search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4 dns: Implement RFC-compatible update prescan
[Samba/gebeck_regimport.git] / source3 / auth / auth_util.c
blobfcfed834e523b6457e4d3760b2efd0eef3a59eb7
1 /*
2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001-2011
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Volker Lendecke 2006-2008
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "auth.h"
26 #include "../libcli/auth/libcli_auth.h"
27 #include "../lib/crypto/arcfour.h"
28 #include "rpc_client/init_lsa.h"
29 #include "../libcli/security/security.h"
30 #include "../lib/util/util_pw.h"
31 #include "lib/winbind_util.h"
32 #include "passdb.h"
33 #include "../librpc/gen_ndr/ndr_auth.h"
34 #include "../auth/auth_sam_reply.h"
35
36 #undef DBGC_CLASS
37 #define DBGC_CLASS DBGC_AUTH
38
39 /****************************************************************************
40 Create a UNIX user on demand.
41 ****************************************************************************/
42
43 static int _smb_create_user(const char *domain, const char *unix_username, const char *homedir)
44 {
45 TALLOC_CTX *ctx = talloc_tos();
46 char *add_script;
47 int ret;
48
49 add_script = talloc_strdup(ctx, lp_adduser_script());
50 if (!add_script || !*add_script) {
51 return -1;
52 }
53 add_script = talloc_all_string_sub(ctx,
54 add_script,
55 "%u",
56 unix_username);
57 if (!add_script) {
58 return -1;
59 }
60 if (domain) {
61 add_script = talloc_all_string_sub(ctx,
62 add_script,
63 "%D",
64 domain);
65 if (!add_script) {
66 return -1;
67 }
68 }
69 if (homedir) {
70 add_script = talloc_all_string_sub(ctx,
71 add_script,
72 "%H",
73 homedir);
74 if (!add_script) {
75 return -1;
76 }
77 }
78 ret = smbrun(add_script,NULL);
79 flush_pwnam_cache();
80 DEBUG(ret ? 0 : 3,
81 ("smb_create_user: Running the command `%s' gave %d\n",
82 add_script,ret));
83 return ret;
84 }
85
86 /****************************************************************************
87 Create an auth_usersupplied_data structure after appropriate mapping.
88 ****************************************************************************/
89
90 NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info,
91 const char *smb_name,
92 const char *client_domain,
93 const char *workstation_name,
94 const struct tsocket_address *remote_address,
95 DATA_BLOB *lm_pwd,
96 DATA_BLOB *nt_pwd,
97 const struct samr_Password *lm_interactive_pwd,
98 const struct samr_Password *nt_interactive_pwd,
99 const char *plaintext,
100 enum auth_password_state password_state)
101 {
102 const char *domain;
103 NTSTATUS result;
104 bool was_mapped;
105 char *internal_username = NULL;
106
107 was_mapped = map_username(talloc_tos(), smb_name, &internal_username);
108 if (!internal_username) {
109 return NT_STATUS_NO_MEMORY;
110 }
111
112 DEBUG(5, ("Mapping user [%s]\\[%s] from workstation [%s]\n",
113 client_domain, smb_name, workstation_name));
114
115 domain = client_domain;
116
117 /* If you connect to a Windows domain member using a bogus domain name,
118 * the Windows box will map the BOGUS\user to SAMNAME\user. Thus, if
119 * the Windows box is a DC the name will become DOMAIN\user and be
120 * authenticated against AD, if the Windows box is a member server but
121 * not a DC the name will become WORKSTATION\user. A standalone
122 * non-domain member box will also map to WORKSTATION\user.
123 * This also deals with the client passing in a "" domain */
124
125 if (!is_trusted_domain(domain) &&
126 !strequal(domain, my_sam_name()))
127 {
128 if (lp_map_untrusted_to_domain())
129 domain = my_sam_name();
130 else
131 domain = get_global_sam_name();
132 DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] from "
133 "workstation [%s]\n",
134 client_domain, domain, smb_name, workstation_name));
135 }
136
137 /* We know that the given domain is trusted (and we are allowing them),
138 * it is our global SAM name, or for legacy behavior it is our
139 * primary domain name */
140
141 result = make_user_info(user_info, smb_name, internal_username,
142 client_domain, domain, workstation_name,
143 remote_address, lm_pwd, nt_pwd,
144 lm_interactive_pwd, nt_interactive_pwd,
145 plaintext, password_state);
146 if (NT_STATUS_IS_OK(result)) {
147 /* We have tried mapping */
148 (*user_info)->mapped_state = true;
149 /* did we actually map the user to a different name? */
150 (*user_info)->was_mapped = was_mapped;
151 }
152 return result;
153 }
154
155 /****************************************************************************
156 Create an auth_usersupplied_data, making the DATA_BLOBs here.
157 Decrypt and encrypt the passwords.
158 ****************************************************************************/
159
160 bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info,
161 const char *smb_name,
162 const char *client_domain,
163 const char *workstation_name,
164 const struct tsocket_address *remote_address,
165 uint32 logon_parameters,
166 const uchar *lm_network_pwd,
167 int lm_pwd_len,
168 const uchar *nt_network_pwd,
169 int nt_pwd_len)
170 {
171 bool ret;
172 NTSTATUS status;
173 DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len);
174 DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
175
176 status = make_user_info_map(user_info,
177 smb_name, client_domain,
178 workstation_name,
179 remote_address,
180 lm_pwd_len ? &lm_blob : NULL,
181 nt_pwd_len ? &nt_blob : NULL,
182 NULL, NULL, NULL,
183 AUTH_PASSWORD_RESPONSE);
184
185 if (NT_STATUS_IS_OK(status)) {
186 (*user_info)->logon_parameters = logon_parameters;
187 }
188 ret = NT_STATUS_IS_OK(status) ? true : false;
189
190 data_blob_free(&lm_blob);
191 data_blob_free(&nt_blob);
192 return ret;
193 }
194
195 /****************************************************************************
196 Create an auth_usersupplied_data, making the DATA_BLOBs here.
197 Decrypt and encrypt the passwords.
198 ****************************************************************************/
199
200 bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_info,
201 const char *smb_name,
202 const char *client_domain,
203 const char *workstation_name,
204 const struct tsocket_address *remote_address,
205 uint32 logon_parameters,
206 const uchar chal[8],
207 const uchar lm_interactive_pwd[16],
208 const uchar nt_interactive_pwd[16],
209 const uchar *dc_sess_key)
210 {
211 struct samr_Password lm_pwd;
212 struct samr_Password nt_pwd;
213 unsigned char local_lm_response[24];
214 unsigned char local_nt_response[24];
215 unsigned char key[16];
216
217 memcpy(key, dc_sess_key, 16);
218
219 if (lm_interactive_pwd)
220 memcpy(lm_pwd.hash, lm_interactive_pwd, sizeof(lm_pwd.hash));
221
222 if (nt_interactive_pwd)
223 memcpy(nt_pwd.hash, nt_interactive_pwd, sizeof(nt_pwd.hash));
224
225 #ifdef DEBUG_PASSWORD
226 DEBUG(100,("key:"));
227 dump_data(100, key, sizeof(key));
228
229 DEBUG(100,("lm owf password:"));
230 dump_data(100, lm_pwd.hash, sizeof(lm_pwd.hash));
231
232 DEBUG(100,("nt owf password:"));
233 dump_data(100, nt_pwd.hash, sizeof(nt_pwd.hash));
234 #endif
235
236 if (lm_interactive_pwd)
237 arcfour_crypt(lm_pwd.hash, key, sizeof(lm_pwd.hash));
238
239 if (nt_interactive_pwd)
240 arcfour_crypt(nt_pwd.hash, key, sizeof(nt_pwd.hash));
241
242 #ifdef DEBUG_PASSWORD
243 DEBUG(100,("decrypt of lm owf password:"));
244 dump_data(100, lm_pwd.hash, sizeof(lm_pwd));
245
246 DEBUG(100,("decrypt of nt owf password:"));
247 dump_data(100, nt_pwd.hash, sizeof(nt_pwd));
248 #endif
249
250 if (lm_interactive_pwd)
251 SMBOWFencrypt(lm_pwd.hash, chal,
252 local_lm_response);
253
254 if (nt_interactive_pwd)
255 SMBOWFencrypt(nt_pwd.hash, chal,
256 local_nt_response);
257
258 /* Password info paranoia */
259 ZERO_STRUCT(key);
260
261 {
262 bool ret;
263 NTSTATUS nt_status;
264 DATA_BLOB local_lm_blob;
265 DATA_BLOB local_nt_blob;
266
267 if (lm_interactive_pwd) {
268 local_lm_blob = data_blob(local_lm_response,
269 sizeof(local_lm_response));
270 }
271
272 if (nt_interactive_pwd) {
273 local_nt_blob = data_blob(local_nt_response,
274 sizeof(local_nt_response));
275 }
276
277 nt_status = make_user_info_map(
278 user_info,
279 smb_name, client_domain, workstation_name,
280 remote_address,
281 lm_interactive_pwd ? &local_lm_blob : NULL,
282 nt_interactive_pwd ? &local_nt_blob : NULL,
283 lm_interactive_pwd ? &lm_pwd : NULL,
284 nt_interactive_pwd ? &nt_pwd : NULL,
285 NULL, AUTH_PASSWORD_HASH);
286
287 if (NT_STATUS_IS_OK(nt_status)) {
288 (*user_info)->logon_parameters = logon_parameters;
289 }
290
291 ret = NT_STATUS_IS_OK(nt_status) ? true : false;
292 data_blob_free(&local_lm_blob);
293 data_blob_free(&local_nt_blob);
294 return ret;
295 }
296 }
297
298
299 /****************************************************************************
300 Create an auth_usersupplied_data structure
301 ****************************************************************************/
302
303 bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
304 const char *smb_name,
305 const char *client_domain,
306 const struct tsocket_address *remote_address,
307 const uint8 chal[8],
308 DATA_BLOB plaintext_password)
309 {
310
311 DATA_BLOB local_lm_blob;
312 DATA_BLOB local_nt_blob;
313 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
314 char *plaintext_password_string;
315 /*
316 * Not encrypted - do so.
317 */
318
319 DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted "
320 "format.\n"));
321 if (plaintext_password.data && plaintext_password.length) {
322 unsigned char local_lm_response[24];
323
324 #ifdef DEBUG_PASSWORD
325 DEBUG(10,("Unencrypted password (len %d):\n",
326 (int)plaintext_password.length));
327 dump_data(100, plaintext_password.data,
328 plaintext_password.length);
329 #endif
330
331 SMBencrypt( (const char *)plaintext_password.data,
332 (const uchar*)chal, local_lm_response);
333 local_lm_blob = data_blob(local_lm_response, 24);
334
335 /* We can't do an NT hash here, as the password needs to be
336 case insensitive */
337 local_nt_blob = data_blob_null;
338 } else {
339 local_lm_blob = data_blob_null;
340 local_nt_blob = data_blob_null;
341 }
342
343 plaintext_password_string = talloc_strndup(talloc_tos(),
344 (const char *)plaintext_password.data,
345 plaintext_password.length);
346 if (!plaintext_password_string) {
347 return false;
348 }
349
350 ret = make_user_info_map(
351 user_info, smb_name, client_domain,
352 get_remote_machine_name(),
353 remote_address,
354 local_lm_blob.data ? &local_lm_blob : NULL,
355 local_nt_blob.data ? &local_nt_blob : NULL,
356 NULL, NULL,
357 plaintext_password_string,
358 AUTH_PASSWORD_PLAIN);
359
360 if (plaintext_password_string) {
361 memset(plaintext_password_string, '\0', strlen(plaintext_password_string));
362 talloc_free(plaintext_password_string);
363 }
364
365 data_blob_free(&local_lm_blob);
366 return NT_STATUS_IS_OK(ret) ? true : false;
367 }
368
369 /****************************************************************************
370 Create an auth_usersupplied_data structure
371 ****************************************************************************/
372
373 NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info,
374 const char *smb_name,
375 const char *client_domain,
376 const struct tsocket_address *remote_address,
377 DATA_BLOB lm_resp, DATA_BLOB nt_resp)
378 {
379 return make_user_info_map(user_info, smb_name,
380 client_domain,
381 get_remote_machine_name(),
382 remote_address,
383 lm_resp.data && (lm_resp.length > 0) ? &lm_resp : NULL,
384 nt_resp.data && (nt_resp.length > 0) ? &nt_resp : NULL,
385 NULL, NULL, NULL,
386 AUTH_PASSWORD_RESPONSE);
387 }
388
389 /****************************************************************************
390 Create a guest user_info blob, for anonymous authentication.
391 ****************************************************************************/
392
393 bool make_user_info_guest(const struct tsocket_address *remote_address,
394 struct auth_usersupplied_info **user_info)
395 {
396 NTSTATUS nt_status;
397
398 nt_status = make_user_info(user_info,
399 "","",
400 "","",
401 "",
402 remote_address,
403 NULL, NULL,
404 NULL, NULL,
405 NULL,
406 AUTH_PASSWORD_RESPONSE);
407
408 return NT_STATUS_IS_OK(nt_status) ? true : false;
409 }
410
411 static NTSTATUS log_nt_token(struct security_token *token)
412 {
413 TALLOC_CTX *frame = talloc_stackframe();
414 char *command;
415 char *group_sidstr;
416 size_t i;
417
418 if ((lp_log_nt_token_command() == NULL) ||
419 (strlen(lp_log_nt_token_command()) == 0)) {
420 TALLOC_FREE(frame);
421 return NT_STATUS_OK;
422 }
423
424 group_sidstr = talloc_strdup(frame, "");
425 for (i=1; i<token->num_sids; i++) {
426 group_sidstr = talloc_asprintf(
427 frame, "%s %s", group_sidstr,
428 sid_string_talloc(frame, &token->sids[i]));
429 }
430
431 command = talloc_string_sub(
432 frame, lp_log_nt_token_command(),
433 "%s", sid_string_talloc(frame, &token->sids[0]));
434 command = talloc_string_sub(frame, command, "%t", group_sidstr);
435
436 if (command == NULL) {
437 TALLOC_FREE(frame);
438 return NT_STATUS_NO_MEMORY;
439 }
440
441 DEBUG(8, ("running command: [%s]\n", command));
442 if (smbrun(command, NULL) != 0) {
443 DEBUG(0, ("Could not log NT token\n"));
444 TALLOC_FREE(frame);
445 return NT_STATUS_ACCESS_DENIED;
446 }
447
448 TALLOC_FREE(frame);
449 return NT_STATUS_OK;
450 }
451
452 /*
453 * Create the token to use from server_info->info3 and
454 * server_info->sids (the info3/sam groups). Find the unix gids.
455 */
456
457 NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
458 const struct auth_serversupplied_info *server_info,
459 DATA_BLOB *session_key,
460 const char *smb_username, /* for ->sanitized_username, for %U subs */
461 struct auth_session_info **session_info_out)
462 {
463 struct security_token *t;
464 NTSTATUS status;
465 size_t i;
466 struct dom_sid tmp_sid;
467 struct auth_session_info *session_info;
468 struct wbcUnixId *ids;
469 fstring tmp;
470
471 /* Ensure we can't possible take a code path leading to a
472 * null defref. */
473 if (!server_info) {
474 return NT_STATUS_LOGON_FAILURE;
475 }
476
477 session_info = talloc_zero(mem_ctx, struct auth_session_info);
478 if (!session_info) {
479 return NT_STATUS_NO_MEMORY;
480 }
481
482 session_info->unix_token = talloc_zero(session_info, struct security_unix_token);
483 if (!session_info->unix_token) {
484 TALLOC_FREE(session_info);
485 return NT_STATUS_NO_MEMORY;
486 }
487
488 session_info->unix_token->uid = server_info->utok.uid;
489 session_info->unix_token->gid = server_info->utok.gid;
490
491 session_info->unix_info = talloc_zero(session_info, struct auth_user_info_unix);
492 if (!session_info->unix_info) {
493 TALLOC_FREE(session_info);
494 return NT_STATUS_NO_MEMORY;
495 }
496
497 session_info->unix_info->unix_name = talloc_strdup(session_info, server_info->unix_name);
498 if (!session_info->unix_info->unix_name) {
499 TALLOC_FREE(session_info);
500 return NT_STATUS_NO_MEMORY;
501 }
502
503 /* This is a potentially untrusted username for use in %U */
504 alpha_strcpy(tmp, smb_username, ". _-$", sizeof(tmp));
505 session_info->unix_info->sanitized_username =
506 talloc_strdup(session_info->unix_info, tmp);
507
508 session_info->unix_info->system = server_info->system;
509
510 if (session_key) {
511 data_blob_free(&session_info->session_key);
512 session_info->session_key = data_blob_talloc(session_info,
513 session_key->data,
514 session_key->length);
515 if (!session_info->session_key.data && session_key->length) {
516 return NT_STATUS_NO_MEMORY;
517 }
518 } else {
519 session_info->session_key = data_blob_talloc( session_info, server_info->session_key.data,
520 server_info->session_key.length);
521 }
522
523 if (session_info->security_token) {
524 /* Just copy the token, it has already been finalised
525 * (nasty hack to support a cached guest session_info,
526 * and a possible strategy for auth_samba4 to pass in
527 * a finalised session) */
528
529 session_info->security_token = dup_nt_token(session_info, server_info->security_token);
530 if (!session_info->security_token) {
531 TALLOC_FREE(session_info);
532 return NT_STATUS_NO_MEMORY;
533 }
534
535 session_info->unix_token->ngroups = server_info->utok.ngroups;
536 if (server_info->utok.ngroups != 0) {
537 session_info->unix_token->groups = (gid_t *)talloc_memdup(
538 session_info->unix_token, server_info->utok.groups,
539 sizeof(gid_t)*session_info->unix_token->ngroups);
540 } else {
541 session_info->unix_token->groups = NULL;
542 }
543
544 *session_info_out = session_info;
545 return NT_STATUS_OK;
546 }
547
548 /* We need to populate session_info->info with the information found in server_info->info3 */
549 status = make_user_info_SamBaseInfo(session_info, "", &server_info->info3->base,
550 server_info->guest == false,
551 &session_info->info);
552 if (!NT_STATUS_IS_OK(status)) {
553 DEBUG(0, ("conversion of info3 into auth_user_info failed!\n"));
554 TALLOC_FREE(session_info);
555 return status;
556 }
557
558 /*
559 * If winbind is not around, we can not make much use of the SIDs the
560 * domain controller provided us with. Likewise if the user name was
561 * mapped to some local unix user.
562 */
563
564 if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
565 (server_info->nss_token)) {
566 char *found_username = NULL;
567 status = create_token_from_username(session_info,
568 server_info->unix_name,
569 server_info->guest,
570 &session_info->unix_token->uid,
571 &session_info->unix_token->gid,
572 &found_username,
573 &session_info->security_token);
574 if (NT_STATUS_IS_OK(status)) {
575 session_info->unix_info->unix_name = found_username;
576 }
577 } else {
578 status = create_local_nt_token_from_info3(session_info,
579 server_info->guest,
580 server_info->info3,
581 &server_info->extra,
582 &session_info->security_token);
583 }
584
585 if (!NT_STATUS_IS_OK(status)) {
586 return status;
587 }
588
589 /* Convert the SIDs to gids. */
590
591 session_info->unix_token->ngroups = 0;
592 session_info->unix_token->groups = NULL;
593
594 t = session_info->security_token;
595
596 ids = talloc_array(talloc_tos(), struct wbcUnixId,
597 t->num_sids);
598 if (ids == NULL) {
599 return NT_STATUS_NO_MEMORY;
600 }
601
602 if (!sids_to_unix_ids(t->sids, t->num_sids, ids)) {
603 TALLOC_FREE(ids);
604 return NT_STATUS_NO_MEMORY;
605 }
606
607 for (i=0; i<t->num_sids; i++) {
608
609 if (i == 0 && ids[i].type != WBC_ID_TYPE_BOTH) {
610 continue;
611 }
612
613 if (ids[i].type != WBC_ID_TYPE_GID &&
614 ids[i].type != WBC_ID_TYPE_BOTH) {
615 DEBUG(10, ("Could not convert SID %s to gid, "
616 "ignoring it\n",
617 sid_string_dbg(&t->sids[i])));
618 continue;
619 }
620 if (!add_gid_to_array_unique(session_info, ids[i].id.gid,
621 &session_info->unix_token->groups,
622 &session_info->unix_token->ngroups)) {
623 return NT_STATUS_NO_MEMORY;
624 }
625 }
626
627 /*
628 * Add the "Unix Group" SID for each gid to catch mapped groups
629 * and their Unix equivalent. This is to solve the backwards
630 * compatibility problem of 'valid users = +ntadmin' where
631 * ntadmin has been paired with "Domain Admins" in the group
632 * mapping table. Otherwise smb.conf would need to be changed
633 * to 'valid user = "Domain Admins"'. --jerry
634 *
635 * For consistency we also add the "Unix User" SID,
636 * so that the complete unix token is represented within
637 * the nt token.
638 */
639
640 uid_to_unix_users_sid(session_info->unix_token->uid, &tmp_sid);
641
642 add_sid_to_array_unique(session_info->security_token, &tmp_sid,
643 &session_info->security_token->sids,
644 &session_info->security_token->num_sids);
645
646 for ( i=0; i<session_info->unix_token->ngroups; i++ ) {
647 gid_to_unix_groups_sid(session_info->unix_token->groups[i], &tmp_sid);
648 add_sid_to_array_unique(session_info->security_token, &tmp_sid,
649 &session_info->security_token->sids,
650 &session_info->security_token->num_sids);
651 }
652
653 security_token_debug(DBGC_AUTH, 10, session_info->security_token);
654 debug_unix_user_token(DBGC_AUTH, 10,
655 session_info->unix_token->uid,
656 session_info->unix_token->gid,
657 session_info->unix_token->ngroups,
658 session_info->unix_token->groups);
659
660 status = log_nt_token(session_info->security_token);
661 if (!NT_STATUS_IS_OK(status)) {
662 return status;
663 }
664
665 *session_info_out = session_info;
666 return NT_STATUS_OK;
667 }
668
669 /***************************************************************************
670 Make (and fill) a server_info struct from a 'struct passwd' by conversion
671 to a struct samu
672 ***************************************************************************/
673
674 NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
675 char *unix_username,
676 struct passwd *pwd)
677 {
678 NTSTATUS status;
679 struct samu *sampass = NULL;
680 char *qualified_name = NULL;
681 TALLOC_CTX *mem_ctx = NULL;
682 struct dom_sid u_sid;
683 enum lsa_SidType type;
684 struct auth_serversupplied_info *result;
685
686 /*
687 * The SID returned in server_info->sam_account is based
688 * on our SAM sid even though for a pure UNIX account this should
689 * not be the case as it doesn't really exist in the SAM db.
690 * This causes lookups on "[in]valid users" to fail as they
691 * will lookup this name as a "Unix User" SID to check against
692 * the user token. Fix this by adding the "Unix User"\unix_username
693 * SID to the sid array. The correct fix should probably be
694 * changing the server_info->sam_account user SID to be a
695 * S-1-22 Unix SID, but this might break old configs where
696 * plaintext passwords were used with no SAM backend.
697 */
698
699 mem_ctx = talloc_init("make_server_info_pw_tmp");
700 if (!mem_ctx) {
701 return NT_STATUS_NO_MEMORY;
702 }
703
704 qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
705 unix_users_domain_name(),
706 unix_username );
707 if (!qualified_name) {
708 TALLOC_FREE(mem_ctx);
709 return NT_STATUS_NO_MEMORY;
710 }
711
712 if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
713 NULL, NULL,
714 &u_sid, &type)) {
715 TALLOC_FREE(mem_ctx);
716 return NT_STATUS_NO_SUCH_USER;
717 }
718
719 TALLOC_FREE(mem_ctx);
720
721 if (type != SID_NAME_USER) {
722 return NT_STATUS_NO_SUCH_USER;
723 }
724
725 if ( !(sampass = samu_new( NULL )) ) {
726 return NT_STATUS_NO_MEMORY;
727 }
728
729 status = samu_set_unix( sampass, pwd );
730 if (!NT_STATUS_IS_OK(status)) {
731 return status;
732 }
733
734 /* In pathological cases the above call can set the account
735 * name to the DOMAIN\username form. Reset the account name
736 * using unix_username */
737 pdb_set_username(sampass, unix_username, PDB_SET);
738
739 /* set the user sid to be the calculated u_sid */
740 pdb_set_user_sid(sampass, &u_sid, PDB_SET);
741
742 result = make_server_info(NULL);
743 if (result == NULL) {
744 TALLOC_FREE(sampass);
745 return NT_STATUS_NO_MEMORY;
746 }
747
748 status = samu_to_SamInfo3(result, sampass, lp_netbios_name(),
749 &result->info3, &result->extra);
750 TALLOC_FREE(sampass);
751 if (!NT_STATUS_IS_OK(status)) {
752 DEBUG(10, ("Failed to convert samu to info3: %s\n",
753 nt_errstr(status)));
754 TALLOC_FREE(result);
755 return status;
756 }
757
758 result->unix_name = talloc_strdup(result, unix_username);
759
760 if (result->unix_name == NULL) {
761 TALLOC_FREE(result);
762 return NT_STATUS_NO_MEMORY;
763 }
764
765 result->utok.uid = pwd->pw_uid;
766 result->utok.gid = pwd->pw_gid;
767
768 *server_info = result;
769
770 return NT_STATUS_OK;
771 }
772
773 static NTSTATUS get_guest_info3(TALLOC_CTX *mem_ctx,
774 struct netr_SamInfo3 *info3)
775 {
776 const char *guest_account = lp_guestaccount();
777 struct dom_sid domain_sid;
778 struct passwd *pwd;
779 const char *tmp;
780
781 pwd = Get_Pwnam_alloc(mem_ctx, guest_account);
782 if (pwd == NULL) {
783 DEBUG(0,("SamInfo3_for_guest: Unable to locate guest "
784 "account [%s]!\n", guest_account));
785 return NT_STATUS_NO_SUCH_USER;
786 }
787
788 /* Set account name */
789 tmp = talloc_strdup(mem_ctx, pwd->pw_name);
790 if (tmp == NULL) {
791 return NT_STATUS_NO_MEMORY;
792 }
793 init_lsa_String(&info3->base.account_name, tmp);
794
795 /* Set domain name */
796 tmp = talloc_strdup(mem_ctx, get_global_sam_name());
797 if (tmp == NULL) {
798 return NT_STATUS_NO_MEMORY;
799 }
800 init_lsa_StringLarge(&info3->base.logon_domain, tmp);
801
802 /* Domain sid */
803 sid_copy(&domain_sid, get_global_sam_sid());
804
805 info3->base.domain_sid = dom_sid_dup(mem_ctx, &domain_sid);
806 if (info3->base.domain_sid == NULL) {
807 return NT_STATUS_NO_MEMORY;
808 }
809
810 /* Guest rid */
811 info3->base.rid = DOMAIN_RID_GUEST;
812
813 /* Primary gid */
814 info3->base.primary_gid = BUILTIN_RID_GUESTS;
815
816 /* Set as guest */
817 info3->base.user_flags = NETLOGON_GUEST;
818
819 TALLOC_FREE(pwd);
820 return NT_STATUS_OK;
821 }
822
823 /***************************************************************************
824 Make (and fill) a user_info struct for a guest login.
825 This *must* succeed for smbd to start. If there is no mapping entry for
826 the guest gid, then create one.
827
828 The resulting structure is a 'session_info' because
829 create_local_token() has already been called on it. This is quite
830 nasty, as the auth subsystem isn't expect this, but the behavior is
831 left as-is for now.
832 ***************************************************************************/
833
834 static NTSTATUS make_new_session_info_guest(struct auth_session_info **session_info, struct auth_serversupplied_info **server_info)
835 {
836 static const char zeros[16] = {0};
837 const char *guest_account = lp_guestaccount();
838 const char *domain = lp_netbios_name();
839 struct netr_SamInfo3 info3;
840 TALLOC_CTX *tmp_ctx;
841 NTSTATUS status;
842
843 tmp_ctx = talloc_stackframe();
844 if (tmp_ctx == NULL) {
845 return NT_STATUS_NO_MEMORY;
846 }
847
848 ZERO_STRUCT(info3);
849
850 status = get_guest_info3(tmp_ctx, &info3);
851 if (!NT_STATUS_IS_OK(status)) {
852 DEBUG(0, ("get_guest_info3 failed with %s\n",
853 nt_errstr(status)));
854 goto done;
855 }
856
857 status = make_server_info_info3(tmp_ctx,
858 guest_account,
859 domain,
860 server_info,
861 &info3);
862 if (!NT_STATUS_IS_OK(status)) {
863 DEBUG(0, ("make_server_info_info3 failed with %s\n",
864 nt_errstr(status)));
865 goto done;
866 }
867
868 (*server_info)->guest = true;
869
870 /* This should not be done here (we should produce a server
871 * info, and later construct a session info from it), but for
872 * now this does not change the previous behavior */
873 status = create_local_token(tmp_ctx, *server_info, NULL,
874 (*server_info)->info3->base.account_name.string,
875 session_info);
876 if (!NT_STATUS_IS_OK(status)) {
877 DEBUG(0, ("create_local_token failed: %s\n",
878 nt_errstr(status)));
879 goto done;
880 }
881 talloc_steal(NULL, *session_info);
882 talloc_steal(NULL, *server_info);
883
884 /* annoying, but the Guest really does have a session key, and it is
885 all zeros! */
886 (*session_info)->session_key = data_blob(zeros, sizeof(zeros));
887
888 status = NT_STATUS_OK;
889 done:
890 TALLOC_FREE(tmp_ctx);
891 return status;
892 }
893
894 /***************************************************************************
895 Make (and fill) a auth_session_info struct for a system user login.
896 This *must* succeed for smbd to start.
897 ***************************************************************************/
898
899 static NTSTATUS make_new_session_info_system(TALLOC_CTX *mem_ctx,
900 struct auth_session_info **session_info)
901 {
902 struct passwd *pwd;
903 NTSTATUS status;
904
905 pwd = getpwuid_alloc(mem_ctx, sec_initial_uid());
906 if (pwd == NULL) {
907 return NT_STATUS_NO_SUCH_USER;
908 }
909
910 status = make_session_info_from_username(mem_ctx,
911 pwd->pw_name,
912 false,
913 session_info);
914 TALLOC_FREE(pwd);
915 if (!NT_STATUS_IS_OK(status)) {
916 return status;
917 }
918
919 (*session_info)->unix_info->system = true;
920
921 status = add_sid_to_array_unique((*session_info)->security_token->sids,
922 &global_sid_System,
923 &(*session_info)->security_token->sids,
924 &(*session_info)->security_token->num_sids);
925 if (!NT_STATUS_IS_OK(status)) {
926 TALLOC_FREE((*session_info));
927 return status;
928 }
929
930 return NT_STATUS_OK;
931 }
932
933 /****************************************************************************
934 Fake a auth_session_info just from a username (as a
935 session_info structure, with create_local_token() already called on
936 it.
937 ****************************************************************************/
938
939 NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
940 const char *username,
941 bool is_guest,
942 struct auth_session_info **session_info)
943 {
944 struct auth_serversupplied_info *result;
945 struct passwd *pwd;
946 NTSTATUS status;
947
948 pwd = Get_Pwnam_alloc(talloc_tos(), username);
949 if (pwd == NULL) {
950 return NT_STATUS_NO_SUCH_USER;
951 }
952
953 status = make_server_info_pw(&result, pwd->pw_name, pwd);
954
955 if (!NT_STATUS_IS_OK(status)) {
956 TALLOC_FREE(pwd);
957 return status;
958 }
959
960 result->nss_token = true;
961 result->guest = is_guest;
962
963 /* Now turn the server_info into a session_info with the full token etc */
964 status = create_local_token(mem_ctx, result, NULL, pwd->pw_name, session_info);
965 TALLOC_FREE(pwd);
966 talloc_free(result);
967 return status;
968 }
969
970 /* This function MUST only used to create the cached server_info for
971 * guest.
972 *
973 * This is a lossy conversion. Variables known to be lost so far
974 * include:
975 *
976 * - nss_token (not needed because the only read doesn't happen
977 * for the GUEST user, as this routine populates ->security_token
978 *
979 * - extra (not needed because the guest account must have valid RIDs per the output of get_guest_info3())
980 *
981 * - The 'server_info' parameter allows the missing 'info3' to be copied across.
982 */
983 static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLOC_CTX *mem_ctx,
984 const struct auth_session_info *src,
985 struct auth_serversupplied_info *server_info)
986 {
987 struct auth_serversupplied_info *dst;
988
989 dst = make_server_info(mem_ctx);
990 if (dst == NULL) {
991 return NULL;
992 }
993
994 /* This element must be provided to convert back to an auth_serversupplied_info */
995 SMB_ASSERT(src->unix_info);
996
997 dst->guest = true;
998 dst->system = false;
999
1000 /* This element must be provided to convert back to an
1001 * auth_serversupplied_info. This needs to be from the
1002 * auth_session_info because the group values in particular
1003 * may change during create_local_token() processing */
1004 SMB_ASSERT(src->unix_token);
1005 dst->utok.uid = src->unix_token->uid;
1006 dst->utok.gid = src->unix_token->gid;
1007 dst->utok.ngroups = src->unix_token->ngroups;
1008 if (src->unix_token->ngroups != 0) {
1009 dst->utok.groups = (gid_t *)talloc_memdup(
1010 dst, src->unix_token->groups,
1011 sizeof(gid_t)*dst->utok.ngroups);
1012 } else {
1013 dst->utok.groups = NULL;
1014 }
1015
1016 /* We must have a security_token as otherwise the lossy
1017 * conversion without nss_token would cause create_local_token
1018 * to take the wrong path */
1019 SMB_ASSERT(src->security_token);
1020
1021 dst->security_token = dup_nt_token(dst, src->security_token);
1022 if (!dst->security_token) {
1023 TALLOC_FREE(dst);
1024 return NULL;
1025 }
1026
1027 dst->session_key = data_blob_talloc( dst, src->session_key.data,
1028 src->session_key.length);
1029
1030 /* This is OK because this functions is only used for the
1031 * GUEST account, which has all-zero keys for both values */
1032 dst->lm_session_key = data_blob_talloc(dst, src->session_key.data,
1033 src->session_key.length);
1034
1035 dst->info3 = copy_netr_SamInfo3(dst, server_info->info3);
1036 if (!dst->info3) {
1037 TALLOC_FREE(dst);
1038 return NULL;
1039 }
1040
1041 dst->unix_name = talloc_strdup(dst, src->unix_info->unix_name);
1042 if (!dst->unix_name) {
1043 TALLOC_FREE(dst);
1044 return NULL;
1045 }
1046
1047 return dst;
1048 }
1049
1050 struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx,
1051 const struct auth_session_info *src)
1052 {
1053 struct auth_session_info *dst;
1054 DATA_BLOB blob;
1055 enum ndr_err_code ndr_err;
1056
1057 ndr_err = ndr_push_struct_blob(
1058 &blob, talloc_tos(), src,
1059 (ndr_push_flags_fn_t)ndr_push_auth_session_info);
1060 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1061 DEBUG(0, ("copy_session_info(): ndr_push_auth_session_info failed: "
1062 "%s\n", ndr_errstr(ndr_err)));
1063 return NULL;
1064 }
1065
1066 dst = talloc(mem_ctx, struct auth_session_info);
1067 if (dst == NULL) {
1068 DEBUG(0, ("talloc failed\n"));
1069 TALLOC_FREE(blob.data);
1070 return NULL;
1071 }
1072
1073 ndr_err = ndr_pull_struct_blob(
1074 &blob, dst, dst,
1075 (ndr_pull_flags_fn_t)ndr_pull_auth_session_info);
1076 TALLOC_FREE(blob.data);
1077
1078 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1079 DEBUG(0, ("copy_session_info(): ndr_pull_auth_session_info failed: "
1080 "%s\n", ndr_errstr(ndr_err)));
1081 TALLOC_FREE(dst);
1082 return NULL;
1083 }
1084
1085 return dst;
1086 }
1087
1088 /*
1089 * Set a new session key. Used in the rpc server where we have to override the
1090 * SMB level session key with SystemLibraryDTC
1091 */
1092
1093 bool session_info_set_session_key(struct auth_session_info *info,
1094 DATA_BLOB session_key)
1095 {
1096 TALLOC_FREE(info->session_key.data);
1097
1098 info->session_key = data_blob_talloc(
1099 info, session_key.data, session_key.length);
1100
1101 return (info->session_key.data != NULL);
1102 }
1103
1104 static struct auth_session_info *guest_info = NULL;
1105
1106 static struct auth_serversupplied_info *guest_server_info = NULL;
1107
1108 bool init_guest_info(void)
1109 {
1110 if (guest_info != NULL)
1111 return true;
1112
1113 return NT_STATUS_IS_OK(make_new_session_info_guest(&guest_info, &guest_server_info));
1114 }
1115
1116 NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx,
1117 struct auth_serversupplied_info **server_info)
1118 {
1119 /* This is trickier than it would appear to need to be because
1120 * we are trying to avoid certain costly operations when the
1121 * structure is converted to a 'auth_session_info' again in
1122 * create_local_token() */
1123 *server_info = copy_session_info_serverinfo_guest(mem_ctx, guest_info, guest_server_info);
1124 return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1125 }
1126
1127 NTSTATUS make_session_info_guest(TALLOC_CTX *mem_ctx,
1128 struct auth_session_info **session_info)
1129 {
1130 *session_info = copy_session_info(mem_ctx, guest_info);
1131 return (*session_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1132 }
1133
1134 static struct auth_session_info *system_info = NULL;
1135
1136 NTSTATUS init_system_info(void)
1137 {
1138 if (system_info != NULL)
1139 return NT_STATUS_OK;
1140
1141 return make_new_session_info_system(NULL, &system_info);
1142 }
1143
1144 NTSTATUS make_session_info_system(TALLOC_CTX *mem_ctx,
1145 struct auth_session_info **session_info)
1146 {
1147 if (system_info == NULL) return NT_STATUS_UNSUCCESSFUL;
1148 *session_info = copy_session_info(mem_ctx, system_info);
1149 return (*session_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1150 }
1151
1152 const struct auth_session_info *get_session_info_system(void)
1153 {
1154 return system_info;
1155 }
1156
1157 bool copy_current_user(struct current_user *dst, struct current_user *src)
1158 {
1159 gid_t *groups;
1160 struct security_token *nt_token;
1161
1162 groups = (gid_t *)memdup(src->ut.groups,
1163 sizeof(gid_t) * src->ut.ngroups);
1164 if ((src->ut.ngroups != 0) && (groups == NULL)) {
1165 return false;
1166 }
1167
1168 nt_token = dup_nt_token(NULL, src->nt_user_token);
1169 if (nt_token == NULL) {
1170 SAFE_FREE(groups);
1171 return false;
1172 }
1173
1174 dst->conn = src->conn;
1175 dst->vuid = src->vuid;
1176 dst->ut.uid = src->ut.uid;
1177 dst->ut.gid = src->ut.gid;
1178 dst->ut.ngroups = src->ut.ngroups;
1179 dst->ut.groups = groups;
1180 dst->nt_user_token = nt_token;
1181 return true;
1182 }
1183
1184 /***************************************************************************
1185 Purely internal function for make_server_info_info3
1186 ***************************************************************************/
1187
1188 static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
1189 const char *username, char **found_username,
1190 struct passwd **pwd,
1191 bool *username_was_mapped)
1192 {
1193 char *orig_dom_user = NULL;
1194 char *dom_user = NULL;
1195 char *lower_username = NULL;
1196 char *real_username = NULL;
1197 struct passwd *passwd;
1198
1199 lower_username = talloc_strdup(mem_ctx, username);
1200 if (!lower_username) {
1201 return NT_STATUS_NO_MEMORY;
1202 }
1203 strlower_m( lower_username );
1204
1205 orig_dom_user = talloc_asprintf(mem_ctx,
1206 "%s%c%s",
1207 domain,
1208 *lp_winbind_separator(),
1209 lower_username);
1210 if (!orig_dom_user) {
1211 return NT_STATUS_NO_MEMORY;
1212 }
1213
1214 /* Get the passwd struct. Try to create the account if necessary. */
1215
1216 *username_was_mapped = map_username(mem_ctx, orig_dom_user, &dom_user);
1217 if (!dom_user) {
1218 return NT_STATUS_NO_MEMORY;
1219 }
1220
1221 passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, true );
1222 if (!passwd) {
1223 DEBUG(3, ("Failed to find authenticated user %s via "
1224 "getpwnam(), denying access.\n", dom_user));
1225 return NT_STATUS_NO_SUCH_USER;
1226 }
1227
1228 if (!real_username) {
1229 return NT_STATUS_NO_MEMORY;
1230 }
1231
1232 *pwd = passwd;
1233
1234 /* This is pointless -- there is no support for differing
1235 unix and windows names. Make sure to always store the
1236 one we actually looked up and succeeded. Have I mentioned
1237 why I hate the 'winbind use default domain' parameter?
1238 --jerry */
1239
1240 *found_username = talloc_strdup( mem_ctx, real_username );
1241
1242 return NT_STATUS_OK;
1243 }
1244
1245 /****************************************************************************
1246 Wrapper to allow the getpwnam() call to strip the domain name and
1247 try again in case a local UNIX user is already there. Also run through
1248 the username if we fallback to the username only.
1249 ****************************************************************************/
1250
1251 struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser,
1252 char **p_save_username, bool create )
1253 {
1254 struct passwd *pw = NULL;
1255 char *p = NULL;
1256 char *username = NULL;
1257
1258 /* we only save a copy of the username it has been mangled
1259 by winbindd use default domain */
1260 *p_save_username = NULL;
1261
1262 /* don't call map_username() here since it has to be done higher
1263 up the stack so we don't call it multiple times */
1264
1265 username = talloc_strdup(mem_ctx, domuser);
1266 if (!username) {
1267 return NULL;
1268 }
1269
1270 p = strchr_m( username, *lp_winbind_separator() );
1271
1272 /* code for a DOMAIN\user string */
1273
1274 if ( p ) {
1275 pw = Get_Pwnam_alloc( mem_ctx, domuser );
1276 if ( pw ) {
1277 /* make sure we get the case of the username correct */
1278 /* work around 'winbind use default domain = yes' */
1279
1280 if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
1281 char *domain;
1282
1283 /* split the domain and username into 2 strings */
1284 *p = '\0';
1285 domain = username;
1286
1287 *p_save_username = talloc_asprintf(mem_ctx,
1288 "%s%c%s",
1289 domain,
1290 *lp_winbind_separator(),
1291 pw->pw_name);
1292 if (!*p_save_username) {
1293 TALLOC_FREE(pw);
1294 return NULL;
1295 }
1296 } else {
1297 *p_save_username = talloc_strdup(mem_ctx, pw->pw_name);
1298 }
1299
1300 /* whew -- done! */
1301 return pw;
1302 }
1303
1304 /* setup for lookup of just the username */
1305 /* remember that p and username are overlapping memory */
1306
1307 p++;
1308 username = talloc_strdup(mem_ctx, p);
1309 if (!username) {
1310 return NULL;
1311 }
1312 }
1313
1314 /* just lookup a plain username */
1315
1316 pw = Get_Pwnam_alloc(mem_ctx, username);
1317
1318 /* Create local user if requested but only if winbindd
1319 is not running. We need to protect against cases
1320 where winbindd is failing and then prematurely
1321 creating users in /etc/passwd */
1322
1323 if ( !pw && create && !winbind_ping() ) {
1324 /* Don't add a machine account. */
1325 if (username[strlen(username)-1] == '$')
1326 return NULL;
1327
1328 _smb_create_user(NULL, username, NULL);
1329 pw = Get_Pwnam_alloc(mem_ctx, username);
1330 }
1331
1332 /* one last check for a valid passwd struct */
1333
1334 if (pw) {
1335 *p_save_username = talloc_strdup(mem_ctx, pw->pw_name);
1336 }
1337 return pw;
1338 }
1339
1340 /***************************************************************************
1341 Make a server_info struct from the info3 returned by a domain logon
1342 ***************************************************************************/
1343
1344 NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
1345 const char *sent_nt_username,
1346 const char *domain,
1347 struct auth_serversupplied_info **server_info,
1348 struct netr_SamInfo3 *info3)
1349 {
1350 static const char zeros[16] = {0, };
1351
1352 NTSTATUS nt_status = NT_STATUS_OK;
1353 char *found_username = NULL;
1354 const char *nt_domain;
1355 const char *nt_username;
1356 bool username_was_mapped;
1357 struct passwd *pwd;
1358 struct auth_serversupplied_info *result;
1359 struct dom_sid *group_sid;
1360 struct netr_SamInfo3 *i3;
1361
1362 /*
1363 Here is where we should check the list of
1364 trusted domains, and verify that the SID
1365 matches.
1366 */
1367
1368 nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
1369 if (!nt_username) {
1370 /* If the server didn't give us one, just use the one we sent
1371 * them */
1372 nt_username = sent_nt_username;
1373 }
1374
1375 nt_domain = talloc_strdup(mem_ctx, info3->base.logon_domain.string);
1376 if (!nt_domain) {
1377 /* If the server didn't give us one, just use the one we sent
1378 * them */
1379 nt_domain = domain;
1380 }
1381
1382 /* If getpwnam() fails try the add user script (2.2.x behavior).
1383
1384 We use the _unmapped_ username here in an attempt to provide
1385 consistent username mapping behavior between kerberos and NTLM[SSP]
1386 authentication in domain mode security. I.E. Username mapping
1387 should be applied to the fully qualified username
1388 (e.g. DOMAIN\user) and not just the login name. Yes this means we
1389 called map_username() unnecessarily in make_user_info_map() but
1390 that is how the current code is designed. Making the change here
1391 is the least disruptive place. -- jerry */
1392
1393 /* this call will try to create the user if necessary */
1394
1395 nt_status = check_account(mem_ctx, nt_domain, sent_nt_username,
1396 &found_username, &pwd,
1397 &username_was_mapped);
1398
1399 if (!NT_STATUS_IS_OK(nt_status)) {
1400 return nt_status;
1401 }
1402
1403 result = make_server_info(NULL);
1404 if (result == NULL) {
1405 DEBUG(4, ("make_server_info failed!\n"));
1406 return NT_STATUS_NO_MEMORY;
1407 }
1408
1409 result->unix_name = talloc_strdup(result, found_username);
1410
1411 /* copy in the info3 */
1412 result->info3 = i3 = copy_netr_SamInfo3(result, info3);
1413 if (result->info3 == NULL) {
1414 TALLOC_FREE(result);
1415 return NT_STATUS_NO_MEMORY;
1416 }
1417
1418 /* Fill in the unix info we found on the way */
1419 result->utok.uid = pwd->pw_uid;
1420 result->utok.gid = pwd->pw_gid;
1421
1422 /* We can't just trust that the primary group sid sent us is something
1423 * we can really use. Obtain the usable sid, and store the original
1424 * one as an additional group if it had to be replaced */
1425 nt_status = get_primary_group_sid(mem_ctx, found_username,
1426 &pwd, &group_sid);
1427 if (!NT_STATUS_IS_OK(nt_status)) {
1428 TALLOC_FREE(result);
1429 return nt_status;
1430 }
1431
1432 /* store and check if it is the same we got originally */
1433 sid_peek_rid(group_sid, &i3->base.primary_gid);
1434 if (i3->base.primary_gid != info3->base.primary_gid) {
1435 uint32_t n = i3->base.groups.count;
1436 /* not the same, store the original as an additional group */
1437 i3->base.groups.rids =
1438 talloc_realloc(i3, i3->base.groups.rids,
1439 struct samr_RidWithAttribute, n + 1);
1440 if (i3->base.groups.rids == NULL) {
1441 TALLOC_FREE(result);
1442 return NT_STATUS_NO_MEMORY;
1443 }
1444 i3->base.groups.rids[n].rid = info3->base.primary_gid;
1445 i3->base.groups.rids[n].attributes = SE_GROUP_ENABLED;
1446 i3->base.groups.count = n + 1;
1447 }
1448
1449 /* ensure we are never given NULL session keys */
1450
1451 if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) {
1452 result->session_key = data_blob_null;
1453 } else {
1454 result->session_key = data_blob_talloc(
1455 result, info3->base.key.key,
1456 sizeof(info3->base.key.key));
1457 }
1458
1459 if (memcmp(info3->base.LMSessKey.key, zeros, 8) == 0) {
1460 result->lm_session_key = data_blob_null;
1461 } else {
1462 result->lm_session_key = data_blob_talloc(
1463 result, info3->base.LMSessKey.key,
1464 sizeof(info3->base.LMSessKey.key));
1465 }
1466
1467 result->nss_token |= username_was_mapped;
1468
1469 result->guest = (info3->base.user_flags & NETLOGON_GUEST);
1470
1471 *server_info = result;
1472
1473 return NT_STATUS_OK;
1474 }
1475
1476 /*****************************************************************************
1477 Make a server_info struct from the wbcAuthUserInfo returned by a domain logon
1478 ******************************************************************************/
1479
1480 NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
1481 const char *sent_nt_username,
1482 const char *domain,
1483 const struct wbcAuthUserInfo *info,
1484 struct auth_serversupplied_info **server_info)
1485 {
1486 struct netr_SamInfo3 *info3;
1487
1488 info3 = wbcAuthUserInfo_to_netr_SamInfo3(mem_ctx, info);
1489 if (!info3) {
1490 return NT_STATUS_NO_MEMORY;
1491 }
1492
1493 return make_server_info_info3(mem_ctx,
1494 sent_nt_username, domain,
1495 server_info, info3);
1496 }
1497
1498 /**
1499 * Verify whether or not given domain is trusted.
1500 *
1501 * @param domain_name name of the domain to be verified
1502 * @return true if domain is one of the trusted ones or
1503 * false if otherwise
1504 **/
1505
1506 bool is_trusted_domain(const char* dom_name)
1507 {
1508 struct dom_sid trustdom_sid;
1509 bool ret;
1510
1511 /* no trusted domains for a standalone server */
1512
1513 if ( lp_server_role() == ROLE_STANDALONE )
1514 return false;
1515
1516 if (dom_name == NULL || dom_name[0] == '\0') {
1517 return false;
1518 }
1519
1520 if (strequal(dom_name, get_global_sam_name())) {
1521 return false;
1522 }
1523
1524 /* if we are a DC, then check for a direct trust relationships */
1525
1526 if ( IS_DC ) {
1527 become_root();
1528 DEBUG (5,("is_trusted_domain: Checking for domain trust with "
1529 "[%s]\n", dom_name ));
1530 ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
1531 unbecome_root();
1532 if (ret)
1533 return true;
1534 }
1535 else {
1536 wbcErr result;
1537
1538 /* If winbind is around, ask it */
1539
1540 result = wb_is_trusted_domain(dom_name);
1541
1542 if (result == WBC_ERR_SUCCESS) {
1543 return true;
1544 }
1545
1546 if (result == WBC_ERR_DOMAIN_NOT_FOUND) {
1547 /* winbind could not find the domain */
1548 return false;
1549 }
1550
1551 /* The only other possible result is that winbind is not up
1552 and running. We need to update the trustdom_cache
1553 ourselves */
1554
1555 update_trustdom_cache();
1556 }
1557
1558 /* now the trustdom cache should be available a DC could still
1559 * have a transitive trust so fall back to the cache of trusted
1560 * domains (like a domain member would use */
1561
1562 if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) {
1563 return true;
1564 }
1565
1566 return false;
1567 }
1568
1569
1570
1571 /*
1572 on a logon error possibly map the error to success if "map to guest"
1573 is set approriately
1574 */
1575 NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
1576 struct auth_serversupplied_info **server_info,
1577 const char *user, const char *domain)
1578 {
1579 user = user ? user : "";
1580 domain = domain ? domain : "";
1581
1582 if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
1583 if ((lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) ||
1584 (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) {
1585 DEBUG(3,("No such user %s [%s] - using guest account\n",
1586 user, domain));
1587 return make_server_info_guest(NULL, server_info);
1588 }
1589 } else if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
1590 if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) {
1591 DEBUG(3,("Registered username %s for guest access\n",
1592 user));
1593 return make_server_info_guest(NULL, server_info);
1594 }
1595 }
1596
1597 return status;
1598 }
reg import