Line data    Source code

       1             : /* 
       2             :    Unix SMB/CIFS implementation.
       3             : 
       4             :    Winbind authentication mechanism
       5             : 
       6             :    Copyright (C) Tim Potter 2000
       7             :    Copyright (C) Andrew Bartlett 2001 - 2002
       8             : 
       9             :    This program is free software; you can redistribute it and/or modify
      10             :    it under the terms of the GNU General Public License as published by
      11             :    the Free Software Foundation; either version 3 of the License, or
      12             :    (at your option) any later version.
      13             : 
      14             :    This program is distributed in the hope that it will be useful,
      15             :    but WITHOUT ANY WARRANTY; without even the implied warranty of
      16             :    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      17             :    GNU General Public License for more details.
      18             : 
      19             :    You should have received a copy of the GNU General Public License
      20             :    along with this program.  If not, see <http://www.gnu.org/licenses/>.
      21             : */
      22             : 
      23             : #include "includes.h"
      24             : #include "auth.h"
      25             : #include "passdb.h"
      26             : #include "nsswitch/libwbclient/wbclient.h"
      27             : 
      28             : #undef DBGC_CLASS
      29             : #define DBGC_CLASS DBGC_AUTH
      30             : 
      31             : /* Authenticate a user with a challenge/response */
      32             : 
      33        3521 : static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
      34             :                                        void *my_private_data, 
      35             :                                        TALLOC_CTX *mem_ctx,
      36             :                                        const struct auth_usersupplied_info *user_info,
      37             :                                        struct auth_serversupplied_info **server_info)
      38             : {
      39           0 :         NTSTATUS nt_status;
      40           0 :         wbcErr wbc_status;
      41           0 :         struct wbcAuthUserParams params;
      42        3521 :         struct wbcAuthUserInfo *info = NULL;
      43        3521 :         struct wbcAuthErrorInfo *err = NULL;
      44             : 
      45        3521 :         ZERO_STRUCT(params);
      46             : 
      47        3521 :         if (!user_info) {
      48           0 :                 return NT_STATUS_INVALID_PARAMETER;
      49             :         }
      50             : 
      51        3521 :         DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));
      52             : 
      53        3521 :         if (!auth_context) {
      54           0 :                 DEBUG(3,("Password for user %s cannot be checked because we have no auth_info to get the challenge from.\n", 
      55             :                          user_info->mapped.account_name));
      56           0 :                 return NT_STATUS_INVALID_PARAMETER;
      57             :         }               
      58             : 
      59        3521 :         if (strequal(user_info->mapped.domain_name, get_global_sam_name())) {
      60           7 :                 DEBUG(3,("check_winbind_security: Not using winbind, requested domain [%s] was for this SAM.\n",
      61             :                         user_info->mapped.domain_name));
      62           7 :                 return NT_STATUS_NOT_IMPLEMENTED;
      63             :         }
      64             : 
      65             :         /* Send off request */
      66        3514 :         params.account_name     = user_info->client.account_name;
      67             :         /*
      68             :          * We need to send the domain name from the client to the DC. With
      69             :          * NTLMv2 the domain name is part of the hashed second challenge,
      70             :          * if we change the domain name, the DC will fail to verify the
      71             :          * challenge cause we changed the domain name, this is like a
      72             :          * man in the middle attack.
      73             :          */
      74        3514 :         params.domain_name      = user_info->client.domain_name;
      75        3514 :         params.workstation_name = user_info->workstation_name;
      76             : 
      77        3514 :         params.flags            = 0;
      78        3514 :         params.parameter_control= user_info->logon_parameters;
      79             : 
      80        3514 :         params.level            = WBC_AUTH_USER_LEVEL_RESPONSE;
      81             : 
      82        3514 :         memcpy(params.password.response.challenge,
      83        3514 :                auth_context->challenge.data,
      84             :                sizeof(params.password.response.challenge));
      85             : 
      86        3514 :         if (user_info->password.response.nt.length != 0) {
      87        3498 :                 params.password.response.nt_length =
      88        3498 :                         user_info->password.response.nt.length;
      89        3498 :                 params.password.response.nt_data =
      90        3498 :                         user_info->password.response.nt.data;
      91             :         }
      92        3514 :         if (user_info->password.response.lanman.length != 0) {
      93        3466 :                 params.password.response.lm_length =
      94        3466 :                         user_info->password.response.lanman.length;
      95        3466 :                 params.password.response.lm_data =
      96        3466 :                         user_info->password.response.lanman.data;
      97             :         }
      98             : 
      99             :         /* we are contacting the privileged pipe */
     100        3514 :         become_root();
     101        3514 :         wbc_status = wbcAuthenticateUserEx(&params, &info, &err);
     102        3514 :         unbecome_root();
     103             : 
     104        3514 :         if (!WBC_ERROR_IS_OK(wbc_status)) {
     105        3282 :                 DEBUG(10,("check_winbind_security: wbcAuthenticateUserEx failed: %s\n",
     106             :                         wbcErrorString(wbc_status)));
     107             :         }
     108             : 
     109        3514 :         if (wbc_status == WBC_ERR_NO_MEMORY) {
     110           0 :                 return NT_STATUS_NO_MEMORY;
     111             :         }
     112             : 
     113        3514 :         if (wbc_status == WBC_ERR_WINBIND_NOT_AVAILABLE) {
     114           0 :                 struct pdb_trusted_domain **domains = NULL;
     115           0 :                 uint32_t num_domains = 0;
     116           0 :                 NTSTATUS status;
     117             : 
     118           0 :                 if (lp_server_role() == ROLE_DOMAIN_MEMBER) {
     119           0 :                         status = NT_STATUS_NO_LOGON_SERVERS;
     120           0 :                         DBG_ERR("winbindd not running - "
     121             :                                 "but required as domain member: %s\n",
     122             :                                 nt_errstr(status));
     123           0 :                         return status;
     124             :                 }
     125             : 
     126           0 :                 status = pdb_enum_trusted_domains(talloc_tos(), &num_domains, &domains);
     127           0 :                 if (!NT_STATUS_IS_OK(status)) {
     128           0 :                         DBG_ERR("pdb_enum_trusted_domains() failed - %s\n",
     129             :                                 nt_errstr(status));
     130           0 :                         return status;
     131             :                 }
     132           0 :                 TALLOC_FREE(domains);
     133             : 
     134           0 :                 if (num_domains == 0) {
     135           0 :                         DBG_DEBUG("winbindd not running - ignoring without "
     136             :                                   "trusted domains\n");
     137           0 :                         return NT_STATUS_NOT_IMPLEMENTED;
     138             :                 }
     139             : 
     140           0 :                 status = NT_STATUS_NO_LOGON_SERVERS;
     141           0 :                 DBG_ERR("winbindd not running - "
     142             :                         "but required as DC with trusts: %s\n",
     143             :                         nt_errstr(status));
     144           0 :                 return status;
     145             :         }
     146             : 
     147        3514 :         if (wbc_status == WBC_ERR_AUTH_ERROR) {
     148        3282 :                 nt_status = NT_STATUS(err->nt_status);
     149             : 
     150        3282 :                 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) &&
     151        3266 :                     (err->authoritative == 0)) {
     152             :                         /*
     153             :                          * Trigger a fallback to local SAM
     154             :                          */
     155        3194 :                         nt_status = NT_STATUS_NOT_IMPLEMENTED;
     156             :                 }
     157             : 
     158        3282 :                 wbcFreeMemory(err);
     159        3282 :                 return nt_status;
     160             :         }
     161             : 
     162         232 :         if (!WBC_ERROR_IS_OK(wbc_status)) {
     163           0 :                 return NT_STATUS_LOGON_FAILURE;
     164             :         }
     165             : 
     166         232 :         nt_status = make_server_info_wbcAuthUserInfo(mem_ctx,
     167         232 :                                                      user_info->client.account_name,
     168         232 :                                                      user_info->mapped.domain_name,
     169             :                                                      info, server_info);
     170         232 :         wbcFreeMemory(info);
     171         232 :         if (!NT_STATUS_IS_OK(nt_status)) {
     172           4 :                 return nt_status;
     173             :         }
     174             : 
     175         228 :         (*server_info)->nss_token |= user_info->was_mapped;
     176             : 
     177         228 :         return nt_status;
     178             : }
     179             : 
     180             : /* module initialisation */
     181       47860 : static NTSTATUS auth_init_winbind(
     182             :         struct auth_context *auth_context,
     183             :         const char *param,
     184             :         struct auth_methods **auth_method)
     185             : {
     186           0 :         struct auth_methods *result;
     187             : 
     188       47860 :         result = talloc_zero(auth_context, struct auth_methods);
     189       47860 :         if (result == NULL) {
     190           0 :                 return NT_STATUS_NO_MEMORY;
     191             :         }
     192       47860 :         result->name = "winbind";
     193       47860 :         result->auth = check_winbind_security;
     194             : 
     195       47860 :         *auth_method = result;
     196       47860 :         return NT_STATUS_OK;
     197             : }
     198             : 
     199       31182 : NTSTATUS auth_winbind_init(TALLOC_CTX *mem_ctx)
     200             : {
     201       31182 :         return smb_register_auth(AUTH_INTERFACE_VERSION, "winbind", auth_init_winbind);
     202             : }