2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Simo Sorce 2010
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #define DBGC_CLASS DBGC_AUTH
26 NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
28 const char *princ_name,
29 struct PAC_LOGON_INFO *logon_info,
31 bool *mapped_to_guest,
44 struct passwd *pw = NULL;
46 DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
48 p = strchr_m(princ_name, '@');
50 DEBUG(3, ("[%s] Doesn't look like a valid principal\n",
52 return NT_STATUS_LOGON_FAILURE;
55 user = talloc_strndup(mem_ctx, princ_name, p - princ_name);
57 return NT_STATUS_NO_MEMORY;
60 realm = talloc_strdup(talloc_tos(), p + 1);
62 return NT_STATUS_NO_MEMORY;
65 if (!strequal(realm, lp_realm())) {
66 DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm));
67 if (!lp_allow_trusted_domains()) {
68 return NT_STATUS_LOGON_FAILURE;
72 if (logon_info && logon_info->info3.base.domain.string) {
73 domain = talloc_strdup(mem_ctx,
74 logon_info->info3.base.domain.string);
76 return NT_STATUS_NO_MEMORY;
78 DEBUG(10, ("Domain is [%s] (using PAC)\n", domain));
81 /* If we have winbind running, we can (and must) shorten the
82 username by using the short netbios name. Otherwise we will
83 have inconsistent user names. With Kerberos, we get the
84 fully qualified realm, with ntlmssp we get the short
85 name. And even w2k3 does use ntlmssp if you for example
86 connect to an ip address. */
89 struct wbcDomainInfo *info = NULL;
91 DEBUG(10, ("Mapping [%s] to short name using winbindd\n",
94 wbc_status = wbcDomainInfo(realm, &info);
96 if (WBC_ERROR_IS_OK(wbc_status)) {
97 domain = talloc_strdup(mem_ctx,
101 DEBUG(3, ("Could not find short name: %s\n",
102 wbcErrorString(wbc_status)));
103 domain = talloc_strdup(mem_ctx, realm);
106 return NT_STATUS_NO_MEMORY;
108 DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain));
111 /* We have to use fstring for this - map_username requires it. */
112 fstr_sprintf(fuser, "%s%c%s", domain, *lp_winbind_separator(), user);
114 *is_mapped = map_username(fuser);
116 pw = smb_getpwnam(mem_ctx, fuser, unixuser, true);
118 /* if a real user check pam account restrictions */
119 /* only really perfomed if "obey pam restriction" is true */
120 /* do this before an eventual mapping to guest occurs */
121 status = smb_pam_accountcheck(pw->pw_name, cli_name);
122 if (!NT_STATUS_IS_OK(status)) {
123 DEBUG(1, ("PAM account restrictions prevent user "
124 "[%s] login\n", unixuser));
130 /* this was originally the behavior of Samba 2.2, if a user
131 did not have a local uid but has been authenticated, then
132 map them to a guest account */
134 if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID) {
135 *mapped_to_guest = true;
136 fstrcpy(fuser, lp_guestaccount());
137 pw = smb_getpwnam(mem_ctx, fuser, unixuser, true);
140 /* extra sanity check that the guest account is valid */
142 DEBUG(1, ("Username %s is invalid on this system\n",
144 return NT_STATUS_LOGON_FAILURE;
148 *username = talloc_strdup(mem_ctx, unixuser);
150 return NT_STATUS_NO_MEMORY;
158 #else /* HAVE_KRB5 */
159 NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
160 const char *cli_name,
161 const char *princ_name,
162 struct PAC_LOGON_INFO *logon_info,
164 bool *mapped_to_guest,
170 return NT_STATUS_NOT_IMPLEMENTED;
172 #endif /* HAVE_KRB5 */