2006-04-27 23:50:13 +04:00
/*
Unix SMB / CIFS implementation .
Password and authentication handling
Copyright ( C ) Andrew Bartlett < abartlet @ samba . org > 2001 - 2004
Copyright ( C ) Gerald Carter 2003
Copyright ( C ) Stefan Metzmacher 2005
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 06:07:03 +04:00
the Free Software Foundation ; either version 3 of the License , or
2006-04-27 23:50:13 +04:00
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
2007-07-10 06:07:03 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2006-04-27 23:50:13 +04:00
*/
# include "includes.h"
# include "system/time.h"
# include "auth/auth.h"
2007-11-16 22:12:00 +03:00
# include <ldb.h>
2008-10-11 23:31:42 +04:00
# include "../lib/util/util_ldb.h"
2006-04-27 23:50:13 +04:00
# include "dsdb/samdb/samdb.h"
# include "libcli/security/security.h"
# include "libcli/ldap/ldap.h"
2006-11-07 03:48:36 +03:00
# include "librpc/gen_ndr/ndr_netlogon.h"
2009-06-04 08:07:35 +04:00
# include "librpc/gen_ndr/ndr_security.h"
2007-09-08 16:42:09 +04:00
# include "param/param.h"
2008-10-20 20:59:51 +04:00
# include "auth/auth_sam.h"
2006-04-27 23:50:13 +04:00
2009-07-16 11:37:36 +04:00
# define KRBTGT_ATTRS \
/* required for the krb5 kdc */ \
" objectClass " , \
" sAMAccountName " , \
" userPrincipalName " , \
" servicePrincipalName " , \
" msDS-KeyVersionNumber " , \
" supplementalCredentials " , \
\
/* passwords */ \
" dBCSPwd " , \
" unicodePwd " , \
\
" userAccountControl " , \
" objectSid " , \
\
" pwdLastSet " , \
" accountExpires "
const char * krbtgt_attrs [ ] = {
KRBTGT_ATTRS
} ;
2006-04-27 23:50:13 +04:00
2009-07-16 11:37:36 +04:00
const char * server_attrs [ ] = {
KRBTGT_ATTRS
} ;
2006-04-27 23:50:13 +04:00
2009-07-16 11:37:36 +04:00
const char * user_attrs [ ] = {
KRBTGT_ATTRS ,
2006-04-27 23:50:13 +04:00
2007-07-27 10:31:12 +04:00
" logonHours " ,
2006-04-27 23:50:13 +04:00
/* check 'allowed workstations' */
" userWorkstations " ,
/* required for server_info, not access control: */
" displayName " ,
" scriptPath " ,
" profilePath " ,
" homeDirectory " ,
" homeDrive " ,
" lastLogon " ,
" lastLogoff " ,
" accountExpires " ,
" badPwdCount " ,
" logonCount " ,
" primaryGroupID " ,
2009-06-04 08:07:35 +04:00
" memberOf " ,
2006-04-27 23:50:13 +04:00
NULL ,
} ;
2007-07-27 10:31:12 +04:00
/****************************************************************************
Check if a user is allowed to logon at this time . Note this is the
servers local time , as logon hours are just specified as a weekly
bitmask .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-10-07 02:16:19 +04:00
static bool logon_hours_ok ( struct ldb_message * msg , const char * name_for_logs )
2007-07-27 10:31:12 +04:00
{
/* In logon hours first bit is Sunday from 12AM to 1AM */
const struct ldb_val * hours ;
struct tm * utctime ;
time_t lasttime ;
const char * asct ;
uint8_t bitmask , bitpos ;
hours = ldb_msg_find_ldb_val ( msg , " logonHours " ) ;
if ( ! hours ) {
DEBUG ( 5 , ( " logon_hours_ok: No hours restrictions for user %s \n " , name_for_logs ) ) ;
2007-10-07 02:16:19 +04:00
return true ;
2007-07-27 10:31:12 +04:00
}
if ( hours - > length ! = 168 / 8 ) {
DEBUG ( 5 , ( " logon_hours_ok: malformed logon hours restrictions for user %s \n " , name_for_logs ) ) ;
2007-10-07 02:16:19 +04:00
return true ;
2007-07-27 10:31:12 +04:00
}
lasttime = time ( NULL ) ;
utctime = gmtime ( & lasttime ) ;
if ( ! utctime ) {
DEBUG ( 1 , ( " logon_hours_ok: failed to get gmtime. Failing logon for user %s \n " ,
name_for_logs ) ) ;
2007-10-07 02:16:19 +04:00
return false ;
2007-07-27 10:31:12 +04:00
}
/* find the corresponding byte and bit */
bitpos = ( utctime - > tm_wday * 24 + utctime - > tm_hour ) % 168 ;
bitmask = 1 < < ( bitpos % 8 ) ;
if ( ! ( hours - > data [ bitpos / 8 ] & bitmask ) ) {
struct tm * t = localtime ( & lasttime ) ;
if ( ! t ) {
asct = " INVALID TIME " ;
} else {
asct = asctime ( t ) ;
if ( ! asct ) {
asct = " INVALID TIME " ;
}
}
DEBUG ( 1 , ( " logon_hours_ok: Account for user %s not allowed to "
" logon at this time (%s). \n " ,
name_for_logs , asct ) ) ;
2007-10-07 02:16:19 +04:00
return false ;
2007-07-27 10:31:12 +04:00
}
asct = asctime ( utctime ) ;
DEBUG ( 5 , ( " logon_hours_ok: user %s allowed to logon at this time (%s) \n " ,
name_for_logs , asct ? asct : " UNKNOWN TIME " ) ) ;
2007-10-07 02:16:19 +04:00
return true ;
2007-07-27 10:31:12 +04:00
}
2006-04-27 23:50:13 +04:00
/****************************************************************************
Do a specific test for a SAM_ACCOUNT being vaild for this connection
( ie not disabled , expired and the like ) .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
_PUBLIC_ NTSTATUS authsam_account_ok ( TALLOC_CTX * mem_ctx ,
2009-05-26 06:31:39 +04:00
struct ldb_context * sam_ctx ,
uint32_t logon_parameters ,
struct ldb_dn * domain_dn ,
struct ldb_message * msg ,
const char * logon_workstation ,
const char * name_for_logs ,
2009-06-18 05:08:46 +04:00
bool allow_domain_trust ,
bool password_change )
2006-04-27 23:50:13 +04:00
{
uint16_t acct_flags ;
const char * workstation_list ;
NTTIME acct_expiry ;
NTTIME must_change_time ;
NTTIME now ;
DEBUG ( 4 , ( " authsam_account_ok: Checking SMB password for user %s \n " , name_for_logs ) ) ;
2008-02-28 00:50:00 +03:00
acct_flags = samdb_result_acct_flags ( sam_ctx , mem_ctx , msg , domain_dn ) ;
2006-04-27 23:50:13 +04:00
2008-03-25 07:25:13 +03:00
acct_expiry = samdb_result_account_expires ( msg ) ;
2008-02-29 00:47:42 +03:00
/* Check for when we must change this password, taking the
* userAccountControl flags into account */
2006-04-27 23:50:13 +04:00
must_change_time = samdb_result_force_password_change ( sam_ctx , mem_ctx ,
domain_dn , msg ) ;
workstation_list = samdb_result_string ( msg , " userWorkstations " , NULL ) ;
/* Quit if the account was disabled. */
if ( acct_flags & ACB_DISABLED ) {
DEBUG ( 1 , ( " authsam_account_ok: Account for user '%s' was disabled. \n " , name_for_logs ) ) ;
return NT_STATUS_ACCOUNT_DISABLED ;
}
/* Quit if the account was locked out. */
if ( acct_flags & ACB_AUTOLOCK ) {
DEBUG ( 1 , ( " authsam_account_ok: Account for user %s was locked out. \n " , name_for_logs ) ) ;
return NT_STATUS_ACCOUNT_LOCKED_OUT ;
}
/* Test account expire time */
unix_to_nt_time ( & now , time ( NULL ) ) ;
if ( now > acct_expiry ) {
DEBUG ( 1 , ( " authsam_account_ok: Account for user '%s' has expired. \n " , name_for_logs ) ) ;
DEBUG ( 3 , ( " authsam_account_ok: Account expired at '%s'. \n " ,
nt_time_string ( mem_ctx , acct_expiry ) ) ) ;
return NT_STATUS_ACCOUNT_EXPIRED ;
}
2009-06-18 05:08:46 +04:00
/* check for immediate expiry "must change at next logon" (but not if this is a password change request) */
if ( ( must_change_time = = 0 ) & & ! password_change ) {
2008-02-28 00:50:00 +03:00
DEBUG ( 1 , ( " sam_account_ok: Account for user '%s' password must change!. \n " ,
name_for_logs ) ) ;
return NT_STATUS_PASSWORD_MUST_CHANGE ;
}
2006-04-27 23:50:13 +04:00
2009-06-18 05:08:46 +04:00
/* check for expired password (but not if this is a password change request) */
if ( ( must_change_time < now ) & & ! password_change ) {
2008-02-28 00:50:00 +03:00
DEBUG ( 1 , ( " sam_account_ok: Account for user '%s' password expired!. \n " ,
name_for_logs ) ) ;
DEBUG ( 1 , ( " sam_account_ok: Password expired at '%s' unix time. \n " ,
nt_time_string ( mem_ctx , must_change_time ) ) ) ;
return NT_STATUS_PASSWORD_EXPIRED ;
2006-04-27 23:50:13 +04:00
}
/* Test workstation. Workstation list is comma separated. */
if ( logon_workstation & & workstation_list & & * workstation_list ) {
2007-10-07 02:16:19 +04:00
bool invalid_ws = true ;
2006-04-27 23:50:13 +04:00
int i ;
2008-10-12 02:56:56 +04:00
const char * * workstations = ( const char * * ) str_list_make ( mem_ctx , workstation_list , " , " ) ;
2006-04-27 23:50:13 +04:00
for ( i = 0 ; workstations & & workstations [ i ] ; i + + ) {
DEBUG ( 10 , ( " sam_account_ok: checking for workstation match '%s' and '%s' \n " ,
workstations [ i ] , logon_workstation ) ) ;
2007-07-30 12:58:39 +04:00
if ( strequal ( workstations [ i ] , logon_workstation ) ) {
2007-10-07 02:16:19 +04:00
invalid_ws = false ;
2006-04-27 23:50:13 +04:00
break ;
}
}
talloc_free ( workstations ) ;
if ( invalid_ws ) {
return NT_STATUS_INVALID_WORKSTATION ;
}
}
2007-07-27 10:31:12 +04:00
if ( ! logon_hours_ok ( msg , name_for_logs ) ) {
return NT_STATUS_INVALID_LOGON_HOURS ;
}
2008-12-04 17:09:21 +03:00
if ( ! allow_domain_trust ) {
if ( acct_flags & ACB_DOMTRUST ) {
DEBUG ( 2 , ( " sam_account_ok: Domain trust account %s denied by server \n " , name_for_logs ) ) ;
return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT ;
}
2006-04-27 23:50:13 +04:00
}
if ( ! ( logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT ) ) {
if ( acct_flags & ACB_SVRTRUST ) {
DEBUG ( 2 , ( " sam_account_ok: Server trust account %s denied by server \n " , name_for_logs ) ) ;
return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT ;
}
}
if ( ! ( logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT ) ) {
if ( acct_flags & ACB_WSTRUST ) {
DEBUG ( 4 , ( " sam_account_ok: Wksta trust account %s denied by server \n " , name_for_logs ) ) ;
return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT ;
}
}
return NT_STATUS_OK ;
}
_PUBLIC_ NTSTATUS authsam_make_server_info ( TALLOC_CTX * mem_ctx , struct ldb_context * sam_ctx ,
2007-12-03 17:53:17 +03:00
const char * netbios_name ,
2009-05-26 06:31:39 +04:00
const char * domain_name ,
struct ldb_dn * domain_dn ,
2007-12-03 17:53:17 +03:00
struct ldb_message * msg ,
DATA_BLOB user_sess_key , DATA_BLOB lm_sess_key ,
struct auth_serversupplied_info * * _server_info )
2006-04-27 23:50:13 +04:00
{
struct auth_serversupplied_info * server_info ;
2009-06-04 08:07:35 +04:00
int group_ret = 0 ;
2006-04-27 23:50:13 +04:00
/* find list of sids */
struct dom_sid * * groupSIDs = NULL ;
struct dom_sid * account_sid ;
struct dom_sid * primary_group_sid ;
const char * str ;
int i ;
uint_t rid ;
2009-06-04 08:07:35 +04:00
TALLOC_CTX * tmp_ctx = talloc_new ( mem_ctx ) ;
struct ldb_message_element * el ;
2006-04-27 23:50:13 +04:00
2009-06-04 08:07:35 +04:00
server_info = talloc ( tmp_ctx , struct auth_serversupplied_info ) ;
NT_STATUS_HAVE_NO_MEMORY_AND_FREE ( server_info , tmp_ctx ) ;
2006-04-27 23:50:13 +04:00
2009-06-04 08:07:35 +04:00
el = ldb_msg_find_element ( msg , " memberOf " ) ;
if ( el ! = NULL ) {
group_ret = el - > num_values ;
2006-04-27 23:50:13 +04:00
groupSIDs = talloc_array ( server_info , struct dom_sid * , group_ret ) ;
2009-06-04 08:07:35 +04:00
NT_STATUS_HAVE_NO_MEMORY_AND_FREE ( groupSIDs , tmp_ctx ) ;
2006-04-27 23:50:13 +04:00
}
2009-06-04 08:07:35 +04:00
/* TODO Note: this is incomplete. We need to unroll some
* nested groups , but not aliases */
2006-04-27 23:50:13 +04:00
for ( i = 0 ; i < group_ret ; i + + ) {
2009-06-04 08:07:35 +04:00
struct ldb_dn * dn ;
const struct ldb_val * v ;
enum ndr_err_code ndr_err ;
dn = ldb_dn_from_ldb_val ( tmp_ctx , sam_ctx , & el - > values [ i ] ) ;
if ( dn = = NULL ) {
talloc_free ( tmp_ctx ) ;
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
v = ldb_dn_get_extended_component ( dn , " SID " ) ;
groupSIDs [ i ] = talloc ( groupSIDs , struct dom_sid ) ;
NT_STATUS_HAVE_NO_MEMORY_AND_FREE ( groupSIDs [ i ] , tmp_ctx ) ;
ndr_err = ndr_pull_struct_blob ( v , groupSIDs [ i ] , NULL , groupSIDs [ i ] ,
( ndr_pull_flags_fn_t ) ndr_pull_dom_sid ) ;
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
talloc_free ( tmp_ctx ) ;
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
2006-04-27 23:50:13 +04:00
}
account_sid = samdb_result_dom_sid ( server_info , msg , " objectSid " ) ;
2009-06-04 08:07:35 +04:00
NT_STATUS_HAVE_NO_MEMORY_AND_FREE ( account_sid , tmp_ctx ) ;
2006-04-27 23:50:13 +04:00
primary_group_sid = dom_sid_dup ( server_info , account_sid ) ;
2009-06-04 08:07:35 +04:00
NT_STATUS_HAVE_NO_MEMORY_AND_FREE ( primary_group_sid , tmp_ctx ) ;
2006-04-27 23:50:13 +04:00
rid = samdb_result_uint ( msg , " primaryGroupID " , ~ 0 ) ;
if ( rid = = ~ 0 ) {
if ( group_ret > 0 ) {
primary_group_sid = groupSIDs [ 0 ] ;
} else {
primary_group_sid = NULL ;
}
} else {
primary_group_sid - > sub_auths [ primary_group_sid - > num_auths - 1 ] = rid ;
}
server_info - > account_sid = account_sid ;
server_info - > primary_group_sid = primary_group_sid ;
server_info - > n_domain_groups = group_ret ;
server_info - > domain_groups = groupSIDs ;
server_info - > account_name = talloc_steal ( server_info , samdb_result_string ( msg , " sAMAccountName " , NULL ) ) ;
2009-05-26 06:31:39 +04:00
server_info - > domain_name = talloc_strdup ( server_info , domain_name ) ;
2009-06-04 08:07:35 +04:00
NT_STATUS_HAVE_NO_MEMORY_AND_FREE ( server_info - > domain_name , tmp_ctx ) ;
2006-04-27 23:50:13 +04:00
str = samdb_result_string ( msg , " displayName " , " " ) ;
server_info - > full_name = talloc_strdup ( server_info , str ) ;
2009-06-04 08:07:35 +04:00
NT_STATUS_HAVE_NO_MEMORY_AND_FREE ( server_info - > full_name , tmp_ctx ) ;
2006-04-27 23:50:13 +04:00
str = samdb_result_string ( msg , " scriptPath " , " " ) ;
server_info - > logon_script = talloc_strdup ( server_info , str ) ;
2009-06-04 08:07:35 +04:00
NT_STATUS_HAVE_NO_MEMORY_AND_FREE ( server_info - > logon_script , tmp_ctx ) ;
2006-04-27 23:50:13 +04:00
str = samdb_result_string ( msg , " profilePath " , " " ) ;
server_info - > profile_path = talloc_strdup ( server_info , str ) ;
2009-06-04 08:07:35 +04:00
NT_STATUS_HAVE_NO_MEMORY_AND_FREE ( server_info - > profile_path , tmp_ctx ) ;
2006-04-27 23:50:13 +04:00
str = samdb_result_string ( msg , " homeDirectory " , " " ) ;
server_info - > home_directory = talloc_strdup ( server_info , str ) ;
2009-06-04 08:07:35 +04:00
NT_STATUS_HAVE_NO_MEMORY_AND_FREE ( server_info - > home_directory , tmp_ctx ) ;
2006-04-27 23:50:13 +04:00
str = samdb_result_string ( msg , " homeDrive " , " " ) ;
server_info - > home_drive = talloc_strdup ( server_info , str ) ;
2009-06-04 08:07:35 +04:00
NT_STATUS_HAVE_NO_MEMORY_AND_FREE ( server_info - > home_drive , tmp_ctx ) ;
2006-04-27 23:50:13 +04:00
2007-12-03 17:53:17 +03:00
server_info - > logon_server = talloc_strdup ( server_info , netbios_name ) ;
2009-06-04 08:07:35 +04:00
NT_STATUS_HAVE_NO_MEMORY_AND_FREE ( server_info - > logon_server , tmp_ctx ) ;
2006-04-27 23:50:13 +04:00
server_info - > last_logon = samdb_result_nttime ( msg , " lastLogon " , 0 ) ;
server_info - > last_logoff = samdb_result_nttime ( msg , " lastLogoff " , 0 ) ;
2008-03-25 07:25:13 +03:00
server_info - > acct_expiry = samdb_result_account_expires ( msg ) ;
2006-04-27 23:50:13 +04:00
server_info - > last_password_change = samdb_result_nttime ( msg , " pwdLastSet " , 0 ) ;
server_info - > allow_password_change
= samdb_result_allow_password_change ( sam_ctx , mem_ctx ,
2009-05-26 08:47:11 +04:00
domain_dn , msg , " pwdLastSet " ) ;
2006-04-27 23:50:13 +04:00
server_info - > force_password_change
= samdb_result_force_password_change ( sam_ctx , mem_ctx ,
2009-05-26 08:47:11 +04:00
domain_dn , msg ) ;
2006-04-27 23:50:13 +04:00
server_info - > logon_count = samdb_result_uint ( msg , " logonCount " , 0 ) ;
server_info - > bad_password_count = samdb_result_uint ( msg , " badPwdCount " , 0 ) ;
2008-02-28 00:50:00 +03:00
server_info - > acct_flags = samdb_result_acct_flags ( sam_ctx , mem_ctx ,
msg , domain_dn ) ;
2006-04-27 23:50:13 +04:00
server_info - > user_session_key = user_sess_key ;
server_info - > lm_session_key = lm_sess_key ;
2007-10-07 02:16:19 +04:00
server_info - > authenticated = true ;
2006-04-27 23:50:13 +04:00
2009-06-04 08:07:35 +04:00
* _server_info = talloc_steal ( mem_ctx , server_info ) ;
2006-04-27 23:50:13 +04:00
return NT_STATUS_OK ;
}
2008-04-02 06:53:27 +04:00
NTSTATUS sam_get_results_principal ( struct ldb_context * sam_ctx ,
2006-04-27 23:50:13 +04:00
TALLOC_CTX * mem_ctx , const char * principal ,
2009-07-28 08:05:19 +04:00
const char * * attrs ,
2009-05-26 06:31:39 +04:00
struct ldb_dn * * domain_dn ,
2009-06-04 08:07:35 +04:00
struct ldb_message * * msg )
2006-04-27 23:50:13 +04:00
{
2009-05-26 06:31:39 +04:00
struct ldb_dn * user_dn ;
2006-04-27 23:50:13 +04:00
NTSTATUS nt_status ;
TALLOC_CTX * tmp_ctx = talloc_new ( mem_ctx ) ;
int ret ;
if ( ! tmp_ctx ) {
return NT_STATUS_NO_MEMORY ;
}
2009-07-28 08:05:19 +04:00
nt_status = crack_user_principal_name ( sam_ctx , tmp_ctx , principal ,
& user_dn , domain_dn ) ;
2006-04-27 23:50:13 +04:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
talloc_free ( tmp_ctx ) ;
return nt_status ;
}
/* pull the user attributes */
2009-06-04 08:07:35 +04:00
ret = gendb_search_single_extended_dn ( sam_ctx , tmp_ctx , user_dn , LDB_SCOPE_BASE ,
2009-07-28 08:05:19 +04:00
msg , attrs , " (objectClass=*) " ) ;
2009-06-04 08:07:35 +04:00
if ( ret ! = LDB_SUCCESS ) {
2006-04-27 23:50:13 +04:00
talloc_free ( tmp_ctx ) ;
return NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
2009-06-04 08:07:35 +04:00
talloc_steal ( mem_ctx , * msg ) ;
2009-05-26 06:31:39 +04:00
talloc_steal ( mem_ctx , * domain_dn ) ;
2006-04-27 23:50:13 +04:00
talloc_free ( tmp_ctx ) ;
return NT_STATUS_OK ;
}