2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Volker Lendecke 2006
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../libcli/auth/libcli_auth.h"
27 #include "../lib/crypto/arcfour.h"
28 #include "rpc_client/init_lsa.h"
29 #include "../libcli/security/security.h"
30 #include "../lib/util/util_pw.h"
31 #include "lib/winbind_util.h"
35 #define DBGC_CLASS DBGC_AUTH
37 /****************************************************************************
38 Create a UNIX user on demand.
39 ****************************************************************************/
41 static int _smb_create_user(const char *domain, const char *unix_username, const char *homedir)
43 TALLOC_CTX *ctx = talloc_tos();
47 add_script = talloc_strdup(ctx, lp_adduser_script());
48 if (!add_script || !*add_script) {
51 add_script = talloc_all_string_sub(ctx,
59 add_script = talloc_all_string_sub(ctx,
68 add_script = talloc_all_string_sub(ctx,
76 ret = smbrun(add_script,NULL);
79 ("smb_create_user: Running the command `%s' gave %d\n",
84 /****************************************************************************
85 Create an auth_usersupplied_data structure after appropriate mapping.
86 ****************************************************************************/
88 NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info,
90 const char *client_domain,
91 const char *workstation_name,
94 const struct samr_Password *lm_interactive_pwd,
95 const struct samr_Password *nt_interactive_pwd,
96 const char *plaintext,
97 enum auth_password_state password_state)
102 char *internal_username = NULL;
104 was_mapped = map_username(talloc_tos(), smb_name, &internal_username);
105 if (!internal_username) {
106 return NT_STATUS_NO_MEMORY;
109 DEBUG(5, ("Mapping user [%s]\\[%s] from workstation [%s]\n",
110 client_domain, smb_name, workstation_name));
112 domain = client_domain;
114 /* If you connect to a Windows domain member using a bogus domain name,
115 * the Windows box will map the BOGUS\user to SAMNAME\user. Thus, if
116 * the Windows box is a DC the name will become DOMAIN\user and be
117 * authenticated against AD, if the Windows box is a member server but
118 * not a DC the name will become WORKSTATION\user. A standalone
119 * non-domain member box will also map to WORKSTATION\user.
120 * This also deals with the client passing in a "" domain */
122 if (!is_trusted_domain(domain) &&
123 !strequal(domain, my_sam_name()))
125 if (lp_map_untrusted_to_domain())
126 domain = my_sam_name();
128 domain = get_global_sam_name();
129 DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] from "
130 "workstation [%s]\n",
131 client_domain, domain, smb_name, workstation_name));
134 /* We know that the given domain is trusted (and we are allowing them),
135 * it is our global SAM name, or for legacy behavior it is our
136 * primary domain name */
138 result = make_user_info(user_info, smb_name, internal_username,
139 client_domain, domain, workstation_name,
141 lm_interactive_pwd, nt_interactive_pwd,
142 plaintext, password_state);
143 if (NT_STATUS_IS_OK(result)) {
144 /* We have tried mapping */
145 (*user_info)->mapped_state = True;
146 /* did we actually map the user to a different name? */
147 (*user_info)->was_mapped = was_mapped;
152 /****************************************************************************
153 Create an auth_usersupplied_data, making the DATA_BLOBs here.
154 Decrypt and encrypt the passwords.
155 ****************************************************************************/
157 bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info,
158 const char *smb_name,
159 const char *client_domain,
160 const char *workstation_name,
161 uint32 logon_parameters,
162 const uchar *lm_network_pwd,
164 const uchar *nt_network_pwd,
169 DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len);
170 DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
172 status = make_user_info_map(user_info,
173 smb_name, client_domain,
175 lm_pwd_len ? &lm_blob : NULL,
176 nt_pwd_len ? &nt_blob : NULL,
178 AUTH_PASSWORD_RESPONSE);
180 if (NT_STATUS_IS_OK(status)) {
181 (*user_info)->logon_parameters = logon_parameters;
183 ret = NT_STATUS_IS_OK(status) ? True : False;
185 data_blob_free(&lm_blob);
186 data_blob_free(&nt_blob);
190 /****************************************************************************
191 Create an auth_usersupplied_data, making the DATA_BLOBs here.
192 Decrypt and encrypt the passwords.
193 ****************************************************************************/
195 bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_info,
196 const char *smb_name,
197 const char *client_domain,
198 const char *workstation_name,
199 uint32 logon_parameters,
201 const uchar lm_interactive_pwd[16],
202 const uchar nt_interactive_pwd[16],
203 const uchar *dc_sess_key)
205 struct samr_Password lm_pwd;
206 struct samr_Password nt_pwd;
207 unsigned char local_lm_response[24];
208 unsigned char local_nt_response[24];
209 unsigned char key[16];
211 memcpy(key, dc_sess_key, 16);
213 if (lm_interactive_pwd)
214 memcpy(lm_pwd.hash, lm_interactive_pwd, sizeof(lm_pwd.hash));
216 if (nt_interactive_pwd)
217 memcpy(nt_pwd.hash, nt_interactive_pwd, sizeof(nt_pwd.hash));
219 #ifdef DEBUG_PASSWORD
221 dump_data(100, key, sizeof(key));
223 DEBUG(100,("lm owf password:"));
224 dump_data(100, lm_pwd.hash, sizeof(lm_pwd.hash));
226 DEBUG(100,("nt owf password:"));
227 dump_data(100, nt_pwd.hash, sizeof(nt_pwd.hash));
230 if (lm_interactive_pwd)
231 arcfour_crypt(lm_pwd.hash, key, sizeof(lm_pwd.hash));
233 if (nt_interactive_pwd)
234 arcfour_crypt(nt_pwd.hash, key, sizeof(nt_pwd.hash));
236 #ifdef DEBUG_PASSWORD
237 DEBUG(100,("decrypt of lm owf password:"));
238 dump_data(100, lm_pwd.hash, sizeof(lm_pwd));
240 DEBUG(100,("decrypt of nt owf password:"));
241 dump_data(100, nt_pwd.hash, sizeof(nt_pwd));
244 if (lm_interactive_pwd)
245 SMBOWFencrypt(lm_pwd.hash, chal,
248 if (nt_interactive_pwd)
249 SMBOWFencrypt(nt_pwd.hash, chal,
252 /* Password info paranoia */
258 DATA_BLOB local_lm_blob;
259 DATA_BLOB local_nt_blob;
261 if (lm_interactive_pwd) {
262 local_lm_blob = data_blob(local_lm_response,
263 sizeof(local_lm_response));
266 if (nt_interactive_pwd) {
267 local_nt_blob = data_blob(local_nt_response,
268 sizeof(local_nt_response));
271 nt_status = make_user_info_map(
273 smb_name, client_domain, workstation_name,
274 lm_interactive_pwd ? &local_lm_blob : NULL,
275 nt_interactive_pwd ? &local_nt_blob : NULL,
276 lm_interactive_pwd ? &lm_pwd : NULL,
277 nt_interactive_pwd ? &nt_pwd : NULL,
278 NULL, AUTH_PASSWORD_HASH);
280 if (NT_STATUS_IS_OK(nt_status)) {
281 (*user_info)->logon_parameters = logon_parameters;
284 ret = NT_STATUS_IS_OK(nt_status) ? True : False;
285 data_blob_free(&local_lm_blob);
286 data_blob_free(&local_nt_blob);
292 /****************************************************************************
293 Create an auth_usersupplied_data structure
294 ****************************************************************************/
296 bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
297 const char *smb_name,
298 const char *client_domain,
300 DATA_BLOB plaintext_password)
303 DATA_BLOB local_lm_blob;
304 DATA_BLOB local_nt_blob;
305 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
306 char *plaintext_password_string;
308 * Not encrypted - do so.
311 DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted "
313 if (plaintext_password.data && plaintext_password.length) {
314 unsigned char local_lm_response[24];
316 #ifdef DEBUG_PASSWORD
317 DEBUG(10,("Unencrypted password (len %d):\n",
318 (int)plaintext_password.length));
319 dump_data(100, plaintext_password.data,
320 plaintext_password.length);
323 SMBencrypt( (const char *)plaintext_password.data,
324 (const uchar*)chal, local_lm_response);
325 local_lm_blob = data_blob(local_lm_response, 24);
327 /* We can't do an NT hash here, as the password needs to be
329 local_nt_blob = data_blob_null;
331 local_lm_blob = data_blob_null;
332 local_nt_blob = data_blob_null;
335 plaintext_password_string = talloc_strndup(talloc_tos(),
336 (const char *)plaintext_password.data,
337 plaintext_password.length);
338 if (!plaintext_password_string) {
342 ret = make_user_info_map(
343 user_info, smb_name, client_domain,
344 get_remote_machine_name(),
345 local_lm_blob.data ? &local_lm_blob : NULL,
346 local_nt_blob.data ? &local_nt_blob : NULL,
348 plaintext_password_string,
349 AUTH_PASSWORD_PLAIN);
351 if (plaintext_password_string) {
352 memset(plaintext_password_string, '\0', strlen(plaintext_password_string));
353 talloc_free(plaintext_password_string);
356 data_blob_free(&local_lm_blob);
357 return NT_STATUS_IS_OK(ret) ? True : False;
360 /****************************************************************************
361 Create an auth_usersupplied_data structure
362 ****************************************************************************/
364 NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info,
365 const char *smb_name,
366 const char *client_domain,
367 DATA_BLOB lm_resp, DATA_BLOB nt_resp)
369 return make_user_info_map(user_info, smb_name,
371 get_remote_machine_name(),
372 lm_resp.data && (lm_resp.length > 0) ? &lm_resp : NULL,
373 nt_resp.data && (nt_resp.length > 0) ? &nt_resp : NULL,
375 AUTH_PASSWORD_RESPONSE);
378 /****************************************************************************
379 Create a guest user_info blob, for anonymous authenticaion.
380 ****************************************************************************/
382 bool make_user_info_guest(struct auth_usersupplied_info **user_info)
386 nt_status = make_user_info(user_info,
393 AUTH_PASSWORD_RESPONSE);
395 return NT_STATUS_IS_OK(nt_status) ? True : False;
398 static NTSTATUS log_nt_token(struct security_token *token)
400 TALLOC_CTX *frame = talloc_stackframe();
405 if ((lp_log_nt_token_command() == NULL) ||
406 (strlen(lp_log_nt_token_command()) == 0)) {
411 group_sidstr = talloc_strdup(frame, "");
412 for (i=1; i<token->num_sids; i++) {
413 group_sidstr = talloc_asprintf(
414 frame, "%s %s", group_sidstr,
415 sid_string_talloc(frame, &token->sids[i]));
418 command = talloc_string_sub(
419 frame, lp_log_nt_token_command(),
420 "%s", sid_string_talloc(frame, &token->sids[0]));
421 command = talloc_string_sub(frame, command, "%t", group_sidstr);
423 if (command == NULL) {
425 return NT_STATUS_NO_MEMORY;
428 DEBUG(8, ("running command: [%s]\n", command));
429 if (smbrun(command, NULL) != 0) {
430 DEBUG(0, ("Could not log NT token\n"));
432 return NT_STATUS_ACCESS_DENIED;
440 * Create the token to use from server_info->info3 and
441 * server_info->sids (the info3/sam groups). Find the unix gids.
444 NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
446 struct security_token *t;
449 struct dom_sid tmp_sid;
450 struct wbcUnixId *ids;
453 * If winbind is not around, we can not make much use of the SIDs the
454 * domain controller provided us with. Likewise if the user name was
455 * mapped to some local unix user.
458 if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
459 (server_info->nss_token)) {
460 status = create_token_from_username(server_info,
461 server_info->unix_name,
463 &server_info->utok.uid,
464 &server_info->utok.gid,
465 &server_info->unix_name,
466 &server_info->security_token);
469 status = create_local_nt_token_from_info3(server_info,
473 &server_info->security_token);
476 if (!NT_STATUS_IS_OK(status)) {
480 /* Convert the SIDs to gids. */
482 server_info->utok.ngroups = 0;
483 server_info->utok.groups = NULL;
485 t = server_info->security_token;
487 ids = TALLOC_ARRAY(talloc_tos(), struct wbcUnixId,
490 return NT_STATUS_NO_MEMORY;
493 if (!sids_to_unix_ids(t->sids, t->num_sids, ids)) {
495 return NT_STATUS_NO_MEMORY;
498 /* Start at index 1, where the groups start. */
500 for (i=1; i<t->num_sids; i++) {
502 if (ids[i].type != WBC_ID_TYPE_GID) {
503 DEBUG(2, ("Could not convert SID %s to gid, "
505 sid_string_dbg(&t->sids[i])));
508 if (!add_gid_to_array_unique(server_info, ids[i].id.gid,
509 &server_info->utok.groups,
510 &server_info->utok.ngroups)) {
511 return NT_STATUS_NO_MEMORY;
516 * Add the "Unix Group" SID for each gid to catch mapped groups
517 * and their Unix equivalent. This is to solve the backwards
518 * compatibility problem of 'valid users = +ntadmin' where
519 * ntadmin has been paired with "Domain Admins" in the group
520 * mapping table. Otherwise smb.conf would need to be changed
521 * to 'valid user = "Domain Admins"'. --jerry
523 * For consistency we also add the "Unix User" SID,
524 * so that the complete unix token is represented within
528 uid_to_unix_users_sid(server_info->utok.uid, &tmp_sid);
530 add_sid_to_array_unique(server_info->security_token, &tmp_sid,
531 &server_info->security_token->sids,
532 &server_info->security_token->num_sids);
534 for ( i=0; i<server_info->utok.ngroups; i++ ) {
535 gid_to_unix_groups_sid(server_info->utok.groups[i], &tmp_sid);
536 add_sid_to_array_unique(server_info->security_token, &tmp_sid,
537 &server_info->security_token->sids,
538 &server_info->security_token->num_sids);
541 security_token_debug(DBGC_AUTH, 10, server_info->security_token);
542 debug_unix_user_token(DBGC_AUTH, 10,
543 server_info->utok.uid,
544 server_info->utok.gid,
545 server_info->utok.ngroups,
546 server_info->utok.groups);
548 status = log_nt_token(server_info->security_token);
552 /***************************************************************************
553 Make (and fill) a server_info struct from a 'struct passwd' by conversion
555 ***************************************************************************/
557 NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
562 struct samu *sampass = NULL;
563 char *qualified_name = NULL;
564 TALLOC_CTX *mem_ctx = NULL;
565 struct dom_sid u_sid;
566 enum lsa_SidType type;
567 struct auth_serversupplied_info *result;
570 * The SID returned in server_info->sam_account is based
571 * on our SAM sid even though for a pure UNIX account this should
572 * not be the case as it doesn't really exist in the SAM db.
573 * This causes lookups on "[in]valid users" to fail as they
574 * will lookup this name as a "Unix User" SID to check against
575 * the user token. Fix this by adding the "Unix User"\unix_username
576 * SID to the sid array. The correct fix should probably be
577 * changing the server_info->sam_account user SID to be a
578 * S-1-22 Unix SID, but this might break old configs where
579 * plaintext passwords were used with no SAM backend.
582 mem_ctx = talloc_init("make_server_info_pw_tmp");
584 return NT_STATUS_NO_MEMORY;
587 qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
588 unix_users_domain_name(),
590 if (!qualified_name) {
591 TALLOC_FREE(mem_ctx);
592 return NT_STATUS_NO_MEMORY;
595 if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
598 TALLOC_FREE(mem_ctx);
599 return NT_STATUS_NO_SUCH_USER;
602 TALLOC_FREE(mem_ctx);
604 if (type != SID_NAME_USER) {
605 return NT_STATUS_NO_SUCH_USER;
608 if ( !(sampass = samu_new( NULL )) ) {
609 return NT_STATUS_NO_MEMORY;
612 status = samu_set_unix( sampass, pwd );
613 if (!NT_STATUS_IS_OK(status)) {
617 /* In pathological cases the above call can set the account
618 * name to the DOMAIN\username form. Reset the account name
619 * using unix_username */
620 pdb_set_username(sampass, unix_username, PDB_SET);
622 /* set the user sid to be the calculated u_sid */
623 pdb_set_user_sid(sampass, &u_sid, PDB_SET);
625 result = make_server_info(NULL);
626 if (result == NULL) {
627 TALLOC_FREE(sampass);
628 return NT_STATUS_NO_MEMORY;
631 status = samu_to_SamInfo3(result, sampass, global_myname(),
632 &result->info3, &result->extra);
633 TALLOC_FREE(sampass);
634 if (!NT_STATUS_IS_OK(status)) {
635 DEBUG(10, ("Failed to convert samu to info3: %s\n",
641 result->unix_name = talloc_strdup(result, unix_username);
642 result->sanitized_username = sanitize_username(result, unix_username);
644 if ((result->unix_name == NULL)
645 || (result->sanitized_username == NULL)) {
647 return NT_STATUS_NO_MEMORY;
650 result->utok.uid = pwd->pw_uid;
651 result->utok.gid = pwd->pw_gid;
653 *server_info = result;
658 static NTSTATUS get_system_info3(TALLOC_CTX *mem_ctx,
660 struct netr_SamInfo3 *info3)
662 struct dom_sid domain_sid;
665 /* Set account name */
666 tmp = talloc_strdup(mem_ctx, pwd->pw_name);
668 return NT_STATUS_NO_MEMORY;
670 init_lsa_String(&info3->base.account_name, tmp);
672 /* Set domain name */
673 tmp = talloc_strdup(mem_ctx, get_global_sam_name());
675 return NT_STATUS_NO_MEMORY;
677 init_lsa_StringLarge(&info3->base.domain, tmp);
680 sid_copy(&domain_sid, get_global_sam_sid());
682 info3->base.domain_sid = dom_sid_dup(mem_ctx, &domain_sid);
683 if (info3->base.domain_sid == NULL) {
684 return NT_STATUS_NO_MEMORY;
688 info3->base.rid = DOMAIN_RID_ADMINISTRATOR;
691 info3->base.primary_gid = BUILTIN_RID_ADMINISTRATORS;
696 static NTSTATUS get_guest_info3(TALLOC_CTX *mem_ctx,
697 struct netr_SamInfo3 *info3)
699 const char *guest_account = lp_guestaccount();
700 struct dom_sid domain_sid;
704 pwd = Get_Pwnam_alloc(mem_ctx, guest_account);
706 DEBUG(0,("SamInfo3_for_guest: Unable to locate guest "
707 "account [%s]!\n", guest_account));
708 return NT_STATUS_NO_SUCH_USER;
711 /* Set acount name */
712 tmp = talloc_strdup(mem_ctx, pwd->pw_name);
714 return NT_STATUS_NO_MEMORY;
716 init_lsa_String(&info3->base.account_name, tmp);
718 /* Set domain name */
719 tmp = talloc_strdup(mem_ctx, get_global_sam_name());
721 return NT_STATUS_NO_MEMORY;
723 init_lsa_StringLarge(&info3->base.domain, tmp);
726 sid_copy(&domain_sid, get_global_sam_sid());
728 info3->base.domain_sid = dom_sid_dup(mem_ctx, &domain_sid);
729 if (info3->base.domain_sid == NULL) {
730 return NT_STATUS_NO_MEMORY;
734 info3->base.rid = DOMAIN_RID_GUEST;
737 info3->base.primary_gid = DOMAIN_RID_GUESTS;
743 /***************************************************************************
744 Make (and fill) a user_info struct for a guest login.
745 This *must* succeed for smbd to start. If there is no mapping entry for
746 the guest gid, then create one.
747 ***************************************************************************/
749 static NTSTATUS make_new_server_info_guest(struct auth_serversupplied_info **server_info)
751 static const char zeros[16] = {0};
752 const char *guest_account = lp_guestaccount();
753 const char *domain = global_myname();
754 struct netr_SamInfo3 info3;
759 tmp_ctx = talloc_stackframe();
760 if (tmp_ctx == NULL) {
761 return NT_STATUS_NO_MEMORY;
766 status = get_guest_info3(tmp_ctx, &info3);
767 if (!NT_STATUS_IS_OK(status)) {
771 status = make_server_info_info3(tmp_ctx,
776 if (!NT_STATUS_IS_OK(status)) {
780 (*server_info)->guest = True;
782 status = create_local_token(*server_info);
783 if (!NT_STATUS_IS_OK(status)) {
784 DEBUG(10, ("create_local_token failed: %s\n",
789 /* annoying, but the Guest really does have a session key, and it is
791 (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));
792 (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
794 alpha_strcpy(tmp, (*server_info)->info3->base.account_name.string,
795 ". _-$", sizeof(tmp));
796 (*server_info)->sanitized_username = talloc_strdup(*server_info, tmp);
798 status = NT_STATUS_OK;
800 TALLOC_FREE(tmp_ctx);
804 /****************************************************************************
805 Fake a auth_session_info just from a username (as a
806 session_info structure, with create_local_token() already called on
808 ****************************************************************************/
810 static NTSTATUS make_system_session_info_from_pw(TALLOC_CTX *mem_ctx,
812 struct auth_serversupplied_info **server_info)
814 const char *domain = global_myname();
815 struct netr_SamInfo3 info3;
819 tmp_ctx = talloc_stackframe();
820 if (tmp_ctx == NULL) {
821 return NT_STATUS_NO_MEMORY;
826 status = get_system_info3(tmp_ctx, pwd, &info3);
827 if (!NT_STATUS_IS_OK(status)) {
828 DEBUG(0, ("Failed creating system info3 with %s\n",
833 status = make_server_info_info3(mem_ctx,
838 if (!NT_STATUS_IS_OK(status)) {
839 DEBUG(0, ("make_server_info_info3 failed with %s\n",
844 (*server_info)->nss_token = true;
846 /* Now turn the server_info into a session_info with the full token etc */
847 status = create_local_token(*server_info);
848 if (!NT_STATUS_IS_OK(status)) {
849 DEBUG(0, ("create_local_token failed: %s\n",
854 status = NT_STATUS_OK;
856 TALLOC_FREE(tmp_ctx);
860 /***************************************************************************
861 Make (and fill) a auth_session_info struct for a system user login.
862 This *must* succeed for smbd to start.
863 ***************************************************************************/
865 static NTSTATUS make_new_session_info_system(TALLOC_CTX *mem_ctx,
866 struct auth_serversupplied_info **session_info)
871 pwd = getpwuid_alloc(mem_ctx, sec_initial_uid());
873 return NT_STATUS_NO_SUCH_USER;
876 status = make_system_session_info_from_pw(mem_ctx,
880 if (!NT_STATUS_IS_OK(status)) {
884 (*session_info)->system = true;
886 status = add_sid_to_array_unique((*session_info)->security_token->sids,
888 &(*session_info)->security_token->sids,
889 &(*session_info)->security_token->num_sids);
890 if (!NT_STATUS_IS_OK(status)) {
891 TALLOC_FREE((*session_info));
898 /****************************************************************************
899 Fake a auth_serversupplied_info just from a username
900 ****************************************************************************/
902 NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx,
903 const char *username,
905 struct auth_serversupplied_info **presult)
907 struct auth_serversupplied_info *result;
911 pwd = Get_Pwnam_alloc(talloc_tos(), username);
913 return NT_STATUS_NO_SUCH_USER;
916 status = make_server_info_pw(&result, pwd->pw_name, pwd);
920 if (!NT_STATUS_IS_OK(status)) {
924 result->nss_token = true;
925 result->guest = is_guest;
927 status = create_local_token(result);
929 if (!NT_STATUS_IS_OK(status)) {
934 *presult = talloc_steal(mem_ctx, result);
939 struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx,
940 const struct auth_serversupplied_info *src)
942 struct auth_serversupplied_info *dst;
944 dst = make_server_info(mem_ctx);
949 dst->guest = src->guest;
950 dst->system = src->system;
951 dst->utok.uid = src->utok.uid;
952 dst->utok.gid = src->utok.gid;
953 dst->utok.ngroups = src->utok.ngroups;
954 if (src->utok.ngroups != 0) {
955 dst->utok.groups = (gid_t *)TALLOC_MEMDUP(
956 dst, src->utok.groups,
957 sizeof(gid_t)*dst->utok.ngroups);
959 dst->utok.groups = NULL;
962 if (src->security_token) {
963 dst->security_token = dup_nt_token(dst, src->security_token);
964 if (!dst->security_token) {
970 dst->user_session_key = data_blob_talloc( dst, src->user_session_key.data,
971 src->user_session_key.length);
973 dst->lm_session_key = data_blob_talloc(dst, src->lm_session_key.data,
974 src->lm_session_key.length);
976 dst->info3 = copy_netr_SamInfo3(dst, src->info3);
981 dst->extra = src->extra;
983 dst->unix_name = talloc_strdup(dst, src->unix_name);
984 if (!dst->unix_name) {
989 dst->sanitized_username = talloc_strdup(dst, src->sanitized_username);
990 if (!dst->sanitized_username) {
999 * Set a new session key. Used in the rpc server where we have to override the
1000 * SMB level session key with SystemLibraryDTC
1003 bool session_info_set_session_key(struct auth_serversupplied_info *info,
1004 DATA_BLOB session_key)
1006 TALLOC_FREE(info->user_session_key.data);
1008 info->user_session_key = data_blob_talloc(
1009 info, session_key.data, session_key.length);
1011 return (info->user_session_key.data != NULL);
1014 static struct auth_serversupplied_info *guest_info = NULL;
1016 bool init_guest_info(void)
1018 if (guest_info != NULL)
1021 return NT_STATUS_IS_OK(make_new_server_info_guest(&guest_info));
1024 NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx,
1025 struct auth_serversupplied_info **server_info)
1027 *server_info = copy_serverinfo(mem_ctx, guest_info);
1028 return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1031 static struct auth_serversupplied_info *system_info = NULL;
1033 NTSTATUS init_system_info(void)
1035 if (system_info != NULL)
1036 return NT_STATUS_OK;
1038 return make_new_session_info_system(NULL, &system_info);
1041 NTSTATUS make_session_info_system(TALLOC_CTX *mem_ctx,
1042 struct auth_serversupplied_info **session_info)
1044 if (system_info == NULL) return NT_STATUS_UNSUCCESSFUL;
1045 *session_info = copy_serverinfo(mem_ctx, system_info);
1046 return (*session_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1049 const struct auth_serversupplied_info *get_session_info_system(void)
1054 bool copy_current_user(struct current_user *dst, struct current_user *src)
1057 struct security_token *nt_token;
1059 groups = (gid_t *)memdup(src->ut.groups,
1060 sizeof(gid_t) * src->ut.ngroups);
1061 if ((src->ut.ngroups != 0) && (groups == NULL)) {
1065 nt_token = dup_nt_token(NULL, src->nt_user_token);
1066 if (nt_token == NULL) {
1071 dst->conn = src->conn;
1072 dst->vuid = src->vuid;
1073 dst->ut.uid = src->ut.uid;
1074 dst->ut.gid = src->ut.gid;
1075 dst->ut.ngroups = src->ut.ngroups;
1076 dst->ut.groups = groups;
1077 dst->nt_user_token = nt_token;
1081 /***************************************************************************
1082 Purely internal function for make_server_info_info3
1083 ***************************************************************************/
1085 static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
1086 const char *username, char **found_username,
1087 struct passwd **pwd,
1088 bool *username_was_mapped)
1090 char *orig_dom_user = NULL;
1091 char *dom_user = NULL;
1092 char *lower_username = NULL;
1093 char *real_username = NULL;
1094 struct passwd *passwd;
1096 lower_username = talloc_strdup(mem_ctx, username);
1097 if (!lower_username) {
1098 return NT_STATUS_NO_MEMORY;
1100 strlower_m( lower_username );
1102 orig_dom_user = talloc_asprintf(mem_ctx,
1105 *lp_winbind_separator(),
1107 if (!orig_dom_user) {
1108 return NT_STATUS_NO_MEMORY;
1111 /* Get the passwd struct. Try to create the account if necessary. */
1113 *username_was_mapped = map_username(mem_ctx, orig_dom_user, &dom_user);
1115 return NT_STATUS_NO_MEMORY;
1118 passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, True );
1120 DEBUG(3, ("Failed to find authenticated user %s via "
1121 "getpwnam(), denying access.\n", dom_user));
1122 return NT_STATUS_NO_SUCH_USER;
1125 if (!real_username) {
1126 return NT_STATUS_NO_MEMORY;
1131 /* This is pointless -- there is no suport for differing
1132 unix and windows names. Make sure to always store the
1133 one we actually looked up and succeeded. Have I mentioned
1134 why I hate the 'winbind use default domain' parameter?
1137 *found_username = talloc_strdup( mem_ctx, real_username );
1139 return NT_STATUS_OK;
1142 /****************************************************************************
1143 Wrapper to allow the getpwnam() call to strip the domain name and
1144 try again in case a local UNIX user is already there. Also run through
1145 the username if we fallback to the username only.
1146 ****************************************************************************/
1148 struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser,
1149 char **p_save_username, bool create )
1151 struct passwd *pw = NULL;
1153 char *username = NULL;
1155 /* we only save a copy of the username it has been mangled
1156 by winbindd use default domain */
1157 *p_save_username = NULL;
1159 /* don't call map_username() here since it has to be done higher
1160 up the stack so we don't call it multiple times */
1162 username = talloc_strdup(mem_ctx, domuser);
1167 p = strchr_m( username, *lp_winbind_separator() );
1169 /* code for a DOMAIN\user string */
1172 pw = Get_Pwnam_alloc( mem_ctx, domuser );
1174 /* make sure we get the case of the username correct */
1175 /* work around 'winbind use default domain = yes' */
1177 if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
1180 /* split the domain and username into 2 strings */
1184 *p_save_username = talloc_asprintf(mem_ctx,
1187 *lp_winbind_separator(),
1189 if (!*p_save_username) {
1194 *p_save_username = talloc_strdup(mem_ctx, pw->pw_name);
1201 /* setup for lookup of just the username */
1202 /* remember that p and username are overlapping memory */
1205 username = talloc_strdup(mem_ctx, p);
1211 /* just lookup a plain username */
1213 pw = Get_Pwnam_alloc(mem_ctx, username);
1215 /* Create local user if requested but only if winbindd
1216 is not running. We need to protect against cases
1217 where winbindd is failing and then prematurely
1218 creating users in /etc/passwd */
1220 if ( !pw && create && !winbind_ping() ) {
1221 /* Don't add a machine account. */
1222 if (username[strlen(username)-1] == '$')
1225 _smb_create_user(NULL, username, NULL);
1226 pw = Get_Pwnam_alloc(mem_ctx, username);
1229 /* one last check for a valid passwd struct */
1232 *p_save_username = talloc_strdup(mem_ctx, pw->pw_name);
1237 /***************************************************************************
1238 Make a server_info struct from the info3 returned by a domain logon
1239 ***************************************************************************/
1241 NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
1242 const char *sent_nt_username,
1244 struct auth_serversupplied_info **server_info,
1245 struct netr_SamInfo3 *info3)
1247 static const char zeros[16] = {0, };
1249 NTSTATUS nt_status = NT_STATUS_OK;
1250 char *found_username = NULL;
1251 const char *nt_domain;
1252 const char *nt_username;
1253 struct dom_sid user_sid;
1254 struct dom_sid group_sid;
1255 bool username_was_mapped;
1257 struct auth_serversupplied_info *result;
1260 Here is where we should check the list of
1261 trusted domains, and verify that the SID
1265 if (!sid_compose(&user_sid, info3->base.domain_sid, info3->base.rid)) {
1266 return NT_STATUS_INVALID_PARAMETER;
1269 if (!sid_compose(&group_sid, info3->base.domain_sid,
1270 info3->base.primary_gid)) {
1271 return NT_STATUS_INVALID_PARAMETER;
1274 nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
1276 /* If the server didn't give us one, just use the one we sent
1278 nt_username = sent_nt_username;
1281 nt_domain = talloc_strdup(mem_ctx, info3->base.domain.string);
1283 /* If the server didn't give us one, just use the one we sent
1288 /* If getpwnam() fails try the add user script (2.2.x behavior).
1290 We use the _unmapped_ username here in an attempt to provide
1291 consistent username mapping behavior between kerberos and NTLM[SSP]
1292 authentication in domain mode security. I.E. Username mapping
1293 should be applied to the fully qualified username
1294 (e.g. DOMAIN\user) and not just the login name. Yes this means we
1295 called map_username() unnecessarily in make_user_info_map() but
1296 that is how the current code is designed. Making the change here
1297 is the least disruptive place. -- jerry */
1299 /* this call will try to create the user if necessary */
1301 nt_status = check_account(mem_ctx, nt_domain, sent_nt_username,
1302 &found_username, &pwd,
1303 &username_was_mapped);
1305 if (!NT_STATUS_IS_OK(nt_status)) {
1309 result = make_server_info(NULL);
1310 if (result == NULL) {
1311 DEBUG(4, ("make_server_info failed!\n"));
1312 return NT_STATUS_NO_MEMORY;
1315 result->unix_name = talloc_strdup(result, found_username);
1317 result->sanitized_username = sanitize_username(result,
1319 if (result->sanitized_username == NULL) {
1320 TALLOC_FREE(result);
1321 return NT_STATUS_NO_MEMORY;
1324 /* copy in the info3 */
1325 result->info3 = copy_netr_SamInfo3(result, info3);
1326 if (result->info3 == NULL) {
1327 TALLOC_FREE(result);
1328 return NT_STATUS_NO_MEMORY;
1331 /* Fill in the unix info we found on the way */
1333 result->utok.uid = pwd->pw_uid;
1334 result->utok.gid = pwd->pw_gid;
1336 /* ensure we are never given NULL session keys */
1338 if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) {
1339 result->user_session_key = data_blob_null;
1341 result->user_session_key = data_blob_talloc(
1342 result, info3->base.key.key,
1343 sizeof(info3->base.key.key));
1346 if (memcmp(info3->base.LMSessKey.key, zeros, 8) == 0) {
1347 result->lm_session_key = data_blob_null;
1349 result->lm_session_key = data_blob_talloc(
1350 result, info3->base.LMSessKey.key,
1351 sizeof(info3->base.LMSessKey.key));
1354 result->nss_token |= username_was_mapped;
1356 *server_info = result;
1358 return NT_STATUS_OK;
1361 /*****************************************************************************
1362 Make a server_info struct from the wbcAuthUserInfo returned by a domain logon
1363 ******************************************************************************/
1365 NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
1366 const char *sent_nt_username,
1368 const struct wbcAuthUserInfo *info,
1369 struct auth_serversupplied_info **server_info)
1371 struct netr_SamInfo3 *info3;
1373 info3 = wbcAuthUserInfo_to_netr_SamInfo3(mem_ctx, info);
1375 return NT_STATUS_NO_MEMORY;
1378 return make_server_info_info3(mem_ctx,
1379 sent_nt_username, domain,
1380 server_info, info3);
1384 * Verify whether or not given domain is trusted.
1386 * @param domain_name name of the domain to be verified
1387 * @return true if domain is one of the trusted ones or
1388 * false if otherwise
1391 bool is_trusted_domain(const char* dom_name)
1393 struct dom_sid trustdom_sid;
1396 /* no trusted domains for a standalone server */
1398 if ( lp_server_role() == ROLE_STANDALONE )
1401 if (dom_name == NULL || dom_name[0] == '\0') {
1405 if (strequal(dom_name, get_global_sam_name())) {
1409 /* if we are a DC, then check for a direct trust relationships */
1413 DEBUG (5,("is_trusted_domain: Checking for domain trust with "
1414 "[%s]\n", dom_name ));
1415 ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
1423 /* If winbind is around, ask it */
1425 result = wb_is_trusted_domain(dom_name);
1427 if (result == WBC_ERR_SUCCESS) {
1431 if (result == WBC_ERR_DOMAIN_NOT_FOUND) {
1432 /* winbind could not find the domain */
1436 /* The only other possible result is that winbind is not up
1437 and running. We need to update the trustdom_cache
1440 update_trustdom_cache();
1443 /* now the trustdom cache should be available a DC could still
1444 * have a transitive trust so fall back to the cache of trusted
1445 * domains (like a domain member would use */
1447 if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) {
git.samba.org / metze / samba / wip.git / blob