sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-08 21:18:16 +03:00
Code
dd69be8020
samba-mirror/source3/winbindd/winbindd_pam_auth_crap.c

219 lines
6.3 KiB
C
Raw Normal View History

s3: Convert WINBINDD_PAM_AUTH_CRAP to the new async API
2010-03-31 01:02:36 +04:00
/*
Unix SMB/CIFS implementation.
async implementation of WINBINDD_PAM_AUTH_CRAP
Copyright (C) Volker Lendecke 2010
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "winbindd.h"
winbindd: pass down validation to append_auth_data() Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-12-02 12:27:12 +03:00
#include "rpc_client/util_netlogon.h"
winbindd: use add_trusted_domain_from_auth After a successfully authentication, ensure we have the users domain in our domain list and the TDC. Signed-off-by: Ralph Boehme <slow@samba.org>
2017-11-29 12:55:25 +03:00
#include "libcli/security/dom_sid.h"
s3: safe_string: do not include string_wrappers.h Rather than have safe_string.h #include string_wrappers.h, make users of string_wrappers.h include it explicitly. includes.h now no longer includes string_wrappers.h transitively. Still allow includes.h to #include safe_string.h for now so that as many modules as possible get the safety checks in it. Signed-off-by: Matthew DeVore <matvore@google.com> Reviewed-by: David Mulder <dmulder@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2020-08-07 21:17:34 +03:00
#include "lib/util/string_wrappers.h"
lib: give global_contexts.c its own header file It's a bit shocking how many references we have to global contexts. Make this a bit more obvious. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-03 23:53:49 +03:00
#include "lib/global_contexts.h"
s3: Convert WINBINDD_PAM_AUTH_CRAP to the new async API
2010-03-31 01:02:36 +04:00
struct winbindd_pam_auth_crap_state {
struct winbindd_response *response;
s3:winbind: Use uint8_t for authoritative flag It is the type used in the winbindd_response struct. Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2022-04-18 17:44:23 +03:00
uint8_t authoritative;
winbind: Extend wbcAuthenticateUserEx to provide PAC With this new interface, external applications that have authenticated to an ADS can pass the PAC from the Kerberos ticket to wbcAuthenticateUserEx. winbindd decodes and extracts the info3 information for the external application. If winbindd can verify the PAC signature, the info3 from the PACis also added to the netsamlogon_cache. The info3 data can be used by the external application to get the uid and primary gid. The data in netsamlogon_cache allows to retrieve the complete group list through the NSS function getgrouplist. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-07-19 01:38:47 +04:00
uint32_t flags;
s3:winbind: Refactor winbindd_pam_auth_crap_{send,recv} The winbindd_dual_pam_auth_crap() will be converted to a local RPC call handler and the winbindd_response won't be filled by the child process but in the parent's winbindd_pam_auth_crap_recv() function. Move all code filling the winbindd_response struct to a common place, winbindd_pam_auth_crap_recv(). Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2022-02-24 20:02:42 +03:00
bool pac_is_trusted;
uint16_t validation_level;
union netr_Validation *validation;
s3: Convert WINBINDD_PAM_AUTH_CRAP to the new async API
2010-03-31 01:02:36 +04:00
};
static void winbindd_pam_auth_crap_done(struct tevent_req *subreq);
struct tevent_req *winbindd_pam_auth_crap_send(
TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct winbindd_cli_state *cli,
struct winbindd_request *request)
{
struct tevent_req *req, *subreq;
struct winbindd_pam_auth_crap_state *state;
struct winbindd_domain *domain;
winbindd: do not modify credentials in NTLM passthrough When doing NTLM validation of credentials, do not modify the credentials - they might be used in the calculation of the response. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12375 Signed-off-by: Uri Simchoni <uri@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-10-22 22:40:26 +03:00
const char *auth_domain = NULL;
s3: Convert WINBINDD_PAM_AUTH_CRAP to the new async API
2010-03-31 01:02:36 +04:00
req = tevent_req_create(mem_ctx, &state,
struct winbindd_pam_auth_crap_state);
if (req == NULL) {
return NULL;
}
s3:winbind: Use uint8_t for authoritative flag It is the type used in the winbindd_response struct. Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2022-04-18 17:44:23 +03:00
state->authoritative = 1;
winbindd: use add_trusted_domain_from_auth After a successfully authentication, ensure we have the users domain in our domain list and the TDC. Signed-off-by: Ralph Boehme <slow@samba.org>
2017-11-29 12:55:25 +03:00
state->flags = request->flags;
if (state->flags & WBFLAG_PAM_AUTH_PAC) {
winbind: Extend wbcAuthenticateUserEx to provide PAC With this new interface, external applications that have authenticated to an ADS can pass the PAC from the Kerberos ticket to wbcAuthenticateUserEx. winbindd decodes and extracts the info3 information for the external application. If winbindd can verify the PAC signature, the info3 from the PACis also added to the netsamlogon_cache. The info3 data can be used by the external application to get the uid and primary gid. The data in netsamlogon_cache allows to retrieve the complete group list through the NSS function getgrouplist. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-07-19 01:38:47 +04:00
NTSTATUS status;
winbindd: rename winbindd_pam_auth_pac_send and let it return validation Just a preperational step. The next commit will update the caller to make use of the validation info. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-09 10:38:18 +03:00
status = winbindd_pam_auth_pac_verify(cli,
s3:winbind: Use temp memory context in winbindd_pam_auth_pac_verify() Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2022-02-25 14:11:36 +03:00
state,
s3:winbind: Refactor winbindd_pam_auth_crap_{send,recv} The winbindd_dual_pam_auth_crap() will be converted to a local RPC call handler and the winbindd_response won't be filled by the child process but in the parent's winbindd_pam_auth_crap_recv() function. Move all code filling the winbindd_response struct to a common place, winbindd_pam_auth_crap_recv(). Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2022-02-24 20:02:42 +03:00
&state->pac_is_trusted,
&state->validation_level,
&state->validation);
winbindd: complete WBFLAG_PAM_AUTH_PAC handling in winbindd_pam_auth_crap_send() winbindd_pam_auth_crap_recv() should not have any real logic. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-24 01:10:42 +03:00
if (tevent_req_nterror(req, status)) {
return tevent_req_post(req, ev);
}
tevent_req_done(req);
winbind: Extend wbcAuthenticateUserEx to provide PAC With this new interface, external applications that have authenticated to an ADS can pass the PAC from the Kerberos ticket to wbcAuthenticateUserEx. winbindd decodes and extracts the info3 information for the external application. If winbindd can verify the PAC signature, the info3 from the PACis also added to the netsamlogon_cache. The info3 data can be used by the external application to get the uid and primary gid. The data in netsamlogon_cache allows to retrieve the complete group list through the NSS function getgrouplist. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-07-19 01:38:47 +04:00
return tevent_req_post(req, ev);
}
s3: Convert WINBINDD_PAM_AUTH_CRAP to the new async API
2010-03-31 01:02:36 +04:00
/* Ensure null termination */
request->data.auth_crap.user[
sizeof(request->data.auth_crap.user)-1] = '\0';
request->data.auth_crap.domain[
sizeof(request->data.auth_crap.domain)-1] = '\0';
s3: Ensure NULL termination for "workstation" in auth_crap
2010-09-09 18:25:09 +04:00
request->data.auth_crap.workstation[
sizeof(request->data.auth_crap.workstation)-1] = '\0';
s3: Convert WINBINDD_PAM_AUTH_CRAP to the new async API
2010-03-31 01:02:36 +04:00
DEBUG(3, ("[%5lu]: pam auth crap domain: [%s] user: %s\n",
(unsigned long)cli->pid,
request->data.auth_crap.domain,
request->data.auth_crap.user));
if (!check_request_flags(request->flags)) {
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
return tevent_req_post(req, ev);
}
winbindd: do not modify credentials in NTLM passthrough When doing NTLM validation of credentials, do not modify the credentials - they might be used in the calculation of the response. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12375 Signed-off-by: Uri Simchoni <uri@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-10-22 22:40:26 +03:00
auth_domain = request->data.auth_crap.domain;
if (auth_domain[0] == '\0') {
auth_domain = lp_workgroup();
s3: Convert WINBINDD_PAM_AUTH_CRAP to the new async API
2010-03-31 01:02:36 +04:00
}
winbindd: do not modify credentials in NTLM passthrough When doing NTLM validation of credentials, do not modify the credentials - they might be used in the calculation of the response. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12375 Signed-off-by: Uri Simchoni <uri@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-10-22 22:40:26 +03:00
domain = find_auth_domain(request->flags, auth_domain);
s3: Convert WINBINDD_PAM_AUTH_CRAP to the new async API
2010-03-31 01:02:36 +04:00
if (domain == NULL) {
CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true We need to make sure that temporary failures don't trigger a fallback to the local SAM that silently ignores the domain name part for users. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-04 18:29:34 +03:00
/*
* We don't know the domain so
* we're not authoritative
*/
s3:winbind: Use uint8_t for authoritative flag It is the type used in the winbindd_response struct. Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2022-04-18 17:44:23 +03:00
state->authoritative = 0;
s3: Convert WINBINDD_PAM_AUTH_CRAP to the new async API
2010-03-31 01:02:36 +04:00
tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
return tevent_req_post(req, ev);
}
s3: Fill in workstation in winbindd_pam_auth_crap_send
2010-09-09 05:09:07 +04:00
if (request->data.auth_crap.workstation[0] == '\0') {
s3-param Remove special case for global_myname(), rename to lp_netbios_name() There is no reason this can't be a normal constant string in the loadparm system, now that we have lp_set_cmdline() to handle overrides correctly. Andrew Bartlett
2011-06-09 09:31:03 +04:00
fstrcpy(request->data.auth_crap.workstation, lp_netbios_name());
s3: Fill in workstation in winbindd_pam_auth_crap_send
2010-09-09 05:09:07 +04:00
}
s3:winbind: Move big NTLMv2 blob checks to parent process The winbindd_dual_pam_auth_crap() function will be converted to a local RPC call handler and it won't receive a winbindd_cli_state struct. Move the checks accessing this struct to the parent. Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2022-02-24 19:48:27 +03:00
if (request->data.auth_crap.lm_resp_len > sizeof(request->data.auth_crap.lm_resp)
|| request->data.auth_crap.nt_resp_len > sizeof(request->data.auth_crap.nt_resp)) {
if (!(request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
request->extra_len != request->data.auth_crap.nt_resp_len) {
DBG_ERR("Invalid password length %u/%u\n",
request->data.auth_crap.lm_resp_len,
request->data.auth_crap.nt_resp_len);
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
return tevent_req_post(req, ev);
}
}
s3: Rename server_event_context() to global_event_context() This reflects that the event context is also used outside of the server processes. The command used for the rename: find . -name '*.[hc]' -print0 | xargs -0 sed -i 's/server_event_context/global_event_context/' Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
2018-08-21 21:06:16 +03:00
subreq = wb_domain_request_send(state, global_event_context(), domain,
s3: Convert WINBINDD_PAM_AUTH_CRAP to the new async API
2010-03-31 01:02:36 +04:00
request);
if (tevent_req_nomem(subreq, req)) {
return tevent_req_post(req, ev);
}
tevent_req_set_callback(subreq, winbindd_pam_auth_crap_done, req);
return req;
}
static void winbindd_pam_auth_crap_done(struct tevent_req *subreq)
{
struct tevent_req *req = tevent_req_callback_data(
subreq, struct tevent_req);
struct winbindd_pam_auth_crap_state *state = tevent_req_data(
req, struct winbindd_pam_auth_crap_state);
int res, err;
res = wb_domain_request_recv(subreq, state, &state->response, &err);
TALLOC_FREE(subreq);
if (res == -1) {
tevent_req_nterror(req, map_nt_error_from_unix(err));
return;
}
winbindd: call add_trusted_domain_from_auth() in winbindd_pam_auth_crap_done() Bug: https://bugzilla.samba.org/show_bug.cgi?id=13262 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
2018-01-24 00:00:35 +03:00
s3: Convert WINBINDD_PAM_AUTH_CRAP to the new async API
2010-03-31 01:02:36 +04:00
tevent_req_done(req);
}
NTSTATUS winbindd_pam_auth_crap_recv(struct tevent_req *req,
struct winbindd_response *response)
{
struct winbindd_pam_auth_crap_state *state = tevent_req_data(
req, struct winbindd_pam_auth_crap_state);
NTSTATUS status;
if (tevent_req_is_nterror(req, &status)) {
set_auth_errors(response, status);
CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true We need to make sure that temporary failures don't trigger a fallback to the local SAM that silently ignores the domain name part for users. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-04 18:29:34 +03:00
response->data.auth.authoritative = state->authoritative;
s3: Convert WINBINDD_PAM_AUTH_CRAP to the new async API
2010-03-31 01:02:36 +04:00
return status;
}
winbind: Extend wbcAuthenticateUserEx to provide PAC With this new interface, external applications that have authenticated to an ADS can pass the PAC from the Kerberos ticket to wbcAuthenticateUserEx. winbindd decodes and extracts the info3 information for the external application. If winbindd can verify the PAC signature, the info3 from the PACis also added to the netsamlogon_cache. The info3 data can be used by the external application to get the uid and primary gid. The data in netsamlogon_cache allows to retrieve the complete group list through the NSS function getgrouplist. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-07-19 01:38:47 +04:00
s3:winbind: Refactor winbindd_pam_auth_crap_{send,recv} The winbindd_dual_pam_auth_crap() will be converted to a local RPC call handler and the winbindd_response won't be filled by the child process but in the parent's winbindd_pam_auth_crap_recv() function. Move all code filling the winbindd_response struct to a common place, winbindd_pam_auth_crap_recv(). Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2022-02-24 20:02:42 +03:00
if (state->flags & WBFLAG_PAM_AUTH_PAC) {
state->response = talloc_zero(state,
struct winbindd_response);
if (state->response == NULL) {
status = NT_STATUS_NO_MEMORY;
set_auth_errors(response, status);
response->data.auth.authoritative = state->authoritative;
return status;
}
state->response->result = WINBINDD_PENDING;
state->response->length = sizeof(struct winbindd_response);
status = append_auth_data(state->response,
state->response,
state->flags,
state->validation_level,
state->validation,
NULL, NULL);
if (NT_STATUS_IS_ERR(status)) {
set_auth_errors(response, status);
response->data.auth.authoritative = state->authoritative;
return status;
}
if (!state->pac_is_trusted) {
/*
* Clear the flag in state to do no add the domain
* from auth below.
*/
state->flags &= ~WBFLAG_PAM_INFO3_TEXT;
}
}
s3:winbind: Refactor winbindd_pam_auth_crap_{send,recv} Move the code filling the winbindd_response to a common place, winbindd_pam_auth_crap_recv(). Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2022-02-18 17:29:13 +03:00
if (NT_STATUS_IS_OK(NT_STATUS(state->response->data.auth.nt_status)) &&
(state->flags & WBFLAG_PAM_INFO3_TEXT)) {
bool ok;
ok = add_trusted_domain_from_auth(
state->response->data.auth.validation_level,
&state->response->data.auth.info3,
&state->response->data.auth.info6);
if (!ok) {
status = NT_STATUS_LOGON_FAILURE;
DBG_ERR("add_trusted_domain_from_auth failed\n");
set_auth_errors(response, status);
response->data.auth.authoritative =
state->authoritative;
return status;
}
}
s3: Convert WINBINDD_PAM_AUTH_CRAP to the new async API
2010-03-31 01:02:36 +04:00
*response = *state->response;
response->result = WINBINDD_PENDING;
state->response = talloc_move(response, &state->response);
return NT_STATUS(response->data.auth.nt_status);
}
Copy Permalink