2 Unix SMB/CIFS implementation.
4 Winbind daemon - pam auth funcions
6 Copyright (C) Andrew Tridgell 2000
7 Copyright (C) Tim Potter 2001
8 Copyright (C) Andrew Bartlett 2001-2002
9 Copyright (C) Guenther Deschner 2005
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include "../libcli/auth/libcli_auth.h"
28 #include "../librpc/gen_ndr/cli_samr.h"
32 #define DBGC_CLASS DBGC_WINBIND
34 #define LOGON_KRB5_FAIL_CLOCK_SKEW 0x02000000
36 static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx,
37 struct winbindd_cli_state *state,
38 struct netr_SamInfo3 *info3)
43 state->response->data.auth.info3.logon_time =
44 nt_time_to_unix(info3->base.last_logon);
45 state->response->data.auth.info3.logoff_time =
46 nt_time_to_unix(info3->base.last_logoff);
47 state->response->data.auth.info3.kickoff_time =
48 nt_time_to_unix(info3->base.acct_expiry);
49 state->response->data.auth.info3.pass_last_set_time =
50 nt_time_to_unix(info3->base.last_password_change);
51 state->response->data.auth.info3.pass_can_change_time =
52 nt_time_to_unix(info3->base.allow_password_change);
53 state->response->data.auth.info3.pass_must_change_time =
54 nt_time_to_unix(info3->base.force_password_change);
56 state->response->data.auth.info3.logon_count = info3->base.logon_count;
57 state->response->data.auth.info3.bad_pw_count = info3->base.bad_password_count;
59 state->response->data.auth.info3.user_rid = info3->base.rid;
60 state->response->data.auth.info3.group_rid = info3->base.primary_gid;
61 sid_to_fstring(state->response->data.auth.info3.dom_sid, info3->base.domain_sid);
63 state->response->data.auth.info3.num_groups = info3->base.groups.count;
64 state->response->data.auth.info3.user_flgs = info3->base.user_flags;
66 state->response->data.auth.info3.acct_flags = info3->base.acct_flags;
67 state->response->data.auth.info3.num_other_sids = info3->sidcount;
69 fstrcpy(state->response->data.auth.info3.user_name,
70 info3->base.account_name.string);
71 fstrcpy(state->response->data.auth.info3.full_name,
72 info3->base.full_name.string);
73 fstrcpy(state->response->data.auth.info3.logon_script,
74 info3->base.logon_script.string);
75 fstrcpy(state->response->data.auth.info3.profile_path,
76 info3->base.profile_path.string);
77 fstrcpy(state->response->data.auth.info3.home_dir,
78 info3->base.home_directory.string);
79 fstrcpy(state->response->data.auth.info3.dir_drive,
80 info3->base.home_drive.string);
82 fstrcpy(state->response->data.auth.info3.logon_srv,
83 info3->base.logon_server.string);
84 fstrcpy(state->response->data.auth.info3.logon_dom,
85 info3->base.domain.string);
87 ex = talloc_strdup(state->mem_ctx, "");
88 NT_STATUS_HAVE_NO_MEMORY(ex);
90 for (i=0; i < info3->base.groups.count; i++) {
91 ex = talloc_asprintf_append_buffer(ex, "0x%08X:0x%08X\n",
92 info3->base.groups.rids[i].rid,
93 info3->base.groups.rids[i].attributes);
94 NT_STATUS_HAVE_NO_MEMORY(ex);
97 for (i=0; i < info3->sidcount; i++) {
100 sid = dom_sid_string(mem_ctx, info3->sids[i].sid);
101 NT_STATUS_HAVE_NO_MEMORY(sid);
103 ex = talloc_asprintf_append_buffer(ex, "%s:0x%08X\n",
105 info3->sids[i].attributes);
106 NT_STATUS_HAVE_NO_MEMORY(ex);
111 state->response->extra_data.data = ex;
112 state->response->length += talloc_get_size(ex);
117 static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx,
118 struct winbindd_cli_state *state,
119 struct netr_SamInfo3 *info3)
122 enum ndr_err_code ndr_err;
124 ndr_err = ndr_push_struct_blob(&blob, mem_ctx, NULL, info3,
125 (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3);
126 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
127 DEBUG(0,("append_info3_as_ndr: failed to append\n"));
128 return ndr_map_error2ntstatus(ndr_err);
131 state->response->extra_data.data = blob.data;
132 state->response->length += blob.length;
137 static NTSTATUS append_unix_username(TALLOC_CTX *mem_ctx,
138 struct winbindd_cli_state *state,
139 const struct netr_SamInfo3 *info3,
140 const char *name_domain,
141 const char *name_user)
143 /* We've been asked to return the unix username, per
144 'winbind use default domain' settings and the like */
146 const char *nt_username, *nt_domain;
148 nt_domain = talloc_strdup(mem_ctx, info3->base.domain.string);
150 /* If the server didn't give us one, just use the one
152 nt_domain = name_domain;
155 nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
157 /* If the server didn't give us one, just use the one
159 nt_username = name_user;
162 fill_domain_username(state->response->data.auth.unix_username,
163 nt_domain, nt_username, true);
165 DEBUG(5,("Setting unix username to [%s]\n",
166 state->response->data.auth.unix_username));
171 static NTSTATUS append_afs_token(TALLOC_CTX *mem_ctx,
172 struct winbindd_cli_state *state,
173 const struct netr_SamInfo3 *info3,
174 const char *name_domain,
175 const char *name_user)
177 char *afsname = NULL;
181 afsname = talloc_strdup(mem_ctx, lp_afs_username_map());
182 if (afsname == NULL) {
183 return NT_STATUS_NO_MEMORY;
186 afsname = talloc_string_sub(mem_ctx,
187 lp_afs_username_map(),
189 afsname = talloc_string_sub(mem_ctx, afsname,
191 afsname = talloc_string_sub(mem_ctx, afsname,
198 sid_copy(&user_sid, info3->base.domain_sid);
199 sid_append_rid(&user_sid, info3->base.rid);
200 sid_to_fstring(sidstr, &user_sid);
201 afsname = talloc_string_sub(mem_ctx, afsname,
205 if (afsname == NULL) {
206 return NT_STATUS_NO_MEMORY;
211 DEBUG(10, ("Generating token for user %s\n", afsname));
213 cell = strchr(afsname, '@');
216 return NT_STATUS_NO_MEMORY;
222 token = afs_createtoken_str(afsname, cell);
226 state->response->extra_data.data = talloc_strdup(state->mem_ctx,
228 if (state->response->extra_data.data == NULL) {
229 return NT_STATUS_NO_MEMORY;
231 state->response->length +=
232 strlen((const char *)state->response->extra_data.data)+1;
237 NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
238 const char *group_sid)
240 * Check whether a user belongs to a group or list of groups.
242 * @param mem_ctx talloc memory context.
243 * @param info3 user information, including group membership info.
244 * @param group_sid One or more groups , separated by commas.
246 * @return NT_STATUS_OK on success,
247 * NT_STATUS_LOGON_FAILURE if the user does not belong,
248 * or other NT_STATUS_IS_ERR(status) for other kinds of failure.
251 DOM_SID *require_membership_of_sid;
252 size_t num_require_membership_of_sid;
257 struct nt_user_token *token;
258 TALLOC_CTX *frame = talloc_stackframe();
261 /* Parse the 'required group' SID */
263 if (!group_sid || !group_sid[0]) {
264 /* NO sid supplied, all users may access */
268 token = talloc_zero(talloc_tos(), struct nt_user_token);
270 DEBUG(0, ("talloc failed\n"));
272 return NT_STATUS_NO_MEMORY;
275 num_require_membership_of_sid = 0;
276 require_membership_of_sid = NULL;
280 while (next_token_talloc(talloc_tos(), &p, &req_sid, ",")) {
281 if (!string_to_sid(&sid, req_sid)) {
282 DEBUG(0, ("check_info3_in_group: could not parse %s "
283 "as a SID!", req_sid));
285 return NT_STATUS_INVALID_PARAMETER;
288 status = add_sid_to_array(talloc_tos(), &sid,
289 &require_membership_of_sid,
290 &num_require_membership_of_sid);
291 if (!NT_STATUS_IS_OK(status)) {
292 DEBUG(0, ("add_sid_to_array failed\n"));
298 status = sid_array_from_info3(talloc_tos(), info3,
302 if (!NT_STATUS_IS_OK(status)) {
307 if (!NT_STATUS_IS_OK(status = add_aliases(get_global_sam_sid(),
309 || !NT_STATUS_IS_OK(status = add_aliases(&global_sid_Builtin,
311 DEBUG(3, ("could not add aliases: %s\n",
317 debug_nt_user_token(DBGC_CLASS, 10, token);
319 for (i=0; i<num_require_membership_of_sid; i++) {
320 DEBUG(10, ("Checking SID %s\n", sid_string_dbg(
321 &require_membership_of_sid[i])));
322 if (nt_token_check_sid(&require_membership_of_sid[i],
324 DEBUG(10, ("Access ok\n"));
330 /* Do not distinguish this error from a wrong username/pw */
333 return NT_STATUS_LOGON_FAILURE;
336 struct winbindd_domain *find_auth_domain(uint8_t flags,
337 const char *domain_name)
339 struct winbindd_domain *domain;
342 domain = find_domain_from_name_noinit(domain_name);
343 if (domain == NULL) {
344 DEBUG(3, ("Authentication for domain [%s] refused "
345 "as it is not a trusted domain\n",
351 if (is_myname(domain_name)) {
352 DEBUG(3, ("Authentication for domain %s (local domain "
353 "to this server) not supported at this "
354 "stage\n", domain_name));
358 /* we can auth against trusted domains */
359 if (flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
360 domain = find_domain_from_name_noinit(domain_name);
361 if (domain == NULL) {
362 DEBUG(3, ("Authentication for domain [%s] skipped "
363 "as it is not a trusted domain\n",
370 return find_our_domain();
373 static void fill_in_password_policy(struct winbindd_response *r,
374 const struct samr_DomInfo1 *p)
376 r->data.auth.policy.min_length_password =
377 p->min_password_length;
378 r->data.auth.policy.password_history =
379 p->password_history_length;
380 r->data.auth.policy.password_properties =
381 p->password_properties;
382 r->data.auth.policy.expire =
383 nt_time_to_unix_abs((NTTIME *)&(p->max_password_age));
384 r->data.auth.policy.min_passwordage =
385 nt_time_to_unix_abs((NTTIME *)&(p->min_password_age));
388 static NTSTATUS fillup_password_policy(struct winbindd_domain *domain,
389 struct winbindd_cli_state *state)
391 struct winbindd_methods *methods;
392 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
393 struct samr_DomInfo1 password_policy;
395 if ( !winbindd_can_contact_domain( domain ) ) {
396 DEBUG(5,("fillup_password_policy: No inbound trust to "
397 "contact domain %s\n", domain->name));
398 return NT_STATUS_NOT_SUPPORTED;
401 methods = domain->methods;
403 status = methods->password_policy(domain, state->mem_ctx, &password_policy);
404 if (NT_STATUS_IS_ERR(status)) {
408 fill_in_password_policy(state->response, &password_policy);
413 static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain *domain,
415 uint16 *lockout_threshold)
417 struct winbindd_methods *methods;
418 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
419 struct samr_DomInfo12 lockout_policy;
421 *lockout_threshold = 0;
423 methods = domain->methods;
425 status = methods->lockout_policy(domain, mem_ctx, &lockout_policy);
426 if (NT_STATUS_IS_ERR(status)) {
430 *lockout_threshold = lockout_policy.lockout_threshold;
435 static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
437 uint32 *password_properties)
439 struct winbindd_methods *methods;
440 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
441 struct samr_DomInfo1 password_policy;
443 *password_properties = 0;
445 methods = domain->methods;
447 status = methods->password_policy(domain, mem_ctx, &password_policy);
448 if (NT_STATUS_IS_ERR(status)) {
452 *password_properties = password_policy.password_properties;
459 static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
462 bool *internal_ccache)
464 /* accept FILE and WRFILE as krb5_cc_type from the client and then
465 * build the full ccname string based on the user's uid here -
468 const char *gen_cc = NULL;
470 *internal_ccache = true;
476 if (!type || type[0] == '\0') {
480 if (strequal(type, "FILE")) {
481 gen_cc = talloc_asprintf(mem_ctx, "FILE:/tmp/krb5cc_%d", uid);
482 } else if (strequal(type, "WRFILE")) {
483 gen_cc = talloc_asprintf(mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
485 DEBUG(10,("we don't allow to set a %s type ccache\n", type));
489 *internal_ccache = false;
493 gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbindd_pam_ccache");
496 if (gen_cc == NULL) {
497 DEBUG(0,("out of memory\n"));
501 DEBUG(10,("using ccache: %s %s\n", gen_cc, *internal_ccache ? "(internal)":""));
506 static void setup_return_cc_name(struct winbindd_cli_state *state, const char *cc)
508 const char *type = state->request->data.auth.krb5_cc_type;
510 state->response->data.auth.krb5ccname[0] = '\0';
512 if (type[0] == '\0') {
516 if (!strequal(type, "FILE") &&
517 !strequal(type, "WRFILE")) {
518 DEBUG(10,("won't return krbccname for a %s type ccache\n",
523 fstrcpy(state->response->data.auth.krb5ccname, cc);
528 static uid_t get_uid_from_state(struct winbindd_cli_state *state)
532 uid = state->request->data.auth.uid;
535 DEBUG(1,("invalid uid: '%u'\n", (unsigned int)uid));
541 /**********************************************************************
542 Authenticate a user with a clear text password using Kerberos and fill up
544 **********************************************************************/
546 static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
547 struct winbindd_cli_state *state,
548 struct netr_SamInfo3 **info3)
551 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
552 krb5_error_code krb5_ret;
553 const char *cc = NULL;
554 const char *principal_s = NULL;
555 const char *service = NULL;
557 fstring name_domain, name_user;
558 time_t ticket_lifetime = 0;
559 time_t renewal_until = 0;
562 time_t time_offset = 0;
563 bool internal_ccache = true;
570 * prepare a krb5_cc_cache string for the user */
572 uid = get_uid_from_state(state);
574 DEBUG(0,("no valid uid\n"));
577 cc = generate_krb5_ccache(state->mem_ctx,
578 state->request->data.auth.krb5_cc_type,
579 state->request->data.auth.uid,
582 return NT_STATUS_NO_MEMORY;
587 * get kerberos properties */
589 if (domain->private_data) {
590 ads = (ADS_STRUCT *)domain->private_data;
591 time_offset = ads->auth.time_offset;
596 * do kerberos auth and setup ccache as the user */
598 parse_domain_user(state->request->data.auth.user, name_domain, name_user);
600 realm = domain->alt_name;
603 principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
604 if (principal_s == NULL) {
605 return NT_STATUS_NO_MEMORY;
608 service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
609 if (service == NULL) {
610 return NT_STATUS_NO_MEMORY;
613 /* if this is a user ccache, we need to act as the user to let the krb5
614 * library handle the chown, etc. */
616 /************************ ENTERING NON-ROOT **********************/
618 if (!internal_ccache) {
619 set_effective_uid(uid);
620 DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
623 result = kerberos_return_info3_from_pac(state->mem_ctx,
625 state->request->data.auth.pass,
632 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
635 if (!internal_ccache) {
636 gain_root_privilege();
639 /************************ RETURNED TO ROOT **********************/
641 if (!NT_STATUS_IS_OK(result)) {
645 DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
648 /* if we had a user's ccache then return that string for the pam
651 if (!internal_ccache) {
653 setup_return_cc_name(state, cc);
655 result = add_ccache_to_list(principal_s,
658 state->request->data.auth.user,
666 if (!NT_STATUS_IS_OK(result)) {
667 DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
672 /* need to delete the memory cred cache, it is not used anymore */
674 krb5_ret = ads_kdestroy(cc);
676 DEBUG(3,("winbindd_raw_kerberos_login: "
677 "could not destroy krb5 credential cache: "
678 "%s\n", error_message(krb5_ret)));
687 /* we could have created a new credential cache with a valid tgt in it
688 * but we werent able to get or verify the service ticket for this
689 * local host and therefor didn't get the PAC, we need to remove that
690 * cache entirely now */
692 krb5_ret = ads_kdestroy(cc);
694 DEBUG(3,("winbindd_raw_kerberos_login: "
695 "could not destroy krb5 credential cache: "
696 "%s\n", error_message(krb5_ret)));
699 if (!NT_STATUS_IS_OK(remove_ccache(state->request->data.auth.user))) {
700 DEBUG(3,("winbindd_raw_kerberos_login: "
701 "could not remove ccache for user %s\n",
702 state->request->data.auth.user));
707 return NT_STATUS_NOT_SUPPORTED;
708 #endif /* HAVE_KRB5 */
711 /****************************************************************
712 ****************************************************************/
714 bool check_request_flags(uint32_t flags)
716 uint32_t flags_edata = WBFLAG_PAM_AFS_TOKEN |
717 WBFLAG_PAM_INFO3_TEXT |
718 WBFLAG_PAM_INFO3_NDR;
720 if ( ( (flags & flags_edata) == WBFLAG_PAM_AFS_TOKEN) ||
721 ( (flags & flags_edata) == WBFLAG_PAM_INFO3_NDR) ||
722 ( (flags & flags_edata) == WBFLAG_PAM_INFO3_TEXT)||
723 !(flags & flags_edata) ) {
727 DEBUG(1, ("check_request_flags: invalid request flags[0x%08X]\n",
733 /****************************************************************
734 ****************************************************************/
736 NTSTATUS append_auth_data(struct winbindd_cli_state *state,
737 struct netr_SamInfo3 *info3,
738 const char *name_domain,
739 const char *name_user)
742 uint32_t flags = state->request->flags;
744 if (flags & WBFLAG_PAM_USER_SESSION_KEY) {
745 memcpy(state->response->data.auth.user_session_key,
747 sizeof(state->response->data.auth.user_session_key)
751 if (flags & WBFLAG_PAM_LMKEY) {
752 memcpy(state->response->data.auth.first_8_lm_hash,
753 info3->base.LMSessKey.key,
754 sizeof(state->response->data.auth.first_8_lm_hash)
758 if (flags & WBFLAG_PAM_INFO3_TEXT) {
759 result = append_info3_as_txt(state->mem_ctx, state, info3);
760 if (!NT_STATUS_IS_OK(result)) {
761 DEBUG(10,("Failed to append INFO3 (TXT): %s\n",
767 /* currently, anything from here on potentially overwrites extra_data. */
769 if (flags & WBFLAG_PAM_INFO3_NDR) {
770 result = append_info3_as_ndr(state->mem_ctx, state, info3);
771 if (!NT_STATUS_IS_OK(result)) {
772 DEBUG(10,("Failed to append INFO3 (NDR): %s\n",
778 if (flags & WBFLAG_PAM_UNIX_NAME) {
779 result = append_unix_username(state->mem_ctx, state, info3,
780 name_domain, name_user);
781 if (!NT_STATUS_IS_OK(result)) {
782 DEBUG(10,("Failed to append Unix Username: %s\n",
788 if (flags & WBFLAG_PAM_AFS_TOKEN) {
789 result = append_afs_token(state->mem_ctx, state, info3,
790 name_domain, name_user);
791 if (!NT_STATUS_IS_OK(result)) {
792 DEBUG(10,("Failed to append AFS token: %s\n",
801 void winbindd_pam_auth(struct winbindd_cli_state *state)
803 struct winbindd_domain *domain;
804 fstring name_domain, name_user;
807 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
809 /* Ensure null termination */
810 state->request->data.auth.user
811 [sizeof(state->request->data.auth.user)-1]='\0';
813 /* Ensure null termination */
814 state->request->data.auth.pass
815 [sizeof(state->request->data.auth.pass)-1]='\0';
817 DEBUG(3, ("[%5lu]: pam auth %s\n", (unsigned long)state->pid,
818 state->request->data.auth.user));
820 if (!check_request_flags(state->request->flags)) {
821 result = NT_STATUS_INVALID_PARAMETER_MIX;
825 /* Parse domain and username */
827 name_map_status = normalize_name_unmap(state->mem_ctx,
828 state->request->data.auth.user,
831 /* Update the auth name if we did any mapping */
833 if (NT_STATUS_IS_OK(name_map_status) ||
834 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
836 fstrcpy(state->request->data.auth.user, mapped);
839 if (!canonicalize_username(state->request->data.auth.user, name_domain, name_user)) {
840 result = NT_STATUS_NO_SUCH_USER;
844 domain = find_auth_domain(state->request->flags, name_domain);
846 if (domain == NULL) {
847 result = NT_STATUS_NO_SUCH_USER;
851 sendto_domain(state, domain);
854 set_auth_errors(state->response, result);
855 DEBUG(5, ("Plain text authentication for %s returned %s "
857 state->request->data.auth.user,
858 state->response->data.auth.nt_status_string,
859 state->response->data.auth.pam_error));
860 request_error(state);
863 static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
864 struct winbindd_cli_state *state,
865 struct netr_SamInfo3 **info3)
867 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
868 uint16 max_allowed_bad_attempts;
869 fstring name_domain, name_user;
871 enum lsa_SidType type;
872 uchar new_nt_pass[NT_HASH_LEN];
873 const uint8 *cached_nt_pass;
874 const uint8 *cached_salt;
875 struct netr_SamInfo3 *my_info3;
876 time_t kickoff_time, must_change_time;
877 bool password_good = false;
879 struct winbindd_tdc_domain *tdc_domain = NULL;
886 DEBUG(10,("winbindd_dual_pam_auth_cached\n"));
888 /* Parse domain and username */
890 parse_domain_user(state->request->data.auth.user, name_domain, name_user);
893 if (!lookup_cached_name(state->mem_ctx,
898 DEBUG(10,("winbindd_dual_pam_auth_cached: no such user in the cache\n"));
899 return NT_STATUS_NO_SUCH_USER;
902 if (type != SID_NAME_USER) {
903 DEBUG(10,("winbindd_dual_pam_auth_cached: not a user (%s)\n", sid_type_lookup(type)));
904 return NT_STATUS_LOGON_FAILURE;
907 result = winbindd_get_creds(domain,
913 if (!NT_STATUS_IS_OK(result)) {
914 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get creds: %s\n", nt_errstr(result)));
920 E_md4hash(state->request->data.auth.pass, new_nt_pass);
922 dump_data_pw("new_nt_pass", new_nt_pass, NT_HASH_LEN);
923 dump_data_pw("cached_nt_pass", cached_nt_pass, NT_HASH_LEN);
925 dump_data_pw("cached_salt", cached_salt, NT_HASH_LEN);
929 /* In this case we didn't store the nt_hash itself,
930 but the MD5 combination of salt + nt_hash. */
931 uchar salted_hash[NT_HASH_LEN];
932 E_md5hash(cached_salt, new_nt_pass, salted_hash);
934 password_good = (memcmp(cached_nt_pass, salted_hash,
937 /* Old cached cred - direct store of nt_hash (bad bad bad !). */
938 password_good = (memcmp(cached_nt_pass, new_nt_pass,
944 /* User *DOES* know the password, update logon_time and reset
947 my_info3->base.user_flags |= NETLOGON_CACHED_ACCOUNT;
949 if (my_info3->base.acct_flags & ACB_AUTOLOCK) {
950 return NT_STATUS_ACCOUNT_LOCKED_OUT;
953 if (my_info3->base.acct_flags & ACB_DISABLED) {
954 return NT_STATUS_ACCOUNT_DISABLED;
957 if (my_info3->base.acct_flags & ACB_WSTRUST) {
958 return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
961 if (my_info3->base.acct_flags & ACB_SVRTRUST) {
962 return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
965 if (my_info3->base.acct_flags & ACB_DOMTRUST) {
966 return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
969 if (!(my_info3->base.acct_flags & ACB_NORMAL)) {
970 DEBUG(0,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
971 my_info3->base.acct_flags));
972 return NT_STATUS_LOGON_FAILURE;
975 kickoff_time = nt_time_to_unix(my_info3->base.acct_expiry);
976 if (kickoff_time != 0 && time(NULL) > kickoff_time) {
977 return NT_STATUS_ACCOUNT_EXPIRED;
980 must_change_time = nt_time_to_unix(my_info3->base.force_password_change);
981 if (must_change_time != 0 && must_change_time < time(NULL)) {
982 /* we allow grace logons when the password has expired */
983 my_info3->base.user_flags |= NETLOGON_GRACE_LOGON;
984 /* return NT_STATUS_PASSWORD_EXPIRED; */
989 if ((state->request->flags & WBFLAG_PAM_KRB5) &&
990 ((tdc_domain = wcache_tdc_fetch_domain(state->mem_ctx, name_domain)) != NULL) &&
991 ((tdc_domain->trust_type & NETR_TRUST_TYPE_UPLEVEL) ||
992 /* used to cope with the case winbindd starting without network. */
993 !strequal(tdc_domain->domain_name, tdc_domain->dns_name))) {
996 const char *cc = NULL;
998 const char *principal_s = NULL;
999 const char *service = NULL;
1000 bool internal_ccache = false;
1002 uid = get_uid_from_state(state);
1004 DEBUG(0,("winbindd_dual_pam_auth_cached: invalid uid\n"));
1005 return NT_STATUS_INVALID_PARAMETER;
1008 cc = generate_krb5_ccache(state->mem_ctx,
1009 state->request->data.auth.krb5_cc_type,
1010 state->request->data.auth.uid,
1013 return NT_STATUS_NO_MEMORY;
1016 realm = domain->alt_name;
1019 principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
1020 if (principal_s == NULL) {
1021 return NT_STATUS_NO_MEMORY;
1024 service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
1025 if (service == NULL) {
1026 return NT_STATUS_NO_MEMORY;
1029 if (!internal_ccache) {
1031 setup_return_cc_name(state, cc);
1033 result = add_ccache_to_list(principal_s,
1036 state->request->data.auth.user,
1040 time(NULL) + lp_winbind_cache_time(),
1041 time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
1044 if (!NT_STATUS_IS_OK(result)) {
1045 DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
1046 "to add ccache to list: %s\n",
1047 nt_errstr(result)));
1051 #endif /* HAVE_KRB5 */
1053 /* FIXME: we possibly should handle logon hours as well (does xp when
1054 * offline?) see auth/auth_sam.c:sam_account_ok for details */
1056 unix_to_nt_time(&my_info3->base.last_logon, time(NULL));
1057 my_info3->base.bad_password_count = 0;
1059 result = winbindd_update_creds_by_info3(domain,
1061 state->request->data.auth.user,
1062 state->request->data.auth.pass,
1064 if (!NT_STATUS_IS_OK(result)) {
1065 DEBUG(1,("winbindd_dual_pam_auth_cached: failed to update creds: %s\n",
1066 nt_errstr(result)));
1070 return NT_STATUS_OK;
1074 /* User does *NOT* know the correct password, modify info3 accordingly, but only if online */
1075 if (domain->online == false) {
1079 /* failure of this is not critical */
1080 result = get_max_bad_attempts_from_lockout_policy(domain, state->mem_ctx, &max_allowed_bad_attempts);
1081 if (!NT_STATUS_IS_OK(result)) {
1082 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get max_allowed_bad_attempts. "
1083 "Won't be able to honour account lockout policies\n"));
1086 /* increase counter */
1087 my_info3->base.bad_password_count++;
1089 if (max_allowed_bad_attempts == 0) {
1094 if (my_info3->base.bad_password_count >= max_allowed_bad_attempts) {
1096 uint32 password_properties;
1098 result = get_pwd_properties(domain, state->mem_ctx, &password_properties);
1099 if (!NT_STATUS_IS_OK(result)) {
1100 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
1103 if ((my_info3->base.rid != DOMAIN_USER_RID_ADMIN) ||
1104 (password_properties & DOMAIN_PASSWORD_LOCKOUT_ADMINS)) {
1105 my_info3->base.acct_flags |= ACB_AUTOLOCK;
1110 result = winbindd_update_creds_by_info3(domain,
1112 state->request->data.auth.user,
1116 if (!NT_STATUS_IS_OK(result)) {
1117 DEBUG(0,("winbindd_dual_pam_auth_cached: failed to update creds %s\n",
1118 nt_errstr(result)));
1121 return NT_STATUS_LOGON_FAILURE;
1124 static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
1125 struct winbindd_cli_state *state,
1126 struct netr_SamInfo3 **info3)
1128 struct winbindd_domain *contact_domain;
1129 fstring name_domain, name_user;
1132 DEBUG(10,("winbindd_dual_pam_auth_kerberos\n"));
1134 /* Parse domain and username */
1136 parse_domain_user(state->request->data.auth.user, name_domain, name_user);
1138 /* what domain should we contact? */
1141 if (!(contact_domain = find_domain_from_name(name_domain))) {
1142 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1143 state->request->data.auth.user, name_domain, name_user, name_domain));
1144 result = NT_STATUS_NO_SUCH_USER;
1149 if (is_myname(name_domain)) {
1150 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1151 result = NT_STATUS_NO_SUCH_USER;
1155 contact_domain = find_domain_from_name(name_domain);
1156 if (contact_domain == NULL) {
1157 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1158 state->request->data.auth.user, name_domain, name_user, name_domain));
1160 contact_domain = find_our_domain();
1164 if (contact_domain->initialized &&
1165 contact_domain->active_directory) {
1169 if (!contact_domain->initialized) {
1170 init_dc_connection(contact_domain);
1173 if (!contact_domain->active_directory) {
1174 DEBUG(3,("krb5 auth requested but domain is not Active Directory\n"));
1175 return NT_STATUS_INVALID_LOGON_TYPE;
1178 result = winbindd_raw_kerberos_login(contact_domain, state, info3);
1183 typedef NTSTATUS (*netlogon_fn_t)(struct rpc_pipe_client *cli,
1184 TALLOC_CTX *mem_ctx,
1185 uint32 logon_parameters,
1187 const char *username,
1189 const char *workstation,
1190 const uint8 chal[8],
1191 uint16_t validation_level,
1192 DATA_BLOB lm_response,
1193 DATA_BLOB nt_response,
1194 struct netr_SamInfo3 **info3);
1196 static NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
1197 struct winbindd_cli_state *state,
1198 struct netr_SamInfo3 **info3)
1201 struct rpc_pipe_client *netlogon_pipe;
1206 unsigned char local_lm_response[24];
1207 unsigned char local_nt_response[24];
1208 struct winbindd_domain *contact_domain;
1209 fstring name_domain, name_user;
1212 struct netr_SamInfo3 *my_info3 = NULL;
1216 DEBUG(10,("winbindd_dual_pam_auth_samlogon\n"));
1218 /* Parse domain and username */
1220 parse_domain_user(state->request->data.auth.user, name_domain, name_user);
1222 /* do password magic */
1225 generate_random_buffer(chal, 8);
1226 if (lp_client_ntlmv2_auth()) {
1227 DATA_BLOB server_chal;
1228 DATA_BLOB names_blob;
1229 DATA_BLOB nt_response;
1230 DATA_BLOB lm_response;
1231 server_chal = data_blob_talloc(state->mem_ctx, chal, 8);
1233 /* note that the 'workgroup' here is a best guess - we don't know
1234 the server's domain at this point. The 'server name' is also
1237 names_blob = NTLMv2_generate_names_blob(state->mem_ctx, global_myname(), lp_workgroup());
1239 if (!SMBNTLMv2encrypt(NULL, name_user, name_domain,
1240 state->request->data.auth.pass,
1243 &lm_response, &nt_response, NULL, NULL)) {
1244 data_blob_free(&names_blob);
1245 data_blob_free(&server_chal);
1246 DEBUG(0, ("winbindd_pam_auth: SMBNTLMv2encrypt() failed!\n"));
1247 result = NT_STATUS_NO_MEMORY;
1250 data_blob_free(&names_blob);
1251 data_blob_free(&server_chal);
1252 lm_resp = data_blob_talloc(state->mem_ctx, lm_response.data,
1253 lm_response.length);
1254 nt_resp = data_blob_talloc(state->mem_ctx, nt_response.data,
1255 nt_response.length);
1256 data_blob_free(&lm_response);
1257 data_blob_free(&nt_response);
1260 if (lp_client_lanman_auth()
1261 && SMBencrypt(state->request->data.auth.pass,
1263 local_lm_response)) {
1264 lm_resp = data_blob_talloc(state->mem_ctx,
1266 sizeof(local_lm_response));
1268 lm_resp = data_blob_null;
1270 SMBNTencrypt(state->request->data.auth.pass,
1274 nt_resp = data_blob_talloc(state->mem_ctx,
1276 sizeof(local_nt_response));
1279 /* what domain should we contact? */
1282 if (!(contact_domain = find_domain_from_name(name_domain))) {
1283 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1284 state->request->data.auth.user, name_domain, name_user, name_domain));
1285 result = NT_STATUS_NO_SUCH_USER;
1290 if (is_myname(name_domain)) {
1291 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1292 result = NT_STATUS_NO_SUCH_USER;
1296 contact_domain = find_our_domain();
1299 /* check authentication loop */
1302 netlogon_fn_t logon_fn;
1303 const struct cli_pipe_auth_data *auth;
1304 uint32_t neg_flags = 0;
1306 ZERO_STRUCTP(my_info3);
1309 result = cm_connect_netlogon(contact_domain, &netlogon_pipe);
1311 if (!NT_STATUS_IS_OK(result)) {
1312 DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
1315 auth = netlogon_pipe->auth;
1316 if (netlogon_pipe->dc) {
1317 neg_flags = netlogon_pipe->dc->negotiate_flags;
1320 /* It is really important to try SamLogonEx here,
1321 * because in a clustered environment, we want to use
1322 * one machine account from multiple physical
1325 * With a normal SamLogon call, we must keep the
1326 * credentials chain updated and intact between all
1327 * users of the machine account (which would imply
1328 * cross-node communication for every NTLM logon).
1330 * (The credentials chain is not per NETLOGON pipe
1331 * connection, but globally on the server/client pair
1334 * When using SamLogonEx, the credentials are not
1335 * supplied, but the session key is implied by the
1336 * wrapping SamLogon context.
1338 * -- abartlet 21 April 2008
1340 * It's also important to use NetlogonValidationSamInfo4 (6),
1341 * because it relies on the rpc transport encryption
1342 * and avoids using the global netlogon schannel
1343 * session key to en/decrypt secret information
1344 * like the user_session_key for network logons.
1346 * [MS-APDS] 3.1.5.2 NTLM Network Logon
1347 * says NETLOGON_NEG_CROSS_FOREST_TRUSTS and
1348 * NETLOGON_NEG_AUTHENTICATED_RPC set together
1349 * are the indication that the server supports
1350 * NetlogonValidationSamInfo4 (6). And must only
1351 * be used if "SealSecureChannel" is used.
1353 * -- metze 4 February 2011
1357 domain->can_do_validation6 = false;
1358 } else if (auth->auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1359 domain->can_do_validation6 = false;
1360 } else if (auth->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
1361 domain->can_do_validation6 = false;
1362 } else if (!(neg_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
1363 domain->can_do_validation6 = false;
1364 } else if (!(neg_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
1365 domain->can_do_validation6 = false;
1368 logon_fn = (contact_domain->can_do_samlogon_ex && domain->can_do_validation6)
1369 ? rpccli_netlogon_sam_network_logon_ex
1370 : rpccli_netlogon_sam_network_logon;
1372 result = logon_fn(netlogon_pipe,
1375 contact_domain->dcname, /* server name */
1376 name_user, /* user name */
1377 name_domain, /* target domain */
1378 global_myname(), /* workstation */
1380 domain->can_do_validation6 ? 6 : 3,
1385 if (NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR) {
1388 * It's likely that the server also does not support
1389 * validation level 6
1391 domain->can_do_validation6 = false;
1393 if (contact_domain->can_do_samlogon_ex) {
1394 DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
1395 "retrying with NetSamLogon\n"));
1396 contact_domain->can_do_samlogon_ex = false;
1401 /* Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
1402 * (no Ex). This happens against old Samba
1403 * DCs. Drop the connection.
1405 invalidate_cm_connection(&contact_domain->conn);
1406 result = NT_STATUS_LOGON_FAILURE;
1410 if (domain->can_do_validation6 &&
1411 (NT_STATUS_EQUAL(result, NT_STATUS_INVALID_INFO_CLASS) ||
1412 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PARAMETER) ||
1413 NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL))) {
1414 DEBUG(3,("Got a DC that can not do validation level 6, "
1415 "retrying with level 3\n"));
1416 domain->can_do_validation6 = false;
1422 * we increment this after the "feature negotiation"
1423 * for can_do_samlogon_ex and can_do_validation6
1427 /* We have to try a second time as cm_connect_netlogon
1428 might not yet have noticed that the DC has killed
1431 if (!rpccli_is_connected(netlogon_pipe)) {
1436 /* if we get access denied, a possible cause was that we had
1437 and open connection to the DC, but someone changed our
1438 machine account password out from underneath us using 'net
1439 rpc changetrustpw' */
1441 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1442 DEBUG(3,("winbindd_pam_auth: sam_logon returned "
1443 "ACCESS_DENIED. Maybe the trust account "
1444 "password was changed and we didn't know it. "
1445 "Killing connections to domain %s\n",
1447 invalidate_cm_connection(&contact_domain->conn);
1451 } while ( (attempts < 2) && retry );
1453 /* handle the case where a NT4 DC does not fill in the acct_flags in
1454 * the samlogon reply info3. When accurate info3 is required by the
1455 * caller, we look up the account flags ourselve - gd */
1457 if ((state->request->flags & WBFLAG_PAM_INFO3_TEXT) &&
1458 NT_STATUS_IS_OK(result) && (my_info3->base.acct_flags == 0)) {
1460 struct rpc_pipe_client *samr_pipe;
1461 struct policy_handle samr_domain_handle, user_pol;
1462 union samr_UserInfo *info = NULL;
1463 NTSTATUS status_tmp;
1466 status_tmp = cm_connect_sam(contact_domain, state->mem_ctx,
1467 &samr_pipe, &samr_domain_handle);
1469 if (!NT_STATUS_IS_OK(status_tmp)) {
1470 DEBUG(3, ("could not open handle to SAMR pipe: %s\n",
1471 nt_errstr(status_tmp)));
1475 status_tmp = rpccli_samr_OpenUser(samr_pipe, state->mem_ctx,
1476 &samr_domain_handle,
1477 MAXIMUM_ALLOWED_ACCESS,
1481 if (!NT_STATUS_IS_OK(status_tmp)) {
1482 DEBUG(3, ("could not open user handle on SAMR pipe: %s\n",
1483 nt_errstr(status_tmp)));
1487 status_tmp = rpccli_samr_QueryUserInfo(samr_pipe, state->mem_ctx,
1492 if (!NT_STATUS_IS_OK(status_tmp)) {
1493 DEBUG(3, ("could not query user info on SAMR pipe: %s\n",
1494 nt_errstr(status_tmp)));
1495 rpccli_samr_Close(samr_pipe, state->mem_ctx, &user_pol);
1499 acct_flags = info->info16.acct_flags;
1501 if (acct_flags == 0) {
1502 rpccli_samr_Close(samr_pipe, state->mem_ctx, &user_pol);
1506 my_info3->base.acct_flags = acct_flags;
1508 DEBUG(10,("successfully retrieved acct_flags 0x%x\n", acct_flags));
1510 rpccli_samr_Close(samr_pipe, state->mem_ctx, &user_pol);
1518 enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
1519 struct winbindd_cli_state *state)
1521 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
1522 NTSTATUS krb5_result = NT_STATUS_OK;
1523 fstring name_domain, name_user;
1525 fstring domain_user;
1526 struct netr_SamInfo3 *info3 = NULL;
1527 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
1529 /* Ensure null termination */
1530 state->request->data.auth.user[sizeof(state->request->data.auth.user)-1]='\0';
1532 /* Ensure null termination */
1533 state->request->data.auth.pass[sizeof(state->request->data.auth.pass)-1]='\0';
1535 DEBUG(3, ("[%5lu]: dual pam auth %s\n", (unsigned long)state->pid,
1536 state->request->data.auth.user));
1538 if (!check_request_flags(state->request->flags)) {
1539 result = NT_STATUS_INVALID_PARAMETER_MIX;
1543 /* Parse domain and username */
1545 name_map_status = normalize_name_unmap(state->mem_ctx,
1546 state->request->data.auth.user,
1549 /* If the name normalization didnt' actually do anything,
1550 just use the original name */
1552 if (!NT_STATUS_IS_OK(name_map_status) &&
1553 !NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
1555 mapped_user = state->request->data.auth.user;
1558 parse_domain_user(mapped_user, name_domain, name_user);
1560 if ( mapped_user != state->request->data.auth.user ) {
1561 fstr_sprintf( domain_user, "%s%c%s", name_domain,
1562 *lp_winbind_separator(),
1564 safe_strcpy( state->request->data.auth.user, domain_user,
1565 sizeof(state->request->data.auth.user)-1 );
1568 if (domain->online == false) {
1569 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1570 if (domain->startup) {
1571 /* Logons are very important to users. If we're offline and
1572 we get a request within the first 30 seconds of startup,
1573 try very hard to find a DC and go online. */
1575 DEBUG(10,("winbindd_dual_pam_auth: domain: %s offline and auth "
1576 "request in startup mode.\n", domain->name ));
1578 winbindd_flush_negative_conn_cache(domain);
1579 result = init_dc_connection(domain);
1583 DEBUG(10,("winbindd_dual_pam_auth: domain: %s last was %s\n", domain->name, domain->online ? "online":"offline"));
1585 /* Check for Kerberos authentication */
1586 if (domain->online && (state->request->flags & WBFLAG_PAM_KRB5)) {
1588 result = winbindd_dual_pam_auth_kerberos(domain, state, &info3);
1589 /* save for later */
1590 krb5_result = result;
1593 if (NT_STATUS_IS_OK(result)) {
1594 DEBUG(10,("winbindd_dual_pam_auth_kerberos succeeded\n"));
1595 goto process_result;
1597 DEBUG(10,("winbindd_dual_pam_auth_kerberos failed: %s\n", nt_errstr(result)));
1600 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
1601 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
1602 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1603 DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
1604 set_domain_offline( domain );
1608 /* there are quite some NT_STATUS errors where there is no
1609 * point in retrying with a samlogon, we explictly have to take
1610 * care not to increase the bad logon counter on the DC */
1612 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_DISABLED) ||
1613 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_EXPIRED) ||
1614 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_LOCKED_OUT) ||
1615 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_LOGON_HOURS) ||
1616 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_WORKSTATION) ||
1617 NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE) ||
1618 NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER) ||
1619 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_EXPIRED) ||
1620 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE) ||
1621 NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD)) {
1622 goto process_result;
1625 if (state->request->flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
1626 DEBUG(3,("falling back to samlogon\n"));
1634 /* Check for Samlogon authentication */
1635 if (domain->online) {
1636 result = winbindd_dual_pam_auth_samlogon(domain, state, &info3);
1638 if (NT_STATUS_IS_OK(result)) {
1639 DEBUG(10,("winbindd_dual_pam_auth_samlogon succeeded\n"));
1640 /* add the Krb5 err if we have one */
1641 if ( NT_STATUS_EQUAL(krb5_result, NT_STATUS_TIME_DIFFERENCE_AT_DC ) ) {
1642 info3->base.user_flags |= LOGON_KRB5_FAIL_CLOCK_SKEW;
1644 goto process_result;
1647 DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n",
1648 nt_errstr(result)));
1650 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
1651 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
1652 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND))
1654 DEBUG(10,("winbindd_dual_pam_auth_samlogon setting domain to offline\n"));
1655 set_domain_offline( domain );
1659 if (domain->online) {
1660 /* We're still online - fail. */
1666 /* Check for Cached logons */
1667 if (!domain->online && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN) &&
1668 lp_winbind_offline_logon()) {
1670 result = winbindd_dual_pam_auth_cached(domain, state, &info3);
1672 if (NT_STATUS_IS_OK(result)) {
1673 DEBUG(10,("winbindd_dual_pam_auth_cached succeeded\n"));
1674 goto process_result;
1676 DEBUG(10,("winbindd_dual_pam_auth_cached failed: %s\n", nt_errstr(result)));
1683 if (NT_STATUS_IS_OK(result)) {
1687 /* In all codepaths where result == NT_STATUS_OK info3 must have
1688 been initialized. */
1690 result = NT_STATUS_INTERNAL_ERROR;
1694 wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
1695 netsamlogon_cache_store(name_user, info3);
1697 /* save name_to_sid info as early as possible (only if
1698 this is our primary domain so we don't invalidate
1699 the cache entry by storing the seq_num for the wrong
1701 if ( domain->primary ) {
1702 sid_compose(&user_sid, info3->base.domain_sid,
1704 cache_name2sid(domain, name_domain, name_user,
1705 SID_NAME_USER, &user_sid);
1708 /* Check if the user is in the right group */
1710 result = check_info3_in_group(
1712 state->request->data.auth.require_membership_of_sid);
1713 if (!NT_STATUS_IS_OK(result)) {
1714 DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
1715 state->request->data.auth.user,
1716 state->request->data.auth.require_membership_of_sid));
1720 result = append_auth_data(state, info3, name_domain,
1722 if (!NT_STATUS_IS_OK(result)) {
1726 if ((state->request->flags & WBFLAG_PAM_CACHED_LOGIN)) {
1728 /* Store in-memory creds for single-signon using ntlm_auth. */
1729 result = winbindd_add_memory_creds(state->request->data.auth.user,
1730 get_uid_from_state(state),
1731 state->request->data.auth.pass);
1733 if (!NT_STATUS_IS_OK(result)) {
1734 DEBUG(10,("Failed to store memory creds: %s\n", nt_errstr(result)));
1738 if (lp_winbind_offline_logon()) {
1739 result = winbindd_store_creds(domain,
1741 state->request->data.auth.user,
1742 state->request->data.auth.pass,
1744 if (!NT_STATUS_IS_OK(result)) {
1746 /* Release refcount. */
1747 winbindd_delete_memory_creds(state->request->data.auth.user);
1749 DEBUG(10,("Failed to store creds: %s\n", nt_errstr(result)));
1756 if (state->request->flags & WBFLAG_PAM_GET_PWD_POLICY) {
1757 struct winbindd_domain *our_domain = find_our_domain();
1759 /* This is not entirely correct I believe, but it is
1760 consistent. Only apply the password policy settings
1761 too warn users for our own domain. Cannot obtain these
1762 from trusted DCs all the time so don't do it at all.
1765 result = NT_STATUS_NOT_SUPPORTED;
1766 if (our_domain == domain ) {
1767 result = fillup_password_policy(our_domain, state);
1770 if (!NT_STATUS_IS_OK(result)
1771 && !NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) )
1773 DEBUG(10,("Failed to get password policies for domain %s: %s\n",
1774 domain->name, nt_errstr(result)));
1779 result = NT_STATUS_OK;
1783 /* give us a more useful (more correct?) error code */
1784 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
1785 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
1786 result = NT_STATUS_NO_LOGON_SERVERS;
1789 set_auth_errors(state->response, result);
1791 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
1792 state->request->data.auth.user,
1793 state->response->data.auth.nt_status_string,
1794 state->response->data.auth.pam_error));
1796 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1800 /**********************************************************************
1801 Challenge Response Authentication Protocol
1802 **********************************************************************/
1804 void winbindd_pam_auth_crap(struct winbindd_cli_state *state)
1806 struct winbindd_domain *domain = NULL;
1807 const char *domain_name = NULL;
1810 if (!check_request_flags(state->request->flags)) {
1811 result = NT_STATUS_INVALID_PARAMETER_MIX;
1815 if (!state->privileged) {
1816 DEBUG(2, ("winbindd_pam_auth_crap: non-privileged access "
1818 DEBUGADD(2, ("winbindd_pam_auth_crap: Ensure permissions "
1819 "on %s are set correctly.\n",
1820 get_winbind_priv_pipe_dir()));
1821 /* send a better message than ACCESS_DENIED */
1822 fstr_sprintf(state->response->data.auth.error_string,
1823 "winbind client not authorized to use "
1824 "winbindd_pam_auth_crap. Ensure permissions on "
1825 "%s are set correctly.",
1826 get_winbind_priv_pipe_dir());
1827 result = NT_STATUS_ACCESS_DENIED;
1831 /* Ensure null termination */
1832 state->request->data.auth_crap.user
1833 [sizeof(state->request->data.auth_crap.user)-1]=0;
1834 state->request->data.auth_crap.domain
1835 [sizeof(state->request->data.auth_crap.domain)-1]=0;
1837 DEBUG(3, ("[%5lu]: pam auth crap domain: [%s] user: %s\n",
1838 (unsigned long)state->pid,
1839 state->request->data.auth_crap.domain,
1840 state->request->data.auth_crap.user));
1842 if (*state->request->data.auth_crap.domain != '\0') {
1843 domain_name = state->request->data.auth_crap.domain;
1844 } else if (lp_winbind_use_default_domain()) {
1845 domain_name = lp_workgroup();
1848 if (domain_name != NULL)
1849 domain = find_auth_domain(state->request->flags, domain_name);
1851 if (domain != NULL) {
1852 sendto_domain(state, domain);
1856 result = NT_STATUS_NO_SUCH_USER;
1859 set_auth_errors(state->response, result);
1860 DEBUG(5, ("CRAP authentication for %s\\%s returned %s (PAM: %d)\n",
1861 state->request->data.auth_crap.domain,
1862 state->request->data.auth_crap.user,
1863 state->response->data.auth.nt_status_string,
1864 state->response->data.auth.pam_error));
1865 request_error(state);
1870 enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
1871 struct winbindd_cli_state *state)
1874 struct netr_SamInfo3 *info3 = NULL;
1875 struct rpc_pipe_client *netlogon_pipe;
1876 const char *name_user = NULL;
1877 const char *name_domain = NULL;
1878 const char *workstation;
1879 struct winbindd_domain *contact_domain;
1883 DATA_BLOB lm_resp, nt_resp;
1885 /* This is child-only, so no check for privileged access is needed
1888 /* Ensure null termination */
1889 state->request->data.auth_crap.user[sizeof(state->request->data.auth_crap.user)-1]=0;
1890 state->request->data.auth_crap.domain[sizeof(state->request->data.auth_crap.domain)-1]=0;
1892 if (!check_request_flags(state->request->flags)) {
1893 result = NT_STATUS_INVALID_PARAMETER_MIX;
1897 name_user = state->request->data.auth_crap.user;
1899 if (*state->request->data.auth_crap.domain) {
1900 name_domain = state->request->data.auth_crap.domain;
1901 } else if (lp_winbind_use_default_domain()) {
1902 name_domain = lp_workgroup();
1904 DEBUG(5,("no domain specified with username (%s) - failing auth\n",
1906 result = NT_STATUS_NO_SUCH_USER;
1910 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
1911 name_domain, name_user));
1913 if (*state->request->data.auth_crap.workstation) {
1914 workstation = state->request->data.auth_crap.workstation;
1916 workstation = global_myname();
1919 if (state->request->data.auth_crap.lm_resp_len > sizeof(state->request->data.auth_crap.lm_resp)
1920 || state->request->data.auth_crap.nt_resp_len > sizeof(state->request->data.auth_crap.nt_resp)) {
1921 if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
1922 state->request->extra_len != state->request->data.auth_crap.nt_resp_len) {
1923 DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
1924 state->request->data.auth_crap.lm_resp_len,
1925 state->request->data.auth_crap.nt_resp_len));
1926 result = NT_STATUS_INVALID_PARAMETER;
1931 lm_resp = data_blob_talloc(state->mem_ctx, state->request->data.auth_crap.lm_resp,
1932 state->request->data.auth_crap.lm_resp_len);
1934 if (state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) {
1935 nt_resp = data_blob_talloc(state->mem_ctx,
1936 state->request->extra_data.data,
1937 state->request->data.auth_crap.nt_resp_len);
1939 nt_resp = data_blob_talloc(state->mem_ctx,
1940 state->request->data.auth_crap.nt_resp,
1941 state->request->data.auth_crap.nt_resp_len);
1944 /* what domain should we contact? */
1947 if (!(contact_domain = find_domain_from_name(name_domain))) {
1948 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1949 state->request->data.auth_crap.user, name_domain, name_user, name_domain));
1950 result = NT_STATUS_NO_SUCH_USER;
1954 if (is_myname(name_domain)) {
1955 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1956 result = NT_STATUS_NO_SUCH_USER;
1959 contact_domain = find_our_domain();
1963 netlogon_fn_t logon_fn;
1964 const struct cli_pipe_auth_data *auth;
1965 uint32_t neg_flags = 0;
1969 netlogon_pipe = NULL;
1970 result = cm_connect_netlogon(contact_domain, &netlogon_pipe);
1972 if (!NT_STATUS_IS_OK(result)) {
1973 DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n",
1974 nt_errstr(result)));
1977 auth = netlogon_pipe->auth;
1978 if (netlogon_pipe->dc) {
1979 neg_flags = netlogon_pipe->dc->negotiate_flags;
1983 domain->can_do_validation6 = false;
1984 } else if (auth->auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1985 domain->can_do_validation6 = false;
1986 } else if (auth->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
1987 domain->can_do_validation6 = false;
1988 } else if (!(neg_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
1989 domain->can_do_validation6 = false;
1990 } else if (!(neg_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
1991 domain->can_do_validation6 = false;
1994 logon_fn = (contact_domain->can_do_samlogon_ex && domain->can_do_validation6)
1995 ? rpccli_netlogon_sam_network_logon_ex
1996 : rpccli_netlogon_sam_network_logon;
1998 result = logon_fn(netlogon_pipe,
2000 state->request->data.auth_crap.logon_parameters,
2001 contact_domain->dcname,
2004 /* Bug #3248 - found by Stefan Burkei. */
2005 workstation, /* We carefully set this above so use it... */
2006 state->request->data.auth_crap.chal,
2007 domain->can_do_validation6 ? 6 : 3,
2012 if (NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR) {
2015 * It's likely that the server also does not support
2016 * validation level 6
2018 domain->can_do_validation6 = false;
2020 if (contact_domain->can_do_samlogon_ex) {
2021 DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
2022 "retrying with NetSamLogon\n"));
2023 contact_domain->can_do_samlogon_ex = false;
2028 /* Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
2029 * (no Ex). This happens against old Samba
2030 * DCs. Drop the connection.
2032 invalidate_cm_connection(&contact_domain->conn);
2033 result = NT_STATUS_LOGON_FAILURE;
2037 if (domain->can_do_validation6 &&
2038 (NT_STATUS_EQUAL(result, NT_STATUS_INVALID_INFO_CLASS) ||
2039 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PARAMETER) ||
2040 NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL))) {
2041 DEBUG(3,("Got a DC that can not do validation level 6, "
2042 "retrying with level 3\n"));
2043 domain->can_do_validation6 = false;
2049 * we increment this after the "feature negotiation"
2050 * for can_do_samlogon_ex and can_do_validation6
2054 /* We have to try a second time as cm_connect_netlogon
2055 might not yet have noticed that the DC has killed
2058 if (!rpccli_is_connected(netlogon_pipe)) {
2063 /* if we get access denied, a possible cause was that we had and open
2064 connection to the DC, but someone changed our machine account password
2065 out from underneath us using 'net rpc changetrustpw' */
2067 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
2068 DEBUG(3,("winbindd_pam_auth: sam_logon returned "
2069 "ACCESS_DENIED. Maybe the trust account "
2070 "password was changed and we didn't know it. "
2071 "Killing connections to domain %s\n",
2073 invalidate_cm_connection(&contact_domain->conn);
2077 } while ( (attempts < 2) && retry );
2079 if (NT_STATUS_IS_OK(result)) {
2081 wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
2082 netsamlogon_cache_store(name_user, info3);
2084 /* Check if the user is in the right group */
2086 result = check_info3_in_group(
2088 state->request->data.auth_crap.require_membership_of_sid);
2089 if (!NT_STATUS_IS_OK(result)) {
2090 DEBUG(3, ("User %s is not in the required group (%s), so "
2091 "crap authentication is rejected\n",
2092 state->request->data.auth_crap.user,
2093 state->request->data.auth_crap.require_membership_of_sid));
2097 result = append_auth_data(state, info3, name_domain,
2099 if (!NT_STATUS_IS_OK(result)) {
2106 if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) {
2107 DEBUG(3,("winbindd_dual_pam_auth_crap: sam_network_logon(ex) "
2108 "returned NT_STATUS_IO_TIMEOUT after the retry."
2109 "We didn't know what's going on killing "
2110 "connections to domain %s\n",
2112 invalidate_cm_connection(&contact_domain->conn);
2115 /* give us a more useful (more correct?) error code */
2116 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
2117 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
2118 result = NT_STATUS_NO_LOGON_SERVERS;
2121 if (state->request->flags & WBFLAG_PAM_NT_STATUS_SQUASH) {
2122 result = nt_status_squash(result);
2125 set_auth_errors(state->response, result);
2127 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2128 ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n",
2131 state->response->data.auth.nt_status_string,
2132 state->response->data.auth.pam_error));
2134 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2137 /* Change a user password */
2139 void winbindd_pam_chauthtok(struct winbindd_cli_state *state)
2141 fstring domain, user;
2143 struct winbindd_domain *contact_domain;
2144 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
2146 DEBUG(3, ("[%5lu]: pam chauthtok %s\n", (unsigned long)state->pid,
2147 state->request->data.chauthtok.user));
2151 nt_status = normalize_name_unmap(state->mem_ctx,
2152 state->request->data.chauthtok.user,
2155 /* Update the chauthtok name if we did any mapping */
2157 if (NT_STATUS_IS_OK(nt_status) ||
2158 NT_STATUS_EQUAL(nt_status, NT_STATUS_FILE_RENAMED))
2160 fstrcpy(state->request->data.chauthtok.user, mapped_user);
2163 /* Must pass in state->...chauthtok.user because
2164 canonicalize_username() assumes an fstring(). Since
2165 we have already copied it (if necessary), this is ok. */
2167 if (!canonicalize_username(state->request->data.chauthtok.user, domain, user)) {
2168 set_auth_errors(state->response, NT_STATUS_NO_SUCH_USER);
2169 DEBUG(5, ("winbindd_pam_chauthtok: canonicalize_username %s failed with %s"
2171 state->request->data.auth.user,
2172 state->response->data.auth.nt_status_string,
2173 state->response->data.auth.pam_error));
2174 request_error(state);
2178 contact_domain = find_domain_from_name(domain);
2179 if (!contact_domain) {
2180 set_auth_errors(state->response, NT_STATUS_NO_SUCH_USER);
2181 DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
2182 state->request->data.chauthtok.user, domain, user, domain));
2183 request_error(state);
2187 sendto_domain(state, contact_domain);
2190 enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact_domain,
2191 struct winbindd_cli_state *state)
2194 char *newpass = NULL;
2195 struct policy_handle dom_pol;
2196 struct rpc_pipe_client *cli;
2197 bool got_info = false;
2198 struct samr_DomInfo1 *info = NULL;
2199 struct samr_ChangeReject *reject = NULL;
2200 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2201 fstring domain, user;
2203 DEBUG(3, ("[%5lu]: dual pam chauthtok %s\n", (unsigned long)state->pid,
2204 state->request->data.auth.user));
2206 if (!parse_domain_user(state->request->data.chauthtok.user, domain, user)) {
2210 /* Change password */
2212 oldpass = state->request->data.chauthtok.oldpass;
2213 newpass = state->request->data.chauthtok.newpass;
2215 /* Initialize reject reason */
2216 state->response->data.auth.reject_reason = Undefined;
2218 /* Get sam handle */
2220 result = cm_connect_sam(contact_domain, state->mem_ctx, &cli,
2222 if (!NT_STATUS_IS_OK(result)) {
2223 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
2227 result = rpccli_samr_chgpasswd_user3(cli, state->mem_ctx,
2234 /* Windows 2003 returns NT_STATUS_PASSWORD_RESTRICTION */
2236 if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) ) {
2238 fill_in_password_policy(state->response, info);
2240 state->response->data.auth.reject_reason =
2246 /* atm the pidl generated rpccli_samr_ChangePasswordUser3 function will
2247 * return with NT_STATUS_BUFFER_TOO_SMALL for w2k dcs as w2k just
2248 * returns with 4byte error code (NT_STATUS_NOT_SUPPORTED) which is too
2249 * short to comply with the samr_ChangePasswordUser3 idl - gd */
2251 /* only fallback when the chgpasswd_user3 call is not supported */
2252 if ((NT_STATUS_EQUAL(result, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR))) ||
2253 (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) ||
2254 (NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL)) ||
2255 (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED))) {
2257 DEBUG(10,("Password change with chgpasswd_user3 failed with: %s, retrying chgpasswd_user2\n",
2258 nt_errstr(result)));
2260 result = rpccli_samr_chgpasswd_user2(cli, state->mem_ctx, user, newpass, oldpass);
2262 /* Windows 2000 returns NT_STATUS_ACCOUNT_RESTRICTION.
2263 Map to the same status code as Windows 2003. */
2265 if ( NT_STATUS_EQUAL(NT_STATUS_ACCOUNT_RESTRICTION, result ) ) {
2266 result = NT_STATUS_PASSWORD_RESTRICTION;
2272 if (NT_STATUS_IS_OK(result) && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN)) {
2274 /* Update the single sign-on memory creds. */
2275 result = winbindd_replace_memory_creds(state->request->data.chauthtok.user,
2278 /* When we login from gdm or xdm and password expires,
2279 * we change password, but there are no memory crendentials
2280 * So, winbindd_replace_memory_creds() returns
2281 * NT_STATUS_OBJECT_NAME_NOT_FOUND. This is not a failure.
2284 if (NT_STATUS_EQUAL(result, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
2285 result = NT_STATUS_OK;
2288 if (!NT_STATUS_IS_OK(result)) {
2289 DEBUG(10,("Failed to replace memory creds: %s\n", nt_errstr(result)));
2290 goto process_result;
2293 if (lp_winbind_offline_logon()) {
2294 result = winbindd_update_creds_by_name(contact_domain,
2295 state->mem_ctx, user,
2297 /* Again, this happens when we login from gdm or xdm
2298 * and the password expires, *BUT* cached crendentials
2299 * doesn't exist. winbindd_update_creds_by_name()
2300 * returns NT_STATUS_NO_SUCH_USER.
2301 * This is not a failure.
2304 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
2305 result = NT_STATUS_OK;
2308 if (!NT_STATUS_IS_OK(result)) {
2309 DEBUG(10,("Failed to store creds: %s\n", nt_errstr(result)));
2310 goto process_result;
2315 if (!NT_STATUS_IS_OK(result) && !got_info && contact_domain) {
2317 NTSTATUS policy_ret;
2319 policy_ret = fillup_password_policy(contact_domain, state);
2321 /* failure of this is non critical, it will just provide no
2322 * additional information to the client why the change has
2323 * failed - Guenther */
2325 if (!NT_STATUS_IS_OK(policy_ret)) {
2326 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(policy_ret)));
2327 goto process_result;
2333 set_auth_errors(state->response, result);
2335 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2336 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2339 state->response->data.auth.nt_status_string,
2340 state->response->data.auth.pam_error));
2342 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2345 void winbindd_pam_logoff(struct winbindd_cli_state *state)
2347 struct winbindd_domain *domain;
2348 fstring name_domain, user;
2349 uid_t caller_uid = (uid_t)-1;
2350 uid_t request_uid = state->request->data.logoff.uid;
2352 DEBUG(3, ("[%5lu]: pam logoff %s\n", (unsigned long)state->pid,
2353 state->request->data.logoff.user));
2355 /* Ensure null termination */
2356 state->request->data.logoff.user
2357 [sizeof(state->request->data.logoff.user)-1]='\0';
2359 state->request->data.logoff.krb5ccname
2360 [sizeof(state->request->data.logoff.krb5ccname)-1]='\0';
2362 if (request_uid == (gid_t)-1) {
2366 if (!canonicalize_username(state->request->data.logoff.user, name_domain, user)) {
2370 if ((domain = find_auth_domain(state->request->flags,
2371 name_domain)) == NULL) {
2375 if ((sys_getpeereid(state->sock, &caller_uid)) != 0) {
2376 DEBUG(1,("winbindd_pam_logoff: failed to check peerid: %s\n",
2381 switch (caller_uid) {
2385 /* root must be able to logoff any user - gd */
2386 state->request->data.logoff.uid = request_uid;
2389 if (caller_uid != request_uid) {
2390 DEBUG(1,("winbindd_pam_logoff: caller requested invalid uid\n"));
2393 state->request->data.logoff.uid = caller_uid;
2397 sendto_domain(state, domain);
2401 set_auth_errors(state->response, NT_STATUS_NO_SUCH_USER);
2402 DEBUG(5, ("Pam Logoff for %s returned %s "
2404 state->request->data.logoff.user,
2405 state->response->data.auth.nt_status_string,
2406 state->response->data.auth.pam_error));
2407 request_error(state);
2411 enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
2412 struct winbindd_cli_state *state)
2414 NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
2416 DEBUG(3, ("[%5lu]: pam dual logoff %s\n", (unsigned long)state->pid,
2417 state->request->data.logoff.user));
2419 if (!(state->request->flags & WBFLAG_PAM_KRB5)) {
2420 result = NT_STATUS_OK;
2421 goto process_result;
2424 if (state->request->data.logoff.krb5ccname[0] == '\0') {
2425 result = NT_STATUS_OK;
2426 goto process_result;
2431 if (state->request->data.logoff.uid < 0) {
2432 DEBUG(0,("winbindd_pam_logoff: invalid uid\n"));
2433 goto process_result;
2436 /* what we need here is to find the corresponding krb5 ccache name *we*
2437 * created for a given username and destroy it */
2439 if (!ccache_entry_exists(state->request->data.logoff.user)) {
2440 result = NT_STATUS_OK;
2441 DEBUG(10,("winbindd_pam_logoff: no entry found.\n"));
2442 goto process_result;
2445 if (!ccache_entry_identical(state->request->data.logoff.user,
2446 state->request->data.logoff.uid,
2447 state->request->data.logoff.krb5ccname)) {
2448 DEBUG(0,("winbindd_pam_logoff: cached entry differs.\n"));
2449 goto process_result;
2452 result = remove_ccache(state->request->data.logoff.user);
2453 if (!NT_STATUS_IS_OK(result)) {
2454 DEBUG(0,("winbindd_pam_logoff: failed to remove ccache: %s\n",
2455 nt_errstr(result)));
2456 goto process_result;
2460 result = NT_STATUS_NOT_SUPPORTED;
2465 winbindd_delete_memory_creds(state->request->data.logoff.user);
2467 set_auth_errors(state->response, result);
2469 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2472 /* Change user password with auth crap*/
2474 void winbindd_pam_chng_pswd_auth_crap(struct winbindd_cli_state *state)
2476 struct winbindd_domain *domain = NULL;
2477 const char *domain_name = NULL;
2479 /* Ensure null termination */
2480 state->request->data.chng_pswd_auth_crap.user[
2481 sizeof(state->request->data.chng_pswd_auth_crap.user)-1]=0;
2482 state->request->data.chng_pswd_auth_crap.domain[
2483 sizeof(state->request->data.chng_pswd_auth_crap.domain)-1]=0;
2485 DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
2486 (unsigned long)state->pid,
2487 state->request->data.chng_pswd_auth_crap.domain,
2488 state->request->data.chng_pswd_auth_crap.user));
2490 if (*state->request->data.chng_pswd_auth_crap.domain != '\0') {
2491 domain_name = state->request->data.chng_pswd_auth_crap.domain;
2492 } else if (lp_winbind_use_default_domain()) {
2493 domain_name = lp_workgroup();
2496 if (domain_name != NULL)
2497 domain = find_domain_from_name(domain_name);
2499 if (domain != NULL) {
2500 DEBUG(7, ("[%5lu]: pam auth crap changing pswd in domain: "
2501 "%s\n", (unsigned long)state->pid,domain->name));
2502 sendto_domain(state, domain);
2506 set_auth_errors(state->response, NT_STATUS_NO_SUCH_USER);
2507 DEBUG(5, ("CRAP change password for %s\\%s returned %s (PAM: %d)\n",
2508 state->request->data.chng_pswd_auth_crap.domain,
2509 state->request->data.chng_pswd_auth_crap.user,
2510 state->response->data.auth.nt_status_string,
2511 state->response->data.auth.pam_error));
2512 request_error(state);
2516 enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domain *domainSt, struct winbindd_cli_state *state)
2519 DATA_BLOB new_nt_password;
2520 DATA_BLOB old_nt_hash_enc;
2521 DATA_BLOB new_lm_password;
2522 DATA_BLOB old_lm_hash_enc;
2523 fstring domain,user;
2524 struct policy_handle dom_pol;
2525 struct winbindd_domain *contact_domain = domainSt;
2526 struct rpc_pipe_client *cli;
2528 /* Ensure null termination */
2529 state->request->data.chng_pswd_auth_crap.user[
2530 sizeof(state->request->data.chng_pswd_auth_crap.user)-1]=0;
2531 state->request->data.chng_pswd_auth_crap.domain[
2532 sizeof(state->request->data.chng_pswd_auth_crap.domain)-1]=0;
2536 DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
2537 (unsigned long)state->pid,
2538 state->request->data.chng_pswd_auth_crap.domain,
2539 state->request->data.chng_pswd_auth_crap.user));
2541 if (lp_winbind_offline_logon()) {
2542 DEBUG(0,("Refusing password change as winbind offline logons are enabled. "));
2543 DEBUGADD(0,("Changing passwords here would risk inconsistent logons\n"));
2544 result = NT_STATUS_ACCESS_DENIED;
2548 if (*state->request->data.chng_pswd_auth_crap.domain) {
2549 fstrcpy(domain,state->request->data.chng_pswd_auth_crap.domain);
2551 parse_domain_user(state->request->data.chng_pswd_auth_crap.user,
2555 DEBUG(3,("no domain specified with username (%s) - "
2557 state->request->data.chng_pswd_auth_crap.user));
2558 result = NT_STATUS_NO_SUCH_USER;
2563 if (!*domain && lp_winbind_use_default_domain()) {
2564 fstrcpy(domain,(char *)lp_workgroup());
2568 fstrcpy(user, state->request->data.chng_pswd_auth_crap.user);
2571 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n",
2572 (unsigned long)state->pid, domain, user));
2574 /* Change password */
2575 new_nt_password = data_blob_talloc(
2577 state->request->data.chng_pswd_auth_crap.new_nt_pswd,
2578 state->request->data.chng_pswd_auth_crap.new_nt_pswd_len);
2580 old_nt_hash_enc = data_blob_talloc(
2582 state->request->data.chng_pswd_auth_crap.old_nt_hash_enc,
2583 state->request->data.chng_pswd_auth_crap.old_nt_hash_enc_len);
2585 if(state->request->data.chng_pswd_auth_crap.new_lm_pswd_len > 0) {
2586 new_lm_password = data_blob_talloc(
2588 state->request->data.chng_pswd_auth_crap.new_lm_pswd,
2589 state->request->data.chng_pswd_auth_crap.new_lm_pswd_len);
2591 old_lm_hash_enc = data_blob_talloc(
2593 state->request->data.chng_pswd_auth_crap.old_lm_hash_enc,
2594 state->request->data.chng_pswd_auth_crap.old_lm_hash_enc_len);
2596 new_lm_password.length = 0;
2597 old_lm_hash_enc.length = 0;
2600 /* Get sam handle */
2602 result = cm_connect_sam(contact_domain, state->mem_ctx, &cli, &dom_pol);
2603 if (!NT_STATUS_IS_OK(result)) {
2604 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
2608 result = rpccli_samr_chng_pswd_auth_crap(
2609 cli, state->mem_ctx, user, new_nt_password, old_nt_hash_enc,
2610 new_lm_password, old_lm_hash_enc);
2614 set_auth_errors(state->response, result);
2616 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2617 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2619 state->response->data.auth.nt_status_string,
2620 state->response->data.auth.pam_error));
2622 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
git.samba.org / samba.git / blob