2 Unix SMB/CIFS implementation.
4 Winbind authentication mechanism
6 Copyright (C) Tim Potter 2000
7 Copyright (C) Andrew Bartlett 2001 - 2002
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #define DBGC_CLASS DBGC_AUTH
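/**
 * Authenticate a user with a challenge/response by passing the check to
 * winbind via wbcAuthenticateUserEx().
 *
 * @param auth_context     Supplies the challenge the client responded to.
 * @param my_private_data  Optional fallback struct auth_methods; it is only
 *                         consulted when winbind is not available. May be NULL.
 * @param mem_ctx          Context handed on when *server_info is built (and
 *                         to the fallback method, if one is called).
 * @param user_info        Client-supplied names and NT/LM responses.
 * @param server_info      Receives the server-side user info on success.
 *
 * @return NT_STATUS_INVALID_PARAMETER when user_info or auth_context is
 *         missing or the challenge is absent/too short;
 *         NT_STATUS_NOT_IMPLEMENTED when the mapped domain is this SAM's name;
 *         NT_STATUS_NO_MEMORY when winbind reports an allocation failure;
 *         the fallback method's result, or NT_STATUS_LOGON_FAILURE without
 *         one, when winbind is not available;
 *         the NT status winbind reported for an authentication error;
 *         NT_STATUS_LOGON_FAILURE for any other winbind failure;
 *         otherwise the status of make_server_info_wbcAuthUserInfo().
 */
static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
				       void *my_private_data,
				       TALLOC_CTX *mem_ctx,
				       const struct auth_usersupplied_info *user_info,
				       struct auth_serversupplied_info **server_info)
{
	NTSTATUS nt_status;
	wbcErr wbc_status;
	struct wbcAuthUserParams params;
	struct wbcAuthUserInfo *info = NULL;
	struct wbcAuthErrorInfo *err = NULL;

	if (!user_info) {
		return NT_STATUS_INVALID_PARAMETER;
	}

	DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));

	if (!auth_context) {
		DEBUG(3,("Password for user %s cannot be checked because we have no auth_info to get the challenge from.\n",
			 user_info->mapped.account_name));
		return NT_STATUS_INVALID_PARAMETER;
	}

	if (strequal(user_info->mapped.domain_name, get_global_sam_name())) {
		DEBUG(3,("check_winbind_security: Not using winbind, requested domain [%s] was for this SAM.\n",
			user_info->mapped.domain_name));
		return NT_STATUS_NOT_IMPLEMENTED;
	}

	/*
	 * The memcpy() below always reads a full
	 * sizeof(params.password.response.challenge) bytes. Refuse a challenge
	 * blob that is absent or shorter than that instead of reading past
	 * the end of it.
	 */
	if (auth_context->challenge.data == NULL ||
	    auth_context->challenge.length <
	    sizeof(params.password.response.challenge)) {
		DEBUG(3,("check_winbind_security: challenge is missing or too short\n"));
		return NT_STATUS_INVALID_PARAMETER;
	}

	/* Send off request */

	/*
	 * Clear the whole request first, so that any member this function
	 * does not assign explicitly reaches libwbclient as zero rather than
	 * as uninitialised stack contents.
	 */
	memset(&params, 0, sizeof(params));

	params.account_name	= user_info->client.account_name;
	params.domain_name	= user_info->mapped.domain_name;
	params.workstation_name	= user_info->workstation_name;

	params.parameter_control= user_info->logon_parameters;

	params.level		= WBC_AUTH_USER_LEVEL_RESPONSE;

	memcpy(params.password.response.challenge,
	       auth_context->challenge.data,
	       sizeof(params.password.response.challenge));

	/* The response blobs are passed by reference, not copied. */
	params.password.response.nt_length = user_info->password.response.nt.length;
	params.password.response.nt_data   = user_info->password.response.nt.data;
	params.password.response.lm_length = user_info->password.response.lanman.length;
	params.password.response.lm_data   = user_info->password.response.lanman.data;

	/* we are contacting the privileged pipe */
	become_root();
	wbc_status = wbcAuthenticateUserEx(&params, &info, &err);
	unbecome_root();

	if (!WBC_ERROR_IS_OK(wbc_status)) {
		DEBUG(10,("check_winbind_security: wbcAuthenticateUserEx failed: %s\n",
			wbcErrorString(wbc_status)));
	}

	if (wbc_status == WBC_ERR_NO_MEMORY) {
		return NT_STATUS_NO_MEMORY;
	}

	if (wbc_status == WBC_ERR_WINBIND_NOT_AVAILABLE) {
		/*
		 * The fallback method is reached only when winbind itself
		 * cannot be contacted, never after winbind rejected the logon.
		 */
		struct auth_methods *auth_method =
			(struct auth_methods *)my_private_data;

		if (auth_method) {
			return auth_method->auth(auth_context, auth_method->private_data,
				mem_ctx, user_info, server_info);
		}
		return NT_STATUS_LOGON_FAILURE;
	}

	if (wbc_status == WBC_ERR_AUTH_ERROR) {
		/* Fail closed if no error detail accompanied the failure. */
		if (err == NULL) {
			return NT_STATUS_LOGON_FAILURE;
		}
		nt_status = NT_STATUS(err->nt_status);
		wbcFreeMemory(err);
		/* An authentication error must never surface as success. */
		if (NT_STATUS_IS_OK(nt_status)) {
			return NT_STATUS_LOGON_FAILURE;
		}
		return nt_status;
	}

	if (!WBC_ERROR_IS_OK(wbc_status)) {
		return NT_STATUS_LOGON_FAILURE;
	}

	nt_status = make_server_info_wbcAuthUserInfo(mem_ctx,
						     user_info->client.account_name,
						     user_info->mapped.domain_name,
						     info, server_info);
	wbcFreeMemory(info);
	if (!NT_STATUS_IS_OK(nt_status)) {
		return nt_status;
	}

	(*server_info)->nss_token |= user_info->was_mapped;

	return nt_status;
}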
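/**
 * Module initialisation: create the "winbind" auth method on auth_context.
 *
 * @param auth_context  Context the method (and any fallback module) is
 *                      allocated on and loaded for.
 * @param param         Optional name of a fallback auth module. When
 *                      non-empty, the module is loaded and stored as the
 *                      method's private data, which check_winbind_security
 *                      calls when winbind is not available.
 * @param auth_method   Receives the new method on success; left untouched
 *                      on failure.
 *
 * @return NT_STATUS_NO_MEMORY if the method cannot be allocated,
 *         NT_STATUS_UNSUCCESSFUL if the fallback module cannot be loaded,
 *         NT_STATUS_OK otherwise.
 */
static NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
{
	struct auth_methods *result;

	result = TALLOC_ZERO_P(auth_context, struct auth_methods);
	if (result == NULL) {
		return NT_STATUS_NO_MEMORY;
	}
	result->name = "winbind";
	result->auth = check_winbind_security;

	if (param && *param) {
		/*
		 * Load the 'fallback' module: it decides the logon whenever
		 * winbind is not available.
		 */
		auth_methods *priv;
		if (!load_auth_module(auth_context, param, &priv)) {
			/*
			 * Do not leave the half-built method hanging off
			 * auth_context when initialisation fails.
			 */
			TALLOC_FREE(result);
			return NT_STATUS_UNSUCCESSFUL;
		}
		result->private_data = (void *)priv;
	}

	*auth_method = result;
	return NT_STATUS_OK;
}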
/**
 * Register the "winbind" auth method, with auth_init_winbind as its
 * initialiser, for AUTH_INTERFACE_VERSION.
 *
 * @return The status returned by smb_register_auth().
 */
NTSTATUS auth_winbind_init(void)
{
	NTSTATUS status;

	status = smb_register_auth(AUTH_INTERFACE_VERSION, "winbind",
				   auth_init_winbind);
	return status;
}