2001-11-24 15:16:27 +03:00
/*
2002-01-30 09:08:46 +03:00
Unix SMB / CIFS implementation .
2001-11-24 15:16:27 +03:00
Winbind authentication mechnism
Copyright ( C ) Tim Potter 2000
2002-09-25 19:19:00 +04:00
Copyright ( C ) Andrew Bartlett 2001 - 2002
2010-04-11 13:50:55 +04:00
2001-11-24 15:16:27 +03:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-09 23:25:36 +04:00
the Free Software Foundation ; either version 3 of the License , or
2001-11-24 15:16:27 +03:00
( at your option ) any later version .
2010-04-11 13:50:55 +04:00
2001-11-24 15:16:27 +03:00
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
2010-04-11 13:50:55 +04:00
2001-11-24 15:16:27 +03:00
You should have received a copy of the GNU General Public License
2007-07-10 04:52:41 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2001-11-24 15:16:27 +03:00
*/
# include "includes.h"
2011-03-25 04:28:05 +03:00
# include "auth.h"
2011-02-25 00:30:16 +03:00
# include "nsswitch/libwbclient/wbclient.h"
2001-11-24 15:16:27 +03:00
2002-07-15 14:35:28 +04:00
# undef DBGC_CLASS
# define DBGC_CLASS DBGC_AUTH
2001-11-24 15:16:27 +03:00
/* Authenticate a user with a challenge/response */
2002-01-05 07:55:41 +03:00
static NTSTATUS check_winbind_security ( const struct auth_context * auth_context ,
void * my_private_data ,
2002-01-01 06:10:32 +03:00
TALLOC_CTX * mem_ctx ,
2010-01-10 16:16:04 +03:00
const struct auth_usersupplied_info * user_info ,
2010-01-10 16:24:22 +03:00
struct auth_serversupplied_info * * server_info )
2001-11-24 15:16:27 +03:00
{
NTSTATUS nt_status ;
2008-02-04 20:18:36 +03:00
wbcErr wbc_status ;
struct wbcAuthUserParams params ;
struct wbcAuthUserInfo * info = NULL ;
struct wbcAuthErrorInfo * err = NULL ;
2001-11-24 15:16:27 +03:00
2011-01-14 15:14:22 +03:00
ZERO_STRUCT ( params ) ;
2001-11-24 15:16:27 +03:00
if ( ! user_info ) {
2002-08-17 21:00:51 +04:00
return NT_STATUS_INVALID_PARAMETER ;
2001-11-24 15:16:27 +03:00
}
2010-06-16 14:31:11 +04:00
DEBUG ( 10 , ( " Check auth for: [%s] \n " , user_info - > mapped . account_name ) ) ;
2010-05-30 00:49:37 +04:00
2002-01-05 07:55:41 +03:00
if ( ! auth_context ) {
2001-11-26 07:05:28 +03:00
DEBUG ( 3 , ( " Password for user %s cannot be checked because we have no auth_info to get the challenge from. \n " ,
2010-06-01 14:30:56 +04:00
user_info - > mapped . account_name ) ) ;
2003-07-03 18:36:42 +04:00
return NT_STATUS_INVALID_PARAMETER ;
2001-11-24 15:16:27 +03:00
}
2010-06-01 15:11:14 +04:00
if ( strequal ( user_info - > mapped . domain_name , get_global_sam_name ( ) ) ) {
2003-12-19 03:33:09 +03:00
DEBUG ( 3 , ( " check_winbind_security: Not using winbind, requested domain [%s] was for this SAM. \n " ,
2010-06-01 15:11:14 +04:00
user_info - > mapped . domain_name ) ) ;
2003-07-03 18:36:42 +04:00
return NT_STATUS_NOT_IMPLEMENTED ;
}
2001-11-24 15:16:27 +03:00
/* Send off request */
2010-06-01 14:27:03 +04:00
params . account_name = user_info - > client . account_name ;
2013-04-24 17:27:21 +04:00
/*
* We need to send the domain name from the client to the DC . With
* NTLMv2 the domain name is part of the hashed second challenge ,
* if we change the domain name , the DC will fail to verify the
* challenge cause we changed the domain name , this is like a
* man in the middle attack .
*/
params . domain_name = user_info - > client . domain_name ;
2010-06-01 05:23:50 +04:00
params . workstation_name = user_info - > workstation_name ;
2001-11-24 15:16:27 +03:00
2008-02-04 20:18:36 +03:00
params . flags = 0 ;
params . parameter_control = user_info - > logon_parameters ;
2001-11-24 15:16:27 +03:00
2008-02-04 20:18:36 +03:00
params . level = WBC_AUTH_USER_LEVEL_RESPONSE ;
2005-11-08 09:19:34 +03:00
2008-02-04 20:18:36 +03:00
memcpy ( params . password . response . challenge ,
auth_context - > challenge . data ,
sizeof ( params . password . response . challenge ) ) ;
2002-01-25 13:16:20 +03:00
2011-01-14 15:14:22 +03:00
if ( user_info - > password . response . nt . length ! = 0 ) {
params . password . response . nt_length =
user_info - > password . response . nt . length ;
params . password . response . nt_data =
user_info - > password . response . nt . data ;
}
if ( user_info - > password . response . lanman . length ! = 0 ) {
params . password . response . lm_length =
user_info - > password . response . lanman . length ;
params . password . response . lm_data =
user_info - > password . response . lanman . data ;
}
2003-07-03 18:36:42 +04:00
/* we are contacting the privileged pipe */
become_root ( ) ;
2008-02-04 20:18:36 +03:00
wbc_status = wbcAuthenticateUserEx ( & params , & info , & err ) ;
2003-07-03 18:36:42 +04:00
unbecome_root ( ) ;
2001-11-24 15:16:27 +03:00
2008-03-26 03:25:57 +03:00
if ( ! WBC_ERROR_IS_OK ( wbc_status ) ) {
DEBUG ( 10 , ( " check_winbind_security: wbcAuthenticateUserEx failed: %s \n " ,
wbcErrorString ( wbc_status ) ) ) ;
}
2008-02-04 20:18:36 +03:00
if ( wbc_status = = WBC_ERR_NO_MEMORY ) {
return NT_STATUS_NO_MEMORY ;
}
if ( wbc_status = = WBC_ERR_WINBIND_NOT_AVAILABLE ) {
2006-08-20 21:55:06 +04:00
struct auth_methods * auth_method =
( struct auth_methods * ) my_private_data ;
2003-05-27 20:46:51 +04:00
if ( auth_method )
return auth_method - > auth ( auth_context , auth_method - > private_data ,
mem_ctx , user_info , server_info ) ;
2010-11-09 22:29:17 +03:00
return NT_STATUS_LOGON_FAILURE ;
2003-04-24 15:56:09 +04:00
}
2008-02-04 20:18:36 +03:00
if ( wbc_status = = WBC_ERR_AUTH_ERROR ) {
nt_status = NT_STATUS ( err - > nt_status ) ;
2017-02-11 12:25:44 +03:00
if ( NT_STATUS_EQUAL ( nt_status , NT_STATUS_NO_SUCH_USER ) & &
( err - > authoritative = = 0 ) ) {
/*
* Trigger a fallback to local SAM
*/
nt_status = NT_STATUS_NOT_IMPLEMENTED ;
}
2008-02-04 20:18:36 +03:00
wbcFreeMemory ( err ) ;
return nt_status ;
}
if ( ! WBC_ERROR_IS_OK ( wbc_status ) ) {
return NT_STATUS_LOGON_FAILURE ;
}
nt_status = make_server_info_wbcAuthUserInfo ( mem_ctx ,
2010-06-01 14:27:03 +04:00
user_info - > client . account_name ,
2010-06-01 15:11:14 +04:00
user_info - > mapped . domain_name ,
2008-02-04 20:18:36 +03:00
info , server_info ) ;
wbcFreeMemory ( info ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
return nt_status ;
}
2008-05-06 19:37:00 +04:00
( * server_info ) - > nss_token | = user_info - > was_mapped ;
2001-11-24 15:16:27 +03:00
return nt_status ;
}
2002-01-05 07:55:41 +03:00
/* module initialisation */
2003-06-04 20:40:50 +04:00
static NTSTATUS auth_init_winbind ( struct auth_context * auth_context , const char * param , auth_methods * * auth_method )
2001-11-24 15:16:27 +03:00
{
2010-04-11 14:37:48 +04:00
struct auth_methods * result ;
2011-06-07 05:44:43 +04:00
result = talloc_zero ( auth_context , struct auth_methods ) ;
2010-04-11 14:37:48 +04:00
if ( result = = NULL ) {
2003-05-26 20:38:35 +04:00
return NT_STATUS_NO_MEMORY ;
}
2010-04-11 14:37:48 +04:00
result - > name = " winbind " ;
result - > auth = check_winbind_security ;
2003-04-24 15:56:09 +04:00
if ( param & & * param ) {
/* we load the 'fallback' module - if winbind isn't here, call this
module */
2006-09-19 05:25:52 +04:00
auth_methods * priv ;
if ( ! load_auth_module ( auth_context , param , & priv ) ) {
2003-04-24 15:56:09 +04:00
return NT_STATUS_UNSUCCESSFUL ;
}
2010-04-11 14:37:48 +04:00
result - > private_data = ( void * ) priv ;
2003-04-24 15:56:09 +04:00
}
2010-04-11 14:37:48 +04:00
* auth_method = result ;
2002-07-15 14:35:28 +04:00
return NT_STATUS_OK ;
2001-11-24 15:16:27 +03:00
}
2003-04-16 16:13:07 +04:00
2017-04-20 22:24:43 +03:00
NTSTATUS auth_winbind_init ( TALLOC_CTX * mem_ctx )
2003-04-16 16:13:07 +04:00
{
2003-04-28 21:48:48 +04:00
return smb_register_auth ( AUTH_INTERFACE_VERSION , " winbind " , auth_init_winbind ) ;
2003-04-16 16:13:07 +04:00
}
