2 Unix SMB/CIFS implementation.
4 Winbind client authentication mechanism designed to defer all
5 authentication to the winbind daemon.
7 Copyright (C) Tim Potter 2000
8 Copyright (C) Andrew Bartlett 2001 - 2002
9 Copyright (C) Dan Sledz 2009
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 /* This auth module is very similar to auth_winbind with 3 distinct
28 * 1) Does not fallback to another auth module if winbindd is unavailable
29 * 2) Does not validate the domain of the user
30 * 3) Handles unencrypted passwords
32 * The purpose of this module is to defer all authentication decisions (ie:
33 * local user vs NIS vs LDAP vs AD; encrypted vs plaintext) to the wbc
34 * compatible daemon. This centeralizes all authentication decisions to a
37 * This auth backend is most useful when used in conjunction with pdb_wbc_sam.
43 #define DBGC_CLASS DBGC_AUTH
45 /* Authenticate a user with a challenge/response */
47 static NTSTATUS
check_wbc_security(const struct auth_context
*auth_context
,
48 void *my_private_data
,
50 const struct auth_usersupplied_info
*user_info
,
51 struct auth_serversupplied_info
**server_info
)
55 struct wbcAuthUserParams params
;
56 struct wbcAuthUserInfo
*info
= NULL
;
57 struct wbcAuthErrorInfo
*err
= NULL
;
59 if (!user_info
|| !auth_context
|| !server_info
) {
60 return NT_STATUS_INVALID_PARAMETER
;
62 /* Send off request */
64 DEBUG(10, ("Check auth for: [%s]", user_info
->mapped
.account_name
));
66 params
.account_name
= user_info
->client
.account_name
;
67 params
.domain_name
= user_info
->mapped
.domain_name
;
68 params
.workstation_name
= user_info
->workstation_name
;
71 params
.parameter_control
= user_info
->logon_parameters
;
73 /* Handle plaintext */
74 switch (user_info
->password_state
) {
75 case AUTH_PASSWORD_PLAIN
:
77 DEBUG(3,("Checking plaintext password for %s.\n",
78 user_info
->mapped
.account_name
));
79 params
.level
= WBC_AUTH_USER_LEVEL_PLAIN
;
81 params
.password
.plaintext
= user_info
->password
.plaintext
;
83 case AUTH_PASSWORD_RESPONSE
:
84 case AUTH_PASSWORD_HASH
:
86 DEBUG(3,("Checking encrypted password for %s.\n",
87 user_info
->mapped
.account_name
));
88 params
.level
= WBC_AUTH_USER_LEVEL_RESPONSE
;
90 memcpy(params
.password
.response
.challenge
,
91 auth_context
->challenge
.data
,
92 sizeof(params
.password
.response
.challenge
));
94 params
.password
.response
.nt_length
= user_info
->password
.response
.nt
.length
;
95 params
.password
.response
.nt_data
= user_info
->password
.response
.nt
.data
;
96 params
.password
.response
.lm_length
= user_info
->password
.response
.lanman
.length
;
97 params
.password
.response
.lm_data
= user_info
->password
.response
.lanman
.data
;
99 DEBUG(0,("user_info constructed for user '%s' was invalid - password_state=%u invalid.\n",user_info
->mapped
.account_name
, user_info
->password_state
));
100 return NT_STATUS_INTERNAL_ERROR
;
102 #if 0 /* If ever implemented in libwbclient */
103 case AUTH_PASSWORD_HASH
:
105 DEBUG(3,("Checking logon (hash) password for %s.\n",
106 user_info
->mapped
.account_name
));
107 params
.level
= WBC_AUTH_USER_LEVEL_HASH
;
109 if (user_info
->password
.hash
.nt
) {
110 memcpy(params
.password
.hash
.nt_hash
, user_info
->password
.hash
.nt
, sizeof(* user_info
->password
.hash
.nt
));
112 memset(params
.password
.hash
.nt_hash
, '\0', sizeof(params
.password
.hash
.nt_hash
));
115 if (user_info
->password
.hash
.lanman
) {
116 memcpy(params
.password
.hash
.lm_hash
, user_info
->password
.hash
.lanman
, sizeof(* user_info
->password
.hash
.lanman
));
118 memset(params
.password
.hash
.lm_hash
, '\0', sizeof(params
.password
.hash
.lm_hash
));
125 /* we are contacting the privileged pipe */
127 wbc_status
= wbcAuthenticateUserEx(¶ms
, &info
, &err
);
130 if (!WBC_ERROR_IS_OK(wbc_status
)) {
131 DEBUG(10,("wbcAuthenticateUserEx failed (%d): %s\n",
132 wbc_status
, wbcErrorString(wbc_status
)));
135 if (wbc_status
== WBC_ERR_NO_MEMORY
) {
136 return NT_STATUS_NO_MEMORY
;
139 if (wbc_status
== WBC_ERR_AUTH_ERROR
) {
140 nt_status
= NT_STATUS(err
->nt_status
);
145 if (!WBC_ERROR_IS_OK(wbc_status
)) {
146 return NT_STATUS_LOGON_FAILURE
;
149 DEBUG(10,("wbcAuthenticateUserEx succeeded\n"));
151 nt_status
= make_server_info_wbcAuthUserInfo(mem_ctx
,
152 user_info
->client
.account_name
,
153 user_info
->mapped
.domain_name
,
156 if (!NT_STATUS_IS_OK(nt_status
)) {
160 (*server_info
)->nss_token
|= user_info
->was_mapped
;
165 /* module initialisation */
166 static NTSTATUS
auth_init_wbc(struct auth_context
*auth_context
, const char *param
, auth_methods
**auth_method
)
168 struct auth_methods
*result
;
170 result
= TALLOC_ZERO_P(auth_context
, struct auth_methods
);
171 if (result
== NULL
) {
172 return NT_STATUS_NO_MEMORY
;
174 result
->name
= "wbc";
175 result
->auth
= check_wbc_security
;
177 *auth_method
= result
;
181 NTSTATUS
auth_wbc_init(void)
183 return smb_register_auth(AUTH_INTERFACE_VERSION
, "wbc", auth_init_wbc
);