2 Unix SMB/CIFS implementation.
4 Winbind daemon - pam auth funcions
6 Copyright (C) Andrew Tridgell 2000
7 Copyright (C) Tim Potter 2001
8 Copyright (C) Andrew Bartlett 2001-2002
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
27 #define DBGC_CLASS DBGC_WINBIND
30 static NTSTATUS
append_info3_as_ndr(TALLOC_CTX
*mem_ctx
,
31 struct winbindd_cli_state
*state
,
32 NET_USER_INFO_3
*info3
)
36 if (!prs_init(&ps
, 256 /* Random, non-zero number */, mem_ctx
, MARSHALL
)) {
37 return NT_STATUS_NO_MEMORY
;
39 if (!net_io_user_info3("", info3
, &ps
, 1, 3)) {
41 return NT_STATUS_UNSUCCESSFUL
;
44 size
= prs_data_size(&ps
);
45 state
->response
.extra_data
= malloc(size
);
46 if (!state
->response
.extra_data
) {
48 return NT_STATUS_NO_MEMORY
;
50 prs_copy_all_data_out(state
->response
.extra_data
, &ps
);
51 state
->response
.length
+= size
;
56 /* Return a password structure from a username. */
58 enum winbindd_result
winbindd_pam_auth(struct winbindd_cli_state
*state
)
61 fstring name_domain
, name_user
;
62 unsigned char trust_passwd
[16];
63 time_t last_change_time
;
65 NET_USER_INFO_3 info3
;
66 struct cli_state
*cli
= NULL
;
68 TALLOC_CTX
*mem_ctx
= NULL
;
72 /* Ensure null termination */
73 state
->request
.data
.auth
.user
[sizeof(state
->request
.data
.auth
.user
)-1]='\0';
75 /* Ensure null termination */
76 state
->request
.data
.auth
.pass
[sizeof(state
->request
.data
.auth
.pass
)-1]='\0';
78 DEBUG(3, ("[%5d]: pam auth %s\n", state
->pid
,
79 state
->request
.data
.auth
.user
));
81 if (!(mem_ctx
= talloc_init("winbind pam auth for %s", state
->request
.data
.auth
.user
))) {
82 DEBUG(0, ("winbindd_pam_auth: could not talloc_init()!\n"));
83 result
= NT_STATUS_NO_MEMORY
;
87 /* Parse domain and username */
89 if (!parse_domain_user(state
->request
.data
.auth
.user
, name_domain
,
91 DEBUG(5,("no domain separator (%s) in username (%s) - failing auth\n", lp_winbind_separator(), state
->request
.data
.auth
.user
));
92 result
= NT_STATUS_INVALID_PARAMETER
;
97 unsigned char local_lm_response
[24];
98 unsigned char local_nt_response
[24];
100 generate_random_buffer(chal
, 8, False
);
101 SMBencrypt(state
->request
.data
.auth
.pass
, chal
, local_lm_response
);
103 SMBNTencrypt(state
->request
.data
.auth
.pass
, chal
, local_nt_response
);
105 lm_resp
= data_blob_talloc(mem_ctx
, local_lm_response
, sizeof(local_lm_response
));
106 nt_resp
= data_blob_talloc(mem_ctx
, local_nt_response
, sizeof(local_nt_response
));
110 * Get the machine account password for our primary domain
113 if (!secrets_fetch_trust_account_password(
114 lp_workgroup(), trust_passwd
, &last_change_time
)) {
115 DEBUG(0, ("winbindd_pam_auth: could not fetch trust account "
116 "password for domain %s\n", lp_workgroup()));
117 result
= NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
121 /* We really don't care what LUID we give the user. */
123 generate_random_buffer( (unsigned char *)&smb_uid_low
, 4, False
);
127 /* Don't shut this down - it belongs to the connection cache code */
128 result
= cm_get_netlogon_cli(lp_workgroup(), trust_passwd
, &cli
);
130 if (!NT_STATUS_IS_OK(result
)) {
131 DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
135 result
= cli_netlogon_sam_network_logon(cli
, mem_ctx
,
136 name_user
, name_domain
,
137 lp_netbios_name(), chal
,
141 uni_group_cache_store_netlogon(mem_ctx
, &info3
);
144 state
->response
.data
.auth
.nt_status
= NT_STATUS_V(result
);
145 fstrcpy(state
->response
.data
.auth
.nt_status_string
, nt_errstr(result
));
146 fstrcpy(state
->response
.data
.auth
.error_string
, get_friendly_nt_error_msg(result
));
147 state
->response
.data
.auth
.pam_error
= nt_status_to_pam(result
);
149 DEBUG(NT_STATUS_IS_OK(result
) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
150 state
->request
.data
.auth
.user
,
151 state
->response
.data
.auth
.nt_status_string
,
152 state
->response
.data
.auth
.pam_error
));
155 talloc_destroy(mem_ctx
);
157 return NT_STATUS_IS_OK(result
) ? WINBINDD_OK
: WINBINDD_ERROR
;
160 /* Challenge Response Authentication Protocol */
162 enum winbindd_result
winbindd_pam_auth_crap(struct winbindd_cli_state
*state
)
165 unsigned char trust_passwd
[16];
166 time_t last_change_time
;
167 NET_USER_INFO_3 info3
;
168 struct cli_state
*cli
= NULL
;
169 TALLOC_CTX
*mem_ctx
= NULL
;
171 const char *domain
= NULL
;
172 const char *contact_domain
;
173 const char *workstation
;
175 DATA_BLOB lm_resp
, nt_resp
;
177 /* Ensure null termination */
178 state
->request
.data
.auth_crap
.user
[sizeof(state
->request
.data
.auth_crap
.user
)-1]='\0';
180 /* Ensure null termination */
181 state
->request
.data
.auth_crap
.domain
[sizeof(state
->request
.data
.auth_crap
.domain
)-1]='\0';
183 if (!(mem_ctx
= talloc_init("winbind pam auth crap for (utf8) %s", state
->request
.data
.auth_crap
.user
))) {
184 DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n"));
185 result
= NT_STATUS_NO_MEMORY
;
189 if (pull_utf8_talloc(mem_ctx
, &user
, state
->request
.data
.auth_crap
.user
) == (size_t)-1) {
190 DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
193 if (*state
->request
.data
.auth_crap
.domain
) {
195 if (pull_utf8_talloc(mem_ctx
, &dom
, state
->request
.data
.auth_crap
.domain
) == (size_t)-1) {
196 DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
199 } else if (lp_winbind_use_default_domain()) {
200 domain
= lp_workgroup();
202 DEBUG(5,("no domain specified with username (%s) - failing auth\n",
204 result
= NT_STATUS_INVALID_PARAMETER
;
208 DEBUG(3, ("[%5d]: pam auth crap domain: %s user: %s\n", state
->pid
,
211 if (lp_allow_trusted_domains() && (state
->request
.data
.auth_crap
.flags
& WINBIND_PAM_CONTACT_TRUSTDOM
)) {
212 contact_domain
= domain
;
214 contact_domain
= lp_workgroup();
217 if (*state
->request
.data
.auth_crap
.workstation
) {
219 if (pull_utf8_talloc(mem_ctx
, &wrk
, state
->request
.data
.auth_crap
.workstation
) == (size_t)-1) {
220 DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
224 workstation
= lp_netbios_name();
227 if (state
->request
.data
.auth_crap
.lm_resp_len
> sizeof(state
->request
.data
.auth_crap
.lm_resp
)
228 || state
->request
.data
.auth_crap
.nt_resp_len
> sizeof(state
->request
.data
.auth_crap
.nt_resp
)) {
229 DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
230 state
->request
.data
.auth_crap
.lm_resp_len
,
231 state
->request
.data
.auth_crap
.nt_resp_len
));
232 result
= NT_STATUS_INVALID_PARAMETER
;
236 lm_resp
= data_blob_talloc(mem_ctx
, state
->request
.data
.auth_crap
.lm_resp
, state
->request
.data
.auth_crap
.lm_resp_len
);
237 nt_resp
= data_blob_talloc(mem_ctx
, state
->request
.data
.auth_crap
.nt_resp
, state
->request
.data
.auth_crap
.nt_resp_len
);
240 * Get the machine account password for the domain to contact.
241 * This is either our own domain for a workstation, or possibly
242 * any domain for a PDC with trusted domains.
245 if (!secrets_fetch_trust_account_password (
246 contact_domain
, trust_passwd
, &last_change_time
)) {
247 DEBUG(0, ("winbindd_pam_auth: could not fetch trust account "
248 "password for domain %s\n", contact_domain
));
249 result
= NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
255 /* Don't shut this down - it belongs to the connection cache code */
256 result
= cm_get_netlogon_cli(contact_domain
, trust_passwd
, &cli
);
258 if (!NT_STATUS_IS_OK(result
)) {
259 DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n", nt_errstr(result
)));
263 result
= cli_netlogon_sam_network_logon(cli
, mem_ctx
,
265 workstation
, state
->request
.data
.auth_crap
.chal
,
269 if (NT_STATUS_IS_OK(result
)) {
270 uni_group_cache_store_netlogon(mem_ctx
, &info3
);
271 if (state
->request
.data
.auth_crap
.flags
& WINBIND_PAM_INFO3_NDR
) {
272 result
= append_info3_as_ndr(mem_ctx
, state
, &info3
);
276 /* we don't currently do this stuff right */
277 /* Doing an assert in a daemon is going to be a pretty bad
279 if (state
->request
.data
.auth_crap
.flags
& WINBIND_PAM_NTKEY
) {
280 SMB_ASSERT(sizeof(state
->response
.data
.auth
.nt_session_key
) == sizeof(info3
.user_sess_key
));
281 memcpy(state
->response
.data
.auth
.nt_session_key
, info3
.user_sess_key
, sizeof(state
->response
.data
.auth
.nt_session_key
) /* 16 */);
283 if (state
->request
.data
.auth_crap
.flags
& WINBIND_PAM_LMKEY
) {
284 SMB_ASSERT(sizeof(state
->response
.data
.auth
.nt_session_key
) <= sizeof(info3
.user_sess_key
));
285 memcpy(state
->response
.data
.auth
.first_8_lm_hash
, info3
.padding
, sizeof(state
->response
.data
.auth
.nt_session_key
) /* 16 */);
292 state
->response
.data
.auth
.nt_status
= NT_STATUS_V(result
);
293 push_utf8_fstring(state
->response
.data
.auth
.nt_status_string
, nt_errstr(result
));
294 push_utf8_fstring(state
->response
.data
.auth
.error_string
, nt_errstr(result
));
295 state
->response
.data
.auth
.pam_error
= nt_status_to_pam(result
);
297 DEBUG(NT_STATUS_IS_OK(result
) ? 5 : 2,
298 ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n",
301 state
->response
.data
.auth
.nt_status_string
,
302 state
->response
.data
.auth
.pam_error
));
305 talloc_destroy(mem_ctx
);
307 return NT_STATUS_IS_OK(result
) ? WINBINDD_OK
: WINBINDD_ERROR
;
310 /* Change a user password */
312 enum winbindd_result
winbindd_pam_chauthtok(struct winbindd_cli_state
*state
)
315 char *oldpass
, *newpass
;
316 fstring domain
, user
;
319 DEBUG(3, ("[%5d]: pam chauthtok %s\n", state
->pid
,
320 state
->request
.data
.chauthtok
.user
));
325 return WINBINDD_ERROR
;
327 if (!parse_domain_user(state
->request
.data
.chauthtok
.user
, domain
,
329 result
= NT_STATUS_INVALID_PARAMETER
;
333 /* Change password */
335 oldpass
= state
->request
.data
.chauthtok
.oldpass
;
336 newpass
= state
->request
.data
.chauthtok
.newpass
;
340 if (!(hnd
= cm_get_sam_handle(domain
))) {
341 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain
));
342 result
= NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
;
346 if (!cli_oem_change_password(hnd
->cli
, user
, newpass
, oldpass
)) {
347 DEBUG(1, ("password change failed for user %s/%s\n", domain
,
349 result
= NT_STATUS_WRONG_PASSWORD
;
351 result
= NT_STATUS_OK
;
355 state
->response
.data
.auth
.nt_status
= NT_STATUS_V(result
);
356 fstrcpy(state
->response
.data
.auth
.nt_status_string
, nt_errstr(result
));
357 fstrcpy(state
->response
.data
.auth
.error_string
, nt_errstr(result
));
358 state
->response
.data
.auth
.pam_error
= nt_status_to_pam(result
);
360 DEBUG(NT_STATUS_IS_OK(result
) ? 5 : 2,
361 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
364 state
->response
.data
.auth
.nt_status_string
,
365 state
->response
.data
.auth
.pam_error
));
367 return NT_STATUS_IS_OK(result
) ? WINBINDD_OK
: WINBINDD_ERROR
;