search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:librpc/rpc: make PyErr_SetDCERPCStatus() static
[Samba/gebeck_regimport.git] / source3 / auth / auth_util.c
blob5e39dca60aa49c4116b0e45bd95f8b8f7d4360ab
1 /*
2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Volker Lendecke 2006
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "smbd/globals.h"
26 #include "../libcli/auth/libcli_auth.h"
27
28 #undef DBGC_CLASS
29 #define DBGC_CLASS DBGC_AUTH
30
31 /****************************************************************************
32 Ensure primary group SID is always at position 0 in a
33 auth_serversupplied_info struct.
34 ****************************************************************************/
35
36 static void sort_sid_array_for_smbd(struct auth_serversupplied_info *result,
37 const DOM_SID *pgroup_sid)
38 {
39 unsigned int i;
40
41 if (!result->sids) {
42 return;
43 }
44
45 if (sid_compare(&result->sids[0], pgroup_sid)==0) {
46 return;
47 }
48
49 for (i = 1; i < result->num_sids; i++) {
50 if (sid_compare(pgroup_sid,
51 &result->sids[i]) == 0) {
52 sid_copy(&result->sids[i], &result->sids[0]);
53 sid_copy(&result->sids[0], pgroup_sid);
54 return;
55 }
56 }
57 }
58
59 /****************************************************************************
60 Create a UNIX user on demand.
61 ****************************************************************************/
62
63 static int _smb_create_user(const char *domain, const char *unix_username, const char *homedir)
64 {
65 TALLOC_CTX *ctx = talloc_tos();
66 char *add_script;
67 int ret;
68
69 add_script = talloc_strdup(ctx, lp_adduser_script());
70 if (!add_script || !*add_script) {
71 return -1;
72 }
73 add_script = talloc_all_string_sub(ctx,
74 add_script,
75 "%u",
76 unix_username);
77 if (!add_script) {
78 return -1;
79 }
80 if (domain) {
81 add_script = talloc_all_string_sub(ctx,
82 add_script,
83 "%D",
84 domain);
85 if (!add_script) {
86 return -1;
87 }
88 }
89 if (homedir) {
90 add_script = talloc_all_string_sub(ctx,
91 add_script,
92 "%H",
93 homedir);
94 if (!add_script) {
95 return -1;
96 }
97 }
98 ret = smbrun(add_script,NULL);
99 flush_pwnam_cache();
100 DEBUG(ret ? 0 : 3,
101 ("smb_create_user: Running the command `%s' gave %d\n",
102 add_script,ret));
103 return ret;
104 }
105
106 /****************************************************************************
107 Create an auth_usersupplied_data structure after appropriate mapping.
108 ****************************************************************************/
109
110 NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info,
111 const char *smb_name,
112 const char *client_domain,
113 const char *wksta_name,
114 DATA_BLOB *lm_pwd,
115 DATA_BLOB *nt_pwd,
116 DATA_BLOB *lm_interactive_pwd,
117 DATA_BLOB *nt_interactive_pwd,
118 DATA_BLOB *plaintext,
119 bool encrypted)
120 {
121 struct smbd_server_connection *sconn = smbd_server_conn;
122 const char *domain;
123 NTSTATUS result;
124 bool was_mapped;
125 fstring internal_username;
126 fstrcpy(internal_username, smb_name);
127 was_mapped = map_username(sconn, internal_username);
128
129 DEBUG(5, ("Mapping user [%s]\\[%s] from workstation [%s]\n",
130 client_domain, smb_name, wksta_name));
131
132 domain = client_domain;
133
134 /* If you connect to a Windows domain member using a bogus domain name,
135 * the Windows box will map the BOGUS\user to SAMNAME\user. Thus, if
136 * the Windows box is a DC the name will become DOMAIN\user and be
137 * authenticated against AD, if the Windows box is a member server but
138 * not a DC the name will become WORKSTATION\user. A standalone
139 * non-domain member box will also map to WORKSTATION\user.
140 * This also deals with the client passing in a "" domain */
141
142 if (!is_trusted_domain(domain) &&
143 !strequal(domain, my_sam_name()))
144 {
145 if (lp_map_untrusted_to_domain())
146 domain = my_sam_name();
147 else
148 domain = get_global_sam_name();
149 DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] from "
150 "workstation [%s]\n",
151 client_domain, domain, smb_name, wksta_name));
152 }
153
154 /* We know that the given domain is trusted (and we are allowing them),
155 * it is our global SAM name, or for legacy behavior it is our
156 * primary domain name */
157
158 result = make_user_info(user_info, smb_name, internal_username,
159 client_domain, domain, wksta_name,
160 lm_pwd, nt_pwd,
161 lm_interactive_pwd, nt_interactive_pwd,
162 plaintext, encrypted);
163 if (NT_STATUS_IS_OK(result)) {
164 (*user_info)->was_mapped = was_mapped;
165 }
166 return result;
167 }
168
169 /****************************************************************************
170 Create an auth_usersupplied_data, making the DATA_BLOBs here.
171 Decrypt and encrypt the passwords.
172 ****************************************************************************/
173
174 bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info,
175 const char *smb_name,
176 const char *client_domain,
177 const char *wksta_name,
178 uint32 logon_parameters,
179 const uchar *lm_network_pwd,
180 int lm_pwd_len,
181 const uchar *nt_network_pwd,
182 int nt_pwd_len)
183 {
184 bool ret;
185 NTSTATUS status;
186 DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len);
187 DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
188
189 status = make_user_info_map(user_info,
190 smb_name, client_domain,
191 wksta_name,
192 lm_pwd_len ? &lm_blob : NULL,
193 nt_pwd_len ? &nt_blob : NULL,
194 NULL, NULL, NULL,
195 True);
196
197 if (NT_STATUS_IS_OK(status)) {
198 (*user_info)->logon_parameters = logon_parameters;
199 }
200 ret = NT_STATUS_IS_OK(status) ? True : False;
201
202 data_blob_free(&lm_blob);
203 data_blob_free(&nt_blob);
204 return ret;
205 }
206
207 /****************************************************************************
208 Create an auth_usersupplied_data, making the DATA_BLOBs here.
209 Decrypt and encrypt the passwords.
210 ****************************************************************************/
211
212 bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_info,
213 const char *smb_name,
214 const char *client_domain,
215 const char *wksta_name,
216 uint32 logon_parameters,
217 const uchar chal[8],
218 const uchar lm_interactive_pwd[16],
219 const uchar nt_interactive_pwd[16],
220 const uchar *dc_sess_key)
221 {
222 unsigned char lm_pwd[16];
223 unsigned char nt_pwd[16];
224 unsigned char local_lm_response[24];
225 unsigned char local_nt_response[24];
226 unsigned char key[16];
227
228 memcpy(key, dc_sess_key, 16);
229
230 if (lm_interactive_pwd)
231 memcpy(lm_pwd, lm_interactive_pwd, sizeof(lm_pwd));
232
233 if (nt_interactive_pwd)
234 memcpy(nt_pwd, nt_interactive_pwd, sizeof(nt_pwd));
235
236 #ifdef DEBUG_PASSWORD
237 DEBUG(100,("key:"));
238 dump_data(100, key, sizeof(key));
239
240 DEBUG(100,("lm owf password:"));
241 dump_data(100, lm_pwd, sizeof(lm_pwd));
242
243 DEBUG(100,("nt owf password:"));
244 dump_data(100, nt_pwd, sizeof(nt_pwd));
245 #endif
246
247 if (lm_interactive_pwd)
248 arcfour_crypt(lm_pwd, key, sizeof(lm_pwd));
249
250 if (nt_interactive_pwd)
251 arcfour_crypt(nt_pwd, key, sizeof(nt_pwd));
252
253 #ifdef DEBUG_PASSWORD
254 DEBUG(100,("decrypt of lm owf password:"));
255 dump_data(100, lm_pwd, sizeof(lm_pwd));
256
257 DEBUG(100,("decrypt of nt owf password:"));
258 dump_data(100, nt_pwd, sizeof(nt_pwd));
259 #endif
260
261 if (lm_interactive_pwd)
262 SMBOWFencrypt(lm_pwd, chal,
263 local_lm_response);
264
265 if (nt_interactive_pwd)
266 SMBOWFencrypt(nt_pwd, chal,
267 local_nt_response);
268
269 /* Password info paranoia */
270 ZERO_STRUCT(key);
271
272 {
273 bool ret;
274 NTSTATUS nt_status;
275 DATA_BLOB local_lm_blob;
276 DATA_BLOB local_nt_blob;
277
278 DATA_BLOB lm_interactive_blob;
279 DATA_BLOB nt_interactive_blob;
280
281 if (lm_interactive_pwd) {
282 local_lm_blob = data_blob(local_lm_response,
283 sizeof(local_lm_response));
284 lm_interactive_blob = data_blob(lm_pwd,
285 sizeof(lm_pwd));
286 ZERO_STRUCT(lm_pwd);
287 }
288
289 if (nt_interactive_pwd) {
290 local_nt_blob = data_blob(local_nt_response,
291 sizeof(local_nt_response));
292 nt_interactive_blob = data_blob(nt_pwd,
293 sizeof(nt_pwd));
294 ZERO_STRUCT(nt_pwd);
295 }
296
297 nt_status = make_user_info_map(
298 user_info,
299 smb_name, client_domain, wksta_name,
300 lm_interactive_pwd ? &local_lm_blob : NULL,
301 nt_interactive_pwd ? &local_nt_blob : NULL,
302 lm_interactive_pwd ? &lm_interactive_blob : NULL,
303 nt_interactive_pwd ? &nt_interactive_blob : NULL,
304 NULL, True);
305
306 if (NT_STATUS_IS_OK(nt_status)) {
307 (*user_info)->logon_parameters = logon_parameters;
308 }
309
310 ret = NT_STATUS_IS_OK(nt_status) ? True : False;
311 data_blob_free(&local_lm_blob);
312 data_blob_free(&local_nt_blob);
313 data_blob_free(&lm_interactive_blob);
314 data_blob_free(&nt_interactive_blob);
315 return ret;
316 }
317 }
318
319
320 /****************************************************************************
321 Create an auth_usersupplied_data structure
322 ****************************************************************************/
323
324 bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
325 const char *smb_name,
326 const char *client_domain,
327 const uint8 chal[8],
328 DATA_BLOB plaintext_password)
329 {
330
331 DATA_BLOB local_lm_blob;
332 DATA_BLOB local_nt_blob;
333 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
334
335 /*
336 * Not encrypted - do so.
337 */
338
339 DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted "
340 "format.\n"));
341
342 if (plaintext_password.data && plaintext_password.length) {
343 unsigned char local_lm_response[24];
344
345 #ifdef DEBUG_PASSWORD
346 DEBUG(10,("Unencrypted password (len %d):\n",
347 (int)plaintext_password.length));
348 dump_data(100, plaintext_password.data,
349 plaintext_password.length);
350 #endif
351
352 SMBencrypt( (const char *)plaintext_password.data,
353 (const uchar*)chal, local_lm_response);
354 local_lm_blob = data_blob(local_lm_response, 24);
355
356 /* We can't do an NT hash here, as the password needs to be
357 case insensitive */
358 local_nt_blob = data_blob_null;
359 } else {
360 local_lm_blob = data_blob_null;
361 local_nt_blob = data_blob_null;
362 }
363
364 ret = make_user_info_map(
365 user_info, smb_name, client_domain,
366 get_remote_machine_name(),
367 local_lm_blob.data ? &local_lm_blob : NULL,
368 local_nt_blob.data ? &local_nt_blob : NULL,
369 NULL, NULL,
370 plaintext_password.data && plaintext_password.length ? &plaintext_password : NULL,
371 False);
372
373 data_blob_free(&local_lm_blob);
374 return NT_STATUS_IS_OK(ret) ? True : False;
375 }
376
377 /****************************************************************************
378 Create an auth_usersupplied_data structure
379 ****************************************************************************/
380
381 NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info,
382 const char *smb_name,
383 const char *client_domain,
384 DATA_BLOB lm_resp, DATA_BLOB nt_resp)
385 {
386 return make_user_info_map(user_info, smb_name,
387 client_domain,
388 get_remote_machine_name(),
389 lm_resp.data ? &lm_resp : NULL,
390 nt_resp.data ? &nt_resp : NULL,
391 NULL, NULL, NULL,
392 True);
393 }
394
395 /****************************************************************************
396 Create a guest user_info blob, for anonymous authenticaion.
397 ****************************************************************************/
398
399 bool make_user_info_guest(struct auth_usersupplied_info **user_info)
400 {
401 NTSTATUS nt_status;
402
403 nt_status = make_user_info(user_info,
404 "","",
405 "","",
406 "",
407 NULL, NULL,
408 NULL, NULL,
409 NULL,
410 True);
411
412 return NT_STATUS_IS_OK(nt_status) ? True : False;
413 }
414
415 static NTSTATUS log_nt_token(NT_USER_TOKEN *token)
416 {
417 TALLOC_CTX *frame = talloc_stackframe();
418 char *command;
419 char *group_sidstr;
420 size_t i;
421
422 if ((lp_log_nt_token_command() == NULL) ||
423 (strlen(lp_log_nt_token_command()) == 0)) {
424 TALLOC_FREE(frame);
425 return NT_STATUS_OK;
426 }
427
428 group_sidstr = talloc_strdup(frame, "");
429 for (i=1; i<token->num_sids; i++) {
430 group_sidstr = talloc_asprintf(
431 frame, "%s %s", group_sidstr,
432 sid_string_talloc(frame, &token->user_sids[i]));
433 }
434
435 command = talloc_string_sub(
436 frame, lp_log_nt_token_command(),
437 "%s", sid_string_talloc(frame, &token->user_sids[0]));
438 command = talloc_string_sub(frame, command, "%t", group_sidstr);
439
440 if (command == NULL) {
441 TALLOC_FREE(frame);
442 return NT_STATUS_NO_MEMORY;
443 }
444
445 DEBUG(8, ("running command: [%s]\n", command));
446 if (smbrun(command, NULL) != 0) {
447 DEBUG(0, ("Could not log NT token\n"));
448 TALLOC_FREE(frame);
449 return NT_STATUS_ACCESS_DENIED;
450 }
451
452 TALLOC_FREE(frame);
453 return NT_STATUS_OK;
454 }
455
456 /*
457 * Create the token to use from server_info->sam_account and
458 * server_info->sids (the info3/sam groups). Find the unix gids.
459 */
460
461 NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
462 {
463 NTSTATUS status;
464 size_t i;
465 struct dom_sid tmp_sid;
466
467 /*
468 * If winbind is not around, we can not make much use of the SIDs the
469 * domain controller provided us with. Likewise if the user name was
470 * mapped to some local unix user.
471 */
472
473 if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
474 (server_info->nss_token)) {
475 status = create_token_from_username(server_info,
476 server_info->unix_name,
477 server_info->guest,
478 &server_info->utok.uid,
479 &server_info->utok.gid,
480 &server_info->unix_name,
481 &server_info->ptok);
482
483 } else {
484 server_info->ptok = create_local_nt_token(
485 server_info,
486 pdb_get_user_sid(server_info->sam_account),
487 server_info->guest,
488 server_info->num_sids, server_info->sids);
489 status = server_info->ptok ?
490 NT_STATUS_OK : NT_STATUS_NO_SUCH_USER;
491 }
492
493 if (!NT_STATUS_IS_OK(status)) {
494 return status;
495 }
496
497 /* Convert the SIDs to gids. */
498
499 server_info->utok.ngroups = 0;
500 server_info->utok.groups = NULL;
501
502 /* Start at index 1, where the groups start. */
503
504 for (i=1; i<server_info->ptok->num_sids; i++) {
505 gid_t gid;
506 DOM_SID *sid = &server_info->ptok->user_sids[i];
507
508 if (!sid_to_gid(sid, &gid)) {
509 DEBUG(10, ("Could not convert SID %s to gid, "
510 "ignoring it\n", sid_string_dbg(sid)));
511 continue;
512 }
513 add_gid_to_array_unique(server_info, gid,
514 &server_info->utok.groups,
515 &server_info->utok.ngroups);
516 }
517
518 /*
519 * Add the "Unix Group" SID for each gid to catch mapped groups
520 * and their Unix equivalent. This is to solve the backwards
521 * compatibility problem of 'valid users = +ntadmin' where
522 * ntadmin has been paired with "Domain Admins" in the group
523 * mapping table. Otherwise smb.conf would need to be changed
524 * to 'valid user = "Domain Admins"'. --jerry
525 *
526 * For consistency we also add the "Unix User" SID,
527 * so that the complete unix token is represented within
528 * the nt token.
529 */
530
531 if (!uid_to_unix_users_sid(server_info->utok.uid, &tmp_sid)) {
532 DEBUG(1,("create_local_token: Failed to create SID "
533 "for uid %u!\n", (unsigned int)server_info->utok.uid));
534 }
535 add_sid_to_array_unique(server_info->ptok, &tmp_sid,
536 &server_info->ptok->user_sids,
537 &server_info->ptok->num_sids);
538
539 for ( i=0; i<server_info->utok.ngroups; i++ ) {
540 if (!gid_to_unix_groups_sid( server_info->utok.groups[i], &tmp_sid ) ) {
541 DEBUG(1,("create_local_token: Failed to create SID "
542 "for gid %u!\n", (unsigned int)server_info->utok.groups[i]));
543 continue;
544 }
545 add_sid_to_array_unique(server_info->ptok, &tmp_sid,
546 &server_info->ptok->user_sids,
547 &server_info->ptok->num_sids);
548 }
549
550 debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok);
551 debug_unix_user_token(DBGC_AUTH, 10,
552 server_info->utok.uid,
553 server_info->utok.gid,
554 server_info->utok.ngroups,
555 server_info->utok.groups);
556
557 status = log_nt_token(server_info->ptok);
558 return status;
559 }
560
561 /***************************************************************************
562 Make (and fill) a server_info struct from a 'struct passwd' by conversion
563 to a struct samu
564 ***************************************************************************/
565
566 NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
567 char *unix_username,
568 struct passwd *pwd)
569 {
570 NTSTATUS status;
571 struct samu *sampass = NULL;
572 gid_t *gids;
573 char *qualified_name = NULL;
574 TALLOC_CTX *mem_ctx = NULL;
575 DOM_SID u_sid;
576 enum lsa_SidType type;
577 struct auth_serversupplied_info *result;
578
579 if ( !(sampass = samu_new( NULL )) ) {
580 return NT_STATUS_NO_MEMORY;
581 }
582
583 status = samu_set_unix( sampass, pwd );
584 if (!NT_STATUS_IS_OK(status)) {
585 return status;
586 }
587
588 result = make_server_info(NULL);
589 if (result == NULL) {
590 TALLOC_FREE(sampass);
591 return NT_STATUS_NO_MEMORY;
592 }
593
594 result->sam_account = sampass;
595
596 result->unix_name = talloc_strdup(result, unix_username);
597 result->sanitized_username = sanitize_username(result, unix_username);
598
599 if ((result->unix_name == NULL)
600 || (result->sanitized_username == NULL)) {
601 TALLOC_FREE(sampass);
602 TALLOC_FREE(result);
603 return NT_STATUS_NO_MEMORY;
604 }
605
606 result->utok.uid = pwd->pw_uid;
607 result->utok.gid = pwd->pw_gid;
608
609 status = pdb_enum_group_memberships(result, sampass,
610 &result->sids, &gids,
611 &result->num_sids);
612
613 if (!NT_STATUS_IS_OK(status)) {
614 DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
615 nt_errstr(status)));
616 TALLOC_FREE(result);
617 return status;
618 }
619
620 /*
621 * The SID returned in server_info->sam_account is based
622 * on our SAM sid even though for a pure UNIX account this should
623 * not be the case as it doesn't really exist in the SAM db.
624 * This causes lookups on "[in]valid users" to fail as they
625 * will lookup this name as a "Unix User" SID to check against
626 * the user token. Fix this by adding the "Unix User"\unix_username
627 * SID to the sid array. The correct fix should probably be
628 * changing the server_info->sam_account user SID to be a
629 * S-1-22 Unix SID, but this might break old configs where
630 * plaintext passwords were used with no SAM backend.
631 */
632
633 mem_ctx = talloc_init("make_server_info_pw_tmp");
634 if (!mem_ctx) {
635 TALLOC_FREE(result);
636 return NT_STATUS_NO_MEMORY;
637 }
638
639 qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
640 unix_users_domain_name(),
641 unix_username );
642 if (!qualified_name) {
643 TALLOC_FREE(result);
644 TALLOC_FREE(mem_ctx);
645 return NT_STATUS_NO_MEMORY;
646 }
647
648 if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
649 NULL, NULL,
650 &u_sid, &type)) {
651 TALLOC_FREE(result);
652 TALLOC_FREE(mem_ctx);
653 return NT_STATUS_NO_SUCH_USER;
654 }
655
656 TALLOC_FREE(mem_ctx);
657
658 if (type != SID_NAME_USER) {
659 TALLOC_FREE(result);
660 return NT_STATUS_NO_SUCH_USER;
661 }
662
663 status = add_sid_to_array_unique(result, &u_sid,
664 &result->sids,
665 &result->num_sids);
666 if (!NT_STATUS_IS_OK(status)) {
667 TALLOC_FREE(result);
668 return status;
669 }
670
671 /* For now we throw away the gids and convert via sid_to_gid
672 * later. This needs fixing, but I'd like to get the code straight and
673 * simple first. */
674 TALLOC_FREE(gids);
675
676 *server_info = result;
677
678 return NT_STATUS_OK;
679 }
680
681 /***************************************************************************
682 Make (and fill) a user_info struct for a guest login.
683 This *must* succeed for smbd to start. If there is no mapping entry for
684 the guest gid, then create one.
685 ***************************************************************************/
686
687 static NTSTATUS make_new_server_info_guest(struct auth_serversupplied_info **server_info)
688 {
689 NTSTATUS status;
690 struct samu *sampass = NULL;
691 DOM_SID guest_sid;
692 bool ret;
693 static const char zeros[16] = {0, };
694 fstring tmp;
695
696 if ( !(sampass = samu_new( NULL )) ) {
697 return NT_STATUS_NO_MEMORY;
698 }
699
700 sid_compose(&guest_sid, get_global_sam_sid(), DOMAIN_USER_RID_GUEST);
701
702 become_root();
703 ret = pdb_getsampwsid(sampass, &guest_sid);
704 unbecome_root();
705
706 if (!ret) {
707 TALLOC_FREE(sampass);
708 return NT_STATUS_NO_SUCH_USER;
709 }
710
711 status = make_server_info_sam(server_info, sampass);
712 if (!NT_STATUS_IS_OK(status)) {
713 TALLOC_FREE(sampass);
714 return status;
715 }
716
717 (*server_info)->guest = True;
718
719 status = create_local_token(*server_info);
720 if (!NT_STATUS_IS_OK(status)) {
721 DEBUG(10, ("create_local_token failed: %s\n",
722 nt_errstr(status)));
723 return status;
724 }
725
726 /* annoying, but the Guest really does have a session key, and it is
727 all zeros! */
728 (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));
729 (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
730
731 alpha_strcpy(tmp, pdb_get_username(sampass), ". _-$", sizeof(tmp));
732 (*server_info)->sanitized_username = talloc_strdup(*server_info, tmp);
733
734 return NT_STATUS_OK;
735 }
736
737 /****************************************************************************
738 Fake a auth_serversupplied_info just from a username
739 ****************************************************************************/
740
741 NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx,
742 const char *username,
743 bool is_guest,
744 struct auth_serversupplied_info **presult)
745 {
746 struct auth_serversupplied_info *result;
747 struct passwd *pwd;
748 NTSTATUS status;
749
750 pwd = getpwnam_alloc(talloc_tos(), username);
751 if (pwd == NULL) {
752 return NT_STATUS_NO_SUCH_USER;
753 }
754
755 status = make_server_info_pw(&result, pwd->pw_name, pwd);
756
757 TALLOC_FREE(pwd);
758
759 if (!NT_STATUS_IS_OK(status)) {
760 return status;
761 }
762
763 result->nss_token = true;
764 result->guest = is_guest;
765
766 status = create_local_token(result);
767
768 if (!NT_STATUS_IS_OK(status)) {
769 TALLOC_FREE(result);
770 return status;
771 }
772
773 *presult = result;
774 return NT_STATUS_OK;
775 }
776
777
778 struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx,
779 const struct auth_serversupplied_info *src)
780 {
781 struct auth_serversupplied_info *dst;
782
783 dst = make_server_info(mem_ctx);
784 if (dst == NULL) {
785 return NULL;
786 }
787
788 dst->guest = src->guest;
789 dst->utok.uid = src->utok.uid;
790 dst->utok.gid = src->utok.gid;
791 dst->utok.ngroups = src->utok.ngroups;
792 if (src->utok.ngroups != 0) {
793 dst->utok.groups = (gid_t *)TALLOC_MEMDUP(
794 dst, src->utok.groups,
795 sizeof(gid_t)*dst->utok.ngroups);
796 } else {
797 dst->utok.groups = NULL;
798 }
799
800 if (src->ptok) {
801 dst->ptok = dup_nt_token(dst, src->ptok);
802 if (!dst->ptok) {
803 TALLOC_FREE(dst);
804 return NULL;
805 }
806 }
807
808 dst->user_session_key = data_blob_talloc( dst, src->user_session_key.data,
809 src->user_session_key.length);
810
811 dst->lm_session_key = data_blob_talloc(dst, src->lm_session_key.data,
812 src->lm_session_key.length);
813
814 dst->sam_account = samu_new(NULL);
815 if (!dst->sam_account) {
816 TALLOC_FREE(dst);
817 return NULL;
818 }
819
820 if (!pdb_copy_sam_account(dst->sam_account, src->sam_account)) {
821 TALLOC_FREE(dst);
822 return NULL;
823 }
824
825 dst->pam_handle = NULL;
826 dst->unix_name = talloc_strdup(dst, src->unix_name);
827 if (!dst->unix_name) {
828 TALLOC_FREE(dst);
829 return NULL;
830 }
831
832 dst->sanitized_username = talloc_strdup(dst, src->sanitized_username);
833 if (!dst->sanitized_username) {
834 TALLOC_FREE(dst);
835 return NULL;
836 }
837
838 return dst;
839 }
840
841 /*
842 * Set a new session key. Used in the rpc server where we have to override the
843 * SMB level session key with SystemLibraryDTC
844 */
845
846 bool server_info_set_session_key(struct auth_serversupplied_info *info,
847 DATA_BLOB session_key)
848 {
849 TALLOC_FREE(info->user_session_key.data);
850
851 info->user_session_key = data_blob_talloc(
852 info, session_key.data, session_key.length);
853
854 return (info->user_session_key.data != NULL);
855 }
856
857 static struct auth_serversupplied_info *guest_info = NULL;
858
859 bool init_guest_info(void)
860 {
861 if (guest_info != NULL)
862 return True;
863
864 return NT_STATUS_IS_OK(make_new_server_info_guest(&guest_info));
865 }
866
867 NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx,
868 struct auth_serversupplied_info **server_info)
869 {
870 *server_info = copy_serverinfo(mem_ctx, guest_info);
871 return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
872 }
873
874 bool copy_current_user(struct current_user *dst, struct current_user *src)
875 {
876 gid_t *groups;
877 NT_USER_TOKEN *nt_token;
878
879 groups = (gid_t *)memdup(src->ut.groups,
880 sizeof(gid_t) * src->ut.ngroups);
881 if ((src->ut.ngroups != 0) && (groups == NULL)) {
882 return False;
883 }
884
885 nt_token = dup_nt_token(NULL, src->nt_user_token);
886 if (nt_token == NULL) {
887 SAFE_FREE(groups);
888 return False;
889 }
890
891 dst->conn = src->conn;
892 dst->vuid = src->vuid;
893 dst->ut.uid = src->ut.uid;
894 dst->ut.gid = src->ut.gid;
895 dst->ut.ngroups = src->ut.ngroups;
896 dst->ut.groups = groups;
897 dst->nt_user_token = nt_token;
898 return True;
899 }
900
901 /***************************************************************************
902 Purely internal function for make_server_info_info3
903 Fill the sam account from getpwnam
904 ***************************************************************************/
905 static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx,
906 const char *domain,
907 const char *username,
908 char **found_username,
909 uid_t *uid, gid_t *gid,
910 struct samu *account,
911 bool *username_was_mapped)
912 {
913 struct smbd_server_connection *sconn = smbd_server_conn;
914 NTSTATUS nt_status;
915 fstring dom_user, lower_username;
916 fstring real_username;
917 struct passwd *passwd;
918
919 fstrcpy( lower_username, username );
920 strlower_m( lower_username );
921
922 fstr_sprintf(dom_user, "%s%c%s", domain, *lp_winbind_separator(),
923 lower_username);
924
925 /* Get the passwd struct. Try to create the account is necessary. */
926
927 *username_was_mapped = map_username(sconn, dom_user);
928
929 if ( !(passwd = smb_getpwnam( NULL, dom_user, real_username, True )) )
930 return NT_STATUS_NO_SUCH_USER;
931
932 *uid = passwd->pw_uid;
933 *gid = passwd->pw_gid;
934
935 /* This is pointless -- there is no suport for differing
936 unix and windows names. Make sure to always store the
937 one we actually looked up and succeeded. Have I mentioned
938 why I hate the 'winbind use default domain' parameter?
939 --jerry */
940
941 *found_username = talloc_strdup( mem_ctx, real_username );
942
943 DEBUG(5,("fill_sam_account: located username was [%s]\n", *found_username));
944
945 nt_status = samu_set_unix( account, passwd );
946
947 TALLOC_FREE(passwd);
948
949 return nt_status;
950 }
951
952 /****************************************************************************
953 Wrapper to allow the getpwnam() call to strip the domain name and
954 try again in case a local UNIX user is already there. Also run through
955 the username if we fallback to the username only.
956 ****************************************************************************/
957
958 struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, char *domuser,
959 fstring save_username, bool create )
960 {
961 struct passwd *pw = NULL;
962 char *p;
963 fstring username;
964
965 /* we only save a copy of the username it has been mangled
966 by winbindd use default domain */
967
968 save_username[0] = '\0';
969
970 /* don't call map_username() here since it has to be done higher
971 up the stack so we don't call it multiple times */
972
973 fstrcpy( username, domuser );
974
975 p = strchr_m( username, *lp_winbind_separator() );
976
977 /* code for a DOMAIN\user string */
978
979 if ( p ) {
980 fstring strip_username;
981
982 pw = Get_Pwnam_alloc( mem_ctx, domuser );
983 if ( pw ) {
984 /* make sure we get the case of the username correct */
985 /* work around 'winbind use default domain = yes' */
986
987 if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
988 char *domain;
989
990 /* split the domain and username into 2 strings */
991 *p = '\0';
992 domain = username;
993
994 fstr_sprintf(save_username, "%s%c%s", domain, *lp_winbind_separator(), pw->pw_name);
995 }
996 else
997 fstrcpy( save_username, pw->pw_name );
998
999 /* whew -- done! */
1000 return pw;
1001 }
1002
1003 /* setup for lookup of just the username */
1004 /* remember that p and username are overlapping memory */
1005
1006 p++;
1007 fstrcpy( strip_username, p );
1008 fstrcpy( username, strip_username );
1009 }
1010
1011 /* just lookup a plain username */
1012
1013 pw = Get_Pwnam_alloc(mem_ctx, username);
1014
1015 /* Create local user if requested but only if winbindd
1016 is not running. We need to protect against cases
1017 where winbindd is failing and then prematurely
1018 creating users in /etc/passwd */
1019
1020 if ( !pw && create && !winbind_ping() ) {
1021 /* Don't add a machine account. */
1022 if (username[strlen(username)-1] == '$')
1023 return NULL;
1024
1025 _smb_create_user(NULL, username, NULL);
1026 pw = Get_Pwnam_alloc(mem_ctx, username);
1027 }
1028
1029 /* one last check for a valid passwd struct */
1030
1031 if ( pw )
1032 fstrcpy( save_username, pw->pw_name );
1033
1034 return pw;
1035 }
1036
1037 /***************************************************************************
1038 Make a server_info struct from the info3 returned by a domain logon
1039 ***************************************************************************/
1040
1041 NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
1042 const char *sent_nt_username,
1043 const char *domain,
1044 struct auth_serversupplied_info **server_info,
1045 struct netr_SamInfo3 *info3)
1046 {
1047 static const char zeros[16] = {0, };
1048
1049 NTSTATUS nt_status = NT_STATUS_OK;
1050 char *found_username = NULL;
1051 const char *nt_domain;
1052 const char *nt_username;
1053 struct samu *sam_account = NULL;
1054 DOM_SID user_sid;
1055 DOM_SID group_sid;
1056 bool username_was_mapped;
1057
1058 uid_t uid = (uid_t)-1;
1059 gid_t gid = (gid_t)-1;
1060
1061 struct auth_serversupplied_info *result;
1062
1063 /*
1064 Here is where we should check the list of
1065 trusted domains, and verify that the SID
1066 matches.
1067 */
1068
1069 if (!sid_compose(&user_sid, info3->base.domain_sid, info3->base.rid)) {
1070 return NT_STATUS_INVALID_PARAMETER;
1071 }
1072
1073 if (!sid_compose(&group_sid, info3->base.domain_sid,
1074 info3->base.primary_gid)) {
1075 return NT_STATUS_INVALID_PARAMETER;
1076 }
1077
1078 nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
1079 if (!nt_username) {
1080 /* If the server didn't give us one, just use the one we sent
1081 * them */
1082 nt_username = sent_nt_username;
1083 }
1084
1085 nt_domain = talloc_strdup(mem_ctx, info3->base.domain.string);
1086 if (!nt_domain) {
1087 /* If the server didn't give us one, just use the one we sent
1088 * them */
1089 nt_domain = domain;
1090 }
1091
1092 /* try to fill the SAM account.. If getpwnam() fails, then try the
1093 add user script (2.2.x behavior).
1094
1095 We use the _unmapped_ username here in an attempt to provide
1096 consistent username mapping behavior between kerberos and NTLM[SSP]
1097 authentication in domain mode security. I.E. Username mapping
1098 should be applied to the fully qualified username
1099 (e.g. DOMAIN\user) and not just the login name. Yes this means we
1100 called map_username() unnecessarily in make_user_info_map() but
1101 that is how the current code is designed. Making the change here
1102 is the least disruptive place. -- jerry */
1103
1104 if ( !(sam_account = samu_new( NULL )) ) {
1105 return NT_STATUS_NO_MEMORY;
1106 }
1107
1108 /* this call will try to create the user if necessary */
1109
1110 nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username,
1111 &found_username, &uid, &gid, sam_account,
1112 &username_was_mapped);
1113
1114
1115 /* if we still don't have a valid unix account check for
1116 'map to guest = bad uid' */
1117
1118 if (!NT_STATUS_IS_OK(nt_status)) {
1119 TALLOC_FREE( sam_account );
1120 if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) {
1121 make_server_info_guest(NULL, server_info);
1122 return NT_STATUS_OK;
1123 }
1124 return nt_status;
1125 }
1126
1127 if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) {
1128 TALLOC_FREE(sam_account);
1129 return NT_STATUS_NO_MEMORY;
1130 }
1131
1132 if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) {
1133 TALLOC_FREE(sam_account);
1134 return NT_STATUS_NO_MEMORY;
1135 }
1136
1137 if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) {
1138 TALLOC_FREE(sam_account);
1139 return NT_STATUS_NO_MEMORY;
1140 }
1141
1142 if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) {
1143 TALLOC_FREE(sam_account);
1144 return NT_STATUS_UNSUCCESSFUL;
1145 }
1146
1147 if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) {
1148 TALLOC_FREE(sam_account);
1149 return NT_STATUS_UNSUCCESSFUL;
1150 }
1151
1152 if (!pdb_set_fullname(sam_account,
1153 info3->base.full_name.string,
1154 PDB_CHANGED)) {
1155 TALLOC_FREE(sam_account);
1156 return NT_STATUS_NO_MEMORY;
1157 }
1158
1159 if (!pdb_set_logon_script(sam_account,
1160 info3->base.logon_script.string,
1161 PDB_CHANGED)) {
1162 TALLOC_FREE(sam_account);
1163 return NT_STATUS_NO_MEMORY;
1164 }
1165
1166 if (!pdb_set_profile_path(sam_account,
1167 info3->base.profile_path.string,
1168 PDB_CHANGED)) {
1169 TALLOC_FREE(sam_account);
1170 return NT_STATUS_NO_MEMORY;
1171 }
1172
1173 if (!pdb_set_homedir(sam_account,
1174 info3->base.home_directory.string,
1175 PDB_CHANGED)) {
1176 TALLOC_FREE(sam_account);
1177 return NT_STATUS_NO_MEMORY;
1178 }
1179
1180 if (!pdb_set_dir_drive(sam_account,
1181 info3->base.home_drive.string,
1182 PDB_CHANGED)) {
1183 TALLOC_FREE(sam_account);
1184 return NT_STATUS_NO_MEMORY;
1185 }
1186
1187 if (!pdb_set_acct_ctrl(sam_account, info3->base.acct_flags, PDB_CHANGED)) {
1188 TALLOC_FREE(sam_account);
1189 return NT_STATUS_NO_MEMORY;
1190 }
1191
1192 if (!pdb_set_pass_last_set_time(
1193 sam_account,
1194 nt_time_to_unix(info3->base.last_password_change),
1195 PDB_CHANGED)) {
1196 TALLOC_FREE(sam_account);
1197 return NT_STATUS_NO_MEMORY;
1198 }
1199
1200 if (!pdb_set_pass_can_change_time(
1201 sam_account,
1202 nt_time_to_unix(info3->base.allow_password_change),
1203 PDB_CHANGED)) {
1204 TALLOC_FREE(sam_account);
1205 return NT_STATUS_NO_MEMORY;
1206 }
1207
1208 if (!pdb_set_pass_must_change_time(
1209 sam_account,
1210 nt_time_to_unix(info3->base.force_password_change),
1211 PDB_CHANGED)) {
1212 TALLOC_FREE(sam_account);
1213 return NT_STATUS_NO_MEMORY;
1214 }
1215
1216 result = make_server_info(NULL);
1217 if (result == NULL) {
1218 DEBUG(4, ("make_server_info failed!\n"));
1219 TALLOC_FREE(sam_account);
1220 return NT_STATUS_NO_MEMORY;
1221 }
1222
1223 /* save this here to _net_sam_logon() doesn't fail (it assumes a
1224 valid struct samu) */
1225
1226 result->sam_account = sam_account;
1227 result->unix_name = talloc_strdup(result, found_username);
1228
1229 result->sanitized_username = sanitize_username(result,
1230 result->unix_name);
1231 if (result->sanitized_username == NULL) {
1232 TALLOC_FREE(result);
1233 return NT_STATUS_NO_MEMORY;
1234 }
1235
1236 /* Fill in the unix info we found on the way */
1237
1238 result->utok.uid = uid;
1239 result->utok.gid = gid;
1240
1241 /* Create a 'combined' list of all SIDs we might want in the SD */
1242
1243 result->num_sids = 0;
1244 result->sids = NULL;
1245
1246 nt_status = sid_array_from_info3(result, info3,
1247 &result->sids,
1248 &result->num_sids,
1249 false, false);
1250 if (!NT_STATUS_IS_OK(nt_status)) {
1251 TALLOC_FREE(result);
1252 return nt_status;
1253 }
1254
1255 /* Ensure the primary group sid is at position 0. */
1256 sort_sid_array_for_smbd(result, &group_sid);
1257
1258 result->login_server = talloc_strdup(result,
1259 info3->base.logon_server.string);
1260
1261 /* ensure we are never given NULL session keys */
1262
1263 if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) {
1264 result->user_session_key = data_blob_null;
1265 } else {
1266 result->user_session_key = data_blob_talloc(
1267 result, info3->base.key.key,
1268 sizeof(info3->base.key.key));
1269 }
1270
1271 if (memcmp(info3->base.LMSessKey.key, zeros, 8) == 0) {
1272 result->lm_session_key = data_blob_null;
1273 } else {
1274 result->lm_session_key = data_blob_talloc(
1275 result, info3->base.LMSessKey.key,
1276 sizeof(info3->base.LMSessKey.key));
1277 }
1278
1279 result->nss_token |= username_was_mapped;
1280
1281 *server_info = result;
1282
1283 return NT_STATUS_OK;
1284 }
1285
1286 /*****************************************************************************
1287 Make a server_info struct from the wbcAuthUserInfo returned by a domain logon
1288 ******************************************************************************/
1289
1290 NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
1291 const char *sent_nt_username,
1292 const char *domain,
1293 const struct wbcAuthUserInfo *info,
1294 struct auth_serversupplied_info **server_info)
1295 {
1296 static const char zeros[16] = {0, };
1297
1298 NTSTATUS nt_status = NT_STATUS_OK;
1299 char *found_username = NULL;
1300 const char *nt_domain;
1301 const char *nt_username;
1302 struct samu *sam_account = NULL;
1303 DOM_SID user_sid;
1304 DOM_SID group_sid;
1305 bool username_was_mapped;
1306 uint32_t i;
1307
1308 uid_t uid = (uid_t)-1;
1309 gid_t gid = (gid_t)-1;
1310
1311 struct auth_serversupplied_info *result;
1312
1313 result = make_server_info(NULL);
1314 if (result == NULL) {
1315 DEBUG(4, ("make_server_info failed!\n"));
1316 return NT_STATUS_NO_MEMORY;
1317 }
1318
1319 /*
1320 Here is where we should check the list of
1321 trusted domains, and verify that the SID
1322 matches.
1323 */
1324
1325 memcpy(&user_sid, &info->sids[0].sid, sizeof(user_sid));
1326 memcpy(&group_sid, &info->sids[1].sid, sizeof(group_sid));
1327
1328 if (info->account_name) {
1329 nt_username = talloc_strdup(result, info->account_name);
1330 } else {
1331 /* If the server didn't give us one, just use the one we sent
1332 * them */
1333 nt_username = talloc_strdup(result, sent_nt_username);
1334 }
1335 if (!nt_username) {
1336 TALLOC_FREE(result);
1337 return NT_STATUS_NO_MEMORY;
1338 }
1339
1340 if (info->domain_name) {
1341 nt_domain = talloc_strdup(result, info->domain_name);
1342 } else {
1343 /* If the server didn't give us one, just use the one we sent
1344 * them */
1345 nt_domain = talloc_strdup(result, domain);
1346 }
1347 if (!nt_domain) {
1348 TALLOC_FREE(result);
1349 return NT_STATUS_NO_MEMORY;
1350 }
1351
1352 /* try to fill the SAM account.. If getpwnam() fails, then try the
1353 add user script (2.2.x behavior).
1354
1355 We use the _unmapped_ username here in an attempt to provide
1356 consistent username mapping behavior between kerberos and NTLM[SSP]
1357 authentication in domain mode security. I.E. Username mapping
1358 should be applied to the fully qualified username
1359 (e.g. DOMAIN\user) and not just the login name. Yes this means we
1360 called map_username() unnecessarily in make_user_info_map() but
1361 that is how the current code is designed. Making the change here
1362 is the least disruptive place. -- jerry */
1363
1364 if ( !(sam_account = samu_new( result )) ) {
1365 TALLOC_FREE(result);
1366 return NT_STATUS_NO_MEMORY;
1367 }
1368
1369 /* this call will try to create the user if necessary */
1370
1371 nt_status = fill_sam_account(result, nt_domain, sent_nt_username,
1372 &found_username, &uid, &gid, sam_account,
1373 &username_was_mapped);
1374
1375 /* if we still don't have a valid unix account check for
1376 'map to guest = bad uid' */
1377
1378 if (!NT_STATUS_IS_OK(nt_status)) {
1379 TALLOC_FREE( result );
1380 if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) {
1381 make_server_info_guest(NULL, server_info);
1382 return NT_STATUS_OK;
1383 }
1384 return nt_status;
1385 }
1386
1387 if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) {
1388 TALLOC_FREE(result);
1389 return NT_STATUS_NO_MEMORY;
1390 }
1391
1392 if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) {
1393 TALLOC_FREE(result);
1394 return NT_STATUS_NO_MEMORY;
1395 }
1396
1397 if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) {
1398 TALLOC_FREE(result);
1399 return NT_STATUS_NO_MEMORY;
1400 }
1401
1402 if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) {
1403 TALLOC_FREE(result);
1404 return NT_STATUS_UNSUCCESSFUL;
1405 }
1406
1407 if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) {
1408 TALLOC_FREE(result);
1409 return NT_STATUS_UNSUCCESSFUL;
1410 }
1411
1412 if (!pdb_set_fullname(sam_account, info->full_name, PDB_CHANGED)) {
1413 TALLOC_FREE(result);
1414 return NT_STATUS_NO_MEMORY;
1415 }
1416
1417 if (!pdb_set_logon_script(sam_account, info->logon_script, PDB_CHANGED)) {
1418 TALLOC_FREE(result);
1419 return NT_STATUS_NO_MEMORY;
1420 }
1421
1422 if (!pdb_set_profile_path(sam_account, info->profile_path, PDB_CHANGED)) {
1423 TALLOC_FREE(result);
1424 return NT_STATUS_NO_MEMORY;
1425 }
1426
1427 if (!pdb_set_homedir(sam_account, info->home_directory, PDB_CHANGED)) {
1428 TALLOC_FREE(result);
1429 return NT_STATUS_NO_MEMORY;
1430 }
1431
1432 if (!pdb_set_dir_drive(sam_account, info->home_drive, PDB_CHANGED)) {
1433 TALLOC_FREE(result);
1434 return NT_STATUS_NO_MEMORY;
1435 }
1436
1437 if (!pdb_set_acct_ctrl(sam_account, info->acct_flags, PDB_CHANGED)) {
1438 TALLOC_FREE(result);
1439 return NT_STATUS_NO_MEMORY;
1440 }
1441
1442 if (!pdb_set_pass_last_set_time(
1443 sam_account,
1444 nt_time_to_unix(info->pass_last_set_time),
1445 PDB_CHANGED)) {
1446 TALLOC_FREE(result);
1447 return NT_STATUS_NO_MEMORY;
1448 }
1449
1450 if (!pdb_set_pass_can_change_time(
1451 sam_account,
1452 nt_time_to_unix(info->pass_can_change_time),
1453 PDB_CHANGED)) {
1454 TALLOC_FREE(result);
1455 return NT_STATUS_NO_MEMORY;
1456 }
1457
1458 if (!pdb_set_pass_must_change_time(
1459 sam_account,
1460 nt_time_to_unix(info->pass_must_change_time),
1461 PDB_CHANGED)) {
1462 TALLOC_FREE(result);
1463 return NT_STATUS_NO_MEMORY;
1464 }
1465
1466 /* save this here to _net_sam_logon() doesn't fail (it assumes a
1467 valid struct samu) */
1468
1469 result->sam_account = sam_account;
1470 result->unix_name = talloc_strdup(result, found_username);
1471
1472 result->sanitized_username = sanitize_username(result,
1473 result->unix_name);
1474 result->login_server = talloc_strdup(result, info->logon_server);
1475
1476 if ((result->unix_name == NULL)
1477 || (result->sanitized_username == NULL)
1478 || (result->login_server == NULL)) {
1479 TALLOC_FREE(result);
1480 return NT_STATUS_NO_MEMORY;
1481 }
1482
1483 /* Fill in the unix info we found on the way */
1484
1485 result->utok.uid = uid;
1486 result->utok.gid = gid;
1487
1488 /* Create a 'combined' list of all SIDs we might want in the SD */
1489
1490 result->num_sids = info->num_sids - 2;
1491 result->sids = talloc_array(result, DOM_SID, result->num_sids);
1492 if (result->sids == NULL) {
1493 TALLOC_FREE(result);
1494 return NT_STATUS_NO_MEMORY;
1495 }
1496
1497 for (i=0; i < result->num_sids; i++) {
1498 memcpy(&result->sids[i], &info->sids[i+2].sid, sizeof(result->sids[i]));
1499 }
1500
1501 /* Ensure the primary group sid is at position 0. */
1502 sort_sid_array_for_smbd(result, &group_sid);
1503
1504 /* ensure we are never given NULL session keys */
1505
1506 if (memcmp(info->user_session_key, zeros, sizeof(zeros)) == 0) {
1507 result->user_session_key = data_blob_null;
1508 } else {
1509 result->user_session_key = data_blob_talloc(
1510 result, info->user_session_key,
1511 sizeof(info->user_session_key));
1512 }
1513
1514 if (memcmp(info->lm_session_key, zeros, 8) == 0) {
1515 result->lm_session_key = data_blob_null;
1516 } else {
1517 result->lm_session_key = data_blob_talloc(
1518 result, info->lm_session_key,
1519 sizeof(info->lm_session_key));
1520 }
1521
1522 result->nss_token |= username_was_mapped;
1523
1524 *server_info = result;
1525
1526 return NT_STATUS_OK;
1527 }
1528
1529 /**
1530 * Verify whether or not given domain is trusted.
1531 *
1532 * @param domain_name name of the domain to be verified
1533 * @return true if domain is one of the trusted ones or
1534 * false if otherwise
1535 **/
1536
1537 bool is_trusted_domain(const char* dom_name)
1538 {
1539 DOM_SID trustdom_sid;
1540 bool ret;
1541
1542 /* no trusted domains for a standalone server */
1543
1544 if ( lp_server_role() == ROLE_STANDALONE )
1545 return False;
1546
1547 if (dom_name == NULL || dom_name[0] == '\0') {
1548 return false;
1549 }
1550
1551 if (strequal(dom_name, get_global_sam_name())) {
1552 return false;
1553 }
1554
1555 /* if we are a DC, then check for a direct trust relationships */
1556
1557 if ( IS_DC ) {
1558 become_root();
1559 DEBUG (5,("is_trusted_domain: Checking for domain trust with "
1560 "[%s]\n", dom_name ));
1561 ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
1562 unbecome_root();
1563 if (ret)
1564 return True;
1565 }
1566 else {
1567 wbcErr result;
1568
1569 /* If winbind is around, ask it */
1570
1571 result = wb_is_trusted_domain(dom_name);
1572
1573 if (result == WBC_ERR_SUCCESS) {
1574 return True;
1575 }
1576
1577 if (result == WBC_ERR_DOMAIN_NOT_FOUND) {
1578 /* winbind could not find the domain */
1579 return False;
1580 }
1581
1582 /* The only other possible result is that winbind is not up
1583 and running. We need to update the trustdom_cache
1584 ourselves */
1585
1586 update_trustdom_cache();
1587 }
1588
1589 /* now the trustdom cache should be available a DC could still
1590 * have a transitive trust so fall back to the cache of trusted
1591 * domains (like a domain member would use */
1592
1593 if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) {
1594 return True;
1595 }
1596
1597 return False;
1598 }
1599
reg import