2010-04-01 14:35:14 +04:00
/*
Unix SMB / CIFS implementation .
async implementation of WINBINDD_PAM_CHAUTHTOK
Copyright ( C ) Volker Lendecke 2010
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 3 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program . If not , see < http : //www.gnu.org/licenses/>.
*/
# include "includes.h"
# include "winbindd.h"
2020-08-07 21:17:34 +03:00
# include "lib/util/string_wrappers.h"
2021-01-03 23:53:49 +03:00
# include "lib/global_contexts.h"
2021-06-22 11:23:04 +03:00
# include "librpc/gen_ndr/ndr_winbind_c.h"
static void fill_in_password_policy ( struct winbindd_response * r ,
const struct samr_DomInfo1 * p )
{
r - > data . auth . policy . min_length_password =
p - > min_password_length ;
r - > data . auth . policy . password_history =
p - > password_history_length ;
r - > data . auth . policy . password_properties =
p - > password_properties ;
r - > data . auth . policy . expire =
nt_time_to_unix_abs ( ( const NTTIME * ) & ( p - > max_password_age ) ) ;
r - > data . auth . policy . min_passwordage =
nt_time_to_unix_abs ( ( const NTTIME * ) & ( p - > min_password_age ) ) ;
}
2010-04-01 14:35:14 +04:00
struct winbindd_pam_chauthtok_state {
2021-06-22 11:23:04 +03:00
struct wbint_PamAuthChangePassword r ;
2010-04-01 14:35:14 +04:00
} ;
static void winbindd_pam_chauthtok_done ( struct tevent_req * subreq ) ;
struct tevent_req * winbindd_pam_chauthtok_send (
TALLOC_CTX * mem_ctx ,
struct tevent_context * ev ,
struct winbindd_cli_state * cli ,
struct winbindd_request * request )
{
struct tevent_req * req , * subreq ;
struct winbindd_pam_chauthtok_state * state ;
struct winbindd_domain * contact_domain ;
2023-10-21 23:29:34 +03:00
char * namespace = NULL ;
char * domain = NULL ;
char * user = NULL ;
char * chauthtok_user = NULL ;
2010-04-01 14:35:14 +04:00
char * mapped_user ;
NTSTATUS status ;
2018-04-26 18:32:42 +03:00
bool ok ;
2010-04-01 14:35:14 +04:00
req = tevent_req_create ( mem_ctx , & state ,
struct winbindd_pam_chauthtok_state ) ;
if ( req = = NULL ) {
return NULL ;
}
/* Ensure null termination */
request - > data . chauthtok . user [
sizeof ( request - > data . chauthtok . user ) - 1 ] = ' \0 ' ;
DEBUG ( 3 , ( " [%5lu]: pam chauthtok %s \n " , ( unsigned long ) cli - > pid ,
request - > data . chauthtok . user ) ) ;
status = normalize_name_unmap ( state , request - > data . chauthtok . user ,
& mapped_user ) ;
if ( NT_STATUS_IS_OK ( status ) | |
NT_STATUS_EQUAL ( status , NT_STATUS_FILE_RENAMED ) ) {
fstrcpy ( request - > data . chauthtok . user , mapped_user ) ;
}
2023-10-21 23:29:34 +03:00
chauthtok_user = request - > data . chauthtok . user ;
ok = canonicalize_username ( req ,
& chauthtok_user ,
& namespace ,
& domain ,
& user ) ;
2018-04-26 18:32:42 +03:00
if ( ! ok ) {
2010-04-01 14:35:14 +04:00
DEBUG ( 10 , ( " winbindd_pam_chauthtok: canonicalize_username %s "
" failed with \n " , request - > data . chauthtok . user ) ) ;
tevent_req_nterror ( req , NT_STATUS_NO_SUCH_USER ) ;
return tevent_req_post ( req , ev ) ;
}
2023-10-21 23:29:34 +03:00
fstrcpy ( request - > data . chauthtok . user , chauthtok_user ) ;
2018-04-26 18:32:42 +03:00
contact_domain = find_domain_from_name ( namespace ) ;
2010-04-01 14:35:14 +04:00
if ( contact_domain = = NULL ) {
DEBUG ( 3 , ( " Cannot change password for [%s] -> [%s] \\ [%s] "
" as %s is not a trusted domain \n " ,
request - > data . chauthtok . user , domain , user , domain ) ) ;
tevent_req_nterror ( req , NT_STATUS_NO_SUCH_USER ) ;
return tevent_req_post ( req , ev ) ;
}
2021-06-22 11:23:04 +03:00
state - > r . in . client_pid = request - > pid ;
state - > r . in . flags = request - > flags ;
state - > r . in . client_name = talloc_strdup ( state , request - > client_name ) ;
if ( tevent_req_nomem ( state - > r . in . client_name , req ) ) {
return tevent_req_post ( req , ev ) ;
}
state - > r . in . user = talloc_strdup ( state , request - > data . chauthtok . user ) ;
if ( tevent_req_nomem ( state - > r . in . user , req ) ) {
return tevent_req_post ( req , ev ) ;
}
state - > r . in . old_password = talloc_strdup ( state ,
request - > data . chauthtok . oldpass ) ;
if ( tevent_req_nomem ( state - > r . in . old_password , req ) ) {
return tevent_req_post ( req , ev ) ;
}
state - > r . in . new_password = talloc_strdup ( state ,
request - > data . chauthtok . newpass ) ;
if ( tevent_req_nomem ( state - > r . in . new_password , req ) ) {
return tevent_req_post ( req , ev ) ;
}
subreq = dcerpc_wbint_PamAuthChangePassword_r_send ( state ,
global_event_context ( ) ,
dom_child_handle ( contact_domain ) ,
& state - > r ) ;
2010-04-01 14:35:14 +04:00
if ( tevent_req_nomem ( subreq , req ) ) {
return tevent_req_post ( req , ev ) ;
}
tevent_req_set_callback ( subreq , winbindd_pam_chauthtok_done , req ) ;
return req ;
}
static void winbindd_pam_chauthtok_done ( struct tevent_req * subreq )
{
struct tevent_req * req = tevent_req_callback_data (
subreq , struct tevent_req ) ;
struct winbindd_pam_chauthtok_state * state = tevent_req_data (
req , struct winbindd_pam_chauthtok_state ) ;
2021-06-22 11:23:04 +03:00
NTSTATUS status ;
2010-04-01 14:35:14 +04:00
2021-06-22 11:23:04 +03:00
status = dcerpc_wbint_PamAuthChangePassword_r_recv ( subreq , state ) ;
2010-04-01 14:35:14 +04:00
TALLOC_FREE ( subreq ) ;
2021-06-22 11:23:04 +03:00
if ( tevent_req_nterror ( req , status ) ) {
2010-04-01 14:35:14 +04:00
return ;
}
2021-06-22 11:23:04 +03:00
2010-04-01 14:35:14 +04:00
tevent_req_done ( req ) ;
}
NTSTATUS winbindd_pam_chauthtok_recv ( struct tevent_req * req ,
struct winbindd_response * response )
{
struct winbindd_pam_chauthtok_state * state = tevent_req_data (
req , struct winbindd_pam_chauthtok_state ) ;
2021-06-22 11:23:04 +03:00
NTSTATUS status = NT_STATUS_OK ;
2010-04-01 14:35:14 +04:00
if ( tevent_req_is_nterror ( req , & status ) ) {
set_auth_errors ( response , status ) ;
return status ;
}
2021-06-22 11:23:04 +03:00
2010-04-01 14:35:14 +04:00
response - > result = WINBINDD_PENDING ;
2010-04-18 16:14:43 +04:00
2021-06-22 11:23:04 +03:00
set_auth_errors ( response , state - > r . out . result ) ;
if ( * state - > r . out . dominfo ! = NULL ) {
fill_in_password_policy ( response , * state - > r . out . dominfo ) ;
2010-04-18 16:14:43 +04:00
}
2021-06-22 11:23:04 +03:00
response - > data . auth . reject_reason = * state - > r . out . reject_reason ;
2010-04-18 16:14:43 +04:00
2021-06-22 11:23:04 +03:00
if ( state - > r . in . flags & WBFLAG_PAM_CACHED_LOGIN ) {
2010-04-18 16:14:43 +04:00
/* Update the single sign-on memory creds. */
status = winbindd_replace_memory_creds (
2021-06-22 11:23:04 +03:00
state - > r . in . user , state - > r . in . new_password ) ;
2010-04-18 16:14:43 +04:00
DEBUG ( 10 , ( " winbindd_replace_memory_creds returned %s \n " ,
nt_errstr ( status ) ) ) ;
/*
* When we login from gdm or xdm and password expires ,
* we change password , but there are no memory
2023-09-04 05:17:35 +03:00
* credentials . So , winbindd_replace_memory_creds ( )
2010-04-18 16:14:43 +04:00
* returns NT_STATUS_OBJECT_NAME_NOT_FOUND . This is
* not a failure . - - - BoYang
*/
if ( NT_STATUS_EQUAL ( status , NT_STATUS_OBJECT_NAME_NOT_FOUND ) ) {
status = NT_STATUS_OK ;
}
}
2021-06-22 11:23:04 +03:00
return NT_STATUS ( response - > data . auth . nt_status ) ;
2010-04-01 14:35:14 +04:00
}
