2 Unix SMB/CIFS implementation.
6 Copyright (C) Gerald (Jerry) Carter 2007
7 Copyright (C) Guenther Deschner 2008
8 Copyright (C) Volker Lendecke 2009
10 This library is free software; you can redistribute it and/or
11 modify it under the terms of the GNU Lesser General Public
12 License as published by the Free Software Foundation; either
13 version 3 of the License, or (at your option) any later version.
15 This library is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 Library General Public License for more details.
20 You should have received a copy of the GNU Lesser General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 /* Required Headers */
26 #define UID_WRAPPER_NOT_REPLACE
28 #include "libwbclient.h"
29 #include "../winbind_client.h"
31 /* Authenticate a username/password pair */
32 wbcErr
wbcAuthenticateUser(const char *username
,
35 wbcErr wbc_status
= WBC_ERR_SUCCESS
;
36 struct wbcAuthUserParams params
;
40 params
.account_name
= username
;
41 params
.level
= WBC_AUTH_USER_LEVEL_PLAIN
;
42 params
.password
.plaintext
= password
;
44 wbc_status
= wbcAuthenticateUserEx(¶ms
, NULL
, NULL
);
45 BAIL_ON_WBC_ERROR(wbc_status
);
51 static bool sid_attr_compose(struct wbcSidWithAttr
*s
,
52 const struct wbcDomainSid
*d
,
53 uint32_t rid
, uint32_t attr
)
55 if (d
->num_auths
>= WBC_MAXSUBAUTHS
) {
59 s
->sid
.sub_auths
[s
->sid
.num_auths
++] = rid
;
64 static void wbcAuthUserInfoDestructor(void *ptr
)
66 struct wbcAuthUserInfo
*i
= (struct wbcAuthUserInfo
*)ptr
;
67 free(i
->account_name
);
68 free(i
->user_principal
);
71 free(i
->dns_domain_name
);
72 free(i
->logon_server
);
73 free(i
->logon_script
);
74 free(i
->profile_path
);
75 free(i
->home_directory
);
80 static wbcErr
wbc_create_auth_info(const struct winbindd_response
*resp
,
81 struct wbcAuthUserInfo
**_i
)
83 wbcErr wbc_status
= WBC_ERR_SUCCESS
;
84 struct wbcAuthUserInfo
*i
;
85 struct wbcDomainSid domain_sid
;
90 i
= (struct wbcAuthUserInfo
*)wbcAllocateMemory(
91 1, sizeof(struct wbcAuthUserInfo
),
92 wbcAuthUserInfoDestructor
);
93 BAIL_ON_PTR_ERROR(i
, wbc_status
);
95 i
->user_flags
= resp
->data
.auth
.info3
.user_flgs
;
97 i
->account_name
= strdup(resp
->data
.auth
.info3
.user_name
);
98 BAIL_ON_PTR_ERROR(i
->account_name
, wbc_status
);
99 i
->user_principal
= NULL
;
100 i
->full_name
= strdup(resp
->data
.auth
.info3
.full_name
);
101 BAIL_ON_PTR_ERROR(i
->full_name
, wbc_status
);
102 i
->domain_name
= strdup(resp
->data
.auth
.info3
.logon_dom
);
103 BAIL_ON_PTR_ERROR(i
->domain_name
, wbc_status
);
104 i
->dns_domain_name
= NULL
;
106 i
->acct_flags
= resp
->data
.auth
.info3
.acct_flags
;
107 memcpy(i
->user_session_key
,
108 resp
->data
.auth
.user_session_key
,
109 sizeof(i
->user_session_key
));
110 memcpy(i
->lm_session_key
,
111 resp
->data
.auth
.first_8_lm_hash
,
112 sizeof(i
->lm_session_key
));
114 i
->logon_count
= resp
->data
.auth
.info3
.logon_count
;
115 i
->bad_password_count
= resp
->data
.auth
.info3
.bad_pw_count
;
117 i
->logon_time
= resp
->data
.auth
.info3
.logon_time
;
118 i
->logoff_time
= resp
->data
.auth
.info3
.logoff_time
;
119 i
->kickoff_time
= resp
->data
.auth
.info3
.kickoff_time
;
120 i
->pass_last_set_time
= resp
->data
.auth
.info3
.pass_last_set_time
;
121 i
->pass_can_change_time
= resp
->data
.auth
.info3
.pass_can_change_time
;
122 i
->pass_must_change_time
= resp
->data
.auth
.info3
.pass_must_change_time
;
124 i
->logon_server
= strdup(resp
->data
.auth
.info3
.logon_srv
);
125 BAIL_ON_PTR_ERROR(i
->logon_server
, wbc_status
);
126 i
->logon_script
= strdup(resp
->data
.auth
.info3
.logon_script
);
127 BAIL_ON_PTR_ERROR(i
->logon_script
, wbc_status
);
128 i
->profile_path
= strdup(resp
->data
.auth
.info3
.profile_path
);
129 BAIL_ON_PTR_ERROR(i
->profile_path
, wbc_status
);
130 i
->home_directory
= strdup(resp
->data
.auth
.info3
.home_dir
);
131 BAIL_ON_PTR_ERROR(i
->home_directory
, wbc_status
);
132 i
->home_drive
= strdup(resp
->data
.auth
.info3
.dir_drive
);
133 BAIL_ON_PTR_ERROR(i
->home_drive
, wbc_status
);
136 i
->num_sids
+= resp
->data
.auth
.info3
.num_groups
;
137 i
->num_sids
+= resp
->data
.auth
.info3
.num_other_sids
;
139 i
->sids
= (struct wbcSidWithAttr
*)calloc(
140 sizeof(struct wbcSidWithAttr
), i
->num_sids
);
141 BAIL_ON_PTR_ERROR(i
->sids
, wbc_status
);
143 wbc_status
= wbcStringToSid(resp
->data
.auth
.info3
.dom_sid
,
145 BAIL_ON_WBC_ERROR(wbc_status
);
148 if (!sid_attr_compose(&i
->sids
[sn
], &domain_sid
,
149 resp
->data
.auth
.info3
.user_rid
, 0)) {
150 wbc_status
= WBC_ERR_INVALID_SID
;
154 if (!sid_attr_compose(&i
->sids
[sn
], &domain_sid
,
155 resp
->data
.auth
.info3
.group_rid
, 0)) {
156 wbc_status
= WBC_ERR_INVALID_SID
;
161 p
= (char *)resp
->extra_data
.data
;
163 wbc_status
= WBC_ERR_INVALID_RESPONSE
;
164 BAIL_ON_WBC_ERROR(wbc_status
);
167 for (j
=0; j
< resp
->data
.auth
.info3
.num_groups
; j
++) {
172 char *e
= strchr(p
, '\n');
174 wbc_status
= WBC_ERR_INVALID_RESPONSE
;
175 BAIL_ON_WBC_ERROR(wbc_status
);
180 ret
= sscanf(s
, "0x%08X:0x%08X", &rid
, &attrs
);
182 wbc_status
= WBC_ERR_INVALID_RESPONSE
;
183 BAIL_ON_WBC_ERROR(wbc_status
);
186 if (!sid_attr_compose(&i
->sids
[sn
], &domain_sid
,
188 wbc_status
= WBC_ERR_INVALID_SID
;
194 for (j
=0; j
< resp
->data
.auth
.info3
.num_other_sids
; j
++) {
199 char *e
= strchr(p
, '\n');
201 wbc_status
= WBC_ERR_INVALID_RESPONSE
;
202 BAIL_ON_WBC_ERROR(wbc_status
);
209 wbc_status
= WBC_ERR_INVALID_RESPONSE
;
210 BAIL_ON_WBC_ERROR(wbc_status
);
215 ret
= sscanf(a
, "0x%08X",
218 wbc_status
= WBC_ERR_INVALID_RESPONSE
;
219 BAIL_ON_WBC_ERROR(wbc_status
);
222 wbc_status
= wbcStringToSid(s
, &i
->sids
[sn
].sid
);
223 BAIL_ON_WBC_ERROR(wbc_status
);
225 i
->sids
[sn
].attributes
= attrs
;
238 static void wbcAuthErrorInfoDestructor(void *ptr
)
240 struct wbcAuthErrorInfo
*e
= (struct wbcAuthErrorInfo
*)ptr
;
242 free(e
->display_string
);
245 static wbcErr
wbc_create_error_info(const struct winbindd_response
*resp
,
246 struct wbcAuthErrorInfo
**_e
)
248 wbcErr wbc_status
= WBC_ERR_SUCCESS
;
249 struct wbcAuthErrorInfo
*e
;
251 e
= (struct wbcAuthErrorInfo
*)wbcAllocateMemory(
252 1, sizeof(struct wbcAuthErrorInfo
),
253 wbcAuthErrorInfoDestructor
);
254 BAIL_ON_PTR_ERROR(e
, wbc_status
);
256 e
->nt_status
= resp
->data
.auth
.nt_status
;
257 e
->pam_error
= resp
->data
.auth
.pam_error
;
258 e
->nt_string
= strdup(resp
->data
.auth
.nt_status_string
);
259 BAIL_ON_PTR_ERROR(e
->nt_string
, wbc_status
);
261 e
->display_string
= strdup(resp
->data
.auth
.error_string
);
262 BAIL_ON_PTR_ERROR(e
->display_string
, wbc_status
);
272 static wbcErr
wbc_create_password_policy_info(const struct winbindd_response
*resp
,
273 struct wbcUserPasswordPolicyInfo
**_i
)
275 wbcErr wbc_status
= WBC_ERR_SUCCESS
;
276 struct wbcUserPasswordPolicyInfo
*i
;
278 i
= (struct wbcUserPasswordPolicyInfo
*)wbcAllocateMemory(
279 1, sizeof(struct wbcUserPasswordPolicyInfo
), NULL
);
280 BAIL_ON_PTR_ERROR(i
, wbc_status
);
282 i
->min_passwordage
= resp
->data
.auth
.policy
.min_passwordage
;
283 i
->min_length_password
= resp
->data
.auth
.policy
.min_length_password
;
284 i
->password_history
= resp
->data
.auth
.policy
.password_history
;
285 i
->password_properties
= resp
->data
.auth
.policy
.password_properties
;
286 i
->expire
= resp
->data
.auth
.policy
.expire
;
296 static void wbcLogonUserInfoDestructor(void *ptr
)
298 struct wbcLogonUserInfo
*i
= (struct wbcLogonUserInfo
*)ptr
;
299 wbcFreeMemory(i
->info
);
300 wbcFreeMemory(i
->blobs
);
303 static wbcErr
wbc_create_logon_info(struct winbindd_response
*resp
,
304 struct wbcLogonUserInfo
**_i
)
306 wbcErr wbc_status
= WBC_ERR_SUCCESS
;
307 struct wbcLogonUserInfo
*i
;
309 i
= (struct wbcLogonUserInfo
*)wbcAllocateMemory(
310 1, sizeof(struct wbcLogonUserInfo
),
311 wbcLogonUserInfoDestructor
);
312 BAIL_ON_PTR_ERROR(i
, wbc_status
);
314 wbc_status
= wbc_create_auth_info(resp
, &i
->info
);
315 BAIL_ON_WBC_ERROR(wbc_status
);
317 if (resp
->data
.auth
.krb5ccname
[0] != '\0') {
318 wbc_status
= wbcAddNamedBlob(&i
->num_blobs
,
322 (uint8_t *)resp
->data
.auth
.krb5ccname
,
323 strlen(resp
->data
.auth
.krb5ccname
)+1);
324 BAIL_ON_WBC_ERROR(wbc_status
);
327 if (resp
->data
.auth
.unix_username
[0] != '\0') {
328 wbc_status
= wbcAddNamedBlob(&i
->num_blobs
,
332 (uint8_t *)resp
->data
.auth
.unix_username
,
333 strlen(resp
->data
.auth
.unix_username
)+1);
334 BAIL_ON_WBC_ERROR(wbc_status
);
345 /* Authenticate with more detailed information */
346 wbcErr
wbcAuthenticateUserEx(const struct wbcAuthUserParams
*params
,
347 struct wbcAuthUserInfo
**info
,
348 struct wbcAuthErrorInfo
**error
)
350 wbcErr wbc_status
= WBC_ERR_UNKNOWN_FAILURE
;
352 struct winbindd_request request
;
353 struct winbindd_response response
;
355 ZERO_STRUCT(request
);
356 ZERO_STRUCT(response
);
363 wbc_status
= WBC_ERR_INVALID_PARAM
;
364 BAIL_ON_WBC_ERROR(wbc_status
);
367 if (!params
->account_name
) {
368 wbc_status
= WBC_ERR_INVALID_PARAM
;
369 BAIL_ON_WBC_ERROR(wbc_status
);
372 /* Initialize request */
374 switch (params
->level
) {
375 case WBC_AUTH_USER_LEVEL_PLAIN
:
376 cmd
= WINBINDD_PAM_AUTH
;
377 request
.flags
= WBFLAG_PAM_INFO3_TEXT
|
378 WBFLAG_PAM_USER_SESSION_KEY
|
381 if (!params
->password
.plaintext
) {
382 wbc_status
= WBC_ERR_INVALID_PARAM
;
383 BAIL_ON_WBC_ERROR(wbc_status
);
386 if (params
->domain_name
&& params
->domain_name
[0]) {
387 /* We need to get the winbind separator :-( */
388 struct winbindd_response sep_response
;
390 ZERO_STRUCT(sep_response
);
392 wbc_status
= wbcRequestResponse(WINBINDD_INFO
,
393 NULL
, &sep_response
);
394 BAIL_ON_WBC_ERROR(wbc_status
);
396 snprintf(request
.data
.auth
.user
,
397 sizeof(request
.data
.auth
.user
)-1,
400 sep_response
.data
.info
.winbind_separator
,
401 params
->account_name
);
403 strncpy(request
.data
.auth
.user
,
404 params
->account_name
,
405 sizeof(request
.data
.auth
.user
)-1);
408 strncpy(request
.data
.auth
.pass
,
409 params
->password
.plaintext
,
410 sizeof(request
.data
.auth
.pass
)-1);
413 case WBC_AUTH_USER_LEVEL_HASH
:
414 wbc_status
= WBC_ERR_NOT_IMPLEMENTED
;
415 BAIL_ON_WBC_ERROR(wbc_status
);
418 case WBC_AUTH_USER_LEVEL_RESPONSE
:
419 cmd
= WINBINDD_PAM_AUTH_CRAP
;
420 request
.flags
= WBFLAG_PAM_INFO3_TEXT
|
421 WBFLAG_PAM_USER_SESSION_KEY
|
424 if (params
->password
.response
.lm_length
&&
425 !params
->password
.response
.lm_data
) {
426 wbc_status
= WBC_ERR_INVALID_PARAM
;
427 BAIL_ON_WBC_ERROR(wbc_status
);
429 if (params
->password
.response
.lm_length
== 0 &&
430 params
->password
.response
.lm_data
) {
431 wbc_status
= WBC_ERR_INVALID_PARAM
;
432 BAIL_ON_WBC_ERROR(wbc_status
);
435 if (params
->password
.response
.nt_length
&&
436 !params
->password
.response
.nt_data
) {
437 wbc_status
= WBC_ERR_INVALID_PARAM
;
438 BAIL_ON_WBC_ERROR(wbc_status
);
440 if (params
->password
.response
.nt_length
== 0&&
441 params
->password
.response
.nt_data
) {
442 wbc_status
= WBC_ERR_INVALID_PARAM
;
443 BAIL_ON_WBC_ERROR(wbc_status
);
446 strncpy(request
.data
.auth_crap
.user
,
447 params
->account_name
,
448 sizeof(request
.data
.auth_crap
.user
)-1);
449 if (params
->domain_name
) {
450 strncpy(request
.data
.auth_crap
.domain
,
452 sizeof(request
.data
.auth_crap
.domain
)-1);
454 if (params
->workstation_name
) {
455 strncpy(request
.data
.auth_crap
.workstation
,
456 params
->workstation_name
,
457 sizeof(request
.data
.auth_crap
.workstation
)-1);
460 request
.data
.auth_crap
.logon_parameters
=
461 params
->parameter_control
;
463 memcpy(request
.data
.auth_crap
.chal
,
464 params
->password
.response
.challenge
,
465 sizeof(request
.data
.auth_crap
.chal
));
467 request
.data
.auth_crap
.lm_resp_len
=
468 MIN(params
->password
.response
.lm_length
,
469 sizeof(request
.data
.auth_crap
.lm_resp
));
470 if (params
->password
.response
.lm_data
) {
471 memcpy(request
.data
.auth_crap
.lm_resp
,
472 params
->password
.response
.lm_data
,
473 request
.data
.auth_crap
.lm_resp_len
);
475 request
.data
.auth_crap
.nt_resp_len
= params
->password
.response
.nt_length
;
476 if (params
->password
.response
.nt_length
> sizeof(request
.data
.auth_crap
.nt_resp
)) {
477 request
.flags
|= WBFLAG_BIG_NTLMV2_BLOB
;
478 request
.extra_len
= params
->password
.response
.nt_length
;
479 request
.extra_data
.data
= (char *)malloc(
481 if (request
.extra_data
.data
== NULL
) {
482 wbc_status
= WBC_ERR_NO_MEMORY
;
483 BAIL_ON_WBC_ERROR(wbc_status
);
485 memcpy(request
.extra_data
.data
,
486 params
->password
.response
.nt_data
,
487 request
.data
.auth_crap
.nt_resp_len
);
488 } else if (params
->password
.response
.nt_data
) {
489 memcpy(request
.data
.auth_crap
.nt_resp
,
490 params
->password
.response
.nt_data
,
491 request
.data
.auth_crap
.nt_resp_len
);
499 wbc_status
= WBC_ERR_INVALID_PARAM
;
500 BAIL_ON_WBC_ERROR(wbc_status
);
504 request
.flags
|= params
->flags
;
507 if (cmd
== WINBINDD_PAM_AUTH_CRAP
) {
508 wbc_status
= wbcRequestResponsePriv(cmd
, &request
, &response
);
510 wbc_status
= wbcRequestResponse(cmd
, &request
, &response
);
512 if (response
.data
.auth
.nt_status
!= 0) {
514 wbc_status
= wbc_create_error_info(&response
,
516 BAIL_ON_WBC_ERROR(wbc_status
);
519 wbc_status
= WBC_ERR_AUTH_ERROR
;
520 BAIL_ON_WBC_ERROR(wbc_status
);
522 BAIL_ON_WBC_ERROR(wbc_status
);
525 wbc_status
= wbc_create_auth_info(&response
, info
);
526 BAIL_ON_WBC_ERROR(wbc_status
);
530 winbindd_free_response(&response
);
532 free(request
.extra_data
.data
);
537 /* Trigger a verification of the trust credentials of a specific domain */
538 wbcErr
wbcCheckTrustCredentials(const char *domain
,
539 struct wbcAuthErrorInfo
**error
)
541 struct winbindd_request request
;
542 struct winbindd_response response
;
543 wbcErr wbc_status
= WBC_ERR_UNKNOWN_FAILURE
;
545 ZERO_STRUCT(request
);
546 ZERO_STRUCT(response
);
549 strncpy(request
.domain_name
, domain
,
550 sizeof(request
.domain_name
)-1);
555 wbc_status
= wbcRequestResponsePriv(WINBINDD_CHECK_MACHACC
,
556 &request
, &response
);
557 if (response
.data
.auth
.nt_status
!= 0) {
559 wbc_status
= wbc_create_error_info(&response
,
561 BAIL_ON_WBC_ERROR(wbc_status
);
564 wbc_status
= WBC_ERR_AUTH_ERROR
;
565 BAIL_ON_WBC_ERROR(wbc_status
);
567 BAIL_ON_WBC_ERROR(wbc_status
);
573 /* Trigger a change of the trust credentials for a specific domain */
574 wbcErr
wbcChangeTrustCredentials(const char *domain
,
575 struct wbcAuthErrorInfo
**error
)
577 struct winbindd_request request
;
578 struct winbindd_response response
;
579 wbcErr wbc_status
= WBC_ERR_UNKNOWN_FAILURE
;
581 ZERO_STRUCT(request
);
582 ZERO_STRUCT(response
);
585 strncpy(request
.domain_name
, domain
,
586 sizeof(request
.domain_name
)-1);
591 wbc_status
= wbcRequestResponsePriv(WINBINDD_CHANGE_MACHACC
,
592 &request
, &response
);
593 if (response
.data
.auth
.nt_status
!= 0) {
595 wbc_status
= wbc_create_error_info(&response
,
597 BAIL_ON_WBC_ERROR(wbc_status
);
600 wbc_status
= WBC_ERR_AUTH_ERROR
;
601 BAIL_ON_WBC_ERROR(wbc_status
);
603 BAIL_ON_WBC_ERROR(wbc_status
);
610 * Trigger a no-op NETLOGON call. Lightweight version of
611 * wbcCheckTrustCredentials
613 wbcErr
wbcPingDc(const char *domain
, struct wbcAuthErrorInfo
**error
)
615 return wbcPingDc2(domain
, error
, NULL
);
619 * Trigger a no-op NETLOGON call. Lightweight version of
620 * wbcCheckTrustCredentials, optionally return attempted DC
622 wbcErr
wbcPingDc2(const char *domain
, struct wbcAuthErrorInfo
**error
,
625 struct winbindd_request request
;
626 struct winbindd_response response
;
627 wbcErr wbc_status
= WBC_ERR_UNKNOWN_FAILURE
;
631 * the current protocol doesn't support
632 * specifying a domain
634 wbc_status
= WBC_ERR_NOT_IMPLEMENTED
;
635 BAIL_ON_WBC_ERROR(wbc_status
);
638 ZERO_STRUCT(request
);
639 ZERO_STRUCT(response
);
643 wbc_status
= wbcRequestResponse(WINBINDD_PING_DC
,
647 if (dcname
&& response
.extra_data
.data
) {
650 len
= response
.length
- sizeof(struct winbindd_response
);
651 *dcname
= wbcAllocateMemory(1, len
, NULL
);
652 BAIL_ON_PTR_ERROR(*dcname
, wbc_status
);
654 strlcpy(*dcname
, response
.extra_data
.data
, len
);
657 if (response
.data
.auth
.nt_status
!= 0) {
659 wbc_status
= wbc_create_error_info(&response
,
661 BAIL_ON_WBC_ERROR(wbc_status
);
664 wbc_status
= WBC_ERR_AUTH_ERROR
;
665 BAIL_ON_WBC_ERROR(wbc_status
);
667 BAIL_ON_WBC_ERROR(wbc_status
);
673 /* Trigger an extended logoff notification to Winbind for a specific user */
674 wbcErr
wbcLogoffUserEx(const struct wbcLogoffUserParams
*params
,
675 struct wbcAuthErrorInfo
**error
)
677 struct winbindd_request request
;
678 struct winbindd_response response
;
679 wbcErr wbc_status
= WBC_ERR_UNKNOWN_FAILURE
;
684 if (!params
|| !params
->username
) {
685 wbc_status
= WBC_ERR_INVALID_PARAM
;
686 BAIL_ON_WBC_ERROR(wbc_status
);
689 if ((params
->num_blobs
> 0) && (params
->blobs
== NULL
)) {
690 wbc_status
= WBC_ERR_INVALID_PARAM
;
691 BAIL_ON_WBC_ERROR(wbc_status
);
693 if ((params
->num_blobs
== 0) && (params
->blobs
!= NULL
)) {
694 wbc_status
= WBC_ERR_INVALID_PARAM
;
695 BAIL_ON_WBC_ERROR(wbc_status
);
698 ZERO_STRUCT(request
);
699 ZERO_STRUCT(response
);
701 strncpy(request
.data
.logoff
.user
, params
->username
,
702 sizeof(request
.data
.logoff
.user
)-1);
704 for (i
=0; i
<params
->num_blobs
; i
++) {
706 if (strcasecmp(params
->blobs
[i
].name
, "ccfilename") == 0) {
707 if (params
->blobs
[i
].blob
.data
) {
708 strncpy(request
.data
.logoff
.krb5ccname
,
709 (const char *)params
->blobs
[i
].blob
.data
,
710 sizeof(request
.data
.logoff
.krb5ccname
) - 1);
715 if (strcasecmp(params
->blobs
[i
].name
, "user_uid") == 0) {
716 if (params
->blobs
[i
].blob
.data
) {
717 memcpy(&request
.data
.logoff
.uid
,
718 params
->blobs
[i
].blob
.data
,
719 MIN(params
->blobs
[i
].blob
.length
,
720 sizeof(request
.data
.logoff
.uid
)));
725 if (strcasecmp(params
->blobs
[i
].name
, "flags") == 0) {
726 if (params
->blobs
[i
].blob
.data
) {
727 memcpy(&request
.flags
,
728 params
->blobs
[i
].blob
.data
,
729 MIN(params
->blobs
[i
].blob
.length
,
730 sizeof(request
.flags
)));
738 wbc_status
= wbcRequestResponse(WINBINDD_PAM_LOGOFF
,
742 /* Take the response above and return it to the caller */
743 if (response
.data
.auth
.nt_status
!= 0) {
745 wbc_status
= wbc_create_error_info(&response
,
747 BAIL_ON_WBC_ERROR(wbc_status
);
750 wbc_status
= WBC_ERR_AUTH_ERROR
;
751 BAIL_ON_WBC_ERROR(wbc_status
);
753 BAIL_ON_WBC_ERROR(wbc_status
);
759 /* Trigger a logoff notification to Winbind for a specific user */
760 wbcErr
wbcLogoffUser(const char *username
,
762 const char *ccfilename
)
764 struct winbindd_request request
;
765 struct winbindd_response response
;
766 wbcErr wbc_status
= WBC_ERR_UNKNOWN_FAILURE
;
771 wbc_status
= WBC_ERR_INVALID_PARAM
;
772 BAIL_ON_WBC_ERROR(wbc_status
);
775 ZERO_STRUCT(request
);
776 ZERO_STRUCT(response
);
778 strncpy(request
.data
.logoff
.user
, username
,
779 sizeof(request
.data
.logoff
.user
)-1);
780 request
.data
.logoff
.uid
= uid
;
783 strncpy(request
.data
.logoff
.krb5ccname
, ccfilename
,
784 sizeof(request
.data
.logoff
.krb5ccname
)-1);
789 wbc_status
= wbcRequestResponse(WINBINDD_PAM_LOGOFF
,
793 /* Take the response above and return it to the caller */
799 /* Change a password for a user with more detailed information upon failure */
800 wbcErr
wbcChangeUserPasswordEx(const struct wbcChangePasswordParams
*params
,
801 struct wbcAuthErrorInfo
**error
,
802 enum wbcPasswordChangeRejectReason
*reject_reason
,
803 struct wbcUserPasswordPolicyInfo
**policy
)
805 struct winbindd_request request
;
806 struct winbindd_response response
;
807 wbcErr wbc_status
= WBC_ERR_UNKNOWN_FAILURE
;
812 if (!params
->account_name
) {
813 wbc_status
= WBC_ERR_INVALID_PARAM
;
829 ZERO_STRUCT(request
);
830 ZERO_STRUCT(response
);
832 switch (params
->level
) {
833 case WBC_CHANGE_PASSWORD_LEVEL_PLAIN
:
834 cmd
= WINBINDD_PAM_CHAUTHTOK
;
836 if (!params
->account_name
) {
837 wbc_status
= WBC_ERR_INVALID_PARAM
;
841 strncpy(request
.data
.chauthtok
.user
, params
->account_name
,
842 sizeof(request
.data
.chauthtok
.user
) - 1);
844 if (params
->old_password
.plaintext
) {
845 strncpy(request
.data
.chauthtok
.oldpass
,
846 params
->old_password
.plaintext
,
847 sizeof(request
.data
.chauthtok
.oldpass
) - 1);
850 if (params
->new_password
.plaintext
) {
851 strncpy(request
.data
.chauthtok
.newpass
,
852 params
->new_password
.plaintext
,
853 sizeof(request
.data
.chauthtok
.newpass
) - 1);
857 case WBC_CHANGE_PASSWORD_LEVEL_RESPONSE
:
858 cmd
= WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP
;
860 if (!params
->account_name
|| !params
->domain_name
) {
861 wbc_status
= WBC_ERR_INVALID_PARAM
;
865 if (params
->old_password
.response
.old_lm_hash_enc_length
&&
866 !params
->old_password
.response
.old_lm_hash_enc_data
) {
867 wbc_status
= WBC_ERR_INVALID_PARAM
;
871 if (params
->old_password
.response
.old_lm_hash_enc_length
== 0 &&
872 params
->old_password
.response
.old_lm_hash_enc_data
) {
873 wbc_status
= WBC_ERR_INVALID_PARAM
;
877 if (params
->old_password
.response
.old_nt_hash_enc_length
&&
878 !params
->old_password
.response
.old_nt_hash_enc_data
) {
879 wbc_status
= WBC_ERR_INVALID_PARAM
;
883 if (params
->old_password
.response
.old_nt_hash_enc_length
== 0 &&
884 params
->old_password
.response
.old_nt_hash_enc_data
) {
885 wbc_status
= WBC_ERR_INVALID_PARAM
;
889 if (params
->new_password
.response
.lm_length
&&
890 !params
->new_password
.response
.lm_data
) {
891 wbc_status
= WBC_ERR_INVALID_PARAM
;
895 if (params
->new_password
.response
.lm_length
== 0 &&
896 params
->new_password
.response
.lm_data
) {
897 wbc_status
= WBC_ERR_INVALID_PARAM
;
901 if (params
->new_password
.response
.nt_length
&&
902 !params
->new_password
.response
.nt_data
) {
903 wbc_status
= WBC_ERR_INVALID_PARAM
;
907 if (params
->new_password
.response
.nt_length
== 0 &&
908 params
->new_password
.response
.nt_data
) {
909 wbc_status
= WBC_ERR_INVALID_PARAM
;
913 strncpy(request
.data
.chng_pswd_auth_crap
.user
,
914 params
->account_name
,
915 sizeof(request
.data
.chng_pswd_auth_crap
.user
) - 1);
917 strncpy(request
.data
.chng_pswd_auth_crap
.domain
,
919 sizeof(request
.data
.chng_pswd_auth_crap
.domain
) - 1);
921 if (params
->new_password
.response
.nt_data
) {
922 request
.data
.chng_pswd_auth_crap
.new_nt_pswd_len
=
923 params
->new_password
.response
.nt_length
;
924 memcpy(request
.data
.chng_pswd_auth_crap
.new_nt_pswd
,
925 params
->new_password
.response
.nt_data
,
926 request
.data
.chng_pswd_auth_crap
.new_nt_pswd_len
);
929 if (params
->new_password
.response
.lm_data
) {
930 request
.data
.chng_pswd_auth_crap
.new_lm_pswd_len
=
931 params
->new_password
.response
.lm_length
;
932 memcpy(request
.data
.chng_pswd_auth_crap
.new_lm_pswd
,
933 params
->new_password
.response
.lm_data
,
934 request
.data
.chng_pswd_auth_crap
.new_lm_pswd_len
);
937 if (params
->old_password
.response
.old_nt_hash_enc_data
) {
938 request
.data
.chng_pswd_auth_crap
.old_nt_hash_enc_len
=
939 params
->old_password
.response
.old_nt_hash_enc_length
;
940 memcpy(request
.data
.chng_pswd_auth_crap
.old_nt_hash_enc
,
941 params
->old_password
.response
.old_nt_hash_enc_data
,
942 request
.data
.chng_pswd_auth_crap
.old_nt_hash_enc_len
);
945 if (params
->old_password
.response
.old_lm_hash_enc_data
) {
946 request
.data
.chng_pswd_auth_crap
.old_lm_hash_enc_len
=
947 params
->old_password
.response
.old_lm_hash_enc_length
;
948 memcpy(request
.data
.chng_pswd_auth_crap
.old_lm_hash_enc
,
949 params
->old_password
.response
.old_lm_hash_enc_data
,
950 request
.data
.chng_pswd_auth_crap
.old_lm_hash_enc_len
);
955 wbc_status
= WBC_ERR_INVALID_PARAM
;
962 wbc_status
= wbcRequestResponse(cmd
,
965 if (WBC_ERROR_IS_OK(wbc_status
)) {
969 /* Take the response above and return it to the caller */
971 if (response
.data
.auth
.nt_status
!= 0) {
973 wbc_status
= wbc_create_error_info(&response
,
975 BAIL_ON_WBC_ERROR(wbc_status
);
981 wbc_status
= wbc_create_password_policy_info(&response
,
983 BAIL_ON_WBC_ERROR(wbc_status
);
987 *reject_reason
= response
.data
.auth
.reject_reason
;
990 wbc_status
= WBC_ERR_PWD_CHANGE_FAILED
;
991 BAIL_ON_WBC_ERROR(wbc_status
);
997 /* Change a password for a user */
998 wbcErr
wbcChangeUserPassword(const char *username
,
999 const char *old_password
,
1000 const char *new_password
)
1002 wbcErr wbc_status
= WBC_ERR_SUCCESS
;
1003 struct wbcChangePasswordParams params
;
1005 ZERO_STRUCT(params
);
1007 params
.account_name
= username
;
1008 params
.level
= WBC_CHANGE_PASSWORD_LEVEL_PLAIN
;
1009 params
.old_password
.plaintext
= old_password
;
1010 params
.new_password
.plaintext
= new_password
;
1012 wbc_status
= wbcChangeUserPasswordEx(¶ms
,
1016 BAIL_ON_WBC_ERROR(wbc_status
);
1023 wbcErr
wbcLogonUser(const struct wbcLogonUserParams
*params
,
1024 struct wbcLogonUserInfo
**info
,
1025 struct wbcAuthErrorInfo
**error
,
1026 struct wbcUserPasswordPolicyInfo
**policy
)
1028 wbcErr wbc_status
= WBC_ERR_UNKNOWN_FAILURE
;
1029 struct winbindd_request request
;
1030 struct winbindd_response response
;
1033 ZERO_STRUCT(request
);
1034 ZERO_STRUCT(response
);
1047 wbc_status
= WBC_ERR_INVALID_PARAM
;
1048 BAIL_ON_WBC_ERROR(wbc_status
);
1051 if (!params
->username
) {
1052 wbc_status
= WBC_ERR_INVALID_PARAM
;
1053 BAIL_ON_WBC_ERROR(wbc_status
);
1056 if ((params
->num_blobs
> 0) && (params
->blobs
== NULL
)) {
1057 wbc_status
= WBC_ERR_INVALID_PARAM
;
1058 BAIL_ON_WBC_ERROR(wbc_status
);
1060 if ((params
->num_blobs
== 0) && (params
->blobs
!= NULL
)) {
1061 wbc_status
= WBC_ERR_INVALID_PARAM
;
1062 BAIL_ON_WBC_ERROR(wbc_status
);
1065 /* Initialize request */
1067 request
.flags
= WBFLAG_PAM_INFO3_TEXT
|
1068 WBFLAG_PAM_USER_SESSION_KEY
|
1071 if (!params
->password
) {
1072 wbc_status
= WBC_ERR_INVALID_PARAM
;
1073 BAIL_ON_WBC_ERROR(wbc_status
);
1076 strncpy(request
.data
.auth
.user
,
1078 sizeof(request
.data
.auth
.user
)-1);
1080 strncpy(request
.data
.auth
.pass
,
1082 sizeof(request
.data
.auth
.pass
)-1);
1084 for (i
=0; i
<params
->num_blobs
; i
++) {
1086 if (strcasecmp(params
->blobs
[i
].name
, "krb5_cc_type") == 0) {
1087 if (params
->blobs
[i
].blob
.data
) {
1088 strncpy(request
.data
.auth
.krb5_cc_type
,
1089 (const char *)params
->blobs
[i
].blob
.data
,
1090 sizeof(request
.data
.auth
.krb5_cc_type
) - 1);
1095 if (strcasecmp(params
->blobs
[i
].name
, "user_uid") == 0) {
1096 if (params
->blobs
[i
].blob
.data
) {
1097 memcpy(&request
.data
.auth
.uid
,
1098 params
->blobs
[i
].blob
.data
,
1099 MIN(sizeof(request
.data
.auth
.uid
),
1100 params
->blobs
[i
].blob
.length
));
1105 if (strcasecmp(params
->blobs
[i
].name
, "flags") == 0) {
1106 if (params
->blobs
[i
].blob
.data
) {
1109 params
->blobs
[i
].blob
.data
,
1111 params
->blobs
[i
].blob
.length
));
1112 request
.flags
|= flags
;
1117 if (strcasecmp(params
->blobs
[i
].name
, "membership_of") == 0) {
1118 if (params
->blobs
[i
].blob
.data
&&
1119 params
->blobs
[i
].blob
.data
[0] > 0) {
1120 strncpy(request
.data
.auth
.require_membership_of_sid
,
1121 (const char *)params
->blobs
[i
].blob
.data
,
1122 sizeof(request
.data
.auth
.require_membership_of_sid
) - 1);
1128 wbc_status
= wbcRequestResponse(WINBINDD_PAM_AUTH
,
1132 if (response
.data
.auth
.nt_status
!= 0) {
1134 wbc_status
= wbc_create_error_info(&response
,
1136 BAIL_ON_WBC_ERROR(wbc_status
);
1139 wbc_status
= WBC_ERR_AUTH_ERROR
;
1140 BAIL_ON_WBC_ERROR(wbc_status
);
1142 BAIL_ON_WBC_ERROR(wbc_status
);
1145 wbc_status
= wbc_create_logon_info(&response
,
1147 BAIL_ON_WBC_ERROR(wbc_status
);
1151 wbc_status
= wbc_create_password_policy_info(&response
,
1153 BAIL_ON_WBC_ERROR(wbc_status
);
1157 winbindd_free_response(&response
);
1162 static void wbcCredentialCacheInfoDestructor(void *ptr
)
1164 struct wbcCredentialCacheInfo
*i
=
1165 (struct wbcCredentialCacheInfo
*)ptr
;
1166 wbcFreeMemory(i
->blobs
);
1169 /* Authenticate a user with cached credentials */
1170 wbcErr
wbcCredentialCache(struct wbcCredentialCacheParams
*params
,
1171 struct wbcCredentialCacheInfo
**info
,
1172 struct wbcAuthErrorInfo
**error
)
1174 wbcErr status
= WBC_ERR_UNKNOWN_FAILURE
;
1175 struct wbcCredentialCacheInfo
*result
= NULL
;
1176 struct winbindd_request request
;
1177 struct winbindd_response response
;
1178 struct wbcNamedBlob
*initial_blob
= NULL
;
1179 struct wbcNamedBlob
*challenge_blob
= NULL
;
1182 ZERO_STRUCT(request
);
1183 ZERO_STRUCT(response
);
1187 if (error
!= NULL
) {
1190 if ((params
== NULL
)
1191 || (params
->account_name
== NULL
)
1192 || (params
->level
!= WBC_CREDENTIAL_CACHE_LEVEL_NTLMSSP
)) {
1193 status
= WBC_ERR_INVALID_PARAM
;
1197 if (params
->domain_name
!= NULL
) {
1198 status
= wbcRequestResponse(WINBINDD_INFO
, NULL
, &response
);
1199 if (!WBC_ERROR_IS_OK(status
)) {
1202 snprintf(request
.data
.ccache_ntlm_auth
.user
,
1203 sizeof(request
.data
.ccache_ntlm_auth
.user
)-1,
1204 "%s%c%s", params
->domain_name
,
1205 response
.data
.info
.winbind_separator
,
1206 params
->account_name
);
1208 strncpy(request
.data
.ccache_ntlm_auth
.user
,
1209 params
->account_name
,
1210 sizeof(request
.data
.ccache_ntlm_auth
.user
)-1);
1212 request
.data
.ccache_ntlm_auth
.uid
= getuid();
1214 for (i
=0; i
<params
->num_blobs
; i
++) {
1215 if (strcasecmp(params
->blobs
[i
].name
, "initial_blob") == 0) {
1216 initial_blob
= ¶ms
->blobs
[i
];
1219 if (strcasecmp(params
->blobs
[i
].name
, "challenge_blob") == 0) {
1220 challenge_blob
= ¶ms
->blobs
[i
];
1225 request
.data
.ccache_ntlm_auth
.initial_blob_len
= 0;
1226 request
.data
.ccache_ntlm_auth
.challenge_blob_len
= 0;
1227 request
.extra_len
= 0;
1229 if (initial_blob
!= NULL
) {
1230 request
.data
.ccache_ntlm_auth
.initial_blob_len
=
1231 initial_blob
->blob
.length
;
1232 request
.extra_len
+= initial_blob
->blob
.length
;
1234 if (challenge_blob
!= NULL
) {
1235 request
.data
.ccache_ntlm_auth
.challenge_blob_len
=
1236 challenge_blob
->blob
.length
;
1237 request
.extra_len
+= challenge_blob
->blob
.length
;
1240 if (request
.extra_len
!= 0) {
1241 request
.extra_data
.data
= (char *)malloc(request
.extra_len
);
1242 if (request
.extra_data
.data
== NULL
) {
1243 status
= WBC_ERR_NO_MEMORY
;
1247 if (initial_blob
!= NULL
) {
1248 memcpy(request
.extra_data
.data
,
1249 initial_blob
->blob
.data
, initial_blob
->blob
.length
);
1251 if (challenge_blob
!= NULL
) {
1252 memcpy(request
.extra_data
.data
1253 + request
.data
.ccache_ntlm_auth
.initial_blob_len
,
1254 challenge_blob
->blob
.data
,
1255 challenge_blob
->blob
.length
);
1258 status
= wbcRequestResponse(WINBINDD_CCACHE_NTLMAUTH
, &request
,
1260 if (!WBC_ERROR_IS_OK(status
)) {
1264 result
= (struct wbcCredentialCacheInfo
*)wbcAllocateMemory(
1265 1, sizeof(struct wbcCredentialCacheInfo
),
1266 wbcCredentialCacheInfoDestructor
);
1267 if (result
== NULL
) {
1268 status
= WBC_ERR_NO_MEMORY
;
1271 result
->num_blobs
= 0;
1272 result
->blobs
= NULL
;
1273 status
= wbcAddNamedBlob(&result
->num_blobs
, &result
->blobs
,
1275 (uint8_t *)response
.extra_data
.data
,
1276 response
.data
.ccache_ntlm_auth
.auth_blob_len
);
1277 if (!WBC_ERROR_IS_OK(status
)) {
1280 status
= wbcAddNamedBlob(
1281 &result
->num_blobs
, &result
->blobs
, "session_key", 0,
1282 response
.data
.ccache_ntlm_auth
.session_key
,
1283 sizeof(response
.data
.ccache_ntlm_auth
.session_key
));
1284 if (!WBC_ERROR_IS_OK(status
)) {
1290 status
= WBC_ERR_SUCCESS
;
1292 free(request
.extra_data
.data
);
1293 winbindd_free_response(&response
);
1294 wbcFreeMemory(result
);
1298 /* Authenticate a user with cached credentials */
1299 wbcErr
wbcCredentialSave(const char *user
, const char *password
)
1301 struct winbindd_request request
;
1302 struct winbindd_response response
;
1304 ZERO_STRUCT(request
);
1305 ZERO_STRUCT(response
);
1307 strncpy(request
.data
.ccache_save
.user
, user
,
1308 sizeof(request
.data
.ccache_save
.user
)-1);
1309 strncpy(request
.data
.ccache_save
.pass
, password
,
1310 sizeof(request
.data
.ccache_save
.pass
)-1);
1311 request
.data
.ccache_save
.uid
= getuid();
1313 return wbcRequestResponse(WINBINDD_CCACHE_SAVE
, &request
, &response
);