search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Describe implication of upstream ICU-22610
[samba.git] / nsswitch / krb5_plugin / winbind_krb5_localauth.c
blob80a35de412f2660f128be9c364dca5dd04ac0652
1 /*
2 Unix SMB/CIFS implementation.
3
4 A localauth plugin for MIT Kerberos
5
6 Copyright (C) 2018 Andreas Schneider <asn@samba.org>
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "replace.h"
23 #include <krb5/localauth_plugin.h>
24 #include <wbclient.h>
25 #ifdef HAVE_COM_ERR_H
26 #include <com_err.h>
27 #endif
28
29 struct krb5_localauth_moddata_st {
30 struct wbcContext *wbc_ctx;
31 };
32
33 /*
34 * Initialize the module data.
35 *
36 * This creates the wbclient context.
37 */
38 static krb5_error_code winbind_init(krb5_context context,
39 krb5_localauth_moddata *data)
40 {
41 krb5_localauth_moddata d;
42
43 *data = NULL;
44 d = malloc(sizeof(struct krb5_localauth_moddata_st));
45 if (d == NULL) {
46 return ENOMEM;
47 }
48
49 d->wbc_ctx = wbcCtxCreate();
50 if (d->wbc_ctx == NULL) {
51 free(d);
52 return ENOMEM;
53 }
54
55 wbcSetClientProcessName("krb5_localauth_plugin");
56
57 *data = d;
58
59 return 0;
60 }
61
62 /*
63 * Release resources used by module data.
64 */
65 static void winbind_fini(krb5_context context, krb5_localauth_moddata data)
66 {
67 wbcCtxFree(data->wbc_ctx);
68 free(data);
69 data = NULL;
70 }
71
72 /*
73 * Determine whether aname is authorized to log in as the local account lname.
74 *
75 * Return 0 if aname is authorized, EPERM if aname is authoritatively not
76 * authorized, KRB5_PLUGIN_NO_HANDLE if the module cannot determine whether
77 * aname is authorized, and any other error code for a serious failure to
78 * process the request. aname will be considered authorized if at least one
79 * module returns 0 and all other modules return KRB5_PLUGIN_NO_HANDLE.
80 */
81 static krb5_error_code winbind_userok(krb5_context context,
82 krb5_localauth_moddata data,
83 krb5_const_principal aname,
84 const char *lname)
85 {
86 krb5_error_code code = 0;
87 char *princ_str = NULL;
88 struct passwd *pwd = NULL;
89 uid_t princ_uid = (uid_t)-1;
90 uid_t lname_uid = (uid_t)-1;
91 wbcErr wbc_status;
92 int cmp;
93
94 code = krb5_unparse_name(context, aname, &princ_str);
95 if (code != 0) {
96 return code;
97 }
98
99 cmp = strcasecmp(princ_str, lname);
100 if (cmp == 0) {
101 goto out;
102 }
103
104 wbc_status = wbcCtxGetpwnam(data->wbc_ctx,
105 princ_str,
106 &pwd);
107 switch (wbc_status) {
108 case WBC_ERR_SUCCESS:
109 princ_uid = pwd->pw_uid;
110 code = 0;
111 break;
112 case WBC_ERR_UNKNOWN_USER:
113 /* match other insane libwbclient return codes */
114 case WBC_ERR_WINBIND_NOT_AVAILABLE:
115 case WBC_ERR_DOMAIN_NOT_FOUND:
116 case WBC_ERR_NOT_MAPPED:
117 code = KRB5_PLUGIN_NO_HANDLE;
118 break;
119 default:
120 code = EIO;
121 break;
122 }
123 wbcFreeMemory(pwd);
124 pwd = NULL;
125 if (code != 0) {
126 goto out;
127 }
128
129 wbc_status = wbcCtxGetpwnam(data->wbc_ctx,
130 lname,
131 &pwd);
132 switch (wbc_status) {
133 case WBC_ERR_SUCCESS:
134 lname_uid = pwd->pw_uid;
135 break;
136 case WBC_ERR_UNKNOWN_USER:
137 /* match other insane libwbclient return codes */
138 case WBC_ERR_WINBIND_NOT_AVAILABLE:
139 case WBC_ERR_DOMAIN_NOT_FOUND:
140 case WBC_ERR_NOT_MAPPED:
141 code = KRB5_PLUGIN_NO_HANDLE;
142 break;
143 default:
144 code = EIO;
145 break;
146 }
147 wbcFreeMemory(pwd);
148 if (code != 0) {
149 goto out;
150 }
151
152 if (princ_uid != lname_uid) {
153 code = EPERM;
154 }
155
156 com_err("winbind_localauth",
157 code,
158 "Access %s: %s (uid=%u) %sequal to %s (uid=%u)",
159 code == 0 ? "granted" : "denied",
160 princ_str,
161 (unsigned int)princ_uid,
162 code == 0 ? "" : "not ",
163 lname,
164 (unsigned int)lname_uid);
165
166 out:
167 krb5_free_unparsed_name(context, princ_str);
168
169 return code;
170 }
171
172 /*
173 * Determine the local account name corresponding to aname.
174 *
175 * Return 0 and set *lname_out if a mapping can be determined; the contents of
176 * *lname_out will later be released with a call to the module's free_string
177 * method. Return KRB5_LNAME_NOTRANS if no mapping can be determined. Return
178 * any other error code for a serious failure to process the request; this will
179 * halt the krb5_aname_to_localname operation.
180 *
181 * If the module's an2ln_types field is set, this method will only be invoked
182 * when a profile "auth_to_local" value references one of the module's types.
183 * type and residual will be set to the type and residual of the auth_to_local
184 * value.
185 *
186 * If the module's an2ln_types field is not set but the an2ln method is
187 * implemented, this method will be invoked independently of the profile's
188 * auth_to_local settings, with type and residual set to NULL. If multiple
189 * modules are registered with an2ln methods but no an2ln_types field, the
190 * order of invocation is not defined, but all such modules will be consulted
191 * before the built-in mechanisms are tried.
192 */
193 static krb5_error_code winbind_an2ln(krb5_context context,
194 krb5_localauth_moddata data,
195 const char *type,
196 const char *residual,
197 krb5_const_principal aname,
198 char **lname_out)
199 {
200 krb5_error_code code = 0;
201 char *princ_str = NULL;
202 char *name = NULL;
203 struct passwd *pwd = NULL;
204 wbcErr wbc_status;
205
206 code = krb5_unparse_name(context, aname, &princ_str);
207 if (code != 0) {
208 return code;
209 }
210
211 wbc_status = wbcCtxGetpwnam(data->wbc_ctx,
212 princ_str,
213 &pwd);
214 krb5_free_unparsed_name(context, princ_str);
215 switch (wbc_status) {
216 case WBC_ERR_SUCCESS:
217 name = strdup(pwd->pw_name);
218 code = 0;
219 break;
220 case WBC_ERR_UNKNOWN_USER:
221 /* match other insane libwbclient return codes */
222 case WBC_ERR_WINBIND_NOT_AVAILABLE:
223 case WBC_ERR_DOMAIN_NOT_FOUND:
224 case WBC_ERR_NOT_MAPPED:
225 code = KRB5_LNAME_NOTRANS;
226 break;
227 default:
228 code = EIO;
229 break;
230 }
231 wbcFreeMemory(pwd);
232 if (code != 0) {
233 return code;
234 }
235
236 if (name == NULL) {
237 return ENOMEM;
238 }
239
240 *lname_out = name;
241
242 return code;
243 }
244
245 /*
246 * Release the memory returned by an invocation of an2ln.
247 */
248 static void winbind_free_string(krb5_context context,
249 krb5_localauth_moddata data,
250 char *str)
251 {
252 free(str);
253 }
254
255 _PUBLIC_ krb5_error_code
256 localauth_winbind_initvt(krb5_context context,
257 int maj_ver,
258 int min_ver,
259 krb5_plugin_vtable vtable);
260
261 _PUBLIC_ krb5_error_code
262 localauth_winbind_initvt(krb5_context context,
263 int maj_ver,
264 int min_ver,
265 krb5_plugin_vtable vtable)
266 {
267 krb5_localauth_vtable vt = (krb5_localauth_vtable)vtable;
268
269 if (maj_ver != 1) {
270 com_err("winbind_localauth",
271 EINVAL,
272 "Failed to load, plugin API changed.");
273 return KRB5_PLUGIN_VER_NOTSUPP;
274 }
275
276 vt->init = winbind_init;
277 vt->fini = winbind_fini;
278 vt->name = "winbind";
279 vt->an2ln = winbind_an2ln;
280 vt->userok = winbind_userok;
281 vt->free_string = winbind_free_string;
282
283 return 0;
284 }
Samba git mirror