_length_password =
309 password_policy.min_length_password;
310 state->response.data.auth.policy.password_history =
311 password_policy.password_history;
312 state->response.data.auth.policy.password_properties =
313 password_policy.password_properties;
314 state->response.data.auth.policy.expire =
315 nt_time_to_unix_abs(&(password_policy.expire));
316 state->response.data.auth.policy.min_passwordage =
317 nt_time_to_unix_abs(&(password_policy.min_passwordage));
318
319 return NT_STATUS_OK;
320 }
321
322 static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain *domain,
323 TALLOC_CTX *mem_ctx,
324 uint16 *max_allowed_bad_attempts)
325 {
326 struct winbindd_methods *methods;
327 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
328 SAM_UNK_INFO_12 lockout_policy;
329
330 *max_allowed_bad_attempts = 0;
331
332 methods = domain->methods;
333
334 status = methods->lockout_policy(domain, mem_ctx, &lockout_policy);
335 if (NT_STATUS_IS_ERR(status)) {
336 return status;
337 }
338
339 *max_allowed_bad_attempts = lockout_policy.bad_attempt_lockout;
340
341 return NT_STATUS_OK;
342 }
343
344 static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
345 TALLOC_CTX *mem_ctx,
346 uint32 *password_properties)
347 {
348 struct winbindd_methods *methods;
349 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
350 SAM_UNK_INFO_1 password_policy;
351
352 *password_properties = 0;
353
354 methods = domain->methods;
355
356 status = methods->password_policy(domain, mem_ctx, &password_policy);
357 if (NT_STATUS_IS_ERR(status)) {
358 return status;
359 }
360
361 *password_properties = password_policy.password_properties;
362
363 return NT_STATUS_OK;
364 }
365
366 #ifdef HAVE_KRB5
367
368 static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
369 const char *type,
370 uid_t uid,
371 BOOL *internal_ccache)
372 {
373 /* accept FILE and WRFILE as krb5_cc_type from the client and then
374 * build the full ccname string based on the user's uid here -
375 * Guenther*/
376
377 const char *gen_cc = NULL;
378
379 *internal_ccache = True;
380
381 if (uid == -1) {
382 goto memory_ccache;
383 }
384
385 if (!type || type[0] == '\0') {
386 goto memory_ccache;
387 }
388
389 if (strequal(type, "FILE")) {
390 gen_cc = talloc_asprintf(mem_ctx, "FILE:/tmp/krb5cc_%d", uid);
391 } else if (strequal(type, "WRFILE")) {
392 gen_cc = talloc_asprintf(mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
393 } else {
394 DEBUG(10,("we don't allow to set a %s type ccache\n", type));
395 goto memory_ccache;
396 }
397
398 *internal_ccache = False;
399 goto done;
400
401 memory_ccache:
402 gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbindd_pam_ccache");
403
404 done:
405 if (gen_cc == NULL) {
406 DEBUG(0,("out of memory\n"));
407 return NULL;
408 }
409
410 DEBUG(10,("using ccache: %s %s\n", gen_cc, *internal_ccache ? "(internal)":""));
411
412 return gen_cc;
413 }
414
415 static void setup_return_cc_name(struct winbindd_cli_state *state, const char *cc)
416 {
417 const char *type = state->request.data.auth.krb5_cc_type;
418
419 state->response.data.auth.krb5ccname[0] = '\0';
420
421 if (type[0] == '\0') {
422 return;
423 }
424
425 if (!strequal(type, "FILE") &&
426 !strequal(type, "WRFILE")) {
427 DEBUG(10,("won't return krbccname for a %s type ccache\n",
428 type));
429 return;
430 }
431
432 fstrcpy(state->response.data.auth.krb5ccname, cc);
433 }
434
435 #endif
436
437 static uid_t get_uid_from_state(struct winbindd_cli_state *state)
438 {
439 uid_t uid = -1;
440
441 uid = state->request.data.auth.uid;
442
443 if (uid < 0) {
444 DEBUG(1,("invalid uid: '%d'\n", uid));
445 return -1;
446 }
447 return uid;
448 }
449
450 /**********************************************************************
451 Authenticate a user with a clear text password using Kerberos and fill up
452 ccache if required
453 **********************************************************************/
454
455 static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
456 struct winbindd_cli_state *state,
457 NET_USER_INFO_3 **info3)
458 {
459 #ifdef HAVE_KRB5
460 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
461 krb5_error_code krb5_ret;
462 DATA_BLOB tkt, session_key_krb5;
463 DATA_BLOB ap_rep, session_key;
464 PAC_DATA *pac_data = NULL;
465 PAC_LOGON_INFO *logon_info = NULL;
466 char *client_princ = NULL;
467 char *client_princ_out = NULL;
468 char *local_service = NULL;
469 const char *cc = NULL;
470 const char *principal_s = NULL;
471 const char *service = NULL;
472 char *realm = NULL;
473 fstring name_domain, name_user;
474 time_t ticket_lifetime = 0;
475 time_t renewal_until = 0;
476 uid_t uid = -1;
477 ADS_STRUCT *ads;
478 time_t time_offset = 0;
479 BOOL internal_ccache = True;
480
481 ZERO_STRUCT(session_key);
482 ZERO_STRUCT(session_key_krb5);
483 ZERO_STRUCT(tkt);
484 ZERO_STRUCT(ap_rep);
485
486 ZERO_STRUCTP(info3);
487
488 *info3 = NULL;
489
490 /* 1st step:
491 * prepare a krb5_cc_cache string for the user */
492
493 uid = get_uid_from_state(state);
494 if (uid == -1) {
495 DEBUG(0,("no valid uid\n"));
496 }
497
498 cc = generate_krb5_ccache(state->mem_ctx,
499 state->request.data.auth.krb5_cc_type,
500 state->request.data.auth.uid,
501 &internal_ccache);
502 if (cc == NULL) {
503 return NT_STATUS_NO_MEMORY;
504 }
505
506
507 /* 2nd step:
508 * get kerberos properties */
509
510 if (domain->private_data) {
511 ads = (ADS_STRUCT *)domain->private_data;
512 time_offset = ads->auth.time_offset;
513 }
514
515
516 /* 3rd step:
517 * do kerberos auth and setup ccache as the user */
518
519 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
520
521 realm = domain->alt_name;
522 strupper_m(realm);
523
524 principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
525 if (principal_s == NULL) {
526 return NT_STATUS_NO_MEMORY;
527 }
528
529 service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
530 if (service == NULL) {
531 return NT_STATUS_NO_MEMORY;
532 }
533
534 /* if this is a user ccache, we need to act as the user to let the krb5
535 * library handle the chown, etc. */
536
537 /************************ NON-ROOT **********************/
538
539 if (!internal_ccache) {
540
541 set_effective_uid(uid);
542 DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
543 }
544
545 krb5_ret = kerberos_kinit_password_ext(principal_s,
546 state->request.data.auth.pass,
547 time_offset,
548 &ticket_lifetime,
549 &renewal_until,
550 cc,
551 True,
552 True,
553 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
554 &result);
555
556 if (krb5_ret) {
557 DEBUG(1,("winbindd_raw_kerberos_login: kinit failed for '%s' with: %s (%d)\n",
558 principal_s, error_message(krb5_ret), krb5_ret));
559 goto failed;
560 }
561
562 /* does http_timestring use heimdals libroken strftime?? - Guenther */
563 DEBUG(10,("got TGT for %s in %s (valid until: %s (%d), renewable till: %s (%d))\n",
564 principal_s, cc,
565 http_timestring(ticket_lifetime), (int)ticket_lifetime,
566 http_timestring(renewal_until), (int)renewal_until));
567
568 /* we cannot continue with krb5 when UF_DONT_REQUIRE_PREAUTH is set,
569 * in that case fallback to NTLM - gd */
570
571 if ((ticket_lifetime == 0) && (renewal_until == 0)) {
572 result = NT_STATUS_INVALID_LOGON_TYPE;
573 goto failed;
574 }
575
576 client_princ = talloc_strdup(state->mem_ctx, global_myname());
577 if (client_princ == NULL) {
578 result = NT_STATUS_NO_MEMORY;
579 goto failed;
580 }
581 strlower_m(client_princ);
582
583 local_service = talloc_asprintf(state->mem_ctx, "%s$@%s", client_princ, lp_realm());
584 if (local_service == NULL) {
585 DEBUG(0,("winbindd_raw_kerberos_login: out of memory\n"));
586 result = NT_STATUS_NO_MEMORY;
587 goto failed;
588 }
589
590 krb5_ret = cli_krb5_get_ticket(local_service,
591 time_offset,
592 &tkt,
593 &session_key_krb5,
594 0,
595 cc,
596 NULL);
597 if (krb5_ret) {
598 DEBUG(1,("winbindd_raw_kerberos_login: failed to get ticket for %s: %s\n",
599 local_service, error_message(krb5_ret)));
600 result = krb5_to_nt_status(krb5_ret);
601 goto failed;
602 }
603
604 if (!internal_ccache) {
605 gain_root_privilege();
606 }
607
608 /************************ NON-ROOT **********************/
609
610 result = ads_verify_ticket(state->mem_ctx,
611 lp_realm(),
612 time_offset,
613 &tkt,
614 &client_princ_out,
615 &pac_data,
616 &ap_rep,
617 &session_key, False);
618 if (!NT_STATUS_IS_OK(result)) {
619 DEBUG(0,("winbindd_raw_kerberos_login: ads_verify_ticket failed: %s\n",
620 nt_errstr(result)));
621 goto failed;
622 }
623
624 if (!pac_data) {
625 DEBUG(3,("winbindd_raw_kerberos_login: no pac data\n"));
626 result = NT_STATUS_INVALID_PARAMETER;
627 goto failed;
628 }
629
630 logon_info = get_logon_info_from_pac(pac_data);
631 if (logon_info == NULL) {
632 DEBUG(1,("winbindd_raw_kerberos_login: no logon info\n"));
633 result = NT_STATUS_INVALID_PARAMETER;
634 goto failed;
635 }
636
637 DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
638 local_service));
639
640
641 /* last step:
642 * put results together */
643
644 *info3 = &logon_info->info3;
645
646 /* if we had a user's ccache then return that string for the pam
647 * environment */
648
649 if (!internal_ccache) {
650
651 setup_return_cc_name(state, cc);
652
653 result = add_ccache_to_list(principal_s,
654 cc,
655 service,
656 state->request.data.auth.user,
657 realm,
658 uid,
659 time(NULL),
660 ticket_lifetime,
661 renewal_until,
662 False);
663
664 if (!NT_STATUS_IS_OK(result)) {
665 DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
666 nt_errstr(result)));
667 }
668 } else {
669
670 /* need to delete the memory cred cache, it is not used anymore */
671
672 krb5_ret = ads_kdestroy(cc);
673 if (krb5_ret) {
674 DEBUG(3,("winbindd_raw_kerberos_login: "
675 "could not destroy krb5 credential cache: "
676 "%s\n", error_message(krb5_ret)));
677 }
678
679 }
680
681 result = NT_STATUS_OK;
682
683 goto done;
684
685 failed:
686
687 /* we could have created a new credential cache with a valid tgt in it
688 * but we werent able to get or verify the service ticket for this
689 * local host and therefor didn't get the PAC, we need to remove that
690 * cache entirely now */
691
692 krb5_ret = ads_kdestroy(cc);
693 if (krb5_ret) {
694 DEBUG(3,("winbindd_raw_kerberos_login: "
695 "could not destroy krb5 credential cache: "
696 "%s\n", error_message(krb5_ret)));
697 }
698
699 if (!NT_STATUS_IS_OK(remove_ccache(state->request.data.auth.user))) {
700 DEBUG(3,("winbindd_raw_kerberos_login: "
701 "could not remove ccache for user %s\n",
702 state->request.data.auth.user));
703 }
704
705 done:
706 data_blob_free(&session_key);
707 data_blob_free(&session_key_krb5);
708 data_blob_free(&ap_rep);
709 data_blob_free(&tkt);
710
711 SAFE_FREE(client_princ_out);
712
713 if (!internal_ccache) {
714 gain_root_privilege();
715 }
716
717 return result;
718 #else
719 return NT_STATUS_NOT_SUPPORTED;
720 #endif /* HAVE_KRB5 */
721 }
722
723 void winbindd_pam_auth(struct winbindd_cli_state *state)
724 {
725 struct winbindd_domain *domain;
726 fstring name_domain, name_user;
727
728 /* Ensure null termination */
729 state->request.data.auth.user
730 [sizeof(state->request.data.auth.user)-1]='\0';
731
732 /* Ensure null termination */
733 state->request.data.auth.pass
734 [sizeof(state->request.data.auth.pass)-1]='\0';
735
736 DEBUG(3, ("[%5lu]: pam auth %s\n", (unsigned long)state->pid,
737 state->request.data.auth.user));
738
739 /* Parse domain and username */
740
741 ws_name_return( state->request.data.auth.user, WB_REPLACE_CHAR );
742
743 if (!canonicalize_username(state->request.data.auth.user,
744 name_domain, name_user)) {
745 set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
746 DEBUG(5, ("Plain text authentication for %s returned %s "
747 "(PAM: %d)\n",
748 state->request.data.auth.user,
749 state->response.data.auth.nt_status_string,
750 state->response.data.auth.pam_error));
751 request_error(state);
752 return;
753 }
754
755 domain = find_auth_domain(state, name_domain);
756
757 if (domain == NULL) {
758 set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
759 DEBUG(5, ("Plain text authentication for %s returned %s "
760 "(PAM: %d)\n",
761 state->request.data.auth.user,
762 state->response.data.auth.nt_status_string,
763 state->response.data.auth.pam_error));
764 request_error(state);
765 return;
766 }
767
768 sendto_domain(state, domain);
769 }
770
771 NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
772 struct winbindd_cli_state *state,
773 NET_USER_INFO_3 **info3)
774 {
775 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
776 uint16 max_allowed_bad_attempts;
777 fstring name_domain, name_user;
778 DOM_SID sid;
779 enum lsa_SidType type;
780 uchar new_nt_pass[NT_HASH_LEN];
781 const uint8 *cached_nt_pass;
782 const uint8 *cached_salt;
783 NET_USER_INFO_3 *my_info3;
784 time_t kickoff_time, must_change_time;
785 BOOL password_good = False;
786 #ifdef HAVE_KRB5
787 struct winbindd_tdc_domain *tdc_domain = NULL;
788 #endif
789
790 *info3 = NULL;
791
792 ZERO_STRUCTP(info3);
793
794 DEBUG(10,("winbindd_dual_pam_auth_cached\n"));
795
796 /* Parse domain and username */
797
798 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
799
800
801 if (!lookup_cached_name(state->mem_ctx,
802 name_domain,
803 name_user,
804 &sid,
805 &type)) {
806 DEBUG(10,("winbindd_dual_pam_auth_cached: no such user in the cache\n"));
807 return NT_STATUS_NO_SUCH_USER;
808 }
809
810 if (type != SID_NAME_USER) {
811 DEBUG(10,("winbindd_dual_pam_auth_cached: not a user (%s)\n", sid_type_lookup(type)));
812 return NT_STATUS_LOGON_FAILURE;
813 }
814
815 result = winbindd_get_creds(domain,
816 state->mem_ctx,
817 &sid,
818 &my_info3,
819 &cached_nt_pass,
820 &cached_salt);
821 if (!NT_STATUS_IS_OK(result)) {
822 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get creds: %s\n", nt_errstr(result)));
823 return result;
824 }
825
826 *info3 = my_info3;
827
828 E_md4hash(state->request.data.auth.pass, new_nt_pass);
829
830 #if DEBUG_PASSWORD
831 dump_data(100, new_nt_pass, NT_HASH_LEN);
832 dump_data(100, cached_nt_pass, NT_HASH_LEN);
833 if (cached_salt) {
834 dump_data(100, cached_salt, NT_HASH_LEN);
835 }
836 #endif
837
838 if (cached_salt) {
839 /* In this case we didn't store the nt_hash itself,
840 but the MD5 combination of salt + nt_hash. */
841 uchar salted_hash[NT_HASH_LEN];
842 E_md5hash(cached_salt, new_nt_pass, salted_hash);
843
844 password_good = (memcmp(cached_nt_pass, salted_hash, NT_HASH_LEN) == 0) ?
845 True : False;
846 } else {
847 /* Old cached cred - direct store of nt_hash (bad bad bad !). */
848 password_good = (memcmp(cached_nt_pass, new_nt_pass, NT_HASH_LEN) == 0) ?
849 True : False;
850 }
851
852 if (password_good) {
853
854 /* User *DOES* know the password, update logon_time and reset
855 * bad_pw_count */
856
857 my_info3->user_flgs |= LOGON_CACHED_ACCOUNT;
858
859 if (my_info3->acct_flags & ACB_AUTOLOCK) {
860 return NT_STATUS_ACCOUNT_LOCKED_OUT;
861 }
862
863 if (my_info3->acct_flags & ACB_DISABLED) {
864 return NT_STATUS_ACCOUNT_DISABLED;
865 }
866
867 if (my_info3->acct_flags & ACB_WSTRUST) {
868 return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
869 }
870
871 if (my_info3->acct_flags & ACB_SVRTRUST) {
872 return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
873 }
874
875 if (my_info3->acct_flags & ACB_DOMTRUST) {
876 return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
877 }
878
879 if (!(my_info3->acct_flags & ACB_NORMAL)) {
880 DEBUG(0,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
881 my_info3->acct_flags));
882 return NT_STATUS_LOGON_FAILURE;
883 }
884
885 kickoff_time = nt_time_to_unix(my_info3->kickoff_time);
886 if (kickoff_time != 0 && time(NULL) > kickoff_time) {
887 return NT_STATUS_ACCOUNT_EXPIRED;
888 }
889
890 must_change_time = nt_time_to_unix(my_info3->pass_must_change_time);
891 if (must_change_time != 0 && must_change_time < time(NULL)) {
892 /* we allow grace logons when the password has expired */
893 my_info3->user_flgs |= LOGON_GRACE_LOGON;
894 /* return NT_STATUS_PASSWORD_EXPIRED; */
895 goto success;
896 }
897
898 #ifdef HAVE_KRB5
899 if ((state->request.flags & WBFLAG_PAM_KRB5) &&
900 ((tdc_domain = wcache_tdc_fetch_domain(state->mem_ctx, name_domain)) != NULL) &&
901 (tdc_domain->trust_type & DS_DOMAIN_TRUST_TYPE_UPLEVEL)) {
902
903 uid_t uid = -1;
904 const char *cc = NULL;
905 char *realm = NULL;
906 const char *principal_s = NULL;
907 const char *service = NULL;
908 BOOL internal_ccache = False;
909
910 uid = get_uid_from_state(state);
911 if (uid == -1) {
912 DEBUG(0,("winbindd_dual_pam_auth_cached: invalid uid\n"));
913 return NT_STATUS_INVALID_PARAMETER;
914 }
915
916 cc = generate_krb5_ccache(state->mem_ctx,
917 state->request.data.auth.krb5_cc_type,
918 state->request.data.auth.uid,
919 &internal_ccache);
920 if (cc == NULL) {
921 return NT_STATUS_NO_MEMORY;
922 }
923
924 realm = domain->alt_name;
925 strupper_m(realm);
926
927 principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
928 if (principal_s == NULL) {
929 return NT_STATUS_NO_MEMORY;
930 }
931
932 service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
933 if (service == NULL) {
934 return NT_STATUS_NO_MEMORY;
935 }
936
937 if (!internal_ccache) {
938
939 setup_return_cc_name(state, cc);
940
941 result = add_ccache_to_list(principal_s,
942 cc,
943 service,
944 state->request.data.auth.user,
945 domain->alt_name,
946 uid,
947 time(NULL),
948 time(NULL) + lp_winbind_cache_time(),
949 time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
950 True);
951
952 if (!NT_STATUS_IS_OK(result)) {
953 DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
954 "to add ccache to list: %s\n",
955 nt_errstr(result)));
956 }
957 }
958 }
959 #endif /* HAVE_KRB5 */
960 success:
961 /* FIXME: we possibly should handle logon hours as well (does xp when
962 * offline?) see auth/auth_sam.c:sam_account_ok for details */
963
964 unix_to_nt_time(&my_info3->logon_time, time(NULL));
965 my_info3->bad_pw_count = 0;
966
967 result = winbindd_update_creds_by_info3(domain,
968 state->mem_ctx,
969 state->request.data.auth.user,
970 state->request.data.auth.pass,
971 my_info3);
972 if (!NT_STATUS_IS_OK(result)) {
973 DEBUG(1,("winbindd_dual_pam_auth_cached: failed to update creds: %s\n",
974 nt_errstr(result)));
975 return result;
976 }
977
978 return NT_STATUS_OK;
979
980 }
981
982 /* User does *NOT* know the correct password, modify info3 accordingly */
983
984 /* failure of this is not critical */
985 result = get_max_bad_attempts_from_lockout_policy(domain, state->mem_ctx, &max_allowed_bad_attempts);
986 if (!NT_STATUS_IS_OK(result)) {
987 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get max_allowed_bad_attempts. "
988 "Won't be able to honour account lockout policies\n"));
989 }
990
991 /* increase counter */
992 my_info3->bad_pw_count++;
993
994 if (max_allowed_bad_attempts == 0) {
995 goto failed;
996 }
997
998 /* lockout user */
999 if (my_info3->bad_pw_count >= max_allowed_bad_attempts) {
1000
1001 uint32 password_properties;
1002
1003 result = get_pwd_properties(domain, state->mem_ctx, &password_properties);
1004 if (!NT_STATUS_IS_OK(result)) {
1005 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
1006 }
1007
1008 if ((my_info3->user_rid != DOMAIN_USER_RID_ADMIN) ||
1009 (password_properties & DOMAIN_LOCKOUT_ADMINS)) {
1010 my_info3->acct_flags |= ACB_AUTOLOCK;
1011 }
1012 }
1013
1014 failed:
1015 result = winbindd_update_creds_by_info3(domain,
1016 state->mem_ctx,
1017 state->request.data.auth.user,
1018 NULL,
1019 my_info3);
1020
1021 if (!NT_STATUS_IS_OK(result)) {
1022 DEBUG(0,("winbindd_dual_pam_auth_cached: failed to update creds %s\n",
1023 nt_errstr(result)));
1024 }
1025
1026 return NT_STATUS_LOGON_FAILURE;
1027 }
1028
1029 NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
1030 struct winbindd_cli_state *state,
1031 NET_USER_INFO_3 **info3)
1032 {
1033 struct winbindd_domain *contact_domain;
1034 fstring name_domain, name_user;
1035 NTSTATUS result;
1036
1037 DEBUG(10,("winbindd_dual_pam_auth_kerberos\n"));
1038
1039 /* Parse domain and username */
1040
1041 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
1042
1043 /* what domain should we contact? */
1044
1045 if ( IS_DC ) {
1046 if (!(contact_domain = find_domain_from_name(name_domain))) {
1047 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1048 state->request.data.auth.user, name_domain, name_user, name_domain));
1049 result = NT_STATUS_NO_SUCH_USER;
1050 goto done;
1051 }
1052
1053 } else {
1054 if (is_myname(name_domain)) {
1055 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1056 result = NT_STATUS_NO_SUCH_USER;
1057 goto done;
1058 }
1059
1060 contact_domain = find_domain_from_name(name_domain);
1061 if (contact_domain == NULL) {
1062 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1063 state->request.data.auth.user, name_domain, name_user, name_domain));
1064
1065 contact_domain = find_our_domain();
1066 }
1067 }
1068
1069 if (contact_domain->initialized &&
1070 contact_domain->active_directory) {
1071 goto try_login;
1072 }
1073
1074 if (!contact_domain->initialized) {
1075 init_dc_connection(contact_domain);
1076 }
1077
1078 if (!contact_domain->active_directory) {
1079 DEBUG(3,("krb5 auth requested but domain is not Active Directory\n"));
1080 return NT_STATUS_INVALID_LOGON_TYPE;
1081 }
1082 try_login:
1083 result = winbindd_raw_kerberos_login(contact_domain, state, info3);
1084 done:
1085 return result;
1086 }
1087
1088 NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
1089 struct winbindd_cli_state *state,
1090 NET_USER_INFO_3 **info3)
1091 {
1092
1093 struct rpc_pipe_client *netlogon_pipe;
1094 uchar chal[8];
1095 DATA_BLOB lm_resp;
1096 DATA_BLOB nt_resp;
1097 int attempts = 0;
1098 unsigned char local_lm_response[24];
1099 unsigned char local_nt_response[24];
1100 struct winbindd_domain *contact_domain;
1101 fstring name_domain, name_user;
1102 BOOL retry;
1103 NTSTATUS result;
1104 NET_USER_INFO_3 *my_info3;
1105
1106 ZERO_STRUCTP(info3);
1107
1108 *info3 = NULL;
1109
1110 my_info3 = TALLOC_ZERO_P(state->mem_ctx, NET_USER_INFO_3);
1111 if (my_info3 == NULL) {
1112 return NT_STATUS_NO_MEMORY;
1113 }
1114
1115
1116 DEBUG(10,("winbindd_dual_pam_auth_samlogon\n"));
1117
1118 /* Parse domain and username */
1119
1120 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
1121
1122 /* do password magic */
1123
1124
1125 generate_random_buffer(chal, 8);
1126 if (lp_client_ntlmv2_auth()) {
1127 DATA_BLOB server_chal;
1128 DATA_BLOB names_blob;
1129 DATA_BLOB nt_response;
1130 DATA_BLOB lm_response;
1131 server_chal = data_blob_talloc(state->mem_ctx, chal, 8);
1132
1133 /* note that the 'workgroup' here is a best guess - we don't know
1134 the server's domain at this point. The 'server name' is also
1135 dodgy...
1136 */
1137 names_blob = NTLMv2_generate_names_blob(global_myname(), lp_workgroup());
1138
1139 if (!SMBNTLMv2encrypt(name_user, name_domain,
1140 state->request.data.auth.pass,
1141 &server_chal,
1142 &names_blob,
1143 &lm_response, &nt_response, NULL)) {
1144 data_blob_free(&names_blob);
1145 data_blob_free(&server_chal);
1146 DEBUG(0, ("winbindd_pam_auth: SMBNTLMv2encrypt() failed!\n"));
1147 result = NT_STATUS_NO_MEMORY;
1148 goto done;
1149 }
1150 data_blob_free(&names_blob);
1151 data_blob_free(&server_chal);
1152 lm_resp = data_blob_talloc(state->mem_ctx, lm_response.data,
1153 lm_response.length);
1154 nt_resp = data_blob_talloc(state->mem_ctx, nt_response.data,
1155 nt_response.length);
1156 data_blob_free(&lm_response);
1157 data_blob_free(&nt_response);
1158
1159 } else {
1160 if (lp_client_lanman_auth()
1161 && SMBencrypt(state->request.data.auth.pass,
1162 chal,
1163 local_lm_response)) {
1164 lm_resp = data_blob_talloc(state->mem_ctx,
1165 local_lm_response,
1166 sizeof(local_lm_response));
1167 } else {
1168 lm_resp = data_blob_null;
1169 }
1170 SMBNTencrypt(state->request.data.auth.pass,
1171 chal,
1172 local_nt_response);
1173
1174 nt_resp = data_blob_talloc(state->mem_ctx,
1175 local_nt_response,
1176 sizeof(local_nt_response));
1177 }
1178
1179 /* what domain should we contact? */
1180
1181 if ( IS_DC ) {
1182 if (!(contact_domain = find_domain_from_name(name_domain))) {
1183 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1184 state->request.data.auth.user, name_domain, name_user, name_domain));
1185 result = NT_STATUS_NO_SUCH_USER;
1186 goto done;
1187 }
1188
1189 } else {
1190 if (is_myname(name_domain)) {
1191 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1192 result = NT_STATUS_NO_SUCH_USER;
1193 goto done;
1194 }
1195
1196 contact_domain = find_our_domain();
1197 }
1198
1199 /* check authentication loop */
1200
1201 do {
1202 NTSTATUS (*logon_fn)(struct rpc_pipe_client
1203 *cli, TALLOC_CTX *mem_ctx,
1204 uint32 logon_parameters,
1205 const char *server,
1206 const char *username,
1207 const char *domain,
1208 const char *workstation,
1209 const uint8 chal[8],
1210 DATA_BLOB lm_response,
1211 DATA_BLOB nt_response,
1212 NET_USER_INFO_3 *info3);
1213
1214 ZERO_STRUCTP(my_info3);
1215 retry = False;
1216
1217 result = cm_connect_netlogon(contact_domain, &netlogon_pipe);
1218
1219 if (!NT_STATUS_IS_OK(result)) {
1220 DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
1221 goto done;
1222 }
1223
1224 logon_fn = contact_domain->can_do_samlogon_ex
1225 ? rpccli_netlogon_sam_network_logon_ex
1226 : rpccli_netlogon_sam_network_logon;
1227
1228 result = logon_fn(netlogon_pipe,
1229 state->mem_ctx,
1230 0,
1231 contact_domain->dcname, /* server name */
1232 name_user, /* user name */
1233 name_domain, /* target domain */
1234 global_myname(), /* workstation */
1235 chal,
1236 lm_resp,
1237 nt_resp,
1238 my_info3);
1239
1240 if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR)
1241 && contact_domain->can_do_samlogon_ex) {
1242 DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
1243 "retrying with NetSamLogon\n"));
1244 contact_domain->can_do_samlogon_ex = False;
1245 retry = True;
1246 continue;
1247 }
1248
1249 attempts += 1;
1250
1251 /* We have to try a second time as cm_connect_netlogon
1252 might not yet have noticed that the DC has killed
1253 our connection. */
1254
1255 if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) {
1256 retry = True;
1257 continue;
1258 }
1259
1260 /* if we get access denied, a possible cause was that we had
1261 and open connection to the DC, but someone changed our
1262 machine account password out from underneath us using 'net
1263 rpc changetrustpw' */
1264
1265 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1266 DEBUG(3,("winbindd_pam_auth: sam_logon returned "
1267 "ACCESS_DENIED. Maybe the trust account "
1268 "password was changed and we didn't know it. "
1269 "Killing connections to domain %s\n",
1270 name_domain));
1271 invalidate_cm_connection(&contact_domain->conn);
1272 retry = True;
1273 }
1274
1275 } while ( (attempts < 2) && retry );
1276
1277 /* handle the case where a NT4 DC does not fill in the acct_flags in
1278 * the samlogon reply info3. When accurate info3 is required by the
1279 * caller, we look up the account flags ourselve - gd */
1280
1281 if ((state->request.flags & WBFLAG_PAM_INFO3_TEXT) &&
1282 (my_info3->acct_flags == 0) && NT_STATUS_IS_OK(result)) {
1283
1284 struct rpc_pipe_client *samr_pipe;
1285 POLICY_HND samr_domain_handle, user_pol;
1286 SAM_USERINFO_CTR *user_ctr;
1287 NTSTATUS status_tmp;
1288 uint32 acct_flags;
1289
1290 ZERO_STRUCT(user_ctr);
1291
1292 status_tmp = cm_connect_sam(contact_domain, state->mem_ctx,
1293 &samr_pipe, &samr_domain_handle);
1294
1295 if (!NT_STATUS_IS_OK(status_tmp)) {
1296 DEBUG(3, ("could not open handle to SAMR pipe: %s\n",
1297 nt_errstr(status_tmp)));
1298 goto done;
1299 }
1300
1301 status_tmp = rpccli_samr_open_user(samr_pipe, state->mem_ctx,
1302 &samr_domain_handle,
1303 MAXIMUM_ALLOWED_ACCESS,
1304 my_info3->user_rid, &user_pol);
1305
1306 if (!NT_STATUS_IS_OK(status_tmp)) {
1307 DEBUG(3, ("could not open user handle on SAMR pipe: %s\n",
1308 nt_errstr(status_tmp)));
1309 goto done;
1310 }
1311
1312 status_tmp = rpccli_samr_query_userinfo(samr_pipe, state->mem_ctx,
1313 &user_pol, 16, &user_ctr);
1314
1315 if (!NT_STATUS_IS_OK(status_tmp)) {
1316 DEBUG(3, ("could not query user info on SAMR pipe: %s\n",
1317 nt_errstr(status_tmp)));
1318 rpccli_samr_close(samr_pipe, state->mem_ctx, &user_pol);
1319 goto done;
1320 }
1321
1322 acct_flags = user_ctr->info.id16->acb_info;
1323
1324 if (acct_flags == 0) {
1325 rpccli_samr_close(samr_pipe, state->mem_ctx, &user_pol);
1326 goto done;
1327 }
1328
1329 my_info3->acct_flags = acct_flags;
1330
1331 DEBUG(10,("successfully retrieved acct_flags 0x%x\n", acct_flags));
1332
1333 rpccli_samr_close(samr_pipe, state->mem_ctx, &user_pol);
1334 }
1335
1336 *info3 = my_info3;
1337 done:
1338 return result;
1339 }
1340
1341 enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
1342 struct winbindd_cli_state *state)
1343 {
1344 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
1345 NTSTATUS krb5_result = NT_STATUS_OK;
1346 fstring name_domain, name_user;
1347 NET_USER_INFO_3 *info3 = NULL;
1348
1349 /* Ensure null termination */
1350 state->request.data.auth.user[sizeof(state->request.data.auth.user)-1]='\0';
1351
1352 /* Ensure null termination */
1353 state->request.data.auth.pass[sizeof(state->request.data.auth.pass)-1]='\0';
1354
1355 DEBUG(3, ("[%5lu]: dual pam auth %s\n", (unsigned long)state->pid,
1356 state->request.data.auth.user));
1357
1358 /* Parse domain and username */
1359
1360 ws_name_return( state->request.data.auth.user, WB_REPLACE_CHAR );
1361
1362 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
1363
1364 if (domain->online == False) {
1365 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1366 if (domain->startup) {
1367 /* Logons are very important to users. If we're offline and
1368 we get a request within the first 30 seconds of startup,
1369 try very hard to find a DC and go online. */
1370
1371 DEBUG(10,("winbindd_dual_pam_auth: domain: %s offline and auth "
1372 "request in startup mode.\n", domain->name ));
1373
1374 winbindd_flush_negative_conn_cache(domain);
1375 result = init_dc_connection(domain);
1376 }
1377 }
1378
1379 DEBUG(10,("winbindd_dual_pam_auth: domain: %s last was %s\n", domain->name, domain->online ? "online":"offline"));
1380
1381 /* Check for Kerberos authentication */
1382 if (domain->online && (state->request.flags & WBFLAG_PAM_KRB5)) {
1383
1384 result = winbindd_dual_pam_auth_kerberos(domain, state, &info3);
1385 /* save for later */
1386 krb5_result = result;
1387
1388
1389 if (NT_STATUS_IS_OK(result)) {
1390 DEBUG(10,("winbindd_dual_pam_auth_kerberos succeeded\n"));
1391 goto process_result;
1392 } else {
1393 DEBUG(10,("winbindd_dual_pam_auth_kerberos failed: %s\n", nt_errstr(result)));
1394 }
1395
1396 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
1397 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
1398 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1399 DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
1400 set_domain_offline( domain );
1401 goto cached_logon;
1402 }
1403
1404 /* there are quite some NT_STATUS errors where there is no
1405 * point in retrying with a samlogon, we explictly have to take
1406 * care not to increase the bad logon counter on the DC */
1407
1408 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_DISABLED) ||
1409 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_EXPIRED) ||
1410 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_LOCKED_OUT) ||
1411 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_LOGON_HOURS) ||
1412 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_WORKSTATION) ||
1413 NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE) ||
1414 NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER) ||
1415 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_EXPIRED) ||
1416 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE) ||
1417 NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD)) {
1418 goto process_result;
1419 }
1420
1421 if (state->request.flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
1422 DEBUG(3,("falling back to samlogon\n"));
1423 goto sam_logon;
1424 } else {
1425 goto cached_logon;
1426 }
1427 }
1428
1429 sam_logon:
1430 /* Check for Samlogon authentication */
1431 if (domain->online) {
1432 result = winbindd_dual_pam_auth_samlogon(domain, state, &info3);
1433
1434 if (NT_STATUS_IS_OK(result)) {
1435 DEBUG(10,("winbindd_dual_pam_auth_samlogon succeeded\n"));
1436 /* add the Krb5 err if we have one */
1437 if ( NT_STATUS_EQUAL(krb5_result, NT_STATUS_TIME_DIFFERENCE_AT_DC ) ) {
1438 info3->user_flgs |= LOGON_KRB5_FAIL_CLOCK_SKEW;
1439 }
1440 goto process_result;
1441 }
1442
1443 DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n",
1444 nt_errstr(result)));
1445
1446 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
1447 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
1448 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND))
1449 {
1450 DEBUG(10,("winbindd_dual_pam_auth_samlogon setting domain to offline\n"));
1451 set_domain_offline( domain );
1452 goto cached_logon;
1453 }
1454
1455 if (domain->online) {
1456 /* We're still online - fail. */
1457 goto done;
1458 }
1459 }
1460
1461 cached_logon:
1462 /* Check for Cached logons */
1463 if (!domain->online && (state->request.flags & WBFLAG_PAM_CACHED_LOGIN) &&
1464 lp_winbind_offline_logon()) {
1465
1466 result = winbindd_dual_pam_auth_cached(domain, state, &info3);
1467
1468 if (NT_STATUS_IS_OK(result)) {
1469 DEBUG(10,("winbindd_dual_pam_auth_cached succeeded\n"));
1470 goto process_result;
1471 } else {
1472 DEBUG(10,("winbindd_dual_pam_auth_cached failed: %s\n", nt_errstr(result)));
1473 goto done;
1474 }
1475 }
1476
1477 process_result:
1478
1479 if (NT_STATUS_IS_OK(result)) {
1480
1481 DOM_SID user_sid;
1482
1483 /* In all codepaths where result == NT_STATUS_OK info3 must have
1484 been initialized. */
1485 if (!info3) {
1486 result = NT_STATUS_INTERNAL_ERROR;
1487 goto done;
1488 }
1489
1490 netsamlogon_cache_store(name_user, info3);
1491 wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
1492
1493 /* save name_to_sid info as early as possible (only if
1494 this is our primary domain so we don't invalidate
1495 the cache entry by storing the seq_num for the wrong
1496 domain). */
1497 if ( domain->primary ) {
1498 sid_compose(&user_sid, &info3->dom_sid.sid,
1499 info3->user_rid);
1500 cache_name2sid(domain, name_domain, name_user,
1501 SID_NAME_USER, &user_sid);
1502 }
1503
1504 /* Check if the user is in the right group */
1505
1506 if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, info3,
1507 state->request.data.auth.require_membership_of_sid))) {
1508 DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
1509 state->request.data.auth.user,
1510 state->request.data.auth.require_membership_of_sid));
1511 goto done;
1512 }
1513
1514 if (state->request.flags & WBFLAG_PAM_INFO3_NDR) {
1515 result = append_info3_as_ndr(state->mem_ctx, state, info3);
1516 if (!NT_STATUS_IS_OK(result)) {
1517 DEBUG(10,("Failed to append INFO3 (NDR): %s\n", nt_errstr(result)));
1518 goto done;
1519 }
1520 }
1521
1522 if (state->request.flags & WBFLAG_PAM_INFO3_TEXT) {
1523 result = append_info3_as_txt(state->mem_ctx, state, info3);
1524 if (!NT_STATUS_IS_OK(result)) {
1525 DEBUG(10,("Failed to append INFO3 (TXT): %s\n", nt_errstr(result)));
1526 goto done;
1527 }
1528
1529 }
1530
1531 if ((state->request.flags & WBFLAG_PAM_CACHED_LOGIN)) {
1532
1533 /* Store in-memory creds for single-signon using ntlm_auth. */
1534 result = winbindd_add_memory_creds(state->request.data.auth.user,
1535 get_uid_from_state(state),
1536 state->request.data.auth.pass);
1537
1538 if (!NT_STATUS_IS_OK(result)) {
1539 DEBUG(10,("Failed to store memory creds: %s\n", nt_errstr(result)));
1540 goto done;
1541 }
1542
1543 if (lp_winbind_offline_logon()) {
1544 result = winbindd_store_creds(domain,
1545 state->mem_ctx,
1546 state->request.data.auth.user,
1547 state->request.data.auth.pass,
1548 info3, NULL);
1549 if (!NT_STATUS_IS_OK(result)) {
1550
1551 /* Release refcount. */
1552 winbindd_delete_memory_creds(state->request.data.auth.user);
1553
1554 DEBUG(10,("Failed to store creds: %s\n", nt_errstr(result)));
1555 goto done;
1556 }
1557 }
1558 }
1559
1560 result = fillup_password_policy(domain, state);
1561
1562 if (!NT_STATUS_IS_OK(result)
1563 && !NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) )
1564 {
1565 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result)));
1566 goto done;
1567 }
1568
1569 result = NT_STATUS_OK;
1570
1571 if (state->request.flags & WBFLAG_PAM_UNIX_NAME) {
1572 /* We've been asked to return the unix username, per
1573 'winbind use default domain' settings and the like */
1574
1575 fstring username_out;
1576 const char *nt_username, *nt_domain;
1577
1578 if (!(nt_username = unistr2_tdup(state->mem_ctx, &info3->uni_user_name))) {
1579 /* If the server didn't give us one, just use the one we sent them */
1580 nt_username = name_user;
1581 }
1582
1583 if (!(nt_domain = unistr2_tdup(state->mem_ctx, &info3->uni_logon_dom))) {
1584 /* If the server didn't give us one, just use the one we sent them */
1585 nt_domain = name_domain;
1586 }
1587
1588 fill_domain_username(username_out, nt_domain, nt_username, True);
1589
1590 DEBUG(5, ("Setting unix username to [%s]\n", username_out));
1591
1592 SAFE_FREE(state->response.extra_data.data);
1593 state->response.extra_data.data = SMB_STRDUP(username_out);
1594 if (!state->response.extra_data.data) {
1595 result = NT_STATUS_NO_MEMORY;
1596 goto done;
1597 }
1598 state->response.length +=
1599 strlen((const char *)state->response.extra_data.data)+1;
1600 }
1601 }
1602
1603
1604 done:
1605 /* give us a more useful (more correct?) error code */
1606 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
1607 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
1608 result = NT_STATUS_NO_LOGON_SERVERS;
1609 }
1610
1611 state->response.data.auth.nt_status = NT_STATUS_V(result);
1612 fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
1613
1614 /* we might have given a more useful error above */
1615 if (!*state->response.data.auth.error_string)
1616 fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
1617 state->response.data.auth.pam_error = nt_status_to_pam(result);
1618
1619 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
1620 state->request.data.auth.user,
1621 state->response.data.auth.nt_status_string,
1622 state->response.data.auth.pam_error));
1623
1624 if ( NT_STATUS_IS_OK(result) && info3 &&
1625 (state->request.flags & WBFLAG_PAM_AFS_TOKEN) ) {
1626
1627 char *afsname = talloc_strdup(state->mem_ctx,
1628 lp_afs_username_map());
1629 char *cell;
1630
1631 if (afsname == NULL) {
1632 goto no_token;
1633 }
1634
1635 afsname = talloc_string_sub(state->mem_ctx,
1636 lp_afs_username_map(),
1637 "%D", name_domain);
1638 afsname = talloc_string_sub(state->mem_ctx, afsname,
1639 "%u", name_user);
1640 afsname = talloc_string_sub(state->mem_ctx, afsname,
1641 "%U", name_user);
1642
1643 {
1644 DOM_SID user_sid;
1645 fstring sidstr;
1646
1647 sid_copy(&user_sid, &info3->dom_sid.sid);
1648 sid_append_rid(&user_sid, info3->user_rid);
1649 sid_to_string(sidstr, &user_sid);
1650 afsname = talloc_string_sub(state->mem_ctx, afsname,
1651 "%s", sidstr);
1652 }
1653
1654 if (afsname == NULL) {
1655 goto no_token;
1656 }
1657
1658 strlower_m(afsname);
1659
1660 DEBUG(10, ("Generating token for user %s\n", afsname));
1661
1662 cell = strchr(afsname, '@');
1663
1664 if (cell == NULL) {
1665 goto no_token;
1666 }
1667
1668 *cell = '\0';
1669 cell += 1;
1670
1671 /* Append an AFS token string */
1672 SAFE_FREE(state->response.extra_data.data);
1673 state->response.extra_data.data =
1674 afs_createtoken_str(afsname, cell);
1675
1676 if (state->response.extra_data.data != NULL) {
1677 state->response.length +=
1678 strlen((const char *)state->response.extra_data.data)+1;
1679 }
1680
1681 no_token:
1682 TALLOC_FREE(afsname);
1683 }
1684
1685 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1686 }
1687
1688
1689 /**********************************************************************
1690 Challenge Response Authentication Protocol
1691 **********************************************************************/
1692
1693 void winbindd_pam_auth_crap(struct winbindd_cli_state *state)
1694 {
1695 struct winbindd_domain *domain = NULL;
1696 const char *domain_name = NULL;
1697 NTSTATUS result;
1698
1699 if (!state->privileged) {
1700 char *error_string = NULL;
1701 DEBUG(2, ("winbindd_pam_auth_crap: non-privileged access "
1702 "denied. !\n"));
1703 DEBUGADD(2, ("winbindd_pam_auth_crap: Ensure permissions "
1704 "on %s are set correctly.\n",
1705 get_winbind_priv_pipe_dir()));
1706 /* send a better message than ACCESS_DENIED */
1707 error_string = talloc_asprintf(state->mem_ctx,
1708 "winbind client not authorized "
1709 "to use winbindd_pam_auth_crap."
1710 " Ensure permissions on %s "
1711 "are set correctly.",
1712 get_winbind_priv_pipe_dir());
1713 fstrcpy(state->response.data.auth.error_string, error_string);
1714 result = NT_STATUS_ACCESS_DENIED;
1715 goto done;
1716 }
1717
1718 /* Ensure null termination */
1719 state->request.data.auth_crap.user
1720 [sizeof(state->request.data.auth_crap.user)-1]=0;
1721 state->request.data.auth_crap.domain
1722 [sizeof(state->request.data.auth_crap.domain)-1]=0;
1723
1724 DEBUG(3, ("[%5lu]: pam auth crap domain: [%s] user: %s\n",
1725 (unsigned long)state->pid,
1726 state->request.data.auth_crap.domain,
1727 state->request.data.auth_crap.user));
1728
1729 if (*state->request.data.auth_crap.domain != '\0') {
1730 domain_name = state->request.data.auth_crap.domain;
1731 } else if (lp_winbind_use_default_domain()) {
1732 domain_name = lp_workgroup();
1733 }
1734
1735 if (domain_name != NULL)
1736 domain = find_auth_domain(state, domain_name);
1737
1738 if (domain != NULL) {
1739 sendto_domain(state, domain);
1740 return;
1741 }
1742
1743 result = NT_STATUS_NO_SUCH_USER;
1744
1745 done:
1746 set_auth_errors(&state->response, result);
1747 DEBUG(5, ("CRAP authentication for %s\\%s returned %s (PAM: %d)\n",
1748 state->request.data.auth_crap.domain,
1749 state->request.data.auth_crap.user,
1750 state->response.data.auth.nt_status_string,
1751 state->response.data.auth.pam_error));
1752 request_error(state);
1753 return;
1754 }
1755
1756
1757 enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
1758 struct winbindd_cli_state *state)
1759 {
1760 NTSTATUS result;
1761 NET_USER_INFO_3 info3;
1762 struct rpc_pipe_client *netlogon_pipe;
1763 const char *name_user = NULL;
1764 const char *name_domain = NULL;
1765 const char *workstation;
1766 struct winbindd_domain *contact_domain;
1767 int attempts = 0;
1768 BOOL retry;
1769
1770 DATA_BLOB lm_resp, nt_resp;
1771
1772 /* This is child-only, so no check for privileged access is needed
1773 anymore */
1774
1775 /* Ensure null termination */
1776 state->request.data.auth_crap.user[sizeof(state->request.data.auth_crap.user)-1]=0;
1777 state->request.data.auth_crap.domain[sizeof(state->request.data.auth_crap.domain)-1]=0;
1778
1779 name_user = state->request.data.auth_crap.user;
1780
1781 if (*state->request.data.auth_crap.domain) {
1782 name_domain = state->request.data.auth_crap.domain;
1783 } else if (lp_winbind_use_default_domain()) {
1784 name_domain = lp_workgroup();
1785 } else {
1786 DEBUG(5,("no domain specified with username (%s) - failing auth\n",
1787 name_user));
1788 result = NT_STATUS_NO_SUCH_USER;
1789 goto done;
1790 }
1791
1792 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
1793 name_domain, name_user));
1794
1795 if (*state->request.data.auth_crap.workstation) {
1796 workstation = state->request.data.auth_crap.workstation;
1797 } else {
1798 workstation = global_myname();
1799 }
1800
1801 if (state->request.data.auth_crap.lm_resp_len > sizeof(state->request.data.auth_crap.lm_resp)
1802 || state->request.data.auth_crap.nt_resp_len > sizeof(state->request.data.auth_crap.nt_resp)) {
1803 DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
1804 state->request.data.auth_crap.lm_resp_len,
1805 state->request.data.auth_crap.nt_resp_len));
1806 result = NT_STATUS_INVALID_PARAMETER;
1807 goto done;
1808 }
1809
1810 lm_resp = data_blob_talloc(state->mem_ctx, state->request.data.auth_crap.lm_resp,
1811 state->request.data.auth_crap.lm_resp_len);
1812 nt_resp = data_blob_talloc(state->mem_ctx, state->request.data.auth_crap.nt_resp,
1813 state->request.data.auth_crap.nt_resp_len);
1814
1815 /* what domain should we contact? */
1816
1817 if ( IS_DC ) {
1818 if (!(contact_domain = find_domain_from_name(name_domain))) {
1819 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1820 state->request.data.auth_crap.user, name_domain, name_user, name_domain));
1821 result = NT_STATUS_NO_SUCH_USER;
1822 goto done;
1823 }
1824 } else {
1825 if (is_myname(name_domain)) {
1826 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1827 result = NT_STATUS_NO_SUCH_USER;
1828 goto done;
1829 }
1830 contact_domain = find_our_domain();
1831 }
1832
1833 do {
1834 NTSTATUS (*logon_fn)(struct rpc_pipe_client
1835 *cli, TALLOC_CTX *mem_ctx,
1836 uint32 logon_parameters,
1837 const char *server,
1838 const char *username,
1839 const char *domain,
1840 const char *workstation,
1841 const uint8 chal[8],
1842 DATA_BLOB lm_response,
1843 DATA_BLOB nt_response,
1844 NET_USER_INFO_3 *info3);
1845
1846 ZERO_STRUCT(info3);
1847 retry = False;
1848
1849 netlogon_pipe = NULL;
1850 result = cm_connect_netlogon(contact_domain, &netlogon_pipe);
1851
1852 if (!NT_STATUS_IS_OK(result)) {
1853 DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n",
1854 nt_errstr(result)));
1855 goto done;
1856 }
1857
1858 logon_fn = contact_domain->can_do_samlogon_ex
1859 ? rpccli_netlogon_sam_network_logon_ex
1860 : rpccli_netlogon_sam_network_logon;
1861
1862 result = logon_fn(netlogon_pipe,
1863 state->mem_ctx,
1864 state->request.data.auth_crap.logon_parameters,
1865 contact_domain->dcname,
1866 name_user,
1867 name_domain,
1868 /* Bug #3248 - found by Stefan Burkei. */
1869 workstation, /* We carefully set this above so use it... */
1870 state->request.data.auth_crap.chal,
1871 lm_resp,
1872 nt_resp,
1873 &info3);
1874
1875 if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR)
1876 && contact_domain->can_do_samlogon_ex) {
1877 DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
1878 "retrying with NetSamLogon\n"));
1879 contact_domain->can_do_samlogon_ex = False;
1880 retry = True;
1881 continue;
1882 }
1883
1884 attempts += 1;
1885
1886 /* We have to try a second time as cm_connect_netlogon
1887 might not yet have noticed that the DC has killed
1888 our connection. */
1889
1890 if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) {
1891 retry = True;
1892 continue;
1893 }
1894
1895 /* if we get access denied, a possible cause was that we had and open
1896 connection to the DC, but someone changed our machine account password
1897 out from underneath us using 'net rpc changetrustpw' */
1898
1899 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1900 DEBUG(3,("winbindd_pam_auth: sam_logon returned "
1901 "ACCESS_DENIED. Maybe the trust account "
1902 "password was changed and we didn't know it. "
1903 "Killing connections to domain %s\n",
1904 name_domain));
1905 invalidate_cm_connection(&contact_domain->conn);
1906 retry = True;
1907 }
1908
1909 } while ( (attempts < 2) && retry );
1910
1911 if (NT_STATUS_IS_OK(result)) {
1912
1913 netsamlogon_cache_store(name_user, &info3);
1914 wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3);
1915
1916 /* Check if the user is in the right group */
1917
1918 if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, &info3,
1919 state->request.data.auth_crap.require_membership_of_sid))) {
1920 DEBUG(3, ("User %s is not in the required group (%s), so "
1921 "crap authentication is rejected\n",
1922 state->request.data.auth_crap.user,
1923 state->request.data.auth_crap.require_membership_of_sid));
1924 goto done;
1925 }
1926
1927 if (state->request.flags & WBFLAG_PAM_INFO3_NDR) {
1928 result = append_info3_as_ndr(state->mem_ctx, state, &info3);
1929 } else if (state->request.flags & WBFLAG_PAM_UNIX_NAME) {
1930 /* ntlm_auth should return the unix username, per
1931 'winbind use default domain' settings and the like */
1932
1933 fstring username_out;
1934 const char *nt_username, *nt_domain;
1935 if (!(nt_username = unistr2_tdup(state->mem_ctx, &(info3.uni_user_name)))) {
1936 /* If the server didn't give us one, just use the one we sent them */
1937 nt_username = name_user;
1938 }
1939
1940 if (!(nt_domain = unistr2_tdup(state->mem_ctx, &(info3.uni_logon_dom)))) {
1941 /* If the server didn't give us one, just use the one we sent them */
1942 nt_domain = name_domain;
1943 }
1944
1945 fill_domain_username(username_out, nt_domain, nt_username, True);
1946
1947 DEBUG(5, ("Setting unix username to [%s]\n", username_out));
1948
1949 SAFE_FREE(state->response.extra_data.data);
1950 state->response.extra_data.data = SMB_STRDUP(username_out);
1951 if (!state->response.extra_data.data) {
1952 result = NT_STATUS_NO_MEMORY;
1953 goto done;
1954 }
1955 state->response.length +=
1956 strlen((const char *)state->response.extra_data.data)+1;
1957 }
1958
1959 if (state->request.flags & WBFLAG_PAM_USER_SESSION_KEY) {
1960 memcpy(state->response.data.auth.user_session_key, info3.user_sess_key,
1961 sizeof(state->response.data.auth.user_session_key) /* 16 */);
1962 }
1963 if (state->request.flags & WBFLAG_PAM_LMKEY) {
1964 memcpy(state->response.data.auth.first_8_lm_hash, info3.lm_sess_key,
1965 sizeof(state->response.data.auth.first_8_lm_hash) /* 8 */);
1966 }
1967 }
1968
1969 done:
1970
1971 /* give us a more useful (more correct?) error code */
1972 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
1973 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
1974 result = NT_STATUS_NO_LOGON_SERVERS;
1975 }
1976
1977 if (state->request.flags & WBFLAG_PAM_NT_STATUS_SQUASH) {
1978 result = nt_status_squash(result);
1979 }
1980
1981 state->response.data.auth.nt_status = NT_STATUS_V(result);
1982 fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
1983
1984 /* we might have given a more useful error above */
1985 if (!*state->response.data.auth.error_string) {
1986 fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
1987 }
1988 state->response.data.auth.pam_error = nt_status_to_pam(result);
1989
1990 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
1991 ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n",
1992 name_domain,
1993 name_user,
1994 state->response.data.auth.nt_status_string,
1995 state->response.data.auth.pam_error));
1996
1997 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1998 }
1999
2000 /* Change a user password */
2001
2002 void winbindd_pam_chauthtok(struct winbindd_cli_state *state)
2003 {
2004 fstring domain, user;
2005 struct winbindd_domain *contact_domain;
2006
2007 DEBUG(3, ("[%5lu]: pam chauthtok %s\n", (unsigned long)state->pid,
2008 state->request.data.chauthtok.user));
2009
2010 /* Setup crap */
2011
2012 ws_name_return( state->request.data.auth.user, WB_REPLACE_CHAR );
2013
2014 if (!canonicalize_username(state->request.data.chauthtok.user, domain, user)) {
2015 set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
2016 DEBUG(5, ("winbindd_pam_chauthtok: canonicalize_username %s failed with %s"
2017 "(PAM: %d)\n",
2018 state->request.data.auth.user,
2019 state->response.data.auth.nt_status_string,
2020 state->response.data.auth.pam_error));
2021 request_error(state);
2022 return;
2023 }
2024
2025 contact_domain = find_domain_from_name(domain);
2026 if (!contact_domain) {
2027 set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
2028 DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
2029 state->request.data.chauthtok.user, domain, user, domain));
2030 request_error(state);
2031 return;
2032 }
2033
2034 sendto_domain(state, contact_domain);
2035 }
2036
2037 enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact_domain,
2038 struct winbindd_cli_state *state)
2039 {
2040 char *oldpass;
2041 char *newpass = NULL;
2042 POLICY_HND dom_pol;
2043 struct rpc_pipe_client *cli;
2044 BOOL got_info = False;
2045 SAM_UNK_INFO_1 info;
2046 SAMR_CHANGE_REJECT reject;
2047 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2048 fstring domain, user;
2049
2050 DEBUG(3, ("[%5lu]: dual pam chauthtok %s\n", (unsigned long)state->pid,
2051 state->request.data.auth.user));
2052
2053 if (!parse_domain_user(state->request.data.chauthtok.user, domain, user)) {
2054 goto done;
2055 }
2056
2057 /* Change password */
2058
2059 oldpass = state->request.data.chauthtok.oldpass;
2060 newpass = state->request.data.chauthtok.newpass;
2061
2062 /* Initialize reject reason */
2063 state->response.data.auth.reject_reason = Undefined;
2064
2065 /* Get sam handle */
2066
2067 result = cm_connect_sam(contact_domain, state->mem_ctx, &cli,
2068 &dom_pol);
2069 if (!NT_STATUS_IS_OK(result)) {
2070 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
2071 goto done;
2072 }
2073
2074 result = rpccli_samr_chgpasswd3(cli, state->mem_ctx, user, newpass, oldpass, &info, &reject);
2075
2076 /* Windows 2003 returns NT_STATUS_PASSWORD_RESTRICTION */
2077
2078 if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) ) {
2079 state->response.data.auth.policy.min_length_password =
2080 info.min_length_password;
2081 state->response.data.auth.policy.password_history =
2082 info.password_history;
2083 state->response.data.auth.policy.password_properties =
2084 info.password_properties;
2085 state->response.data.auth.policy.expire =
2086 nt_time_to_unix_abs(&info.expire);
2087 state->response.data.auth.policy.min_passwordage =
2088 nt_time_to_unix_abs(&info.min_passwordage);
2089
2090 state->response.data.auth.reject_reason =
2091 reject.reject_reason;
2092
2093 got_info = True;
2094 }
2095
2096 /* only fallback when the chgpasswd3 call is not supported */
2097 if ((NT_STATUS_EQUAL(result, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR))) ||
2098 (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) ||
2099 (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED))) {
2100
2101 DEBUG(10,("Password change with chgpasswd3 failed with: %s, retrying chgpasswd_user\n",
2102 nt_errstr(result)));
2103
2104 result = rpccli_samr_chgpasswd_user(cli, state->mem_ctx, user, newpass, oldpass);
2105
2106 /* Windows 2000 returns NT_STATUS_ACCOUNT_RESTRICTION.
2107 Map to the same status code as Windows 2003. */
2108
2109 if ( NT_STATUS_EQUAL(NT_STATUS_ACCOUNT_RESTRICTION, result ) ) {
2110 result = NT_STATUS_PASSWORD_RESTRICTION;
2111 }
2112 }
2113
2114 done:
2115
2116 if (NT_STATUS_IS_OK(result) && (state->request.flags & WBFLAG_PAM_CACHED_LOGIN)) {
2117
2118 /* Update the single sign-on memory creds. */
2119 result = winbindd_replace_memory_creds(state->request.data.chauthtok.user,
2120 newpass);
2121
2122 if (!NT_STATUS_IS_OK(result)) {
2123 DEBUG(10,("Failed to replace memory creds: %s\n", nt_errstr(result)));
2124 goto process_result;
2125 }
2126
2127 if (lp_winbind_offline_logon()) {
2128 result = winbindd_update_creds_by_name(contact_domain,
2129 state->mem_ctx, user,
2130 newpass);
2131 if (!NT_STATUS_IS_OK(result)) {
2132 DEBUG(10,("Failed to store creds: %s\n", nt_errstr(result)));
2133 goto process_result;
2134 }
2135 }
2136 }
2137
2138 if (!NT_STATUS_IS_OK(result) && !got_info && contact_domain) {
2139
2140 NTSTATUS policy_ret;
2141
2142 policy_ret = fillup_password_policy(contact_domain, state);
2143
2144 /* failure of this is non critical, it will just provide no
2145 * additional information to the client why the change has
2146 * failed - Guenther */
2147
2148 if (!NT_STATUS_IS_OK(policy_ret)) {
2149 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(policy_ret)));
2150 goto process_result;
2151 }
2152 }
2153
2154 process_result:
2155
2156 state->response.data.auth.nt_status = NT_STATUS_V(result);
2157 fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
2158 fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
2159 state->response.data.auth.pam_error = nt_status_to_pam(result);
2160
2161 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2162 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2163 domain,
2164 user,
2165 state->response.data.auth.nt_status_string,
2166 state->response.data.auth.pam_error));
2167
2168 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2169 }
2170
2171 void winbindd_pam_logoff(struct winbindd_cli_state *state)
2172 {
2173 struct winbindd_domain *domain;
2174 fstring name_domain, user;
2175 uid_t caller_uid = (uid_t)-1;
2176 uid_t request_uid = state->request.data.logoff.uid;
2177
2178 DEBUG(3, ("[%5lu]: pam logoff %s\n", (unsigned long)state->pid,
2179 state->request.data.logoff.user));
2180
2181 /* Ensure null termination */
2182 state->request.data.logoff.user
2183 [sizeof(state->request.data.logoff.user)-1]='\0';
2184
2185 state->request.data.logoff.krb5ccname
2186 [sizeof(state->request.data.logoff.krb5ccname)-1]='\0';
2187
2188 if (request_uid == (gid_t)-1) {
2189 goto failed;
2190 }
2191
2192 if (!canonicalize_username(state->request.data.logoff.user, name_domain, user)) {
2193 goto failed;
2194 }
2195
2196 if ((domain = find_auth_domain(state, name_domain)) == NULL) {
2197 goto failed;
2198 }
2199
2200 if ((sys_getpeereid(state->sock, &caller_uid)) != 0) {
2201 DEBUG(1,("winbindd_pam_logoff: failed to check peerid: %s\n",
2202 strerror(errno)));
2203 goto failed;
2204 }
2205
2206 switch (caller_uid) {
2207 case -1:
2208 goto failed;
2209 case 0:
2210 /* root must be able to logoff any user - gd */
2211 state->request.data.logoff.uid = request_uid;
2212 break;
2213 default:
2214 if (caller_uid != request_uid) {
2215 DEBUG(1,("winbindd_pam_logoff: caller requested invalid uid\n"));
2216 goto failed;
2217 }
2218 state->request.data.logoff.uid = caller_uid;
2219 break;
2220 }
2221
2222 sendto_domain(state, domain);
2223 return;
2224
2225 failed:
2226 set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
2227 DEBUG(5, ("Pam Logoff for %s returned %s "
2228 "(PAM: %d)\n",
2229 state->request.data.logoff.user,
2230 state->response.data.auth.nt_status_string,
2231 state->response.data.auth.pam_error));
2232 request_error(state);
2233 return;
2234 }
2235
2236 enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
2237 struct winbindd_cli_state *state)
2238 {
2239 NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
2240
2241 DEBUG(3, ("[%5lu]: pam dual logoff %s\n", (unsigned long)state->pid,
2242 state->request.data.logoff.user));
2243
2244 if (!(state->request.flags & WBFLAG_PAM_KRB5)) {
2245 result = NT_STATUS_OK;
2246 goto process_result;
2247 }
2248
2249 if (state->request.data.logoff.krb5ccname[0] == '\0') {
2250 result = NT_STATUS_OK;
2251 goto process_result;
2252 }
2253
2254 #ifdef HAVE_KRB5
2255
2256 if (state->request.data.logoff.uid < 0) {
2257 DEBUG(0,("winbindd_pam_logoff: invalid uid\n"));
2258 goto process_result;
2259 }
2260
2261 /* what we need here is to find the corresponding krb5 ccache name *we*
2262 * created for a given username and destroy it */
2263
2264 if (!ccache_entry_exists(state->request.data.logoff.user)) {
2265 result = NT_STATUS_OK;
2266 DEBUG(10,("winbindd_pam_logoff: no entry found.\n"));
2267 goto process_result;
2268 }
2269
2270 if (!ccache_entry_identical(state->request.data.logoff.user,
2271 state->request.data.logoff.uid,
2272 state->request.data.logoff.krb5ccname)) {
2273 DEBUG(0,("winbindd_pam_logoff: cached entry differs.\n"));
2274 goto process_result;
2275 }
2276
2277 result = remove_ccache(state->request.data.logoff.user);
2278 if (!NT_STATUS_IS_OK(result)) {
2279 DEBUG(0,("winbindd_pam_logoff: failed to remove ccache: %s\n",
2280 nt_errstr(result)));
2281 goto process_result;
2282 }
2283
2284 #else
2285 result = NT_STATUS_NOT_SUPPORTED;
2286 #endif
2287
2288 process_result:
2289
2290 winbindd_delete_memory_creds(state->request.data.logoff.user);
2291
2292 state->response.data.auth.nt_status = NT_STATUS_V(result);
2293 fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
2294 fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
2295 state->response.data.auth.pam_error = nt_status_to_pam(result);
2296
2297 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2298 }
2299
2300 /* Change user password with auth crap*/
2301
2302 void winbindd_pam_chng_pswd_auth_crap(struct winbindd_cli_state *state)
2303 {
2304 struct winbindd_domain *domain = NULL;
2305 const char *domain_name = NULL;
2306
2307 /* Ensure null termination */
2308 state->request.data.chng_pswd_auth_crap.user[
2309 sizeof(state->request.data.chng_pswd_auth_crap.user)-1]=0;
2310 state->request.data.chng_pswd_auth_crap.domain[
2311 sizeof(state->request.data.chng_pswd_auth_crap.domain)-1]=0;
2312
2313 DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
2314 (unsigned long)state->pid,
2315 state->request.data.chng_pswd_auth_crap.domain,
2316 state->request.data.chng_pswd_auth_crap.user));
2317
2318 if (*state->request.data.chng_pswd_auth_crap.domain != '\0') {
2319 domain_name = state->request.data.chng_pswd_auth_crap.domain;
2320 } else if (lp_winbind_use_default_domain()) {
2321 domain_name = lp_workgroup();
2322 }
2323
2324 if (domain_name != NULL)
2325 domain = find_domain_from_name(domain_name);
2326
2327 if (domain != NULL) {
2328 DEBUG(7, ("[%5lu]: pam auth crap changing pswd in domain: "
2329 "%s\n", (unsigned long)state->pid,domain->name));
2330 sendto_domain(state, domain);
2331 return;
2332 }
2333
2334 set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
2335 DEBUG(5, ("CRAP change password for %s\\%s returned %s (PAM: %d)\n",
2336 state->request.data.chng_pswd_auth_crap.domain,
2337 state->request.data.chng_pswd_auth_crap.user,
2338 state->response.data.auth.nt_status_string,
2339 state->response.data.auth.pam_error));
2340 request_error(state);
2341 return;
2342 }
2343
2344 enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domain *domainSt, struct winbindd_cli_state *state)
2345 {
2346 NTSTATUS result;
2347 DATA_BLOB new_nt_password;
2348 DATA_BLOB old_nt_hash_enc;
2349 DATA_BLOB new_lm_password;
2350 DATA_BLOB old_lm_hash_enc;
2351 fstring domain,user;
2352 POLICY_HND dom_pol;
2353 struct winbindd_domain *contact_domain = domainSt;
2354 struct rpc_pipe_client *cli;
2355
2356 /* Ensure null termination */
2357 state->request.data.chng_pswd_auth_crap.user[
2358 sizeof(state->request.data.chng_pswd_auth_crap.user)-1]=0;
2359 state->request.data.chng_pswd_auth_crap.domain[
2360 sizeof(state->request.data.chng_pswd_auth_crap.domain)-1]=0;
2361 *domain = 0;
2362 *user = 0;
2363
2364 DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
2365 (unsigned long)state->pid,
2366 state->request.data.chng_pswd_auth_crap.domain,
2367 state->request.data.chng_pswd_auth_crap.user));
2368
2369 if (lp_winbind_offline_logon()) {
2370 DEBUG(0,("Refusing password change as winbind offline logons are enabled. "));
2371 DEBUGADD(0,("Changing passwords here would risk inconsistent logons\n"));
2372 result = NT_STATUS_ACCESS_DENIED;
2373 goto done;
2374 }
2375
2376 if (*state->request.data.chng_pswd_auth_crap.domain) {
2377 fstrcpy(domain,state->request.data.chng_pswd_auth_crap.domain);
2378 } else {
2379 parse_domain_user(state->request.data.chng_pswd_auth_crap.user,
2380 domain, user);
2381
2382 if(!*domain) {
2383 DEBUG(3,("no domain specified with username (%s) - "
2384 "failing auth\n",
2385 state->request.data.chng_pswd_auth_crap.user));
2386 result = NT_STATUS_NO_SUCH_USER;
2387 goto done;
2388 }
2389 }
2390
2391 if (!*domain && lp_winbind_use_default_domain()) {
2392 fstrcpy(domain,(char *)lp_workgroup());
2393 }
2394
2395 if(!*user) {
2396 fstrcpy(user, state->request.data.chng_pswd_auth_crap.user);
2397 }
2398
2399 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n",
2400 (unsigned long)state->pid, domain, user));
2401
2402 /* Change password */
2403 new_nt_password = data_blob_talloc(
2404 state->mem_ctx,
2405 state->request.data.chng_pswd_auth_crap.new_nt_pswd,
2406 state->request.data.chng_pswd_auth_crap.new_nt_pswd_len);
2407
2408 old_nt_hash_enc = data_blob_talloc(
2409 state->mem_ctx,
2410 state->request.data.chng_pswd_auth_crap.old_nt_hash_enc,
2411 state->request.data.chng_pswd_auth_crap.old_nt_hash_enc_len);
2412
2413 if(state->request.data.chng_pswd_auth_crap.new_lm_pswd_len > 0) {
2414 new_lm_password = data_blob_talloc(
2415 state->mem_ctx,
2416 state->request.data.chng_pswd_auth_crap.new_lm_pswd,
2417 state->request.data.chng_pswd_auth_crap.new_lm_pswd_len);
2418
2419 old_lm_hash_enc = data_blob_talloc(
2420 state->mem_ctx,
2421 state->request.data.chng_pswd_auth_crap.old_lm_hash_enc,
2422 state->request.data.chng_pswd_auth_crap.old_lm_hash_enc_len);
2423 } else {
2424 new_lm_password.length = 0;
2425 old_lm_hash_enc.length = 0;
2426 }
2427
2428 /* Get sam handle */
2429
2430 result = cm_connect_sam(contact_domain, state->mem_ctx, &cli, &dom_pol);
2431 if (!NT_STATUS_IS_OK(result)) {
2432 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
2433 goto done;
2434 }
2435
2436 result = rpccli_samr_chng_pswd_auth_crap(
2437 cli, state->mem_ctx, user, new_nt_password, old_nt_hash_enc,
2438 new_lm_password, old_lm_hash_enc);
2439
2440 done:
2441 state->response.data.auth.nt_status = NT_STATUS_V(result);
2442 fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
2443 fstrcpy(state->response.data.auth.error_string,
2444 get_friendly_nt_error_msg(result));
2445 state->response.data.auth.pam_error = nt_status_to_pam(result);
2446
2447 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2448 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2449 domain, user,
2450 state->response.data.auth.nt_status_string,
2451 state->response.data.auth.pam_error));
2452
2453 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2454 }