2001-11-24 12:16:27 +00:00
/*
2002-01-30 06:08:46 +00:00
Unix SMB / CIFS implementation .
2001-11-24 12:16:27 +00:00
Winbind authentication mechnism
Copyright ( C ) Tim Potter 2000
2002-09-25 15:19:00 +00:00
Copyright ( C ) Andrew Bartlett 2001 - 2002
2010-04-11 11:50:55 +02:00
2001-11-24 12:16:27 +00:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-09 19:25:36 +00:00
the Free Software Foundation ; either version 3 of the License , or
2001-11-24 12:16:27 +00:00
( at your option ) any later version .
2010-04-11 11:50:55 +02:00
2001-11-24 12:16:27 +00:00
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
2010-04-11 11:50:55 +02:00
2001-11-24 12:16:27 +00:00
You should have received a copy of the GNU General Public License
2007-07-10 00:52:41 +00:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2001-11-24 12:16:27 +00:00
*/
# include "includes.h"
2011-03-25 02:28:05 +01:00
# include "auth.h"
2018-12-08 23:25:40 +01:00
# include "passdb.h"
2011-02-24 22:30:16 +01:00
# include "nsswitch/libwbclient/wbclient.h"
2001-11-24 12:16:27 +00:00
2002-07-15 10:35:28 +00:00
# undef DBGC_CLASS
# define DBGC_CLASS DBGC_AUTH
2001-11-24 12:16:27 +00:00
/* Authenticate a user with a challenge/response */
2002-01-05 04:55:41 +00:00
static NTSTATUS check_winbind_security ( const struct auth_context * auth_context ,
void * my_private_data ,
2002-01-01 03:10:32 +00:00
TALLOC_CTX * mem_ctx ,
2010-01-10 14:16:04 +01:00
const struct auth_usersupplied_info * user_info ,
2010-01-10 14:24:22 +01:00
struct auth_serversupplied_info * * server_info )
2001-11-24 12:16:27 +00:00
{
NTSTATUS nt_status ;
2008-02-04 18:18:36 +01:00
wbcErr wbc_status ;
struct wbcAuthUserParams params ;
struct wbcAuthUserInfo * info = NULL ;
struct wbcAuthErrorInfo * err = NULL ;
2001-11-24 12:16:27 +00:00
2011-01-14 05:14:22 -07:00
ZERO_STRUCT ( params ) ;
2001-11-24 12:16:27 +00:00
if ( ! user_info ) {
2002-08-17 17:00:51 +00:00
return NT_STATUS_INVALID_PARAMETER ;
2001-11-24 12:16:27 +00:00
}
2010-06-16 12:31:11 +02:00
DEBUG ( 10 , ( " Check auth for: [%s] \n " , user_info - > mapped . account_name ) ) ;
2010-05-29 16:49:37 -04:00
2002-01-05 04:55:41 +00:00
if ( ! auth_context ) {
2001-11-26 04:05:28 +00:00
DEBUG ( 3 , ( " Password for user %s cannot be checked because we have no auth_info to get the challenge from. \n " ,
2010-06-01 20:30:56 +10:00
user_info - > mapped . account_name ) ) ;
2003-07-03 14:36:42 +00:00
return NT_STATUS_INVALID_PARAMETER ;
2001-11-24 12:16:27 +00:00
}
2010-06-01 21:11:14 +10:00
if ( strequal ( user_info - > mapped . domain_name , get_global_sam_name ( ) ) ) {
2003-12-19 00:33:09 +00:00
DEBUG ( 3 , ( " check_winbind_security: Not using winbind, requested domain [%s] was for this SAM. \n " ,
2010-06-01 21:11:14 +10:00
user_info - > mapped . domain_name ) ) ;
2003-07-03 14:36:42 +00:00
return NT_STATUS_NOT_IMPLEMENTED ;
}
2001-11-24 12:16:27 +00:00
/* Send off request */
2010-06-01 20:27:03 +10:00
params . account_name = user_info - > client . account_name ;
2013-04-24 15:27:21 +02:00
/*
* We need to send the domain name from the client to the DC . With
* NTLMv2 the domain name is part of the hashed second challenge ,
* if we change the domain name , the DC will fail to verify the
* challenge cause we changed the domain name , this is like a
* man in the middle attack .
*/
params . domain_name = user_info - > client . domain_name ;
2010-06-01 11:23:50 +10:00
params . workstation_name = user_info - > workstation_name ;
2001-11-24 12:16:27 +00:00
2008-02-04 18:18:36 +01:00
params . flags = 0 ;
params . parameter_control = user_info - > logon_parameters ;
2001-11-24 12:16:27 +00:00
2008-02-04 18:18:36 +01:00
params . level = WBC_AUTH_USER_LEVEL_RESPONSE ;
2005-11-08 06:19:34 +00:00
2008-02-04 18:18:36 +01:00
memcpy ( params . password . response . challenge ,
auth_context - > challenge . data ,
sizeof ( params . password . response . challenge ) ) ;
2002-01-25 10:16:20 +00:00
2011-01-14 05:14:22 -07:00
if ( user_info - > password . response . nt . length ! = 0 ) {
params . password . response . nt_length =
user_info - > password . response . nt . length ;
params . password . response . nt_data =
user_info - > password . response . nt . data ;
}
if ( user_info - > password . response . lanman . length ! = 0 ) {
params . password . response . lm_length =
user_info - > password . response . lanman . length ;
params . password . response . lm_data =
user_info - > password . response . lanman . data ;
}
2003-07-03 14:36:42 +00:00
/* we are contacting the privileged pipe */
become_root ( ) ;
2008-02-04 18:18:36 +01:00
wbc_status = wbcAuthenticateUserEx ( & params , & info , & err ) ;
2003-07-03 14:36:42 +00:00
unbecome_root ( ) ;
2001-11-24 12:16:27 +00:00
2008-03-26 01:25:57 +01:00
if ( ! WBC_ERROR_IS_OK ( wbc_status ) ) {
DEBUG ( 10 , ( " check_winbind_security: wbcAuthenticateUserEx failed: %s \n " ,
wbcErrorString ( wbc_status ) ) ) ;
}
2008-02-04 18:18:36 +01:00
if ( wbc_status = = WBC_ERR_NO_MEMORY ) {
return NT_STATUS_NO_MEMORY ;
}
if ( wbc_status = = WBC_ERR_WINBIND_NOT_AVAILABLE ) {
2018-12-08 23:25:40 +01:00
struct pdb_trusted_domain * * domains = NULL ;
uint32_t num_domains = 0 ;
NTSTATUS status ;
if ( lp_server_role ( ) = = ROLE_DOMAIN_MEMBER ) {
status = NT_STATUS_NO_LOGON_SERVERS ;
DBG_ERR ( " winbindd not running - "
" but required as domain member: %s \n " ,
nt_errstr ( status ) ) ;
return status ;
}
status = pdb_enum_trusted_domains ( talloc_tos ( ) , & num_domains , & domains ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DBG_ERR ( " pdb_enum_trusted_domains() failed - %s \n " ,
nt_errstr ( status ) ) ;
return status ;
}
TALLOC_FREE ( domains ) ;
if ( num_domains = = 0 ) {
DBG_DEBUG ( " winbindd not running - ignoring without "
" trusted domains \n " ) ;
return NT_STATUS_NOT_IMPLEMENTED ;
}
status = NT_STATUS_NO_LOGON_SERVERS ;
DBG_ERR ( " winbindd not running - "
" but required as DC with trusts: %s \n " ,
nt_errstr ( status ) ) ;
return status ;
2003-04-24 11:56:09 +00:00
}
2008-02-04 18:18:36 +01:00
if ( wbc_status = = WBC_ERR_AUTH_ERROR ) {
nt_status = NT_STATUS ( err - > nt_status ) ;
2017-02-11 10:25:44 +01:00
if ( NT_STATUS_EQUAL ( nt_status , NT_STATUS_NO_SUCH_USER ) & &
( err - > authoritative = = 0 ) ) {
/*
* Trigger a fallback to local SAM
*/
nt_status = NT_STATUS_NOT_IMPLEMENTED ;
}
2008-02-04 18:18:36 +01:00
wbcFreeMemory ( err ) ;
return nt_status ;
}
if ( ! WBC_ERROR_IS_OK ( wbc_status ) ) {
return NT_STATUS_LOGON_FAILURE ;
}
nt_status = make_server_info_wbcAuthUserInfo ( mem_ctx ,
2010-06-01 20:27:03 +10:00
user_info - > client . account_name ,
2010-06-01 21:11:14 +10:00
user_info - > mapped . domain_name ,
2008-02-04 18:18:36 +01:00
info , server_info ) ;
wbcFreeMemory ( info ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
return nt_status ;
}
2008-05-06 17:37:00 +02:00
( * server_info ) - > nss_token | = user_info - > was_mapped ;
2001-11-24 12:16:27 +00:00
return nt_status ;
}
2002-01-05 04:55:41 +00:00
/* module initialisation */
2020-01-03 13:47:14 +01:00
static NTSTATUS auth_init_winbind (
struct auth_context * auth_context ,
const char * param ,
struct auth_methods * * auth_method )
2001-11-24 12:16:27 +00:00
{
2010-04-11 12:37:48 +02:00
struct auth_methods * result ;
2011-06-07 11:44:43 +10:00
result = talloc_zero ( auth_context , struct auth_methods ) ;
2010-04-11 12:37:48 +02:00
if ( result = = NULL ) {
2003-05-26 16:38:35 +00:00
return NT_STATUS_NO_MEMORY ;
}
2010-04-11 12:37:48 +02:00
result - > name = " winbind " ;
result - > auth = check_winbind_security ;
2003-04-24 11:56:09 +00:00
2010-04-11 12:37:48 +02:00
* auth_method = result ;
2002-07-15 10:35:28 +00:00
return NT_STATUS_OK ;
2001-11-24 12:16:27 +00:00
}
2003-04-16 12:13:07 +00:00
2017-04-20 12:24:43 -07:00
NTSTATUS auth_winbind_init ( TALLOC_CTX * mem_ctx )
2003-04-16 12:13:07 +00:00
{
2003-04-28 17:48:48 +00:00
return smb_register_auth ( AUTH_INTERFACE_VERSION , " winbind " , auth_init_winbind ) ;
2003-04-16 12:13:07 +00:00
}