2 Unix SMB/CIFS implementation.
4 Winbind daemon - pam auth funcions
6 Copyright (C) Andrew Tridgell 2000
7 Copyright (C) Tim Potter 2001
8 Copyright (C) Andrew Bartlett 2001-2002
9 Copyright (C) Guenther Deschner 2005
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include "../libcli/auth/libcli_auth.h"
28 #include "../librpc/gen_ndr/cli_samr.h"
29 #include "rpc_client/cli_samr.h"
30 #include "../librpc/gen_ndr/ndr_netlogon.h"
31 #include "rpc_client/cli_netlogon.h"
33 #include "../lib/crypto/arcfour.h"
34 #include "../libcli/security/dom_sid.h"
36 #include "../librpc/gen_ndr/krb5pac.h"
39 #define DBGC_CLASS DBGC_WINBIND
41 #define LOGON_KRB5_FAIL_CLOCK_SKEW 0x02000000
43 static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx,
44 struct winbindd_cli_state *state,
45 struct netr_SamInfo3 *info3)
50 state->response->data.auth.info3.logon_time =
51 nt_time_to_unix(info3->base.last_logon);
52 state->response->data.auth.info3.logoff_time =
53 nt_time_to_unix(info3->base.last_logoff);
54 state->response->data.auth.info3.kickoff_time =
55 nt_time_to_unix(info3->base.acct_expiry);
56 state->response->data.auth.info3.pass_last_set_time =
57 nt_time_to_unix(info3->base.last_password_change);
58 state->response->data.auth.info3.pass_can_change_time =
59 nt_time_to_unix(info3->base.allow_password_change);
60 state->response->data.auth.info3.pass_must_change_time =
61 nt_time_to_unix(info3->base.force_password_change);
63 state->response->data.auth.info3.logon_count = info3->base.logon_count;
64 state->response->data.auth.info3.bad_pw_count = info3->base.bad_password_count;
66 state->response->data.auth.info3.user_rid = info3->base.rid;
67 state->response->data.auth.info3.group_rid = info3->base.primary_gid;
68 sid_to_fstring(state->response->data.auth.info3.dom_sid, info3->base.domain_sid);
70 state->response->data.auth.info3.num_groups = info3->base.groups.count;
71 state->response->data.auth.info3.user_flgs = info3->base.user_flags;
73 state->response->data.auth.info3.acct_flags = info3->base.acct_flags;
74 state->response->data.auth.info3.num_other_sids = info3->sidcount;
76 fstrcpy(state->response->data.auth.info3.user_name,
77 info3->base.account_name.string);
78 fstrcpy(state->response->data.auth.info3.full_name,
79 info3->base.full_name.string);
80 fstrcpy(state->response->data.auth.info3.logon_script,
81 info3->base.logon_script.string);
82 fstrcpy(state->response->data.auth.info3.profile_path,
83 info3->base.profile_path.string);
84 fstrcpy(state->response->data.auth.info3.home_dir,
85 info3->base.home_directory.string);
86 fstrcpy(state->response->data.auth.info3.dir_drive,
87 info3->base.home_drive.string);
89 fstrcpy(state->response->data.auth.info3.logon_srv,
90 info3->base.logon_server.string);
91 fstrcpy(state->response->data.auth.info3.logon_dom,
92 info3->base.domain.string);
94 ex = talloc_strdup(state->mem_ctx, "");
95 NT_STATUS_HAVE_NO_MEMORY(ex);
97 for (i=0; i < info3->base.groups.count; i++) {
98 ex = talloc_asprintf_append_buffer(ex, "0x%08X:0x%08X\n",
99 info3->base.groups.rids[i].rid,
100 info3->base.groups.rids[i].attributes);
101 NT_STATUS_HAVE_NO_MEMORY(ex);
104 for (i=0; i < info3->sidcount; i++) {
107 sid = dom_sid_string(mem_ctx, info3->sids[i].sid);
108 NT_STATUS_HAVE_NO_MEMORY(sid);
110 ex = talloc_asprintf_append_buffer(ex, "%s:0x%08X\n",
112 info3->sids[i].attributes);
113 NT_STATUS_HAVE_NO_MEMORY(ex);
118 state->response->extra_data.data = ex;
119 state->response->length += talloc_get_size(ex);
124 static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx,
125 struct winbindd_cli_state *state,
126 struct netr_SamInfo3 *info3)
129 enum ndr_err_code ndr_err;
131 ndr_err = ndr_push_struct_blob(&blob, mem_ctx, info3,
132 (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3);
133 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
134 DEBUG(0,("append_info3_as_ndr: failed to append\n"));
135 return ndr_map_error2ntstatus(ndr_err);
138 state->response->extra_data.data = blob.data;
139 state->response->length += blob.length;
144 static NTSTATUS append_unix_username(TALLOC_CTX *mem_ctx,
145 struct winbindd_cli_state *state,
146 const struct netr_SamInfo3 *info3,
147 const char *name_domain,
148 const char *name_user)
150 /* We've been asked to return the unix username, per
151 'winbind use default domain' settings and the like */
153 const char *nt_username, *nt_domain;
155 nt_domain = talloc_strdup(mem_ctx, info3->base.domain.string);
157 /* If the server didn't give us one, just use the one
159 nt_domain = name_domain;
162 nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
164 /* If the server didn't give us one, just use the one
166 nt_username = name_user;
169 fill_domain_username(state->response->data.auth.unix_username,
170 nt_domain, nt_username, true);
172 DEBUG(5,("Setting unix username to [%s]\n",
173 state->response->data.auth.unix_username));
178 static NTSTATUS append_afs_token(TALLOC_CTX *mem_ctx,
179 struct winbindd_cli_state *state,
180 const struct netr_SamInfo3 *info3,
181 const char *name_domain,
182 const char *name_user)
184 char *afsname = NULL;
188 afsname = talloc_strdup(mem_ctx, lp_afs_username_map());
189 if (afsname == NULL) {
190 return NT_STATUS_NO_MEMORY;
193 afsname = talloc_string_sub(mem_ctx,
194 lp_afs_username_map(),
196 afsname = talloc_string_sub(mem_ctx, afsname,
198 afsname = talloc_string_sub(mem_ctx, afsname,
202 struct dom_sid user_sid;
205 sid_compose(&user_sid, info3->base.domain_sid,
207 sid_to_fstring(sidstr, &user_sid);
208 afsname = talloc_string_sub(mem_ctx, afsname,
212 if (afsname == NULL) {
213 return NT_STATUS_NO_MEMORY;
218 DEBUG(10, ("Generating token for user %s\n", afsname));
220 cell = strchr(afsname, '@');
223 return NT_STATUS_NO_MEMORY;
229 token = afs_createtoken_str(afsname, cell);
233 state->response->extra_data.data = talloc_strdup(state->mem_ctx,
235 if (state->response->extra_data.data == NULL) {
236 return NT_STATUS_NO_MEMORY;
238 state->response->length +=
239 strlen((const char *)state->response->extra_data.data)+1;
244 static NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
245 const char *group_sid)
247 * Check whether a user belongs to a group or list of groups.
249 * @param mem_ctx talloc memory context.
250 * @param info3 user information, including group membership info.
251 * @param group_sid One or more groups , separated by commas.
253 * @return NT_STATUS_OK on success,
254 * NT_STATUS_LOGON_FAILURE if the user does not belong,
255 * or other NT_STATUS_IS_ERR(status) for other kinds of failure.
258 struct dom_sid *require_membership_of_sid;
259 size_t num_require_membership_of_sid;
264 struct nt_user_token *token;
265 TALLOC_CTX *frame = talloc_stackframe();
268 /* Parse the 'required group' SID */
270 if (!group_sid || !group_sid[0]) {
271 /* NO sid supplied, all users may access */
275 token = talloc_zero(talloc_tos(), struct nt_user_token);
277 DEBUG(0, ("talloc failed\n"));
279 return NT_STATUS_NO_MEMORY;
282 num_require_membership_of_sid = 0;
283 require_membership_of_sid = NULL;
287 while (next_token_talloc(talloc_tos(), &p, &req_sid, ",")) {
288 if (!string_to_sid(&sid, req_sid)) {
289 DEBUG(0, ("check_info3_in_group: could not parse %s "
290 "as a SID!", req_sid));
292 return NT_STATUS_INVALID_PARAMETER;
295 status = add_sid_to_array(talloc_tos(), &sid,
296 &require_membership_of_sid,
297 &num_require_membership_of_sid);
298 if (!NT_STATUS_IS_OK(status)) {
299 DEBUG(0, ("add_sid_to_array failed\n"));
305 status = sid_array_from_info3(talloc_tos(), info3,
309 if (!NT_STATUS_IS_OK(status)) {
314 if (!NT_STATUS_IS_OK(status = add_aliases(get_global_sam_sid(),
316 || !NT_STATUS_IS_OK(status = add_aliases(&global_sid_Builtin,
318 DEBUG(3, ("could not add aliases: %s\n",
324 debug_nt_user_token(DBGC_CLASS, 10, token);
326 for (i=0; i<num_require_membership_of_sid; i++) {
327 DEBUG(10, ("Checking SID %s\n", sid_string_dbg(
328 &require_membership_of_sid[i])));
329 if (nt_token_check_sid(&require_membership_of_sid[i],
331 DEBUG(10, ("Access ok\n"));
337 /* Do not distinguish this error from a wrong username/pw */
340 return NT_STATUS_LOGON_FAILURE;
343 struct winbindd_domain *find_auth_domain(uint8_t flags,
344 const char *domain_name)
346 struct winbindd_domain *domain;
349 domain = find_domain_from_name_noinit(domain_name);
350 if (domain == NULL) {
351 DEBUG(3, ("Authentication for domain [%s] refused "
352 "as it is not a trusted domain\n",
358 if (strequal(domain_name, get_global_sam_name())) {
359 return find_domain_from_name_noinit(domain_name);
362 /* we can auth against trusted domains */
363 if (flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
364 domain = find_domain_from_name_noinit(domain_name);
365 if (domain == NULL) {
366 DEBUG(3, ("Authentication for domain [%s] skipped "
367 "as it is not a trusted domain\n",
374 return find_our_domain();
377 static void fill_in_password_policy(struct winbindd_response *r,
378 const struct samr_DomInfo1 *p)
380 r->data.auth.policy.min_length_password =
381 p->min_password_length;
382 r->data.auth.policy.password_history =
383 p->password_history_length;
384 r->data.auth.policy.password_properties =
385 p->password_properties;
386 r->data.auth.policy.expire =
387 nt_time_to_unix_abs((NTTIME *)&(p->max_password_age));
388 r->data.auth.policy.min_passwordage =
389 nt_time_to_unix_abs((NTTIME *)&(p->min_password_age));
392 static NTSTATUS fillup_password_policy(struct winbindd_domain *domain,
393 struct winbindd_cli_state *state)
395 struct winbindd_methods *methods;
396 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
397 struct samr_DomInfo1 password_policy;
399 if ( !winbindd_can_contact_domain( domain ) ) {
400 DEBUG(5,("fillup_password_policy: No inbound trust to "
401 "contact domain %s\n", domain->name));
402 return NT_STATUS_NOT_SUPPORTED;
405 methods = domain->methods;
407 status = methods->password_policy(domain, state->mem_ctx, &password_policy);
408 if (NT_STATUS_IS_ERR(status)) {
412 fill_in_password_policy(state->response, &password_policy);
417 static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain *domain,
419 uint16 *lockout_threshold)
421 struct winbindd_methods *methods;
422 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
423 struct samr_DomInfo12 lockout_policy;
425 *lockout_threshold = 0;
427 methods = domain->methods;
429 status = methods->lockout_policy(domain, mem_ctx, &lockout_policy);
430 if (NT_STATUS_IS_ERR(status)) {
434 *lockout_threshold = lockout_policy.lockout_threshold;
439 static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
441 uint32 *password_properties)
443 struct winbindd_methods *methods;
444 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
445 struct samr_DomInfo1 password_policy;
447 *password_properties = 0;
449 methods = domain->methods;
451 status = methods->password_policy(domain, mem_ctx, &password_policy);
452 if (NT_STATUS_IS_ERR(status)) {
456 *password_properties = password_policy.password_properties;
463 static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
466 bool *internal_ccache)
468 /* accept FILE and WRFILE as krb5_cc_type from the client and then
469 * build the full ccname string based on the user's uid here -
472 const char *gen_cc = NULL;
474 *internal_ccache = true;
480 if (!type || type[0] == '\0') {
484 if (strequal(type, "FILE")) {
485 gen_cc = talloc_asprintf(mem_ctx, "FILE:/tmp/krb5cc_%d", uid);
486 } else if (strequal(type, "WRFILE")) {
487 gen_cc = talloc_asprintf(mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
489 DEBUG(10,("we don't allow to set a %s type ccache\n", type));
493 *internal_ccache = false;
497 gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbindd_pam_ccache");
500 if (gen_cc == NULL) {
501 DEBUG(0,("out of memory\n"));
505 DEBUG(10,("using ccache: %s %s\n", gen_cc, *internal_ccache ? "(internal)":""));
510 static void setup_return_cc_name(struct winbindd_cli_state *state, const char *cc)
512 const char *type = state->request->data.auth.krb5_cc_type;
514 state->response->data.auth.krb5ccname[0] = '\0';
516 if (type[0] == '\0') {
520 if (!strequal(type, "FILE") &&
521 !strequal(type, "WRFILE")) {
522 DEBUG(10,("won't return krbccname for a %s type ccache\n",
527 fstrcpy(state->response->data.auth.krb5ccname, cc);
532 uid_t get_uid_from_request(struct winbindd_request *request)
536 uid = request->data.auth.uid;
539 DEBUG(1,("invalid uid: '%u'\n", (unsigned int)uid));
545 static uid_t get_uid_from_state(struct winbindd_cli_state *state)
547 return get_uid_from_request(state->request);
550 /**********************************************************************
551 Authenticate a user with a clear text password using Kerberos and fill up
553 **********************************************************************/
555 static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
556 struct winbindd_cli_state *state,
557 struct netr_SamInfo3 **info3)
560 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
561 krb5_error_code krb5_ret;
562 const char *cc = NULL;
563 const char *principal_s = NULL;
564 const char *service = NULL;
566 fstring name_domain, name_user;
567 time_t ticket_lifetime = 0;
568 time_t renewal_until = 0;
571 time_t time_offset = 0;
572 bool internal_ccache = true;
573 struct PAC_LOGON_INFO *logon_info = NULL;
578 * prepare a krb5_cc_cache string for the user */
580 uid = get_uid_from_state(state);
582 DEBUG(0,("no valid uid\n"));
585 cc = generate_krb5_ccache(state->mem_ctx,
586 state->request->data.auth.krb5_cc_type,
587 state->request->data.auth.uid,
590 return NT_STATUS_NO_MEMORY;
595 * get kerberos properties */
597 if (domain->private_data) {
598 ads = (ADS_STRUCT *)domain->private_data;
599 time_offset = ads->auth.time_offset;
604 * do kerberos auth and setup ccache as the user */
606 parse_domain_user(state->request->data.auth.user, name_domain, name_user);
608 realm = domain->alt_name;
611 principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
612 if (principal_s == NULL) {
613 return NT_STATUS_NO_MEMORY;
616 service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
617 if (service == NULL) {
618 return NT_STATUS_NO_MEMORY;
621 /* if this is a user ccache, we need to act as the user to let the krb5
622 * library handle the chown, etc. */
624 /************************ ENTERING NON-ROOT **********************/
626 if (!internal_ccache) {
627 set_effective_uid(uid);
628 DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
631 result = kerberos_return_pac(state->mem_ctx,
633 state->request->data.auth.pass,
640 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
643 if (!internal_ccache) {
644 gain_root_privilege();
647 /************************ RETURNED TO ROOT **********************/
649 if (!NT_STATUS_IS_OK(result)) {
653 *info3 = &logon_info->info3;
655 DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
658 /* if we had a user's ccache then return that string for the pam
661 if (!internal_ccache) {
663 setup_return_cc_name(state, cc);
665 result = add_ccache_to_list(principal_s,
668 state->request->data.auth.user,
676 if (!NT_STATUS_IS_OK(result)) {
677 DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
682 /* need to delete the memory cred cache, it is not used anymore */
684 krb5_ret = ads_kdestroy(cc);
686 DEBUG(3,("winbindd_raw_kerberos_login: "
687 "could not destroy krb5 credential cache: "
688 "%s\n", error_message(krb5_ret)));
697 /* we could have created a new credential cache with a valid tgt in it
698 * but we werent able to get or verify the service ticket for this
699 * local host and therefor didn't get the PAC, we need to remove that
700 * cache entirely now */
702 krb5_ret = ads_kdestroy(cc);
704 DEBUG(3,("winbindd_raw_kerberos_login: "
705 "could not destroy krb5 credential cache: "
706 "%s\n", error_message(krb5_ret)));
709 if (!NT_STATUS_IS_OK(remove_ccache(state->request->data.auth.user))) {
710 DEBUG(3,("winbindd_raw_kerberos_login: "
711 "could not remove ccache for user %s\n",
712 state->request->data.auth.user));
717 return NT_STATUS_NOT_SUPPORTED;
718 #endif /* HAVE_KRB5 */
721 /****************************************************************
722 ****************************************************************/
724 bool check_request_flags(uint32_t flags)
726 uint32_t flags_edata = WBFLAG_PAM_AFS_TOKEN |
727 WBFLAG_PAM_INFO3_TEXT |
728 WBFLAG_PAM_INFO3_NDR;
730 if ( ( (flags & flags_edata) == WBFLAG_PAM_AFS_TOKEN) ||
731 ( (flags & flags_edata) == WBFLAG_PAM_INFO3_NDR) ||
732 ( (flags & flags_edata) == WBFLAG_PAM_INFO3_TEXT)||
733 !(flags & flags_edata) ) {
737 DEBUG(1, ("check_request_flags: invalid request flags[0x%08X]\n",
743 /****************************************************************
744 ****************************************************************/
746 static NTSTATUS append_auth_data(struct winbindd_cli_state *state,
747 struct netr_SamInfo3 *info3,
748 const char *name_domain,
749 const char *name_user)
752 uint32_t flags = state->request->flags;
754 if (flags & WBFLAG_PAM_USER_SESSION_KEY) {
755 memcpy(state->response->data.auth.user_session_key,
757 sizeof(state->response->data.auth.user_session_key)
761 if (flags & WBFLAG_PAM_LMKEY) {
762 memcpy(state->response->data.auth.first_8_lm_hash,
763 info3->base.LMSessKey.key,
764 sizeof(state->response->data.auth.first_8_lm_hash)
768 if (flags & WBFLAG_PAM_UNIX_NAME) {
769 result = append_unix_username(state->mem_ctx, state, info3,
770 name_domain, name_user);
771 if (!NT_STATUS_IS_OK(result)) {
772 DEBUG(10,("Failed to append Unix Username: %s\n",
778 /* currently, anything from here on potentially overwrites extra_data. */
780 if (flags & WBFLAG_PAM_INFO3_NDR) {
781 result = append_info3_as_ndr(state->mem_ctx, state, info3);
782 if (!NT_STATUS_IS_OK(result)) {
783 DEBUG(10,("Failed to append INFO3 (NDR): %s\n",
789 if (flags & WBFLAG_PAM_INFO3_TEXT) {
790 result = append_info3_as_txt(state->mem_ctx, state, info3);
791 if (!NT_STATUS_IS_OK(result)) {
792 DEBUG(10,("Failed to append INFO3 (TXT): %s\n",
798 if (flags & WBFLAG_PAM_AFS_TOKEN) {
799 result = append_afs_token(state->mem_ctx, state, info3,
800 name_domain, name_user);
801 if (!NT_STATUS_IS_OK(result)) {
802 DEBUG(10,("Failed to append AFS token: %s\n",
811 static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
812 struct winbindd_cli_state *state,
813 struct netr_SamInfo3 **info3)
815 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
816 uint16 max_allowed_bad_attempts;
817 fstring name_domain, name_user;
819 enum lsa_SidType type;
820 uchar new_nt_pass[NT_HASH_LEN];
821 const uint8 *cached_nt_pass;
822 const uint8 *cached_salt;
823 struct netr_SamInfo3 *my_info3;
824 time_t kickoff_time, must_change_time;
825 bool password_good = false;
827 struct winbindd_tdc_domain *tdc_domain = NULL;
834 DEBUG(10,("winbindd_dual_pam_auth_cached\n"));
836 /* Parse domain and username */
838 parse_domain_user(state->request->data.auth.user, name_domain, name_user);
841 if (!lookup_cached_name(state->mem_ctx,
846 DEBUG(10,("winbindd_dual_pam_auth_cached: no such user in the cache\n"));
847 return NT_STATUS_NO_SUCH_USER;
850 if (type != SID_NAME_USER) {
851 DEBUG(10,("winbindd_dual_pam_auth_cached: not a user (%s)\n", sid_type_lookup(type)));
852 return NT_STATUS_LOGON_FAILURE;
855 result = winbindd_get_creds(domain,
861 if (!NT_STATUS_IS_OK(result)) {
862 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get creds: %s\n", nt_errstr(result)));
868 E_md4hash(state->request->data.auth.pass, new_nt_pass);
870 dump_data_pw("new_nt_pass", new_nt_pass, NT_HASH_LEN);
871 dump_data_pw("cached_nt_pass", cached_nt_pass, NT_HASH_LEN);
873 dump_data_pw("cached_salt", cached_salt, NT_HASH_LEN);
877 /* In this case we didn't store the nt_hash itself,
878 but the MD5 combination of salt + nt_hash. */
879 uchar salted_hash[NT_HASH_LEN];
880 E_md5hash(cached_salt, new_nt_pass, salted_hash);
882 password_good = (memcmp(cached_nt_pass, salted_hash,
885 /* Old cached cred - direct store of nt_hash (bad bad bad !). */
886 password_good = (memcmp(cached_nt_pass, new_nt_pass,
892 /* User *DOES* know the password, update logon_time and reset
895 my_info3->base.user_flags |= NETLOGON_CACHED_ACCOUNT;
897 if (my_info3->base.acct_flags & ACB_AUTOLOCK) {
898 return NT_STATUS_ACCOUNT_LOCKED_OUT;
901 if (my_info3->base.acct_flags & ACB_DISABLED) {
902 return NT_STATUS_ACCOUNT_DISABLED;
905 if (my_info3->base.acct_flags & ACB_WSTRUST) {
906 return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
909 if (my_info3->base.acct_flags & ACB_SVRTRUST) {
910 return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
913 if (my_info3->base.acct_flags & ACB_DOMTRUST) {
914 return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
917 if (!(my_info3->base.acct_flags & ACB_NORMAL)) {
918 DEBUG(0,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
919 my_info3->base.acct_flags));
920 return NT_STATUS_LOGON_FAILURE;
923 kickoff_time = nt_time_to_unix(my_info3->base.acct_expiry);
924 if (kickoff_time != 0 && time(NULL) > kickoff_time) {
925 return NT_STATUS_ACCOUNT_EXPIRED;
928 must_change_time = nt_time_to_unix(my_info3->base.force_password_change);
929 if (must_change_time != 0 && must_change_time < time(NULL)) {
930 /* we allow grace logons when the password has expired */
931 my_info3->base.user_flags |= NETLOGON_GRACE_LOGON;
932 /* return NT_STATUS_PASSWORD_EXPIRED; */
937 if ((state->request->flags & WBFLAG_PAM_KRB5) &&
938 ((tdc_domain = wcache_tdc_fetch_domain(state->mem_ctx, name_domain)) != NULL) &&
939 ((tdc_domain->trust_type & NETR_TRUST_TYPE_UPLEVEL) ||
940 /* used to cope with the case winbindd starting without network. */
941 !strequal(tdc_domain->domain_name, tdc_domain->dns_name))) {
944 const char *cc = NULL;
946 const char *principal_s = NULL;
947 const char *service = NULL;
948 bool internal_ccache = false;
950 uid = get_uid_from_state(state);
952 DEBUG(0,("winbindd_dual_pam_auth_cached: invalid uid\n"));
953 return NT_STATUS_INVALID_PARAMETER;
956 cc = generate_krb5_ccache(state->mem_ctx,
957 state->request->data.auth.krb5_cc_type,
958 state->request->data.auth.uid,
961 return NT_STATUS_NO_MEMORY;
964 realm = domain->alt_name;
967 principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
968 if (principal_s == NULL) {
969 return NT_STATUS_NO_MEMORY;
972 service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
973 if (service == NULL) {
974 return NT_STATUS_NO_MEMORY;
977 if (!internal_ccache) {
979 setup_return_cc_name(state, cc);
981 result = add_ccache_to_list(principal_s,
984 state->request->data.auth.user,
988 time(NULL) + lp_winbind_cache_time(),
989 time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
992 if (!NT_STATUS_IS_OK(result)) {
993 DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
994 "to add ccache to list: %s\n",
999 #endif /* HAVE_KRB5 */
1001 /* FIXME: we possibly should handle logon hours as well (does xp when
1002 * offline?) see auth/auth_sam.c:sam_account_ok for details */
1004 unix_to_nt_time(&my_info3->base.last_logon, time(NULL));
1005 my_info3->base.bad_password_count = 0;
1007 result = winbindd_update_creds_by_info3(domain,
1009 state->request->data.auth.user,
1010 state->request->data.auth.pass,
1012 if (!NT_STATUS_IS_OK(result)) {
1013 DEBUG(1,("winbindd_dual_pam_auth_cached: failed to update creds: %s\n",
1014 nt_errstr(result)));
1018 return NT_STATUS_OK;
1022 /* User does *NOT* know the correct password, modify info3 accordingly */
1024 /* failure of this is not critical */
1025 result = get_max_bad_attempts_from_lockout_policy(domain, state->mem_ctx, &max_allowed_bad_attempts);
1026 if (!NT_STATUS_IS_OK(result)) {
1027 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get max_allowed_bad_attempts. "
1028 "Won't be able to honour account lockout policies\n"));
1031 /* increase counter */
1032 my_info3->base.bad_password_count++;
1034 if (max_allowed_bad_attempts == 0) {
1039 if (my_info3->base.bad_password_count >= max_allowed_bad_attempts) {
1041 uint32 password_properties;
1043 result = get_pwd_properties(domain, state->mem_ctx, &password_properties);
1044 if (!NT_STATUS_IS_OK(result)) {
1045 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
1048 if ((my_info3->base.rid != DOMAIN_RID_ADMINISTRATOR) ||
1049 (password_properties & DOMAIN_PASSWORD_LOCKOUT_ADMINS)) {
1050 my_info3->base.acct_flags |= ACB_AUTOLOCK;
1055 result = winbindd_update_creds_by_info3(domain,
1057 state->request->data.auth.user,
1061 if (!NT_STATUS_IS_OK(result)) {
1062 DEBUG(0,("winbindd_dual_pam_auth_cached: failed to update creds %s\n",
1063 nt_errstr(result)));
1066 return NT_STATUS_LOGON_FAILURE;
1069 static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
1070 struct winbindd_cli_state *state,
1071 struct netr_SamInfo3 **info3)
1073 struct winbindd_domain *contact_domain;
1074 fstring name_domain, name_user;
1077 DEBUG(10,("winbindd_dual_pam_auth_kerberos\n"));
1079 /* Parse domain and username */
1081 parse_domain_user(state->request->data.auth.user, name_domain, name_user);
1083 /* what domain should we contact? */
1086 if (!(contact_domain = find_domain_from_name(name_domain))) {
1087 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1088 state->request->data.auth.user, name_domain, name_user, name_domain));
1089 result = NT_STATUS_NO_SUCH_USER;
1094 if (is_myname(name_domain)) {
1095 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1096 result = NT_STATUS_NO_SUCH_USER;
1100 contact_domain = find_domain_from_name(name_domain);
1101 if (contact_domain == NULL) {
1102 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1103 state->request->data.auth.user, name_domain, name_user, name_domain));
1105 contact_domain = find_our_domain();
1109 if (contact_domain->initialized &&
1110 contact_domain->active_directory) {
1114 if (!contact_domain->initialized) {
1115 init_dc_connection(contact_domain);
1118 if (!contact_domain->active_directory) {
1119 DEBUG(3,("krb5 auth requested but domain is not Active Directory\n"));
1120 return NT_STATUS_INVALID_LOGON_TYPE;
1123 result = winbindd_raw_kerberos_login(contact_domain, state, info3);
1128 static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
1129 const char *domain, const char *user,
1130 const DATA_BLOB *challenge,
1131 const DATA_BLOB *lm_resp,
1132 const DATA_BLOB *nt_resp,
1133 struct netr_SamInfo3 **pinfo3)
1135 struct auth_usersupplied_info *user_info = NULL;
1136 struct auth_serversupplied_info *server_info = NULL;
1137 struct netr_SamInfo3 *info3;
1140 status = make_user_info(&user_info, user, user, domain, domain,
1141 global_myname(), lm_resp, nt_resp, NULL, NULL,
1143 if (!NT_STATUS_IS_OK(status)) {
1144 DEBUG(10, ("make_user_info failed: %s\n", nt_errstr(status)));
1148 status = check_sam_security(challenge, talloc_tos(), user_info,
1150 free_user_info(&user_info);
1152 if (!NT_STATUS_IS_OK(status)) {
1153 DEBUG(10, ("check_ntlm_password failed: %s\n",
1154 nt_errstr(status)));
1158 info3 = TALLOC_ZERO_P(mem_ctx, struct netr_SamInfo3);
1159 if (info3 == NULL) {
1160 return NT_STATUS_NO_MEMORY;
1163 status = serverinfo_to_SamInfo3(server_info, NULL, 0, info3);
1164 if (!NT_STATUS_IS_OK(status)) {
1165 DEBUG(10, ("serverinfo_to_SamInfo3 failed: %s\n",
1166 nt_errstr(status)));
1170 DEBUG(10, ("Authenticated user %s\\%s successfully\n", domain, user));
1172 return NT_STATUS_OK;
1175 typedef NTSTATUS (*netlogon_fn_t)(struct rpc_pipe_client *cli,
1176 TALLOC_CTX *mem_ctx,
1177 uint32 logon_parameters,
1179 const char *username,
1181 const char *workstation,
1182 const uint8 chal[8],
1183 DATA_BLOB lm_response,
1184 DATA_BLOB nt_response,
1185 struct netr_SamInfo3 **info3);
1187 static NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
1188 struct winbindd_cli_state *state,
1189 struct netr_SamInfo3 **info3)
1192 struct rpc_pipe_client *netlogon_pipe;
1197 unsigned char local_lm_response[24];
1198 unsigned char local_nt_response[24];
1199 fstring name_domain, name_user;
1202 struct netr_SamInfo3 *my_info3 = NULL;
1206 DEBUG(10,("winbindd_dual_pam_auth_samlogon\n"));
1208 /* Parse domain and username */
1210 parse_domain_user(state->request->data.auth.user, name_domain, name_user);
1212 /* do password magic */
1214 generate_random_buffer(chal, sizeof(chal));
1216 if (lp_client_ntlmv2_auth()) {
1217 DATA_BLOB server_chal;
1218 DATA_BLOB names_blob;
1219 DATA_BLOB nt_response;
1220 DATA_BLOB lm_response;
1221 server_chal = data_blob_talloc(state->mem_ctx, chal, 8);
1223 /* note that the 'workgroup' here is a best guess - we don't know
1224 the server's domain at this point. The 'server name' is also
1227 names_blob = NTLMv2_generate_names_blob(state->mem_ctx, global_myname(), lp_workgroup());
1229 if (!SMBNTLMv2encrypt(NULL, name_user, name_domain,
1230 state->request->data.auth.pass,
1233 &lm_response, &nt_response, NULL, NULL)) {
1234 data_blob_free(&names_blob);
1235 data_blob_free(&server_chal);
1236 DEBUG(0, ("winbindd_pam_auth: SMBNTLMv2encrypt() failed!\n"));
1237 result = NT_STATUS_NO_MEMORY;
1240 data_blob_free(&names_blob);
1241 data_blob_free(&server_chal);
1242 lm_resp = data_blob_talloc(state->mem_ctx, lm_response.data,
1243 lm_response.length);
1244 nt_resp = data_blob_talloc(state->mem_ctx, nt_response.data,
1245 nt_response.length);
1246 data_blob_free(&lm_response);
1247 data_blob_free(&nt_response);
1250 if (lp_client_lanman_auth()
1251 && SMBencrypt(state->request->data.auth.pass,
1253 local_lm_response)) {
1254 lm_resp = data_blob_talloc(state->mem_ctx,
1256 sizeof(local_lm_response));
1258 lm_resp = data_blob_null;
1260 SMBNTencrypt(state->request->data.auth.pass,
1264 nt_resp = data_blob_talloc(state->mem_ctx,
1266 sizeof(local_nt_response));
1269 if (strequal(name_domain, get_global_sam_name())) {
1270 DATA_BLOB chal_blob = data_blob_const(chal, sizeof(chal));
1272 result = winbindd_dual_auth_passdb(
1273 state->mem_ctx, name_domain, name_user,
1274 &chal_blob, &lm_resp, &nt_resp, info3);
1278 /* check authentication loop */
1281 netlogon_fn_t logon_fn;
1283 ZERO_STRUCTP(my_info3);
1286 result = cm_connect_netlogon(domain, &netlogon_pipe);
1288 if (!NT_STATUS_IS_OK(result)) {
1289 DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
1293 /* It is really important to try SamLogonEx here,
1294 * because in a clustered environment, we want to use
1295 * one machine account from multiple physical
1298 * With a normal SamLogon call, we must keep the
1299 * credentials chain updated and intact between all
1300 * users of the machine account (which would imply
1301 * cross-node communication for every NTLM logon).
1303 * (The credentials chain is not per NETLOGON pipe
1304 * connection, but globally on the server/client pair
1307 * When using SamLogonEx, the credentials are not
1308 * supplied, but the session key is implied by the
1309 * wrapping SamLogon context.
1311 * -- abartlet 21 April 2008
1314 logon_fn = domain->can_do_samlogon_ex
1315 ? rpccli_netlogon_sam_network_logon_ex
1316 : rpccli_netlogon_sam_network_logon;
1318 result = logon_fn(netlogon_pipe,
1321 domain->dcname, /* server name */
1322 name_user, /* user name */
1323 name_domain, /* target domain */
1324 global_myname(), /* workstation */
1331 if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR)
1332 && domain->can_do_samlogon_ex) {
1333 DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
1334 "retrying with NetSamLogon\n"));
1335 domain->can_do_samlogon_ex = false;
1340 /* We have to try a second time as cm_connect_netlogon
1341 might not yet have noticed that the DC has killed
1344 if (!rpccli_is_connected(netlogon_pipe)) {
1349 /* if we get access denied, a possible cause was that we had
1350 and open connection to the DC, but someone changed our
1351 machine account password out from underneath us using 'net
1352 rpc changetrustpw' */
1354 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1355 DEBUG(3,("winbindd_pam_auth: sam_logon returned "
1356 "ACCESS_DENIED. Maybe the trust account "
1357 "password was changed and we didn't know it. "
1358 "Killing connections to domain %s\n",
1360 invalidate_cm_connection(&domain->conn);
1364 } while ( (attempts < 2) && retry );
1366 /* handle the case where a NT4 DC does not fill in the acct_flags in
1367 * the samlogon reply info3. When accurate info3 is required by the
1368 * caller, we look up the account flags ourselve - gd */
1370 if ((state->request->flags & WBFLAG_PAM_INFO3_TEXT) &&
1371 NT_STATUS_IS_OK(result) && (my_info3->base.acct_flags == 0)) {
1373 struct rpc_pipe_client *samr_pipe;
1374 struct policy_handle samr_domain_handle, user_pol;
1375 union samr_UserInfo *info = NULL;
1376 NTSTATUS status_tmp;
1379 status_tmp = cm_connect_sam(domain, state->mem_ctx,
1380 &samr_pipe, &samr_domain_handle);
1382 if (!NT_STATUS_IS_OK(status_tmp)) {
1383 DEBUG(3, ("could not open handle to SAMR pipe: %s\n",
1384 nt_errstr(status_tmp)));
1388 status_tmp = rpccli_samr_OpenUser(samr_pipe, state->mem_ctx,
1389 &samr_domain_handle,
1390 MAXIMUM_ALLOWED_ACCESS,
1394 if (!NT_STATUS_IS_OK(status_tmp)) {
1395 DEBUG(3, ("could not open user handle on SAMR pipe: %s\n",
1396 nt_errstr(status_tmp)));
1400 status_tmp = rpccli_samr_QueryUserInfo(samr_pipe, state->mem_ctx,
1405 if (!NT_STATUS_IS_OK(status_tmp)) {
1406 DEBUG(3, ("could not query user info on SAMR pipe: %s\n",
1407 nt_errstr(status_tmp)));
1408 rpccli_samr_Close(samr_pipe, state->mem_ctx, &user_pol);
1412 acct_flags = info->info16.acct_flags;
1414 if (acct_flags == 0) {
1415 rpccli_samr_Close(samr_pipe, state->mem_ctx, &user_pol);
1419 my_info3->base.acct_flags = acct_flags;
1421 DEBUG(10,("successfully retrieved acct_flags 0x%x\n", acct_flags));
1423 rpccli_samr_Close(samr_pipe, state->mem_ctx, &user_pol);
1431 enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
1432 struct winbindd_cli_state *state)
1434 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
1435 NTSTATUS krb5_result = NT_STATUS_OK;
1436 fstring name_domain, name_user;
1438 fstring domain_user;
1439 struct netr_SamInfo3 *info3 = NULL;
1440 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
1442 /* Ensure null termination */
1443 state->request->data.auth.user[sizeof(state->request->data.auth.user)-1]='\0';
1445 /* Ensure null termination */
1446 state->request->data.auth.pass[sizeof(state->request->data.auth.pass)-1]='\0';
1448 DEBUG(3, ("[%5lu]: dual pam auth %s\n", (unsigned long)state->pid,
1449 state->request->data.auth.user));
1451 if (!check_request_flags(state->request->flags)) {
1452 result = NT_STATUS_INVALID_PARAMETER_MIX;
1456 /* Parse domain and username */
1458 name_map_status = normalize_name_unmap(state->mem_ctx,
1459 state->request->data.auth.user,
1462 /* If the name normalization didnt' actually do anything,
1463 just use the original name */
1465 if (!NT_STATUS_IS_OK(name_map_status) &&
1466 !NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
1468 mapped_user = state->request->data.auth.user;
1471 parse_domain_user(mapped_user, name_domain, name_user);
1473 if ( mapped_user != state->request->data.auth.user ) {
1474 fstr_sprintf( domain_user, "%s%c%s", name_domain,
1475 *lp_winbind_separator(),
1477 safe_strcpy( state->request->data.auth.user, domain_user,
1478 sizeof(state->request->data.auth.user)-1 );
1481 if (domain->online == false) {
1482 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1483 if (domain->startup) {
1484 /* Logons are very important to users. If we're offline and
1485 we get a request within the first 30 seconds of startup,
1486 try very hard to find a DC and go online. */
1488 DEBUG(10,("winbindd_dual_pam_auth: domain: %s offline and auth "
1489 "request in startup mode.\n", domain->name ));
1491 winbindd_flush_negative_conn_cache(domain);
1492 result = init_dc_connection(domain);
1496 DEBUG(10,("winbindd_dual_pam_auth: domain: %s last was %s\n", domain->name, domain->online ? "online":"offline"));
1498 /* Check for Kerberos authentication */
1499 if (domain->online && (state->request->flags & WBFLAG_PAM_KRB5)) {
1501 result = winbindd_dual_pam_auth_kerberos(domain, state, &info3);
1502 /* save for later */
1503 krb5_result = result;
1506 if (NT_STATUS_IS_OK(result)) {
1507 DEBUG(10,("winbindd_dual_pam_auth_kerberos succeeded\n"));
1508 goto process_result;
1510 DEBUG(10,("winbindd_dual_pam_auth_kerberos failed: %s\n", nt_errstr(result)));
1513 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
1514 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
1515 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1516 DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
1517 set_domain_offline( domain );
1521 /* there are quite some NT_STATUS errors where there is no
1522 * point in retrying with a samlogon, we explictly have to take
1523 * care not to increase the bad logon counter on the DC */
1525 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_DISABLED) ||
1526 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_EXPIRED) ||
1527 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_LOCKED_OUT) ||
1528 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_LOGON_HOURS) ||
1529 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_WORKSTATION) ||
1530 NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE) ||
1531 NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER) ||
1532 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_EXPIRED) ||
1533 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE) ||
1534 NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD)) {
1538 if (state->request->flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
1539 DEBUG(3,("falling back to samlogon\n"));
1547 /* Check for Samlogon authentication */
1548 if (domain->online) {
1549 result = winbindd_dual_pam_auth_samlogon(domain, state, &info3);
1551 if (NT_STATUS_IS_OK(result)) {
1552 DEBUG(10,("winbindd_dual_pam_auth_samlogon succeeded\n"));
1553 /* add the Krb5 err if we have one */
1554 if ( NT_STATUS_EQUAL(krb5_result, NT_STATUS_TIME_DIFFERENCE_AT_DC ) ) {
1555 info3->base.user_flags |= LOGON_KRB5_FAIL_CLOCK_SKEW;
1557 goto process_result;
1560 DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n",
1561 nt_errstr(result)));
1563 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
1564 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
1565 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND))
1567 DEBUG(10,("winbindd_dual_pam_auth_samlogon setting domain to offline\n"));
1568 set_domain_offline( domain );
1572 if (domain->online) {
1573 /* We're still online - fail. */
1579 /* Check for Cached logons */
1580 if (!domain->online && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN) &&
1581 lp_winbind_offline_logon()) {
1583 result = winbindd_dual_pam_auth_cached(domain, state, &info3);
1585 if (NT_STATUS_IS_OK(result)) {
1586 DEBUG(10,("winbindd_dual_pam_auth_cached succeeded\n"));
1587 goto process_result;
1589 DEBUG(10,("winbindd_dual_pam_auth_cached failed: %s\n", nt_errstr(result)));
1596 if (NT_STATUS_IS_OK(result)) {
1598 struct dom_sid user_sid;
1600 /* In all codepaths where result == NT_STATUS_OK info3 must have
1601 been initialized. */
1603 result = NT_STATUS_INTERNAL_ERROR;
1607 wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
1608 netsamlogon_cache_store(name_user, info3);
1610 /* save name_to_sid info as early as possible (only if
1611 this is our primary domain so we don't invalidate
1612 the cache entry by storing the seq_num for the wrong
1614 if ( domain->primary ) {
1615 sid_compose(&user_sid, info3->base.domain_sid,
1617 cache_name2sid(domain, name_domain, name_user,
1618 SID_NAME_USER, &user_sid);
1621 /* Check if the user is in the right group */
1623 result = check_info3_in_group(
1625 state->request->data.auth.require_membership_of_sid);
1626 if (!NT_STATUS_IS_OK(result)) {
1627 DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
1628 state->request->data.auth.user,
1629 state->request->data.auth.require_membership_of_sid));
1633 result = append_auth_data(state, info3, name_domain,
1635 if (!NT_STATUS_IS_OK(result)) {
1639 if ((state->request->flags & WBFLAG_PAM_CACHED_LOGIN)) {
1641 if (lp_winbind_offline_logon()) {
1642 result = winbindd_store_creds(domain,
1644 state->request->data.auth.user,
1645 state->request->data.auth.pass,
1651 if (state->request->flags & WBFLAG_PAM_GET_PWD_POLICY) {
1652 struct winbindd_domain *our_domain = find_our_domain();
1654 /* This is not entirely correct I believe, but it is
1655 consistent. Only apply the password policy settings
1656 too warn users for our own domain. Cannot obtain these
1657 from trusted DCs all the time so don't do it at all.
1660 result = NT_STATUS_NOT_SUPPORTED;
1661 if (our_domain == domain ) {
1662 result = fillup_password_policy(our_domain, state);
1665 if (!NT_STATUS_IS_OK(result)
1666 && !NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) )
1668 DEBUG(10,("Failed to get password policies for domain %s: %s\n",
1669 domain->name, nt_errstr(result)));
1674 result = NT_STATUS_OK;
1678 /* give us a more useful (more correct?) error code */
1679 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
1680 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
1681 result = NT_STATUS_NO_LOGON_SERVERS;
1684 set_auth_errors(state->response, result);
1686 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
1687 state->request->data.auth.user,
1688 state->response->data.auth.nt_status_string,
1689 state->response->data.auth.pam_error));
1691 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1694 enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
1695 struct winbindd_cli_state *state)
1698 struct netr_SamInfo3 *info3 = NULL;
1699 struct rpc_pipe_client *netlogon_pipe;
1700 const char *name_user = NULL;
1701 const char *name_domain = NULL;
1702 const char *workstation;
1706 DATA_BLOB lm_resp, nt_resp;
1708 /* This is child-only, so no check for privileged access is needed
1711 /* Ensure null termination */
1712 state->request->data.auth_crap.user[sizeof(state->request->data.auth_crap.user)-1]=0;
1713 state->request->data.auth_crap.domain[sizeof(state->request->data.auth_crap.domain)-1]=0;
1715 if (!check_request_flags(state->request->flags)) {
1716 result = NT_STATUS_INVALID_PARAMETER_MIX;
1720 name_user = state->request->data.auth_crap.user;
1722 if (*state->request->data.auth_crap.domain) {
1723 name_domain = state->request->data.auth_crap.domain;
1724 } else if (lp_winbind_use_default_domain()) {
1725 name_domain = lp_workgroup();
1727 DEBUG(5,("no domain specified with username (%s) - failing auth\n",
1729 result = NT_STATUS_NO_SUCH_USER;
1733 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
1734 name_domain, name_user));
1736 if (*state->request->data.auth_crap.workstation) {
1737 workstation = state->request->data.auth_crap.workstation;
1739 workstation = global_myname();
1742 if (state->request->data.auth_crap.lm_resp_len > sizeof(state->request->data.auth_crap.lm_resp)
1743 || state->request->data.auth_crap.nt_resp_len > sizeof(state->request->data.auth_crap.nt_resp)) {
1744 if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
1745 state->request->extra_len != state->request->data.auth_crap.nt_resp_len) {
1746 DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
1747 state->request->data.auth_crap.lm_resp_len,
1748 state->request->data.auth_crap.nt_resp_len));
1749 result = NT_STATUS_INVALID_PARAMETER;
1754 lm_resp = data_blob_talloc(state->mem_ctx, state->request->data.auth_crap.lm_resp,
1755 state->request->data.auth_crap.lm_resp_len);
1757 if (state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) {
1758 nt_resp = data_blob_talloc(state->mem_ctx,
1759 state->request->extra_data.data,
1760 state->request->data.auth_crap.nt_resp_len);
1762 nt_resp = data_blob_talloc(state->mem_ctx,
1763 state->request->data.auth_crap.nt_resp,
1764 state->request->data.auth_crap.nt_resp_len);
1767 if (strequal(name_domain, get_global_sam_name())) {
1768 DATA_BLOB chal_blob = data_blob_const(
1769 state->request->data.auth_crap.chal,
1770 sizeof(state->request->data.auth_crap.chal));
1772 result = winbindd_dual_auth_passdb(
1773 state->mem_ctx, name_domain, name_user,
1774 &chal_blob, &lm_resp, &nt_resp, &info3);
1775 goto process_result;
1779 netlogon_fn_t logon_fn;
1783 netlogon_pipe = NULL;
1784 result = cm_connect_netlogon(domain, &netlogon_pipe);
1786 if (!NT_STATUS_IS_OK(result)) {
1787 DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n",
1788 nt_errstr(result)));
1792 logon_fn = domain->can_do_samlogon_ex
1793 ? rpccli_netlogon_sam_network_logon_ex
1794 : rpccli_netlogon_sam_network_logon;
1796 result = logon_fn(netlogon_pipe,
1798 state->request->data.auth_crap.logon_parameters,
1802 /* Bug #3248 - found by Stefan Burkei. */
1803 workstation, /* We carefully set this above so use it... */
1804 state->request->data.auth_crap.chal,
1809 if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR)
1810 && domain->can_do_samlogon_ex) {
1811 DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
1812 "retrying with NetSamLogon\n"));
1813 domain->can_do_samlogon_ex = false;
1820 /* We have to try a second time as cm_connect_netlogon
1821 might not yet have noticed that the DC has killed
1824 if (!rpccli_is_connected(netlogon_pipe)) {
1829 /* if we get access denied, a possible cause was that we had and open
1830 connection to the DC, but someone changed our machine account password
1831 out from underneath us using 'net rpc changetrustpw' */
1833 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1834 DEBUG(3,("winbindd_pam_auth: sam_logon returned "
1835 "ACCESS_DENIED. Maybe the trust account "
1836 "password was changed and we didn't know it. "
1837 "Killing connections to domain %s\n",
1839 invalidate_cm_connection(&domain->conn);
1843 } while ( (attempts < 2) && retry );
1847 if (NT_STATUS_IS_OK(result)) {
1849 wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
1850 netsamlogon_cache_store(name_user, info3);
1852 /* Check if the user is in the right group */
1854 result = check_info3_in_group(
1856 state->request->data.auth_crap.require_membership_of_sid);
1857 if (!NT_STATUS_IS_OK(result)) {
1858 DEBUG(3, ("User %s is not in the required group (%s), so "
1859 "crap authentication is rejected\n",
1860 state->request->data.auth_crap.user,
1861 state->request->data.auth_crap.require_membership_of_sid));
1865 result = append_auth_data(state, info3, name_domain,
1867 if (!NT_STATUS_IS_OK(result)) {
1874 /* give us a more useful (more correct?) error code */
1875 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
1876 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
1877 result = NT_STATUS_NO_LOGON_SERVERS;
1880 if (state->request->flags & WBFLAG_PAM_NT_STATUS_SQUASH) {
1881 result = nt_status_squash(result);
1884 set_auth_errors(state->response, result);
1886 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
1887 ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n",
1890 state->response->data.auth.nt_status_string,
1891 state->response->data.auth.pam_error));
1893 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1896 enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact_domain,
1897 struct winbindd_cli_state *state)
1900 char *newpass = NULL;
1901 struct policy_handle dom_pol;
1902 struct rpc_pipe_client *cli = NULL;
1903 bool got_info = false;
1904 struct samr_DomInfo1 *info = NULL;
1905 struct userPwdChangeFailureInformation *reject = NULL;
1906 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1907 fstring domain, user;
1909 ZERO_STRUCT(dom_pol);
1911 DEBUG(3, ("[%5lu]: dual pam chauthtok %s\n", (unsigned long)state->pid,
1912 state->request->data.auth.user));
1914 if (!parse_domain_user(state->request->data.chauthtok.user, domain, user)) {
1918 /* Change password */
1920 oldpass = state->request->data.chauthtok.oldpass;
1921 newpass = state->request->data.chauthtok.newpass;
1923 /* Initialize reject reason */
1924 state->response->data.auth.reject_reason = Undefined;
1926 /* Get sam handle */
1928 result = cm_connect_sam(contact_domain, state->mem_ctx, &cli,
1930 if (!NT_STATUS_IS_OK(result)) {
1931 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
1935 result = rpccli_samr_chgpasswd_user3(cli, state->mem_ctx,
1942 /* Windows 2003 returns NT_STATUS_PASSWORD_RESTRICTION */
1944 if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) ) {
1946 fill_in_password_policy(state->response, info);
1948 state->response->data.auth.reject_reason =
1949 reject->extendedFailureReason;
1954 /* atm the pidl generated rpccli_samr_ChangePasswordUser3 function will
1955 * return with NT_STATUS_BUFFER_TOO_SMALL for w2k dcs as w2k just
1956 * returns with 4byte error code (NT_STATUS_NOT_SUPPORTED) which is too
1957 * short to comply with the samr_ChangePasswordUser3 idl - gd */
1959 /* only fallback when the chgpasswd_user3 call is not supported */
1960 if ((NT_STATUS_EQUAL(result, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR))) ||
1961 (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) ||
1962 (NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL)) ||
1963 (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED))) {
1965 DEBUG(10,("Password change with chgpasswd_user3 failed with: %s, retrying chgpasswd_user2\n",
1966 nt_errstr(result)));
1968 result = rpccli_samr_chgpasswd_user2(cli, state->mem_ctx, user, newpass, oldpass);
1970 /* Windows 2000 returns NT_STATUS_ACCOUNT_RESTRICTION.
1971 Map to the same status code as Windows 2003. */
1973 if ( NT_STATUS_EQUAL(NT_STATUS_ACCOUNT_RESTRICTION, result ) ) {
1974 result = NT_STATUS_PASSWORD_RESTRICTION;
1980 if (NT_STATUS_IS_OK(result) && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN)) {
1981 if (lp_winbind_offline_logon()) {
1982 result = winbindd_update_creds_by_name(contact_domain,
1983 state->mem_ctx, user,
1985 /* Again, this happens when we login from gdm or xdm
1986 * and the password expires, *BUT* cached crendentials
1987 * doesn't exist. winbindd_update_creds_by_name()
1988 * returns NT_STATUS_NO_SUCH_USER.
1989 * This is not a failure.
1992 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
1993 result = NT_STATUS_OK;
1996 if (!NT_STATUS_IS_OK(result)) {
1997 DEBUG(10,("Failed to store creds: %s\n", nt_errstr(result)));
1998 goto process_result;
2003 if (!NT_STATUS_IS_OK(result) && !got_info && contact_domain) {
2005 NTSTATUS policy_ret;
2007 policy_ret = fillup_password_policy(contact_domain, state);
2009 /* failure of this is non critical, it will just provide no
2010 * additional information to the client why the change has
2011 * failed - Guenther */
2013 if (!NT_STATUS_IS_OK(policy_ret)) {
2014 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(policy_ret)));
2015 goto process_result;
2021 if (strequal(contact_domain->name, get_global_sam_name())) {
2022 /* FIXME: internal rpc pipe does not cache handles yet */
2024 if (is_valid_policy_hnd(&dom_pol)) {
2025 rpccli_samr_Close(cli, state->mem_ctx, &dom_pol);
2031 set_auth_errors(state->response, result);
2033 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2034 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2037 state->response->data.auth.nt_status_string,
2038 state->response->data.auth.pam_error));
2040 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2043 enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
2044 struct winbindd_cli_state *state)
2046 NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
2048 DEBUG(3, ("[%5lu]: pam dual logoff %s\n", (unsigned long)state->pid,
2049 state->request->data.logoff.user));
2051 if (!(state->request->flags & WBFLAG_PAM_KRB5)) {
2052 result = NT_STATUS_OK;
2053 goto process_result;
2056 if (state->request->data.logoff.krb5ccname[0] == '\0') {
2057 result = NT_STATUS_OK;
2058 goto process_result;
2063 if (state->request->data.logoff.uid < 0) {
2064 DEBUG(0,("winbindd_pam_logoff: invalid uid\n"));
2065 goto process_result;
2068 /* what we need here is to find the corresponding krb5 ccache name *we*
2069 * created for a given username and destroy it */
2071 if (!ccache_entry_exists(state->request->data.logoff.user)) {
2072 result = NT_STATUS_OK;
2073 DEBUG(10,("winbindd_pam_logoff: no entry found.\n"));
2074 goto process_result;
2077 if (!ccache_entry_identical(state->request->data.logoff.user,
2078 state->request->data.logoff.uid,
2079 state->request->data.logoff.krb5ccname)) {
2080 DEBUG(0,("winbindd_pam_logoff: cached entry differs.\n"));
2081 goto process_result;
2084 result = remove_ccache(state->request->data.logoff.user);
2085 if (!NT_STATUS_IS_OK(result)) {
2086 DEBUG(0,("winbindd_pam_logoff: failed to remove ccache: %s\n",
2087 nt_errstr(result)));
2088 goto process_result;
2092 result = NT_STATUS_NOT_SUPPORTED;
2098 set_auth_errors(state->response, result);
2100 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2103 /* Change user password with auth crap*/
2105 enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domain *domainSt, struct winbindd_cli_state *state)
2108 DATA_BLOB new_nt_password;
2109 DATA_BLOB old_nt_hash_enc;
2110 DATA_BLOB new_lm_password;
2111 DATA_BLOB old_lm_hash_enc;
2112 fstring domain,user;
2113 struct policy_handle dom_pol;
2114 struct winbindd_domain *contact_domain = domainSt;
2115 struct rpc_pipe_client *cli = NULL;
2117 ZERO_STRUCT(dom_pol);
2119 /* Ensure null termination */
2120 state->request->data.chng_pswd_auth_crap.user[
2121 sizeof(state->request->data.chng_pswd_auth_crap.user)-1]=0;
2122 state->request->data.chng_pswd_auth_crap.domain[
2123 sizeof(state->request->data.chng_pswd_auth_crap.domain)-1]=0;
2127 DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
2128 (unsigned long)state->pid,
2129 state->request->data.chng_pswd_auth_crap.domain,
2130 state->request->data.chng_pswd_auth_crap.user));
2132 if (lp_winbind_offline_logon()) {
2133 DEBUG(0,("Refusing password change as winbind offline logons are enabled. "));
2134 DEBUGADD(0,("Changing passwords here would risk inconsistent logons\n"));
2135 result = NT_STATUS_ACCESS_DENIED;
2139 if (*state->request->data.chng_pswd_auth_crap.domain) {
2140 fstrcpy(domain,state->request->data.chng_pswd_auth_crap.domain);
2142 parse_domain_user(state->request->data.chng_pswd_auth_crap.user,
2146 DEBUG(3,("no domain specified with username (%s) - "
2148 state->request->data.chng_pswd_auth_crap.user));
2149 result = NT_STATUS_NO_SUCH_USER;
2154 if (!*domain && lp_winbind_use_default_domain()) {
2155 fstrcpy(domain,(char *)lp_workgroup());
2159 fstrcpy(user, state->request->data.chng_pswd_auth_crap.user);
2162 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n",
2163 (unsigned long)state->pid, domain, user));
2165 /* Change password */
2166 new_nt_password = data_blob_const(
2167 state->request->data.chng_pswd_auth_crap.new_nt_pswd,
2168 state->request->data.chng_pswd_auth_crap.new_nt_pswd_len);
2170 old_nt_hash_enc = data_blob_const(
2171 state->request->data.chng_pswd_auth_crap.old_nt_hash_enc,
2172 state->request->data.chng_pswd_auth_crap.old_nt_hash_enc_len);
2174 if(state->request->data.chng_pswd_auth_crap.new_lm_pswd_len > 0) {
2175 new_lm_password = data_blob_const(
2176 state->request->data.chng_pswd_auth_crap.new_lm_pswd,
2177 state->request->data.chng_pswd_auth_crap.new_lm_pswd_len);
2179 old_lm_hash_enc = data_blob_const(
2180 state->request->data.chng_pswd_auth_crap.old_lm_hash_enc,
2181 state->request->data.chng_pswd_auth_crap.old_lm_hash_enc_len);
2183 new_lm_password.length = 0;
2184 old_lm_hash_enc.length = 0;
2187 /* Get sam handle */
2189 result = cm_connect_sam(contact_domain, state->mem_ctx, &cli, &dom_pol);
2190 if (!NT_STATUS_IS_OK(result)) {
2191 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
2195 result = rpccli_samr_chng_pswd_auth_crap(
2196 cli, state->mem_ctx, user, new_nt_password, old_nt_hash_enc,
2197 new_lm_password, old_lm_hash_enc);
2201 if (strequal(contact_domain->name, get_global_sam_name())) {
2202 /* FIXME: internal rpc pipe does not cache handles yet */
2204 if (is_valid_policy_hnd(&dom_pol)) {
2205 rpccli_samr_Close(cli, state->mem_ctx, &dom_pol);
2211 set_auth_errors(state->response, result);
2213 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2214 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2216 state->response->data.auth.nt_status_string,
2217 state->response->data.auth.pam_error));
2219 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
git.samba.org / metze / samba / wip.git / blob