source3/auth/auth_wbc.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Winbind client authentication mechanism designed to defer all
   5    authentication to the winbind daemon.
   6
   7    Copyright (C) Tim Potter 2000
   8    Copyright (C) Andrew Bartlett 2001 - 2002
   9    Copyright (C) Dan Sledz 2009
  10
  11    This program is free software; you can redistribute it and/or modify
  12    it under the terms of the GNU General Public License as published by
  13    the Free Software Foundation; either version 3 of the License, or
  14    (at your option) any later version.
  15
  16    This program is distributed in the hope that it will be useful,
  17    but WITHOUT ANY WARRANTY; without even the implied warranty of
  18    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  19    GNU General Public License for more details.
  20
  21    You should have received a copy of the GNU General Public License
  22    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  23 */
  24
  25 /* This auth module is very similar to auth_winbind with 3 distinct
  26  * differences.
  27  *
  28  *      1) Does not fallback to another auth module if winbindd is unavailable
  29  *      2) Does not validate the domain of the user
  30  *      3) Handles unencrypted passwords
  31  *
  32  * The purpose of this module is to defer all authentication decisions (ie:
  33  * local user vs NIS vs LDAP vs AD; encrypted vs plaintext) to the wbc
  34  * compatible daemon.  This centeralizes all authentication decisions to a
  35  * single provider.
  36  *
  37  * This auth backend is most useful when used in conjunction with pdb_wbc_sam.
  38  */
  39
  40 #include "includes.h"
  41
  42 #undef DBGC_CLASS
  43 #define DBGC_CLASS DBGC_AUTH
  44
  45 /* Authenticate a user with a challenge/response */
  46
  47 static NTSTATUS check_wbc_security(const struct auth_context *auth_context,
  48                                        void *my_private_data,
  49                                        TALLOC_CTX *mem_ctx,
  50                                        const struct auth_usersupplied_info *user_info,
  51                                        struct auth_serversupplied_info **server_info)
  52 {
  53         NTSTATUS nt_status;
  54         wbcErr wbc_status;
  55         struct wbcAuthUserParams params;
  56         struct wbcAuthUserInfo *info = NULL;
  57         struct wbcAuthErrorInfo *err = NULL;
  58
  59         if (!user_info || !auth_context || !server_info) {
  60                 return NT_STATUS_INVALID_PARAMETER;
  61         }
  62
  63         ZERO_STRUCT(params);
  64
  65         /* Send off request */
  66
  67         DEBUG(10, ("Check auth for: [%s]", user_info->mapped.account_name));
  68
  69         params.account_name     = user_info->client.account_name;
  70         params.domain_name      = user_info->mapped.domain_name;
  71         params.workstation_name = user_info->workstation_name;
  72
  73         params.flags            = 0;
  74         params.parameter_control= user_info->logon_parameters;
  75
  76         /* Handle plaintext */
  77         switch (user_info->password_state) {
  78         case AUTH_PASSWORD_PLAIN:
  79         {
  80                 DEBUG(3,("Checking plaintext password for %s.\n",
  81                          user_info->mapped.account_name));
  82                 params.level = WBC_AUTH_USER_LEVEL_PLAIN;
  83
  84                 params.password.plaintext = user_info->password.plaintext;
  85                 break;
  86         }
  87         case AUTH_PASSWORD_RESPONSE:
  88         case AUTH_PASSWORD_HASH:
  89         {
  90                 DEBUG(3,("Checking encrypted password for %s.\n",
  91                          user_info->mapped.account_name));
  92                 params.level = WBC_AUTH_USER_LEVEL_RESPONSE;
  93
  94                 memcpy(params.password.response.challenge,
  95                     auth_context->challenge.data,
  96                     sizeof(params.password.response.challenge));
  97
  98                 if (user_info->password.response.nt.length != 0) {
  99                         params.password.response.nt_length =
 100                                 user_info->password.response.nt.length;
 101                         params.password.response.nt_data =
 102                                 user_info->password.response.nt.data;
 103                 }
 104                 if (user_info->password.response.lanman.length != 0) {
 105                         params.password.response.lm_length =
 106                                 user_info->password.response.lanman.length;
 107                         params.password.response.lm_data =
 108                                 user_info->password.response.lanman.data;
 109                 }
 110                 break;
 111         }
 112         default:
 113                 DEBUG(0,("user_info constructed for user '%s' was invalid - password_state=%u invalid.\n",user_info->mapped.account_name, user_info->password_state));
 114                 return NT_STATUS_INTERNAL_ERROR;
 115 #if 0 /* If ever implemented in libwbclient */
 116         case AUTH_PASSWORD_HASH:
 117         {
 118                 DEBUG(3,("Checking logon (hash) password for %s.\n",
 119                          user_info->mapped.account_name));
 120                 params.level = WBC_AUTH_USER_LEVEL_HASH;
 121
 122                 if (user_info->password.hash.nt) {
 123                         memcpy(params.password.hash.nt_hash, user_info->password.hash.nt, sizeof(* user_info->password.hash.nt));
 124                 } else {
 125                         memset(params.password.hash.nt_hash, '\0', sizeof(params.password.hash.nt_hash));
 126                 }
 127
 128                 if (user_info->password.hash.lanman) {
 129                         memcpy(params.password.hash.lm_hash, user_info->password.hash.lanman, sizeof(* user_info->password.hash.lanman));
 130                 } else {
 131                         memset(params.password.hash.lm_hash, '\0', sizeof(params.password.hash.lm_hash));
 132                 }
 133
 134         }
 135 #endif
 136         }
 137
 138         /* we are contacting the privileged pipe */
 139         become_root();
 140         wbc_status = wbcAuthenticateUserEx(&params, &info, &err);
 141         unbecome_root();
 142
 143         if (!WBC_ERROR_IS_OK(wbc_status)) {
 144                 DEBUG(10,("wbcAuthenticateUserEx failed (%d): %s\n",
 145                         wbc_status, wbcErrorString(wbc_status)));
 146         }
 147
 148         if (wbc_status == WBC_ERR_NO_MEMORY) {
 149                 return NT_STATUS_NO_MEMORY;
 150         }
 151
 152         if (wbc_status == WBC_ERR_AUTH_ERROR) {
 153                 nt_status = NT_STATUS(err->nt_status);
 154                 wbcFreeMemory(err);
 155                 return nt_status;
 156         }
 157
 158         if (!WBC_ERROR_IS_OK(wbc_status)) {
 159                 return NT_STATUS_LOGON_FAILURE;
 160         }
 161
 162         DEBUG(10,("wbcAuthenticateUserEx succeeded\n"));
 163
 164         nt_status = make_server_info_wbcAuthUserInfo(mem_ctx,
 165                                                      user_info->client.account_name,
 166                                                      user_info->mapped.domain_name,
 167                                                      info, server_info);
 168         wbcFreeMemory(info);
 169         if (!NT_STATUS_IS_OK(nt_status)) {
 170                 return nt_status;
 171         }
 172
 173         (*server_info)->nss_token |= user_info->was_mapped;
 174
 175         return nt_status;
 176 }
 177
 178 /* module initialisation */
 179 static NTSTATUS auth_init_wbc(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
 180 {
 181         struct auth_methods *result;
 182
 183         result = TALLOC_ZERO_P(auth_context, struct auth_methods);
 184         if (result == NULL) {
 185                 return NT_STATUS_NO_MEMORY;
 186         }
 187         result->name = "wbc";
 188         result->auth = check_wbc_security;
 189
 190         *auth_method = result;
 191         return NT_STATUS_OK;
 192 }
 193
 194 NTSTATUS auth_wbc_init(void)
 195 {
 196         return smb_register_auth(AUTH_INTERFACE_VERSION, "wbc", auth_init_wbc);
 197 }