2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Volker Lendecke 2006
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #define DBGC_CLASS DBGC_AUTH
29 /****************************************************************************
30 Create a UNIX user on demand.
31 ****************************************************************************/
33 static int smb_create_user(const char *domain, const char *unix_username, const char *homedir)
35 TALLOC_CTX *ctx = talloc_tos();
39 add_script = talloc_strdup(ctx, lp_adduser_script());
40 if (!add_script || !*add_script) {
43 add_script = talloc_all_string_sub(ctx,
51 add_script = talloc_all_string_sub(ctx,
60 add_script = talloc_all_string_sub(ctx,
68 ret = smbrun(add_script,NULL);
71 ("smb_create_user: Running the command `%s' gave %d\n",
76 /****************************************************************************
77 Create an auth_usersupplied_data structure
78 ****************************************************************************/
80 static NTSTATUS make_user_info(auth_usersupplied_info **user_info,
82 const char *internal_username,
83 const char *client_domain,
85 const char *wksta_name,
86 DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd,
87 DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd,
92 DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name));
94 *user_info = SMB_MALLOC_P(auth_usersupplied_info);
95 if (*user_info == NULL) {
96 DEBUG(0,("malloc failed for user_info (size %lu)\n", (unsigned long)sizeof(*user_info)));
97 return NT_STATUS_NO_MEMORY;
100 ZERO_STRUCTP(*user_info);
102 DEBUG(5,("making strings for %s's user_info struct\n", internal_username));
104 (*user_info)->smb_name = SMB_STRDUP(smb_name);
105 if ((*user_info)->smb_name == NULL) {
106 free_user_info(user_info);
107 return NT_STATUS_NO_MEMORY;
110 (*user_info)->internal_username = SMB_STRDUP(internal_username);
111 if ((*user_info)->internal_username == NULL) {
112 free_user_info(user_info);
113 return NT_STATUS_NO_MEMORY;
116 (*user_info)->domain = SMB_STRDUP(domain);
117 if ((*user_info)->domain == NULL) {
118 free_user_info(user_info);
119 return NT_STATUS_NO_MEMORY;
122 (*user_info)->client_domain = SMB_STRDUP(client_domain);
123 if ((*user_info)->client_domain == NULL) {
124 free_user_info(user_info);
125 return NT_STATUS_NO_MEMORY;
128 (*user_info)->wksta_name = SMB_STRDUP(wksta_name);
129 if ((*user_info)->wksta_name == NULL) {
130 free_user_info(user_info);
131 return NT_STATUS_NO_MEMORY;
134 DEBUG(5,("making blobs for %s's user_info struct\n", internal_username));
137 (*user_info)->lm_resp = data_blob(lm_pwd->data, lm_pwd->length);
139 (*user_info)->nt_resp = data_blob(nt_pwd->data, nt_pwd->length);
140 if (lm_interactive_pwd)
141 (*user_info)->lm_interactive_pwd = data_blob(lm_interactive_pwd->data, lm_interactive_pwd->length);
142 if (nt_interactive_pwd)
143 (*user_info)->nt_interactive_pwd = data_blob(nt_interactive_pwd->data, nt_interactive_pwd->length);
146 (*user_info)->plaintext_password = data_blob(plaintext->data, plaintext->length);
148 (*user_info)->encrypted = encrypted;
150 (*user_info)->logon_parameters = 0;
152 DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name));
157 /****************************************************************************
158 Create an auth_usersupplied_data structure after appropriate mapping.
159 ****************************************************************************/
161 NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
162 const char *smb_name,
163 const char *client_domain,
164 const char *wksta_name,
165 DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd,
166 DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd,
167 DATA_BLOB *plaintext,
173 fstring internal_username;
174 fstrcpy(internal_username, smb_name);
175 was_mapped = map_username(internal_username);
177 DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n",
178 client_domain, smb_name, wksta_name));
180 /* don't allow "" as a domain, fixes a Win9X bug
181 where it doens't supply a domain for logon script
182 'net use' commands. */
184 if ( *client_domain )
185 domain = client_domain;
187 domain = lp_workgroup();
189 /* do what win2k does. Always map unknown domains to our own
190 and let the "passdb backend" handle unknown users. */
192 if ( !is_trusted_domain(domain) && !strequal(domain, get_global_sam_name()) )
193 domain = my_sam_name();
195 /* we know that it is a trusted domain (and we are allowing them) or it is our domain */
197 result = make_user_info(user_info, smb_name, internal_username,
198 client_domain, domain, wksta_name,
200 lm_interactive_pwd, nt_interactive_pwd,
201 plaintext, encrypted);
202 if (NT_STATUS_IS_OK(result)) {
203 (*user_info)->was_mapped = was_mapped;
208 /****************************************************************************
209 Create an auth_usersupplied_data, making the DATA_BLOBs here.
210 Decrypt and encrypt the passwords.
211 ****************************************************************************/
213 bool make_user_info_netlogon_network(auth_usersupplied_info **user_info,
214 const char *smb_name,
215 const char *client_domain,
216 const char *wksta_name,
217 uint32 logon_parameters,
218 const uchar *lm_network_pwd,
220 const uchar *nt_network_pwd,
225 DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len);
226 DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
228 status = make_user_info_map(user_info,
229 smb_name, client_domain,
231 lm_pwd_len ? &lm_blob : NULL,
232 nt_pwd_len ? &nt_blob : NULL,
236 if (NT_STATUS_IS_OK(status)) {
237 (*user_info)->logon_parameters = logon_parameters;
239 ret = NT_STATUS_IS_OK(status) ? True : False;
241 data_blob_free(&lm_blob);
242 data_blob_free(&nt_blob);
246 /****************************************************************************
247 Create an auth_usersupplied_data, making the DATA_BLOBs here.
248 Decrypt and encrypt the passwords.
249 ****************************************************************************/
251 bool make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
252 const char *smb_name,
253 const char *client_domain,
254 const char *wksta_name,
255 uint32 logon_parameters,
257 const uchar lm_interactive_pwd[16],
258 const uchar nt_interactive_pwd[16],
259 const uchar *dc_sess_key)
261 unsigned char lm_pwd[16];
262 unsigned char nt_pwd[16];
263 unsigned char local_lm_response[24];
264 unsigned char local_nt_response[24];
265 unsigned char key[16];
268 memcpy(key, dc_sess_key, 8);
270 if (lm_interactive_pwd)
271 memcpy(lm_pwd, lm_interactive_pwd, sizeof(lm_pwd));
273 if (nt_interactive_pwd)
274 memcpy(nt_pwd, nt_interactive_pwd, sizeof(nt_pwd));
276 #ifdef DEBUG_PASSWORD
278 dump_data(100, key, sizeof(key));
280 DEBUG(100,("lm owf password:"));
281 dump_data(100, lm_pwd, sizeof(lm_pwd));
283 DEBUG(100,("nt owf password:"));
284 dump_data(100, nt_pwd, sizeof(nt_pwd));
287 if (lm_interactive_pwd)
288 SamOEMhash(lm_pwd, key, sizeof(lm_pwd));
290 if (nt_interactive_pwd)
291 SamOEMhash(nt_pwd, key, sizeof(nt_pwd));
293 #ifdef DEBUG_PASSWORD
294 DEBUG(100,("decrypt of lm owf password:"));
295 dump_data(100, lm_pwd, sizeof(lm_pwd));
297 DEBUG(100,("decrypt of nt owf password:"));
298 dump_data(100, nt_pwd, sizeof(nt_pwd));
301 if (lm_interactive_pwd)
302 SMBOWFencrypt(lm_pwd, chal,
305 if (nt_interactive_pwd)
306 SMBOWFencrypt(nt_pwd, chal,
309 /* Password info paranoia */
315 DATA_BLOB local_lm_blob;
316 DATA_BLOB local_nt_blob;
318 DATA_BLOB lm_interactive_blob;
319 DATA_BLOB nt_interactive_blob;
321 if (lm_interactive_pwd) {
322 local_lm_blob = data_blob(local_lm_response,
323 sizeof(local_lm_response));
324 lm_interactive_blob = data_blob(lm_pwd,
329 if (nt_interactive_pwd) {
330 local_nt_blob = data_blob(local_nt_response,
331 sizeof(local_nt_response));
332 nt_interactive_blob = data_blob(nt_pwd,
337 nt_status = make_user_info_map(
339 smb_name, client_domain, wksta_name,
340 lm_interactive_pwd ? &local_lm_blob : NULL,
341 nt_interactive_pwd ? &local_nt_blob : NULL,
342 lm_interactive_pwd ? &lm_interactive_blob : NULL,
343 nt_interactive_pwd ? &nt_interactive_blob : NULL,
346 if (NT_STATUS_IS_OK(nt_status)) {
347 (*user_info)->logon_parameters = logon_parameters;
350 ret = NT_STATUS_IS_OK(nt_status) ? True : False;
351 data_blob_free(&local_lm_blob);
352 data_blob_free(&local_nt_blob);
353 data_blob_free(&lm_interactive_blob);
354 data_blob_free(&nt_interactive_blob);
360 /****************************************************************************
361 Create an auth_usersupplied_data structure
362 ****************************************************************************/
364 bool make_user_info_for_reply(auth_usersupplied_info **user_info,
365 const char *smb_name,
366 const char *client_domain,
368 DATA_BLOB plaintext_password)
371 DATA_BLOB local_lm_blob;
372 DATA_BLOB local_nt_blob;
373 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
376 * Not encrypted - do so.
379 DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted "
382 if (plaintext_password.data) {
383 unsigned char local_lm_response[24];
385 #ifdef DEBUG_PASSWORD
386 DEBUG(10,("Unencrypted password (len %d):\n",
387 (int)plaintext_password.length));
388 dump_data(100, plaintext_password.data,
389 plaintext_password.length);
392 SMBencrypt( (const char *)plaintext_password.data,
393 (const uchar*)chal, local_lm_response);
394 local_lm_blob = data_blob(local_lm_response, 24);
396 /* We can't do an NT hash here, as the password needs to be
398 local_nt_blob = data_blob_null;
401 local_lm_blob = data_blob_null;
402 local_nt_blob = data_blob_null;
405 ret = make_user_info_map(
406 user_info, smb_name, client_domain,
407 get_remote_machine_name(),
408 local_lm_blob.data ? &local_lm_blob : NULL,
409 local_nt_blob.data ? &local_nt_blob : NULL,
411 plaintext_password.data ? &plaintext_password : NULL,
414 data_blob_free(&local_lm_blob);
415 return NT_STATUS_IS_OK(ret) ? True : False;
418 /****************************************************************************
419 Create an auth_usersupplied_data structure
420 ****************************************************************************/
422 NTSTATUS make_user_info_for_reply_enc(auth_usersupplied_info **user_info,
423 const char *smb_name,
424 const char *client_domain,
425 DATA_BLOB lm_resp, DATA_BLOB nt_resp)
427 return make_user_info_map(user_info, smb_name,
429 get_remote_machine_name(),
430 lm_resp.data ? &lm_resp : NULL,
431 nt_resp.data ? &nt_resp : NULL,
436 /****************************************************************************
437 Create a guest user_info blob, for anonymous authenticaion.
438 ****************************************************************************/
440 bool make_user_info_guest(auth_usersupplied_info **user_info)
444 nt_status = make_user_info(user_info,
453 return NT_STATUS_IS_OK(nt_status) ? True : False;
456 static int server_info_dtor(auth_serversupplied_info *server_info)
458 TALLOC_FREE(server_info->sam_account);
459 ZERO_STRUCTP(server_info);
463 /***************************************************************************
464 Make a server_info struct. Free with TALLOC_FREE().
465 ***************************************************************************/
467 static auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx)
469 struct auth_serversupplied_info *result;
471 result = TALLOC_ZERO_P(mem_ctx, auth_serversupplied_info);
472 if (result == NULL) {
473 DEBUG(0, ("talloc failed\n"));
477 talloc_set_destructor(result, server_info_dtor);
479 /* Initialise the uid and gid values to something non-zero
480 which may save us from giving away root access if there
481 is a bug in allocating these fields. */
483 result->utok.uid = -1;
484 result->utok.gid = -1;
488 static char *sanitize_username(TALLOC_CTX *mem_ctx, const char *username)
492 alpha_strcpy(tmp, username, ". _-$", sizeof(tmp));
493 return talloc_strdup(mem_ctx, tmp);
496 /***************************************************************************
497 Make (and fill) a user_info struct from a struct samu
498 ***************************************************************************/
500 NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
501 struct samu *sampass)
506 auth_serversupplied_info *result;
509 DOM_SID unix_group_sid;
512 if ( !(result = make_server_info(NULL)) ) {
513 return NT_STATUS_NO_MEMORY;
516 if ( !(pwd = getpwnam_alloc(result, pdb_get_username(sampass))) ) {
517 DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n",
518 pdb_get_username(sampass)));
520 return NT_STATUS_NO_SUCH_USER;
523 result->sam_account = sampass;
524 /* Ensure thaat the sampass will be freed with the result */
525 talloc_steal(result, sampass);
526 result->unix_name = pwd->pw_name;
527 /* Ensure that we keep pwd->pw_name, because we will free pwd below */
528 talloc_steal(result, pwd->pw_name);
529 result->utok.gid = pwd->pw_gid;
530 result->utok.uid = pwd->pw_uid;
534 result->sanitized_username = sanitize_username(result,
536 if (result->sanitized_username == NULL) {
538 return NT_STATUS_NO_MEMORY;
541 status = pdb_enum_group_memberships(result, sampass,
542 &result->sids, &gids,
545 if (!NT_STATUS_IS_OK(status)) {
546 DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
548 result->sam_account = NULL; /* Don't free on error exit. */
553 /* Add the "Unix Group" SID for each gid to catch mapped groups
554 and their Unix equivalent. This is to solve the backwards
555 compatibility problem of 'valid users = +ntadmin' where
556 ntadmin has been paired with "Domain Admins" in the group
557 mapping table. Otherwise smb.conf would need to be changed
558 to 'valid user = "Domain Admins"'. --jerry */
560 num_gids = result->num_sids;
561 for ( i=0; i<num_gids; i++ ) {
562 if ( !gid_to_unix_groups_sid( gids[i], &unix_group_sid ) ) {
563 DEBUG(1,("make_server_info_sam: Failed to create SID "
564 "for gid %d!\n", gids[i]));
567 status = add_sid_to_array_unique(result, &unix_group_sid,
570 if (!NT_STATUS_IS_OK(status)) {
571 result->sam_account = NULL; /* Don't free on error exit. */
577 /* For now we throw away the gids and convert via sid_to_gid
578 * later. This needs fixing, but I'd like to get the code straight and
583 DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n",
584 pdb_get_username(sampass), result->unix_name));
586 *server_info = result;
591 static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token)
597 if ((lp_log_nt_token_command() == NULL) ||
598 (strlen(lp_log_nt_token_command()) == 0)) {
602 group_sidstr = talloc_strdup(tmp_ctx, "");
603 for (i=1; i<token->num_sids; i++) {
604 group_sidstr = talloc_asprintf(
605 tmp_ctx, "%s %s", group_sidstr,
606 sid_string_talloc(tmp_ctx, &token->user_sids[i]));
609 command = talloc_string_sub(
610 tmp_ctx, lp_log_nt_token_command(),
611 "%s", sid_string_talloc(tmp_ctx, &token->user_sids[0]));
612 command = talloc_string_sub(tmp_ctx, command, "%t", group_sidstr);
614 if (command == NULL) {
615 return NT_STATUS_NO_MEMORY;
618 DEBUG(8, ("running command: [%s]\n", command));
619 if (smbrun(command, NULL) != 0) {
620 DEBUG(0, ("Could not log NT token\n"));
621 return NT_STATUS_ACCESS_DENIED;
628 * Create the token to use from server_info->sam_account and
629 * server_info->sids (the info3/sam groups). Find the unix gids.
632 NTSTATUS create_local_token(auth_serversupplied_info *server_info)
639 mem_ctx = talloc_new(NULL);
640 if (mem_ctx == NULL) {
641 DEBUG(0, ("talloc_new failed\n"));
642 return NT_STATUS_NO_MEMORY;
646 * If winbind is not around, we can not make much use of the SIDs the
647 * domain controller provided us with. Likewise if the user name was
648 * mapped to some local unix user.
651 if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
652 (server_info->nss_token)) {
653 status = create_token_from_username(server_info,
654 server_info->unix_name,
656 &server_info->utok.uid,
657 &server_info->utok.gid,
658 &server_info->unix_name,
662 server_info->ptok = create_local_nt_token(
664 pdb_get_user_sid(server_info->sam_account),
666 server_info->num_sids, server_info->sids);
667 status = server_info->ptok ?
668 NT_STATUS_OK : NT_STATUS_NO_SUCH_USER;
671 if (!NT_STATUS_IS_OK(status)) {
672 TALLOC_FREE(mem_ctx);
676 /* Convert the SIDs to gids. */
678 server_info->utok.ngroups = 0;
679 server_info->utok.groups = NULL;
681 /* Start at index 1, where the groups start. */
683 for (i=1; i<server_info->ptok->num_sids; i++) {
685 DOM_SID *sid = &server_info->ptok->user_sids[i];
687 if (!sid_to_gid(sid, &gid)) {
688 DEBUG(10, ("Could not convert SID %s to gid, "
689 "ignoring it\n", sid_string_dbg(sid)));
692 add_gid_to_array_unique(server_info, gid,
693 &server_info->utok.groups,
694 &server_info->utok.ngroups);
697 debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok);
699 status = log_nt_token(mem_ctx, server_info->ptok);
701 TALLOC_FREE(mem_ctx);
706 * Create an artificial NT token given just a username. (Initially indended
709 * We go through lookup_name() to avoid problems we had with 'winbind use
714 * unmapped unix users: Go directly to nss to find the user's group.
716 * A passdb user: The list of groups is provided by pdb_enum_group_memberships.
718 * If the user is provided by winbind, the primary gid is set to "domain
719 * users" of the user's domain. For an explanation why this is necessary, see
720 * the thread starting at
721 * http://lists.samba.org/archive/samba-technical/2006-January/044803.html.
724 NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
726 uid_t *uid, gid_t *gid,
727 char **found_username,
728 struct nt_user_token **token)
730 NTSTATUS result = NT_STATUS_NO_SUCH_USER;
733 enum lsa_SidType type;
736 DOM_SID unix_group_sid;
737 size_t num_group_sids;
741 tmp_ctx = talloc_new(NULL);
742 if (tmp_ctx == NULL) {
743 DEBUG(0, ("talloc_new failed\n"));
744 return NT_STATUS_NO_MEMORY;
747 if (!lookup_name_smbconf(tmp_ctx, username, LOOKUP_NAME_ALL,
748 NULL, NULL, &user_sid, &type)) {
749 DEBUG(1, ("lookup_name_smbconf for %s failed\n", username));
753 if (type != SID_NAME_USER) {
754 DEBUG(1, ("%s is a %s, not a user\n", username,
755 sid_type_lookup(type)));
759 if (!sid_to_uid(&user_sid, uid)) {
760 DEBUG(1, ("sid_to_uid for %s (%s) failed\n",
761 username, sid_string_dbg(&user_sid)));
765 if (sid_check_is_in_our_domain(&user_sid)) {
768 /* This is a passdb user, so ask passdb */
770 struct samu *sam_acct = NULL;
772 if ( !(sam_acct = samu_new( tmp_ctx )) ) {
773 result = NT_STATUS_NO_MEMORY;
778 ret = pdb_getsampwsid(sam_acct, &user_sid);
782 DEBUG(1, ("pdb_getsampwsid(%s) for user %s failed\n",
783 sid_string_dbg(&user_sid), username));
784 DEBUGADD(1, ("Fall back to unix user %s\n", username));
788 result = pdb_enum_group_memberships(tmp_ctx, sam_acct,
791 if (!NT_STATUS_IS_OK(result)) {
792 DEBUG(10, ("enum_group_memberships failed for %s\n",
794 DEBUGADD(1, ("Fall back to unix user %s\n", username));
798 /* see the smb_panic() in pdb_default_enum_group_memberships */
799 SMB_ASSERT(num_group_sids > 0);
803 /* Ensure we're returning the found_username on the right context. */
804 *found_username = talloc_strdup(mem_ctx,
805 pdb_get_username(sam_acct));
807 } else if (sid_check_is_in_unix_users(&user_sid)) {
809 /* This is a unix user not in passdb. We need to ask nss
810 * directly, without consulting passdb */
815 * This goto target is used as a fallback for the passdb
816 * case. The concrete bug report is when passdb gave us an
822 uid_to_unix_users_sid(*uid, &user_sid);
824 pass = getpwuid_alloc(tmp_ctx, *uid);
826 DEBUG(1, ("getpwuid(%d) for user %s failed\n",
831 if (!getgroups_unix_user(tmp_ctx, username, pass->pw_gid,
832 &gids, &num_group_sids)) {
833 DEBUG(1, ("getgroups_unix_user for user %s failed\n",
838 if (num_group_sids) {
839 group_sids = TALLOC_ARRAY(tmp_ctx, DOM_SID, num_group_sids);
840 if (group_sids == NULL) {
841 DEBUG(1, ("TALLOC_ARRAY failed\n"));
842 result = NT_STATUS_NO_MEMORY;
849 for (i=0; i<num_group_sids; i++) {
850 gid_to_sid(&group_sids[i], gids[i]);
853 /* In getgroups_unix_user we always set the primary gid */
854 SMB_ASSERT(num_group_sids > 0);
858 /* Ensure we're returning the found_username on the right context. */
859 *found_username = talloc_strdup(mem_ctx, pass->pw_name);
862 /* This user is from winbind, force the primary gid to the
863 * user's "domain users" group. Under certain circumstances
864 * (user comes from NT4), this might be a loss of
865 * information. But we can not rely on winbind getting the
866 * correct info. AD might prohibit winbind looking up that
872 group_sids = TALLOC_ARRAY(tmp_ctx, DOM_SID, num_group_sids);
873 if (group_sids == NULL) {
874 DEBUG(1, ("TALLOC_ARRAY failed\n"));
875 result = NT_STATUS_NO_MEMORY;
879 sid_copy(&group_sids[0], &user_sid);
880 sid_split_rid(&group_sids[0], &dummy);
881 sid_append_rid(&group_sids[0], DOMAIN_GROUP_RID_USERS);
883 if (!sid_to_gid(&group_sids[0], gid)) {
884 DEBUG(1, ("sid_to_gid(%s) failed\n",
885 sid_string_dbg(&group_sids[0])));
891 /* Ensure we're returning the found_username on the right context. */
892 *found_username = talloc_strdup(mem_ctx, username);
895 /* Add the "Unix Group" SID for each gid to catch mapped groups
896 and their Unix equivalent. This is to solve the backwards
897 compatibility problem of 'valid users = +ntadmin' where
898 ntadmin has been paired with "Domain Admins" in the group
899 mapping table. Otherwise smb.conf would need to be changed
900 to 'valid user = "Domain Admins"'. --jerry */
902 num_gids = num_group_sids;
903 for ( i=0; i<num_gids; i++ ) {
906 /* don't pickup anything managed by Winbind */
908 if ( lp_idmap_gid(&low, &high) && (gids[i] >= low) && (gids[i] <= high) )
911 if ( !gid_to_unix_groups_sid( gids[i], &unix_group_sid ) ) {
912 DEBUG(1,("create_token_from_username: Failed to create SID "
913 "for gid %d!\n", gids[i]));
916 result = add_sid_to_array_unique(tmp_ctx, &unix_group_sid,
917 &group_sids, &num_group_sids);
918 if (!NT_STATUS_IS_OK(result)) {
923 /* Ensure we're creating the nt_token on the right context. */
924 *token = create_local_nt_token(mem_ctx, &user_sid,
925 is_guest, num_group_sids, group_sids);
927 if ((*token == NULL) || (*found_username == NULL)) {
928 result = NT_STATUS_NO_MEMORY;
932 result = NT_STATUS_OK;
934 TALLOC_FREE(tmp_ctx);
938 /***************************************************************************
939 Build upon create_token_from_username:
941 Expensive helper function to figure out whether a user given its name is
942 member of a particular group.
943 ***************************************************************************/
945 bool user_in_group_sid(const char *username, const DOM_SID *group_sid)
950 char *found_username;
951 struct nt_user_token *token;
956 mem_ctx = talloc_new(NULL);
957 if (mem_ctx == NULL) {
958 DEBUG(0, ("talloc_new failed\n"));
962 status = create_token_from_username(mem_ctx, username, False,
963 &uid, &gid, &found_username,
966 if (!NT_STATUS_IS_OK(status)) {
967 DEBUG(10, ("could not create token for %s\n", username));
971 result = nt_token_check_sid(group_sid, token);
973 TALLOC_FREE(mem_ctx);
978 bool user_in_group(const char *username, const char *groupname)
984 mem_ctx = talloc_new(NULL);
985 if (mem_ctx == NULL) {
986 DEBUG(0, ("talloc_new failed\n"));
990 ret = lookup_name(mem_ctx, groupname, LOOKUP_NAME_ALL,
991 NULL, NULL, &group_sid, NULL);
992 TALLOC_FREE(mem_ctx);
995 DEBUG(10, ("lookup_name for (%s) failed.\n", groupname));
999 return user_in_group_sid(username, &group_sid);
1002 /***************************************************************************
1003 Make (and fill) a server_info struct from a 'struct passwd' by conversion
1005 ***************************************************************************/
1007 NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info,
1008 char *unix_username,
1012 struct samu *sampass = NULL;
1014 char *qualified_name = NULL;
1015 TALLOC_CTX *mem_ctx = NULL;
1017 enum lsa_SidType type;
1018 auth_serversupplied_info *result;
1020 if ( !(sampass = samu_new( NULL )) ) {
1021 return NT_STATUS_NO_MEMORY;
1024 status = samu_set_unix( sampass, pwd );
1025 if (!NT_STATUS_IS_OK(status)) {
1029 result = make_server_info(NULL);
1030 if (result == NULL) {
1031 TALLOC_FREE(sampass);
1032 return NT_STATUS_NO_MEMORY;
1035 result->sam_account = sampass;
1037 result->unix_name = talloc_strdup(result, unix_username);
1038 result->sanitized_username = sanitize_username(result, unix_username);
1040 if ((result->unix_name == NULL)
1041 || (result->sanitized_username == NULL)) {
1042 TALLOC_FREE(sampass);
1043 TALLOC_FREE(result);
1044 return NT_STATUS_NO_MEMORY;
1047 result->utok.uid = pwd->pw_uid;
1048 result->utok.gid = pwd->pw_gid;
1050 status = pdb_enum_group_memberships(result, sampass,
1051 &result->sids, &gids,
1054 if (!NT_STATUS_IS_OK(status)) {
1055 DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
1056 nt_errstr(status)));
1057 TALLOC_FREE(result);
1062 * The SID returned in server_info->sam_account is based
1063 * on our SAM sid even though for a pure UNIX account this should
1064 * not be the case as it doesn't really exist in the SAM db.
1065 * This causes lookups on "[in]valid users" to fail as they
1066 * will lookup this name as a "Unix User" SID to check against
1067 * the user token. Fix this by adding the "Unix User"\unix_username
1068 * SID to the sid array. The correct fix should probably be
1069 * changing the server_info->sam_account user SID to be a
1070 * S-1-22 Unix SID, but this might break old configs where
1071 * plaintext passwords were used with no SAM backend.
1074 mem_ctx = talloc_init("make_server_info_pw_tmp");
1076 TALLOC_FREE(result);
1077 return NT_STATUS_NO_MEMORY;
1080 qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
1081 unix_users_domain_name(),
1083 if (!qualified_name) {
1084 TALLOC_FREE(result);
1085 TALLOC_FREE(mem_ctx);
1086 return NT_STATUS_NO_MEMORY;
1089 if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
1092 TALLOC_FREE(result);
1093 TALLOC_FREE(mem_ctx);
1094 return NT_STATUS_NO_SUCH_USER;
1097 TALLOC_FREE(mem_ctx);
1099 if (type != SID_NAME_USER) {
1100 TALLOC_FREE(result);
1101 return NT_STATUS_NO_SUCH_USER;
1104 status = add_sid_to_array_unique(result, &u_sid,
1107 if (!NT_STATUS_IS_OK(status)) {
1108 TALLOC_FREE(result);
1112 /* For now we throw away the gids and convert via sid_to_gid
1113 * later. This needs fixing, but I'd like to get the code straight and
1117 *server_info = result;
1119 return NT_STATUS_OK;
1122 /***************************************************************************
1123 Make (and fill) a user_info struct for a guest login.
1124 This *must* succeed for smbd to start. If there is no mapping entry for
1125 the guest gid, then create one.
1126 ***************************************************************************/
1128 static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_info)
1131 struct samu *sampass = NULL;
1137 if ( !(sampass = samu_new( NULL )) ) {
1138 return NT_STATUS_NO_MEMORY;
1141 sid_copy(&guest_sid, get_global_sam_sid());
1142 sid_append_rid(&guest_sid, DOMAIN_USER_RID_GUEST);
1145 ret = pdb_getsampwsid(sampass, &guest_sid);
1149 TALLOC_FREE(sampass);
1150 return NT_STATUS_NO_SUCH_USER;
1153 status = make_server_info_sam(server_info, sampass);
1154 if (!NT_STATUS_IS_OK(status)) {
1155 TALLOC_FREE(sampass);
1159 (*server_info)->guest = True;
1161 status = create_local_token(*server_info);
1162 if (!NT_STATUS_IS_OK(status)) {
1163 DEBUG(10, ("create_local_token failed: %s\n",
1164 nt_errstr(status)));
1168 /* annoying, but the Guest really does have a session key, and it is
1171 (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));
1172 (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
1174 alpha_strcpy(tmp, pdb_get_username(sampass), ". _-$", sizeof(tmp));
1175 (*server_info)->sanitized_username = talloc_strdup(*server_info, tmp);
1177 return NT_STATUS_OK;
1180 /****************************************************************************
1181 Fake a auth_serversupplied_info just from a username
1182 ****************************************************************************/
1184 NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx,
1185 const char *username,
1187 struct auth_serversupplied_info **presult)
1189 struct auth_serversupplied_info *result;
1193 pwd = getpwnam_alloc(talloc_tos(), username);
1195 return NT_STATUS_NO_SUCH_USER;
1198 status = make_server_info_pw(&result, pwd->pw_name, pwd);
1202 if (!NT_STATUS_IS_OK(status)) {
1206 result->nss_token = true;
1207 result->guest = is_guest;
1209 status = create_local_token(result);
1211 if (!NT_STATUS_IS_OK(status)) {
1212 TALLOC_FREE(result);
1217 return NT_STATUS_OK;
1221 struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx,
1222 auth_serversupplied_info *src)
1224 auth_serversupplied_info *dst;
1226 dst = make_server_info(mem_ctx);
1231 dst->guest = src->guest;
1232 dst->utok.uid = src->utok.uid;
1233 dst->utok.gid = src->utok.gid;
1234 dst->utok.ngroups = src->utok.ngroups;
1235 if (src->utok.ngroups != 0) {
1236 dst->utok.groups = (gid_t *)TALLOC_MEMDUP(
1237 dst, src->utok.groups,
1238 sizeof(gid_t)*dst->utok.ngroups);
1240 dst->utok.groups = NULL;
1244 dst->ptok = dup_nt_token(dst, src->ptok);
1251 dst->user_session_key = data_blob_talloc( dst, src->user_session_key.data,
1252 src->user_session_key.length);
1254 dst->lm_session_key = data_blob_talloc(dst, src->lm_session_key.data,
1255 src->lm_session_key.length);
1257 dst->sam_account = samu_new(NULL);
1258 if (!dst->sam_account) {
1263 if (!pdb_copy_sam_account(dst->sam_account, src->sam_account)) {
1268 dst->pam_handle = NULL;
1269 dst->unix_name = talloc_strdup(dst, src->unix_name);
1270 if (!dst->unix_name) {
1275 dst->sanitized_username = talloc_strdup(dst, src->sanitized_username);
1276 if (!dst->sanitized_username) {
1284 static auth_serversupplied_info *guest_info = NULL;
1286 bool init_guest_info(void)
1288 if (guest_info != NULL)
1291 return NT_STATUS_IS_OK(make_new_server_info_guest(&guest_info));
1294 NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx,
1295 auth_serversupplied_info **server_info)
1297 *server_info = copy_serverinfo(mem_ctx, guest_info);
1298 return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1301 bool copy_current_user(struct current_user *dst, struct current_user *src)
1304 NT_USER_TOKEN *nt_token;
1306 groups = (gid_t *)memdup(src->ut.groups,
1307 sizeof(gid_t) * src->ut.ngroups);
1308 if ((src->ut.ngroups != 0) && (groups == NULL)) {
1312 nt_token = dup_nt_token(NULL, src->nt_user_token);
1313 if (nt_token == NULL) {
1318 dst->conn = src->conn;
1319 dst->vuid = src->vuid;
1320 dst->ut.uid = src->ut.uid;
1321 dst->ut.gid = src->ut.gid;
1322 dst->ut.ngroups = src->ut.ngroups;
1323 dst->ut.groups = groups;
1324 dst->nt_user_token = nt_token;
1328 /***************************************************************************
1329 Purely internal function for make_server_info_info3
1330 Fill the sam account from getpwnam
1331 ***************************************************************************/
1332 static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx,
1334 const char *username,
1335 char **found_username,
1336 uid_t *uid, gid_t *gid,
1337 struct samu *account,
1338 bool *username_was_mapped)
1341 fstring dom_user, lower_username;
1342 fstring real_username;
1343 struct passwd *passwd;
1345 fstrcpy( lower_username, username );
1346 strlower_m( lower_username );
1348 fstr_sprintf(dom_user, "%s%c%s", domain, *lp_winbind_separator(),
1351 /* Get the passwd struct. Try to create the account is necessary. */
1353 *username_was_mapped = map_username( dom_user );
1355 if ( !(passwd = smb_getpwnam( NULL, dom_user, real_username, True )) )
1356 return NT_STATUS_NO_SUCH_USER;
1358 *uid = passwd->pw_uid;
1359 *gid = passwd->pw_gid;
1361 /* This is pointless -- there is no suport for differing
1362 unix and windows names. Make sure to always store the
1363 one we actually looked up and succeeded. Have I mentioned
1364 why I hate the 'winbind use default domain' parameter?
1367 *found_username = talloc_strdup( mem_ctx, real_username );
1369 DEBUG(5,("fill_sam_account: located username was [%s]\n", *found_username));
1371 nt_status = samu_set_unix( account, passwd );
1373 TALLOC_FREE(passwd);
1378 /****************************************************************************
1379 Wrapper to allow the getpwnam() call to strip the domain name and
1380 try again in case a local UNIX user is already there. Also run through
1381 the username if we fallback to the username only.
1382 ****************************************************************************/
1384 struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, char *domuser,
1385 fstring save_username, bool create )
1387 struct passwd *pw = NULL;
1391 /* we only save a copy of the username it has been mangled
1392 by winbindd use default domain */
1394 save_username[0] = '\0';
1396 /* don't call map_username() here since it has to be done higher
1397 up the stack so we don't call it mutliple times */
1399 fstrcpy( username, domuser );
1401 p = strchr_m( username, *lp_winbind_separator() );
1403 /* code for a DOMAIN\user string */
1406 fstring strip_username;
1408 pw = Get_Pwnam_alloc( mem_ctx, domuser );
1410 /* make sure we get the case of the username correct */
1411 /* work around 'winbind use default domain = yes' */
1413 if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
1416 /* split the domain and username into 2 strings */
1420 fstr_sprintf(save_username, "%s%c%s", domain, *lp_winbind_separator(), pw->pw_name);
1423 fstrcpy( save_username, pw->pw_name );
1429 /* setup for lookup of just the username */
1430 /* remember that p and username are overlapping memory */
1433 fstrcpy( strip_username, p );
1434 fstrcpy( username, strip_username );
1437 /* just lookup a plain username */
1439 pw = Get_Pwnam_alloc(mem_ctx, username);
1441 /* Create local user if requested but only if winbindd
1442 is not running. We need to protect against cases
1443 where winbindd is failing and then prematurely
1444 creating users in /etc/passwd */
1446 if ( !pw && create && !winbind_ping() ) {
1447 /* Don't add a machine account. */
1448 if (username[strlen(username)-1] == '$')
1451 smb_create_user(NULL, username, NULL);
1452 pw = Get_Pwnam_alloc(mem_ctx, username);
1455 /* one last check for a valid passwd struct */
1458 fstrcpy( save_username, pw->pw_name );
1463 /***************************************************************************
1464 Make a server_info struct from the info3 returned by a domain logon
1465 ***************************************************************************/
1467 NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
1468 const char *sent_nt_username,
1470 auth_serversupplied_info **server_info,
1471 struct netr_SamInfo3 *info3)
1475 NTSTATUS nt_status = NT_STATUS_OK;
1476 char *found_username = NULL;
1477 const char *nt_domain;
1478 const char *nt_username;
1479 struct samu *sam_account = NULL;
1482 bool username_was_mapped;
1484 uid_t uid = (uid_t)-1;
1485 gid_t gid = (gid_t)-1;
1487 auth_serversupplied_info *result;
1490 Here is where we should check the list of
1491 trusted domains, and verify that the SID
1495 sid_copy(&user_sid, info3->base.domain_sid);
1496 if (!sid_append_rid(&user_sid, info3->base.rid)) {
1497 return NT_STATUS_INVALID_PARAMETER;
1500 sid_copy(&group_sid, info3->base.domain_sid);
1501 if (!sid_append_rid(&group_sid, info3->base.primary_gid)) {
1502 return NT_STATUS_INVALID_PARAMETER;
1505 nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
1507 /* If the server didn't give us one, just use the one we sent
1509 nt_username = sent_nt_username;
1512 nt_domain = talloc_strdup(mem_ctx, info3->base.domain.string);
1514 /* If the server didn't give us one, just use the one we sent
1519 /* try to fill the SAM account.. If getpwnam() fails, then try the
1520 add user script (2.2.x behavior).
1522 We use the _unmapped_ username here in an attempt to provide
1523 consistent username mapping behavior between kerberos and NTLM[SSP]
1524 authentication in domain mode security. I.E. Username mapping
1525 should be applied to the fully qualified username
1526 (e.g. DOMAIN\user) and not just the login name. Yes this means we
1527 called map_username() unnecessarily in make_user_info_map() but
1528 that is how the current code is designed. Making the change here
1529 is the least disruptive place. -- jerry */
1531 if ( !(sam_account = samu_new( NULL )) ) {
1532 return NT_STATUS_NO_MEMORY;
1535 /* this call will try to create the user if necessary */
1537 nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username,
1538 &found_username, &uid, &gid, sam_account,
1539 &username_was_mapped);
1542 /* if we still don't have a valid unix account check for
1543 'map to guest = bad uid' */
1545 if (!NT_STATUS_IS_OK(nt_status)) {
1546 TALLOC_FREE( sam_account );
1547 if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) {
1548 make_server_info_guest(NULL, server_info);
1549 return NT_STATUS_OK;
1554 if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) {
1555 TALLOC_FREE(sam_account);
1556 return NT_STATUS_NO_MEMORY;
1559 if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) {
1560 TALLOC_FREE(sam_account);
1561 return NT_STATUS_NO_MEMORY;
1564 if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) {
1565 TALLOC_FREE(sam_account);
1566 return NT_STATUS_NO_MEMORY;
1569 if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) {
1570 TALLOC_FREE(sam_account);
1571 return NT_STATUS_UNSUCCESSFUL;
1574 if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) {
1575 TALLOC_FREE(sam_account);
1576 return NT_STATUS_UNSUCCESSFUL;
1579 if (!pdb_set_fullname(sam_account,
1580 info3->base.full_name.string,
1582 TALLOC_FREE(sam_account);
1583 return NT_STATUS_NO_MEMORY;
1586 if (!pdb_set_logon_script(sam_account,
1587 info3->base.logon_script.string,
1589 TALLOC_FREE(sam_account);
1590 return NT_STATUS_NO_MEMORY;
1593 if (!pdb_set_profile_path(sam_account,
1594 info3->base.profile_path.string,
1596 TALLOC_FREE(sam_account);
1597 return NT_STATUS_NO_MEMORY;
1600 if (!pdb_set_homedir(sam_account,
1601 info3->base.home_directory.string,
1603 TALLOC_FREE(sam_account);
1604 return NT_STATUS_NO_MEMORY;
1607 if (!pdb_set_dir_drive(sam_account,
1608 info3->base.home_drive.string,
1610 TALLOC_FREE(sam_account);
1611 return NT_STATUS_NO_MEMORY;
1614 if (!pdb_set_acct_ctrl(sam_account, info3->base.acct_flags, PDB_CHANGED)) {
1615 TALLOC_FREE(sam_account);
1616 return NT_STATUS_NO_MEMORY;
1619 if (!pdb_set_pass_last_set_time(
1621 nt_time_to_unix(info3->base.last_password_change),
1623 TALLOC_FREE(sam_account);
1624 return NT_STATUS_NO_MEMORY;
1627 if (!pdb_set_pass_can_change_time(
1629 nt_time_to_unix(info3->base.allow_password_change),
1631 TALLOC_FREE(sam_account);
1632 return NT_STATUS_NO_MEMORY;
1635 if (!pdb_set_pass_must_change_time(
1637 nt_time_to_unix(info3->base.force_password_change),
1639 TALLOC_FREE(sam_account);
1640 return NT_STATUS_NO_MEMORY;
1643 result = make_server_info(NULL);
1644 if (result == NULL) {
1645 DEBUG(4, ("make_server_info failed!\n"));
1646 TALLOC_FREE(sam_account);
1647 return NT_STATUS_NO_MEMORY;
1650 /* save this here to _net_sam_logon() doesn't fail (it assumes a
1651 valid struct samu) */
1653 result->sam_account = sam_account;
1654 result->unix_name = talloc_strdup(result, found_username);
1656 result->sanitized_username = sanitize_username(result,
1658 if (result->sanitized_username == NULL) {
1659 TALLOC_FREE(result);
1660 return NT_STATUS_NO_MEMORY;
1663 /* Fill in the unix info we found on the way */
1665 result->utok.uid = uid;
1666 result->utok.gid = gid;
1668 /* Create a 'combined' list of all SIDs we might want in the SD */
1670 result->num_sids = 0;
1671 result->sids = NULL;
1673 nt_status = sid_array_from_info3(result, info3,
1677 if (!NT_STATUS_IS_OK(nt_status)) {
1678 TALLOC_FREE(result);
1682 result->login_server = talloc_strdup(result,
1683 info3->base.logon_server.string);
1685 /* ensure we are never given NULL session keys */
1689 if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) {
1690 result->user_session_key = data_blob_null;
1692 result->user_session_key = data_blob_talloc(
1693 result, info3->base.key.key,
1694 sizeof(info3->base.key.key));
1697 if (memcmp(info3->base.LMSessKey.key, zeros, 8) == 0) {
1698 result->lm_session_key = data_blob_null;
1700 result->lm_session_key = data_blob_talloc(
1701 result, info3->base.LMSessKey.key,
1702 sizeof(info3->base.LMSessKey.key));
1705 result->nss_token |= username_was_mapped;
1707 *server_info = result;
1709 return NT_STATUS_OK;
1712 /*****************************************************************************
1713 Make a server_info struct from the wbcAuthUserInfo returned by a domain logon
1714 ******************************************************************************/
1716 NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
1717 const char *sent_nt_username,
1719 const struct wbcAuthUserInfo *info,
1720 auth_serversupplied_info **server_info)
1724 NTSTATUS nt_status = NT_STATUS_OK;
1725 char *found_username = NULL;
1726 const char *nt_domain;
1727 const char *nt_username;
1728 struct samu *sam_account = NULL;
1731 bool username_was_mapped;
1734 uid_t uid = (uid_t)-1;
1735 gid_t gid = (gid_t)-1;
1737 auth_serversupplied_info *result;
1739 result = make_server_info(NULL);
1740 if (result == NULL) {
1741 DEBUG(4, ("make_server_info failed!\n"));
1742 return NT_STATUS_NO_MEMORY;
1746 Here is where we should check the list of
1747 trusted domains, and verify that the SID
1751 memcpy(&user_sid, &info->sids[0].sid, sizeof(user_sid));
1752 memcpy(&group_sid, &info->sids[1].sid, sizeof(group_sid));
1754 if (info->account_name) {
1755 nt_username = talloc_strdup(result, info->account_name);
1757 /* If the server didn't give us one, just use the one we sent
1759 nt_username = talloc_strdup(result, sent_nt_username);
1762 TALLOC_FREE(result);
1763 return NT_STATUS_NO_MEMORY;
1766 if (info->domain_name) {
1767 nt_domain = talloc_strdup(result, info->domain_name);
1769 /* If the server didn't give us one, just use the one we sent
1771 nt_domain = talloc_strdup(result, domain);
1774 TALLOC_FREE(result);
1775 return NT_STATUS_NO_MEMORY;
1778 /* try to fill the SAM account.. If getpwnam() fails, then try the
1779 add user script (2.2.x behavior).
1781 We use the _unmapped_ username here in an attempt to provide
1782 consistent username mapping behavior between kerberos and NTLM[SSP]
1783 authentication in domain mode security. I.E. Username mapping
1784 should be applied to the fully qualified username
1785 (e.g. DOMAIN\user) and not just the login name. Yes this means we
1786 called map_username() unnecessarily in make_user_info_map() but
1787 that is how the current code is designed. Making the change here
1788 is the least disruptive place. -- jerry */
1790 if ( !(sam_account = samu_new( result )) ) {
1791 TALLOC_FREE(result);
1792 return NT_STATUS_NO_MEMORY;
1795 /* this call will try to create the user if necessary */
1797 nt_status = fill_sam_account(result, nt_domain, sent_nt_username,
1798 &found_username, &uid, &gid, sam_account,
1799 &username_was_mapped);
1801 /* if we still don't have a valid unix account check for
1802 'map to guest = bad uid' */
1804 if (!NT_STATUS_IS_OK(nt_status)) {
1805 TALLOC_FREE( result );
1806 if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) {
1807 make_server_info_guest(NULL, server_info);
1808 return NT_STATUS_OK;
1813 if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) {
1814 TALLOC_FREE(result);
1815 return NT_STATUS_NO_MEMORY;
1818 if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) {
1819 TALLOC_FREE(result);
1820 return NT_STATUS_NO_MEMORY;
1823 if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) {
1824 TALLOC_FREE(result);
1825 return NT_STATUS_NO_MEMORY;
1828 if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) {
1829 TALLOC_FREE(result);
1830 return NT_STATUS_UNSUCCESSFUL;
1833 if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) {
1834 TALLOC_FREE(result);
1835 return NT_STATUS_UNSUCCESSFUL;
1838 if (!pdb_set_fullname(sam_account, info->full_name, PDB_CHANGED)) {
1839 TALLOC_FREE(result);
1840 return NT_STATUS_NO_MEMORY;
1843 if (!pdb_set_logon_script(sam_account, info->logon_script, PDB_CHANGED)) {
1844 TALLOC_FREE(result);
1845 return NT_STATUS_NO_MEMORY;
1848 if (!pdb_set_profile_path(sam_account, info->profile_path, PDB_CHANGED)) {
1849 TALLOC_FREE(result);
1850 return NT_STATUS_NO_MEMORY;
1853 if (!pdb_set_homedir(sam_account, info->home_directory, PDB_CHANGED)) {
1854 TALLOC_FREE(result);
1855 return NT_STATUS_NO_MEMORY;
1858 if (!pdb_set_dir_drive(sam_account, info->home_drive, PDB_CHANGED)) {
1859 TALLOC_FREE(result);
1860 return NT_STATUS_NO_MEMORY;
1863 if (!pdb_set_acct_ctrl(sam_account, info->acct_flags, PDB_CHANGED)) {
1864 TALLOC_FREE(result);
1865 return NT_STATUS_NO_MEMORY;
1868 if (!pdb_set_pass_last_set_time(
1870 nt_time_to_unix(info->pass_last_set_time),
1872 TALLOC_FREE(result);
1873 return NT_STATUS_NO_MEMORY;
1876 if (!pdb_set_pass_can_change_time(
1878 nt_time_to_unix(info->pass_can_change_time),
1880 TALLOC_FREE(result);
1881 return NT_STATUS_NO_MEMORY;
1884 if (!pdb_set_pass_must_change_time(
1886 nt_time_to_unix(info->pass_must_change_time),
1888 TALLOC_FREE(result);
1889 return NT_STATUS_NO_MEMORY;
1892 /* save this here to _net_sam_logon() doesn't fail (it assumes a
1893 valid struct samu) */
1895 result->sam_account = sam_account;
1896 result->unix_name = talloc_strdup(result, found_username);
1898 result->sanitized_username = sanitize_username(result,
1900 result->login_server = talloc_strdup(result, info->logon_server);
1902 if ((result->unix_name == NULL)
1903 || (result->sanitized_username == NULL)
1904 || (result->login_server == NULL)) {
1905 TALLOC_FREE(result);
1906 return NT_STATUS_NO_MEMORY;
1909 /* Fill in the unix info we found on the way */
1911 result->utok.uid = uid;
1912 result->utok.gid = gid;
1914 /* Create a 'combined' list of all SIDs we might want in the SD */
1916 result->num_sids = info->num_sids - 2;
1917 result->sids = talloc_array(result, DOM_SID, result->num_sids);
1918 if (result->sids == NULL) {
1919 TALLOC_FREE(result);
1920 return NT_STATUS_NO_MEMORY;
1923 for (i=0; i < result->num_sids; i++) {
1924 memcpy(&result->sids[i], &info->sids[i+2].sid, sizeof(result->sids[i]));
1927 /* ensure we are never given NULL session keys */
1931 if (memcmp(info->user_session_key, zeros, sizeof(zeros)) == 0) {
1932 result->user_session_key = data_blob_null;
1934 result->user_session_key = data_blob_talloc(
1935 result, info->user_session_key,
1936 sizeof(info->user_session_key));
1939 if (memcmp(info->lm_session_key, zeros, 8) == 0) {
1940 result->lm_session_key = data_blob_null;
1942 result->lm_session_key = data_blob_talloc(
1943 result, info->lm_session_key,
1944 sizeof(info->lm_session_key));
1947 result->nss_token |= username_was_mapped;
1949 *server_info = result;
1951 return NT_STATUS_OK;
1954 /***************************************************************************
1955 Free a user_info struct
1956 ***************************************************************************/
1958 void free_user_info(auth_usersupplied_info **user_info)
1960 DEBUG(5,("attempting to free (and zero) a user_info structure\n"));
1961 if (*user_info != NULL) {
1962 if ((*user_info)->smb_name) {
1963 DEBUG(10,("structure was created for %s\n",
1964 (*user_info)->smb_name));
1966 SAFE_FREE((*user_info)->smb_name);
1967 SAFE_FREE((*user_info)->internal_username);
1968 SAFE_FREE((*user_info)->client_domain);
1969 SAFE_FREE((*user_info)->domain);
1970 SAFE_FREE((*user_info)->wksta_name);
1971 data_blob_free(&(*user_info)->lm_resp);
1972 data_blob_free(&(*user_info)->nt_resp);
1973 data_blob_clear_free(&(*user_info)->lm_interactive_pwd);
1974 data_blob_clear_free(&(*user_info)->nt_interactive_pwd);
1975 data_blob_clear_free(&(*user_info)->plaintext_password);
1976 ZERO_STRUCT(**user_info);
1978 SAFE_FREE(*user_info);
1981 /***************************************************************************
1982 Make an auth_methods struct
1983 ***************************************************************************/
1985 bool make_auth_methods(struct auth_context *auth_context, auth_methods **auth_method)
1987 if (!auth_context) {
1988 smb_panic("no auth_context supplied to "
1989 "make_auth_methods()!\n");
1993 smb_panic("make_auth_methods: pointer to auth_method pointer "
1997 *auth_method = TALLOC_P(auth_context->mem_ctx, auth_methods);
1998 if (!*auth_method) {
1999 DEBUG(0,("make_auth_method: malloc failed!\n"));
2002 ZERO_STRUCTP(*auth_method);
2008 * Verify whether or not given domain is trusted.
2010 * @param domain_name name of the domain to be verified
2011 * @return true if domain is one of the trusted once or
2012 * false if otherwise
2015 bool is_trusted_domain(const char* dom_name)
2017 DOM_SID trustdom_sid;
2020 /* no trusted domains for a standalone server */
2022 if ( lp_server_role() == ROLE_STANDALONE )
2025 /* if we are a DC, then check for a direct trust relationships */
2029 DEBUG (5,("is_trusted_domain: Checking for domain trust with "
2030 "[%s]\n", dom_name ));
2031 ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
2039 /* If winbind is around, ask it */
2041 result = wb_is_trusted_domain(dom_name);
2043 if (result == WBC_ERR_SUCCESS) {
2047 if (result == WBC_ERR_DOMAIN_NOT_FOUND) {
2048 /* winbind could not find the domain */
2052 /* The only other possible result is that winbind is not up
2053 and running. We need to update the trustdom_cache
2056 update_trustdom_cache();
2059 /* now the trustdom cache should be available a DC could still
2060 * have a transitive trust so fall back to the cache of trusted
2061 * domains (like a domain member would use */
2063 if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) {