2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2009
5 Copyright (C) Gerald Carter 2003
6 Copyright (C) Stefan Metzmacher 2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "system/time.h"
24 #include "lib/ldb/include/ldb.h"
25 #include "../lib/util/util_ldb.h"
26 #include "auth/auth.h"
27 #include "../libcli/auth/ntlm_check.h"
28 #include "auth/ntlm/auth_proto.h"
29 #include "auth/auth_sam.h"
30 #include "dsdb/samdb/samdb.h"
31 #include "param/param.h"
33 extern const char *user_attrs
[];
34 extern const char *domain_ref_attrs
[];
36 /****************************************************************************
37 Look for the specified user in the sam, return ldb result structures
38 ****************************************************************************/
40 static NTSTATUS
authsam_search_account(TALLOC_CTX
*mem_ctx
, struct ldb_context
*sam_ctx
,
41 const char *account_name
,
42 struct ldb_dn
*domain_dn
,
43 struct ldb_message
**ret_msg
)
47 /* pull the user attributes */
48 ret
= gendb_search_single_extended_dn(sam_ctx
, mem_ctx
, domain_dn
, LDB_SCOPE_SUBTREE
,
50 "(&(sAMAccountName=%s)(objectclass=user))",
51 ldb_binary_encode_string(mem_ctx
, account_name
));
52 if (ret
== LDB_ERR_NO_SUCH_OBJECT
) {
53 DEBUG(3,("sam_search_user: Couldn't find user [%s] in samdb, under %s\n",
54 account_name
, ldb_dn_get_linearized(domain_dn
)));
55 return NT_STATUS_NO_SUCH_USER
;
57 if (ret
!= LDB_SUCCESS
) {
58 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
64 /****************************************************************************
65 Do a specific test for an smb password being correct, given a smb_password and
66 the lanman and NT responses.
67 ****************************************************************************/
68 static NTSTATUS
authsam_password_ok(struct auth_context
*auth_context
,
71 const struct samr_Password
*lm_pwd
,
72 const struct samr_Password
*nt_pwd
,
73 const struct auth_usersupplied_info
*user_info
,
74 DATA_BLOB
*user_sess_key
,
75 DATA_BLOB
*lm_sess_key
)
79 switch (user_info
->password_state
) {
80 case AUTH_PASSWORD_PLAIN
:
82 const struct auth_usersupplied_info
*user_info_temp
;
83 status
= encrypt_user_info(mem_ctx
, auth_context
,
85 user_info
, &user_info_temp
);
86 if (!NT_STATUS_IS_OK(status
)) {
87 DEBUG(1, ("Failed to convert plaintext password to password HASH: %s\n", nt_errstr(status
)));
90 user_info
= user_info_temp
;
94 case AUTH_PASSWORD_HASH
:
95 *lm_sess_key
= data_blob(NULL
, 0);
96 *user_sess_key
= data_blob(NULL
, 0);
97 status
= hash_password_check(mem_ctx
,
98 lp_lanman_auth(auth_context
->lp_ctx
),
99 user_info
->password
.hash
.lanman
,
100 user_info
->password
.hash
.nt
,
101 user_info
->mapped
.account_name
,
103 NT_STATUS_NOT_OK_RETURN(status
);
106 case AUTH_PASSWORD_RESPONSE
:
107 status
= ntlm_password_check(mem_ctx
,
108 lp_lanman_auth(auth_context
->lp_ctx
),
109 lp_ntlm_auth(auth_context
->lp_ctx
),
110 user_info
->logon_parameters
,
111 &auth_context
->challenge
.data
,
112 &user_info
->password
.response
.lanman
,
113 &user_info
->password
.response
.nt
,
114 user_info
->mapped
.account_name
,
115 user_info
->client
.account_name
,
116 user_info
->client
.domain_name
,
118 user_sess_key
, lm_sess_key
);
119 NT_STATUS_NOT_OK_RETURN(status
);
123 if (user_sess_key
&& user_sess_key
->data
) {
124 talloc_steal(auth_context
, user_sess_key
->data
);
126 if (lm_sess_key
&& lm_sess_key
->data
) {
127 talloc_steal(auth_context
, lm_sess_key
->data
);
135 static NTSTATUS
authsam_authenticate(struct auth_context
*auth_context
,
136 TALLOC_CTX
*mem_ctx
, struct ldb_context
*sam_ctx
,
137 struct ldb_dn
*domain_dn
,
138 struct ldb_message
*msg
,
139 const struct auth_usersupplied_info
*user_info
,
140 DATA_BLOB
*user_sess_key
, DATA_BLOB
*lm_sess_key
)
142 struct samr_Password
*lm_pwd
, *nt_pwd
;
145 uint16_t acct_flags
= samdb_result_acct_flags(sam_ctx
, mem_ctx
, msg
, domain_dn
);
147 /* Quit if the account was locked out. */
148 if (acct_flags
& ACB_AUTOLOCK
) {
149 DEBUG(3,("check_sam_security: Account for user %s was locked out.\n",
150 user_info
->mapped
.account_name
));
151 return NT_STATUS_ACCOUNT_LOCKED_OUT
;
154 /* You can only do an interactive login to normal accounts */
155 if (user_info
->flags
& USER_INFO_INTERACTIVE_LOGON
) {
156 if (!(acct_flags
& ACB_NORMAL
)) {
157 return NT_STATUS_NO_SUCH_USER
;
161 nt_status
= samdb_result_passwords(mem_ctx
, auth_context
->lp_ctx
, msg
, &lm_pwd
, &nt_pwd
);
162 NT_STATUS_NOT_OK_RETURN(nt_status
);
164 nt_status
= authsam_password_ok(auth_context
, mem_ctx
,
165 acct_flags
, lm_pwd
, nt_pwd
,
166 user_info
, user_sess_key
, lm_sess_key
);
167 NT_STATUS_NOT_OK_RETURN(nt_status
);
169 nt_status
= authsam_account_ok(mem_ctx
, sam_ctx
,
170 user_info
->logon_parameters
,
173 user_info
->workstation_name
,
174 user_info
->mapped
.account_name
,
182 static NTSTATUS
authsam_check_password_internals(struct auth_method_context
*ctx
,
184 const struct auth_usersupplied_info
*user_info
,
185 struct auth_serversupplied_info
**server_info
)
188 const char *account_name
= user_info
->mapped
.account_name
;
189 struct ldb_message
*msg
;
190 struct ldb_context
*sam_ctx
;
191 struct ldb_dn
*domain_dn
;
192 DATA_BLOB user_sess_key
, lm_sess_key
;
195 if (!account_name
|| !*account_name
) {
197 return NT_STATUS_NOT_IMPLEMENTED
;
200 tmp_ctx
= talloc_new(mem_ctx
);
202 return NT_STATUS_NO_MEMORY
;
205 sam_ctx
= samdb_connect(tmp_ctx
, ctx
->auth_ctx
->event_ctx
, ctx
->auth_ctx
->lp_ctx
, system_session(ctx
->auth_ctx
->lp_ctx
));
206 if (sam_ctx
== NULL
) {
207 talloc_free(tmp_ctx
);
208 return NT_STATUS_INVALID_SYSTEM_SERVICE
;
211 domain_dn
= ldb_get_default_basedn(sam_ctx
);
212 if (domain_dn
== NULL
) {
213 talloc_free(tmp_ctx
);
214 return NT_STATUS_NO_SUCH_DOMAIN
;
217 nt_status
= authsam_search_account(tmp_ctx
, sam_ctx
, account_name
, domain_dn
, &msg
);
218 if (!NT_STATUS_IS_OK(nt_status
)) {
219 talloc_free(tmp_ctx
);
223 nt_status
= authsam_authenticate(ctx
->auth_ctx
, tmp_ctx
, sam_ctx
, domain_dn
, msg
, user_info
,
224 &user_sess_key
, &lm_sess_key
);
225 if (!NT_STATUS_IS_OK(nt_status
)) {
226 talloc_free(tmp_ctx
);
230 nt_status
= authsam_make_server_info(tmp_ctx
, sam_ctx
, lp_netbios_name(ctx
->auth_ctx
->lp_ctx
),
231 lp_sam_name(ctx
->auth_ctx
->lp_ctx
),
234 user_sess_key
, lm_sess_key
,
236 if (!NT_STATUS_IS_OK(nt_status
)) {
237 talloc_free(tmp_ctx
);
241 talloc_steal(mem_ctx
, *server_info
);
242 talloc_free(tmp_ctx
);
247 static NTSTATUS
authsam_ignoredomain_want_check(struct auth_method_context
*ctx
,
249 const struct auth_usersupplied_info
*user_info
)
251 if (!user_info
->mapped
.account_name
|| !*user_info
->mapped
.account_name
) {
252 return NT_STATUS_NOT_IMPLEMENTED
;
258 /****************************************************************************
259 Check SAM security (above) but with a few extra checks.
260 ****************************************************************************/
261 static NTSTATUS
authsam_want_check(struct auth_method_context
*ctx
,
263 const struct auth_usersupplied_info
*user_info
)
265 bool is_local_name
, is_my_domain
;
267 if (!user_info
->mapped
.account_name
|| !*user_info
->mapped
.account_name
) {
268 return NT_STATUS_NOT_IMPLEMENTED
;
271 is_local_name
= lp_is_myname(ctx
->auth_ctx
->lp_ctx
,
272 user_info
->mapped
.domain_name
);
273 is_my_domain
= lp_is_mydomain(ctx
->auth_ctx
->lp_ctx
,
274 user_info
->mapped
.domain_name
);
276 /* check whether or not we service this domain/workgroup name */
277 switch (lp_server_role(ctx
->auth_ctx
->lp_ctx
)) {
278 case ROLE_STANDALONE
:
281 case ROLE_DOMAIN_MEMBER
:
282 if (!is_local_name
) {
283 DEBUG(6,("authsam_check_password: %s is not one of my local names (DOMAIN_MEMBER)\n",
284 user_info
->mapped
.domain_name
));
285 return NT_STATUS_NOT_IMPLEMENTED
;
289 case ROLE_DOMAIN_CONTROLLER
:
290 if (!is_local_name
&& !is_my_domain
) {
291 DEBUG(6,("authsam_check_password: %s is not one of my local names or domain name (DC)\n",
292 user_info
->mapped
.domain_name
));
293 return NT_STATUS_NOT_IMPLEMENTED
;
298 DEBUG(6,("authsam_check_password: lp_server_role() has an undefined value\n"));
299 return NT_STATUS_NOT_IMPLEMENTED
;
303 /* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available */
304 NTSTATUS
authsam_get_server_info_principal(TALLOC_CTX
*mem_ctx
,
305 struct auth_context
*auth_context
,
306 const char *principal
,
307 struct auth_serversupplied_info
**server_info
)
310 DATA_BLOB user_sess_key
= data_blob(NULL
, 0);
311 DATA_BLOB lm_sess_key
= data_blob(NULL
, 0);
313 struct ldb_message
*msg
;
314 struct ldb_context
*sam_ctx
;
315 struct ldb_dn
*domain_dn
;
317 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
319 return NT_STATUS_NO_MEMORY
;
322 sam_ctx
= samdb_connect(tmp_ctx
, auth_context
->event_ctx
, auth_context
->lp_ctx
,
323 system_session(auth_context
->lp_ctx
));
324 if (sam_ctx
== NULL
) {
325 talloc_free(tmp_ctx
);
326 return NT_STATUS_INVALID_SYSTEM_SERVICE
;
329 nt_status
= sam_get_results_principal(sam_ctx
, tmp_ctx
, principal
,
330 user_attrs
, &domain_dn
, &msg
);
331 if (!NT_STATUS_IS_OK(nt_status
)) {
332 talloc_free(tmp_ctx
);
336 nt_status
= authsam_make_server_info(tmp_ctx
, sam_ctx
,
337 lp_netbios_name(auth_context
->lp_ctx
),
338 lp_workgroup(auth_context
->lp_ctx
),
341 user_sess_key
, lm_sess_key
,
343 if (!NT_STATUS_IS_OK(nt_status
)) {
344 talloc_free(tmp_ctx
);
348 talloc_steal(mem_ctx
, *server_info
);
349 talloc_free(tmp_ctx
);
354 static const struct auth_operations sam_ignoredomain_ops
= {
355 .name
= "sam_ignoredomain",
356 .get_challenge
= auth_get_challenge_not_implemented
,
357 .want_check
= authsam_ignoredomain_want_check
,
358 .check_password
= authsam_check_password_internals
,
359 .get_server_info_principal
= authsam_get_server_info_principal
362 static const struct auth_operations sam_ops
= {
364 .get_challenge
= auth_get_challenge_not_implemented
,
365 .want_check
= authsam_want_check
,
366 .check_password
= authsam_check_password_internals
,
367 .get_server_info_principal
= authsam_get_server_info_principal
370 _PUBLIC_ NTSTATUS
auth_sam_init(void)
374 ret
= auth_register(&sam_ops
);
375 if (!NT_STATUS_IS_OK(ret
)) {
376 DEBUG(0,("Failed to register 'sam' auth backend!\n"));
380 ret
= auth_register(&sam_ignoredomain_ops
);
381 if (!NT_STATUS_IS_OK(ret
)) {
382 DEBUG(0,("Failed to register 'sam_ignoredomain' auth backend!\n"));