source3/auth/auth_wbc.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Winbind client authentication mechanism designed to defer all
   5    authentication to the winbind daemon.
   6
   7    Copyright (C) Tim Potter 2000
   8    Copyright (C) Andrew Bartlett 2001 - 2002
   9    Copyright (C) Dan Sledz 2009
  10
  11    This program is free software; you can redistribute it and/or modify
  12    it under the terms of the GNU General Public License as published by
  13    the Free Software Foundation; either version 3 of the License, or
  14    (at your option) any later version.
  15
  16    This program is distributed in the hope that it will be useful,
  17    but WITHOUT ANY WARRANTY; without even the implied warranty of
  18    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  19    GNU General Public License for more details.
  20
  21    You should have received a copy of the GNU General Public License
  22    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  23 */
  24
  25 /* This auth module is very similar to auth_winbind with 3 distinct
  26  * differences.
  27  *
  28  *      1) Does not fallback to another auth module if winbindd is unavailable
  29  *      2) Does not validate the domain of the user
  30  *      3) Handles unencrypted passwords
  31  *
  32  * The purpose of this module is to defer all authentication decisions (ie:
  33  * local user vs NIS vs LDAP vs AD; encrypted vs plaintext) to the wbc
  34  * compatible daemon.  This centeralizes all authentication decisions to a
  35  * single provider.
  36  *
  37  * This auth backend is most useful when used in conjunction with pdb_wbc_sam.
  38  */
  39
  40 #include "includes.h"
  41
  42 #undef DBGC_CLASS
  43 #define DBGC_CLASS DBGC_AUTH
  44
  45 /* Authenticate a user with a challenge/response */
  46
  47 static NTSTATUS check_wbc_security(const struct auth_context *auth_context,
  48                                        void *my_private_data,
  49                                        TALLOC_CTX *mem_ctx,
  50                                        const struct auth_usersupplied_info *user_info,
  51                                        struct auth_serversupplied_info **server_info)
  52 {
  53         NTSTATUS nt_status;
  54         wbcErr wbc_status;
  55         struct wbcAuthUserParams params;
  56         struct wbcAuthUserInfo *info = NULL;
  57         struct wbcAuthErrorInfo *err = NULL;
  58
  59         if (!user_info || !auth_context || !server_info) {
  60                 return NT_STATUS_INVALID_PARAMETER;
  61         }
  62         /* Send off request */
  63
  64         DEBUG(10, ("Check auth for: [%s]", user_info->mapped.account_name));
  65
  66         params.account_name     = user_info->client.account_name;
  67         params.domain_name      = user_info->mapped.domain_name;
  68         params.workstation_name = user_info->workstation_name;
  69
  70         params.flags            = 0;
  71         params.parameter_control= user_info->logon_parameters;
  72
  73         /* Handle plaintext */
  74         switch (user_info->password_state) {
  75         case AUTH_PASSWORD_PLAIN:
  76         {
  77                 DEBUG(3,("Checking plaintext password for %s.\n",
  78                          user_info->mapped.account_name));
  79                 params.level = WBC_AUTH_USER_LEVEL_PLAIN;
  80
  81                 params.password.plaintext = user_info->password.plaintext;
  82         }
  83         case AUTH_PASSWORD_RESPONSE:
  84         case AUTH_PASSWORD_HASH:
  85         {
  86                 DEBUG(3,("Checking encrypted password for %s.\n",
  87                          user_info->mapped.account_name));
  88                 params.level = WBC_AUTH_USER_LEVEL_RESPONSE;
  89
  90                 memcpy(params.password.response.challenge,
  91                     auth_context->challenge.data,
  92                     sizeof(params.password.response.challenge));
  93
  94                 params.password.response.nt_length = user_info->password.response.nt.length;
  95                 params.password.response.nt_data = user_info->password.response.nt.data;
  96                 params.password.response.lm_length = user_info->password.response.lanman.length;
  97                 params.password.response.lm_data = user_info->password.response.lanman.data;
  98         default:
  99                 DEBUG(0,("user_info constructed for user '%s' was invalid - password_state=%u invalid.\n",user_info->mapped.account_name, user_info->password_state));
 100                 return NT_STATUS_INTERNAL_ERROR;
 101         }
 102 #if 0 /* If ever implemented in libwbclient */
 103         case AUTH_PASSWORD_HASH:
 104         {
 105                 DEBUG(3,("Checking logon (hash) password for %s.\n",
 106                          user_info->mapped.account_name));
 107                 params.level = WBC_AUTH_USER_LEVEL_HASH;
 108
 109                 if (user_info->password.hash.nt) {
 110                         memcpy(params.password.hash.nt_hash, user_info->password.hash.nt, sizeof(* user_info->password.hash.nt));
 111                 } else {
 112                         memset(params.password.hash.nt_hash, '\0', sizeof(params.password.hash.nt_hash));
 113                 }
 114
 115                 if (user_info->password.hash.lanman) {
 116                         memcpy(params.password.hash.lm_hash, user_info->password.hash.lanman, sizeof(* user_info->password.hash.lanman));
 117                 } else {
 118                         memset(params.password.hash.lm_hash, '\0', sizeof(params.password.hash.lm_hash));
 119                 }
 120
 121         }
 122 #endif
 123         }
 124
 125         /* we are contacting the privileged pipe */
 126         become_root();
 127         wbc_status = wbcAuthenticateUserEx(&params, &info, &err);
 128         unbecome_root();
 129
 130         if (!WBC_ERROR_IS_OK(wbc_status)) {
 131                 DEBUG(10,("wbcAuthenticateUserEx failed (%d): %s\n",
 132                         wbc_status, wbcErrorString(wbc_status)));
 133         }
 134
 135         if (wbc_status == WBC_ERR_NO_MEMORY) {
 136                 return NT_STATUS_NO_MEMORY;
 137         }
 138
 139         if (wbc_status == WBC_ERR_AUTH_ERROR) {
 140                 nt_status = NT_STATUS(err->nt_status);
 141                 wbcFreeMemory(err);
 142                 return nt_status;
 143         }
 144
 145         if (!WBC_ERROR_IS_OK(wbc_status)) {
 146                 return NT_STATUS_LOGON_FAILURE;
 147         }
 148
 149         DEBUG(10,("wbcAuthenticateUserEx succeeded\n"));
 150
 151         nt_status = make_server_info_wbcAuthUserInfo(mem_ctx,
 152                                                      user_info->client.account_name,
 153                                                      user_info->mapped.domain_name,
 154                                                      info, server_info);
 155         wbcFreeMemory(info);
 156         if (!NT_STATUS_IS_OK(nt_status)) {
 157                 return nt_status;
 158         }
 159
 160         (*server_info)->nss_token |= user_info->was_mapped;
 161
 162         return nt_status;
 163 }
 164
 165 /* module initialisation */
 166 static NTSTATUS auth_init_wbc(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
 167 {
 168         struct auth_methods *result;
 169
 170         result = TALLOC_ZERO_P(auth_context, struct auth_methods);
 171         if (result == NULL) {
 172                 return NT_STATUS_NO_MEMORY;
 173         }
 174         result->name = "wbc";
 175         result->auth = check_wbc_security;
 176
 177         *auth_method = result;
 178         return NT_STATUS_OK;
 179 }
 180
 181 NTSTATUS auth_wbc_init(void)
 182 {
 183         return smb_register_auth(AUTH_INTERFACE_VERSION, "wbc", auth_init_wbc);
 184 }