search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r14259: Fix coverity #42. Ensure contact_domain can't be null derefed
[Samba/nascimento.git] / source3 / nsswitch / winbindd_pam.c
blobfdc6e0711905dbe512e4d17e4edeff6cb23d1ba0
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon - pam auth funcions
5
6 Copyright (C) Andrew Tridgell 2000
7 Copyright (C) Tim Potter 2001
8 Copyright (C) Andrew Bartlett 2001-2002
9 Copyright (C) Guenther Deschner 2005
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 2 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with this program; if not, write to the Free Software
23 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 */
25
26 #include "includes.h"
27 #include "winbindd.h"
28 #undef DBGC_CLASS
29 #define DBGC_CLASS DBGC_WINBIND
30
31 static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx,
32 struct winbindd_cli_state *state,
33 NET_USER_INFO_3 *info3)
34 {
35 fstring str_sid;
36
37 state->response.data.auth.info3.logon_time =
38 nt_time_to_unix(&(info3->logon_time));
39 state->response.data.auth.info3.logoff_time =
40 nt_time_to_unix(&(info3->logoff_time));
41 state->response.data.auth.info3.kickoff_time =
42 nt_time_to_unix(&(info3->kickoff_time));
43 state->response.data.auth.info3.pass_last_set_time =
44 nt_time_to_unix(&(info3->pass_last_set_time));
45 state->response.data.auth.info3.pass_can_change_time =
46 nt_time_to_unix(&(info3->pass_can_change_time));
47 state->response.data.auth.info3.pass_must_change_time =
48 nt_time_to_unix(&(info3->pass_must_change_time));
49
50 state->response.data.auth.info3.logon_count = info3->logon_count;
51 state->response.data.auth.info3.bad_pw_count = info3->bad_pw_count;
52
53 state->response.data.auth.info3.user_rid = info3->user_rid;
54 state->response.data.auth.info3.group_rid = info3->group_rid;
55 sid_to_string(str_sid, &(info3->dom_sid.sid));
56 fstrcpy(state->response.data.auth.info3.dom_sid, str_sid);
57
58 state->response.data.auth.info3.num_groups = info3->num_groups;
59 state->response.data.auth.info3.user_flgs = info3->user_flgs;
60
61 state->response.data.auth.info3.acct_flags = info3->acct_flags;
62 state->response.data.auth.info3.num_other_sids = info3->num_other_sids;
63
64 unistr2_to_ascii(state->response.data.auth.info3.user_name,
65 &info3->uni_user_name, -1);
66 unistr2_to_ascii(state->response.data.auth.info3.full_name,
67 &info3->uni_full_name, -1);
68 unistr2_to_ascii(state->response.data.auth.info3.logon_script,
69 &info3->uni_logon_script, -1);
70 unistr2_to_ascii(state->response.data.auth.info3.profile_path,
71 &info3->uni_profile_path, -1);
72 unistr2_to_ascii(state->response.data.auth.info3.home_dir,
73 &info3->uni_home_dir, -1);
74 unistr2_to_ascii(state->response.data.auth.info3.dir_drive,
75 &info3->uni_dir_drive, -1);
76
77 unistr2_to_ascii(state->response.data.auth.info3.logon_srv,
78 &info3->uni_logon_srv, -1);
79 unistr2_to_ascii(state->response.data.auth.info3.logon_dom,
80 &info3->uni_logon_dom, -1);
81
82 return NT_STATUS_OK;
83 }
84
85 static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx,
86 struct winbindd_cli_state *state,
87 NET_USER_INFO_3 *info3)
88 {
89 prs_struct ps;
90 uint32 size;
91 if (!prs_init(&ps, 256 /* Random, non-zero number */, mem_ctx, MARSHALL)) {
92 return NT_STATUS_NO_MEMORY;
93 }
94 if (!net_io_user_info3("", info3, &ps, 1, 3, False)) {
95 prs_mem_free(&ps);
96 return NT_STATUS_UNSUCCESSFUL;
97 }
98
99 size = prs_data_size(&ps);
100 state->response.extra_data = SMB_MALLOC(size);
101 if (!state->response.extra_data) {
102 prs_mem_free(&ps);
103 return NT_STATUS_NO_MEMORY;
104 }
105 memset( state->response.extra_data, '\0', size );
106 prs_copy_all_data_out(state->response.extra_data, &ps);
107 state->response.length += size;
108 prs_mem_free(&ps);
109 return NT_STATUS_OK;
110 }
111
112 static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
113 NET_USER_INFO_3 *info3,
114 const char *group_sid)
115 {
116 DOM_SID require_membership_of_sid;
117 DOM_SID *all_sids;
118 size_t num_all_sids = (2 + info3->num_groups2 + info3->num_other_sids);
119 size_t i, j = 0;
120
121 /* Parse the 'required group' SID */
122
123 if (!group_sid || !group_sid[0]) {
124 /* NO sid supplied, all users may access */
125 return NT_STATUS_OK;
126 }
127
128 if (!string_to_sid(&require_membership_of_sid, group_sid)) {
129 DEBUG(0, ("check_info3_in_group: could not parse %s as a SID!",
130 group_sid));
131
132 return NT_STATUS_INVALID_PARAMETER;
133 }
134
135 all_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, num_all_sids);
136 if (!all_sids)
137 return NT_STATUS_NO_MEMORY;
138
139 /* and create (by appending rids) the 'domain' sids */
140
141 sid_copy(&all_sids[0], &(info3->dom_sid.sid));
142
143 if (!sid_append_rid(&all_sids[0], info3->user_rid)) {
144 DEBUG(3,("could not append user's primary RID 0x%x\n",
145 info3->user_rid));
146
147 return NT_STATUS_INVALID_PARAMETER;
148 }
149 j++;
150
151 sid_copy(&all_sids[1], &(info3->dom_sid.sid));
152
153 if (!sid_append_rid(&all_sids[1], info3->group_rid)) {
154 DEBUG(3,("could not append additional group rid 0x%x\n",
155 info3->group_rid));
156
157 return NT_STATUS_INVALID_PARAMETER;
158 }
159 j++;
160
161 for (i = 0; i < info3->num_groups2; i++) {
162
163 sid_copy(&all_sids[j], &(info3->dom_sid.sid));
164
165 if (!sid_append_rid(&all_sids[j], info3->gids[i].g_rid)) {
166 DEBUG(3,("could not append additional group rid 0x%x\n",
167 info3->gids[i].g_rid));
168
169 return NT_STATUS_INVALID_PARAMETER;
170 }
171 j++;
172 }
173
174 /* Copy 'other' sids. We need to do sid filtering here to
175 prevent possible elevation of privileges. See:
176
177 http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
178 */
179
180 for (i = 0; i < info3->num_other_sids; i++) {
181 sid_copy(&all_sids[info3->num_groups2 + i + 2],
182 &info3->other_sids[i].sid);
183 j++;
184 }
185
186 for (i = 0; i < j; i++) {
187 fstring sid1, sid2;
188 DEBUG(10, ("User has SID: %s\n",
189 sid_to_string(sid1, &all_sids[i])));
190 if (sid_equal(&require_membership_of_sid, &all_sids[i])) {
191 DEBUG(10, ("SID %s matches %s - user permitted to authenticate!\n",
192 sid_to_string(sid1, &require_membership_of_sid), sid_to_string(sid2, &all_sids[i])));
193 return NT_STATUS_OK;
194 }
195 }
196
197 /* Do not distinguish this error from a wrong username/pw */
198
199 return NT_STATUS_LOGON_FAILURE;
200 }
201
202 static struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state,
203 const char *domain_name)
204 {
205 struct winbindd_domain *domain;
206
207 if (IS_DC) {
208 domain = find_domain_from_name_noinit(domain_name);
209 if (domain == NULL) {
210 DEBUG(3, ("Authentication for domain [%s] refused"
211 "as it is not a trusted domain\n",
212 domain_name));
213 }
214 return domain;
215 }
216
217 if (is_myname(domain_name)) {
218 DEBUG(3, ("Authentication for domain %s (local domain "
219 "to this server) not supported at this "
220 "stage\n", domain_name));
221 return NULL;
222 }
223
224 return find_our_domain();
225 }
226
227 static void set_auth_errors(struct winbindd_response *resp, NTSTATUS result)
228 {
229 resp->data.auth.nt_status = NT_STATUS_V(result);
230 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
231
232 /* we might have given a more useful error above */
233 if (*resp->data.auth.error_string == '\0')
234 fstrcpy(resp->data.auth.error_string,
235 get_friendly_nt_error_msg(result));
236 resp->data.auth.pam_error = nt_status_to_pam(result);
237 }
238
239 static NTSTATUS fillup_password_policy(struct winbindd_domain *domain,
240 struct winbindd_cli_state *state)
241 {
242 struct winbindd_methods *methods;
243 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
244 SAM_UNK_INFO_1 password_policy;
245
246 methods = domain->methods;
247
248 status = methods->password_policy(domain, state->mem_ctx, &password_policy);
249 if (NT_STATUS_IS_ERR(status)) {
250 return status;
251 }
252
253 state->response.data.auth.policy.min_length_password =
254 password_policy.min_length_password;
255 state->response.data.auth.policy.password_history =
256 password_policy.password_history;
257 state->response.data.auth.policy.password_properties =
258 password_policy.password_properties;
259 state->response.data.auth.policy.expire =
260 nt_time_to_unix_abs(&(password_policy.expire));
261 state->response.data.auth.policy.min_passwordage =
262 nt_time_to_unix_abs(&(password_policy.min_passwordage));
263
264 return NT_STATUS_OK;
265 }
266
267 static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain *domain,
268 TALLOC_CTX *mem_ctx,
269 uint16 *max_allowed_bad_attempts)
270 {
271 struct winbindd_methods *methods;
272 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
273 SAM_UNK_INFO_12 lockout_policy;
274
275 *max_allowed_bad_attempts = 0;
276
277 methods = domain->methods;
278
279 status = methods->lockout_policy(domain, mem_ctx, &lockout_policy);
280 if (NT_STATUS_IS_ERR(status)) {
281 return status;
282 }
283
284 *max_allowed_bad_attempts = lockout_policy.bad_attempt_lockout;
285
286 return NT_STATUS_OK;
287 }
288
289 static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
290 TALLOC_CTX *mem_ctx,
291 uint32 *password_properties)
292 {
293 struct winbindd_methods *methods;
294 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
295 SAM_UNK_INFO_1 password_policy;
296
297 *password_properties = 0;
298
299 methods = domain->methods;
300
301 status = methods->password_policy(domain, mem_ctx, &password_policy);
302 if (NT_STATUS_IS_ERR(status)) {
303 return status;
304 }
305
306 *password_properties = password_policy.password_properties;
307
308 return NT_STATUS_OK;
309 }
310
311 static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
312 const char *type,
313 uid_t uid,
314 BOOL *internal_ccache)
315 {
316 /* accept FILE and WRFILE as krb5_cc_type from the client and then
317 * build the full ccname string based on the user's uid here -
318 * Guenther*/
319
320 const char *gen_cc = NULL;
321
322 *internal_ccache = True;
323
324 if (uid == -1) {
325 goto memory_ccache;
326 }
327
328 if (!type || type[0] == '\0') {
329 goto memory_ccache;
330 }
331
332 if (strequal(type, "FILE")) {
333 gen_cc = talloc_asprintf(mem_ctx, "FILE:/tmp/krb5cc_%d", uid);
334 } else if (strequal(type, "WRFILE")) {
335 gen_cc = talloc_asprintf(mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
336 } else {
337 DEBUG(10,("we don't allow to set a %s type ccache\n", type));
338 goto memory_ccache;
339 }
340
341 *internal_ccache = False;
342 goto done;
343
344 memory_ccache:
345 gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbind_cache");
346
347 done:
348 if (gen_cc == NULL) {
349 DEBUG(0,("out of memory\n"));
350 return NULL;
351 }
352
353 DEBUG(10,("using ccache: %s %s\n", gen_cc, *internal_ccache ? "(internal)":""));
354
355 return gen_cc;
356 }
357
358 static uid_t get_uid_from_state(struct winbindd_cli_state *state)
359 {
360 uid_t uid = -1;
361
362 uid = state->request.data.auth.uid;
363
364 if (uid < 0) {
365 DEBUG(1,("invalid uid: '%d'\n", uid));
366 return -1;
367 }
368 return uid;
369 }
370
371 static void setup_return_cc_name(struct winbindd_cli_state *state, const char *cc)
372 {
373 const char *type = state->request.data.auth.krb5_cc_type;
374
375 state->response.data.auth.krb5ccname[0] = '\0';
376
377 if (type[0] == '\0') {
378 return;
379 }
380
381 if (!strequal(type, "FILE") &&
382 !strequal(type, "WRFILE")) {
383 DEBUG(10,("won't return krbccname for a %s type ccache\n",
384 type));
385 return;
386 }
387
388 fstrcpy(state->response.data.auth.krb5ccname, cc);
389 }
390
391 /**********************************************************************
392 Authenticate a user with a clear text password using Kerberos and fill up
393 ccache if required
394 **********************************************************************/
395 static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
396 struct winbindd_cli_state *state,
397 NET_USER_INFO_3 **info3)
398 {
399 #ifdef HAVE_KRB5
400 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
401 krb5_error_code krb5_ret;
402 DATA_BLOB tkt, session_key_krb5;
403 DATA_BLOB ap_rep, session_key;
404 PAC_DATA *pac_data = NULL;
405 PAC_LOGON_INFO *logon_info = NULL;
406 char *client_princ = NULL;
407 char *client_princ_out = NULL;
408 char *local_service = NULL;
409 const char *cc = NULL;
410 const char *principal_s = NULL;
411 const char *service = NULL;
412 char *realm = NULL;
413 fstring name_domain, name_user;
414 time_t ticket_lifetime = 0;
415 time_t renewal_until = 0;
416 uid_t uid = -1;
417 ADS_STRUCT *ads;
418 time_t time_offset = 0;
419 BOOL internal_ccache = True;
420
421 ZERO_STRUCT(session_key);
422 ZERO_STRUCT(session_key_krb5);
423 ZERO_STRUCT(tkt);
424 ZERO_STRUCT(ap_rep);
425
426 ZERO_STRUCTP(info3);
427
428 *info3 = NULL;
429
430 /* 1st step:
431 * prepare a krb5_cc_cache string for the user */
432
433 uid = get_uid_from_state(state);
434 if (uid == -1) {
435 DEBUG(0,("no valid uid\n"));
436 }
437
438 cc = generate_krb5_ccache(state->mem_ctx,
439 state->request.data.auth.krb5_cc_type,
440 state->request.data.auth.uid,
441 &internal_ccache);
442 if (cc == NULL) {
443 return NT_STATUS_NO_MEMORY;
444 }
445
446
447 /* 2nd step:
448 * get kerberos properties */
449
450 if (domain->private_data) {
451 ads = (ADS_STRUCT *)domain->private_data;
452 time_offset = ads->auth.time_offset;
453 }
454
455
456 /* 3rd step:
457 * do kerberos auth and setup ccache as the user */
458
459 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
460
461 realm = domain->alt_name;
462 strupper_m(realm);
463
464 principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
465 if (principal_s == NULL) {
466 return NT_STATUS_NO_MEMORY;
467 }
468
469 service = talloc_asprintf(state->mem_ctx, "krbtgt/%s@%s", realm, realm);
470 if (service == NULL) {
471 return NT_STATUS_NO_MEMORY;
472 }
473
474 /* if this is a user ccache, we need to act as the user to let the krb5
475 * library handle the chown, etc. */
476
477 /************************ NON-ROOT **********************/
478
479 if (!internal_ccache) {
480
481 seteuid(uid);
482 DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
483 }
484
485 krb5_ret = kerberos_kinit_password(principal_s,
486 state->request.data.auth.pass,
487 time_offset,
488 &ticket_lifetime,
489 &renewal_until,
490 cc,
491 True,
492 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
493
494 if (krb5_ret) {
495 DEBUG(1,("winbindd_raw_kerberos_login: kinit failed for '%s' with: %s (%d)\n",
496 principal_s, error_message(krb5_ret), krb5_ret));
497 result = krb5_to_nt_status(krb5_ret);
498 goto done;
499 }
500
501 /* does http_timestring use heimdals libroken strftime?? - Guenther */
502 DEBUG(10,("got TGT for %s in %s (valid until: %s (%d), renewable till: %s (%d))\n",
503 principal_s, cc,
504 http_timestring(ticket_lifetime), (int)ticket_lifetime,
505 http_timestring(renewal_until), (int)renewal_until));
506
507 client_princ = talloc_strdup(state->mem_ctx, global_myname());
508 if (client_princ == NULL) {
509 result = NT_STATUS_NO_MEMORY;
510 goto done;
511 }
512 strlower_m(client_princ);
513
514 local_service = talloc_asprintf(state->mem_ctx, "HOST/%s@%s", client_princ, lp_realm());
515 if (local_service == NULL) {
516 DEBUG(0,("winbindd_raw_kerberos_login: out of memory\n"));
517 result = NT_STATUS_NO_MEMORY;
518 goto done;
519 }
520
521 krb5_ret = cli_krb5_get_ticket(local_service,
522 time_offset,
523 &tkt,
524 &session_key_krb5,
525 0,
526 cc);
527 if (krb5_ret) {
528 DEBUG(1,("winbindd_raw_kerberos_login: failed to get ticket for: %s\n",
529 local_service));
530 result = krb5_to_nt_status(krb5_ret);
531 goto done;
532 }
533
534 if (!internal_ccache) {
535 seteuid(0);
536 }
537
538 /************************ NON-ROOT **********************/
539
540 result = ads_verify_ticket(state->mem_ctx,
541 lp_realm(),
542 &tkt,
543 &client_princ_out,
544 &pac_data,
545 &ap_rep,
546 &session_key);
547 if (!NT_STATUS_IS_OK(result)) {
548 DEBUG(0,("winbindd_raw_kerberos_login: ads_verify_ticket failed: %s\n",
549 nt_errstr(result)));
550 goto done;
551 }
552
553 DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
554 local_service));
555
556 if (!pac_data) {
557 DEBUG(3,("winbindd_raw_kerberos_login: no pac data\n"));
558 result = NT_STATUS_INVALID_PARAMETER;
559 goto done;
560 }
561
562 logon_info = get_logon_info_from_pac(pac_data);
563 if (logon_info == NULL) {
564 DEBUG(1,("winbindd_raw_kerberos_login: no logon info\n"));
565 result = NT_STATUS_INVALID_PARAMETER;
566 goto done;
567 }
568
569
570 /* last step:
571 * put results together */
572
573 *info3 = &logon_info->info3;
574
575 /* if we had a user's ccache then return that string for the pam
576 * environment */
577
578 if (!internal_ccache) {
579
580 setup_return_cc_name(state, cc);
581
582 result = add_ccache_to_list(principal_s,
583 cc,
584 service,
585 state->request.data.auth.user,
586 NULL,
587 state->request.data.auth.pass,
588 uid,
589 time(NULL),
590 ticket_lifetime,
591 renewal_until,
592 lp_winbind_refresh_tickets());
593
594 if (!NT_STATUS_IS_OK(result)) {
595 DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
596 nt_errstr(result)));
597 }
598 }
599
600 result = NT_STATUS_OK;
601
602 done:
603 data_blob_free(&session_key);
604 data_blob_free(&session_key_krb5);
605 data_blob_free(&ap_rep);
606 data_blob_free(&tkt);
607
608 SAFE_FREE(client_princ_out);
609
610 if (!internal_ccache) {
611 seteuid(0);
612 }
613
614 return result;
615 #else
616 return NT_STATUS_NOT_SUPPORTED;
617 #endif /* HAVE_KRB5 */
618 }
619
620 void winbindd_pam_auth(struct winbindd_cli_state *state)
621 {
622 struct winbindd_domain *domain;
623 fstring name_domain, name_user;
624
625 /* Ensure null termination */
626 state->request.data.auth.user
627 [sizeof(state->request.data.auth.user)-1]='\0';
628
629 /* Ensure null termination */
630 state->request.data.auth.pass
631 [sizeof(state->request.data.auth.pass)-1]='\0';
632
633 DEBUG(3, ("[%5lu]: pam auth %s\n", (unsigned long)state->pid,
634 state->request.data.auth.user));
635
636 /* Parse domain and username */
637
638 if (!parse_domain_user(state->request.data.auth.user,
639 name_domain, name_user)) {
640 set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
641 DEBUG(5, ("Plain text authentication for %s returned %s "
642 "(PAM: %d)\n",
643 state->request.data.auth.user,
644 state->response.data.auth.nt_status_string,
645 state->response.data.auth.pam_error));
646 request_error(state);
647 return;
648 }
649
650 domain = find_auth_domain(state, name_domain);
651
652 if (domain == NULL) {
653 set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
654 DEBUG(5, ("Plain text authentication for %s returned %s "
655 "(PAM: %d)\n",
656 state->request.data.auth.user,
657 state->response.data.auth.nt_status_string,
658 state->response.data.auth.pam_error));
659 request_error(state);
660 return;
661 }
662
663 sendto_domain(state, domain);
664 }
665
666 NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
667 struct winbindd_cli_state *state,
668 NET_USER_INFO_3 **info3)
669 {
670 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
671 uint16 max_allowed_bad_attempts;
672 fstring name_domain, name_user;
673 DOM_SID sid;
674 enum SID_NAME_USE type;
675 uchar new_nt_pass[NT_HASH_LEN];
676 const uint8 *cached_nt_pass;
677 NET_USER_INFO_3 *my_info3;
678 time_t kickoff_time, must_change_time;
679
680 *info3 = NULL;
681
682 ZERO_STRUCTP(info3);
683
684 DEBUG(10,("winbindd_dual_pam_auth_cached\n"));
685
686 /* Parse domain and username */
687
688 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
689
690
691 if (!lookup_cached_name(state->mem_ctx,
692 name_domain,
693 name_user,
694 &sid,
695 &type)) {
696 DEBUG(10,("winbindd_dual_pam_auth_cached: no such user in the cache\n"));
697 return NT_STATUS_NO_SUCH_USER;
698 }
699
700 if (type != SID_NAME_USER) {
701 DEBUG(10,("winbindd_dual_pam_auth_cached: not a user (%s)\n", sid_type_lookup(type)));
702 return NT_STATUS_LOGON_FAILURE;
703 }
704
705 result = winbindd_get_creds(domain,
706 state->mem_ctx,
707 &sid,
708 &my_info3,
709 &cached_nt_pass);
710 if (!NT_STATUS_IS_OK(result)) {
711 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get creds: %s\n", nt_errstr(result)));
712 return result;
713 }
714
715 *info3 = my_info3;
716
717 E_md4hash(state->request.data.auth.pass, new_nt_pass);
718
719 dump_data(100, (const char *)new_nt_pass, NT_HASH_LEN);
720 dump_data(100, (const char *)cached_nt_pass, NT_HASH_LEN);
721
722 if (!memcmp(cached_nt_pass, new_nt_pass, NT_HASH_LEN)) {
723
724 /* User *DOES* know the password, update logon_time and reset
725 * bad_pw_count */
726
727 my_info3->user_flgs |= LOGON_CACHED_ACCOUNT;
728
729 if (my_info3->acct_flags & ACB_AUTOLOCK) {
730 return NT_STATUS_ACCOUNT_LOCKED_OUT;
731 }
732
733 if (my_info3->acct_flags & ACB_DISABLED) {
734 return NT_STATUS_ACCOUNT_DISABLED;
735 }
736
737 if (my_info3->acct_flags & ACB_WSTRUST) {
738 return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
739 }
740
741 if (my_info3->acct_flags & ACB_SVRTRUST) {
742 return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
743 }
744
745 if (my_info3->acct_flags & ACB_DOMTRUST) {
746 return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
747 }
748
749 if (!(my_info3->acct_flags & ACB_NORMAL)) {
750 DEBUG(10,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
751 my_info3->acct_flags));
752 return NT_STATUS_LOGON_FAILURE;
753 }
754
755 kickoff_time = nt_time_to_unix(&my_info3->kickoff_time);
756 if (kickoff_time != 0 && time(NULL) > kickoff_time) {
757 return NT_STATUS_ACCOUNT_EXPIRED;
758 }
759
760 must_change_time = nt_time_to_unix(&my_info3->pass_must_change_time);
761 if (must_change_time != 0 && must_change_time < time(NULL)) {
762 return NT_STATUS_PASSWORD_EXPIRED;
763 }
764
765 /* FIXME: we possibly should handle logon hours as well (does xp when
766 * offline?) see auth/auth_sam.c:sam_account_ok for details */
767
768 unix_to_nt_time(&my_info3->logon_time, time(NULL));
769 my_info3->bad_pw_count = 0;
770
771 result = winbindd_update_creds_by_info3(domain,
772 state->mem_ctx,
773 state->request.data.auth.user,
774 state->request.data.auth.pass,
775 my_info3);
776 if (!NT_STATUS_IS_OK(result)) {
777 DEBUG(1,("failed to update creds: %s\n", nt_errstr(result)));
778 return result;
779 }
780
781 return NT_STATUS_OK;
782
783 }
784
785 /* User does *NOT* know the correct password, modify info3 accordingly */
786
787 /* failure of this is not critical */
788 result = get_max_bad_attempts_from_lockout_policy(domain, state->mem_ctx, &max_allowed_bad_attempts);
789 if (!NT_STATUS_IS_OK(result)) {
790 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get max_allowed_bad_attempts. "
791 "Won't be able to honour account lockout policies\n"));
792 }
793
794 /* increase counter */
795 my_info3->bad_pw_count++;
796
797 if (max_allowed_bad_attempts == 0) {
798 goto failed;
799 }
800
801 /* lockout user */
802 if (my_info3->bad_pw_count >= max_allowed_bad_attempts) {
803
804 uint32 password_properties;
805
806 result = get_pwd_properties(domain, state->mem_ctx, &password_properties);
807 if (!NT_STATUS_IS_OK(result)) {
808 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
809 }
810
811 if ((my_info3->user_rid != DOMAIN_USER_RID_ADMIN) ||
812 (password_properties & DOMAIN_LOCKOUT_ADMINS)) {
813 my_info3->acct_flags |= ACB_AUTOLOCK;
814 }
815 }
816
817 failed:
818 result = winbindd_update_creds_by_info3(domain,
819 state->mem_ctx,
820 state->request.data.auth.user,
821 NULL,
822 my_info3);
823
824 if (!NT_STATUS_IS_OK(result)) {
825 DEBUG(0,("winbindd_dual_pam_auth_cached: failed to update creds %s\n",
826 nt_errstr(result)));
827 }
828
829 return NT_STATUS_LOGON_FAILURE;
830 }
831
832 NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
833 struct winbindd_cli_state *state,
834 NET_USER_INFO_3 **info3)
835 {
836 struct winbindd_domain *contact_domain;
837 fstring name_domain, name_user;
838 NTSTATUS result;
839
840 DEBUG(10,("winbindd_dual_pam_auth_kerberos\n"));
841
842 /* Parse domain and username */
843
844 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
845
846 /* what domain should we contact? */
847
848 if ( IS_DC ) {
849 if (!(contact_domain = find_domain_from_name(name_domain))) {
850 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
851 state->request.data.auth.user, name_domain, name_user, name_domain));
852 result = NT_STATUS_NO_SUCH_USER;
853 goto done;
854 }
855
856 } else {
857 if (is_myname(name_domain)) {
858 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
859 result = NT_STATUS_NO_SUCH_USER;
860 goto done;
861 }
862
863 contact_domain = find_domain_from_name(name_domain);
864 if (contact_domain == NULL) {
865 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
866 state->request.data.auth.user, name_domain, name_user, name_domain));
867
868 contact_domain = find_our_domain();
869 }
870 }
871
872 set_dc_type_and_flags(contact_domain);
873
874 if (!contact_domain->active_directory) {
875 DEBUG(3,("krb5 auth requested but domain is not Active Directory\n"));
876 return NT_STATUS_INVALID_LOGON_TYPE;
877 }
878
879 result = winbindd_raw_kerberos_login(contact_domain, state, info3);
880 done:
881 return result;
882 }
883
884 NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
885 struct winbindd_cli_state *state,
886 NET_USER_INFO_3 **info3)
887 {
888
889 struct rpc_pipe_client *netlogon_pipe;
890 uchar chal[8];
891 DATA_BLOB lm_resp;
892 DATA_BLOB nt_resp;
893 int attempts = 0;
894 unsigned char local_lm_response[24];
895 unsigned char local_nt_response[24];
896 struct winbindd_domain *contact_domain;
897 fstring name_domain, name_user;
898 BOOL retry;
899 NTSTATUS result;
900 NET_USER_INFO_3 *my_info3;
901
902 ZERO_STRUCTP(info3);
903
904 *info3 = NULL;
905
906 my_info3 = TALLOC_ZERO_P(state->mem_ctx, NET_USER_INFO_3);
907 if (my_info3 == NULL) {
908 return NT_STATUS_NO_MEMORY;
909 }
910
911
912 DEBUG(10,("winbindd_dual_pam_auth_samlogon\n"));
913
914 /* Parse domain and username */
915
916 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
917
918 /* do password magic */
919
920
921 generate_random_buffer(chal, 8);
922 if (lp_client_ntlmv2_auth()) {
923 DATA_BLOB server_chal;
924 DATA_BLOB names_blob;
925 DATA_BLOB nt_response;
926 DATA_BLOB lm_response;
927 server_chal = data_blob_talloc(state->mem_ctx, chal, 8);
928
929 /* note that the 'workgroup' here is a best guess - we don't know
930 the server's domain at this point. The 'server name' is also
931 dodgy...
932 */
933 names_blob = NTLMv2_generate_names_blob(global_myname(), lp_workgroup());
934
935 if (!SMBNTLMv2encrypt(name_user, name_domain,
936 state->request.data.auth.pass,
937 &server_chal,
938 &names_blob,
939 &lm_response, &nt_response, NULL)) {
940 data_blob_free(&names_blob);
941 data_blob_free(&server_chal);
942 DEBUG(0, ("winbindd_pam_auth: SMBNTLMv2encrypt() failed!\n"));
943 result = NT_STATUS_NO_MEMORY;
944 goto done;
945 }
946 data_blob_free(&names_blob);
947 data_blob_free(&server_chal);
948 lm_resp = data_blob_talloc(state->mem_ctx, lm_response.data,
949 lm_response.length);
950 nt_resp = data_blob_talloc(state->mem_ctx, nt_response.data,
951 nt_response.length);
952 data_blob_free(&lm_response);
953 data_blob_free(&nt_response);
954
955 } else {
956 if (lp_client_lanman_auth()
957 && SMBencrypt(state->request.data.auth.pass,
958 chal,
959 local_lm_response)) {
960 lm_resp = data_blob_talloc(state->mem_ctx,
961 local_lm_response,
962 sizeof(local_lm_response));
963 } else {
964 lm_resp = data_blob(NULL, 0);
965 }
966 SMBNTencrypt(state->request.data.auth.pass,
967 chal,
968 local_nt_response);
969
970 nt_resp = data_blob_talloc(state->mem_ctx,
971 local_nt_response,
972 sizeof(local_nt_response));
973 }
974
975 /* what domain should we contact? */
976
977 if ( IS_DC ) {
978 if (!(contact_domain = find_domain_from_name(name_domain))) {
979 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
980 state->request.data.auth.user, name_domain, name_user, name_domain));
981 result = NT_STATUS_NO_SUCH_USER;
982 goto done;
983 }
984
985 } else {
986 if (is_myname(name_domain)) {
987 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
988 result = NT_STATUS_NO_SUCH_USER;
989 goto done;
990 }
991
992 contact_domain = find_our_domain();
993 }
994
995 /* check authentication loop */
996
997 do {
998
999 ZERO_STRUCTP(my_info3);
1000 retry = False;
1001
1002 result = cm_connect_netlogon(contact_domain, &netlogon_pipe);
1003
1004 if (!NT_STATUS_IS_OK(result)) {
1005 DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
1006 goto done;
1007 }
1008
1009 result = rpccli_netlogon_sam_network_logon(netlogon_pipe,
1010 state->mem_ctx,
1011 0,
1012 contact_domain->dcname, /* server name */
1013 name_user, /* user name */
1014 name_domain, /* target domain */
1015 global_myname(), /* workstation */
1016 chal,
1017 lm_resp,
1018 nt_resp,
1019 my_info3);
1020 attempts += 1;
1021
1022 /* We have to try a second time as cm_connect_netlogon
1023 might not yet have noticed that the DC has killed
1024 our connection. */
1025
1026 if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) {
1027 retry = True;
1028 continue;
1029 }
1030
1031 /* if we get access denied, a possible cause was that we had
1032 and open connection to the DC, but someone changed our
1033 machine account password out from underneath us using 'net
1034 rpc changetrustpw' */
1035
1036 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1037 DEBUG(3,("winbindd_pam_auth: sam_logon returned "
1038 "ACCESS_DENIED. Maybe the trust account "
1039 "password was changed and we didn't know it. "
1040 "Killing connections to domain %s\n",
1041 name_domain));
1042 invalidate_cm_connection(&contact_domain->conn);
1043 retry = True;
1044 }
1045
1046 } while ( (attempts < 2) && retry );
1047
1048 *info3 = my_info3;
1049 done:
1050 return result;
1051 }
1052
1053 enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
1054 struct winbindd_cli_state *state)
1055 {
1056 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
1057 fstring name_domain, name_user;
1058 NET_USER_INFO_3 *info3 = NULL;
1059
1060 /* Ensure null termination */
1061 state->request.data.auth.user[sizeof(state->request.data.auth.user)-1]='\0';
1062
1063 /* Ensure null termination */
1064 state->request.data.auth.pass[sizeof(state->request.data.auth.pass)-1]='\0';
1065
1066 DEBUG(3, ("[%5lu]: dual pam auth %s\n", (unsigned long)state->pid,
1067 state->request.data.auth.user));
1068
1069 /* Parse domain and username */
1070
1071 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
1072
1073 DEBUG(10,("winbindd_dual_pam_auth: domain: %s last was %s\n", domain->name, domain->online ? "online":"offline"));
1074
1075 /* Check for Kerberos authentication */
1076 if (domain->online && (state->request.flags & WBFLAG_PAM_KRB5)) {
1077
1078 result = winbindd_dual_pam_auth_kerberos(domain, state, &info3);
1079
1080 if (NT_STATUS_IS_OK(result)) {
1081 DEBUG(10,("winbindd_dual_pam_auth_kerberos succeeded\n"));
1082 goto process_result;
1083 } else {
1084 DEBUG(10,("winbindd_dual_pam_auth_kerberos failed: %s\n", nt_errstr(result)));
1085 }
1086
1087 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS)) {
1088 DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
1089 domain->online = False;
1090 }
1091
1092 if (state->request.flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
1093 DEBUG(3,("falling back to samlogon\n"));
1094 goto sam_logon;
1095 } else {
1096 goto cached_logon;
1097 }
1098 }
1099
1100 sam_logon:
1101 /* Check for Samlogon authentication */
1102 if (domain->online) {
1103 result = winbindd_dual_pam_auth_samlogon(domain, state, &info3);
1104
1105 if (NT_STATUS_IS_OK(result)) {
1106 DEBUG(10,("winbindd_dual_pam_auth_samlogon succeeded\n"));
1107 goto process_result;
1108 } else {
1109 DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n", nt_errstr(result)));
1110 if (domain->online) {
1111 /* We're still online - fail. */
1112 goto done;
1113 }
1114 /* Else drop through and see if we can check offline.... */
1115 }
1116 }
1117
1118 cached_logon:
1119 /* Check for Cached logons */
1120 if (!domain->online && (state->request.flags & WBFLAG_PAM_CACHED_LOGIN) &&
1121 lp_winbind_offline_logon()) {
1122
1123 result = winbindd_dual_pam_auth_cached(domain, state, &info3);
1124
1125 if (NT_STATUS_IS_OK(result)) {
1126 DEBUG(10,("winbindd_dual_pam_auth_cached succeeded\n"));
1127 goto process_result;
1128 } else {
1129 DEBUG(10,("winbindd_dual_pam_auth_cached failed: %s\n", nt_errstr(result)));
1130 goto done;
1131 }
1132 }
1133
1134 process_result:
1135
1136 if (NT_STATUS_IS_OK(result)) {
1137
1138 DOM_SID user_sid;
1139
1140 netsamlogon_cache_store(name_user, info3);
1141 wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
1142
1143 /* save name_to_sid info as early as possible */
1144 sid_compose(&user_sid, &info3->dom_sid.sid, info3->user_rid);
1145 cache_name2sid(domain, name_domain, name_user, SID_NAME_USER, &user_sid);
1146
1147 /* Check if the user is in the right group */
1148
1149 if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, info3,
1150 state->request.data.auth.require_membership_of_sid))) {
1151 DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
1152 state->request.data.auth.user,
1153 state->request.data.auth.require_membership_of_sid));
1154 goto done;
1155 }
1156
1157 if (state->request.flags & WBFLAG_PAM_INFO3_NDR) {
1158 result = append_info3_as_ndr(state->mem_ctx, state, info3);
1159 if (!NT_STATUS_IS_OK(result)) {
1160 DEBUG(10,("Failed to append INFO3 (NDR): %s\n", nt_errstr(result)));
1161 goto done;
1162 }
1163 }
1164
1165 if (state->request.flags & WBFLAG_PAM_INFO3_TEXT) {
1166 result = append_info3_as_txt(state->mem_ctx, state, info3);
1167 if (!NT_STATUS_IS_OK(result)) {
1168 DEBUG(10,("Failed to append INFO3 (TXT): %s\n", nt_errstr(result)));
1169 goto done;
1170 }
1171
1172 }
1173
1174 if ((state->request.flags & WBFLAG_PAM_CACHED_LOGIN) &&
1175 lp_winbind_offline_logon()) {
1176
1177 result = winbindd_store_creds(domain,
1178 state->mem_ctx,
1179 state->request.data.auth.user,
1180 state->request.data.auth.pass,
1181 info3, NULL);
1182 if (!NT_STATUS_IS_OK(result)) {
1183 DEBUG(10,("Failed to store creds: %s\n", nt_errstr(result)));
1184 goto done;
1185 }
1186
1187 }
1188
1189 result = fillup_password_policy(domain, state);
1190
1191 if (!NT_STATUS_IS_OK(result)) {
1192 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result)));
1193 goto done;
1194 }
1195
1196 }
1197
1198 done:
1199 /* give us a more useful (more correct?) error code */
1200 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
1201 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
1202 result = NT_STATUS_NO_LOGON_SERVERS;
1203 }
1204
1205 state->response.data.auth.nt_status = NT_STATUS_V(result);
1206 fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
1207
1208 /* we might have given a more useful error above */
1209 if (!*state->response.data.auth.error_string)
1210 fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
1211 state->response.data.auth.pam_error = nt_status_to_pam(result);
1212
1213 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
1214 state->request.data.auth.user,
1215 state->response.data.auth.nt_status_string,
1216 state->response.data.auth.pam_error));
1217
1218 if ( NT_STATUS_IS_OK(result) &&
1219 (state->request.flags & WBFLAG_PAM_AFS_TOKEN) ) {
1220
1221 char *afsname = talloc_strdup(state->mem_ctx,
1222 lp_afs_username_map());
1223 char *cell;
1224
1225 if (afsname == NULL) {
1226 goto no_token;
1227 }
1228
1229 afsname = talloc_string_sub(state->mem_ctx,
1230 lp_afs_username_map(),
1231 "%D", name_domain);
1232 afsname = talloc_string_sub(state->mem_ctx, afsname,
1233 "%u", name_user);
1234 afsname = talloc_string_sub(state->mem_ctx, afsname,
1235 "%U", name_user);
1236
1237 {
1238 DOM_SID user_sid;
1239 fstring sidstr;
1240
1241 sid_copy(&user_sid, &info3->dom_sid.sid);
1242 sid_append_rid(&user_sid, info3->user_rid);
1243 sid_to_string(sidstr, &user_sid);
1244 afsname = talloc_string_sub(state->mem_ctx, afsname,
1245 "%s", sidstr);
1246 }
1247
1248 if (afsname == NULL) {
1249 goto no_token;
1250 }
1251
1252 strlower_m(afsname);
1253
1254 DEBUG(10, ("Generating token for user %s\n", afsname));
1255
1256 cell = strchr(afsname, '@');
1257
1258 if (cell == NULL) {
1259 goto no_token;
1260 }
1261
1262 *cell = '\0';
1263 cell += 1;
1264
1265 /* Append an AFS token string */
1266 state->response.extra_data =
1267 afs_createtoken_str(afsname, cell);
1268
1269 if (state->response.extra_data != NULL)
1270 state->response.length +=
1271 strlen(state->response.extra_data)+1;
1272
1273 no_token:
1274 TALLOC_FREE(afsname);
1275 }
1276
1277 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1278 }
1279
1280
1281 /**********************************************************************
1282 Challenge Response Authentication Protocol
1283 **********************************************************************/
1284
1285 void winbindd_pam_auth_crap(struct winbindd_cli_state *state)
1286 {
1287 struct winbindd_domain *domain = NULL;
1288 const char *domain_name = NULL;
1289 NTSTATUS result;
1290
1291 if (!state->privileged) {
1292 char *error_string = NULL;
1293 DEBUG(2, ("winbindd_pam_auth_crap: non-privileged access "
1294 "denied. !\n"));
1295 DEBUGADD(2, ("winbindd_pam_auth_crap: Ensure permissions "
1296 "on %s are set correctly.\n",
1297 get_winbind_priv_pipe_dir()));
1298 /* send a better message than ACCESS_DENIED */
1299 error_string = talloc_asprintf(state->mem_ctx,
1300 "winbind client not authorized "
1301 "to use winbindd_pam_auth_crap."
1302 " Ensure permissions on %s "
1303 "are set correctly.",
1304 get_winbind_priv_pipe_dir());
1305 fstrcpy(state->response.data.auth.error_string, error_string);
1306 result = NT_STATUS_ACCESS_DENIED;
1307 goto done;
1308 }
1309
1310 /* Ensure null termination */
1311 state->request.data.auth_crap.user
1312 [sizeof(state->request.data.auth_crap.user)-1]=0;
1313 state->request.data.auth_crap.domain
1314 [sizeof(state->request.data.auth_crap.domain)-1]=0;
1315
1316 DEBUG(3, ("[%5lu]: pam auth crap domain: [%s] user: %s\n",
1317 (unsigned long)state->pid,
1318 state->request.data.auth_crap.domain,
1319 state->request.data.auth_crap.user));
1320
1321 if (*state->request.data.auth_crap.domain != '\0') {
1322 domain_name = state->request.data.auth_crap.domain;
1323 } else if (lp_winbind_use_default_domain()) {
1324 domain_name = lp_workgroup();
1325 }
1326
1327 if (domain_name != NULL)
1328 domain = find_auth_domain(state, domain_name);
1329
1330 if (domain != NULL) {
1331 sendto_domain(state, domain);
1332 return;
1333 }
1334
1335 result = NT_STATUS_NO_SUCH_USER;
1336
1337 done:
1338 set_auth_errors(&state->response, result);
1339 DEBUG(5, ("CRAP authentication for %s\\%s returned %s (PAM: %d)\n",
1340 state->request.data.auth_crap.domain,
1341 state->request.data.auth_crap.user,
1342 state->response.data.auth.nt_status_string,
1343 state->response.data.auth.pam_error));
1344 request_error(state);
1345 return;
1346 }
1347
1348
1349 enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
1350 struct winbindd_cli_state *state)
1351 {
1352 NTSTATUS result;
1353 NET_USER_INFO_3 info3;
1354 struct rpc_pipe_client *netlogon_pipe;
1355 const char *name_user = NULL;
1356 const char *name_domain = NULL;
1357 const char *workstation;
1358 struct winbindd_domain *contact_domain;
1359 int attempts = 0;
1360 BOOL retry;
1361
1362 DATA_BLOB lm_resp, nt_resp;
1363
1364 /* This is child-only, so no check for privileged access is needed
1365 anymore */
1366
1367 /* Ensure null termination */
1368 state->request.data.auth_crap.user[sizeof(state->request.data.auth_crap.user)-1]=0;
1369 state->request.data.auth_crap.domain[sizeof(state->request.data.auth_crap.domain)-1]=0;
1370
1371 name_user = state->request.data.auth_crap.user;
1372
1373 if (*state->request.data.auth_crap.domain) {
1374 name_domain = state->request.data.auth_crap.domain;
1375 } else if (lp_winbind_use_default_domain()) {
1376 name_domain = lp_workgroup();
1377 } else {
1378 DEBUG(5,("no domain specified with username (%s) - failing auth\n",
1379 name_user));
1380 result = NT_STATUS_NO_SUCH_USER;
1381 goto done;
1382 }
1383
1384 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
1385 name_domain, name_user));
1386
1387 if (*state->request.data.auth_crap.workstation) {
1388 workstation = state->request.data.auth_crap.workstation;
1389 } else {
1390 workstation = global_myname();
1391 }
1392
1393 if (state->request.data.auth_crap.lm_resp_len > sizeof(state->request.data.auth_crap.lm_resp)
1394 || state->request.data.auth_crap.nt_resp_len > sizeof(state->request.data.auth_crap.nt_resp)) {
1395 DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
1396 state->request.data.auth_crap.lm_resp_len,
1397 state->request.data.auth_crap.nt_resp_len));
1398 result = NT_STATUS_INVALID_PARAMETER;
1399 goto done;
1400 }
1401
1402 lm_resp = data_blob_talloc(state->mem_ctx, state->request.data.auth_crap.lm_resp,
1403 state->request.data.auth_crap.lm_resp_len);
1404 nt_resp = data_blob_talloc(state->mem_ctx, state->request.data.auth_crap.nt_resp,
1405 state->request.data.auth_crap.nt_resp_len);
1406
1407 /* what domain should we contact? */
1408
1409 if ( IS_DC ) {
1410 if (!(contact_domain = find_domain_from_name(name_domain))) {
1411 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1412 state->request.data.auth_crap.user, name_domain, name_user, name_domain));
1413 result = NT_STATUS_NO_SUCH_USER;
1414 goto done;
1415 }
1416 } else {
1417 if (is_myname(name_domain)) {
1418 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1419 result = NT_STATUS_NO_SUCH_USER;
1420 goto done;
1421 }
1422 contact_domain = find_our_domain();
1423 }
1424
1425 do {
1426 ZERO_STRUCT(info3);
1427 retry = False;
1428
1429 netlogon_pipe = NULL;
1430 result = cm_connect_netlogon(contact_domain, &netlogon_pipe);
1431
1432 if (!NT_STATUS_IS_OK(result)) {
1433 DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n",
1434 nt_errstr(result)));
1435 goto done;
1436 }
1437
1438 result = rpccli_netlogon_sam_network_logon(netlogon_pipe,
1439 state->mem_ctx,
1440 state->request.data.auth_crap.logon_parameters,
1441 contact_domain->dcname,
1442 name_user,
1443 name_domain,
1444 /* Bug #3248 - found by Stefan Burkei. */
1445 workstation, /* We carefully set this above so use it... */
1446 state->request.data.auth_crap.chal,
1447 lm_resp,
1448 nt_resp,
1449 &info3);
1450
1451 attempts += 1;
1452
1453 /* We have to try a second time as cm_connect_netlogon
1454 might not yet have noticed that the DC has killed
1455 our connection. */
1456
1457 if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) {
1458 retry = True;
1459 continue;
1460 }
1461
1462 /* if we get access denied, a possible cause was that we had and open
1463 connection to the DC, but someone changed our machine account password
1464 out from underneath us using 'net rpc changetrustpw' */
1465
1466 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1467 DEBUG(3,("winbindd_pam_auth: sam_logon returned "
1468 "ACCESS_DENIED. Maybe the trust account "
1469 "password was changed and we didn't know it. "
1470 "Killing connections to domain %s\n",
1471 name_domain));
1472 invalidate_cm_connection(&contact_domain->conn);
1473 retry = True;
1474 }
1475
1476 } while ( (attempts < 2) && retry );
1477
1478 if (NT_STATUS_IS_OK(result)) {
1479
1480 netsamlogon_cache_store(name_user, &info3);
1481 wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3);
1482
1483 /* Check if the user is in the right group */
1484
1485 if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, &info3,
1486 state->request.data.auth_crap.require_membership_of_sid))) {
1487 DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
1488 state->request.data.auth_crap.user,
1489 state->request.data.auth_crap.require_membership_of_sid));
1490 goto done;
1491 }
1492
1493 if (state->request.flags & WBFLAG_PAM_INFO3_NDR) {
1494 result = append_info3_as_ndr(state->mem_ctx, state, &info3);
1495 } else if (state->request.flags & WBFLAG_PAM_UNIX_NAME) {
1496 /* ntlm_auth should return the unix username, per
1497 'winbind use default domain' settings and the like */
1498
1499 fstring username_out;
1500 const char *nt_username, *nt_domain;
1501 if (!(nt_username = unistr2_tdup(state->mem_ctx, &(info3.uni_user_name)))) {
1502 /* If the server didn't give us one, just use the one we sent them */
1503 nt_username = name_user;
1504 }
1505
1506 if (!(nt_domain = unistr2_tdup(state->mem_ctx, &(info3.uni_logon_dom)))) {
1507 /* If the server didn't give us one, just use the one we sent them */
1508 nt_domain = name_domain;
1509 }
1510
1511 fill_domain_username(username_out, nt_domain, nt_username);
1512
1513 DEBUG(5, ("Setting unix username to [%s]\n", username_out));
1514
1515 state->response.extra_data = SMB_STRDUP(username_out);
1516 if (!state->response.extra_data) {
1517 result = NT_STATUS_NO_MEMORY;
1518 goto done;
1519 }
1520 state->response.length += strlen(state->response.extra_data)+1;
1521 }
1522
1523 if (state->request.flags & WBFLAG_PAM_USER_SESSION_KEY) {
1524 memcpy(state->response.data.auth.user_session_key, info3.user_sess_key,
1525 sizeof(state->response.data.auth.user_session_key) /* 16 */);
1526 }
1527 if (state->request.flags & WBFLAG_PAM_LMKEY) {
1528 memcpy(state->response.data.auth.first_8_lm_hash, info3.lm_sess_key,
1529 sizeof(state->response.data.auth.first_8_lm_hash) /* 8 */);
1530 }
1531 }
1532
1533 done:
1534
1535 /* give us a more useful (more correct?) error code */
1536 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
1537 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
1538 result = NT_STATUS_NO_LOGON_SERVERS;
1539 }
1540
1541 if (state->request.flags & WBFLAG_PAM_NT_STATUS_SQUASH) {
1542 result = nt_status_squash(result);
1543 }
1544
1545 state->response.data.auth.nt_status = NT_STATUS_V(result);
1546 fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
1547
1548 /* we might have given a more useful error above */
1549 if (!*state->response.data.auth.error_string) {
1550 fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
1551 }
1552 state->response.data.auth.pam_error = nt_status_to_pam(result);
1553
1554 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
1555 ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n",
1556 name_domain,
1557 name_user,
1558 state->response.data.auth.nt_status_string,
1559 state->response.data.auth.pam_error));
1560
1561 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1562 }
1563
1564 /* Change a user password */
1565
1566 void winbindd_pam_chauthtok(struct winbindd_cli_state *state)
1567 {
1568 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1569 char *oldpass;
1570 char *newpass = NULL;
1571 fstring domain, user;
1572 POLICY_HND dom_pol;
1573 struct winbindd_domain *contact_domain;
1574 struct rpc_pipe_client *cli;
1575 BOOL got_info = False;
1576 SAM_UNK_INFO_1 info;
1577 SAMR_CHANGE_REJECT reject;
1578
1579 DEBUG(3, ("[%5lu]: pam chauthtok %s\n", (unsigned long)state->pid,
1580 state->request.data.chauthtok.user));
1581
1582 /* Setup crap */
1583
1584 parse_domain_user(state->request.data.chauthtok.user, domain, user);
1585
1586 contact_domain = find_domain_from_name(domain);
1587 if (!contact_domain) {
1588 DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
1589 state->request.data.chauthtok.user, domain, user, domain));
1590 result = NT_STATUS_NO_SUCH_USER;
1591 goto done;
1592 }
1593
1594 /* Change password */
1595
1596 oldpass = state->request.data.chauthtok.oldpass;
1597 newpass = state->request.data.chauthtok.newpass;
1598
1599 /* Get sam handle */
1600
1601 result = cm_connect_sam(contact_domain, state->mem_ctx, &cli,
1602 &dom_pol);
1603 if (!NT_STATUS_IS_OK(result)) {
1604 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
1605 goto done;
1606 }
1607
1608 result = rpccli_samr_chgpasswd3(cli, state->mem_ctx, user, newpass, oldpass, &info, &reject);
1609
1610 /* FIXME: need to check for other error codes ? */
1611 if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION)) {
1612
1613 state->response.data.auth.policy.min_length_password =
1614 info.min_length_password;
1615 state->response.data.auth.policy.password_history =
1616 info.password_history;
1617 state->response.data.auth.policy.password_properties =
1618 info.password_properties;
1619 state->response.data.auth.policy.expire =
1620 nt_time_to_unix_abs(&info.expire);
1621 state->response.data.auth.policy.min_passwordage =
1622 nt_time_to_unix_abs(&info.min_passwordage);
1623
1624 state->response.data.auth.reject_reason =
1625 reject.reject_reason;
1626
1627 got_info = True;
1628
1629 } else if (!NT_STATUS_IS_OK(result)) {
1630
1631 DEBUG(10,("Password change with chgpasswd3 failed with: %s, retrying chgpasswd_user\n",
1632 nt_errstr(result)));
1633
1634 state->response.data.auth.reject_reason = 0;
1635
1636 result = rpccli_samr_chgpasswd_user(cli, state->mem_ctx, user, newpass, oldpass);
1637 }
1638
1639 done:
1640 if (NT_STATUS_IS_OK(result) && (state->request.flags & WBFLAG_PAM_CACHED_LOGIN) &&
1641 lp_winbind_offline_logon()) {
1642
1643 NTSTATUS cred_ret;
1644
1645 cred_ret = winbindd_update_creds_by_name(contact_domain,
1646 state->mem_ctx, user,
1647 newpass);
1648 if (!NT_STATUS_IS_OK(cred_ret)) {
1649 DEBUG(10,("Failed to store creds: %s\n", nt_errstr(cred_ret)));
1650 goto process_result; /* FIXME: hm, risking inconsistant cache ? */
1651 }
1652 }
1653
1654 if (!NT_STATUS_IS_OK(result) && !got_info && contact_domain) {
1655
1656 NTSTATUS policy_ret;
1657
1658 policy_ret = fillup_password_policy(contact_domain, state);
1659
1660 /* failure of this is non critical, it will just provide no
1661 * additional information to the client why the change has
1662 * failed - Guenther */
1663
1664 if (!NT_STATUS_IS_OK(policy_ret)) {
1665 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(policy_ret)));
1666 goto process_result;
1667 }
1668 }
1669
1670 process_result:
1671
1672 state->response.data.auth.nt_status = NT_STATUS_V(result);
1673 fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
1674 fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
1675 state->response.data.auth.pam_error = nt_status_to_pam(result);
1676
1677 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
1678 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
1679 domain,
1680 user,
1681 state->response.data.auth.nt_status_string,
1682 state->response.data.auth.pam_error));
1683
1684 if (NT_STATUS_IS_OK(result)) {
1685 request_ok(state);
1686 } else {
1687 request_error(state);
1688 }
1689 }
1690
1691 void winbindd_pam_logoff(struct winbindd_cli_state *state)
1692 {
1693 struct winbindd_domain *domain;
1694 fstring name_domain, user;
1695
1696 DEBUG(3, ("[%5lu]: pam logoff %s\n", (unsigned long)state->pid,
1697 state->request.data.logoff.user));
1698
1699 /* Ensure null termination */
1700 state->request.data.logoff.user
1701 [sizeof(state->request.data.logoff.user)-1]='\0';
1702
1703 state->request.data.logoff.krb5ccname
1704 [sizeof(state->request.data.logoff.krb5ccname)-1]='\0';
1705
1706 parse_domain_user(state->request.data.logoff.user, name_domain, user);
1707
1708 domain = find_auth_domain(state, name_domain);
1709
1710 if (domain == NULL) {
1711 set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
1712 DEBUG(5, ("Pam Logoff for %s returned %s "
1713 "(PAM: %d)\n",
1714 state->request.data.auth.user,
1715 state->response.data.auth.nt_status_string,
1716 state->response.data.auth.pam_error));
1717 request_error(state);
1718 return;
1719 }
1720
1721 sendto_domain(state, domain);
1722 }
1723
1724 enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
1725 struct winbindd_cli_state *state)
1726 {
1727 NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
1728 struct WINBINDD_CCACHE_ENTRY *entry;
1729 int ret;
1730
1731 DEBUG(3, ("[%5lu]: pam dual logoff %s\n", (unsigned long)state->pid,
1732 state->request.data.logoff.user));
1733
1734 if (!(state->request.flags & WBFLAG_PAM_KRB5)) {
1735 result = NT_STATUS_OK;
1736 goto process_result;
1737 }
1738
1739 #ifdef HAVE_KRB5
1740
1741 /* what we need here is to find the corresponding krb5 ccache name *we*
1742 * created for a given username and destroy it (as the user who created it) */
1743
1744 entry = get_ccache_by_username(state->request.data.logoff.user);
1745 if (entry == NULL) {
1746 DEBUG(10,("winbindd_pam_logoff: could not get ccname for user %s\n",
1747 state->request.data.logoff.user));
1748 goto process_result;
1749 }
1750
1751 DEBUG(10,("winbindd_pam_logoff: found ccache [%s]\n", entry->ccname));
1752
1753 if (entry->uid < 0 || state->request.data.logoff.uid < 0) {
1754 DEBUG(0,("winbindd_pam_logoff: invalid uid\n"));
1755 goto process_result;
1756 }
1757
1758 if (entry->uid != state->request.data.logoff.uid) {
1759 DEBUG(0,("winbindd_pam_logoff: uid's differ: %d != %d\n",
1760 entry->uid, state->request.data.logoff.uid));
1761 goto process_result;
1762 }
1763
1764 if (!strcsequal(entry->ccname, state->request.data.logoff.krb5ccname)) {
1765 DEBUG(0,("winbindd_pam_logoff: krb5ccnames differ: (daemon) %s != (client) %s\n",
1766 entry->ccname, state->request.data.logoff.krb5ccname));
1767 goto process_result;
1768 }
1769
1770 seteuid(entry->uid);
1771
1772 ret = ads_kdestroy(entry->ccname);
1773
1774 seteuid(0);
1775
1776 if (ret) {
1777 DEBUG(0,("winbindd_pam_logoff: failed to destroy user ccache %s with: %s\n",
1778 entry->ccname, error_message(ret)));
1779 } else {
1780 DEBUG(10,("winbindd_pam_logoff: successfully destroyed ccache %s for user %s\n",
1781 entry->ccname, state->request.data.logoff.user));
1782 remove_ccache_by_ccname(entry->ccname);
1783 }
1784
1785 result = krb5_to_nt_status(ret);
1786 #else
1787 result = NT_STATUS_NOT_SUPPORTED;
1788 #endif
1789
1790 process_result:
1791 state->response.data.auth.nt_status = NT_STATUS_V(result);
1792 fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
1793 fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
1794 state->response.data.auth.pam_error = nt_status_to_pam(result);
1795
1796 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1797 }
1798