1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-26 10:04:02 +03:00
samba-mirror/nsswitch/krb5_plugin/winbind_krb5_localauth.c
Andreas Schneider 03357bc825 nssswitch: Log user access to kerberos
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Feb 18 13:01:12 CET 2019 on sn-devel-144
2019-02-18 13:01:12 +01:00

281 lines
6.6 KiB
C

/*
Unix SMB/CIFS implementation.
A localauth plugin for MIT Kerberos
Copyright (C) 2018 Andreas Schneider <asn@samba.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "replace.h"
#include <krb5/localauth_plugin.h>
#include <wbclient.h>
#ifdef HAVE_COM_ERR_H
#include <com_err.h>
#endif
struct krb5_localauth_moddata_st {
struct wbcContext *wbc_ctx;
};
/*
* Initialize the module data.
*
* This creates the wbclient context.
*/
static krb5_error_code winbind_init(krb5_context context,
krb5_localauth_moddata *data)
{
krb5_localauth_moddata d;
*data = NULL;
d = malloc(sizeof(struct krb5_localauth_moddata_st));
if (d == NULL) {
return ENOMEM;
}
d->wbc_ctx = wbcCtxCreate();
if (d->wbc_ctx == NULL) {
free(d);
return ENOMEM;
}
wbcSetClientProcessName("krb5_localauth_plugin");
*data = d;
return 0;
}
/*
* Release resources used by module data.
*/
static void winbind_fini(krb5_context context, krb5_localauth_moddata data)
{
wbcCtxFree(data->wbc_ctx);
free(data);
data = NULL;
}
/*
* Determine whether aname is authorized to log in as the local account lname.
*
* Return 0 if aname is authorized, EPERM if aname is authoritatively not
* authorized, KRB5_PLUGIN_NO_HANDLE if the module cannot determine whether
* aname is authorized, and any other error code for a serious failure to
* process the request. aname will be considered authorized if at least one
* module returns 0 and all other modules return KRB5_PLUGIN_NO_HANDLE.
*/
static krb5_error_code winbind_userok(krb5_context context,
krb5_localauth_moddata data,
krb5_const_principal aname,
const char *lname)
{
krb5_error_code code = 0;
char *princ_str = NULL;
struct passwd *pwd = NULL;
uid_t princ_uid = (uid_t)-1;
uid_t lname_uid = (uid_t)-1;
wbcErr wbc_status;
int cmp;
code = krb5_unparse_name(context, aname, &princ_str);
if (code != 0) {
return code;
}
cmp = strcasecmp(princ_str, lname);
if (cmp == 0) {
goto out;
}
wbc_status = wbcCtxGetpwnam(data->wbc_ctx,
princ_str,
&pwd);
switch (wbc_status) {
case WBC_ERR_SUCCESS:
princ_uid = pwd->pw_uid;
code = 0;
break;
case WBC_ERR_UNKNOWN_USER:
/* match other insane libwbclient return codes */
case WBC_ERR_WINBIND_NOT_AVAILABLE:
case WBC_ERR_DOMAIN_NOT_FOUND:
code = KRB5_PLUGIN_NO_HANDLE;
break;
default:
code = EIO;
break;
}
wbcFreeMemory(pwd);
if (code != 0) {
goto out;
}
wbc_status = wbcCtxGetpwnam(data->wbc_ctx,
lname,
&pwd);
switch (wbc_status) {
case WBC_ERR_SUCCESS:
lname_uid = pwd->pw_uid;
break;
case WBC_ERR_UNKNOWN_USER:
/* match other insane libwbclient return codes */
case WBC_ERR_WINBIND_NOT_AVAILABLE:
case WBC_ERR_DOMAIN_NOT_FOUND:
code = KRB5_PLUGIN_NO_HANDLE;
break;
default:
code = EIO;
break;
}
wbcFreeMemory(pwd);
if (code != 0) {
goto out;
}
if (princ_uid != lname_uid) {
code = EPERM;
}
com_err("winbind_localauth",
code,
"Access %s: %s (uid=%u) %sequal to %s (uid=%u)",
code == 0 ? "granted" : "denied",
princ_str,
(unsigned int)princ_uid,
code == 0 ? "" : "not ",
lname,
(unsigned int)lname_uid);
out:
krb5_free_unparsed_name(context, princ_str);
return code;
}
/*
* Determine the local account name corresponding to aname.
*
* Return 0 and set *lname_out if a mapping can be determined; the contents of
* *lname_out will later be released with a call to the module's free_string
* method. Return KRB5_LNAME_NOTRANS if no mapping can be determined. Return
* any other error code for a serious failure to process the request; this will
* halt the krb5_aname_to_localname operation.
*
* If the module's an2ln_types field is set, this method will only be invoked
* when a profile "auth_to_local" value references one of the module's types.
* type and residual will be set to the type and residual of the auth_to_local
* value.
*
* If the module's an2ln_types field is not set but the an2ln method is
* implemented, this method will be invoked independently of the profile's
* auth_to_local settings, with type and residual set to NULL. If multiple
* modules are registered with an2ln methods but no an2ln_types field, the
* order of invocation is not defined, but all such modules will be consulted
* before the built-in mechanisms are tried.
*/
static krb5_error_code winbind_an2ln(krb5_context context,
krb5_localauth_moddata data,
const char *type,
const char *residual,
krb5_const_principal aname,
char **lname_out)
{
krb5_error_code code = 0;
char *princ_str = NULL;
char *name = NULL;
struct passwd *pwd = NULL;
wbcErr wbc_status;
code = krb5_unparse_name(context, aname, &princ_str);
if (code != 0) {
return code;
}
wbc_status = wbcCtxGetpwnam(data->wbc_ctx,
princ_str,
&pwd);
krb5_free_unparsed_name(context, princ_str);
switch (wbc_status) {
case WBC_ERR_SUCCESS:
name = strdup(pwd->pw_name);
code = 0;
break;
case WBC_ERR_UNKNOWN_USER:
/* match other insane libwbclient return codes */
case WBC_ERR_WINBIND_NOT_AVAILABLE:
case WBC_ERR_DOMAIN_NOT_FOUND:
code = KRB5_LNAME_NOTRANS;
break;
default:
code = EIO;
break;
}
wbcFreeMemory(pwd);
if (code != 0) {
return code;
}
if (name == NULL) {
return ENOMEM;
}
*lname_out = name;
return code;
}
/*
* Release the memory returned by an invocation of an2ln.
*/
static void winbind_free_string(krb5_context context,
krb5_localauth_moddata data,
char *str)
{
free(str);
}
krb5_error_code
localauth_winbind_initvt(krb5_context context,
int maj_ver,
int min_ver,
krb5_plugin_vtable vtable);
krb5_error_code
localauth_winbind_initvt(krb5_context context,
int maj_ver,
int min_ver,
krb5_plugin_vtable vtable)
{
krb5_localauth_vtable vt = (krb5_localauth_vtable)vtable;
if (maj_ver != 1) {
com_err("winbind_localauth",
EINVAL,
"Failed to load, plugin API changed.");
return KRB5_PLUGIN_VER_NOTSUPP;
}
vt->init = winbind_init;
vt->fini = winbind_fini;
vt->name = "winbind";
vt->an2ln = winbind_an2ln;
vt->userok = winbind_userok;
vt->free_string = winbind_free_string;
return 0;
}