source3/auth/auth_winbind.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Winbind authentication mechnism
   5
   6    Copyright (C) Tim Potter 2000
   7    Copyright (C) Andrew Bartlett 2001 - 2002
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "includes.h"
  24
  25 #undef DBGC_CLASS
  26 #define DBGC_CLASS DBGC_AUTH
  27
  28 /* Authenticate a user with a challenge/response */
  29
  30 static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
  31                                        void *my_private_data,
  32                                        TALLOC_CTX *mem_ctx,
  33                                        const struct auth_usersupplied_info *user_info,
  34                                        struct auth_serversupplied_info **server_info)
  35 {
  36         NTSTATUS nt_status;
  37         wbcErr wbc_status;
  38         struct wbcAuthUserParams params;
  39         struct wbcAuthUserInfo *info = NULL;
  40         struct wbcAuthErrorInfo *err = NULL;
  41
  42         if (!user_info) {
  43                 return NT_STATUS_INVALID_PARAMETER;
  44         }
  45
  46         DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));
  47
  48         if (!auth_context) {
  49                 DEBUG(3,("Password for user %s cannot be checked because we have no auth_info to get the challenge from.\n",
  50                          user_info->mapped.account_name));
  51                 return NT_STATUS_INVALID_PARAMETER;
  52         }
  53
  54         if (strequal(user_info->mapped.domain_name, get_global_sam_name())) {
  55                 DEBUG(3,("check_winbind_security: Not using winbind, requested domain [%s] was for this SAM.\n",
  56                         user_info->mapped.domain_name));
  57                 return NT_STATUS_NOT_IMPLEMENTED;
  58         }
  59
  60         /* Send off request */
  61
  62         params.account_name     = user_info->client.account_name;
  63         params.domain_name      = user_info->mapped.domain_name;
  64         params.workstation_name = user_info->workstation_name;
  65
  66         params.flags            = 0;
  67         params.parameter_control= user_info->logon_parameters;
  68
  69         params.level            = WBC_AUTH_USER_LEVEL_RESPONSE;
  70
  71         memcpy(params.password.response.challenge,
  72                auth_context->challenge.data,
  73                sizeof(params.password.response.challenge));
  74
  75         params.password.response.nt_length      = user_info->nt_resp.length;
  76         if (params.password.response.nt_length) {
  77                 params.password.response.nt_data        = user_info->nt_resp.data;
  78         } else {
  79                 params.password.response.nt_data        = NULL;
  80         }
  81         params.password.response.lm_length      = user_info->lm_resp.length;
  82         if (params.password.response.lm_length) {
  83                 params.password.response.lm_data        = user_info->lm_resp.data;
  84         } else {
  85                 params.password.response.lm_data        = NULL;
  86         }
  87
  88         /* we are contacting the privileged pipe */
  89         become_root();
  90         wbc_status = wbcAuthenticateUserEx(&params, &info, &err);
  91         unbecome_root();
  92
  93         if (!WBC_ERROR_IS_OK(wbc_status)) {
  94                 DEBUG(10,("check_winbind_security: wbcAuthenticateUserEx failed: %s\n",
  95                         wbcErrorString(wbc_status)));
  96         }
  97
  98         if (wbc_status == WBC_ERR_NO_MEMORY) {
  99                 return NT_STATUS_NO_MEMORY;
 100         }
 101
 102         if (wbc_status == WBC_ERR_WINBIND_NOT_AVAILABLE) {
 103                 struct auth_methods *auth_method =
 104                         (struct auth_methods *)my_private_data;
 105
 106                 if ( auth_method )
 107                         return auth_method->auth(auth_context, auth_method->private_data,
 108                                 mem_ctx, user_info, server_info);
 109                 else
 110                         /* log an error since this should not happen */
 111                         DEBUG(0,("check_winbind_security: ERROR!  my_private_data == NULL!\n"));
 112         }
 113
 114         if (wbc_status == WBC_ERR_AUTH_ERROR) {
 115                 nt_status = NT_STATUS(err->nt_status);
 116                 wbcFreeMemory(err);
 117                 return nt_status;
 118         }
 119
 120         if (!WBC_ERROR_IS_OK(wbc_status)) {
 121                 return NT_STATUS_LOGON_FAILURE;
 122         }
 123
 124         nt_status = make_server_info_wbcAuthUserInfo(mem_ctx,
 125                                                      user_info->client.account_name,
 126                                                      user_info->mapped.domain_name,
 127                                                      info, server_info);
 128         wbcFreeMemory(info);
 129         if (!NT_STATUS_IS_OK(nt_status)) {
 130                 return nt_status;
 131         }
 132
 133         (*server_info)->nss_token |= user_info->was_mapped;
 134
 135         return nt_status;
 136 }
 137
 138 /* module initialisation */
 139 static NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
 140 {
 141         struct auth_methods *result;
 142
 143         result = TALLOC_ZERO_P(auth_context, struct auth_methods);
 144         if (result == NULL) {
 145                 return NT_STATUS_NO_MEMORY;
 146         }
 147         result->name = "winbind";
 148         result->auth = check_winbind_security;
 149
 150         if (param && *param) {
 151                 /* we load the 'fallback' module - if winbind isn't here, call this
 152                    module */
 153                 auth_methods *priv;
 154                 if (!load_auth_module(auth_context, param, &priv)) {
 155                         return NT_STATUS_UNSUCCESSFUL;
 156                 }
 157                 result->private_data = (void *)priv;
 158         }
 159
 160         *auth_method = result;
 161         return NT_STATUS_OK;
 162 }
 163
 164 NTSTATUS auth_winbind_init(void)
 165 {
 166         return smb_register_auth(AUTH_INTERFACE_VERSION, "winbind", auth_init_winbind);
 167 }