2 Unix SMB/CIFS implementation.
4 Winbind client authentication mechanism designed to defer all
5 authentication to the winbind daemon.
7 Copyright (C) Tim Potter 2000
8 Copyright (C) Andrew Bartlett 2001 - 2002
9 Copyright (C) Dan Sledz 2009
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 /* This auth module is very similar to auth_winbind with 3 distinct
28 * 1) Does not fallback to another auth module if winbindd is unavailable
29 * 2) Does not validate the domain of the user
30 * 3) Handles unencrypted passwords
32 * The purpose of this module is to defer all authentication decisions (ie:
33 * local user vs NIS vs LDAP vs AD; encrypted vs plaintext) to the wbc
34 * compatible daemon. This centeralizes all authentication decisions to a
37 * This auth backend is most useful when used in conjunction with pdb_wbc_sam.
43 #define DBGC_CLASS DBGC_AUTH
45 /* Authenticate a user with a challenge/response */
47 static NTSTATUS
check_wbc_security(const struct auth_context
*auth_context
,
48 void *my_private_data
,
50 const struct auth_usersupplied_info
*user_info
,
51 struct auth_serversupplied_info
**server_info
)
55 struct wbcAuthUserParams params
;
56 struct wbcAuthUserInfo
*info
= NULL
;
57 struct wbcAuthErrorInfo
*err
= NULL
;
59 if (!user_info
|| !auth_context
|| !server_info
) {
60 return NT_STATUS_INVALID_PARAMETER
;
62 /* Send off request */
64 params
.account_name
= user_info
->smb_name
;
65 params
.domain_name
= user_info
->domain
;
66 params
.workstation_name
= user_info
->wksta_name
;
69 params
.parameter_control
= user_info
->logon_parameters
;
71 /* Handle plaintext */
72 if (!user_info
->encrypted
) {
73 DEBUG(3,("Checking plaintext password for %s.\n",
74 user_info
->internal_username
));
75 params
.level
= WBC_AUTH_USER_LEVEL_PLAIN
;
77 params
.password
.plaintext
= (char *)user_info
->plaintext_password
.data
;
79 DEBUG(3,("Checking encrypted password for %s.\n",
80 user_info
->internal_username
));
81 params
.level
= WBC_AUTH_USER_LEVEL_RESPONSE
;
83 memcpy(params
.password
.response
.challenge
,
84 auth_context
->challenge
.data
,
85 sizeof(params
.password
.response
.challenge
));
87 params
.password
.response
.nt_length
= user_info
->nt_resp
.length
;
88 params
.password
.response
.nt_data
= user_info
->nt_resp
.data
;
89 params
.password
.response
.lm_length
= user_info
->lm_resp
.length
;
90 params
.password
.response
.lm_data
= user_info
->lm_resp
.data
;
94 /* we are contacting the privileged pipe */
96 wbc_status
= wbcAuthenticateUserEx(¶ms
, &info
, &err
);
99 if (!WBC_ERROR_IS_OK(wbc_status
)) {
100 DEBUG(10,("wbcAuthenticateUserEx failed (%d): %s\n",
101 wbc_status
, wbcErrorString(wbc_status
)));
104 if (wbc_status
== WBC_ERR_NO_MEMORY
) {
105 return NT_STATUS_NO_MEMORY
;
108 if (wbc_status
== WBC_ERR_AUTH_ERROR
) {
109 nt_status
= NT_STATUS(err
->nt_status
);
114 if (!WBC_ERROR_IS_OK(wbc_status
)) {
115 return NT_STATUS_LOGON_FAILURE
;
118 DEBUG(10,("wbcAuthenticateUserEx succeeded\n"));
120 nt_status
= make_server_info_wbcAuthUserInfo(mem_ctx
,
125 if (!NT_STATUS_IS_OK(nt_status
)) {
129 (*server_info
)->nss_token
|= user_info
->was_mapped
;
134 /* module initialisation */
135 static NTSTATUS
auth_init_wbc(struct auth_context
*auth_context
, const char *param
, auth_methods
**auth_method
)
137 if (!make_auth_methods(auth_context
, auth_method
)) {
138 return NT_STATUS_NO_MEMORY
;
141 (*auth_method
)->name
= "wbc";
142 (*auth_method
)->auth
= check_wbc_security
;
147 NTSTATUS
auth_wbc_init(void)
149 return smb_register_auth(AUTH_INTERFACE_VERSION
, "wbc", auth_init_wbc
);