2 Unix SMB/CIFS implementation.
4 Winbind daemon - pam auth funcions
6 Copyright (C) Andrew Tridgell 2000
7 Copyright (C) Tim Potter 2001
8 Copyright (C) Andrew Bartlett 2001-2002
9 Copyright (C) Guenther Deschner 2005
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include "../libcli/auth/libcli_auth.h"
28 #include "../librpc/gen_ndr/ndr_samr_c.h"
29 #include "rpc_client/cli_pipe.h"
30 #include "rpc_client/cli_samr.h"
31 #include "../librpc/gen_ndr/ndr_netlogon.h"
32 #include "rpc_client/cli_netlogon.h"
34 #include "../lib/crypto/arcfour.h"
35 #include "../libcli/security/security.h"
37 #include "../librpc/gen_ndr/krb5pac.h"
38 #include "passdb/machine_sid.h"
40 #include "../lib/tsocket/tsocket.h"
41 #include "auth/kerberos/pac_utils.h"
42 #include "auth/gensec/gensec.h"
43 #include "librpc/crypto/gse_krb5.h"
46 #define DBGC_CLASS DBGC_WINBIND
48 #define LOGON_KRB5_FAIL_CLOCK_SKEW 0x02000000
50 static NTSTATUS
append_info3_as_txt(TALLOC_CTX
*mem_ctx
,
51 struct winbindd_response
*resp
,
52 struct netr_SamInfo3
*info3
)
57 resp
->data
.auth
.info3
.logon_time
=
58 nt_time_to_unix(info3
->base
.logon_time
);
59 resp
->data
.auth
.info3
.logoff_time
=
60 nt_time_to_unix(info3
->base
.logoff_time
);
61 resp
->data
.auth
.info3
.kickoff_time
=
62 nt_time_to_unix(info3
->base
.kickoff_time
);
63 resp
->data
.auth
.info3
.pass_last_set_time
=
64 nt_time_to_unix(info3
->base
.last_password_change
);
65 resp
->data
.auth
.info3
.pass_can_change_time
=
66 nt_time_to_unix(info3
->base
.allow_password_change
);
67 resp
->data
.auth
.info3
.pass_must_change_time
=
68 nt_time_to_unix(info3
->base
.force_password_change
);
70 resp
->data
.auth
.info3
.logon_count
= info3
->base
.logon_count
;
71 resp
->data
.auth
.info3
.bad_pw_count
= info3
->base
.bad_password_count
;
73 resp
->data
.auth
.info3
.user_rid
= info3
->base
.rid
;
74 resp
->data
.auth
.info3
.group_rid
= info3
->base
.primary_gid
;
75 sid_to_fstring(resp
->data
.auth
.info3
.dom_sid
, info3
->base
.domain_sid
);
77 resp
->data
.auth
.info3
.num_groups
= info3
->base
.groups
.count
;
78 resp
->data
.auth
.info3
.user_flgs
= info3
->base
.user_flags
;
80 resp
->data
.auth
.info3
.acct_flags
= info3
->base
.acct_flags
;
81 resp
->data
.auth
.info3
.num_other_sids
= info3
->sidcount
;
83 fstrcpy(resp
->data
.auth
.info3
.user_name
,
84 info3
->base
.account_name
.string
);
85 fstrcpy(resp
->data
.auth
.info3
.full_name
,
86 info3
->base
.full_name
.string
);
87 fstrcpy(resp
->data
.auth
.info3
.logon_script
,
88 info3
->base
.logon_script
.string
);
89 fstrcpy(resp
->data
.auth
.info3
.profile_path
,
90 info3
->base
.profile_path
.string
);
91 fstrcpy(resp
->data
.auth
.info3
.home_dir
,
92 info3
->base
.home_directory
.string
);
93 fstrcpy(resp
->data
.auth
.info3
.dir_drive
,
94 info3
->base
.home_drive
.string
);
96 fstrcpy(resp
->data
.auth
.info3
.logon_srv
,
97 info3
->base
.logon_server
.string
);
98 fstrcpy(resp
->data
.auth
.info3
.logon_dom
,
99 info3
->base
.logon_domain
.string
);
101 ex
= talloc_strdup(mem_ctx
, "");
102 NT_STATUS_HAVE_NO_MEMORY(ex
);
104 for (i
=0; i
< info3
->base
.groups
.count
; i
++) {
105 ex
= talloc_asprintf_append_buffer(ex
, "0x%08X:0x%08X\n",
106 info3
->base
.groups
.rids
[i
].rid
,
107 info3
->base
.groups
.rids
[i
].attributes
);
108 NT_STATUS_HAVE_NO_MEMORY(ex
);
111 for (i
=0; i
< info3
->sidcount
; i
++) {
114 sid
= dom_sid_string(mem_ctx
, info3
->sids
[i
].sid
);
115 NT_STATUS_HAVE_NO_MEMORY(sid
);
117 ex
= talloc_asprintf_append_buffer(ex
, "%s:0x%08X\n",
119 info3
->sids
[i
].attributes
);
120 NT_STATUS_HAVE_NO_MEMORY(ex
);
125 resp
->extra_data
.data
= ex
;
126 resp
->length
+= talloc_get_size(ex
);
131 static NTSTATUS
append_info3_as_ndr(TALLOC_CTX
*mem_ctx
,
132 struct winbindd_response
*resp
,
133 struct netr_SamInfo3
*info3
)
136 enum ndr_err_code ndr_err
;
138 ndr_err
= ndr_push_struct_blob(&blob
, mem_ctx
, info3
,
139 (ndr_push_flags_fn_t
)ndr_push_netr_SamInfo3
);
140 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
141 DEBUG(0,("append_info3_as_ndr: failed to append\n"));
142 return ndr_map_error2ntstatus(ndr_err
);
145 resp
->extra_data
.data
= blob
.data
;
146 resp
->length
+= blob
.length
;
151 static NTSTATUS
append_unix_username(TALLOC_CTX
*mem_ctx
,
152 struct winbindd_response
*resp
,
153 const struct netr_SamInfo3
*info3
,
154 const char *name_domain
,
155 const char *name_user
)
157 /* We've been asked to return the unix username, per
158 'winbind use default domain' settings and the like */
160 const char *nt_username
, *nt_domain
;
162 nt_domain
= talloc_strdup(mem_ctx
, info3
->base
.logon_domain
.string
);
164 /* If the server didn't give us one, just use the one
166 nt_domain
= name_domain
;
169 nt_username
= talloc_strdup(mem_ctx
, info3
->base
.account_name
.string
);
171 /* If the server didn't give us one, just use the one
173 nt_username
= name_user
;
176 fill_domain_username(resp
->data
.auth
.unix_username
,
177 nt_domain
, nt_username
, true);
179 DEBUG(5, ("Setting unix username to [%s]\n",
180 resp
->data
.auth
.unix_username
));
185 static NTSTATUS
append_afs_token(TALLOC_CTX
*mem_ctx
,
186 struct winbindd_response
*resp
,
187 const struct netr_SamInfo3
*info3
,
188 const char *name_domain
,
189 const char *name_user
)
191 char *afsname
= NULL
;
195 afsname
= talloc_strdup(mem_ctx
, lp_afs_username_map());
196 if (afsname
== NULL
) {
197 return NT_STATUS_NO_MEMORY
;
200 afsname
= talloc_string_sub(mem_ctx
,
201 lp_afs_username_map(),
203 afsname
= talloc_string_sub(mem_ctx
, afsname
,
205 afsname
= talloc_string_sub(mem_ctx
, afsname
,
209 struct dom_sid user_sid
;
212 sid_compose(&user_sid
, info3
->base
.domain_sid
,
214 sid_to_fstring(sidstr
, &user_sid
);
215 afsname
= talloc_string_sub(mem_ctx
, afsname
,
219 if (afsname
== NULL
) {
220 return NT_STATUS_NO_MEMORY
;
223 if (!strlower_m(afsname
)) {
224 return NT_STATUS_INVALID_PARAMETER
;
227 DEBUG(10, ("Generating token for user %s\n", afsname
));
229 cell
= strchr(afsname
, '@');
232 return NT_STATUS_NO_MEMORY
;
238 token
= afs_createtoken_str(afsname
, cell
);
242 resp
->extra_data
.data
= talloc_strdup(mem_ctx
, token
);
243 if (resp
->extra_data
.data
== NULL
) {
244 return NT_STATUS_NO_MEMORY
;
246 resp
->length
+= strlen((const char *)resp
->extra_data
.data
)+1;
251 static NTSTATUS
check_info3_in_group(struct netr_SamInfo3
*info3
,
252 const char *group_sid
)
254 * Check whether a user belongs to a group or list of groups.
256 * @param mem_ctx talloc memory context.
257 * @param info3 user information, including group membership info.
258 * @param group_sid One or more groups , separated by commas.
260 * @return NT_STATUS_OK on success,
261 * NT_STATUS_LOGON_FAILURE if the user does not belong,
262 * or other NT_STATUS_IS_ERR(status) for other kinds of failure.
265 struct dom_sid
*require_membership_of_sid
;
266 uint32_t num_require_membership_of_sid
;
271 struct security_token
*token
;
272 TALLOC_CTX
*frame
= talloc_stackframe();
275 /* Parse the 'required group' SID */
277 if (!group_sid
|| !group_sid
[0]) {
278 /* NO sid supplied, all users may access */
283 token
= talloc_zero(talloc_tos(), struct security_token
);
285 DEBUG(0, ("talloc failed\n"));
287 return NT_STATUS_NO_MEMORY
;
290 num_require_membership_of_sid
= 0;
291 require_membership_of_sid
= NULL
;
295 while (next_token_talloc(talloc_tos(), &p
, &req_sid
, ",")) {
296 if (!string_to_sid(&sid
, req_sid
)) {
297 DEBUG(0, ("check_info3_in_group: could not parse %s "
298 "as a SID!", req_sid
));
300 return NT_STATUS_INVALID_PARAMETER
;
303 status
= add_sid_to_array(talloc_tos(), &sid
,
304 &require_membership_of_sid
,
305 &num_require_membership_of_sid
);
306 if (!NT_STATUS_IS_OK(status
)) {
307 DEBUG(0, ("add_sid_to_array failed\n"));
313 status
= sid_array_from_info3(talloc_tos(), info3
,
317 if (!NT_STATUS_IS_OK(status
)) {
322 if (!NT_STATUS_IS_OK(status
= add_aliases(get_global_sam_sid(),
324 || !NT_STATUS_IS_OK(status
= add_aliases(&global_sid_Builtin
,
326 DEBUG(3, ("could not add aliases: %s\n",
332 security_token_debug(DBGC_CLASS
, 10, token
);
334 for (i
=0; i
<num_require_membership_of_sid
; i
++) {
335 DEBUG(10, ("Checking SID %s\n", sid_string_dbg(
336 &require_membership_of_sid
[i
])));
337 if (nt_token_check_sid(&require_membership_of_sid
[i
],
339 DEBUG(10, ("Access ok\n"));
345 /* Do not distinguish this error from a wrong username/pw */
348 return NT_STATUS_LOGON_FAILURE
;
351 struct winbindd_domain
*find_auth_domain(uint8_t flags
,
352 const char *domain_name
)
354 struct winbindd_domain
*domain
;
357 domain
= find_domain_from_name_noinit(domain_name
);
358 if (domain
== NULL
) {
359 DEBUG(3, ("Authentication for domain [%s] refused "
360 "as it is not a trusted domain\n",
366 if (strequal(domain_name
, get_global_sam_name())) {
367 return find_domain_from_name_noinit(domain_name
);
370 /* we can auth against trusted domains */
371 if (flags
& WBFLAG_PAM_CONTACT_TRUSTDOM
) {
372 domain
= find_domain_from_name_noinit(domain_name
);
373 if (domain
== NULL
) {
374 DEBUG(3, ("Authentication for domain [%s] skipped "
375 "as it is not a trusted domain\n",
382 return find_our_domain();
385 static void fill_in_password_policy(struct winbindd_response
*r
,
386 const struct samr_DomInfo1
*p
)
388 r
->data
.auth
.policy
.min_length_password
=
389 p
->min_password_length
;
390 r
->data
.auth
.policy
.password_history
=
391 p
->password_history_length
;
392 r
->data
.auth
.policy
.password_properties
=
393 p
->password_properties
;
394 r
->data
.auth
.policy
.expire
=
395 nt_time_to_unix_abs((const NTTIME
*)&(p
->max_password_age
));
396 r
->data
.auth
.policy
.min_passwordage
=
397 nt_time_to_unix_abs((const NTTIME
*)&(p
->min_password_age
));
400 static NTSTATUS
fillup_password_policy(struct winbindd_domain
*domain
,
401 struct winbindd_response
*response
)
403 TALLOC_CTX
*frame
= talloc_stackframe();
404 struct winbindd_methods
*methods
;
406 struct samr_DomInfo1 password_policy
;
408 if ( !winbindd_can_contact_domain( domain
) ) {
409 DEBUG(5,("fillup_password_policy: No inbound trust to "
410 "contact domain %s\n", domain
->name
));
411 status
= NT_STATUS_NOT_SUPPORTED
;
415 methods
= domain
->methods
;
417 status
= methods
->password_policy(domain
, talloc_tos(), &password_policy
);
418 if (NT_STATUS_IS_ERR(status
)) {
422 fill_in_password_policy(response
, &password_policy
);
429 static NTSTATUS
get_max_bad_attempts_from_lockout_policy(struct winbindd_domain
*domain
,
431 uint16
*lockout_threshold
)
433 struct winbindd_methods
*methods
;
434 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
435 struct samr_DomInfo12 lockout_policy
;
437 *lockout_threshold
= 0;
439 methods
= domain
->methods
;
441 status
= methods
->lockout_policy(domain
, mem_ctx
, &lockout_policy
);
442 if (NT_STATUS_IS_ERR(status
)) {
446 *lockout_threshold
= lockout_policy
.lockout_threshold
;
451 static NTSTATUS
get_pwd_properties(struct winbindd_domain
*domain
,
453 uint32
*password_properties
)
455 struct winbindd_methods
*methods
;
456 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
457 struct samr_DomInfo1 password_policy
;
459 *password_properties
= 0;
461 methods
= domain
->methods
;
463 status
= methods
->password_policy(domain
, mem_ctx
, &password_policy
);
464 if (NT_STATUS_IS_ERR(status
)) {
468 *password_properties
= password_policy
.password_properties
;
475 static const char *generate_krb5_ccache(TALLOC_CTX
*mem_ctx
,
478 const char **user_ccache_file
)
480 /* accept FILE and WRFILE as krb5_cc_type from the client and then
481 * build the full ccname string based on the user's uid here -
484 const char *gen_cc
= NULL
;
487 if (strequal(type
, "FILE")) {
488 gen_cc
= talloc_asprintf(
489 mem_ctx
, "FILE:/tmp/krb5cc_%d", uid
);
491 if (strequal(type
, "WRFILE")) {
492 gen_cc
= talloc_asprintf(
493 mem_ctx
, "WRFILE:/tmp/krb5cc_%d", uid
);
497 *user_ccache_file
= gen_cc
;
499 if (gen_cc
== NULL
) {
500 gen_cc
= talloc_strdup(mem_ctx
, "MEMORY:winbindd_pam_ccache");
502 if (gen_cc
== NULL
) {
503 DEBUG(0,("out of memory\n"));
507 DEBUG(10, ("using ccache: %s%s\n", gen_cc
,
508 (*user_ccache_file
== NULL
) ? " (internal)":""));
515 uid_t
get_uid_from_request(struct winbindd_request
*request
)
519 uid
= request
->data
.auth
.uid
;
522 DEBUG(1,("invalid uid: '%u'\n", (unsigned int)uid
));
528 /**********************************************************************
529 Authenticate a user with a clear text password using Kerberos and fill up
531 **********************************************************************/
533 static NTSTATUS
winbindd_raw_kerberos_login(TALLOC_CTX
*mem_ctx
,
534 struct winbindd_domain
*domain
,
537 const char *krb5_cc_type
,
539 struct netr_SamInfo3
**info3
,
543 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
544 krb5_error_code krb5_ret
;
545 const char *cc
= NULL
;
546 const char *principal_s
= NULL
;
547 const char *service
= NULL
;
549 fstring name_domain
, name_user
;
550 time_t ticket_lifetime
= 0;
551 time_t renewal_until
= 0;
553 time_t time_offset
= 0;
554 const char *user_ccache_file
;
555 struct PAC_LOGON_INFO
*logon_info
= NULL
;
560 * prepare a krb5_cc_cache string for the user */
563 DEBUG(0,("no valid uid\n"));
566 cc
= generate_krb5_ccache(mem_ctx
,
571 return NT_STATUS_NO_MEMORY
;
576 * get kerberos properties */
578 if (domain
->private_data
) {
579 ads
= (ADS_STRUCT
*)domain
->private_data
;
580 time_offset
= ads
->auth
.time_offset
;
585 * do kerberos auth and setup ccache as the user */
587 parse_domain_user(user
, name_domain
, name_user
);
589 realm
= domain
->alt_name
;
590 if (!strupper_m(realm
)) {
591 return NT_STATUS_INVALID_PARAMETER
;
594 principal_s
= talloc_asprintf(mem_ctx
, "%s@%s", name_user
, realm
);
595 if (principal_s
== NULL
) {
596 return NT_STATUS_NO_MEMORY
;
599 service
= talloc_asprintf(mem_ctx
, "%s/%s@%s", KRB5_TGS_NAME
, realm
, realm
);
600 if (service
== NULL
) {
601 return NT_STATUS_NO_MEMORY
;
604 /* if this is a user ccache, we need to act as the user to let the krb5
605 * library handle the chown, etc. */
607 /************************ ENTERING NON-ROOT **********************/
609 if (user_ccache_file
!= NULL
) {
610 set_effective_uid(uid
);
611 DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid
));
614 result
= kerberos_return_pac(mem_ctx
,
623 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME
,
626 if (user_ccache_file
!= NULL
) {
627 gain_root_privilege();
630 /************************ RETURNED TO ROOT **********************/
632 if (!NT_STATUS_IS_OK(result
)) {
636 *info3
= &logon_info
->info3
;
638 DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
641 /* if we had a user's ccache then return that string for the pam
644 if (user_ccache_file
!= NULL
) {
646 fstrcpy(krb5ccname
, user_ccache_file
);
648 result
= add_ccache_to_list(principal_s
,
660 if (!NT_STATUS_IS_OK(result
)) {
661 DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
666 /* need to delete the memory cred cache, it is not used anymore */
668 krb5_ret
= ads_kdestroy(cc
);
670 DEBUG(3,("winbindd_raw_kerberos_login: "
671 "could not destroy krb5 credential cache: "
672 "%s\n", error_message(krb5_ret
)));
681 /* we could have created a new credential cache with a valid tgt in it
682 * but we werent able to get or verify the service ticket for this
683 * local host and therefor didn't get the PAC, we need to remove that
684 * cache entirely now */
686 krb5_ret
= ads_kdestroy(cc
);
688 DEBUG(3,("winbindd_raw_kerberos_login: "
689 "could not destroy krb5 credential cache: "
690 "%s\n", error_message(krb5_ret
)));
693 if (!NT_STATUS_IS_OK(remove_ccache(user
))) {
694 DEBUG(3,("winbindd_raw_kerberos_login: "
695 "could not remove ccache for user %s\n",
701 return NT_STATUS_NOT_SUPPORTED
;
702 #endif /* HAVE_KRB5 */
705 /****************************************************************
706 ****************************************************************/
708 bool check_request_flags(uint32_t flags
)
710 uint32_t flags_edata
= WBFLAG_PAM_AFS_TOKEN
|
711 WBFLAG_PAM_INFO3_TEXT
|
712 WBFLAG_PAM_INFO3_NDR
;
714 if ( ( (flags
& flags_edata
) == WBFLAG_PAM_AFS_TOKEN
) ||
715 ( (flags
& flags_edata
) == WBFLAG_PAM_INFO3_NDR
) ||
716 ( (flags
& flags_edata
) == WBFLAG_PAM_INFO3_TEXT
)||
717 !(flags
& flags_edata
) ) {
721 DEBUG(1, ("check_request_flags: invalid request flags[0x%08X]\n",
727 /****************************************************************
728 ****************************************************************/
730 NTSTATUS
append_auth_data(TALLOC_CTX
*mem_ctx
,
731 struct winbindd_response
*resp
,
732 uint32_t request_flags
,
733 struct netr_SamInfo3
*info3
,
734 const char *name_domain
,
735 const char *name_user
)
739 if (request_flags
& WBFLAG_PAM_USER_SESSION_KEY
) {
740 memcpy(resp
->data
.auth
.user_session_key
,
742 sizeof(resp
->data
.auth
.user_session_key
)
746 if (request_flags
& WBFLAG_PAM_LMKEY
) {
747 memcpy(resp
->data
.auth
.first_8_lm_hash
,
748 info3
->base
.LMSessKey
.key
,
749 sizeof(resp
->data
.auth
.first_8_lm_hash
)
753 if (request_flags
& WBFLAG_PAM_UNIX_NAME
) {
754 result
= append_unix_username(mem_ctx
, resp
,
755 info3
, name_domain
, name_user
);
756 if (!NT_STATUS_IS_OK(result
)) {
757 DEBUG(10,("Failed to append Unix Username: %s\n",
763 /* currently, anything from here on potentially overwrites extra_data. */
765 if (request_flags
& WBFLAG_PAM_INFO3_NDR
) {
766 result
= append_info3_as_ndr(mem_ctx
, resp
, info3
);
767 if (!NT_STATUS_IS_OK(result
)) {
768 DEBUG(10,("Failed to append INFO3 (NDR): %s\n",
774 if (request_flags
& WBFLAG_PAM_INFO3_TEXT
) {
775 result
= append_info3_as_txt(mem_ctx
, resp
, info3
);
776 if (!NT_STATUS_IS_OK(result
)) {
777 DEBUG(10,("Failed to append INFO3 (TXT): %s\n",
783 if (request_flags
& WBFLAG_PAM_AFS_TOKEN
) {
784 result
= append_afs_token(mem_ctx
, resp
,
785 info3
, name_domain
, name_user
);
786 if (!NT_STATUS_IS_OK(result
)) {
787 DEBUG(10,("Failed to append AFS token: %s\n",
796 static NTSTATUS
winbindd_dual_pam_auth_cached(struct winbindd_domain
*domain
,
797 struct winbindd_cli_state
*state
,
798 struct netr_SamInfo3
**info3
)
800 NTSTATUS result
= NT_STATUS_LOGON_FAILURE
;
801 uint16 max_allowed_bad_attempts
;
802 fstring name_domain
, name_user
;
804 enum lsa_SidType type
;
805 uchar new_nt_pass
[NT_HASH_LEN
];
806 const uint8
*cached_nt_pass
;
807 const uint8
*cached_salt
;
808 struct netr_SamInfo3
*my_info3
;
809 time_t kickoff_time
, must_change_time
;
810 bool password_good
= false;
812 struct winbindd_tdc_domain
*tdc_domain
= NULL
;
819 DEBUG(10,("winbindd_dual_pam_auth_cached\n"));
821 /* Parse domain and username */
823 parse_domain_user(state
->request
->data
.auth
.user
, name_domain
, name_user
);
826 if (!lookup_cached_name(name_domain
,
830 DEBUG(10,("winbindd_dual_pam_auth_cached: no such user in the cache\n"));
831 return NT_STATUS_NO_SUCH_USER
;
834 if (type
!= SID_NAME_USER
) {
835 DEBUG(10,("winbindd_dual_pam_auth_cached: not a user (%s)\n", sid_type_lookup(type
)));
836 return NT_STATUS_LOGON_FAILURE
;
839 result
= winbindd_get_creds(domain
,
845 if (!NT_STATUS_IS_OK(result
)) {
846 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get creds: %s\n", nt_errstr(result
)));
852 E_md4hash(state
->request
->data
.auth
.pass
, new_nt_pass
);
854 dump_data_pw("new_nt_pass", new_nt_pass
, NT_HASH_LEN
);
855 dump_data_pw("cached_nt_pass", cached_nt_pass
, NT_HASH_LEN
);
857 dump_data_pw("cached_salt", cached_salt
, NT_HASH_LEN
);
861 /* In this case we didn't store the nt_hash itself,
862 but the MD5 combination of salt + nt_hash. */
863 uchar salted_hash
[NT_HASH_LEN
];
864 E_md5hash(cached_salt
, new_nt_pass
, salted_hash
);
866 password_good
= (memcmp(cached_nt_pass
, salted_hash
,
869 /* Old cached cred - direct store of nt_hash (bad bad bad !). */
870 password_good
= (memcmp(cached_nt_pass
, new_nt_pass
,
876 /* User *DOES* know the password, update logon_time and reset
879 my_info3
->base
.user_flags
|= NETLOGON_CACHED_ACCOUNT
;
881 if (my_info3
->base
.acct_flags
& ACB_AUTOLOCK
) {
882 return NT_STATUS_ACCOUNT_LOCKED_OUT
;
885 if (my_info3
->base
.acct_flags
& ACB_DISABLED
) {
886 return NT_STATUS_ACCOUNT_DISABLED
;
889 if (my_info3
->base
.acct_flags
& ACB_WSTRUST
) {
890 return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
;
893 if (my_info3
->base
.acct_flags
& ACB_SVRTRUST
) {
894 return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT
;
897 if (my_info3
->base
.acct_flags
& ACB_DOMTRUST
) {
898 return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
;
901 if (!(my_info3
->base
.acct_flags
& ACB_NORMAL
)) {
902 DEBUG(0,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
903 my_info3
->base
.acct_flags
));
904 return NT_STATUS_LOGON_FAILURE
;
907 kickoff_time
= nt_time_to_unix(my_info3
->base
.kickoff_time
);
908 if (kickoff_time
!= 0 && time(NULL
) > kickoff_time
) {
909 return NT_STATUS_ACCOUNT_EXPIRED
;
912 must_change_time
= nt_time_to_unix(my_info3
->base
.force_password_change
);
913 if (must_change_time
!= 0 && must_change_time
< time(NULL
)) {
914 /* we allow grace logons when the password has expired */
915 my_info3
->base
.user_flags
|= NETLOGON_GRACE_LOGON
;
916 /* return NT_STATUS_PASSWORD_EXPIRED; */
921 if ((state
->request
->flags
& WBFLAG_PAM_KRB5
) &&
922 ((tdc_domain
= wcache_tdc_fetch_domain(state
->mem_ctx
, name_domain
)) != NULL
) &&
923 ((tdc_domain
->trust_type
& NETR_TRUST_TYPE_UPLEVEL
) ||
924 /* used to cope with the case winbindd starting without network. */
925 !strequal(tdc_domain
->domain_name
, tdc_domain
->dns_name
))) {
928 const char *cc
= NULL
;
930 const char *principal_s
= NULL
;
931 const char *service
= NULL
;
932 const char *user_ccache_file
;
934 uid
= get_uid_from_request(state
->request
);
936 DEBUG(0,("winbindd_dual_pam_auth_cached: invalid uid\n"));
937 return NT_STATUS_INVALID_PARAMETER
;
940 cc
= generate_krb5_ccache(state
->mem_ctx
,
941 state
->request
->data
.auth
.krb5_cc_type
,
942 state
->request
->data
.auth
.uid
,
945 return NT_STATUS_NO_MEMORY
;
948 realm
= domain
->alt_name
;
949 if (!strupper_m(realm
)) {
950 return NT_STATUS_INVALID_PARAMETER
;
953 principal_s
= talloc_asprintf(state
->mem_ctx
, "%s@%s", name_user
, realm
);
954 if (principal_s
== NULL
) {
955 return NT_STATUS_NO_MEMORY
;
958 service
= talloc_asprintf(state
->mem_ctx
, "%s/%s@%s", KRB5_TGS_NAME
, realm
, realm
);
959 if (service
== NULL
) {
960 return NT_STATUS_NO_MEMORY
;
963 if (user_ccache_file
!= NULL
) {
965 fstrcpy(state
->response
->data
.auth
.krb5ccname
,
968 result
= add_ccache_to_list(principal_s
,
971 state
->request
->data
.auth
.user
,
972 state
->request
->data
.auth
.pass
,
976 time(NULL
) + lp_winbind_cache_time(),
977 time(NULL
) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME
,
980 if (!NT_STATUS_IS_OK(result
)) {
981 DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
982 "to add ccache to list: %s\n",
987 #endif /* HAVE_KRB5 */
989 /* FIXME: we possibly should handle logon hours as well (does xp when
990 * offline?) see auth/auth_sam.c:sam_account_ok for details */
992 unix_to_nt_time(&my_info3
->base
.logon_time
, time(NULL
));
993 my_info3
->base
.bad_password_count
= 0;
995 result
= winbindd_update_creds_by_info3(domain
,
996 state
->request
->data
.auth
.user
,
997 state
->request
->data
.auth
.pass
,
999 if (!NT_STATUS_IS_OK(result
)) {
1000 DEBUG(1,("winbindd_dual_pam_auth_cached: failed to update creds: %s\n",
1001 nt_errstr(result
)));
1005 return NT_STATUS_OK
;
1009 /* User does *NOT* know the correct password, modify info3 accordingly, but only if online */
1010 if (domain
->online
== false) {
1014 /* failure of this is not critical */
1015 result
= get_max_bad_attempts_from_lockout_policy(domain
, state
->mem_ctx
, &max_allowed_bad_attempts
);
1016 if (!NT_STATUS_IS_OK(result
)) {
1017 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get max_allowed_bad_attempts. "
1018 "Won't be able to honour account lockout policies\n"));
1021 /* increase counter */
1022 my_info3
->base
.bad_password_count
++;
1024 if (max_allowed_bad_attempts
== 0) {
1029 if (my_info3
->base
.bad_password_count
>= max_allowed_bad_attempts
) {
1031 uint32 password_properties
;
1033 result
= get_pwd_properties(domain
, state
->mem_ctx
, &password_properties
);
1034 if (!NT_STATUS_IS_OK(result
)) {
1035 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
1038 if ((my_info3
->base
.rid
!= DOMAIN_RID_ADMINISTRATOR
) ||
1039 (password_properties
& DOMAIN_PASSWORD_LOCKOUT_ADMINS
)) {
1040 my_info3
->base
.acct_flags
|= ACB_AUTOLOCK
;
1045 result
= winbindd_update_creds_by_info3(domain
,
1046 state
->request
->data
.auth
.user
,
1050 if (!NT_STATUS_IS_OK(result
)) {
1051 DEBUG(0,("winbindd_dual_pam_auth_cached: failed to update creds %s\n",
1052 nt_errstr(result
)));
1055 return NT_STATUS_LOGON_FAILURE
;
1058 static NTSTATUS
winbindd_dual_pam_auth_kerberos(struct winbindd_domain
*domain
,
1059 struct winbindd_cli_state
*state
,
1060 struct netr_SamInfo3
**info3
)
1062 struct winbindd_domain
*contact_domain
;
1063 fstring name_domain
, name_user
;
1066 DEBUG(10,("winbindd_dual_pam_auth_kerberos\n"));
1068 /* Parse domain and username */
1070 parse_domain_user(state
->request
->data
.auth
.user
, name_domain
, name_user
);
1072 /* what domain should we contact? */
1075 if (!(contact_domain
= find_domain_from_name(name_domain
))) {
1076 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1077 state
->request
->data
.auth
.user
, name_domain
, name_user
, name_domain
));
1078 result
= NT_STATUS_NO_SUCH_USER
;
1083 if (is_myname(name_domain
)) {
1084 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain
));
1085 result
= NT_STATUS_NO_SUCH_USER
;
1089 contact_domain
= find_domain_from_name(name_domain
);
1090 if (contact_domain
== NULL
) {
1091 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1092 state
->request
->data
.auth
.user
, name_domain
, name_user
, name_domain
));
1094 result
= NT_STATUS_NO_SUCH_USER
;
1099 if (contact_domain
->initialized
&&
1100 contact_domain
->active_directory
) {
1104 if (!contact_domain
->initialized
) {
1105 init_dc_connection(contact_domain
);
1108 if (!contact_domain
->active_directory
) {
1109 DEBUG(3,("krb5 auth requested but domain is not Active Directory\n"));
1110 return NT_STATUS_INVALID_LOGON_TYPE
;
1113 result
= winbindd_raw_kerberos_login(
1114 state
->mem_ctx
, contact_domain
,
1115 state
->request
->data
.auth
.user
,
1116 state
->request
->data
.auth
.pass
,
1117 state
->request
->data
.auth
.krb5_cc_type
,
1118 get_uid_from_request(state
->request
),
1119 info3
, state
->response
->data
.auth
.krb5ccname
);
1124 static NTSTATUS
winbindd_dual_auth_passdb(TALLOC_CTX
*mem_ctx
,
1125 uint32_t logon_parameters
,
1126 const char *domain
, const char *user
,
1127 const DATA_BLOB
*challenge
,
1128 const DATA_BLOB
*lm_resp
,
1129 const DATA_BLOB
*nt_resp
,
1130 struct netr_SamInfo3
**pinfo3
)
1132 struct auth_usersupplied_info
*user_info
= NULL
;
1133 struct tsocket_address
*local
;
1137 rc
= tsocket_address_inet_from_strings(mem_ctx
,
1143 return NT_STATUS_NO_MEMORY
;
1145 status
= make_user_info(&user_info
, user
, user
, domain
, domain
,
1146 lp_netbios_name(), local
, lm_resp
, nt_resp
, NULL
, NULL
,
1147 NULL
, AUTH_PASSWORD_RESPONSE
);
1148 if (!NT_STATUS_IS_OK(status
)) {
1149 DEBUG(10, ("make_user_info failed: %s\n", nt_errstr(status
)));
1152 user_info
->logon_parameters
= logon_parameters
;
1154 /* We don't want any more mapping of the username */
1155 user_info
->mapped_state
= True
;
1157 status
= check_sam_security_info3(challenge
, talloc_tos(), user_info
,
1159 free_user_info(&user_info
);
1160 DEBUG(10, ("Authenticaticating user %s\\%s returned %s\n", domain
,
1161 user
, nt_errstr(status
)));
1165 static NTSTATUS
winbind_samlogon_retry_loop(struct winbindd_domain
*domain
,
1166 TALLOC_CTX
*mem_ctx
,
1167 uint32_t logon_parameters
,
1169 const char *username
,
1170 const char *domainname
,
1171 const char *workstation
,
1172 const uint8_t chal
[8],
1173 DATA_BLOB lm_response
,
1174 DATA_BLOB nt_response
,
1175 struct netr_SamInfo3
**info3
)
1182 struct rpc_pipe_client
*netlogon_pipe
;
1183 const struct pipe_auth_data
*auth
;
1184 uint32_t neg_flags
= 0;
1186 ZERO_STRUCTP(info3
);
1189 result
= cm_connect_netlogon(domain
, &netlogon_pipe
);
1191 if (!NT_STATUS_IS_OK(result
)) {
1192 DEBUG(3,("could not open handle to NETLOGON pipe (error: %s)\n",
1193 nt_errstr(result
)));
1194 if (NT_STATUS_EQUAL(result
, NT_STATUS_IO_TIMEOUT
)) {
1196 DEBUG(3, ("This is the second problem for this "
1197 "particular call, forcing the close of "
1198 "this connection\n"));
1199 invalidate_cm_connection(&domain
->conn
);
1201 DEBUG(3, ("First call to cm_connect_netlogon "
1202 "has timed out, retrying\n"));
1208 auth
= netlogon_pipe
->auth
;
1209 if (netlogon_pipe
->dc
) {
1210 neg_flags
= netlogon_pipe
->dc
->negotiate_flags
;
1213 /* It is really important to try SamLogonEx here,
1214 * because in a clustered environment, we want to use
1215 * one machine account from multiple physical
1218 * With a normal SamLogon call, we must keep the
1219 * credentials chain updated and intact between all
1220 * users of the machine account (which would imply
1221 * cross-node communication for every NTLM logon).
1223 * (The credentials chain is not per NETLOGON pipe
1224 * connection, but globally on the server/client pair
1227 * When using SamLogonEx, the credentials are not
1228 * supplied, but the session key is implied by the
1229 * wrapping SamLogon context.
1231 * -- abartlet 21 April 2008
1233 * It's also important to use NetlogonValidationSamInfo4 (6),
1234 * because it relies on the rpc transport encryption
1235 * and avoids using the global netlogon schannel
1236 * session key to en/decrypt secret information
1237 * like the user_session_key for network logons.
1239 * [MS-APDS] 3.1.5.2 NTLM Network Logon
1240 * says NETLOGON_NEG_CROSS_FOREST_TRUSTS and
1241 * NETLOGON_NEG_AUTHENTICATED_RPC set together
1242 * are the indication that the server supports
1243 * NetlogonValidationSamInfo4 (6). And it must only
1244 * be used if "SealSecureChannel" is used.
1246 * -- metze 4 February 2011
1250 domain
->can_do_validation6
= false;
1251 } else if (auth
->auth_type
!= DCERPC_AUTH_TYPE_SCHANNEL
) {
1252 domain
->can_do_validation6
= false;
1253 } else if (auth
->auth_level
!= DCERPC_AUTH_LEVEL_PRIVACY
) {
1254 domain
->can_do_validation6
= false;
1255 } else if (!(neg_flags
& NETLOGON_NEG_CROSS_FOREST_TRUSTS
)) {
1256 domain
->can_do_validation6
= false;
1257 } else if (!(neg_flags
& NETLOGON_NEG_AUTHENTICATED_RPC
)) {
1258 domain
->can_do_validation6
= false;
1261 if (domain
->can_do_samlogon_ex
&& domain
->can_do_validation6
) {
1262 result
= rpccli_netlogon_sam_network_logon_ex(
1266 server
, /* server name */
1267 username
, /* user name */
1268 domainname
, /* target domain */
1269 workstation
, /* workstation */
1276 result
= rpccli_netlogon_sam_network_logon(
1280 server
, /* server name */
1281 username
, /* user name */
1282 domainname
, /* target domain */
1283 workstation
, /* workstation */
1285 domain
->can_do_validation6
? 6 : 3,
1291 if (NT_STATUS_EQUAL(result
, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
)) {
1294 * It's likely that the server also does not support
1295 * validation level 6
1297 domain
->can_do_validation6
= false;
1299 if (domain
->can_do_samlogon_ex
) {
1300 DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
1301 "retrying with NetSamLogon\n"));
1302 domain
->can_do_samlogon_ex
= false;
1308 /* Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
1309 * (no Ex). This happens against old Samba
1310 * DCs. Drop the connection.
1312 invalidate_cm_connection(&domain
->conn
);
1313 result
= NT_STATUS_LOGON_FAILURE
;
1317 if (domain
->can_do_validation6
&&
1318 (NT_STATUS_EQUAL(result
, NT_STATUS_INVALID_INFO_CLASS
) ||
1319 NT_STATUS_EQUAL(result
, NT_STATUS_INVALID_PARAMETER
) ||
1320 NT_STATUS_EQUAL(result
, NT_STATUS_BUFFER_TOO_SMALL
))) {
1321 DEBUG(3,("Got a DC that can not do validation level 6, "
1322 "retrying with level 3\n"));
1323 domain
->can_do_validation6
= false;
1329 * we increment this after the "feature negotiation"
1330 * for can_do_samlogon_ex and can_do_validation6
1334 /* We have to try a second time as cm_connect_netlogon
1335 might not yet have noticed that the DC has killed
1338 if (!rpccli_is_connected(netlogon_pipe
)) {
1343 /* if we get access denied, a possible cause was that we had
1344 and open connection to the DC, but someone changed our
1345 machine account password out from underneath us using 'net
1346 rpc changetrustpw' */
1348 if ( NT_STATUS_EQUAL(result
, NT_STATUS_ACCESS_DENIED
) ) {
1349 DEBUG(3,("winbind_samlogon_retry_loop: sam_logon returned "
1350 "ACCESS_DENIED. Maybe the trust account "
1351 "password was changed and we didn't know it. "
1352 "Killing connections to domain %s\n",
1354 invalidate_cm_connection(&domain
->conn
);
1358 } while ( (attempts
< 2) && retry
);
1360 if (NT_STATUS_EQUAL(result
, NT_STATUS_IO_TIMEOUT
)) {
1361 DEBUG(3,("winbind_samlogon_retry_loop: sam_network_logon(ex) "
1362 "returned NT_STATUS_IO_TIMEOUT after the retry."
1363 "Killing connections to domain %s\n",
1365 invalidate_cm_connection(&domain
->conn
);
1370 static NTSTATUS
winbindd_dual_pam_auth_samlogon(TALLOC_CTX
*mem_ctx
,
1371 struct winbindd_domain
*domain
,
1374 uint32_t request_flags
,
1375 struct netr_SamInfo3
**info3
)
1381 unsigned char local_nt_response
[24];
1382 fstring name_domain
, name_user
;
1384 struct netr_SamInfo3
*my_info3
= NULL
;
1388 DEBUG(10,("winbindd_dual_pam_auth_samlogon\n"));
1390 /* Parse domain and username */
1392 parse_domain_user(user
, name_domain
, name_user
);
1394 /* do password magic */
1396 generate_random_buffer(chal
, sizeof(chal
));
1398 if (lp_client_ntlmv2_auth()) {
1399 DATA_BLOB server_chal
;
1400 DATA_BLOB names_blob
;
1401 server_chal
= data_blob_const(chal
, 8);
1403 /* note that the 'workgroup' here is for the local
1404 machine. The 'server name' must match the
1405 'workstation' passed to the actual SamLogon call.
1407 names_blob
= NTLMv2_generate_names_blob(
1408 mem_ctx
, lp_netbios_name(), lp_workgroup());
1410 if (!SMBNTLMv2encrypt(mem_ctx
, name_user
, name_domain
,
1414 &lm_resp
, &nt_resp
, NULL
, NULL
)) {
1415 data_blob_free(&names_blob
);
1416 DEBUG(0, ("winbindd_pam_auth: SMBNTLMv2encrypt() failed!\n"));
1417 result
= NT_STATUS_NO_MEMORY
;
1420 data_blob_free(&names_blob
);
1422 lm_resp
= data_blob_null
;
1423 SMBNTencrypt(pass
, chal
, local_nt_response
);
1425 nt_resp
= data_blob_talloc(mem_ctx
, local_nt_response
,
1426 sizeof(local_nt_response
));
1429 if (strequal(name_domain
, get_global_sam_name())) {
1430 DATA_BLOB chal_blob
= data_blob_const(chal
, sizeof(chal
));
1432 result
= winbindd_dual_auth_passdb(
1433 mem_ctx
, 0, name_domain
, name_user
,
1434 &chal_blob
, &lm_resp
, &nt_resp
, info3
);
1438 /* check authentication loop */
1440 result
= winbind_samlogon_retry_loop(domain
,
1451 if (!NT_STATUS_IS_OK(result
)) {
1455 /* handle the case where a NT4 DC does not fill in the acct_flags in
1456 * the samlogon reply info3. When accurate info3 is required by the
1457 * caller, we look up the account flags ourselve - gd */
1459 if ((request_flags
& WBFLAG_PAM_INFO3_TEXT
) &&
1460 NT_STATUS_IS_OK(result
) && (my_info3
->base
.acct_flags
== 0)) {
1462 struct rpc_pipe_client
*samr_pipe
;
1463 struct policy_handle samr_domain_handle
, user_pol
;
1464 union samr_UserInfo
*info
= NULL
;
1465 NTSTATUS status_tmp
, result_tmp
;
1467 struct dcerpc_binding_handle
*b
;
1469 status_tmp
= cm_connect_sam(domain
, mem_ctx
,
1470 &samr_pipe
, &samr_domain_handle
);
1472 if (!NT_STATUS_IS_OK(status_tmp
)) {
1473 DEBUG(3, ("could not open handle to SAMR pipe: %s\n",
1474 nt_errstr(status_tmp
)));
1478 b
= samr_pipe
->binding_handle
;
1480 status_tmp
= dcerpc_samr_OpenUser(b
, mem_ctx
,
1481 &samr_domain_handle
,
1482 MAXIMUM_ALLOWED_ACCESS
,
1487 if (!NT_STATUS_IS_OK(status_tmp
)) {
1488 DEBUG(3, ("could not open user handle on SAMR pipe: %s\n",
1489 nt_errstr(status_tmp
)));
1492 if (!NT_STATUS_IS_OK(result_tmp
)) {
1493 DEBUG(3, ("could not open user handle on SAMR pipe: %s\n",
1494 nt_errstr(result_tmp
)));
1498 status_tmp
= dcerpc_samr_QueryUserInfo(b
, mem_ctx
,
1504 if (!NT_STATUS_IS_OK(status_tmp
)) {
1505 DEBUG(3, ("could not query user info on SAMR pipe: %s\n",
1506 nt_errstr(status_tmp
)));
1507 dcerpc_samr_Close(b
, mem_ctx
, &user_pol
, &result_tmp
);
1510 if (!NT_STATUS_IS_OK(result_tmp
)) {
1511 DEBUG(3, ("could not query user info on SAMR pipe: %s\n",
1512 nt_errstr(result_tmp
)));
1513 dcerpc_samr_Close(b
, mem_ctx
, &user_pol
, &result_tmp
);
1517 acct_flags
= info
->info16
.acct_flags
;
1519 if (acct_flags
== 0) {
1520 dcerpc_samr_Close(b
, mem_ctx
, &user_pol
, &result_tmp
);
1524 my_info3
->base
.acct_flags
= acct_flags
;
1526 DEBUG(10,("successfully retrieved acct_flags 0x%x\n", acct_flags
));
1528 dcerpc_samr_Close(b
, mem_ctx
, &user_pol
, &result_tmp
);
1536 enum winbindd_result
winbindd_dual_pam_auth(struct winbindd_domain
*domain
,
1537 struct winbindd_cli_state
*state
)
1539 NTSTATUS result
= NT_STATUS_LOGON_FAILURE
;
1540 NTSTATUS krb5_result
= NT_STATUS_OK
;
1541 fstring name_domain
, name_user
;
1543 fstring domain_user
;
1544 struct netr_SamInfo3
*info3
= NULL
;
1545 NTSTATUS name_map_status
= NT_STATUS_UNSUCCESSFUL
;
1547 /* Ensure null termination */
1548 state
->request
->data
.auth
.user
[sizeof(state
->request
->data
.auth
.user
)-1]='\0';
1550 /* Ensure null termination */
1551 state
->request
->data
.auth
.pass
[sizeof(state
->request
->data
.auth
.pass
)-1]='\0';
1553 DEBUG(3, ("[%5lu]: dual pam auth %s\n", (unsigned long)state
->pid
,
1554 state
->request
->data
.auth
.user
));
1556 /* Parse domain and username */
1558 name_map_status
= normalize_name_unmap(state
->mem_ctx
,
1559 state
->request
->data
.auth
.user
,
1562 /* If the name normalization didnt' actually do anything,
1563 just use the original name */
1565 if (!NT_STATUS_IS_OK(name_map_status
) &&
1566 !NT_STATUS_EQUAL(name_map_status
, NT_STATUS_FILE_RENAMED
))
1568 mapped_user
= state
->request
->data
.auth
.user
;
1571 parse_domain_user(mapped_user
, name_domain
, name_user
);
1573 if ( mapped_user
!= state
->request
->data
.auth
.user
) {
1574 fstr_sprintf( domain_user
, "%s%c%s", name_domain
,
1575 *lp_winbind_separator(),
1577 strlcpy( state
->request
->data
.auth
.user
, domain_user
,
1578 sizeof(state
->request
->data
.auth
.user
));
1581 if (!domain
->online
) {
1582 result
= NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
;
1583 if (domain
->startup
) {
1584 /* Logons are very important to users. If we're offline and
1585 we get a request within the first 30 seconds of startup,
1586 try very hard to find a DC and go online. */
1588 DEBUG(10,("winbindd_dual_pam_auth: domain: %s offline and auth "
1589 "request in startup mode.\n", domain
->name
));
1591 winbindd_flush_negative_conn_cache(domain
);
1592 result
= init_dc_connection(domain
);
1596 DEBUG(10,("winbindd_dual_pam_auth: domain: %s last was %s\n", domain
->name
, domain
->online
? "online":"offline"));
1598 /* Check for Kerberos authentication */
1599 if (domain
->online
&& (state
->request
->flags
& WBFLAG_PAM_KRB5
)) {
1601 result
= winbindd_dual_pam_auth_kerberos(domain
, state
, &info3
);
1602 /* save for later */
1603 krb5_result
= result
;
1606 if (NT_STATUS_IS_OK(result
)) {
1607 DEBUG(10,("winbindd_dual_pam_auth_kerberos succeeded\n"));
1608 goto process_result
;
1610 DEBUG(10,("winbindd_dual_pam_auth_kerberos failed: %s\n", nt_errstr(result
)));
1613 if (NT_STATUS_EQUAL(result
, NT_STATUS_NO_LOGON_SERVERS
) ||
1614 NT_STATUS_EQUAL(result
, NT_STATUS_IO_TIMEOUT
) ||
1615 NT_STATUS_EQUAL(result
, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
)) {
1616 DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
1617 set_domain_offline( domain
);
1621 /* there are quite some NT_STATUS errors where there is no
1622 * point in retrying with a samlogon, we explictly have to take
1623 * care not to increase the bad logon counter on the DC */
1625 if (NT_STATUS_EQUAL(result
, NT_STATUS_ACCOUNT_DISABLED
) ||
1626 NT_STATUS_EQUAL(result
, NT_STATUS_ACCOUNT_EXPIRED
) ||
1627 NT_STATUS_EQUAL(result
, NT_STATUS_ACCOUNT_LOCKED_OUT
) ||
1628 NT_STATUS_EQUAL(result
, NT_STATUS_INVALID_LOGON_HOURS
) ||
1629 NT_STATUS_EQUAL(result
, NT_STATUS_INVALID_WORKSTATION
) ||
1630 NT_STATUS_EQUAL(result
, NT_STATUS_LOGON_FAILURE
) ||
1631 NT_STATUS_EQUAL(result
, NT_STATUS_NO_SUCH_USER
) ||
1632 NT_STATUS_EQUAL(result
, NT_STATUS_PASSWORD_EXPIRED
) ||
1633 NT_STATUS_EQUAL(result
, NT_STATUS_PASSWORD_MUST_CHANGE
) ||
1634 NT_STATUS_EQUAL(result
, NT_STATUS_WRONG_PASSWORD
)) {
1638 if (state
->request
->flags
& WBFLAG_PAM_FALLBACK_AFTER_KRB5
) {
1639 DEBUG(3,("falling back to samlogon\n"));
1647 /* Check for Samlogon authentication */
1648 if (domain
->online
) {
1649 result
= winbindd_dual_pam_auth_samlogon(
1650 state
->mem_ctx
, domain
,
1651 state
->request
->data
.auth
.user
,
1652 state
->request
->data
.auth
.pass
,
1653 state
->request
->flags
,
1656 if (NT_STATUS_IS_OK(result
)) {
1657 DEBUG(10,("winbindd_dual_pam_auth_samlogon succeeded\n"));
1658 /* add the Krb5 err if we have one */
1659 if ( NT_STATUS_EQUAL(krb5_result
, NT_STATUS_TIME_DIFFERENCE_AT_DC
) ) {
1660 info3
->base
.user_flags
|= LOGON_KRB5_FAIL_CLOCK_SKEW
;
1662 goto process_result
;
1665 DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n",
1666 nt_errstr(result
)));
1668 if (NT_STATUS_EQUAL(result
, NT_STATUS_NO_LOGON_SERVERS
) ||
1669 NT_STATUS_EQUAL(result
, NT_STATUS_IO_TIMEOUT
) ||
1670 NT_STATUS_EQUAL(result
, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
))
1672 DEBUG(10,("winbindd_dual_pam_auth_samlogon setting domain to offline\n"));
1673 set_domain_offline( domain
);
1677 if (domain
->online
) {
1678 /* We're still online - fail. */
1684 /* Check for Cached logons */
1685 if (!domain
->online
&& (state
->request
->flags
& WBFLAG_PAM_CACHED_LOGIN
) &&
1686 lp_winbind_offline_logon()) {
1688 result
= winbindd_dual_pam_auth_cached(domain
, state
, &info3
);
1690 if (NT_STATUS_IS_OK(result
)) {
1691 DEBUG(10,("winbindd_dual_pam_auth_cached succeeded\n"));
1692 goto process_result
;
1694 DEBUG(10,("winbindd_dual_pam_auth_cached failed: %s\n", nt_errstr(result
)));
1701 if (NT_STATUS_IS_OK(result
)) {
1703 struct dom_sid user_sid
;
1705 /* In all codepaths where result == NT_STATUS_OK info3 must have
1706 been initialized. */
1708 result
= NT_STATUS_INTERNAL_ERROR
;
1712 sid_compose(&user_sid
, info3
->base
.domain_sid
,
1715 wcache_invalidate_samlogon(find_domain_from_name(name_domain
),
1717 netsamlogon_cache_store(name_user
, info3
);
1719 /* save name_to_sid info as early as possible (only if
1720 this is our primary domain so we don't invalidate
1721 the cache entry by storing the seq_num for the wrong
1723 if ( domain
->primary
) {
1724 cache_name2sid(domain
, name_domain
, name_user
,
1725 SID_NAME_USER
, &user_sid
);
1728 /* Check if the user is in the right group */
1730 result
= check_info3_in_group(
1732 state
->request
->data
.auth
.require_membership_of_sid
);
1733 if (!NT_STATUS_IS_OK(result
)) {
1734 DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
1735 state
->request
->data
.auth
.user
,
1736 state
->request
->data
.auth
.require_membership_of_sid
));
1740 result
= append_auth_data(state
->mem_ctx
, state
->response
,
1741 state
->request
->flags
, info3
,
1742 name_domain
, name_user
);
1743 if (!NT_STATUS_IS_OK(result
)) {
1747 if ((state
->request
->flags
& WBFLAG_PAM_CACHED_LOGIN
)
1748 && lp_winbind_offline_logon()) {
1750 result
= winbindd_store_creds(domain
,
1751 state
->request
->data
.auth
.user
,
1752 state
->request
->data
.auth
.pass
,
1756 if (state
->request
->flags
& WBFLAG_PAM_GET_PWD_POLICY
) {
1757 struct winbindd_domain
*our_domain
= find_our_domain();
1759 /* This is not entirely correct I believe, but it is
1760 consistent. Only apply the password policy settings
1761 too warn users for our own domain. Cannot obtain these
1762 from trusted DCs all the time so don't do it at all.
1765 result
= NT_STATUS_NOT_SUPPORTED
;
1766 if (our_domain
== domain
) {
1767 result
= fillup_password_policy(
1768 our_domain
, state
->response
);
1771 if (!NT_STATUS_IS_OK(result
)
1772 && !NT_STATUS_EQUAL(result
, NT_STATUS_NOT_SUPPORTED
) )
1774 DEBUG(10,("Failed to get password policies for domain %s: %s\n",
1775 domain
->name
, nt_errstr(result
)));
1780 result
= NT_STATUS_OK
;
1784 /* give us a more useful (more correct?) error code */
1785 if ((NT_STATUS_EQUAL(result
, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
) ||
1786 (NT_STATUS_EQUAL(result
, NT_STATUS_UNSUCCESSFUL
)))) {
1787 result
= NT_STATUS_NO_LOGON_SERVERS
;
1790 set_auth_errors(state
->response
, result
);
1792 DEBUG(NT_STATUS_IS_OK(result
) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
1793 state
->request
->data
.auth
.user
,
1794 state
->response
->data
.auth
.nt_status_string
,
1795 state
->response
->data
.auth
.pam_error
));
1797 return NT_STATUS_IS_OK(result
) ? WINBINDD_OK
: WINBINDD_ERROR
;
1800 enum winbindd_result
winbindd_dual_pam_auth_crap(struct winbindd_domain
*domain
,
1801 struct winbindd_cli_state
*state
)
1804 struct netr_SamInfo3
*info3
= NULL
;
1805 const char *name_user
= NULL
;
1806 const char *name_domain
= NULL
;
1807 const char *workstation
;
1809 DATA_BLOB lm_resp
, nt_resp
;
1811 /* This is child-only, so no check for privileged access is needed
1814 /* Ensure null termination */
1815 state
->request
->data
.auth_crap
.user
[sizeof(state
->request
->data
.auth_crap
.user
)-1]=0;
1816 state
->request
->data
.auth_crap
.domain
[sizeof(state
->request
->data
.auth_crap
.domain
)-1]=0;
1818 name_user
= state
->request
->data
.auth_crap
.user
;
1819 name_domain
= state
->request
->data
.auth_crap
.domain
;
1820 workstation
= state
->request
->data
.auth_crap
.workstation
;
1822 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state
->pid
,
1823 name_domain
, name_user
));
1825 if (state
->request
->data
.auth_crap
.lm_resp_len
> sizeof(state
->request
->data
.auth_crap
.lm_resp
)
1826 || state
->request
->data
.auth_crap
.nt_resp_len
> sizeof(state
->request
->data
.auth_crap
.nt_resp
)) {
1827 if (!(state
->request
->flags
& WBFLAG_BIG_NTLMV2_BLOB
) ||
1828 state
->request
->extra_len
!= state
->request
->data
.auth_crap
.nt_resp_len
) {
1829 DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
1830 state
->request
->data
.auth_crap
.lm_resp_len
,
1831 state
->request
->data
.auth_crap
.nt_resp_len
));
1832 result
= NT_STATUS_INVALID_PARAMETER
;
1837 lm_resp
= data_blob_talloc(state
->mem_ctx
, state
->request
->data
.auth_crap
.lm_resp
,
1838 state
->request
->data
.auth_crap
.lm_resp_len
);
1840 if (state
->request
->flags
& WBFLAG_BIG_NTLMV2_BLOB
) {
1841 nt_resp
= data_blob_talloc(state
->mem_ctx
,
1842 state
->request
->extra_data
.data
,
1843 state
->request
->data
.auth_crap
.nt_resp_len
);
1845 nt_resp
= data_blob_talloc(state
->mem_ctx
,
1846 state
->request
->data
.auth_crap
.nt_resp
,
1847 state
->request
->data
.auth_crap
.nt_resp_len
);
1850 if (strequal(name_domain
, get_global_sam_name())) {
1851 DATA_BLOB chal_blob
= data_blob_const(
1852 state
->request
->data
.auth_crap
.chal
,
1853 sizeof(state
->request
->data
.auth_crap
.chal
));
1855 result
= winbindd_dual_auth_passdb(
1857 state
->request
->data
.auth_crap
.logon_parameters
,
1858 name_domain
, name_user
,
1859 &chal_blob
, &lm_resp
, &nt_resp
, &info3
);
1860 goto process_result
;
1863 result
= winbind_samlogon_retry_loop(domain
,
1865 state
->request
->data
.auth_crap
.logon_parameters
,
1869 /* Bug #3248 - found by Stefan Burkei. */
1870 workstation
, /* We carefully set this above so use it... */
1871 state
->request
->data
.auth_crap
.chal
,
1875 if (!NT_STATUS_IS_OK(result
)) {
1881 if (NT_STATUS_IS_OK(result
)) {
1882 struct dom_sid user_sid
;
1884 sid_compose(&user_sid
, info3
->base
.domain_sid
,
1886 wcache_invalidate_samlogon(find_domain_from_name(name_domain
),
1888 netsamlogon_cache_store(name_user
, info3
);
1890 /* Check if the user is in the right group */
1892 result
= check_info3_in_group(
1894 state
->request
->data
.auth_crap
.require_membership_of_sid
);
1895 if (!NT_STATUS_IS_OK(result
)) {
1896 DEBUG(3, ("User %s is not in the required group (%s), so "
1897 "crap authentication is rejected\n",
1898 state
->request
->data
.auth_crap
.user
,
1899 state
->request
->data
.auth_crap
.require_membership_of_sid
));
1903 result
= append_auth_data(state
->mem_ctx
, state
->response
,
1904 state
->request
->flags
, info3
,
1905 name_domain
, name_user
);
1906 if (!NT_STATUS_IS_OK(result
)) {
1913 /* give us a more useful (more correct?) error code */
1914 if ((NT_STATUS_EQUAL(result
, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
) ||
1915 (NT_STATUS_EQUAL(result
, NT_STATUS_UNSUCCESSFUL
)))) {
1916 result
= NT_STATUS_NO_LOGON_SERVERS
;
1919 if (state
->request
->flags
& WBFLAG_PAM_NT_STATUS_SQUASH
) {
1920 result
= nt_status_squash(result
);
1923 set_auth_errors(state
->response
, result
);
1925 DEBUG(NT_STATUS_IS_OK(result
) ? 5 : 2,
1926 ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n",
1929 state
->response
->data
.auth
.nt_status_string
,
1930 state
->response
->data
.auth
.pam_error
));
1932 return NT_STATUS_IS_OK(result
) ? WINBINDD_OK
: WINBINDD_ERROR
;
1935 enum winbindd_result
winbindd_dual_pam_chauthtok(struct winbindd_domain
*contact_domain
,
1936 struct winbindd_cli_state
*state
)
1939 char *newpass
= NULL
;
1940 struct policy_handle dom_pol
;
1941 struct rpc_pipe_client
*cli
= NULL
;
1942 bool got_info
= false;
1943 struct samr_DomInfo1
*info
= NULL
;
1944 struct userPwdChangeFailureInformation
*reject
= NULL
;
1945 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
1946 fstring domain
, user
;
1947 struct dcerpc_binding_handle
*b
= NULL
;
1949 ZERO_STRUCT(dom_pol
);
1951 DEBUG(3, ("[%5lu]: dual pam chauthtok %s\n", (unsigned long)state
->pid
,
1952 state
->request
->data
.auth
.user
));
1954 if (!parse_domain_user(state
->request
->data
.chauthtok
.user
, domain
, user
)) {
1958 /* Change password */
1960 oldpass
= state
->request
->data
.chauthtok
.oldpass
;
1961 newpass
= state
->request
->data
.chauthtok
.newpass
;
1963 /* Initialize reject reason */
1964 state
->response
->data
.auth
.reject_reason
= Undefined
;
1966 /* Get sam handle */
1968 result
= cm_connect_sam(contact_domain
, state
->mem_ctx
, &cli
,
1970 if (!NT_STATUS_IS_OK(result
)) {
1971 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain
));
1975 b
= cli
->binding_handle
;
1977 result
= rpccli_samr_chgpasswd_user3(cli
, state
->mem_ctx
,
1984 /* Windows 2003 returns NT_STATUS_PASSWORD_RESTRICTION */
1986 if (NT_STATUS_EQUAL(result
, NT_STATUS_PASSWORD_RESTRICTION
) ) {
1988 fill_in_password_policy(state
->response
, info
);
1990 state
->response
->data
.auth
.reject_reason
=
1991 reject
->extendedFailureReason
;
1996 /* atm the pidl generated rpccli_samr_ChangePasswordUser3 function will
1997 * return with NT_STATUS_BUFFER_TOO_SMALL for w2k dcs as w2k just
1998 * returns with 4byte error code (NT_STATUS_NOT_SUPPORTED) which is too
1999 * short to comply with the samr_ChangePasswordUser3 idl - gd */
2001 /* only fallback when the chgpasswd_user3 call is not supported */
2002 if (NT_STATUS_EQUAL(result
, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
) ||
2003 NT_STATUS_EQUAL(result
, NT_STATUS_NOT_SUPPORTED
) ||
2004 NT_STATUS_EQUAL(result
, NT_STATUS_BUFFER_TOO_SMALL
) ||
2005 NT_STATUS_EQUAL(result
, NT_STATUS_NOT_IMPLEMENTED
)) {
2007 DEBUG(10,("Password change with chgpasswd_user3 failed with: %s, retrying chgpasswd_user2\n",
2008 nt_errstr(result
)));
2010 result
= rpccli_samr_chgpasswd_user2(cli
, state
->mem_ctx
, user
, newpass
, oldpass
);
2012 /* Windows 2000 returns NT_STATUS_ACCOUNT_RESTRICTION.
2013 Map to the same status code as Windows 2003. */
2015 if ( NT_STATUS_EQUAL(NT_STATUS_ACCOUNT_RESTRICTION
, result
) ) {
2016 result
= NT_STATUS_PASSWORD_RESTRICTION
;
2022 if (NT_STATUS_IS_OK(result
)
2023 && (state
->request
->flags
& WBFLAG_PAM_CACHED_LOGIN
)
2024 && lp_winbind_offline_logon()) {
2025 result
= winbindd_update_creds_by_name(contact_domain
, user
,
2027 /* Again, this happens when we login from gdm or xdm
2028 * and the password expires, *BUT* cached crendentials
2029 * doesn't exist. winbindd_update_creds_by_name()
2030 * returns NT_STATUS_NO_SUCH_USER.
2031 * This is not a failure.
2034 if (NT_STATUS_EQUAL(result
, NT_STATUS_NO_SUCH_USER
)) {
2035 result
= NT_STATUS_OK
;
2038 if (!NT_STATUS_IS_OK(result
)) {
2039 DEBUG(10, ("Failed to store creds: %s\n",
2040 nt_errstr(result
)));
2041 goto process_result
;
2045 if (!NT_STATUS_IS_OK(result
) && !got_info
&& contact_domain
) {
2047 NTSTATUS policy_ret
;
2049 policy_ret
= fillup_password_policy(
2050 contact_domain
, state
->response
);
2052 /* failure of this is non critical, it will just provide no
2053 * additional information to the client why the change has
2054 * failed - Guenther */
2056 if (!NT_STATUS_IS_OK(policy_ret
)) {
2057 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(policy_ret
)));
2058 goto process_result
;
2064 if (strequal(contact_domain
->name
, get_global_sam_name())) {
2065 /* FIXME: internal rpc pipe does not cache handles yet */
2067 if (is_valid_policy_hnd(&dom_pol
)) {
2069 dcerpc_samr_Close(b
, state
->mem_ctx
, &dom_pol
, &_result
);
2075 set_auth_errors(state
->response
, result
);
2077 DEBUG(NT_STATUS_IS_OK(result
) ? 5 : 2,
2078 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2081 state
->response
->data
.auth
.nt_status_string
,
2082 state
->response
->data
.auth
.pam_error
));
2084 return NT_STATUS_IS_OK(result
) ? WINBINDD_OK
: WINBINDD_ERROR
;
2087 enum winbindd_result
winbindd_dual_pam_logoff(struct winbindd_domain
*domain
,
2088 struct winbindd_cli_state
*state
)
2090 NTSTATUS result
= NT_STATUS_NOT_SUPPORTED
;
2092 DEBUG(3, ("[%5lu]: pam dual logoff %s\n", (unsigned long)state
->pid
,
2093 state
->request
->data
.logoff
.user
));
2095 if (!(state
->request
->flags
& WBFLAG_PAM_KRB5
)) {
2096 result
= NT_STATUS_OK
;
2097 goto process_result
;
2100 if (state
->request
->data
.logoff
.krb5ccname
[0] == '\0') {
2101 result
= NT_STATUS_OK
;
2102 goto process_result
;
2107 if (state
->request
->data
.logoff
.uid
< 0) {
2108 DEBUG(0,("winbindd_pam_logoff: invalid uid\n"));
2109 goto process_result
;
2112 /* what we need here is to find the corresponding krb5 ccache name *we*
2113 * created for a given username and destroy it */
2115 if (!ccache_entry_exists(state
->request
->data
.logoff
.user
)) {
2116 result
= NT_STATUS_OK
;
2117 DEBUG(10,("winbindd_pam_logoff: no entry found.\n"));
2118 goto process_result
;
2121 if (!ccache_entry_identical(state
->request
->data
.logoff
.user
,
2122 state
->request
->data
.logoff
.uid
,
2123 state
->request
->data
.logoff
.krb5ccname
)) {
2124 DEBUG(0,("winbindd_pam_logoff: cached entry differs.\n"));
2125 goto process_result
;
2128 result
= remove_ccache(state
->request
->data
.logoff
.user
);
2129 if (!NT_STATUS_IS_OK(result
)) {
2130 DEBUG(0,("winbindd_pam_logoff: failed to remove ccache: %s\n",
2131 nt_errstr(result
)));
2132 goto process_result
;
2136 * Remove any mlock'ed memory creds in the child
2137 * we might be using for krb5 ticket renewal.
2140 winbindd_delete_memory_creds(state
->request
->data
.logoff
.user
);
2143 result
= NT_STATUS_NOT_SUPPORTED
;
2149 set_auth_errors(state
->response
, result
);
2151 return NT_STATUS_IS_OK(result
) ? WINBINDD_OK
: WINBINDD_ERROR
;
2154 /* Change user password with auth crap*/
2156 enum winbindd_result
winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domain
*domainSt
, struct winbindd_cli_state
*state
)
2159 DATA_BLOB new_nt_password
;
2160 DATA_BLOB old_nt_hash_enc
;
2161 DATA_BLOB new_lm_password
;
2162 DATA_BLOB old_lm_hash_enc
;
2163 fstring domain
,user
;
2164 struct policy_handle dom_pol
;
2165 struct winbindd_domain
*contact_domain
= domainSt
;
2166 struct rpc_pipe_client
*cli
= NULL
;
2167 struct dcerpc_binding_handle
*b
= NULL
;
2169 ZERO_STRUCT(dom_pol
);
2171 /* Ensure null termination */
2172 state
->request
->data
.chng_pswd_auth_crap
.user
[
2173 sizeof(state
->request
->data
.chng_pswd_auth_crap
.user
)-1]=0;
2174 state
->request
->data
.chng_pswd_auth_crap
.domain
[
2175 sizeof(state
->request
->data
.chng_pswd_auth_crap
.domain
)-1]=0;
2179 DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
2180 (unsigned long)state
->pid
,
2181 state
->request
->data
.chng_pswd_auth_crap
.domain
,
2182 state
->request
->data
.chng_pswd_auth_crap
.user
));
2184 if (lp_winbind_offline_logon()) {
2185 DEBUG(0,("Refusing password change as winbind offline logons are enabled. "));
2186 DEBUGADD(0,("Changing passwords here would risk inconsistent logons\n"));
2187 result
= NT_STATUS_ACCESS_DENIED
;
2191 if (*state
->request
->data
.chng_pswd_auth_crap
.domain
) {
2192 fstrcpy(domain
,state
->request
->data
.chng_pswd_auth_crap
.domain
);
2194 parse_domain_user(state
->request
->data
.chng_pswd_auth_crap
.user
,
2198 DEBUG(3,("no domain specified with username (%s) - "
2200 state
->request
->data
.chng_pswd_auth_crap
.user
));
2201 result
= NT_STATUS_NO_SUCH_USER
;
2206 if (!*domain
&& lp_winbind_use_default_domain()) {
2207 fstrcpy(domain
,lp_workgroup());
2211 fstrcpy(user
, state
->request
->data
.chng_pswd_auth_crap
.user
);
2214 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n",
2215 (unsigned long)state
->pid
, domain
, user
));
2217 /* Change password */
2218 new_nt_password
= data_blob_const(
2219 state
->request
->data
.chng_pswd_auth_crap
.new_nt_pswd
,
2220 state
->request
->data
.chng_pswd_auth_crap
.new_nt_pswd_len
);
2222 old_nt_hash_enc
= data_blob_const(
2223 state
->request
->data
.chng_pswd_auth_crap
.old_nt_hash_enc
,
2224 state
->request
->data
.chng_pswd_auth_crap
.old_nt_hash_enc_len
);
2226 if(state
->request
->data
.chng_pswd_auth_crap
.new_lm_pswd_len
> 0) {
2227 new_lm_password
= data_blob_const(
2228 state
->request
->data
.chng_pswd_auth_crap
.new_lm_pswd
,
2229 state
->request
->data
.chng_pswd_auth_crap
.new_lm_pswd_len
);
2231 old_lm_hash_enc
= data_blob_const(
2232 state
->request
->data
.chng_pswd_auth_crap
.old_lm_hash_enc
,
2233 state
->request
->data
.chng_pswd_auth_crap
.old_lm_hash_enc_len
);
2235 new_lm_password
= data_blob_null
;
2236 old_lm_hash_enc
= data_blob_null
;
2239 /* Get sam handle */
2241 result
= cm_connect_sam(contact_domain
, state
->mem_ctx
, &cli
, &dom_pol
);
2242 if (!NT_STATUS_IS_OK(result
)) {
2243 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain
));
2247 b
= cli
->binding_handle
;
2249 result
= rpccli_samr_chng_pswd_auth_crap(
2250 cli
, state
->mem_ctx
, user
, new_nt_password
, old_nt_hash_enc
,
2251 new_lm_password
, old_lm_hash_enc
);
2255 if (strequal(contact_domain
->name
, get_global_sam_name())) {
2256 /* FIXME: internal rpc pipe does not cache handles yet */
2258 if (is_valid_policy_hnd(&dom_pol
)) {
2260 dcerpc_samr_Close(b
, state
->mem_ctx
, &dom_pol
, &_result
);
2266 set_auth_errors(state
->response
, result
);
2268 DEBUG(NT_STATUS_IS_OK(result
) ? 5 : 2,
2269 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2271 state
->response
->data
.auth
.nt_status_string
,
2272 state
->response
->data
.auth
.pam_error
));
2274 return NT_STATUS_IS_OK(result
) ? WINBINDD_OK
: WINBINDD_ERROR
;
2278 static NTSTATUS
extract_pac_vrfy_sigs(TALLOC_CTX
*mem_ctx
, DATA_BLOB pac_blob
,
2279 struct PAC_LOGON_INFO
**logon_info
)
2281 krb5_context krbctx
= NULL
;
2282 krb5_error_code k5ret
;
2284 krb5_kt_cursor cursor
;
2285 krb5_keytab_entry entry
;
2286 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
2289 ZERO_STRUCT(cursor
);
2291 k5ret
= krb5_init_context(&krbctx
);
2293 DEBUG(1, ("Failed to initialize kerberos context: %s\n",
2294 error_message(k5ret
)));
2295 status
= krb5_to_nt_status(k5ret
);
2299 k5ret
= gse_krb5_get_server_keytab(krbctx
, &keytab
);
2301 DEBUG(1, ("Failed to get keytab: %s\n",
2302 error_message(k5ret
)));
2303 status
= krb5_to_nt_status(k5ret
);
2307 k5ret
= krb5_kt_start_seq_get(krbctx
, keytab
, &cursor
);
2309 DEBUG(1, ("Failed to start seq: %s\n",
2310 error_message(k5ret
)));
2311 status
= krb5_to_nt_status(k5ret
);
2315 k5ret
= krb5_kt_next_entry(krbctx
, keytab
, &entry
, &cursor
);
2316 while (k5ret
== 0) {
2317 status
= kerberos_pac_logon_info(mem_ctx
, pac_blob
,
2319 KRB5_KT_KEY(&entry
), NULL
, 0,
2321 if (NT_STATUS_IS_OK(status
)) {
2324 k5ret
= smb_krb5_kt_free_entry(krbctx
, &entry
);
2325 k5ret
= krb5_kt_next_entry(krbctx
, keytab
, &entry
, &cursor
);
2328 k5ret
= krb5_kt_end_seq_get(krbctx
, keytab
, &cursor
);
2330 DEBUG(1, ("Failed to end seq: %s\n",
2331 error_message(k5ret
)));
2334 k5ret
= krb5_kt_close(krbctx
, keytab
);
2336 DEBUG(1, ("Failed to close keytab: %s\n",
2337 error_message(k5ret
)));
2340 krb5_free_context(krbctx
);
2345 NTSTATUS
winbindd_pam_auth_pac_send(struct winbindd_cli_state
*state
,
2346 struct netr_SamInfo3
**info3
)
2348 struct winbindd_request
*req
= state
->request
;
2350 struct PAC_LOGON_INFO
*logon_info
= NULL
;
2353 pac_blob
= data_blob_const(req
->extra_data
.data
, req
->extra_len
);
2354 result
= extract_pac_vrfy_sigs(state
->mem_ctx
, pac_blob
, &logon_info
);
2355 if (!NT_STATUS_IS_OK(result
) &&
2356 !NT_STATUS_EQUAL(result
, NT_STATUS_ACCESS_DENIED
)) {
2357 DEBUG(1, ("Error during PAC signature verification: %s\n",
2358 nt_errstr(result
)));
2363 /* Signature verification succeeded, trust the PAC */
2364 netsamlogon_cache_store(NULL
, &logon_info
->info3
);
2367 /* Try without signature verification */
2368 result
= kerberos_pac_logon_info(state
->mem_ctx
, pac_blob
, NULL
,
2369 NULL
, NULL
, NULL
, 0,
2371 if (!NT_STATUS_IS_OK(result
)) {
2372 DEBUG(10, ("Could not extract PAC: %s\n",
2373 nt_errstr(result
)));
2378 *info3
= &logon_info
->info3
;
2380 return NT_STATUS_OK
;
2382 #else /* HAVE_KRB5 */
2383 NTSTATUS
winbindd_pam_auth_pac_send(struct winbindd_cli_state
*state
,
2384 struct netr_SamInfo3
**info3
)
2386 return NT_STATUS_NO_SUCH_USER
;
2388 #endif /* HAVE_KRB5 */