2001-11-24 15:16:27 +03:00
/*
2002-01-30 09:08:46 +03:00
Unix SMB / CIFS implementation .
2001-11-24 15:16:27 +03:00
Winbind authentication mechnism
Copyright ( C ) Tim Potter 2000
2002-09-25 19:19:00 +04:00
Copyright ( C ) Andrew Bartlett 2001 - 2002
2001-11-24 15:16:27 +03:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 2 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program ; if not , write to the Free Software
Foundation , Inc . , 675 Mass Ave , Cambridge , MA 0213 9 , USA .
*/
# include "includes.h"
2002-07-15 14:35:28 +04:00
# undef DBGC_CLASS
# define DBGC_CLASS DBGC_AUTH
2002-11-16 00:43:57 +03:00
static NTSTATUS get_info3_from_ndr ( TALLOC_CTX * mem_ctx , struct winbindd_response * response , NET_USER_INFO_3 * info3 )
2002-08-17 21:00:51 +04:00
{
uint8 * info3_ndr ;
2003-07-01 00:41:40 +04:00
size_t len = response - > length - sizeof ( struct winbindd_response ) ;
2002-08-17 21:00:51 +04:00
prs_struct ps ;
if ( len > 0 ) {
2006-04-12 18:10:39 +04:00
info3_ndr = response - > extra_data . data ;
2002-08-17 21:00:51 +04:00
if ( ! prs_init ( & ps , len , mem_ctx , UNMARSHALL ) ) {
return NT_STATUS_NO_MEMORY ;
}
2003-08-15 08:42:05 +04:00
prs_copy_data_in ( & ps , ( char * ) info3_ndr , len ) ;
2003-02-15 01:55:46 +03:00
prs_set_offset ( & ps , 0 ) ;
2005-09-30 21:13:37 +04:00
if ( ! net_io_user_info3 ( " " , info3 , & ps , 1 , 3 , False ) ) {
2002-08-17 21:00:51 +04:00
DEBUG ( 2 , ( " get_info3_from_ndr: could not parse info3 struct! \n " ) ) ;
return NT_STATUS_UNSUCCESSFUL ;
}
prs_mem_free ( & ps ) ;
return NT_STATUS_OK ;
} else {
DEBUG ( 2 , ( " get_info3_from_ndr: No info3 struct found! \n " ) ) ;
return NT_STATUS_UNSUCCESSFUL ;
}
}
2001-11-24 15:16:27 +03:00
/* Authenticate a user with a challenge/response */
2002-01-05 07:55:41 +03:00
static NTSTATUS check_winbind_security ( const struct auth_context * auth_context ,
void * my_private_data ,
2002-01-01 06:10:32 +03:00
TALLOC_CTX * mem_ctx ,
const auth_usersupplied_info * user_info ,
auth_serversupplied_info * * server_info )
2001-11-24 15:16:27 +03:00
{
struct winbindd_request request ;
struct winbindd_response response ;
NSS_STATUS result ;
NTSTATUS nt_status ;
2002-08-17 21:00:51 +04:00
NET_USER_INFO_3 info3 ;
2001-11-24 15:16:27 +03:00
if ( ! user_info ) {
2002-08-17 21:00:51 +04:00
return NT_STATUS_INVALID_PARAMETER ;
2001-11-24 15:16:27 +03:00
}
2002-01-05 07:55:41 +03:00
if ( ! auth_context ) {
2001-11-26 07:05:28 +03:00
DEBUG ( 3 , ( " Password for user %s cannot be checked because we have no auth_info to get the challenge from. \n " ,
2006-02-04 01:19:41 +03:00
user_info - > internal_username ) ) ;
2003-07-03 18:36:42 +04:00
return NT_STATUS_INVALID_PARAMETER ;
2001-11-24 15:16:27 +03:00
}
2006-02-04 01:19:41 +03:00
if ( strequal ( user_info - > domain , get_global_sam_name ( ) ) ) {
2003-12-19 03:33:09 +03:00
DEBUG ( 3 , ( " check_winbind_security: Not using winbind, requested domain [%s] was for this SAM. \n " ,
2006-02-04 01:19:41 +03:00
user_info - > domain ) ) ;
2003-07-03 18:36:42 +04:00
return NT_STATUS_NOT_IMPLEMENTED ;
}
2001-11-24 15:16:27 +03:00
/* Send off request */
ZERO_STRUCT ( request ) ;
ZERO_STRUCT ( response ) ;
2003-07-07 09:11:10 +04:00
request . flags = WBFLAG_PAM_INFO3_NDR ;
2001-11-24 15:16:27 +03:00
2005-11-08 09:19:34 +03:00
request . data . auth_crap . logon_parameters = user_info - > logon_parameters ;
2006-02-04 01:19:41 +03:00
fstrcpy ( request . data . auth_crap . user , user_info - > smb_name ) ;
fstrcpy ( request . data . auth_crap . domain , user_info - > domain ) ;
fstrcpy ( request . data . auth_crap . workstation , user_info - > wksta_name ) ;
2002-01-25 13:16:20 +03:00
2002-01-05 07:55:41 +03:00
memcpy ( request . data . auth_crap . chal , auth_context - > challenge . data , sizeof ( request . data . auth_crap . chal ) ) ;
2001-11-24 15:16:27 +03:00
request . data . auth_crap . lm_resp_len = MIN ( user_info - > lm_resp . length ,
sizeof ( request . data . auth_crap . lm_resp ) ) ;
request . data . auth_crap . nt_resp_len = MIN ( user_info - > nt_resp . length ,
sizeof ( request . data . auth_crap . nt_resp ) ) ;
memcpy ( request . data . auth_crap . lm_resp , user_info - > lm_resp . data ,
request . data . auth_crap . lm_resp_len ) ;
2002-08-17 21:00:51 +04:00
memcpy ( request . data . auth_crap . nt_resp , user_info - > nt_resp . data ,
request . data . auth_crap . nt_resp_len ) ;
2003-07-03 18:36:42 +04:00
/* we are contacting the privileged pipe */
become_root ( ) ;
2005-06-25 00:25:18 +04:00
result = winbindd_request_response ( WINBINDD_PAM_AUTH_CRAP , & request , & response ) ;
2003-07-03 18:36:42 +04:00
unbecome_root ( ) ;
2001-11-24 15:16:27 +03:00
2003-05-27 20:46:51 +04:00
if ( result = = NSS_STATUS_UNAVAIL ) {
2003-04-24 15:56:09 +04:00
struct auth_methods * auth_method = my_private_data ;
2003-05-27 20:46:51 +04:00
if ( auth_method )
return auth_method - > auth ( auth_context , auth_method - > private_data ,
mem_ctx , user_info , server_info ) ;
else
/* log an error since this should not happen */
DEBUG ( 0 , ( " check_winbind_security: ERROR! my_private_data == NULL! \n " ) ) ;
2003-04-24 15:56:09 +04:00
}
2002-08-17 21:00:51 +04:00
nt_status = NT_STATUS ( response . data . auth . nt_status ) ;
2006-04-12 18:10:39 +04:00
if ( result = = NSS_STATUS_SUCCESS & & response . extra_data . data ) {
2002-08-17 21:00:51 +04:00
if ( NT_STATUS_IS_OK ( nt_status ) ) {
2004-05-20 01:49:58 +04:00
if ( NT_STATUS_IS_OK ( nt_status = get_info3_from_ndr ( mem_ctx , & response , & info3 ) ) ) {
2003-10-07 20:34:23 +04:00
nt_status = make_server_info_info3 ( mem_ctx ,
2006-02-04 01:19:41 +03:00
user_info - > smb_name , user_info - > domain ,
2003-10-07 20:34:23 +04:00
server_info , & info3 ) ;
2001-11-24 15:16:27 +03:00
}
2003-10-07 20:34:23 +04:00
2006-05-06 23:24:35 +04:00
if ( NT_STATUS_IS_OK ( nt_status ) ) {
( * server_info ) - > was_mapped | = user_info - > was_mapped ;
}
2001-11-24 15:16:27 +03:00
}
2002-08-17 21:00:51 +04:00
} else if ( NT_STATUS_IS_OK ( nt_status ) ) {
2003-07-03 18:36:42 +04:00
nt_status = NT_STATUS_NO_LOGON_SERVERS ;
2001-11-24 15:16:27 +03:00
}
2006-04-12 18:10:39 +04:00
SAFE_FREE ( response . extra_data . data ) ;
2001-11-24 15:16:27 +03:00
return nt_status ;
}
2002-01-05 07:55:41 +03:00
/* module initialisation */
2003-06-04 20:40:50 +04:00
static NTSTATUS auth_init_winbind ( struct auth_context * auth_context , const char * param , auth_methods * * auth_method )
2001-11-24 15:16:27 +03:00
{
2003-05-26 20:38:35 +04:00
if ( ! make_auth_methods ( auth_context , auth_method ) ) {
return NT_STATUS_NO_MEMORY ;
}
2001-11-24 15:16:27 +03:00
2002-07-15 14:35:28 +04:00
( * auth_method ) - > name = " winbind " ;
2001-11-24 15:16:27 +03:00
( * auth_method ) - > auth = check_winbind_security ;
2003-04-24 15:56:09 +04:00
if ( param & & * param ) {
/* we load the 'fallback' module - if winbind isn't here, call this
module */
2003-04-28 18:23:44 +04:00
if ( ! load_auth_module ( auth_context , param , ( auth_methods * * ) & ( * auth_method ) - > private_data ) ) {
2003-04-24 15:56:09 +04:00
return NT_STATUS_UNSUCCESSFUL ;
}
}
2002-07-15 14:35:28 +04:00
return NT_STATUS_OK ;
2001-11-24 15:16:27 +03:00
}
2003-04-16 16:13:07 +04:00
2003-04-28 21:48:48 +04:00
NTSTATUS auth_winbind_init ( void )
2003-04-16 16:13:07 +04:00
{
2003-04-28 21:48:48 +04:00
return smb_register_auth ( AUTH_INTERFACE_VERSION , " winbind " , auth_init_winbind ) ;
2003-04-16 16:13:07 +04:00
}