2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Volker Lendecke 2006
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "smbd/globals.h"
26 #include "../libcli/auth/libcli_auth.h"
27 #include "../lib/crypto/arcfour.h"
28 #include "rpc_client/init_lsa.h"
29 #include "../libcli/security/security.h"
30 #include "../lib/util/util_pw.h"
31 #include "lib/winbind_util.h"
34 #define DBGC_CLASS DBGC_AUTH
36 /****************************************************************************
37 Create a UNIX user on demand.
38 ****************************************************************************/
40 static int _smb_create_user(const char *domain, const char *unix_username, const char *homedir)
42 TALLOC_CTX *ctx = talloc_tos();
46 add_script = talloc_strdup(ctx, lp_adduser_script());
47 if (!add_script || !*add_script) {
50 add_script = talloc_all_string_sub(ctx,
58 add_script = talloc_all_string_sub(ctx,
67 add_script = talloc_all_string_sub(ctx,
75 ret = smbrun(add_script,NULL);
78 ("smb_create_user: Running the command `%s' gave %d\n",
83 /****************************************************************************
84 Create an auth_usersupplied_data structure after appropriate mapping.
85 ****************************************************************************/
87 NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info,
89 const char *client_domain,
90 const char *workstation_name,
93 const struct samr_Password *lm_interactive_pwd,
94 const struct samr_Password *nt_interactive_pwd,
95 const char *plaintext,
96 enum auth_password_state password_state)
101 char *internal_username = NULL;
103 was_mapped = map_username(talloc_tos(), smb_name, &internal_username);
104 if (!internal_username) {
105 return NT_STATUS_NO_MEMORY;
108 DEBUG(5, ("Mapping user [%s]\\[%s] from workstation [%s]\n",
109 client_domain, smb_name, workstation_name));
111 domain = client_domain;
113 /* If you connect to a Windows domain member using a bogus domain name,
114 * the Windows box will map the BOGUS\user to SAMNAME\user. Thus, if
115 * the Windows box is a DC the name will become DOMAIN\user and be
116 * authenticated against AD, if the Windows box is a member server but
117 * not a DC the name will become WORKSTATION\user. A standalone
118 * non-domain member box will also map to WORKSTATION\user.
119 * This also deals with the client passing in a "" domain */
121 if (!is_trusted_domain(domain) &&
122 !strequal(domain, my_sam_name()))
124 if (lp_map_untrusted_to_domain())
125 domain = my_sam_name();
127 domain = get_global_sam_name();
128 DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] from "
129 "workstation [%s]\n",
130 client_domain, domain, smb_name, workstation_name));
133 /* We know that the given domain is trusted (and we are allowing them),
134 * it is our global SAM name, or for legacy behavior it is our
135 * primary domain name */
137 result = make_user_info(user_info, smb_name, internal_username,
138 client_domain, domain, workstation_name,
140 lm_interactive_pwd, nt_interactive_pwd,
141 plaintext, password_state);
142 if (NT_STATUS_IS_OK(result)) {
143 /* We have tried mapping */
144 (*user_info)->mapped_state = True;
145 /* did we actually map the user to a different name? */
146 (*user_info)->was_mapped = was_mapped;
151 /****************************************************************************
152 Create an auth_usersupplied_data, making the DATA_BLOBs here.
153 Decrypt and encrypt the passwords.
154 ****************************************************************************/
156 bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info,
157 const char *smb_name,
158 const char *client_domain,
159 const char *workstation_name,
160 uint32 logon_parameters,
161 const uchar *lm_network_pwd,
163 const uchar *nt_network_pwd,
168 DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len);
169 DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
171 status = make_user_info_map(user_info,
172 smb_name, client_domain,
174 lm_pwd_len ? &lm_blob : NULL,
175 nt_pwd_len ? &nt_blob : NULL,
177 AUTH_PASSWORD_RESPONSE);
179 if (NT_STATUS_IS_OK(status)) {
180 (*user_info)->logon_parameters = logon_parameters;
182 ret = NT_STATUS_IS_OK(status) ? True : False;
184 data_blob_free(&lm_blob);
185 data_blob_free(&nt_blob);
189 /****************************************************************************
190 Create an auth_usersupplied_data, making the DATA_BLOBs here.
191 Decrypt and encrypt the passwords.
192 ****************************************************************************/
194 bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_info,
195 const char *smb_name,
196 const char *client_domain,
197 const char *workstation_name,
198 uint32 logon_parameters,
200 const uchar lm_interactive_pwd[16],
201 const uchar nt_interactive_pwd[16],
202 const uchar *dc_sess_key)
204 struct samr_Password lm_pwd;
205 struct samr_Password nt_pwd;
206 unsigned char local_lm_response[24];
207 unsigned char local_nt_response[24];
208 unsigned char key[16];
210 memcpy(key, dc_sess_key, 16);
212 if (lm_interactive_pwd)
213 memcpy(lm_pwd.hash, lm_interactive_pwd, sizeof(lm_pwd.hash));
215 if (nt_interactive_pwd)
216 memcpy(nt_pwd.hash, nt_interactive_pwd, sizeof(nt_pwd.hash));
218 #ifdef DEBUG_PASSWORD
220 dump_data(100, key, sizeof(key));
222 DEBUG(100,("lm owf password:"));
223 dump_data(100, lm_pwd.hash, sizeof(lm_pwd.hash));
225 DEBUG(100,("nt owf password:"));
226 dump_data(100, nt_pwd.hash, sizeof(nt_pwd.hash));
229 if (lm_interactive_pwd)
230 arcfour_crypt(lm_pwd.hash, key, sizeof(lm_pwd.hash));
232 if (nt_interactive_pwd)
233 arcfour_crypt(nt_pwd.hash, key, sizeof(nt_pwd.hash));
235 #ifdef DEBUG_PASSWORD
236 DEBUG(100,("decrypt of lm owf password:"));
237 dump_data(100, lm_pwd.hash, sizeof(lm_pwd));
239 DEBUG(100,("decrypt of nt owf password:"));
240 dump_data(100, nt_pwd.hash, sizeof(nt_pwd));
243 if (lm_interactive_pwd)
244 SMBOWFencrypt(lm_pwd.hash, chal,
247 if (nt_interactive_pwd)
248 SMBOWFencrypt(nt_pwd.hash, chal,
251 /* Password info paranoia */
257 DATA_BLOB local_lm_blob;
258 DATA_BLOB local_nt_blob;
260 if (lm_interactive_pwd) {
261 local_lm_blob = data_blob(local_lm_response,
262 sizeof(local_lm_response));
265 if (nt_interactive_pwd) {
266 local_nt_blob = data_blob(local_nt_response,
267 sizeof(local_nt_response));
270 nt_status = make_user_info_map(
272 smb_name, client_domain, workstation_name,
273 lm_interactive_pwd ? &local_lm_blob : NULL,
274 nt_interactive_pwd ? &local_nt_blob : NULL,
275 lm_interactive_pwd ? &lm_pwd : NULL,
276 nt_interactive_pwd ? &nt_pwd : NULL,
277 NULL, AUTH_PASSWORD_HASH);
279 if (NT_STATUS_IS_OK(nt_status)) {
280 (*user_info)->logon_parameters = logon_parameters;
283 ret = NT_STATUS_IS_OK(nt_status) ? True : False;
284 data_blob_free(&local_lm_blob);
285 data_blob_free(&local_nt_blob);
291 /****************************************************************************
292 Create an auth_usersupplied_data structure
293 ****************************************************************************/
295 bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
296 const char *smb_name,
297 const char *client_domain,
299 DATA_BLOB plaintext_password)
302 DATA_BLOB local_lm_blob;
303 DATA_BLOB local_nt_blob;
304 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
305 char *plaintext_password_string;
307 * Not encrypted - do so.
310 DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted "
312 if (plaintext_password.data && plaintext_password.length) {
313 unsigned char local_lm_response[24];
315 #ifdef DEBUG_PASSWORD
316 DEBUG(10,("Unencrypted password (len %d):\n",
317 (int)plaintext_password.length));
318 dump_data(100, plaintext_password.data,
319 plaintext_password.length);
322 SMBencrypt( (const char *)plaintext_password.data,
323 (const uchar*)chal, local_lm_response);
324 local_lm_blob = data_blob(local_lm_response, 24);
326 /* We can't do an NT hash here, as the password needs to be
328 local_nt_blob = data_blob_null;
330 local_lm_blob = data_blob_null;
331 local_nt_blob = data_blob_null;
334 plaintext_password_string = talloc_strndup(talloc_tos(),
335 (const char *)plaintext_password.data,
336 plaintext_password.length);
337 if (!plaintext_password_string) {
341 ret = make_user_info_map(
342 user_info, smb_name, client_domain,
343 get_remote_machine_name(),
344 local_lm_blob.data ? &local_lm_blob : NULL,
345 local_nt_blob.data ? &local_nt_blob : NULL,
347 plaintext_password_string,
348 AUTH_PASSWORD_PLAIN);
350 if (plaintext_password_string) {
351 memset(plaintext_password_string, '\0', strlen(plaintext_password_string));
352 talloc_free(plaintext_password_string);
355 data_blob_free(&local_lm_blob);
356 return NT_STATUS_IS_OK(ret) ? True : False;
359 /****************************************************************************
360 Create an auth_usersupplied_data structure
361 ****************************************************************************/
363 NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info,
364 const char *smb_name,
365 const char *client_domain,
366 DATA_BLOB lm_resp, DATA_BLOB nt_resp)
368 return make_user_info_map(user_info, smb_name,
370 get_remote_machine_name(),
371 lm_resp.data && (lm_resp.length > 0) ? &lm_resp : NULL,
372 nt_resp.data && (nt_resp.length > 0) ? &nt_resp : NULL,
374 AUTH_PASSWORD_RESPONSE);
377 /****************************************************************************
378 Create a guest user_info blob, for anonymous authenticaion.
379 ****************************************************************************/
381 bool make_user_info_guest(struct auth_usersupplied_info **user_info)
385 nt_status = make_user_info(user_info,
392 AUTH_PASSWORD_RESPONSE);
394 return NT_STATUS_IS_OK(nt_status) ? True : False;
397 static NTSTATUS log_nt_token(struct security_token *token)
399 TALLOC_CTX *frame = talloc_stackframe();
404 if ((lp_log_nt_token_command() == NULL) ||
405 (strlen(lp_log_nt_token_command()) == 0)) {
410 group_sidstr = talloc_strdup(frame, "");
411 for (i=1; i<token->num_sids; i++) {
412 group_sidstr = talloc_asprintf(
413 frame, "%s %s", group_sidstr,
414 sid_string_talloc(frame, &token->sids[i]));
417 command = talloc_string_sub(
418 frame, lp_log_nt_token_command(),
419 "%s", sid_string_talloc(frame, &token->sids[0]));
420 command = talloc_string_sub(frame, command, "%t", group_sidstr);
422 if (command == NULL) {
424 return NT_STATUS_NO_MEMORY;
427 DEBUG(8, ("running command: [%s]\n", command));
428 if (smbrun(command, NULL) != 0) {
429 DEBUG(0, ("Could not log NT token\n"));
431 return NT_STATUS_ACCESS_DENIED;
439 * Create the token to use from server_info->info3 and
440 * server_info->sids (the info3/sam groups). Find the unix gids.
443 NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
447 struct dom_sid tmp_sid;
450 * If winbind is not around, we can not make much use of the SIDs the
451 * domain controller provided us with. Likewise if the user name was
452 * mapped to some local unix user.
455 if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
456 (server_info->nss_token)) {
457 status = create_token_from_username(server_info,
458 server_info->unix_name,
460 &server_info->utok.uid,
461 &server_info->utok.gid,
462 &server_info->unix_name,
463 &server_info->security_token);
466 status = create_local_nt_token_from_info3(server_info,
470 &server_info->security_token);
473 if (!NT_STATUS_IS_OK(status)) {
477 /* Convert the SIDs to gids. */
479 server_info->utok.ngroups = 0;
480 server_info->utok.groups = NULL;
482 /* Start at index 1, where the groups start. */
484 for (i=1; i<server_info->security_token->num_sids; i++) {
486 struct dom_sid *sid = &server_info->security_token->sids[i];
488 if (!sid_to_gid(sid, &gid)) {
489 DEBUG(10, ("Could not convert SID %s to gid, "
490 "ignoring it\n", sid_string_dbg(sid)));
493 if (!add_gid_to_array_unique(server_info, gid,
494 &server_info->utok.groups,
495 &server_info->utok.ngroups)) {
496 return NT_STATUS_NO_MEMORY;
501 * Add the "Unix Group" SID for each gid to catch mapped groups
502 * and their Unix equivalent. This is to solve the backwards
503 * compatibility problem of 'valid users = +ntadmin' where
504 * ntadmin has been paired with "Domain Admins" in the group
505 * mapping table. Otherwise smb.conf would need to be changed
506 * to 'valid user = "Domain Admins"'. --jerry
508 * For consistency we also add the "Unix User" SID,
509 * so that the complete unix token is represented within
513 uid_to_unix_users_sid(server_info->utok.uid, &tmp_sid);
515 add_sid_to_array_unique(server_info->security_token, &tmp_sid,
516 &server_info->security_token->sids,
517 &server_info->security_token->num_sids);
519 for ( i=0; i<server_info->utok.ngroups; i++ ) {
520 gid_to_unix_groups_sid(server_info->utok.groups[i], &tmp_sid);
521 add_sid_to_array_unique(server_info->security_token, &tmp_sid,
522 &server_info->security_token->sids,
523 &server_info->security_token->num_sids);
526 security_token_debug(DBGC_AUTH, 10, server_info->security_token);
527 debug_unix_user_token(DBGC_AUTH, 10,
528 server_info->utok.uid,
529 server_info->utok.gid,
530 server_info->utok.ngroups,
531 server_info->utok.groups);
533 status = log_nt_token(server_info->security_token);
537 /***************************************************************************
538 Make (and fill) a server_info struct from a 'struct passwd' by conversion
540 ***************************************************************************/
542 NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
547 struct samu *sampass = NULL;
548 char *qualified_name = NULL;
549 TALLOC_CTX *mem_ctx = NULL;
550 struct dom_sid u_sid;
551 enum lsa_SidType type;
552 struct auth_serversupplied_info *result;
555 * The SID returned in server_info->sam_account is based
556 * on our SAM sid even though for a pure UNIX account this should
557 * not be the case as it doesn't really exist in the SAM db.
558 * This causes lookups on "[in]valid users" to fail as they
559 * will lookup this name as a "Unix User" SID to check against
560 * the user token. Fix this by adding the "Unix User"\unix_username
561 * SID to the sid array. The correct fix should probably be
562 * changing the server_info->sam_account user SID to be a
563 * S-1-22 Unix SID, but this might break old configs where
564 * plaintext passwords were used with no SAM backend.
567 mem_ctx = talloc_init("make_server_info_pw_tmp");
569 return NT_STATUS_NO_MEMORY;
572 qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
573 unix_users_domain_name(),
575 if (!qualified_name) {
576 TALLOC_FREE(mem_ctx);
577 return NT_STATUS_NO_MEMORY;
580 if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
583 TALLOC_FREE(mem_ctx);
584 return NT_STATUS_NO_SUCH_USER;
587 TALLOC_FREE(mem_ctx);
589 if (type != SID_NAME_USER) {
590 return NT_STATUS_NO_SUCH_USER;
593 if ( !(sampass = samu_new( NULL )) ) {
594 return NT_STATUS_NO_MEMORY;
597 status = samu_set_unix( sampass, pwd );
598 if (!NT_STATUS_IS_OK(status)) {
602 /* In pathological cases the above call can set the account
603 * name to the DOMAIN\username form. Reset the account name
604 * using unix_username */
605 pdb_set_username(sampass, unix_username, PDB_SET);
607 /* set the user sid to be the calculated u_sid */
608 pdb_set_user_sid(sampass, &u_sid, PDB_SET);
610 result = make_server_info(NULL);
611 if (result == NULL) {
612 TALLOC_FREE(sampass);
613 return NT_STATUS_NO_MEMORY;
616 status = samu_to_SamInfo3(result, sampass, global_myname(),
617 &result->info3, &result->extra);
618 TALLOC_FREE(sampass);
619 if (!NT_STATUS_IS_OK(status)) {
620 DEBUG(10, ("Failed to convert samu to info3: %s\n",
626 result->unix_name = talloc_strdup(result, unix_username);
627 result->sanitized_username = sanitize_username(result, unix_username);
629 if ((result->unix_name == NULL)
630 || (result->sanitized_username == NULL)) {
632 return NT_STATUS_NO_MEMORY;
635 result->utok.uid = pwd->pw_uid;
636 result->utok.gid = pwd->pw_gid;
638 *server_info = result;
643 static NTSTATUS get_guest_info3(TALLOC_CTX *mem_ctx,
644 struct netr_SamInfo3 *info3)
646 const char *guest_account = lp_guestaccount();
647 struct dom_sid domain_sid;
651 pwd = Get_Pwnam_alloc(mem_ctx, guest_account);
653 DEBUG(0,("SamInfo3_for_guest: Unable to locate guest "
654 "account [%s]!\n", guest_account));
655 return NT_STATUS_NO_SUCH_USER;
658 /* Set acount name */
659 tmp = talloc_strdup(mem_ctx, pwd->pw_name);
661 return NT_STATUS_NO_MEMORY;
663 init_lsa_String(&info3->base.account_name, tmp);
665 /* Set domain name */
666 tmp = talloc_strdup(mem_ctx, get_global_sam_name());
668 return NT_STATUS_NO_MEMORY;
670 init_lsa_StringLarge(&info3->base.domain, tmp);
673 sid_copy(&domain_sid, get_global_sam_sid());
675 info3->base.domain_sid = dom_sid_dup(mem_ctx, &domain_sid);
676 if (info3->base.domain_sid == NULL) {
677 return NT_STATUS_NO_MEMORY;
681 info3->base.rid = DOMAIN_RID_GUEST;
684 info3->base.primary_gid = BUILTIN_RID_GUESTS;
690 /***************************************************************************
691 Make (and fill) a user_info struct for a guest login.
692 This *must* succeed for smbd to start. If there is no mapping entry for
693 the guest gid, then create one.
694 ***************************************************************************/
696 static NTSTATUS make_new_server_info_guest(struct auth_serversupplied_info **server_info)
698 static const char zeros[16] = {0};
699 const char *guest_account = lp_guestaccount();
700 const char *domain = global_myname();
701 struct netr_SamInfo3 info3;
706 tmp_ctx = talloc_stackframe();
707 if (tmp_ctx == NULL) {
708 return NT_STATUS_NO_MEMORY;
713 status = get_guest_info3(tmp_ctx, &info3);
714 if (!NT_STATUS_IS_OK(status)) {
718 status = make_server_info_info3(tmp_ctx,
723 if (!NT_STATUS_IS_OK(status)) {
727 (*server_info)->guest = True;
729 status = create_local_token(*server_info);
730 if (!NT_STATUS_IS_OK(status)) {
731 DEBUG(10, ("create_local_token failed: %s\n",
736 /* annoying, but the Guest really does have a session key, and it is
738 (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));
739 (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
741 alpha_strcpy(tmp, (*server_info)->info3->base.account_name.string,
742 ". _-$", sizeof(tmp));
743 (*server_info)->sanitized_username = talloc_strdup(*server_info, tmp);
745 status = NT_STATUS_OK;
747 TALLOC_FREE(tmp_ctx);
751 /***************************************************************************
752 Make (and fill) a auth_session_info struct for a system user login.
753 This *must* succeed for smbd to start.
754 ***************************************************************************/
756 static NTSTATUS make_new_session_info_system(TALLOC_CTX *mem_ctx,
757 struct auth_serversupplied_info **session_info)
762 pwd = getpwuid_alloc(mem_ctx, sec_initial_uid());
764 return NT_STATUS_NO_SUCH_USER;
767 status = make_serverinfo_from_username(mem_ctx,
772 if (!NT_STATUS_IS_OK(status)) {
776 (*session_info)->system = true;
778 status = add_sid_to_array_unique((*session_info)->security_token->sids,
780 &(*session_info)->security_token->sids,
781 &(*session_info)->security_token->num_sids);
782 if (!NT_STATUS_IS_OK(status)) {
783 TALLOC_FREE((*session_info));
790 /****************************************************************************
791 Fake a auth_serversupplied_info just from a username
792 ****************************************************************************/
794 NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx,
795 const char *username,
797 struct auth_serversupplied_info **presult)
799 struct auth_serversupplied_info *result;
803 pwd = Get_Pwnam_alloc(talloc_tos(), username);
805 return NT_STATUS_NO_SUCH_USER;
808 status = make_server_info_pw(&result, pwd->pw_name, pwd);
812 if (!NT_STATUS_IS_OK(status)) {
816 result->nss_token = true;
817 result->guest = is_guest;
819 status = create_local_token(result);
821 if (!NT_STATUS_IS_OK(status)) {
826 *presult = talloc_steal(mem_ctx, result);
831 struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx,
832 const struct auth_serversupplied_info *src)
834 struct auth_serversupplied_info *dst;
836 dst = make_server_info(mem_ctx);
841 dst->guest = src->guest;
842 dst->system = src->system;
843 dst->utok.uid = src->utok.uid;
844 dst->utok.gid = src->utok.gid;
845 dst->utok.ngroups = src->utok.ngroups;
846 if (src->utok.ngroups != 0) {
847 dst->utok.groups = (gid_t *)TALLOC_MEMDUP(
848 dst, src->utok.groups,
849 sizeof(gid_t)*dst->utok.ngroups);
851 dst->utok.groups = NULL;
854 if (src->security_token) {
855 dst->security_token = dup_nt_token(dst, src->security_token);
856 if (!dst->security_token) {
862 dst->user_session_key = data_blob_talloc( dst, src->user_session_key.data,
863 src->user_session_key.length);
865 dst->lm_session_key = data_blob_talloc(dst, src->lm_session_key.data,
866 src->lm_session_key.length);
868 dst->info3 = copy_netr_SamInfo3(dst, src->info3);
873 dst->extra = src->extra;
875 dst->unix_name = talloc_strdup(dst, src->unix_name);
876 if (!dst->unix_name) {
881 dst->sanitized_username = talloc_strdup(dst, src->sanitized_username);
882 if (!dst->sanitized_username) {
891 * Set a new session key. Used in the rpc server where we have to override the
892 * SMB level session key with SystemLibraryDTC
895 bool session_info_set_session_key(struct auth_serversupplied_info *info,
896 DATA_BLOB session_key)
898 TALLOC_FREE(info->user_session_key.data);
900 info->user_session_key = data_blob_talloc(
901 info, session_key.data, session_key.length);
903 return (info->user_session_key.data != NULL);
906 static struct auth_serversupplied_info *guest_info = NULL;
908 bool init_guest_info(void)
910 if (guest_info != NULL)
913 return NT_STATUS_IS_OK(make_new_server_info_guest(&guest_info));
916 NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx,
917 struct auth_serversupplied_info **server_info)
919 *server_info = copy_serverinfo(mem_ctx, guest_info);
920 return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
923 static struct auth_serversupplied_info *system_info = NULL;
925 NTSTATUS init_system_info(void)
927 if (system_info != NULL)
930 return make_new_session_info_system(NULL, &system_info);
933 NTSTATUS make_session_info_system(TALLOC_CTX *mem_ctx,
934 struct auth_serversupplied_info **session_info)
936 if (system_info == NULL) return NT_STATUS_UNSUCCESSFUL;
937 *session_info = copy_serverinfo(mem_ctx, system_info);
938 return (*session_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
941 const struct auth_serversupplied_info *get_session_info_system(void)
946 bool copy_current_user(struct current_user *dst, struct current_user *src)
949 struct security_token *nt_token;
951 groups = (gid_t *)memdup(src->ut.groups,
952 sizeof(gid_t) * src->ut.ngroups);
953 if ((src->ut.ngroups != 0) && (groups == NULL)) {
957 nt_token = dup_nt_token(NULL, src->nt_user_token);
958 if (nt_token == NULL) {
963 dst->conn = src->conn;
964 dst->vuid = src->vuid;
965 dst->ut.uid = src->ut.uid;
966 dst->ut.gid = src->ut.gid;
967 dst->ut.ngroups = src->ut.ngroups;
968 dst->ut.groups = groups;
969 dst->nt_user_token = nt_token;
973 /***************************************************************************
974 Purely internal function for make_server_info_info3
975 ***************************************************************************/
977 static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
978 const char *username, char **found_username,
980 bool *username_was_mapped)
982 char *orig_dom_user = NULL;
983 char *dom_user = NULL;
984 char *lower_username = NULL;
985 char *real_username = NULL;
986 struct passwd *passwd;
988 lower_username = talloc_strdup(mem_ctx, username);
989 if (!lower_username) {
990 return NT_STATUS_NO_MEMORY;
992 strlower_m( lower_username );
994 orig_dom_user = talloc_asprintf(mem_ctx,
997 *lp_winbind_separator(),
999 if (!orig_dom_user) {
1000 return NT_STATUS_NO_MEMORY;
1003 /* Get the passwd struct. Try to create the account if necessary. */
1005 *username_was_mapped = map_username(mem_ctx, orig_dom_user, &dom_user);
1007 return NT_STATUS_NO_MEMORY;
1010 passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, True );
1012 DEBUG(3, ("Failed to find authenticated user %s via "
1013 "getpwnam(), denying access.\n", dom_user));
1014 return NT_STATUS_NO_SUCH_USER;
1017 if (!real_username) {
1018 return NT_STATUS_NO_MEMORY;
1023 /* This is pointless -- there is no suport for differing
1024 unix and windows names. Make sure to always store the
1025 one we actually looked up and succeeded. Have I mentioned
1026 why I hate the 'winbind use default domain' parameter?
1029 *found_username = talloc_strdup( mem_ctx, real_username );
1031 return NT_STATUS_OK;
1034 /****************************************************************************
1035 Wrapper to allow the getpwnam() call to strip the domain name and
1036 try again in case a local UNIX user is already there. Also run through
1037 the username if we fallback to the username only.
1038 ****************************************************************************/
1040 struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser,
1041 char **p_save_username, bool create )
1043 struct passwd *pw = NULL;
1045 char *username = NULL;
1047 /* we only save a copy of the username it has been mangled
1048 by winbindd use default domain */
1049 *p_save_username = NULL;
1051 /* don't call map_username() here since it has to be done higher
1052 up the stack so we don't call it multiple times */
1054 username = talloc_strdup(mem_ctx, domuser);
1059 p = strchr_m( username, *lp_winbind_separator() );
1061 /* code for a DOMAIN\user string */
1064 pw = Get_Pwnam_alloc( mem_ctx, domuser );
1066 /* make sure we get the case of the username correct */
1067 /* work around 'winbind use default domain = yes' */
1069 if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
1072 /* split the domain and username into 2 strings */
1076 *p_save_username = talloc_asprintf(mem_ctx,
1079 *lp_winbind_separator(),
1081 if (!*p_save_username) {
1086 *p_save_username = talloc_strdup(mem_ctx, pw->pw_name);
1093 /* setup for lookup of just the username */
1094 /* remember that p and username are overlapping memory */
1097 username = talloc_strdup(mem_ctx, p);
1103 /* just lookup a plain username */
1105 pw = Get_Pwnam_alloc(mem_ctx, username);
1107 /* Create local user if requested but only if winbindd
1108 is not running. We need to protect against cases
1109 where winbindd is failing and then prematurely
1110 creating users in /etc/passwd */
1112 if ( !pw && create && !winbind_ping() ) {
1113 /* Don't add a machine account. */
1114 if (username[strlen(username)-1] == '$')
1117 _smb_create_user(NULL, username, NULL);
1118 pw = Get_Pwnam_alloc(mem_ctx, username);
1121 /* one last check for a valid passwd struct */
1124 *p_save_username = talloc_strdup(mem_ctx, pw->pw_name);
1129 /***************************************************************************
1130 Make a server_info struct from the info3 returned by a domain logon
1131 ***************************************************************************/
1133 NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
1134 const char *sent_nt_username,
1136 struct auth_serversupplied_info **server_info,
1137 struct netr_SamInfo3 *info3)
1139 static const char zeros[16] = {0, };
1141 NTSTATUS nt_status = NT_STATUS_OK;
1142 char *found_username = NULL;
1143 const char *nt_domain;
1144 const char *nt_username;
1145 bool username_was_mapped;
1147 struct auth_serversupplied_info *result;
1148 struct dom_sid *group_sid;
1149 struct netr_SamInfo3 *i3;
1152 Here is where we should check the list of
1153 trusted domains, and verify that the SID
1157 nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
1159 /* If the server didn't give us one, just use the one we sent
1161 nt_username = sent_nt_username;
1164 nt_domain = talloc_strdup(mem_ctx, info3->base.domain.string);
1166 /* If the server didn't give us one, just use the one we sent
1171 /* If getpwnam() fails try the add user script (2.2.x behavior).
1173 We use the _unmapped_ username here in an attempt to provide
1174 consistent username mapping behavior between kerberos and NTLM[SSP]
1175 authentication in domain mode security. I.E. Username mapping
1176 should be applied to the fully qualified username
1177 (e.g. DOMAIN\user) and not just the login name. Yes this means we
1178 called map_username() unnecessarily in make_user_info_map() but
1179 that is how the current code is designed. Making the change here
1180 is the least disruptive place. -- jerry */
1182 /* this call will try to create the user if necessary */
1184 nt_status = check_account(mem_ctx, nt_domain, sent_nt_username,
1185 &found_username, &pwd,
1186 &username_was_mapped);
1188 if (!NT_STATUS_IS_OK(nt_status)) {
1192 result = make_server_info(NULL);
1193 if (result == NULL) {
1194 DEBUG(4, ("make_server_info failed!\n"));
1195 return NT_STATUS_NO_MEMORY;
1198 result->unix_name = talloc_strdup(result, found_username);
1200 result->sanitized_username = sanitize_username(result,
1202 if (result->sanitized_username == NULL) {
1203 TALLOC_FREE(result);
1204 return NT_STATUS_NO_MEMORY;
1207 /* copy in the info3 */
1208 result->info3 = i3 = copy_netr_SamInfo3(result, info3);
1209 if (result->info3 == NULL) {
1210 TALLOC_FREE(result);
1211 return NT_STATUS_NO_MEMORY;
1214 /* Fill in the unix info we found on the way */
1215 result->utok.uid = pwd->pw_uid;
1216 result->utok.gid = pwd->pw_gid;
1218 /* We can't just trust that the primary group sid sent us is something
1219 * we can really use. Obtain the useable sid, and store the original
1220 * one as an additional group if it had to be replaced */
1221 nt_status = get_primary_group_sid(mem_ctx, found_username,
1223 if (!NT_STATUS_IS_OK(nt_status)) {
1224 TALLOC_FREE(result);
1228 /* store and check if it is the same we got originally */
1229 sid_peek_rid(group_sid, &i3->base.primary_gid);
1230 if (i3->base.primary_gid != info3->base.primary_gid) {
1231 uint32_t n = i3->base.groups.count;
1232 /* not the same, store the original as an additional group */
1233 i3->base.groups.rids =
1234 talloc_realloc(i3, i3->base.groups.rids,
1235 struct samr_RidWithAttribute, n + 1);
1236 if (i3->base.groups.rids == NULL) {
1237 TALLOC_FREE(result);
1238 return NT_STATUS_NO_MEMORY;
1240 i3->base.groups.rids[n].rid = info3->base.primary_gid;
1241 i3->base.groups.rids[n].attributes = SE_GROUP_ENABLED;
1242 i3->base.groups.count = n + 1;
1245 /* ensure we are never given NULL session keys */
1247 if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) {
1248 result->user_session_key = data_blob_null;
1250 result->user_session_key = data_blob_talloc(
1251 result, info3->base.key.key,
1252 sizeof(info3->base.key.key));
1255 if (memcmp(info3->base.LMSessKey.key, zeros, 8) == 0) {
1256 result->lm_session_key = data_blob_null;
1258 result->lm_session_key = data_blob_talloc(
1259 result, info3->base.LMSessKey.key,
1260 sizeof(info3->base.LMSessKey.key));
1263 result->nss_token |= username_was_mapped;
1265 *server_info = result;
1267 return NT_STATUS_OK;
1270 /*****************************************************************************
1271 Make a server_info struct from the wbcAuthUserInfo returned by a domain logon
1272 ******************************************************************************/
1274 NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
1275 const char *sent_nt_username,
1277 const struct wbcAuthUserInfo *info,
1278 struct auth_serversupplied_info **server_info)
1280 struct netr_SamInfo3 *info3;
1282 info3 = wbcAuthUserInfo_to_netr_SamInfo3(mem_ctx, info);
1284 return NT_STATUS_NO_MEMORY;
1287 return make_server_info_info3(mem_ctx,
1288 sent_nt_username, domain,
1289 server_info, info3);
1293 * Verify whether or not given domain is trusted.
1295 * @param domain_name name of the domain to be verified
1296 * @return true if domain is one of the trusted ones or
1297 * false if otherwise
1300 bool is_trusted_domain(const char* dom_name)
1302 struct dom_sid trustdom_sid;
1305 /* no trusted domains for a standalone server */
1307 if ( lp_server_role() == ROLE_STANDALONE )
1310 if (dom_name == NULL || dom_name[0] == '\0') {
1314 if (strequal(dom_name, get_global_sam_name())) {
1318 /* if we are a DC, then check for a direct trust relationships */
1322 DEBUG (5,("is_trusted_domain: Checking for domain trust with "
1323 "[%s]\n", dom_name ));
1324 ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
1332 /* If winbind is around, ask it */
1334 result = wb_is_trusted_domain(dom_name);
1336 if (result == WBC_ERR_SUCCESS) {
1340 if (result == WBC_ERR_DOMAIN_NOT_FOUND) {
1341 /* winbind could not find the domain */
1345 /* The only other possible result is that winbind is not up
1346 and running. We need to update the trustdom_cache
1349 update_trustdom_cache();
1352 /* now the trustdom cache should be available a DC could still
1353 * have a transitive trust so fall back to the cache of trusted
1354 * domains (like a domain member would use */
1356 if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) {