search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
tevent: expose tevent_context_init_ops
[Samba/gebeck_regimport.git] / source3 / auth / auth_util.c
blobf270ccd413e3ac1ea140f307a7ded50d0b744fbd
1 /*
2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001-2011
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Volker Lendecke 2006-2008
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "auth.h"
26 #include "../libcli/auth/libcli_auth.h"
27 #include "../lib/crypto/arcfour.h"
28 #include "rpc_client/init_lsa.h"
29 #include "../libcli/security/security.h"
30 #include "../lib/util/util_pw.h"
31 #include "lib/winbind_util.h"
32 #include "passdb.h"
33 #include "../librpc/gen_ndr/ndr_auth.h"
34 #include "../auth/auth_sam_reply.h"
35 #include "../librpc/gen_ndr/idmap.h"
36
37 #undef DBGC_CLASS
38 #define DBGC_CLASS DBGC_AUTH
39
40 /****************************************************************************
41 Create a UNIX user on demand.
42 ****************************************************************************/
43
44 static int _smb_create_user(const char *domain, const char *unix_username, const char *homedir)
45 {
46 TALLOC_CTX *ctx = talloc_tos();
47 char *add_script;
48 int ret;
49
50 add_script = talloc_strdup(ctx, lp_adduser_script());
51 if (!add_script || !*add_script) {
52 return -1;
53 }
54 add_script = talloc_all_string_sub(ctx,
55 add_script,
56 "%u",
57 unix_username);
58 if (!add_script) {
59 return -1;
60 }
61 if (domain) {
62 add_script = talloc_all_string_sub(ctx,
63 add_script,
64 "%D",
65 domain);
66 if (!add_script) {
67 return -1;
68 }
69 }
70 if (homedir) {
71 add_script = talloc_all_string_sub(ctx,
72 add_script,
73 "%H",
74 homedir);
75 if (!add_script) {
76 return -1;
77 }
78 }
79 ret = smbrun(add_script,NULL);
80 flush_pwnam_cache();
81 DEBUG(ret ? 0 : 3,
82 ("smb_create_user: Running the command `%s' gave %d\n",
83 add_script,ret));
84 return ret;
85 }
86
87 /****************************************************************************
88 Create an auth_usersupplied_data structure after appropriate mapping.
89 ****************************************************************************/
90
91 NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info,
92 const char *smb_name,
93 const char *client_domain,
94 const char *workstation_name,
95 const struct tsocket_address *remote_address,
96 const DATA_BLOB *lm_pwd,
97 const DATA_BLOB *nt_pwd,
98 const struct samr_Password *lm_interactive_pwd,
99 const struct samr_Password *nt_interactive_pwd,
100 const char *plaintext,
101 enum auth_password_state password_state)
102 {
103 const char *domain;
104 NTSTATUS result;
105 bool was_mapped;
106 char *internal_username = NULL;
107
108 was_mapped = map_username(talloc_tos(), smb_name, &internal_username);
109 if (!internal_username) {
110 return NT_STATUS_NO_MEMORY;
111 }
112
113 DEBUG(5, ("Mapping user [%s]\\[%s] from workstation [%s]\n",
114 client_domain, smb_name, workstation_name));
115
116 domain = client_domain;
117
118 /* If you connect to a Windows domain member using a bogus domain name,
119 * the Windows box will map the BOGUS\user to SAMNAME\user. Thus, if
120 * the Windows box is a DC the name will become DOMAIN\user and be
121 * authenticated against AD, if the Windows box is a member server but
122 * not a DC the name will become WORKSTATION\user. A standalone
123 * non-domain member box will also map to WORKSTATION\user.
124 * This also deals with the client passing in a "" domain */
125
126 if (!is_trusted_domain(domain) &&
127 !strequal(domain, my_sam_name()))
128 {
129 if (lp_map_untrusted_to_domain())
130 domain = my_sam_name();
131 else
132 domain = get_global_sam_name();
133 DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] from "
134 "workstation [%s]\n",
135 client_domain, domain, smb_name, workstation_name));
136 }
137
138 /* We know that the given domain is trusted (and we are allowing them),
139 * it is our global SAM name, or for legacy behavior it is our
140 * primary domain name */
141
142 result = make_user_info(user_info, smb_name, internal_username,
143 client_domain, domain, workstation_name,
144 remote_address, lm_pwd, nt_pwd,
145 lm_interactive_pwd, nt_interactive_pwd,
146 plaintext, password_state);
147 if (NT_STATUS_IS_OK(result)) {
148 /* We have tried mapping */
149 (*user_info)->mapped_state = true;
150 /* did we actually map the user to a different name? */
151 (*user_info)->was_mapped = was_mapped;
152 }
153 return result;
154 }
155
156 /****************************************************************************
157 Create an auth_usersupplied_data, making the DATA_BLOBs here.
158 Decrypt and encrypt the passwords.
159 ****************************************************************************/
160
161 bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info,
162 const char *smb_name,
163 const char *client_domain,
164 const char *workstation_name,
165 const struct tsocket_address *remote_address,
166 uint32 logon_parameters,
167 const uchar *lm_network_pwd,
168 int lm_pwd_len,
169 const uchar *nt_network_pwd,
170 int nt_pwd_len)
171 {
172 bool ret;
173 NTSTATUS status;
174 DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len);
175 DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
176
177 status = make_user_info_map(user_info,
178 smb_name, client_domain,
179 workstation_name,
180 remote_address,
181 lm_pwd_len ? &lm_blob : NULL,
182 nt_pwd_len ? &nt_blob : NULL,
183 NULL, NULL, NULL,
184 AUTH_PASSWORD_RESPONSE);
185
186 if (NT_STATUS_IS_OK(status)) {
187 (*user_info)->logon_parameters = logon_parameters;
188 }
189 ret = NT_STATUS_IS_OK(status) ? true : false;
190
191 data_blob_free(&lm_blob);
192 data_blob_free(&nt_blob);
193 return ret;
194 }
195
196 /****************************************************************************
197 Create an auth_usersupplied_data, making the DATA_BLOBs here.
198 Decrypt and encrypt the passwords.
199 ****************************************************************************/
200
201 bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_info,
202 const char *smb_name,
203 const char *client_domain,
204 const char *workstation_name,
205 const struct tsocket_address *remote_address,
206 uint32 logon_parameters,
207 const uchar chal[8],
208 const uchar lm_interactive_pwd[16],
209 const uchar nt_interactive_pwd[16],
210 const uchar *dc_sess_key)
211 {
212 struct samr_Password lm_pwd;
213 struct samr_Password nt_pwd;
214 unsigned char local_lm_response[24];
215 unsigned char local_nt_response[24];
216 unsigned char key[16];
217
218 memcpy(key, dc_sess_key, 16);
219
220 if (lm_interactive_pwd)
221 memcpy(lm_pwd.hash, lm_interactive_pwd, sizeof(lm_pwd.hash));
222
223 if (nt_interactive_pwd)
224 memcpy(nt_pwd.hash, nt_interactive_pwd, sizeof(nt_pwd.hash));
225
226 #ifdef DEBUG_PASSWORD
227 DEBUG(100,("key:"));
228 dump_data(100, key, sizeof(key));
229
230 DEBUG(100,("lm owf password:"));
231 dump_data(100, lm_pwd.hash, sizeof(lm_pwd.hash));
232
233 DEBUG(100,("nt owf password:"));
234 dump_data(100, nt_pwd.hash, sizeof(nt_pwd.hash));
235 #endif
236
237 if (lm_interactive_pwd)
238 arcfour_crypt(lm_pwd.hash, key, sizeof(lm_pwd.hash));
239
240 if (nt_interactive_pwd)
241 arcfour_crypt(nt_pwd.hash, key, sizeof(nt_pwd.hash));
242
243 #ifdef DEBUG_PASSWORD
244 DEBUG(100,("decrypt of lm owf password:"));
245 dump_data(100, lm_pwd.hash, sizeof(lm_pwd));
246
247 DEBUG(100,("decrypt of nt owf password:"));
248 dump_data(100, nt_pwd.hash, sizeof(nt_pwd));
249 #endif
250
251 if (lm_interactive_pwd)
252 SMBOWFencrypt(lm_pwd.hash, chal,
253 local_lm_response);
254
255 if (nt_interactive_pwd)
256 SMBOWFencrypt(nt_pwd.hash, chal,
257 local_nt_response);
258
259 /* Password info paranoia */
260 ZERO_STRUCT(key);
261
262 {
263 bool ret;
264 NTSTATUS nt_status;
265 DATA_BLOB local_lm_blob;
266 DATA_BLOB local_nt_blob;
267
268 if (lm_interactive_pwd) {
269 local_lm_blob = data_blob(local_lm_response,
270 sizeof(local_lm_response));
271 }
272
273 if (nt_interactive_pwd) {
274 local_nt_blob = data_blob(local_nt_response,
275 sizeof(local_nt_response));
276 }
277
278 nt_status = make_user_info_map(
279 user_info,
280 smb_name, client_domain, workstation_name,
281 remote_address,
282 lm_interactive_pwd ? &local_lm_blob : NULL,
283 nt_interactive_pwd ? &local_nt_blob : NULL,
284 lm_interactive_pwd ? &lm_pwd : NULL,
285 nt_interactive_pwd ? &nt_pwd : NULL,
286 NULL, AUTH_PASSWORD_HASH);
287
288 if (NT_STATUS_IS_OK(nt_status)) {
289 (*user_info)->logon_parameters = logon_parameters;
290 }
291
292 ret = NT_STATUS_IS_OK(nt_status) ? true : false;
293 data_blob_free(&local_lm_blob);
294 data_blob_free(&local_nt_blob);
295 return ret;
296 }
297 }
298
299
300 /****************************************************************************
301 Create an auth_usersupplied_data structure
302 ****************************************************************************/
303
304 bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
305 const char *smb_name,
306 const char *client_domain,
307 const struct tsocket_address *remote_address,
308 const uint8 chal[8],
309 DATA_BLOB plaintext_password)
310 {
311
312 DATA_BLOB local_lm_blob;
313 DATA_BLOB local_nt_blob;
314 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
315 char *plaintext_password_string;
316 /*
317 * Not encrypted - do so.
318 */
319
320 DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted "
321 "format.\n"));
322 if (plaintext_password.data && plaintext_password.length) {
323 unsigned char local_lm_response[24];
324
325 #ifdef DEBUG_PASSWORD
326 DEBUG(10,("Unencrypted password (len %d):\n",
327 (int)plaintext_password.length));
328 dump_data(100, plaintext_password.data,
329 plaintext_password.length);
330 #endif
331
332 SMBencrypt( (const char *)plaintext_password.data,
333 (const uchar*)chal, local_lm_response);
334 local_lm_blob = data_blob(local_lm_response, 24);
335
336 /* We can't do an NT hash here, as the password needs to be
337 case insensitive */
338 local_nt_blob = data_blob_null;
339 } else {
340 local_lm_blob = data_blob_null;
341 local_nt_blob = data_blob_null;
342 }
343
344 plaintext_password_string = talloc_strndup(talloc_tos(),
345 (const char *)plaintext_password.data,
346 plaintext_password.length);
347 if (!plaintext_password_string) {
348 return false;
349 }
350
351 ret = make_user_info(
352 user_info, smb_name, smb_name, client_domain, client_domain,
353 get_remote_machine_name(),
354 remote_address,
355 local_lm_blob.data ? &local_lm_blob : NULL,
356 local_nt_blob.data ? &local_nt_blob : NULL,
357 NULL, NULL,
358 plaintext_password_string,
359 AUTH_PASSWORD_PLAIN);
360
361 if (plaintext_password_string) {
362 memset(plaintext_password_string, '\0', strlen(plaintext_password_string));
363 talloc_free(plaintext_password_string);
364 }
365
366 data_blob_free(&local_lm_blob);
367 return NT_STATUS_IS_OK(ret) ? true : false;
368 }
369
370 /****************************************************************************
371 Create an auth_usersupplied_data structure
372 ****************************************************************************/
373
374 NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info,
375 const char *smb_name,
376 const char *client_domain,
377 const struct tsocket_address *remote_address,
378 DATA_BLOB lm_resp, DATA_BLOB nt_resp)
379 {
380 return make_user_info(user_info, smb_name, smb_name,
381 client_domain, client_domain,
382 get_remote_machine_name(),
383 remote_address,
384 lm_resp.data && (lm_resp.length > 0) ? &lm_resp : NULL,
385 nt_resp.data && (nt_resp.length > 0) ? &nt_resp : NULL,
386 NULL, NULL, NULL,
387 AUTH_PASSWORD_RESPONSE);
388 }
389
390 /****************************************************************************
391 Create a guest user_info blob, for anonymous authentication.
392 ****************************************************************************/
393
394 bool make_user_info_guest(const struct tsocket_address *remote_address,
395 struct auth_usersupplied_info **user_info)
396 {
397 NTSTATUS nt_status;
398
399 nt_status = make_user_info(user_info,
400 "","",
401 "","",
402 "",
403 remote_address,
404 NULL, NULL,
405 NULL, NULL,
406 NULL,
407 AUTH_PASSWORD_RESPONSE);
408
409 return NT_STATUS_IS_OK(nt_status) ? true : false;
410 }
411
412 static NTSTATUS log_nt_token(struct security_token *token)
413 {
414 TALLOC_CTX *frame = talloc_stackframe();
415 char *command;
416 char *group_sidstr;
417 size_t i;
418
419 if ((lp_log_nt_token_command() == NULL) ||
420 (strlen(lp_log_nt_token_command()) == 0)) {
421 TALLOC_FREE(frame);
422 return NT_STATUS_OK;
423 }
424
425 group_sidstr = talloc_strdup(frame, "");
426 for (i=1; i<token->num_sids; i++) {
427 group_sidstr = talloc_asprintf(
428 frame, "%s %s", group_sidstr,
429 sid_string_talloc(frame, &token->sids[i]));
430 }
431
432 command = talloc_string_sub(
433 frame, lp_log_nt_token_command(),
434 "%s", sid_string_talloc(frame, &token->sids[0]));
435 command = talloc_string_sub(frame, command, "%t", group_sidstr);
436
437 if (command == NULL) {
438 TALLOC_FREE(frame);
439 return NT_STATUS_NO_MEMORY;
440 }
441
442 DEBUG(8, ("running command: [%s]\n", command));
443 if (smbrun(command, NULL) != 0) {
444 DEBUG(0, ("Could not log NT token\n"));
445 TALLOC_FREE(frame);
446 return NT_STATUS_ACCESS_DENIED;
447 }
448
449 TALLOC_FREE(frame);
450 return NT_STATUS_OK;
451 }
452
453 /*
454 * Create the token to use from server_info->info3 and
455 * server_info->sids (the info3/sam groups). Find the unix gids.
456 */
457
458 NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
459 const struct auth_serversupplied_info *server_info,
460 DATA_BLOB *session_key,
461 const char *smb_username, /* for ->sanitized_username, for %U subs */
462 struct auth_session_info **session_info_out)
463 {
464 struct security_token *t;
465 NTSTATUS status;
466 size_t i;
467 struct dom_sid tmp_sid;
468 struct auth_session_info *session_info;
469 struct unixid *ids;
470 fstring tmp;
471
472 /* Ensure we can't possible take a code path leading to a
473 * null defref. */
474 if (!server_info) {
475 return NT_STATUS_LOGON_FAILURE;
476 }
477
478 session_info = talloc_zero(mem_ctx, struct auth_session_info);
479 if (!session_info) {
480 return NT_STATUS_NO_MEMORY;
481 }
482
483 session_info->unix_token = talloc_zero(session_info, struct security_unix_token);
484 if (!session_info->unix_token) {
485 TALLOC_FREE(session_info);
486 return NT_STATUS_NO_MEMORY;
487 }
488
489 session_info->unix_token->uid = server_info->utok.uid;
490 session_info->unix_token->gid = server_info->utok.gid;
491
492 session_info->unix_info = talloc_zero(session_info, struct auth_user_info_unix);
493 if (!session_info->unix_info) {
494 TALLOC_FREE(session_info);
495 return NT_STATUS_NO_MEMORY;
496 }
497
498 session_info->unix_info->unix_name = talloc_strdup(session_info, server_info->unix_name);
499 if (!session_info->unix_info->unix_name) {
500 TALLOC_FREE(session_info);
501 return NT_STATUS_NO_MEMORY;
502 }
503
504 /* This is a potentially untrusted username for use in %U */
505 alpha_strcpy(tmp, smb_username, ". _-$", sizeof(tmp));
506 session_info->unix_info->sanitized_username =
507 talloc_strdup(session_info->unix_info, tmp);
508
509 session_info->unix_info->system = server_info->system;
510
511 if (session_key) {
512 data_blob_free(&session_info->session_key);
513 session_info->session_key = data_blob_talloc(session_info,
514 session_key->data,
515 session_key->length);
516 if (!session_info->session_key.data && session_key->length) {
517 return NT_STATUS_NO_MEMORY;
518 }
519 } else {
520 session_info->session_key = data_blob_talloc( session_info, server_info->session_key.data,
521 server_info->session_key.length);
522 }
523
524 /* We need to populate session_info->info with the information found in server_info->info3 */
525 status = make_user_info_SamBaseInfo(session_info, "", &server_info->info3->base,
526 server_info->guest == false,
527 &session_info->info);
528 if (!NT_STATUS_IS_OK(status)) {
529 DEBUG(0, ("conversion of info3 into auth_user_info failed!\n"));
530 TALLOC_FREE(session_info);
531 return status;
532 }
533
534 if (server_info->security_token) {
535 /* Just copy the token, it has already been finalised
536 * (nasty hack to support a cached guest session_info,
537 * and a possible strategy for auth_samba4 to pass in
538 * a finalised session) */
539
540 session_info->security_token = dup_nt_token(session_info, server_info->security_token);
541 if (!session_info->security_token) {
542 TALLOC_FREE(session_info);
543 return NT_STATUS_NO_MEMORY;
544 }
545
546 session_info->unix_token->ngroups = server_info->utok.ngroups;
547 if (server_info->utok.ngroups != 0) {
548 session_info->unix_token->groups = (gid_t *)talloc_memdup(
549 session_info->unix_token, server_info->utok.groups,
550 sizeof(gid_t)*session_info->unix_token->ngroups);
551 } else {
552 session_info->unix_token->groups = NULL;
553 }
554
555 *session_info_out = session_info;
556 return NT_STATUS_OK;
557 }
558
559 /*
560 * If winbind is not around, we can not make much use of the SIDs the
561 * domain controller provided us with. Likewise if the user name was
562 * mapped to some local unix user.
563 */
564
565 if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
566 (server_info->nss_token)) {
567 char *found_username = NULL;
568 status = create_token_from_username(session_info,
569 server_info->unix_name,
570 server_info->guest,
571 &session_info->unix_token->uid,
572 &session_info->unix_token->gid,
573 &found_username,
574 &session_info->security_token);
575 if (NT_STATUS_IS_OK(status)) {
576 session_info->unix_info->unix_name = found_username;
577 }
578 } else {
579 status = create_local_nt_token_from_info3(session_info,
580 server_info->guest,
581 server_info->info3,
582 &server_info->extra,
583 &session_info->security_token);
584 }
585
586 if (!NT_STATUS_IS_OK(status)) {
587 return status;
588 }
589
590 /* Convert the SIDs to gids. */
591
592 session_info->unix_token->ngroups = 0;
593 session_info->unix_token->groups = NULL;
594
595 t = session_info->security_token;
596
597 ids = talloc_array(talloc_tos(), struct unixid,
598 t->num_sids);
599 if (ids == NULL) {
600 return NT_STATUS_NO_MEMORY;
601 }
602
603 if (!sids_to_unixids(t->sids, t->num_sids, ids)) {
604 TALLOC_FREE(ids);
605 return NT_STATUS_NO_MEMORY;
606 }
607
608 for (i=0; i<t->num_sids; i++) {
609
610 if (i == 0 && ids[i].type != ID_TYPE_BOTH) {
611 continue;
612 }
613
614 if (ids[i].type != ID_TYPE_GID &&
615 ids[i].type != ID_TYPE_BOTH) {
616 DEBUG(10, ("Could not convert SID %s to gid, "
617 "ignoring it\n",
618 sid_string_dbg(&t->sids[i])));
619 continue;
620 }
621 if (!add_gid_to_array_unique(session_info, ids[i].id,
622 &session_info->unix_token->groups,
623 &session_info->unix_token->ngroups)) {
624 return NT_STATUS_NO_MEMORY;
625 }
626 }
627
628 /*
629 * Add the "Unix Group" SID for each gid to catch mapped groups
630 * and their Unix equivalent. This is to solve the backwards
631 * compatibility problem of 'valid users = +ntadmin' where
632 * ntadmin has been paired with "Domain Admins" in the group
633 * mapping table. Otherwise smb.conf would need to be changed
634 * to 'valid user = "Domain Admins"'. --jerry
635 *
636 * For consistency we also add the "Unix User" SID,
637 * so that the complete unix token is represented within
638 * the nt token.
639 */
640
641 uid_to_unix_users_sid(session_info->unix_token->uid, &tmp_sid);
642
643 add_sid_to_array_unique(session_info->security_token, &tmp_sid,
644 &session_info->security_token->sids,
645 &session_info->security_token->num_sids);
646
647 for ( i=0; i<session_info->unix_token->ngroups; i++ ) {
648 gid_to_unix_groups_sid(session_info->unix_token->groups[i], &tmp_sid);
649 add_sid_to_array_unique(session_info->security_token, &tmp_sid,
650 &session_info->security_token->sids,
651 &session_info->security_token->num_sids);
652 }
653
654 security_token_debug(DBGC_AUTH, 10, session_info->security_token);
655 debug_unix_user_token(DBGC_AUTH, 10,
656 session_info->unix_token->uid,
657 session_info->unix_token->gid,
658 session_info->unix_token->ngroups,
659 session_info->unix_token->groups);
660
661 status = log_nt_token(session_info->security_token);
662 if (!NT_STATUS_IS_OK(status)) {
663 return status;
664 }
665
666 *session_info_out = session_info;
667 return NT_STATUS_OK;
668 }
669
670 /***************************************************************************
671 Make (and fill) a server_info struct from a 'struct passwd' by conversion
672 to a struct samu
673 ***************************************************************************/
674
675 NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
676 char *unix_username,
677 struct passwd *pwd)
678 {
679 NTSTATUS status;
680 struct samu *sampass = NULL;
681 char *qualified_name = NULL;
682 TALLOC_CTX *mem_ctx = NULL;
683 struct dom_sid u_sid;
684 enum lsa_SidType type;
685 struct auth_serversupplied_info *result;
686
687 /*
688 * The SID returned in server_info->sam_account is based
689 * on our SAM sid even though for a pure UNIX account this should
690 * not be the case as it doesn't really exist in the SAM db.
691 * This causes lookups on "[in]valid users" to fail as they
692 * will lookup this name as a "Unix User" SID to check against
693 * the user token. Fix this by adding the "Unix User"\unix_username
694 * SID to the sid array. The correct fix should probably be
695 * changing the server_info->sam_account user SID to be a
696 * S-1-22 Unix SID, but this might break old configs where
697 * plaintext passwords were used with no SAM backend.
698 */
699
700 mem_ctx = talloc_init("make_server_info_pw_tmp");
701 if (!mem_ctx) {
702 return NT_STATUS_NO_MEMORY;
703 }
704
705 qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
706 unix_users_domain_name(),
707 unix_username );
708 if (!qualified_name) {
709 TALLOC_FREE(mem_ctx);
710 return NT_STATUS_NO_MEMORY;
711 }
712
713 if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
714 NULL, NULL,
715 &u_sid, &type)) {
716 TALLOC_FREE(mem_ctx);
717 return NT_STATUS_NO_SUCH_USER;
718 }
719
720 TALLOC_FREE(mem_ctx);
721
722 if (type != SID_NAME_USER) {
723 return NT_STATUS_NO_SUCH_USER;
724 }
725
726 if ( !(sampass = samu_new( NULL )) ) {
727 return NT_STATUS_NO_MEMORY;
728 }
729
730 status = samu_set_unix( sampass, pwd );
731 if (!NT_STATUS_IS_OK(status)) {
732 return status;
733 }
734
735 /* In pathological cases the above call can set the account
736 * name to the DOMAIN\username form. Reset the account name
737 * using unix_username */
738 pdb_set_username(sampass, unix_username, PDB_SET);
739
740 /* set the user sid to be the calculated u_sid */
741 pdb_set_user_sid(sampass, &u_sid, PDB_SET);
742
743 result = make_server_info(NULL);
744 if (result == NULL) {
745 TALLOC_FREE(sampass);
746 return NT_STATUS_NO_MEMORY;
747 }
748
749 status = samu_to_SamInfo3(result, sampass, lp_netbios_name(),
750 &result->info3, &result->extra);
751 TALLOC_FREE(sampass);
752 if (!NT_STATUS_IS_OK(status)) {
753 DEBUG(10, ("Failed to convert samu to info3: %s\n",
754 nt_errstr(status)));
755 TALLOC_FREE(result);
756 return status;
757 }
758
759 result->unix_name = talloc_strdup(result, unix_username);
760
761 if (result->unix_name == NULL) {
762 TALLOC_FREE(result);
763 return NT_STATUS_NO_MEMORY;
764 }
765
766 result->utok.uid = pwd->pw_uid;
767 result->utok.gid = pwd->pw_gid;
768
769 *server_info = result;
770
771 return NT_STATUS_OK;
772 }
773
774 static NTSTATUS get_system_info3(TALLOC_CTX *mem_ctx,
775 struct passwd *pwd,
776 struct netr_SamInfo3 *info3)
777 {
778 struct dom_sid domain_sid;
779 const char *tmp;
780
781 /* Set account name */
782 tmp = talloc_strdup(mem_ctx, pwd->pw_name);
783 if (tmp == NULL) {
784 return NT_STATUS_NO_MEMORY;
785 }
786 init_lsa_String(&info3->base.account_name, tmp);
787
788 /* Set domain name */
789 tmp = talloc_strdup(mem_ctx, get_global_sam_name());
790 if (tmp == NULL) {
791 return NT_STATUS_NO_MEMORY;
792 }
793 init_lsa_StringLarge(&info3->base.logon_domain, tmp);
794
795 /* Domain sid */
796 sid_copy(&domain_sid, get_global_sam_sid());
797
798 info3->base.domain_sid = dom_sid_dup(mem_ctx, &domain_sid);
799 if (info3->base.domain_sid == NULL) {
800 return NT_STATUS_NO_MEMORY;
801 }
802
803 /* Admin rid */
804 info3->base.rid = DOMAIN_RID_ADMINISTRATOR;
805
806 /* Primary gid */
807 info3->base.primary_gid = dom_sid_parse_talloc(mem_ctx, SID_NT_SYSTEM);
808
809 return NT_STATUS_OK;
810 }
811
812 static NTSTATUS get_guest_info3(TALLOC_CTX *mem_ctx,
813 struct netr_SamInfo3 *info3)
814 {
815 const char *guest_account = lp_guestaccount();
816 struct dom_sid domain_sid;
817 struct passwd *pwd;
818 const char *tmp;
819
820 pwd = Get_Pwnam_alloc(mem_ctx, guest_account);
821 if (pwd == NULL) {
822 DEBUG(0,("SamInfo3_for_guest: Unable to locate guest "
823 "account [%s]!\n", guest_account));
824 return NT_STATUS_NO_SUCH_USER;
825 }
826
827 /* Set account name */
828 tmp = talloc_strdup(mem_ctx, pwd->pw_name);
829 if (tmp == NULL) {
830 return NT_STATUS_NO_MEMORY;
831 }
832 init_lsa_String(&info3->base.account_name, tmp);
833
834 /* Set domain name */
835 tmp = talloc_strdup(mem_ctx, get_global_sam_name());
836 if (tmp == NULL) {
837 return NT_STATUS_NO_MEMORY;
838 }
839 init_lsa_StringLarge(&info3->base.logon_domain, tmp);
840
841 /* Domain sid */
842 sid_copy(&domain_sid, get_global_sam_sid());
843
844 info3->base.domain_sid = dom_sid_dup(mem_ctx, &domain_sid);
845 if (info3->base.domain_sid == NULL) {
846 return NT_STATUS_NO_MEMORY;
847 }
848
849 /* Guest rid */
850 info3->base.rid = DOMAIN_RID_GUEST;
851
852 /* Primary gid */
853 info3->base.primary_gid = BUILTIN_RID_GUESTS;
854
855 /* Set as guest */
856 info3->base.user_flags = NETLOGON_GUEST;
857
858 TALLOC_FREE(pwd);
859 return NT_STATUS_OK;
860 }
861
862 /***************************************************************************
863 Make (and fill) a user_info struct for a guest login.
864 This *must* succeed for smbd to start. If there is no mapping entry for
865 the guest gid, then create one.
866
867 The resulting structure is a 'session_info' because
868 create_local_token() has already been called on it. This is quite
869 nasty, as the auth subsystem isn't expect this, but the behavior is
870 left as-is for now.
871 ***************************************************************************/
872
873 static NTSTATUS make_new_session_info_guest(struct auth_session_info **session_info, struct auth_serversupplied_info **server_info)
874 {
875 static const char zeros[16] = {0};
876 const char *guest_account = lp_guestaccount();
877 const char *domain = lp_netbios_name();
878 struct netr_SamInfo3 info3;
879 TALLOC_CTX *tmp_ctx;
880 NTSTATUS status;
881
882 tmp_ctx = talloc_stackframe();
883 if (tmp_ctx == NULL) {
884 return NT_STATUS_NO_MEMORY;
885 }
886
887 ZERO_STRUCT(info3);
888
889 status = get_guest_info3(tmp_ctx, &info3);
890 if (!NT_STATUS_IS_OK(status)) {
891 DEBUG(0, ("get_guest_info3 failed with %s\n",
892 nt_errstr(status)));
893 goto done;
894 }
895
896 status = make_server_info_info3(tmp_ctx,
897 guest_account,
898 domain,
899 server_info,
900 &info3);
901 if (!NT_STATUS_IS_OK(status)) {
902 DEBUG(0, ("make_server_info_info3 failed with %s\n",
903 nt_errstr(status)));
904 goto done;
905 }
906
907 (*server_info)->guest = true;
908
909 /* This should not be done here (we should produce a server
910 * info, and later construct a session info from it), but for
911 * now this does not change the previous behavior */
912 status = create_local_token(tmp_ctx, *server_info, NULL,
913 (*server_info)->info3->base.account_name.string,
914 session_info);
915 if (!NT_STATUS_IS_OK(status)) {
916 DEBUG(0, ("create_local_token failed: %s\n",
917 nt_errstr(status)));
918 goto done;
919 }
920 talloc_steal(NULL, *session_info);
921 talloc_steal(NULL, *server_info);
922
923 /* annoying, but the Guest really does have a session key, and it is
924 all zeros! */
925 (*session_info)->session_key = data_blob(zeros, sizeof(zeros));
926
927 status = NT_STATUS_OK;
928 done:
929 TALLOC_FREE(tmp_ctx);
930 return status;
931 }
932
933 /****************************************************************************
934 Fake a auth_session_info just from a username (as a
935 session_info structure, with create_local_token() already called on
936 it.
937 ****************************************************************************/
938
939 static NTSTATUS make_system_session_info_from_pw(TALLOC_CTX *mem_ctx,
940 struct passwd *pwd,
941 struct auth_session_info **session_info)
942 {
943 struct auth_serversupplied_info *server_info;
944 const char *domain = lp_netbios_name();
945 struct netr_SamInfo3 info3;
946 TALLOC_CTX *tmp_ctx;
947 NTSTATUS status;
948
949 tmp_ctx = talloc_stackframe();
950 if (tmp_ctx == NULL) {
951 return NT_STATUS_NO_MEMORY;
952 }
953
954 ZERO_STRUCT(info3);
955
956 status = get_system_info3(tmp_ctx, pwd, &info3);
957 if (!NT_STATUS_IS_OK(status)) {
958 DEBUG(0, ("Failed creating system info3 with %s\n",
959 nt_errstr(status)));
960 goto done;
961 }
962
963 status = make_server_info_info3(tmp_ctx,
964 pwd->pw_name,
965 domain,
966 &server_info,
967 &info3);
968 if (!NT_STATUS_IS_OK(status)) {
969 DEBUG(0, ("make_server_info_info3 failed with %s\n",
970 nt_errstr(status)));
971 goto done;
972 }
973
974 server_info->nss_token = true;
975
976 /* Now turn the server_info into a session_info with the full token etc */
977 status = create_local_token(mem_ctx, server_info, NULL, pwd->pw_name, session_info);
978 if (!NT_STATUS_IS_OK(status)) {
979 DEBUG(0, ("create_local_token failed: %s\n",
980 nt_errstr(status)));
981 goto done;
982 }
983
984 talloc_free(server_info);
985 talloc_steal(mem_ctx, *session_info);
986
987 status = NT_STATUS_OK;
988 done:
989 TALLOC_FREE(tmp_ctx);
990 return status;
991 }
992
993 static NTSTATUS make_session_info_from_pw(TALLOC_CTX *mem_ctx,
994 struct passwd *pwd,
995 bool is_guest,
996 struct auth_session_info **session_info)
997 {
998 struct auth_serversupplied_info *result;
999 NTSTATUS status;
1000
1001 status = make_server_info_pw(&result, pwd->pw_name, pwd);
1002
1003 if (!NT_STATUS_IS_OK(status)) {
1004 return status;
1005 }
1006
1007 result->nss_token = true;
1008 result->guest = is_guest;
1009
1010 /* Now turn the server_info into a session_info with the full token etc */
1011 status = create_local_token(mem_ctx, result, NULL, pwd->pw_name, session_info);
1012 talloc_free(result);
1013 return status;
1014 }
1015
1016 /***************************************************************************
1017 Make (and fill) a auth_session_info struct for a system user login.
1018 This *must* succeed for smbd to start.
1019 ***************************************************************************/
1020
1021 static NTSTATUS make_new_session_info_system(TALLOC_CTX *mem_ctx,
1022 struct auth_session_info **session_info)
1023 {
1024 struct passwd *pwd;
1025 NTSTATUS status;
1026
1027 pwd = getpwuid_alloc(mem_ctx, sec_initial_uid());
1028 if (pwd == NULL) {
1029 return NT_STATUS_NO_SUCH_USER;
1030 }
1031
1032 status = make_system_session_info_from_pw(mem_ctx,
1033 pwd,
1034 session_info);
1035 TALLOC_FREE(pwd);
1036 if (!NT_STATUS_IS_OK(status)) {
1037 return status;
1038 }
1039
1040 (*session_info)->unix_info->system = true;
1041
1042 status = add_sid_to_array_unique((*session_info)->security_token->sids,
1043 &global_sid_System,
1044 &(*session_info)->security_token->sids,
1045 &(*session_info)->security_token->num_sids);
1046 if (!NT_STATUS_IS_OK(status)) {
1047 TALLOC_FREE((*session_info));
1048 return status;
1049 }
1050
1051 return NT_STATUS_OK;
1052 }
1053
1054 /****************************************************************************
1055 Fake a auth_session_info just from a username (as a
1056 session_info structure, with create_local_token() already called on
1057 it.
1058 ****************************************************************************/
1059
1060 NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
1061 const char *username,
1062 bool is_guest,
1063 struct auth_session_info **session_info)
1064 {
1065 struct passwd *pwd;
1066 NTSTATUS status;
1067
1068 pwd = Get_Pwnam_alloc(talloc_tos(), username);
1069 if (pwd == NULL) {
1070 return NT_STATUS_NO_SUCH_USER;
1071 }
1072
1073 status = make_session_info_from_pw(mem_ctx, pwd, is_guest, session_info);
1074
1075 if (!NT_STATUS_IS_OK(status)) {
1076 TALLOC_FREE(pwd);
1077 return status;
1078 }
1079
1080 TALLOC_FREE(pwd);
1081 return status;
1082 }
1083
1084 /* This function MUST only used to create the cached server_info for
1085 * guest.
1086 *
1087 * This is a lossy conversion. Variables known to be lost so far
1088 * include:
1089 *
1090 * - nss_token (not needed because the only read doesn't happen
1091 * for the GUEST user, as this routine populates ->security_token
1092 *
1093 * - extra (not needed because the guest account must have valid RIDs per the output of get_guest_info3())
1094 *
1095 * - The 'server_info' parameter allows the missing 'info3' to be copied across.
1096 */
1097 static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLOC_CTX *mem_ctx,
1098 const struct auth_session_info *src,
1099 struct auth_serversupplied_info *server_info)
1100 {
1101 struct auth_serversupplied_info *dst;
1102
1103 dst = make_server_info(mem_ctx);
1104 if (dst == NULL) {
1105 return NULL;
1106 }
1107
1108 /* This element must be provided to convert back to an auth_serversupplied_info */
1109 SMB_ASSERT(src->unix_info);
1110
1111 dst->guest = true;
1112 dst->system = false;
1113
1114 /* This element must be provided to convert back to an
1115 * auth_serversupplied_info. This needs to be from the
1116 * auth_session_info because the group values in particular
1117 * may change during create_local_token() processing */
1118 SMB_ASSERT(src->unix_token);
1119 dst->utok.uid = src->unix_token->uid;
1120 dst->utok.gid = src->unix_token->gid;
1121 dst->utok.ngroups = src->unix_token->ngroups;
1122 if (src->unix_token->ngroups != 0) {
1123 dst->utok.groups = (gid_t *)talloc_memdup(
1124 dst, src->unix_token->groups,
1125 sizeof(gid_t)*dst->utok.ngroups);
1126 } else {
1127 dst->utok.groups = NULL;
1128 }
1129
1130 /* We must have a security_token as otherwise the lossy
1131 * conversion without nss_token would cause create_local_token
1132 * to take the wrong path */
1133 SMB_ASSERT(src->security_token);
1134
1135 dst->security_token = dup_nt_token(dst, src->security_token);
1136 if (!dst->security_token) {
1137 TALLOC_FREE(dst);
1138 return NULL;
1139 }
1140
1141 dst->session_key = data_blob_talloc( dst, src->session_key.data,
1142 src->session_key.length);
1143
1144 /* This is OK because this functions is only used for the
1145 * GUEST account, which has all-zero keys for both values */
1146 dst->lm_session_key = data_blob_talloc(dst, src->session_key.data,
1147 src->session_key.length);
1148
1149 dst->info3 = copy_netr_SamInfo3(dst, server_info->info3);
1150 if (!dst->info3) {
1151 TALLOC_FREE(dst);
1152 return NULL;
1153 }
1154
1155 dst->unix_name = talloc_strdup(dst, src->unix_info->unix_name);
1156 if (!dst->unix_name) {
1157 TALLOC_FREE(dst);
1158 return NULL;
1159 }
1160
1161 return dst;
1162 }
1163
1164 struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx,
1165 const struct auth_session_info *src)
1166 {
1167 struct auth_session_info *dst;
1168 DATA_BLOB blob;
1169 enum ndr_err_code ndr_err;
1170
1171 ndr_err = ndr_push_struct_blob(
1172 &blob, talloc_tos(), src,
1173 (ndr_push_flags_fn_t)ndr_push_auth_session_info);
1174 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1175 DEBUG(0, ("copy_session_info(): ndr_push_auth_session_info failed: "
1176 "%s\n", ndr_errstr(ndr_err)));
1177 return NULL;
1178 }
1179
1180 dst = talloc(mem_ctx, struct auth_session_info);
1181 if (dst == NULL) {
1182 DEBUG(0, ("talloc failed\n"));
1183 TALLOC_FREE(blob.data);
1184 return NULL;
1185 }
1186
1187 ndr_err = ndr_pull_struct_blob(
1188 &blob, dst, dst,
1189 (ndr_pull_flags_fn_t)ndr_pull_auth_session_info);
1190 TALLOC_FREE(blob.data);
1191
1192 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1193 DEBUG(0, ("copy_session_info(): ndr_pull_auth_session_info failed: "
1194 "%s\n", ndr_errstr(ndr_err)));
1195 TALLOC_FREE(dst);
1196 return NULL;
1197 }
1198
1199 return dst;
1200 }
1201
1202 /*
1203 * Set a new session key. Used in the rpc server where we have to override the
1204 * SMB level session key with SystemLibraryDTC
1205 */
1206
1207 bool session_info_set_session_key(struct auth_session_info *info,
1208 DATA_BLOB session_key)
1209 {
1210 TALLOC_FREE(info->session_key.data);
1211
1212 info->session_key = data_blob_talloc(
1213 info, session_key.data, session_key.length);
1214
1215 return (info->session_key.data != NULL);
1216 }
1217
1218 static struct auth_session_info *guest_info = NULL;
1219
1220 static struct auth_serversupplied_info *guest_server_info = NULL;
1221
1222 bool init_guest_info(void)
1223 {
1224 if (guest_info != NULL)
1225 return true;
1226
1227 return NT_STATUS_IS_OK(make_new_session_info_guest(&guest_info, &guest_server_info));
1228 }
1229
1230 NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx,
1231 struct auth_serversupplied_info **server_info)
1232 {
1233 /* This is trickier than it would appear to need to be because
1234 * we are trying to avoid certain costly operations when the
1235 * structure is converted to a 'auth_session_info' again in
1236 * create_local_token() */
1237 *server_info = copy_session_info_serverinfo_guest(mem_ctx, guest_info, guest_server_info);
1238 return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1239 }
1240
1241 NTSTATUS make_session_info_guest(TALLOC_CTX *mem_ctx,
1242 struct auth_session_info **session_info)
1243 {
1244 *session_info = copy_session_info(mem_ctx, guest_info);
1245 return (*session_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1246 }
1247
1248 static struct auth_session_info *system_info = NULL;
1249
1250 NTSTATUS init_system_session_info(void)
1251 {
1252 if (system_info != NULL)
1253 return NT_STATUS_OK;
1254
1255 return make_new_session_info_system(NULL, &system_info);
1256 }
1257
1258 NTSTATUS make_session_info_system(TALLOC_CTX *mem_ctx,
1259 struct auth_session_info **session_info)
1260 {
1261 if (system_info == NULL) return NT_STATUS_UNSUCCESSFUL;
1262 *session_info = copy_session_info(mem_ctx, system_info);
1263 return (*session_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1264 }
1265
1266 const struct auth_session_info *get_session_info_system(void)
1267 {
1268 return system_info;
1269 }
1270
1271 /***************************************************************************
1272 Purely internal function for make_server_info_info3
1273 ***************************************************************************/
1274
1275 static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
1276 const char *username, char **found_username,
1277 struct passwd **pwd,
1278 bool *username_was_mapped)
1279 {
1280 char *orig_dom_user = NULL;
1281 char *dom_user = NULL;
1282 char *lower_username = NULL;
1283 char *real_username = NULL;
1284 struct passwd *passwd;
1285
1286 lower_username = talloc_strdup(mem_ctx, username);
1287 if (!lower_username) {
1288 return NT_STATUS_NO_MEMORY;
1289 }
1290 strlower_m( lower_username );
1291
1292 orig_dom_user = talloc_asprintf(mem_ctx,
1293 "%s%c%s",
1294 domain,
1295 *lp_winbind_separator(),
1296 lower_username);
1297 if (!orig_dom_user) {
1298 return NT_STATUS_NO_MEMORY;
1299 }
1300
1301 /* Get the passwd struct. Try to create the account if necessary. */
1302
1303 *username_was_mapped = map_username(mem_ctx, orig_dom_user, &dom_user);
1304 if (!dom_user) {
1305 return NT_STATUS_NO_MEMORY;
1306 }
1307
1308 passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, true );
1309 if (!passwd) {
1310 DEBUG(3, ("Failed to find authenticated user %s via "
1311 "getpwnam(), denying access.\n", dom_user));
1312 return NT_STATUS_NO_SUCH_USER;
1313 }
1314
1315 if (!real_username) {
1316 return NT_STATUS_NO_MEMORY;
1317 }
1318
1319 *pwd = passwd;
1320
1321 /* This is pointless -- there is no support for differing
1322 unix and windows names. Make sure to always store the
1323 one we actually looked up and succeeded. Have I mentioned
1324 why I hate the 'winbind use default domain' parameter?
1325 --jerry */
1326
1327 *found_username = talloc_strdup( mem_ctx, real_username );
1328
1329 return NT_STATUS_OK;
1330 }
1331
1332 /****************************************************************************
1333 Wrapper to allow the getpwnam() call to strip the domain name and
1334 try again in case a local UNIX user is already there. Also run through
1335 the username if we fallback to the username only.
1336 ****************************************************************************/
1337
1338 struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser,
1339 char **p_save_username, bool create )
1340 {
1341 struct passwd *pw = NULL;
1342 char *p = NULL;
1343 char *username = NULL;
1344
1345 /* we only save a copy of the username it has been mangled
1346 by winbindd use default domain */
1347 *p_save_username = NULL;
1348
1349 /* don't call map_username() here since it has to be done higher
1350 up the stack so we don't call it multiple times */
1351
1352 username = talloc_strdup(mem_ctx, domuser);
1353 if (!username) {
1354 return NULL;
1355 }
1356
1357 p = strchr_m( username, *lp_winbind_separator() );
1358
1359 /* code for a DOMAIN\user string */
1360
1361 if ( p ) {
1362 pw = Get_Pwnam_alloc( mem_ctx, domuser );
1363 if ( pw ) {
1364 /* make sure we get the case of the username correct */
1365 /* work around 'winbind use default domain = yes' */
1366
1367 if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
1368 char *domain;
1369
1370 /* split the domain and username into 2 strings */
1371 *p = '\0';
1372 domain = username;
1373
1374 *p_save_username = talloc_asprintf(mem_ctx,
1375 "%s%c%s",
1376 domain,
1377 *lp_winbind_separator(),
1378 pw->pw_name);
1379 if (!*p_save_username) {
1380 TALLOC_FREE(pw);
1381 return NULL;
1382 }
1383 } else {
1384 *p_save_username = talloc_strdup(mem_ctx, pw->pw_name);
1385 }
1386
1387 /* whew -- done! */
1388 return pw;
1389 }
1390
1391 /* setup for lookup of just the username */
1392 /* remember that p and username are overlapping memory */
1393
1394 p++;
1395 username = talloc_strdup(mem_ctx, p);
1396 if (!username) {
1397 return NULL;
1398 }
1399 }
1400
1401 /* just lookup a plain username */
1402
1403 pw = Get_Pwnam_alloc(mem_ctx, username);
1404
1405 /* Create local user if requested but only if winbindd
1406 is not running. We need to protect against cases
1407 where winbindd is failing and then prematurely
1408 creating users in /etc/passwd */
1409
1410 if ( !pw && create && !winbind_ping() ) {
1411 /* Don't add a machine account. */
1412 if (username[strlen(username)-1] == '$')
1413 return NULL;
1414
1415 _smb_create_user(NULL, username, NULL);
1416 pw = Get_Pwnam_alloc(mem_ctx, username);
1417 }
1418
1419 /* one last check for a valid passwd struct */
1420
1421 if (pw) {
1422 *p_save_username = talloc_strdup(mem_ctx, pw->pw_name);
1423 }
1424 return pw;
1425 }
1426
1427 /***************************************************************************
1428 Make a server_info struct from the info3 returned by a domain logon
1429 ***************************************************************************/
1430
1431 NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
1432 const char *sent_nt_username,
1433 const char *domain,
1434 struct auth_serversupplied_info **server_info,
1435 struct netr_SamInfo3 *info3)
1436 {
1437 static const char zeros[16] = {0, };
1438
1439 NTSTATUS nt_status = NT_STATUS_OK;
1440 char *found_username = NULL;
1441 const char *nt_domain;
1442 const char *nt_username;
1443 bool username_was_mapped;
1444 struct passwd *pwd;
1445 struct auth_serversupplied_info *result;
1446 struct dom_sid *group_sid;
1447 struct netr_SamInfo3 *i3;
1448
1449 /*
1450 Here is where we should check the list of
1451 trusted domains, and verify that the SID
1452 matches.
1453 */
1454
1455 nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
1456 if (!nt_username) {
1457 /* If the server didn't give us one, just use the one we sent
1458 * them */
1459 nt_username = sent_nt_username;
1460 }
1461
1462 nt_domain = talloc_strdup(mem_ctx, info3->base.logon_domain.string);
1463 if (!nt_domain) {
1464 /* If the server didn't give us one, just use the one we sent
1465 * them */
1466 nt_domain = domain;
1467 }
1468
1469 /* If getpwnam() fails try the add user script (2.2.x behavior).
1470
1471 We use the _unmapped_ username here in an attempt to provide
1472 consistent username mapping behavior between kerberos and NTLM[SSP]
1473 authentication in domain mode security. I.E. Username mapping
1474 should be applied to the fully qualified username
1475 (e.g. DOMAIN\user) and not just the login name. Yes this means we
1476 called map_username() unnecessarily in make_user_info_map() but
1477 that is how the current code is designed. Making the change here
1478 is the least disruptive place. -- jerry */
1479
1480 /* this call will try to create the user if necessary */
1481
1482 nt_status = check_account(mem_ctx, nt_domain, sent_nt_username,
1483 &found_username, &pwd,
1484 &username_was_mapped);
1485
1486 if (!NT_STATUS_IS_OK(nt_status)) {
1487 return nt_status;
1488 }
1489
1490 result = make_server_info(NULL);
1491 if (result == NULL) {
1492 DEBUG(4, ("make_server_info failed!\n"));
1493 return NT_STATUS_NO_MEMORY;
1494 }
1495
1496 result->unix_name = talloc_strdup(result, found_username);
1497
1498 /* copy in the info3 */
1499 result->info3 = i3 = copy_netr_SamInfo3(result, info3);
1500 if (result->info3 == NULL) {
1501 TALLOC_FREE(result);
1502 return NT_STATUS_NO_MEMORY;
1503 }
1504
1505 /* Fill in the unix info we found on the way */
1506 result->utok.uid = pwd->pw_uid;
1507 result->utok.gid = pwd->pw_gid;
1508
1509 /* We can't just trust that the primary group sid sent us is something
1510 * we can really use. Obtain the usable sid, and store the original
1511 * one as an additional group if it had to be replaced */
1512 nt_status = get_primary_group_sid(mem_ctx, found_username,
1513 &pwd, &group_sid);
1514 if (!NT_STATUS_IS_OK(nt_status)) {
1515 TALLOC_FREE(result);
1516 return nt_status;
1517 }
1518
1519 /* store and check if it is the same we got originally */
1520 sid_peek_rid(group_sid, &i3->base.primary_gid);
1521 if (i3->base.primary_gid != info3->base.primary_gid) {
1522 uint32_t n = i3->base.groups.count;
1523 /* not the same, store the original as an additional group */
1524 i3->base.groups.rids =
1525 talloc_realloc(i3, i3->base.groups.rids,
1526 struct samr_RidWithAttribute, n + 1);
1527 if (i3->base.groups.rids == NULL) {
1528 TALLOC_FREE(result);
1529 return NT_STATUS_NO_MEMORY;
1530 }
1531 i3->base.groups.rids[n].rid = info3->base.primary_gid;
1532 i3->base.groups.rids[n].attributes = SE_GROUP_ENABLED;
1533 i3->base.groups.count = n + 1;
1534 }
1535
1536 /* ensure we are never given NULL session keys */
1537
1538 if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) {
1539 result->session_key = data_blob_null;
1540 } else {
1541 result->session_key = data_blob_talloc(
1542 result, info3->base.key.key,
1543 sizeof(info3->base.key.key));
1544 }
1545
1546 if (memcmp(info3->base.LMSessKey.key, zeros, 8) == 0) {
1547 result->lm_session_key = data_blob_null;
1548 } else {
1549 result->lm_session_key = data_blob_talloc(
1550 result, info3->base.LMSessKey.key,
1551 sizeof(info3->base.LMSessKey.key));
1552 }
1553
1554 result->nss_token |= username_was_mapped;
1555
1556 result->guest = (info3->base.user_flags & NETLOGON_GUEST);
1557
1558 *server_info = result;
1559
1560 return NT_STATUS_OK;
1561 }
1562
1563 /*****************************************************************************
1564 Make a server_info struct from the wbcAuthUserInfo returned by a domain logon
1565 ******************************************************************************/
1566
1567 NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
1568 const char *sent_nt_username,
1569 const char *domain,
1570 const struct wbcAuthUserInfo *info,
1571 struct auth_serversupplied_info **server_info)
1572 {
1573 struct netr_SamInfo3 *info3;
1574
1575 info3 = wbcAuthUserInfo_to_netr_SamInfo3(mem_ctx, info);
1576 if (!info3) {
1577 return NT_STATUS_NO_MEMORY;
1578 }
1579
1580 return make_server_info_info3(mem_ctx,
1581 sent_nt_username, domain,
1582 server_info, info3);
1583 }
1584
1585 /**
1586 * Verify whether or not given domain is trusted.
1587 *
1588 * @param domain_name name of the domain to be verified
1589 * @return true if domain is one of the trusted ones or
1590 * false if otherwise
1591 **/
1592
1593 bool is_trusted_domain(const char* dom_name)
1594 {
1595 struct dom_sid trustdom_sid;
1596 bool ret;
1597
1598 /* no trusted domains for a standalone server */
1599
1600 if ( lp_server_role() == ROLE_STANDALONE )
1601 return false;
1602
1603 if (dom_name == NULL || dom_name[0] == '\0') {
1604 return false;
1605 }
1606
1607 if (strequal(dom_name, get_global_sam_name())) {
1608 return false;
1609 }
1610
1611 /* if we are a DC, then check for a direct trust relationships */
1612
1613 if ( IS_DC ) {
1614 become_root();
1615 DEBUG (5,("is_trusted_domain: Checking for domain trust with "
1616 "[%s]\n", dom_name ));
1617 ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
1618 unbecome_root();
1619 if (ret)
1620 return true;
1621 }
1622 else {
1623 wbcErr result;
1624
1625 /* If winbind is around, ask it */
1626
1627 result = wb_is_trusted_domain(dom_name);
1628
1629 if (result == WBC_ERR_SUCCESS) {
1630 return true;
1631 }
1632
1633 if (result == WBC_ERR_DOMAIN_NOT_FOUND) {
1634 /* winbind could not find the domain */
1635 return false;
1636 }
1637
1638 /* The only other possible result is that winbind is not up
1639 and running. We need to update the trustdom_cache
1640 ourselves */
1641
1642 update_trustdom_cache();
1643 }
1644
1645 /* now the trustdom cache should be available a DC could still
1646 * have a transitive trust so fall back to the cache of trusted
1647 * domains (like a domain member would use */
1648
1649 if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) {
1650 return true;
1651 }
1652
1653 return false;
1654 }
1655
1656
1657
1658 /*
1659 on a logon error possibly map the error to success if "map to guest"
1660 is set approriately
1661 */
1662 NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
1663 struct auth_serversupplied_info **server_info,
1664 const char *user, const char *domain)
1665 {
1666 user = user ? user : "";
1667 domain = domain ? domain : "";
1668
1669 if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
1670 if ((lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) ||
1671 (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) {
1672 DEBUG(3,("No such user %s [%s] - using guest account\n",
1673 user, domain));
1674 return make_server_info_guest(NULL, server_info);
1675 }
1676 } else if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
1677 if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) {
1678 DEBUG(3,("Registered username %s for guest access\n",
1679 user));
1680 return make_server_info_guest(NULL, server_info);
1681 }
1682 }
1683
1684 return status;
1685 }
1686
1687 /*
1688 Extract session key from a session info and return it in a blob
1689 if intent is KEY_USE_16BYTES, truncate it to 16 bytes
1690
1691 See sections 3.2.4.15 and 3.3.4.2 of MS-SMB
1692 Also see https://lists.samba.org/archive/cifs-protocol/2012-January/002265.html for details
1693
1694 Note that returned session_key is referencing the original key, it is supposed to be
1695 short-lived. If original session_info->session_key is gone, the reference will be broken.
1696 */
1697 NTSTATUS session_extract_session_key(const struct auth_session_info *session_info, DATA_BLOB *session_key, enum session_key_use_intent intent)
1698 {
1699
1700 if (session_key == NULL || session_info == NULL) {
1701 return NT_STATUS_INVALID_PARAMETER;
1702 }
1703
1704 if (session_info->session_key.length == 0) {
1705 return NT_STATUS_NO_USER_SESSION_KEY;
1706 }
1707
1708 *session_key = session_info->session_key;
1709 if (intent == KEY_USE_16BYTES) {
1710 session_key->length = MIN(session_info->session_key.length, 16);
1711 }
1712 return NT_STATUS_OK;
1713 }
reg import