2 Unix SMB/CIFS implementation.
4 Winbind daemon - pam auth funcions
6 Copyright (C) Andrew Tridgell 2000
7 Copyright (C) Tim Potter 2001
8 Copyright (C) Andrew Bartlett 2001-2002
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
28 #define DBGC_CLASS DBGC_WINBIND
31 static NTSTATUS
append_info3_as_ndr(TALLOC_CTX
*mem_ctx
,
32 struct winbindd_cli_state
*state
,
33 NET_USER_INFO_3
*info3
)
37 if (!prs_init(&ps
, 256 /* Random, non-zero number */, mem_ctx
, MARSHALL
)) {
38 return NT_STATUS_NO_MEMORY
;
40 if (!net_io_user_info3("", info3
, &ps
, 1, 3)) {
42 return NT_STATUS_UNSUCCESSFUL
;
45 size
= prs_data_size(&ps
);
46 state
->response
.extra_data
= malloc(size
);
47 if (!state
->response
.extra_data
) {
49 return NT_STATUS_NO_MEMORY
;
51 prs_copy_all_data_out(state
->response
.extra_data
, &ps
);
52 state
->response
.length
+= size
;
57 /**********************************************************************
58 Authenticate a user with a clear test password
59 **********************************************************************/
61 enum winbindd_result
winbindd_pam_auth(struct winbindd_cli_state
*state
)
64 fstring name_domain
, name_user
;
65 unsigned char trust_passwd
[16];
66 time_t last_change_time
;
67 uint32 sec_channel_type
;
68 NET_USER_INFO_3 info3
;
69 struct cli_state
*cli
= NULL
;
71 TALLOC_CTX
*mem_ctx
= NULL
;
76 unsigned char local_lm_response
[24];
77 unsigned char local_nt_response
[24];
78 const char *contact_domain
;
81 /* Ensure null termination */
82 state
->request
.data
.auth
.user
[sizeof(state
->request
.data
.auth
.user
)-1]='\0';
84 /* Ensure null termination */
85 state
->request
.data
.auth
.pass
[sizeof(state
->request
.data
.auth
.pass
)-1]='\0';
87 DEBUG(3, ("[%5lu]: pam auth %s\n", (unsigned long)state
->pid
,
88 state
->request
.data
.auth
.user
));
90 if (!(mem_ctx
= talloc_init("winbind pam auth for %s", state
->request
.data
.auth
.user
))) {
91 DEBUG(0, ("winbindd_pam_auth: could not talloc_init()!\n"));
92 result
= NT_STATUS_NO_MEMORY
;
96 /* Parse domain and username */
98 parse_domain_user(state
->request
.data
.auth
.user
, name_domain
, name_user
);
100 /* do password magic */
102 generate_random_buffer(chal
, 8, False
);
103 SMBencrypt(state
->request
.data
.auth
.pass
, chal
, local_lm_response
);
105 SMBNTencrypt(state
->request
.data
.auth
.pass
, chal
, local_nt_response
);
107 lm_resp
= data_blob_talloc(mem_ctx
, local_lm_response
, sizeof(local_lm_response
));
108 nt_resp
= data_blob_talloc(mem_ctx
, local_nt_response
, sizeof(local_nt_response
));
110 if ( !get_trust_pw(name_domain
, trust_passwd
, &last_change_time
, &sec_channel_type
) ) {
111 result
= NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
115 /* what domain should we contact? */
118 if (!find_domain_from_name(name_domain
)) {
119 DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
120 state
->request
.data
.auth
.user
, name_domain
, name_user
, name_domain
));
121 result
= NT_STATUS_NO_SUCH_USER
;
124 contact_domain
= name_domain
;
127 if (is_myname(name_domain
)) {
128 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain
));
129 result
= NT_STATUS_NO_SUCH_USER
;
132 contact_domain
= lp_workgroup();
134 /* check authentication loop */
138 ZERO_STRUCT(ret_creds
);
141 /* Don't shut this down - it belongs to the connection cache code */
142 result
= cm_get_netlogon_cli(contact_domain
, trust_passwd
,
143 sec_channel_type
, False
, &cli
);
145 if (!NT_STATUS_IS_OK(result
)) {
146 DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
150 result
= cli_netlogon_sam_network_logon(cli
, mem_ctx
,
152 name_user
, name_domain
,
153 global_myname(), chal
,
158 /* We have to try a second time as cm_get_netlogon_cli
159 might not yet have noticed that the DC has killed
162 if ( cli
->fd
== -1 ) {
167 /* if we get access denied, a possible cuase was that we had and open
168 connection to the DC, but someone changed our machine account password
169 out from underneath us using 'net rpc changetrustpw' */
171 if ( NT_STATUS_V(result
) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED
) ) {
172 DEBUG(3,("winbindd_pam_auth: sam_logon returned ACCESS_DENIED. Maybe the trust account "
173 "password was changed and we didn't know it. Killing connections to domain %s\n",
180 } while ( (attempts
< 2) && retry
);
182 clnt_deal_with_creds(cli
->sess_key
, &(cli
->clnt_cred
), &ret_creds
);
184 if (NT_STATUS_IS_OK(result
)) {
185 netsamlogon_cache_store( cli
->mem_ctx
, &info3
);
186 wcache_invalidate_samlogon(find_domain_from_name(name_domain
), &info3
);
190 /* give us a more useful (more correct?) error code */
191 if ((NT_STATUS_EQUAL(result
, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
) || (NT_STATUS_EQUAL(result
, NT_STATUS_UNSUCCESSFUL
)))) {
192 result
= NT_STATUS_NO_LOGON_SERVERS
;
195 state
->response
.data
.auth
.nt_status
= NT_STATUS_V(result
);
196 fstrcpy(state
->response
.data
.auth
.nt_status_string
, nt_errstr(result
));
197 fstrcpy(state
->response
.data
.auth
.error_string
, get_friendly_nt_error_msg(result
));
198 state
->response
.data
.auth
.pam_error
= nt_status_to_pam(result
);
200 DEBUG(NT_STATUS_IS_OK(result
) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
201 state
->request
.data
.auth
.user
,
202 state
->response
.data
.auth
.nt_status_string
,
203 state
->response
.data
.auth
.pam_error
));
206 talloc_destroy(mem_ctx
);
208 return NT_STATUS_IS_OK(result
) ? WINBINDD_OK
: WINBINDD_ERROR
;
211 /**********************************************************************
212 Challenge Response Authentication Protocol
213 **********************************************************************/
215 enum winbindd_result
winbindd_pam_auth_crap(struct winbindd_cli_state
*state
)
218 unsigned char trust_passwd
[16];
219 time_t last_change_time
;
220 uint32 sec_channel_type
;
221 NET_USER_INFO_3 info3
;
222 struct cli_state
*cli
= NULL
;
223 TALLOC_CTX
*mem_ctx
= NULL
;
225 const char *domain
= NULL
;
226 const char *workstation
;
227 const char *contact_domain
;
232 DATA_BLOB lm_resp
, nt_resp
;
234 if (!state
->privileged
) {
235 char *error_string
= NULL
;
236 DEBUG(2, ("winbindd_pam_auth_crap: non-privileged access denied. !\n"));
237 DEBUGADD(2, ("winbindd_pam_auth_crap: Ensure permissions on %s are set correctly.\n",
238 get_winbind_priv_pipe_dir()));
239 /* send a better message than ACCESS_DENIED */
240 asprintf(&error_string
, "winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on %s are set correctly.",
241 get_winbind_priv_pipe_dir());
242 push_utf8_fstring(state
->response
.data
.auth
.error_string
, error_string
);
243 SAFE_FREE(error_string
);
244 result
= NT_STATUS_ACCESS_DENIED
;
248 /* Ensure null termination */
249 state
->request
.data
.auth_crap
.user
[sizeof(state
->request
.data
.auth_crap
.user
)-1]=0;
250 state
->request
.data
.auth_crap
.domain
[sizeof(state
->request
.data
.auth_crap
.domain
)-1]=0;
252 if (!(mem_ctx
= talloc_init("winbind pam auth crap for (utf8) %s", state
->request
.data
.auth_crap
.user
))) {
253 DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n"));
254 result
= NT_STATUS_NO_MEMORY
;
258 if (pull_utf8_talloc(mem_ctx
, &user
, state
->request
.data
.auth_crap
.user
) == (size_t)-1) {
259 DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
260 result
= NT_STATUS_UNSUCCESSFUL
;
264 if (*state
->request
.data
.auth_crap
.domain
) {
266 if (pull_utf8_talloc(mem_ctx
, &dom
, state
->request
.data
.auth_crap
.domain
) == (size_t)-1) {
267 DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
268 result
= NT_STATUS_UNSUCCESSFUL
;
272 } else if (lp_winbind_use_default_domain()) {
273 domain
= lp_workgroup();
275 DEBUG(5,("no domain specified with username (%s) - failing auth\n",
277 result
= NT_STATUS_INVALID_PARAMETER
;
281 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state
->pid
,
284 if ( !get_trust_pw(domain
, trust_passwd
, &last_change_time
, &sec_channel_type
) ) {
285 result
= NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
289 if (*state
->request
.data
.auth_crap
.workstation
) {
291 if (pull_utf8_talloc(mem_ctx
, &wrk
, state
->request
.data
.auth_crap
.workstation
) == (size_t)-1) {
292 DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
293 result
= NT_STATUS_UNSUCCESSFUL
;
298 workstation
= global_myname();
301 if (state
->request
.data
.auth_crap
.lm_resp_len
> sizeof(state
->request
.data
.auth_crap
.lm_resp
)
302 || state
->request
.data
.auth_crap
.nt_resp_len
> sizeof(state
->request
.data
.auth_crap
.nt_resp
)) {
303 DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
304 state
->request
.data
.auth_crap
.lm_resp_len
,
305 state
->request
.data
.auth_crap
.nt_resp_len
));
306 result
= NT_STATUS_INVALID_PARAMETER
;
310 lm_resp
= data_blob_talloc(mem_ctx
, state
->request
.data
.auth_crap
.lm_resp
, state
->request
.data
.auth_crap
.lm_resp_len
);
311 nt_resp
= data_blob_talloc(mem_ctx
, state
->request
.data
.auth_crap
.nt_resp
, state
->request
.data
.auth_crap
.nt_resp_len
);
313 /* what domain should we contact? */
316 if (!find_domain_from_name(domain
)) {
317 DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
318 state
->request
.data
.auth
.user
, domain
, user
, domain
));
319 result
= NT_STATUS_NO_SUCH_USER
;
322 contact_domain
= domain
;
324 if (is_myname(domain
)) {
325 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", domain
));
326 result
= NT_STATUS_NO_SUCH_USER
;
329 contact_domain
= lp_workgroup();
334 ZERO_STRUCT(ret_creds
);
337 /* Don't shut this down - it belongs to the connection cache code */
338 result
= cm_get_netlogon_cli(contact_domain
, trust_passwd
, sec_channel_type
, False
, &cli
);
340 if (!NT_STATUS_IS_OK(result
)) {
341 DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n",
346 result
= cli_netlogon_sam_network_logon(cli
, mem_ctx
,
350 state
->request
.data
.auth_crap
.chal
,
356 /* We have to try a second time as cm_get_netlogon_cli
357 might not yet have noticed that the DC has killed
360 if ( cli
->fd
== -1 ) {
365 /* if we get access denied, a possible cause was that we had and open
366 connection to the DC, but someone changed our machine account password
367 out from underneath us using 'net rpc changetrustpw' */
369 if ( NT_STATUS_V(result
) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED
) ) {
370 DEBUG(3,("winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED. Maybe the trust account "
371 "password was changed and we didn't know it. Killing connections to domain %s\n",
378 } while ( (attempts
< 2) && retry
);
380 clnt_deal_with_creds(cli
->sess_key
, &(cli
->clnt_cred
), &ret_creds
);
382 if (NT_STATUS_IS_OK(result
)) {
383 netsamlogon_cache_store( cli
->mem_ctx
, &info3
);
384 wcache_invalidate_samlogon(find_domain_from_name(domain
), &info3
);
386 if (state
->request
.flags
& WBFLAG_PAM_INFO3_NDR
) {
387 result
= append_info3_as_ndr(mem_ctx
, state
, &info3
);
388 } else if (state
->request
.flags
& WBFLAG_PAM_UNIX_NAME
) {
389 /* ntlm_auth should return the unix username, per
390 'winbind use default domain' settings and the like */
392 fstring username_out
;
393 const char *nt_username
, *nt_domain
;
394 if (!(nt_username
= unistr2_tdup(mem_ctx
, &(info3
.uni_user_name
)))) {
395 /* If the server didn't give us one, just use the one we sent them */
399 if (!(nt_domain
= unistr2_tdup(mem_ctx
, &(info3
.uni_logon_dom
)))) {
400 /* If the server didn't give us one, just use the one we sent them */
404 fill_domain_username(username_out
, nt_domain
, nt_username
);
406 DEBUG(5, ("Setting unix username to [%s]\n", username_out
));
408 /* this interface is in UTF8 */
409 if (push_utf8_allocate((char **)&state
->response
.extra_data
, username_out
) == -1) {
410 result
= NT_STATUS_NO_MEMORY
;
413 state
->response
.length
+= strlen(state
->response
.extra_data
)+1;
416 if (state
->request
.flags
& WBFLAG_PAM_NTKEY
) {
417 memcpy(state
->response
.data
.auth
.nt_session_key
, info3
.user_sess_key
, sizeof(state
->response
.data
.auth
.nt_session_key
) /* 16 */);
419 if (state
->request
.flags
& WBFLAG_PAM_LMKEY
) {
420 memcpy(state
->response
.data
.auth
.first_8_lm_hash
, info3
.padding
, sizeof(state
->response
.data
.auth
.first_8_lm_hash
) /* 8 */);
425 /* give us a more useful (more correct?) error code */
426 if ((NT_STATUS_EQUAL(result
, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
) || (NT_STATUS_EQUAL(result
, NT_STATUS_UNSUCCESSFUL
)))) {
427 result
= NT_STATUS_NO_LOGON_SERVERS
;
430 state
->response
.data
.auth
.nt_status
= NT_STATUS_V(result
);
431 push_utf8_fstring(state
->response
.data
.auth
.nt_status_string
, nt_errstr(result
));
433 /* we might have given a more useful error above */
434 if (!*state
->response
.data
.auth
.error_string
)
435 push_utf8_fstring(state
->response
.data
.auth
.error_string
, get_friendly_nt_error_msg(result
));
436 state
->response
.data
.auth
.pam_error
= nt_status_to_pam(result
);
438 DEBUG(NT_STATUS_IS_OK(result
) ? 5 : 2,
439 ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n",
442 state
->response
.data
.auth
.nt_status_string
,
443 state
->response
.data
.auth
.pam_error
));
446 talloc_destroy(mem_ctx
);
448 return NT_STATUS_IS_OK(result
) ? WINBINDD_OK
: WINBINDD_ERROR
;
451 /* Change a user password */
453 enum winbindd_result
winbindd_pam_chauthtok(struct winbindd_cli_state
*state
)
456 char *oldpass
, *newpass
;
457 fstring domain
, user
;
460 DEBUG(3, ("[%5lu]: pam chauthtok %s\n", (unsigned long)state
->pid
,
461 state
->request
.data
.chauthtok
.user
));
466 return WINBINDD_ERROR
;
468 parse_domain_user(state
->request
.data
.chauthtok
.user
, domain
, user
);
470 if (!find_domain_from_name(domain
)) {
471 DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
472 state
->request
.data
.chauthtok
.user
, domain
, user
, domain
));
473 result
= NT_STATUS_NO_SUCH_USER
;
477 /* Change password */
479 oldpass
= state
->request
.data
.chauthtok
.oldpass
;
480 newpass
= state
->request
.data
.chauthtok
.newpass
;
484 if ( NT_STATUS_IS_ERR(result
= cm_get_sam_handle(domain
, &hnd
)) ) {
485 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain
));
489 if (!cli_oem_change_password(hnd
->cli
, user
, newpass
, oldpass
)) {
490 DEBUG(1, ("password change failed for user %s/%s\n", domain
,
492 result
= NT_STATUS_WRONG_PASSWORD
;
494 result
= NT_STATUS_OK
;
498 state
->response
.data
.auth
.nt_status
= NT_STATUS_V(result
);
499 fstrcpy(state
->response
.data
.auth
.nt_status_string
, nt_errstr(result
));
500 fstrcpy(state
->response
.data
.auth
.error_string
, nt_errstr(result
));
501 state
->response
.data
.auth
.pam_error
= nt_status_to_pam(result
);
503 DEBUG(NT_STATUS_IS_OK(result
) ? 5 : 2,
504 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
507 state
->response
.data
.auth
.nt_status_string
,
508 state
->response
.data
.auth
.pam_error
));
510 return NT_STATUS_IS_OK(result
) ? WINBINDD_OK
: WINBINDD_ERROR
;