2010-03-29 19:52:38 +04:00
/*
Unix SMB / CIFS implementation .
async implementation of WINBINDD_PAM_AUTH
Copyright ( C ) Volker Lendecke 2010
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 3 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program . If not , see < http : //www.gnu.org/licenses/>.
*/
# include "includes.h"
# include "winbindd.h"
2017-11-29 12:55:25 +03:00
# include "libcli/security/dom_sid.h"
2010-03-29 19:52:38 +04:00
struct winbindd_pam_auth_state {
2010-04-18 16:14:43 +04:00
struct winbindd_request * request ;
2010-03-29 19:52:38 +04:00
struct winbindd_response * response ;
} ;
static void winbindd_pam_auth_done ( struct tevent_req * subreq ) ;
struct tevent_req * winbindd_pam_auth_send ( TALLOC_CTX * mem_ctx ,
struct tevent_context * ev ,
struct winbindd_cli_state * cli ,
struct winbindd_request * request )
{
struct tevent_req * req , * subreq ;
struct winbindd_pam_auth_state * state ;
struct winbindd_domain * domain ;
2018-04-26 18:32:42 +03:00
fstring name_namespace , name_domain , name_user ;
2010-03-29 19:52:38 +04:00
char * mapped = NULL ;
NTSTATUS status ;
2018-04-26 18:32:42 +03:00
bool ok ;
2010-03-29 19:52:38 +04:00
req = tevent_req_create ( mem_ctx , & state ,
struct winbindd_pam_auth_state ) ;
if ( req = = NULL ) {
return NULL ;
}
2010-04-18 16:14:43 +04:00
state - > request = request ;
2010-03-29 19:52:38 +04:00
/* Ensure null termination */
request - > data . auth . user [ sizeof ( request - > data . auth . user ) - 1 ] = ' \0 ' ;
request - > data . auth . pass [ sizeof ( request - > data . auth . pass ) - 1 ] = ' \0 ' ;
2018-11-05 13:56:21 +03:00
DBG_NOTICE ( " [%s (%u)]: pam auth %s \n " ,
cli - > client_name ,
( unsigned int ) cli - > pid ,
request - > data . auth . user ) ;
2010-03-29 19:52:38 +04:00
if ( ! check_request_flags ( request - > flags ) ) {
tevent_req_nterror ( req , NT_STATUS_INVALID_PARAMETER_MIX ) ;
return tevent_req_post ( req , ev ) ;
}
/* Parse domain and username */
status = normalize_name_unmap ( state , request - > data . auth . user , & mapped ) ;
2010-07-29 23:44:00 +04:00
/* If the name normalization changed something, copy it over the given
name */
2010-03-29 19:52:38 +04:00
if ( NT_STATUS_IS_OK ( status )
| | NT_STATUS_EQUAL ( status , NT_STATUS_FILE_RENAMED ) ) {
2010-07-29 23:44:00 +04:00
fstrcpy ( request - > data . auth . user , mapped ) ;
2010-03-29 19:52:38 +04:00
}
2018-04-26 18:32:42 +03:00
ok = canonicalize_username ( request - > data . auth . user ,
name_namespace ,
name_domain ,
name_user ) ;
if ( ! ok ) {
2010-03-29 19:52:38 +04:00
tevent_req_nterror ( req , NT_STATUS_NO_SUCH_USER ) ;
return tevent_req_post ( req , ev ) ;
}
2018-04-26 18:32:42 +03:00
domain = find_auth_domain ( request - > flags , name_namespace ) ;
2010-03-29 19:52:38 +04:00
if ( domain = = NULL ) {
tevent_req_nterror ( req , NT_STATUS_NO_SUCH_USER ) ;
return tevent_req_post ( req , ev ) ;
}
2018-08-21 21:06:16 +03:00
subreq = wb_domain_request_send ( state , global_event_context ( ) , domain ,
2010-03-29 19:52:38 +04:00
request ) ;
if ( tevent_req_nomem ( subreq , req ) ) {
return tevent_req_post ( req , ev ) ;
}
tevent_req_set_callback ( subreq , winbindd_pam_auth_done , req ) ;
return req ;
}
static void winbindd_pam_auth_done ( struct tevent_req * subreq )
{
struct tevent_req * req = tevent_req_callback_data (
subreq , struct tevent_req ) ;
struct winbindd_pam_auth_state * state = tevent_req_data (
req , struct winbindd_pam_auth_state ) ;
int res , err ;
res = wb_domain_request_recv ( subreq , state , & state - > response , & err ) ;
TALLOC_FREE ( subreq ) ;
if ( res = = - 1 ) {
tevent_req_nterror ( req , map_nt_error_from_unix ( err ) ) ;
return ;
}
tevent_req_done ( req ) ;
}
NTSTATUS winbindd_pam_auth_recv ( struct tevent_req * req ,
struct winbindd_response * response )
{
struct winbindd_pam_auth_state * state = tevent_req_data (
req , struct winbindd_pam_auth_state ) ;
NTSTATUS status ;
if ( tevent_req_is_nterror ( req , & status ) ) {
set_auth_errors ( response , status ) ;
return status ;
}
* response = * state - > response ;
response - > result = WINBINDD_PENDING ;
state - > response = talloc_move ( response , & state - > response ) ;
2010-04-18 16:14:43 +04:00
status = NT_STATUS ( response - > data . auth . nt_status ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
2017-11-29 12:55:25 +03:00
if ( state - > request - > flags & WBFLAG_PAM_INFO3_TEXT ) {
bool ok ;
ok = add_trusted_domain_from_auth (
state - > response - > data . auth . validation_level ,
& state - > response - > data . auth . info3 ,
& state - > response - > data . auth . info6 ) ;
if ( ! ok ) {
DBG_ERR ( " add_trusted_domain_from_auth failed \n " ) ;
set_auth_errors ( response , NT_STATUS_LOGON_FAILURE ) ;
return NT_STATUS_LOGON_FAILURE ;
}
}
2010-04-18 16:14:43 +04:00
if ( state - > request - > flags & WBFLAG_PAM_CACHED_LOGIN ) {
/* Store in-memory creds for single-signon using ntlm_auth. */
status = winbindd_add_memory_creds (
state - > request - > data . auth . user ,
get_uid_from_request ( state - > request ) ,
state - > request - > data . auth . pass ) ;
DEBUG ( 10 , ( " winbindd_add_memory_creds returned: %s \n " ,
nt_errstr ( status ) ) ) ;
}
return status ;
2010-03-29 19:52:38 +04:00
}