winbindd: use add_trusted_domain_from_auth
1 /*
2    Unix SMB/CIFS implementation.
3    async implementation of WINBINDD_PAM_AUTH_CRAP
4    Copyright (C) Volker Lendecke 2010
5
6    This program is free software; you can redistribute it and/or modify
7    it under the terms of the GNU General Public License as published by
8    the Free Software Foundation; either version 3 of the License, or
9    (at your option) any later version.
10
11    This program is distributed in the hope that it will be useful,
12    but WITHOUT ANY WARRANTY; without even the implied warranty of
13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14    GNU General Public License for more details.
15
16    You should have received a copy of the GNU General Public License
17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "winbindd.h"
22 #include "rpc_client/util_netlogon.h"
23 #include "libcli/security/dom_sid.h"
24
/* Per-request state shared between _send, _done and _recv. */
struct winbindd_pam_auth_crap_state {
	/* Reply collected in _done via wb_domain_request_recv(); not set on the PAC path. */
	struct winbindd_response *response;
	/* Filled in by winbindd_pam_auth_pac_send() when WBFLAG_PAM_AUTH_PAC is set. */
	struct netr_SamInfo3 *info3;
	/* Copy of request->flags, consulted again in _recv. */
	uint32_t flags;
};
30
/* Completion callback for the wb_domain_request issued by _send. */
static void winbindd_pam_auth_crap_done(struct tevent_req *subreq);
32
/*
 * Force a terminator onto the fixed-size string fields of the request.
 * The sender does not guarantee termination, so this has to happen before
 * the fields are logged or passed on as C strings.
 */
static void winbindd_pam_auth_crap_terminate_strings(
	struct winbindd_request *request)
{
	char *user = request->data.auth_crap.user;
	char *domain = request->data.auth_crap.domain;
	char *workstation = request->data.auth_crap.workstation;

	user[sizeof(request->data.auth_crap.user) - 1] = '\0';
	domain[sizeof(request->data.auth_crap.domain) - 1] = '\0';
	workstation[sizeof(request->data.auth_crap.workstation) - 1] = '\0';
}

/*
 * Start a WINBINDD_PAM_AUTH_CRAP request.
 *
 * With WBFLAG_PAM_AUTH_PAC the request is completed synchronously from the
 * PAC handed over by the client; otherwise the request is forwarded to the
 * domain selected by find_auth_domain() via wb_domain_request_send().
 *
 * Returns a tevent_req (possibly already posted as done/failed), or NULL
 * when the request itself could not be allocated.
 */
struct tevent_req *winbindd_pam_auth_crap_send(
	TALLOC_CTX *mem_ctx,
	struct tevent_context *ev,
	struct winbindd_cli_state *cli,
	struct winbindd_request *request)
{
	struct tevent_req *req = NULL;
	struct tevent_req *subreq = NULL;
	struct winbindd_pam_auth_crap_state *state = NULL;
	struct winbindd_domain *domain = NULL;
	const char *domain_name = NULL;

	req = tevent_req_create(mem_ctx, &state,
				struct winbindd_pam_auth_crap_state);
	if (req == NULL) {
		return NULL;
	}
	state->flags = request->flags;

	/* PAC-based logon: nothing to forward, the info3 is produced here. */
	if (state->flags & WBFLAG_PAM_AUTH_PAC) {
		NTSTATUS status = winbindd_pam_auth_pac_send(cli, &state->info3);

		if (!NT_STATUS_IS_OK(status)) {
			tevent_req_nterror(req, status);
		} else {
			/* The response itself is assembled in _recv. */
			tevent_req_done(req);
		}
		return tevent_req_post(req, ev);
	}

	winbindd_pam_auth_crap_terminate_strings(request);

	DEBUG(3, ("[%5lu]: pam auth crap domain: [%s] user: %s\n",
		  (unsigned long)cli->pid,
		  request->data.auth_crap.domain,
		  request->data.auth_crap.user));

	/* Reject flag combinations that cannot be honoured together. */
	if (!check_request_flags(request->flags)) {
		tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
		return tevent_req_post(req, ev);
	}

	/* An empty domain means "our own workgroup". */
	domain_name = request->data.auth_crap.domain;
	if (*domain_name == '\0') {
		domain_name = lp_workgroup();
	}

	domain = find_auth_domain(request->flags, domain_name);
	if (domain == NULL) {
		tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
		return tevent_req_post(req, ev);
	}

	/* An empty workstation defaults to our own NetBIOS name. */
	if (*request->data.auth_crap.workstation == '\0') {
		fstrcpy(request->data.auth_crap.workstation, lp_netbios_name());
	}

	subreq = wb_domain_request_send(state, server_event_context(), domain,
					request);
	if (tevent_req_nomem(subreq, req)) {
		return tevent_req_post(req, ev);
	}
	tevent_req_set_callback(subreq, winbindd_pam_auth_crap_done, req);
	return req;
}
107
/*
 * Callback for the wb_domain_request started in _send: collect the reply
 * into state->response and mark the outer request done, or map the unix
 * error reported by wb_domain_request_recv() onto an NTSTATUS failure.
 */
static void winbindd_pam_auth_crap_done(struct tevent_req *subreq)
{
	struct tevent_req *req = tevent_req_callback_data(
		subreq, struct tevent_req);
	struct winbindd_pam_auth_crap_state *state = tevent_req_data(
		req, struct winbindd_pam_auth_crap_state);
	int unix_err = 0;
	int ret;

	ret = wb_domain_request_recv(subreq, state, &state->response, &unix_err);
	TALLOC_FREE(subreq);
	if (ret != -1) {
		tevent_req_done(req);
		return;
	}
	tevent_req_nterror(req, map_nt_error_from_unix(unix_err));
}
124
/*
 * Complete a WBFLAG_PAM_AUTH_PAC request: turn the info3 obtained in _send
 * into a netr_Validation and append it to the response.
 *
 * Returns the status of the conversion or of append_auth_data().
 */
static NTSTATUS winbindd_pam_auth_crap_recv_pac(
	struct winbindd_pam_auth_crap_state *state,
	struct winbindd_response *response)
{
	union netr_Validation *validation = NULL;
	uint16_t validation_level = 0;
	NTSTATUS status;

	status = map_info3_to_validation(talloc_tos(),
					 state->info3,
					 &validation_level,
					 &validation);
	if (!NT_STATUS_IS_OK(status)) {
		/*
		 * NOTE(review): unlike the nterror path in _recv, a failure
		 * here does not go through set_auth_errors(); confirm callers
		 * cope with an unpopulated data.auth error block.
		 */
		return status;
	}

	status = append_auth_data(response,
				  response,
				  state->flags,
				  validation_level,
				  validation,
				  NULL, NULL);
	TALLOC_FREE(validation);
	return status;
}

/*
 * Collect the result of winbindd_pam_auth_crap_send() into @response.
 *
 * On a request-level failure the auth error fields are filled via
 * set_auth_errors() and that status is returned.  On the PAC path the
 * validation data is appended directly.  Otherwise the reply from the
 * domain request is copied into @response; when the logon succeeded and
 * WBFLAG_PAM_INFO3_TEXT was asked for, the domain named in the reply is
 * first registered with add_trusted_domain_from_auth().
 *
 * Returns the nt_status carried in the reply, or NT_STATUS_LOGON_FAILURE
 * when add_trusted_domain_from_auth() fails.
 */
NTSTATUS winbindd_pam_auth_crap_recv(struct tevent_req *req,
				     struct winbindd_response *response)
{
	struct winbindd_pam_auth_crap_state *state = tevent_req_data(
		req, struct winbindd_pam_auth_crap_state);
	NTSTATUS status;
	NTSTATUS auth_status;
	bool want_info3;

	if (tevent_req_is_nterror(req, &status)) {
		set_auth_errors(response, status);
		return status;
	}

	if (state->flags & WBFLAG_PAM_AUTH_PAC) {
		return winbindd_pam_auth_crap_recv_pac(state, response);
	}

	auth_status = NT_STATUS(state->response->data.auth.nt_status);
	want_info3 = (state->flags & WBFLAG_PAM_INFO3_TEXT) != 0;

	if (want_info3 && NT_STATUS_IS_OK(auth_status)) {
		bool ok = add_trusted_domain_from_auth(
			state->response->data.auth.validation_level,
			&state->response->data.auth.info3,
			&state->response->data.auth.info6);

		if (!ok) {
			DBG_ERR("add_trusted_domain_from_auth failed\n");
			set_auth_errors(response, NT_STATUS_LOGON_FAILURE);
			return NT_STATUS_LOGON_FAILURE;
		}
	}

	/*
	 * Shallow-copy the reply into the caller's response, then reparent
	 * the original under it -- presumably so that talloc'd data the copy
	 * still points into stays alive as long as the caller's response.
	 * Keep these three statements in this order.
	 */
	*response = *state->response;
	response->result = WINBINDD_PENDING;
	state->response = talloc_move(response, &state->response);
	return NT_STATUS(response->data.auth.nt_status);
}