2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Volker Lendecke 2010
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "../lib/crypto/arcfour.h"
22 #include "../librpc/gen_ndr/netlogon.h"
25 #define DBGC_CLASS DBGC_AUTH
27 /* FIXME: do we really still need this ? */
28 static int server_info_dtor(struct auth_serversupplied_info
*server_info
)
30 TALLOC_FREE(server_info
->info3
);
31 ZERO_STRUCTP(server_info
);
35 /***************************************************************************
36 Make a server_info struct. Free with TALLOC_FREE().
37 ***************************************************************************/
39 struct auth_serversupplied_info
*make_server_info(TALLOC_CTX
*mem_ctx
)
41 struct auth_serversupplied_info
*result
;
43 result
= TALLOC_ZERO_P(mem_ctx
, struct auth_serversupplied_info
);
45 DEBUG(0, ("talloc failed\n"));
49 talloc_set_destructor(result
, server_info_dtor
);
51 /* Initialise the uid and gid values to something non-zero
52 which may save us from giving away root access if there
53 is a bug in allocating these fields. */
55 result
->utok
.uid
= -1;
56 result
->utok
.gid
= -1;
61 /****************************************************************************
62 inits a netr_SamInfo2 structure from an auth_serversupplied_info. sam2 must
63 already be initialized and is used as the talloc parent for its members.
64 *****************************************************************************/
66 NTSTATUS
serverinfo_to_SamInfo2(struct auth_serversupplied_info
*server_info
,
67 uint8_t *pipe_session_key
,
68 size_t pipe_session_key_len
,
69 struct netr_SamInfo2
*sam2
)
71 struct netr_SamInfo3
*info3
;
73 info3
= copy_netr_SamInfo3(sam2
, server_info
->info3
);
75 return NT_STATUS_NO_MEMORY
;
78 if (server_info
->user_session_key
.length
) {
79 memcpy(info3
->base
.key
.key
,
80 server_info
->user_session_key
.data
,
81 MIN(sizeof(info3
->base
.key
.key
),
82 server_info
->user_session_key
.length
));
83 if (pipe_session_key
) {
84 arcfour_crypt(info3
->base
.key
.key
,
85 pipe_session_key
, 16);
88 if (server_info
->lm_session_key
.length
) {
89 memcpy(info3
->base
.LMSessKey
.key
,
90 server_info
->lm_session_key
.data
,
91 MIN(sizeof(info3
->base
.LMSessKey
.key
),
92 server_info
->lm_session_key
.length
));
93 if (pipe_session_key
) {
94 arcfour_crypt(info3
->base
.LMSessKey
.key
,
99 sam2
->base
= info3
->base
;
104 /****************************************************************************
105 inits a netr_SamInfo3 structure from an auth_serversupplied_info. sam3 must
106 already be initialized and is used as the talloc parent for its members.
107 *****************************************************************************/
109 NTSTATUS
serverinfo_to_SamInfo3(struct auth_serversupplied_info
*server_info
,
110 uint8_t *pipe_session_key
,
111 size_t pipe_session_key_len
,
112 struct netr_SamInfo3
*sam3
)
114 struct netr_SamInfo3
*info3
;
116 info3
= copy_netr_SamInfo3(sam3
, server_info
->info3
);
118 return NT_STATUS_NO_MEMORY
;
121 if (server_info
->user_session_key
.length
) {
122 memcpy(info3
->base
.key
.key
,
123 server_info
->user_session_key
.data
,
124 MIN(sizeof(info3
->base
.key
.key
),
125 server_info
->user_session_key
.length
));
126 if (pipe_session_key
) {
127 arcfour_crypt(info3
->base
.key
.key
,
128 pipe_session_key
, 16);
131 if (server_info
->lm_session_key
.length
) {
132 memcpy(info3
->base
.LMSessKey
.key
,
133 server_info
->lm_session_key
.data
,
134 MIN(sizeof(info3
->base
.LMSessKey
.key
),
135 server_info
->lm_session_key
.length
));
136 if (pipe_session_key
) {
137 arcfour_crypt(info3
->base
.LMSessKey
.key
,
138 pipe_session_key
, 8);
142 sam3
->base
= info3
->base
;
150 /****************************************************************************
151 inits a netr_SamInfo6 structure from an auth_serversupplied_info. sam6 must
152 already be initialized and is used as the talloc parent for its members.
153 *****************************************************************************/
155 NTSTATUS
serverinfo_to_SamInfo6(struct auth_serversupplied_info
*server_info
,
156 uint8_t *pipe_session_key
,
157 size_t pipe_session_key_len
,
158 struct netr_SamInfo6
*sam6
)
160 struct pdb_domain_info
*dominfo
;
161 struct netr_SamInfo3
*info3
;
163 if ((pdb_capabilities() & PDB_CAP_ADS
) == 0) {
164 DEBUG(10,("Not adding validation info level 6 "
165 "without ADS passdb backend\n"));
166 return NT_STATUS_INVALID_INFO_CLASS
;
169 dominfo
= pdb_get_domain_info(sam6
);
170 if (dominfo
== NULL
) {
171 return NT_STATUS_NO_MEMORY
;
174 info3
= copy_netr_SamInfo3(sam6
, server_info
->info3
);
176 return NT_STATUS_NO_MEMORY
;
179 if (server_info
->user_session_key
.length
) {
180 memcpy(info3
->base
.key
.key
,
181 server_info
->user_session_key
.data
,
182 MIN(sizeof(info3
->base
.key
.key
),
183 server_info
->user_session_key
.length
));
184 if (pipe_session_key
) {
185 arcfour_crypt(info3
->base
.key
.key
,
186 pipe_session_key
, 16);
189 if (server_info
->lm_session_key
.length
) {
190 memcpy(info3
->base
.LMSessKey
.key
,
191 server_info
->lm_session_key
.data
,
192 MIN(sizeof(info3
->base
.LMSessKey
.key
),
193 server_info
->lm_session_key
.length
));
194 if (pipe_session_key
) {
195 arcfour_crypt(info3
->base
.LMSessKey
.key
,
196 pipe_session_key
, 8);
200 sam6
->base
= info3
->base
;
205 sam6
->dns_domainname
.string
= talloc_strdup(sam6
, dominfo
->dns_domain
);
206 if (sam6
->dns_domainname
.string
== NULL
) {
207 return NT_STATUS_NO_MEMORY
;
210 sam6
->principle
.string
= talloc_asprintf(sam6
, "%s@%s",
211 sam6
->base
.account_name
.string
,
212 sam6
->dns_domainname
.string
);
213 if (sam6
->principle
.string
== NULL
) {
214 return NT_STATUS_NO_MEMORY
;
220 static NTSTATUS
append_netr_SidAttr(TALLOC_CTX
*mem_ctx
,
221 struct netr_SidAttr
**sids
,
223 const struct dom_sid2
*asid
,
228 *sids
= talloc_realloc(mem_ctx
, *sids
, struct netr_SidAttr
, t
+ 1);
230 return NT_STATUS_NO_MEMORY
;
232 (*sids
)[t
].sid
= sid_dup_talloc(*sids
, asid
);
233 if ((*sids
)[t
].sid
== NULL
) {
234 return NT_STATUS_NO_MEMORY
;
236 (*sids
)[t
].attributes
= attributes
;
242 /* Fils the samr_RidWithAttributeArray with the provided sids.
243 * If it happens that we have additional groups that do not belong
244 * to the domain, add their sids as extra sids */
245 static NTSTATUS
group_sids_to_info3(struct netr_SamInfo3
*info3
,
246 const struct dom_sid
*sids
,
249 uint32_t attributes
= SE_GROUP_MANDATORY
|
250 SE_GROUP_ENABLED_BY_DEFAULT
|
252 struct samr_RidWithAttributeArray
*groups
;
253 struct dom_sid
*domain_sid
;
259 domain_sid
= info3
->base
.domain_sid
;
260 groups
= &info3
->base
.groups
;
262 groups
->rids
= talloc_array(info3
,
263 struct samr_RidWithAttribute
, num_sids
);
265 return NT_STATUS_NO_MEMORY
;
268 for (i
= 0; i
< num_sids
; i
++) {
269 ok
= sid_peek_check_rid(domain_sid
, &sids
[i
], &rid
);
272 /* if it is the primary gid, skip it, we
273 * obviously already have it */
274 if (info3
->base
.primary_gid
== rid
) continue;
276 /* store domain group rid */
277 groups
->rids
[i
].rid
= rid
;
278 groups
->rids
[i
].attributes
= attributes
;
283 /* if this wasn't a domain sid, add it as extra sid */
284 status
= append_netr_SidAttr(info3
, &info3
->sids
,
286 &sids
[i
], attributes
);
287 if (!NT_STATUS_IS_OK(status
)) {
295 #define RET_NOMEM(ptr) do { \
297 TALLOC_FREE(info3); \
298 return NT_STATUS_NO_MEMORY; \
301 NTSTATUS
samu_to_SamInfo3(TALLOC_CTX
*mem_ctx
,
303 const char *login_server
,
304 struct netr_SamInfo3
**_info3
,
305 struct extra_auth_info
*extra
)
307 struct netr_SamInfo3
*info3
;
308 const struct dom_sid
*user_sid
;
309 const struct dom_sid
*group_sid
;
310 struct dom_sid domain_sid
;
311 struct dom_sid
*group_sids
;
312 size_t num_group_sids
= 0;
318 user_sid
= pdb_get_user_sid(samu
);
319 group_sid
= pdb_get_group_sid(samu
);
321 if (!user_sid
|| !group_sid
) {
322 DEBUG(1, ("Sam account is missing sids!\n"));
323 return NT_STATUS_UNSUCCESSFUL
;
326 info3
= talloc_zero(mem_ctx
, struct netr_SamInfo3
);
328 return NT_STATUS_NO_MEMORY
;
331 ZERO_STRUCT(domain_sid
);
333 /* check if this is a "Unix Users" domain user,
334 * we need to handle it in a special way if that's the case */
335 if (sid_compare_domain(user_sid
, &global_sid_Unix_Users
) == 0) {
336 /* in info3 you can only set rids for the user and the
337 * primary group, and the domain sid must be that of
340 * Store a completely bogus value here.
341 * The real SID is stored in the extra sids.
342 * Other code will know to look there if (-1) is found
344 info3
->base
.rid
= (uint32_t)(-1);
345 sid_copy(&extra
->user_sid
, user_sid
);
347 DEBUG(10, ("Unix User found in struct samu. Rid marked as "
348 "special and sid (%s) saved as extra sid\n",
349 sid_string_dbg(user_sid
)));
351 sid_copy(&domain_sid
, user_sid
);
352 sid_split_rid(&domain_sid
, &info3
->base
.rid
);
355 if (is_null_sid(&domain_sid
)) {
356 sid_copy(&domain_sid
, get_global_sam_sid());
359 /* check if this is a "Unix Groups" domain group,
360 * if so we need special handling */
361 if (sid_compare_domain(group_sid
, &global_sid_Unix_Groups
) == 0) {
362 /* in info3 you can only set rids for the user and the
363 * primary group, and the domain sid must be that of
366 * Store a completely bogus value here.
367 * The real SID is stored in the extra sids.
368 * Other code will know to look there if (-1) is found
370 info3
->base
.primary_gid
= (uint32_t)(-1);
371 sid_copy(&extra
->pgid_sid
, group_sid
);
373 DEBUG(10, ("Unix Group found in struct samu. Rid marked as "
374 "special and sid (%s) saved as extra sid\n",
375 sid_string_dbg(group_sid
)));
378 ok
= sid_peek_check_rid(&domain_sid
, group_sid
,
379 &info3
->base
.primary_gid
);
381 DEBUG(1, ("The primary group domain sid(%s) does not "
382 "match the domain sid(%s) for %s(%s)\n",
383 sid_string_dbg(group_sid
),
384 sid_string_dbg(&domain_sid
),
385 pdb_get_username(samu
),
386 sid_string_dbg(user_sid
)));
388 return NT_STATUS_UNSUCCESSFUL
;
392 unix_to_nt_time(&info3
->base
.last_logon
, pdb_get_logon_time(samu
));
393 unix_to_nt_time(&info3
->base
.last_logoff
, get_time_t_max());
394 unix_to_nt_time(&info3
->base
.acct_expiry
, get_time_t_max());
395 unix_to_nt_time(&info3
->base
.last_password_change
,
396 pdb_get_pass_last_set_time(samu
));
397 unix_to_nt_time(&info3
->base
.allow_password_change
,
398 pdb_get_pass_can_change_time(samu
));
399 unix_to_nt_time(&info3
->base
.force_password_change
,
400 pdb_get_pass_must_change_time(samu
));
402 tmp
= pdb_get_username(samu
);
404 info3
->base
.account_name
.string
= talloc_strdup(info3
, tmp
);
405 RET_NOMEM(info3
->base
.account_name
.string
);
407 tmp
= pdb_get_fullname(samu
);
409 info3
->base
.full_name
.string
= talloc_strdup(info3
, tmp
);
410 RET_NOMEM(info3
->base
.full_name
.string
);
412 tmp
= pdb_get_logon_script(samu
);
414 info3
->base
.logon_script
.string
= talloc_strdup(info3
, tmp
);
415 RET_NOMEM(info3
->base
.logon_script
.string
);
417 tmp
= pdb_get_profile_path(samu
);
419 info3
->base
.profile_path
.string
= talloc_strdup(info3
, tmp
);
420 RET_NOMEM(info3
->base
.profile_path
.string
);
422 tmp
= pdb_get_homedir(samu
);
424 info3
->base
.home_directory
.string
= talloc_strdup(info3
, tmp
);
425 RET_NOMEM(info3
->base
.home_directory
.string
);
427 tmp
= pdb_get_dir_drive(samu
);
429 info3
->base
.home_drive
.string
= talloc_strdup(info3
, tmp
);
430 RET_NOMEM(info3
->base
.home_drive
.string
);
433 info3
->base
.logon_count
= pdb_get_logon_count(samu
);
434 info3
->base
.bad_password_count
= pdb_get_bad_password_count(samu
);
436 status
= pdb_enum_group_memberships(mem_ctx
, samu
,
439 if (!NT_STATUS_IS_OK(status
)) {
440 DEBUG(1, ("Failed to get groups from sam account.\n"));
445 if (num_group_sids
) {
446 status
= group_sids_to_info3(info3
, group_sids
, num_group_sids
);
447 if (!NT_STATUS_IS_OK(status
)) {
453 /* We don't need sids and gids after the conversion */
454 TALLOC_FREE(group_sids
);
458 /* FIXME: should we add other flags ? */
459 info3
->base
.user_flags
= NETLOGON_EXTRA_SIDS
;
462 info3
->base
.logon_server
.string
= talloc_strdup(info3
, login_server
);
463 RET_NOMEM(info3
->base
.logon_server
.string
);
466 info3
->base
.domain
.string
= talloc_strdup(info3
,
467 pdb_get_domain(samu
));
468 RET_NOMEM(info3
->base
.domain
.string
);
470 info3
->base
.domain_sid
= sid_dup_talloc(info3
, &domain_sid
);
471 RET_NOMEM(info3
->base
.domain_sid
);
473 info3
->base
.acct_flags
= pdb_get_acct_ctrl(samu
);
481 #define RET_NOMEM(ptr) do { \
483 TALLOC_FREE(info3); \
487 struct netr_SamInfo3
*copy_netr_SamInfo3(TALLOC_CTX
*mem_ctx
,
488 struct netr_SamInfo3
*orig
)
490 struct netr_SamInfo3
*info3
;
493 info3
= talloc_zero(mem_ctx
, struct netr_SamInfo3
);
494 if (!info3
) return NULL
;
496 /* first copy all, then realloc pointers */
497 info3
->base
= orig
->base
;
499 if (orig
->base
.account_name
.string
) {
500 info3
->base
.account_name
.string
=
501 talloc_strdup(info3
, orig
->base
.account_name
.string
);
502 RET_NOMEM(info3
->base
.account_name
.string
);
504 if (orig
->base
.full_name
.string
) {
505 info3
->base
.full_name
.string
=
506 talloc_strdup(info3
, orig
->base
.full_name
.string
);
507 RET_NOMEM(info3
->base
.full_name
.string
);
509 if (orig
->base
.logon_script
.string
) {
510 info3
->base
.logon_script
.string
=
511 talloc_strdup(info3
, orig
->base
.logon_script
.string
);
512 RET_NOMEM(info3
->base
.logon_script
.string
);
514 if (orig
->base
.profile_path
.string
) {
515 info3
->base
.profile_path
.string
=
516 talloc_strdup(info3
, orig
->base
.profile_path
.string
);
517 RET_NOMEM(info3
->base
.profile_path
.string
);
519 if (orig
->base
.home_directory
.string
) {
520 info3
->base
.home_directory
.string
=
521 talloc_strdup(info3
, orig
->base
.home_directory
.string
);
522 RET_NOMEM(info3
->base
.home_directory
.string
);
524 if (orig
->base
.home_drive
.string
) {
525 info3
->base
.home_drive
.string
=
526 talloc_strdup(info3
, orig
->base
.home_drive
.string
);
527 RET_NOMEM(info3
->base
.home_drive
.string
);
530 if (orig
->base
.groups
.count
) {
531 info3
->base
.groups
.rids
= (struct samr_RidWithAttribute
*)
532 talloc_memdup(info3
, orig
->base
.groups
.rids
,
533 (sizeof(struct samr_RidWithAttribute
) *
534 orig
->base
.groups
.count
));
535 RET_NOMEM(info3
->base
.groups
.rids
);
538 if (orig
->base
.logon_server
.string
) {
539 info3
->base
.logon_server
.string
=
540 talloc_strdup(info3
, orig
->base
.logon_server
.string
);
541 RET_NOMEM(info3
->base
.logon_server
.string
);
543 if (orig
->base
.domain
.string
) {
544 info3
->base
.domain
.string
=
545 talloc_strdup(info3
, orig
->base
.domain
.string
);
546 RET_NOMEM(info3
->base
.domain
.string
);
549 if (orig
->base
.domain_sid
) {
550 info3
->base
.domain_sid
= sid_dup_talloc(info3
, orig
->base
.domain_sid
);
551 RET_NOMEM(info3
->base
.domain_sid
);
554 if (orig
->sidcount
) {
555 info3
->sidcount
= orig
->sidcount
;
556 info3
->sids
= talloc_array(info3
, struct netr_SidAttr
,
558 RET_NOMEM(info3
->sids
);
559 for (i
= 0; i
< orig
->sidcount
; i
++) {
560 info3
->sids
[i
].sid
= sid_dup_talloc(info3
->sids
,
562 RET_NOMEM(info3
->sids
[i
].sid
);
563 info3
->sids
[i
].attributes
=
564 orig
->sids
[i
].attributes
;
571 static NTSTATUS
wbcsids_to_samr_RidWithAttributeArray(
573 struct samr_RidWithAttributeArray
*groups
,
574 const struct dom_sid
*domain_sid
,
575 const struct wbcSidWithAttr
*sids
,
581 groups
->rids
= talloc_array(mem_ctx
,
582 struct samr_RidWithAttribute
, num_sids
);
584 return NT_STATUS_NO_MEMORY
;
587 /* a wbcDomainSid is the same as a dom_sid */
588 for (i
= 0; i
< num_sids
; i
++) {
589 ok
= sid_peek_check_rid(domain_sid
,
590 (const struct dom_sid
*)&sids
[i
].sid
,
591 &groups
->rids
[i
].rid
);
594 groups
->rids
[i
].attributes
= SE_GROUP_MANDATORY
|
595 SE_GROUP_ENABLED_BY_DEFAULT
|
603 struct netr_SamInfo3
*wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX
*mem_ctx
,
604 const struct wbcAuthUserInfo
*info
)
606 struct netr_SamInfo3
*info3
;
607 struct dom_sid user_sid
;
608 struct dom_sid group_sid
;
609 struct dom_sid domain_sid
;
613 memcpy(&user_sid
, &info
->sids
[0].sid
, sizeof(user_sid
));
614 memcpy(&group_sid
, &info
->sids
[1].sid
, sizeof(group_sid
));
616 info3
= talloc_zero(mem_ctx
, struct netr_SamInfo3
);
617 if (!info3
) return NULL
;
619 info3
->base
.last_logon
= info
->logon_time
;
620 info3
->base
.last_logoff
= info
->logoff_time
;
621 info3
->base
.acct_expiry
= info
->kickoff_time
;
622 info3
->base
.last_password_change
= info
->pass_last_set_time
;
623 info3
->base
.allow_password_change
= info
->pass_can_change_time
;
624 info3
->base
.force_password_change
= info
->pass_must_change_time
;
626 if (info
->account_name
) {
627 info3
->base
.account_name
.string
=
628 talloc_strdup(info3
, info
->account_name
);
629 RET_NOMEM(info3
->base
.account_name
.string
);
631 if (info
->full_name
) {
632 info3
->base
.full_name
.string
=
633 talloc_strdup(info3
, info
->full_name
);
634 RET_NOMEM(info3
->base
.full_name
.string
);
636 if (info
->logon_script
) {
637 info3
->base
.logon_script
.string
=
638 talloc_strdup(info3
, info
->logon_script
);
639 RET_NOMEM(info3
->base
.logon_script
.string
);
641 if (info
->profile_path
) {
642 info3
->base
.profile_path
.string
=
643 talloc_strdup(info3
, info
->profile_path
);
644 RET_NOMEM(info3
->base
.profile_path
.string
);
646 if (info
->home_directory
) {
647 info3
->base
.home_directory
.string
=
648 talloc_strdup(info3
, info
->home_directory
);
649 RET_NOMEM(info3
->base
.home_directory
.string
);
651 if (info
->home_drive
) {
652 info3
->base
.home_drive
.string
=
653 talloc_strdup(info3
, info
->home_drive
);
654 RET_NOMEM(info3
->base
.home_drive
.string
);
657 info3
->base
.logon_count
= info
->logon_count
;
658 info3
->base
.bad_password_count
= info
->bad_password_count
;
660 sid_copy(&domain_sid
, &user_sid
);
661 sid_split_rid(&domain_sid
, &info3
->base
.rid
);
663 ok
= sid_peek_check_rid(&domain_sid
, &group_sid
,
664 &info3
->base
.primary_gid
);
666 DEBUG(1, ("The primary group sid domain does not"
667 "match user sid domain for user: %s\n",
668 info
->account_name
));
673 status
= wbcsids_to_samr_RidWithAttributeArray(info3
,
678 if (!NT_STATUS_IS_OK(status
)) {
683 info3
->base
.user_flags
= info
->user_flags
;
684 memcpy(info3
->base
.key
.key
, info
->user_session_key
, 16);
686 if (info
->logon_server
) {
687 info3
->base
.logon_server
.string
=
688 talloc_strdup(info3
, info
->logon_server
);
689 RET_NOMEM(info3
->base
.logon_server
.string
);
691 if (info
->domain_name
) {
692 info3
->base
.domain
.string
=
693 talloc_strdup(info3
, info
->domain_name
);
694 RET_NOMEM(info3
->base
.domain
.string
);
697 info3
->base
.domain_sid
= sid_dup_talloc(info3
, &domain_sid
);
698 RET_NOMEM(info3
->base
.domain_sid
);
700 memcpy(info3
->base
.LMSessKey
.key
, info
->lm_session_key
, 8);
701 info3
->base
.acct_flags
= info
->acct_flags
;