2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Volker Lendecke 2006
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../libcli/auth/libcli_auth.h"
27 #include "../lib/crypto/arcfour.h"
28 #include "rpc_client/init_lsa.h"
29 #include "../libcli/security/security.h"
30 #include "../lib/util/util_pw.h"
31 #include "lib/winbind_util.h"
35 #define DBGC_CLASS DBGC_AUTH
37 /****************************************************************************
38 Create a UNIX user on demand.
39 ****************************************************************************/
41 static int _smb_create_user(const char *domain, const char *unix_username, const char *homedir)
43 TALLOC_CTX *ctx = talloc_tos();
47 add_script = talloc_strdup(ctx, lp_adduser_script());
48 if (!add_script || !*add_script) {
51 add_script = talloc_all_string_sub(ctx,
59 add_script = talloc_all_string_sub(ctx,
68 add_script = talloc_all_string_sub(ctx,
76 ret = smbrun(add_script,NULL);
79 ("smb_create_user: Running the command `%s' gave %d\n",
84 /****************************************************************************
85 Create an auth_usersupplied_data structure after appropriate mapping.
86 ****************************************************************************/
88 NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info,
90 const char *client_domain,
91 const char *workstation_name,
94 const struct samr_Password *lm_interactive_pwd,
95 const struct samr_Password *nt_interactive_pwd,
96 const char *plaintext,
97 enum auth_password_state password_state)
102 char *internal_username = NULL;
104 was_mapped = map_username(talloc_tos(), smb_name, &internal_username);
105 if (!internal_username) {
106 return NT_STATUS_NO_MEMORY;
109 DEBUG(5, ("Mapping user [%s]\\[%s] from workstation [%s]\n",
110 client_domain, smb_name, workstation_name));
112 domain = client_domain;
114 /* If you connect to a Windows domain member using a bogus domain name,
115 * the Windows box will map the BOGUS\user to SAMNAME\user. Thus, if
116 * the Windows box is a DC the name will become DOMAIN\user and be
117 * authenticated against AD, if the Windows box is a member server but
118 * not a DC the name will become WORKSTATION\user. A standalone
119 * non-domain member box will also map to WORKSTATION\user.
120 * This also deals with the client passing in a "" domain */
122 if (!is_trusted_domain(domain) &&
123 !strequal(domain, my_sam_name()))
125 if (lp_map_untrusted_to_domain())
126 domain = my_sam_name();
128 domain = get_global_sam_name();
129 DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] from "
130 "workstation [%s]\n",
131 client_domain, domain, smb_name, workstation_name));
134 /* We know that the given domain is trusted (and we are allowing them),
135 * it is our global SAM name, or for legacy behavior it is our
136 * primary domain name */
138 result = make_user_info(user_info, smb_name, internal_username,
139 client_domain, domain, workstation_name,
141 lm_interactive_pwd, nt_interactive_pwd,
142 plaintext, password_state);
143 if (NT_STATUS_IS_OK(result)) {
144 /* We have tried mapping */
145 (*user_info)->mapped_state = True;
146 /* did we actually map the user to a different name? */
147 (*user_info)->was_mapped = was_mapped;
152 /****************************************************************************
153 Create an auth_usersupplied_data, making the DATA_BLOBs here.
154 Decrypt and encrypt the passwords.
155 ****************************************************************************/
157 bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info,
158 const char *smb_name,
159 const char *client_domain,
160 const char *workstation_name,
161 uint32 logon_parameters,
162 const uchar *lm_network_pwd,
164 const uchar *nt_network_pwd,
169 DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len);
170 DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
172 status = make_user_info_map(user_info,
173 smb_name, client_domain,
175 lm_pwd_len ? &lm_blob : NULL,
176 nt_pwd_len ? &nt_blob : NULL,
178 AUTH_PASSWORD_RESPONSE);
180 if (NT_STATUS_IS_OK(status)) {
181 (*user_info)->logon_parameters = logon_parameters;
183 ret = NT_STATUS_IS_OK(status) ? True : False;
185 data_blob_free(&lm_blob);
186 data_blob_free(&nt_blob);
190 /****************************************************************************
191 Create an auth_usersupplied_data, making the DATA_BLOBs here.
192 Decrypt and encrypt the passwords.
193 ****************************************************************************/
195 bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_info,
196 const char *smb_name,
197 const char *client_domain,
198 const char *workstation_name,
199 uint32 logon_parameters,
201 const uchar lm_interactive_pwd[16],
202 const uchar nt_interactive_pwd[16],
203 const uchar *dc_sess_key)
205 struct samr_Password lm_pwd;
206 struct samr_Password nt_pwd;
207 unsigned char local_lm_response[24];
208 unsigned char local_nt_response[24];
209 unsigned char key[16];
211 memcpy(key, dc_sess_key, 16);
213 if (lm_interactive_pwd)
214 memcpy(lm_pwd.hash, lm_interactive_pwd, sizeof(lm_pwd.hash));
216 if (nt_interactive_pwd)
217 memcpy(nt_pwd.hash, nt_interactive_pwd, sizeof(nt_pwd.hash));
219 #ifdef DEBUG_PASSWORD
221 dump_data(100, key, sizeof(key));
223 DEBUG(100,("lm owf password:"));
224 dump_data(100, lm_pwd.hash, sizeof(lm_pwd.hash));
226 DEBUG(100,("nt owf password:"));
227 dump_data(100, nt_pwd.hash, sizeof(nt_pwd.hash));
230 if (lm_interactive_pwd)
231 arcfour_crypt(lm_pwd.hash, key, sizeof(lm_pwd.hash));
233 if (nt_interactive_pwd)
234 arcfour_crypt(nt_pwd.hash, key, sizeof(nt_pwd.hash));
236 #ifdef DEBUG_PASSWORD
237 DEBUG(100,("decrypt of lm owf password:"));
238 dump_data(100, lm_pwd.hash, sizeof(lm_pwd));
240 DEBUG(100,("decrypt of nt owf password:"));
241 dump_data(100, nt_pwd.hash, sizeof(nt_pwd));
244 if (lm_interactive_pwd)
245 SMBOWFencrypt(lm_pwd.hash, chal,
248 if (nt_interactive_pwd)
249 SMBOWFencrypt(nt_pwd.hash, chal,
252 /* Password info paranoia */
258 DATA_BLOB local_lm_blob;
259 DATA_BLOB local_nt_blob;
261 if (lm_interactive_pwd) {
262 local_lm_blob = data_blob(local_lm_response,
263 sizeof(local_lm_response));
266 if (nt_interactive_pwd) {
267 local_nt_blob = data_blob(local_nt_response,
268 sizeof(local_nt_response));
271 nt_status = make_user_info_map(
273 smb_name, client_domain, workstation_name,
274 lm_interactive_pwd ? &local_lm_blob : NULL,
275 nt_interactive_pwd ? &local_nt_blob : NULL,
276 lm_interactive_pwd ? &lm_pwd : NULL,
277 nt_interactive_pwd ? &nt_pwd : NULL,
278 NULL, AUTH_PASSWORD_HASH);
280 if (NT_STATUS_IS_OK(nt_status)) {
281 (*user_info)->logon_parameters = logon_parameters;
284 ret = NT_STATUS_IS_OK(nt_status) ? True : False;
285 data_blob_free(&local_lm_blob);
286 data_blob_free(&local_nt_blob);
292 /****************************************************************************
293 Create an auth_usersupplied_data structure
294 ****************************************************************************/
296 bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
297 const char *smb_name,
298 const char *client_domain,
300 DATA_BLOB plaintext_password)
303 DATA_BLOB local_lm_blob;
304 DATA_BLOB local_nt_blob;
305 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
306 char *plaintext_password_string;
308 * Not encrypted - do so.
311 DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted "
313 if (plaintext_password.data && plaintext_password.length) {
314 unsigned char local_lm_response[24];
316 #ifdef DEBUG_PASSWORD
317 DEBUG(10,("Unencrypted password (len %d):\n",
318 (int)plaintext_password.length));
319 dump_data(100, plaintext_password.data,
320 plaintext_password.length);
323 SMBencrypt( (const char *)plaintext_password.data,
324 (const uchar*)chal, local_lm_response);
325 local_lm_blob = data_blob(local_lm_response, 24);
327 /* We can't do an NT hash here, as the password needs to be
329 local_nt_blob = data_blob_null;
331 local_lm_blob = data_blob_null;
332 local_nt_blob = data_blob_null;
335 plaintext_password_string = talloc_strndup(talloc_tos(),
336 (const char *)plaintext_password.data,
337 plaintext_password.length);
338 if (!plaintext_password_string) {
342 ret = make_user_info_map(
343 user_info, smb_name, client_domain,
344 get_remote_machine_name(),
345 local_lm_blob.data ? &local_lm_blob : NULL,
346 local_nt_blob.data ? &local_nt_blob : NULL,
348 plaintext_password_string,
349 AUTH_PASSWORD_PLAIN);
351 if (plaintext_password_string) {
352 memset(plaintext_password_string, '\0', strlen(plaintext_password_string));
353 talloc_free(plaintext_password_string);
356 data_blob_free(&local_lm_blob);
357 return NT_STATUS_IS_OK(ret) ? True : False;
360 /****************************************************************************
361 Create an auth_usersupplied_data structure
362 ****************************************************************************/
364 NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info,
365 const char *smb_name,
366 const char *client_domain,
367 DATA_BLOB lm_resp, DATA_BLOB nt_resp)
369 return make_user_info_map(user_info, smb_name,
371 get_remote_machine_name(),
372 lm_resp.data && (lm_resp.length > 0) ? &lm_resp : NULL,
373 nt_resp.data && (nt_resp.length > 0) ? &nt_resp : NULL,
375 AUTH_PASSWORD_RESPONSE);
378 /****************************************************************************
379 Create a guest user_info blob, for anonymous authenticaion.
380 ****************************************************************************/
382 bool make_user_info_guest(struct auth_usersupplied_info **user_info)
386 nt_status = make_user_info(user_info,
393 AUTH_PASSWORD_RESPONSE);
395 return NT_STATUS_IS_OK(nt_status) ? True : False;
398 static NTSTATUS log_nt_token(struct security_token *token)
400 TALLOC_CTX *frame = talloc_stackframe();
405 if ((lp_log_nt_token_command() == NULL) ||
406 (strlen(lp_log_nt_token_command()) == 0)) {
411 group_sidstr = talloc_strdup(frame, "");
412 for (i=1; i<token->num_sids; i++) {
413 group_sidstr = talloc_asprintf(
414 frame, "%s %s", group_sidstr,
415 sid_string_talloc(frame, &token->sids[i]));
418 command = talloc_string_sub(
419 frame, lp_log_nt_token_command(),
420 "%s", sid_string_talloc(frame, &token->sids[0]));
421 command = talloc_string_sub(frame, command, "%t", group_sidstr);
423 if (command == NULL) {
425 return NT_STATUS_NO_MEMORY;
428 DEBUG(8, ("running command: [%s]\n", command));
429 if (smbrun(command, NULL) != 0) {
430 DEBUG(0, ("Could not log NT token\n"));
432 return NT_STATUS_ACCESS_DENIED;
440 * Create the token to use from server_info->info3 and
441 * server_info->sids (the info3/sam groups). Find the unix gids.
444 NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
445 const struct auth_serversupplied_info *server_info,
446 DATA_BLOB *session_key,
447 struct auth_serversupplied_info **session_info_out)
449 struct security_token *t;
452 struct dom_sid tmp_sid;
453 struct auth_serversupplied_info *session_info;
454 struct wbcUnixId *ids;
456 /* Ensure we can't possible take a code path leading to a
459 return NT_STATUS_LOGON_FAILURE;
462 session_info = copy_serverinfo(mem_ctx, server_info);
465 return NT_STATUS_NO_MEMORY;
469 data_blob_free(&session_info->session_key);
470 session_info->session_key = data_blob_talloc(session_info,
472 session_key->length);
473 if (!session_info->session_key.data && session_key->length) {
474 return NT_STATUS_NO_MEMORY;
478 if (session_info->security_token) {
479 /* Just copy the token, it has already been finalised
480 * (nasty hack to support a cached guest session_info,
481 * and a possible strategy for auth_samba4 to pass in
482 * a finalised session) */
483 *session_info_out = session_info;
488 * If winbind is not around, we can not make much use of the SIDs the
489 * domain controller provided us with. Likewise if the user name was
490 * mapped to some local unix user.
493 if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
494 (session_info->nss_token)) {
495 status = create_token_from_username(session_info,
496 session_info->unix_name,
498 &session_info->utok.uid,
499 &session_info->utok.gid,
500 &session_info->unix_name,
501 &session_info->security_token);
504 status = create_local_nt_token_from_info3(session_info,
507 &session_info->extra,
508 &session_info->security_token);
511 if (!NT_STATUS_IS_OK(status)) {
515 /* Convert the SIDs to gids. */
517 session_info->utok.ngroups = 0;
518 session_info->utok.groups = NULL;
520 t = session_info->security_token;
522 ids = talloc_array(talloc_tos(), struct wbcUnixId,
525 return NT_STATUS_NO_MEMORY;
528 if (!sids_to_unix_ids(t->sids, t->num_sids, ids)) {
530 return NT_STATUS_NO_MEMORY;
533 /* Start at index 1, where the groups start. */
535 for (i=1; i<t->num_sids; i++) {
537 if (ids[i].type != WBC_ID_TYPE_GID) {
538 DEBUG(10, ("Could not convert SID %s to gid, "
540 sid_string_dbg(&t->sids[i])));
543 if (!add_gid_to_array_unique(session_info, ids[i].id.gid,
544 &session_info->utok.groups,
545 &session_info->utok.ngroups)) {
546 return NT_STATUS_NO_MEMORY;
551 * Add the "Unix Group" SID for each gid to catch mapped groups
552 * and their Unix equivalent. This is to solve the backwards
553 * compatibility problem of 'valid users = +ntadmin' where
554 * ntadmin has been paired with "Domain Admins" in the group
555 * mapping table. Otherwise smb.conf would need to be changed
556 * to 'valid user = "Domain Admins"'. --jerry
558 * For consistency we also add the "Unix User" SID,
559 * so that the complete unix token is represented within
563 uid_to_unix_users_sid(session_info->utok.uid, &tmp_sid);
565 add_sid_to_array_unique(session_info->security_token, &tmp_sid,
566 &session_info->security_token->sids,
567 &session_info->security_token->num_sids);
569 for ( i=0; i<session_info->utok.ngroups; i++ ) {
570 gid_to_unix_groups_sid(session_info->utok.groups[i], &tmp_sid);
571 add_sid_to_array_unique(session_info->security_token, &tmp_sid,
572 &session_info->security_token->sids,
573 &session_info->security_token->num_sids);
576 security_token_debug(DBGC_AUTH, 10, session_info->security_token);
577 debug_unix_user_token(DBGC_AUTH, 10,
578 session_info->utok.uid,
579 session_info->utok.gid,
580 session_info->utok.ngroups,
581 session_info->utok.groups);
583 status = log_nt_token(session_info->security_token);
584 if (!NT_STATUS_IS_OK(status)) {
588 *session_info_out = session_info;
592 /***************************************************************************
593 Make (and fill) a server_info struct from a 'struct passwd' by conversion
595 ***************************************************************************/
597 NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
602 struct samu *sampass = NULL;
603 char *qualified_name = NULL;
604 TALLOC_CTX *mem_ctx = NULL;
605 struct dom_sid u_sid;
606 enum lsa_SidType type;
607 struct auth_serversupplied_info *result;
610 * The SID returned in server_info->sam_account is based
611 * on our SAM sid even though for a pure UNIX account this should
612 * not be the case as it doesn't really exist in the SAM db.
613 * This causes lookups on "[in]valid users" to fail as they
614 * will lookup this name as a "Unix User" SID to check against
615 * the user token. Fix this by adding the "Unix User"\unix_username
616 * SID to the sid array. The correct fix should probably be
617 * changing the server_info->sam_account user SID to be a
618 * S-1-22 Unix SID, but this might break old configs where
619 * plaintext passwords were used with no SAM backend.
622 mem_ctx = talloc_init("make_server_info_pw_tmp");
624 return NT_STATUS_NO_MEMORY;
627 qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
628 unix_users_domain_name(),
630 if (!qualified_name) {
631 TALLOC_FREE(mem_ctx);
632 return NT_STATUS_NO_MEMORY;
635 if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
638 TALLOC_FREE(mem_ctx);
639 return NT_STATUS_NO_SUCH_USER;
642 TALLOC_FREE(mem_ctx);
644 if (type != SID_NAME_USER) {
645 return NT_STATUS_NO_SUCH_USER;
648 if ( !(sampass = samu_new( NULL )) ) {
649 return NT_STATUS_NO_MEMORY;
652 status = samu_set_unix( sampass, pwd );
653 if (!NT_STATUS_IS_OK(status)) {
657 /* In pathological cases the above call can set the account
658 * name to the DOMAIN\username form. Reset the account name
659 * using unix_username */
660 pdb_set_username(sampass, unix_username, PDB_SET);
662 /* set the user sid to be the calculated u_sid */
663 pdb_set_user_sid(sampass, &u_sid, PDB_SET);
665 result = make_server_info(NULL);
666 if (result == NULL) {
667 TALLOC_FREE(sampass);
668 return NT_STATUS_NO_MEMORY;
671 status = samu_to_SamInfo3(result, sampass, lp_netbios_name(),
672 &result->info3, &result->extra);
673 TALLOC_FREE(sampass);
674 if (!NT_STATUS_IS_OK(status)) {
675 DEBUG(10, ("Failed to convert samu to info3: %s\n",
681 result->unix_name = talloc_strdup(result, unix_username);
682 result->sanitized_username = sanitize_username(result, unix_username);
684 if ((result->unix_name == NULL)
685 || (result->sanitized_username == NULL)) {
687 return NT_STATUS_NO_MEMORY;
690 result->utok.uid = pwd->pw_uid;
691 result->utok.gid = pwd->pw_gid;
693 *server_info = result;
698 static NTSTATUS get_guest_info3(TALLOC_CTX *mem_ctx,
699 struct netr_SamInfo3 *info3)
701 const char *guest_account = lp_guestaccount();
702 struct dom_sid domain_sid;
706 pwd = Get_Pwnam_alloc(mem_ctx, guest_account);
708 DEBUG(0,("SamInfo3_for_guest: Unable to locate guest "
709 "account [%s]!\n", guest_account));
710 return NT_STATUS_NO_SUCH_USER;
713 /* Set acount name */
714 tmp = talloc_strdup(mem_ctx, pwd->pw_name);
716 return NT_STATUS_NO_MEMORY;
718 init_lsa_String(&info3->base.account_name, tmp);
720 /* Set domain name */
721 tmp = talloc_strdup(mem_ctx, get_global_sam_name());
723 return NT_STATUS_NO_MEMORY;
725 init_lsa_StringLarge(&info3->base.domain, tmp);
728 sid_copy(&domain_sid, get_global_sam_sid());
730 info3->base.domain_sid = dom_sid_dup(mem_ctx, &domain_sid);
731 if (info3->base.domain_sid == NULL) {
732 return NT_STATUS_NO_MEMORY;
736 info3->base.rid = DOMAIN_RID_GUEST;
739 info3->base.primary_gid = BUILTIN_RID_GUESTS;
745 /***************************************************************************
746 Make (and fill) a user_info struct for a guest login.
747 This *must* succeed for smbd to start. If there is no mapping entry for
748 the guest gid, then create one.
750 The resulting structure is a 'session_info' because
751 create_local_token() has already been called on it. This is quite
752 nasty, as the auth subsystem isn't expect this, but the behaviour is
754 ***************************************************************************/
756 static NTSTATUS make_new_server_info_guest(struct auth_serversupplied_info **session_info)
758 struct auth_serversupplied_info *server_info;
759 static const char zeros[16] = {0};
760 const char *guest_account = lp_guestaccount();
761 const char *domain = lp_netbios_name();
762 struct netr_SamInfo3 info3;
767 tmp_ctx = talloc_stackframe();
768 if (tmp_ctx == NULL) {
769 return NT_STATUS_NO_MEMORY;
774 status = get_guest_info3(tmp_ctx, &info3);
775 if (!NT_STATUS_IS_OK(status)) {
776 DEBUG(0, ("get_guest_info3 failed with %s\n",
781 status = make_server_info_info3(tmp_ctx,
786 if (!NT_STATUS_IS_OK(status)) {
787 DEBUG(0, ("make_server_info_info3 failed with %s\n",
792 server_info->guest = True;
794 /* This should not be done here (we should produce a server
795 * info, and later construct a session info from it), but for
796 * now this does not change the previous behaviours */
797 status = create_local_token(tmp_ctx, server_info, NULL, session_info);
798 TALLOC_FREE(server_info);
799 if (!NT_STATUS_IS_OK(status)) {
800 DEBUG(0, ("create_local_token failed: %s\n",
804 talloc_steal(NULL, *session_info);
806 /* annoying, but the Guest really does have a session key, and it is
808 (*session_info)->session_key = data_blob(zeros, sizeof(zeros));
809 (*session_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
811 alpha_strcpy(tmp, (*session_info)->info3->base.account_name.string,
812 ". _-$", sizeof(tmp));
813 (*session_info)->sanitized_username = talloc_strdup(*session_info, tmp);
815 status = NT_STATUS_OK;
817 TALLOC_FREE(tmp_ctx);
821 /***************************************************************************
822 Make (and fill) a auth_session_info struct for a system user login.
823 This *must* succeed for smbd to start.
824 ***************************************************************************/
826 static NTSTATUS make_new_session_info_system(TALLOC_CTX *mem_ctx,
827 struct auth_serversupplied_info **session_info)
832 pwd = getpwuid_alloc(mem_ctx, sec_initial_uid());
834 return NT_STATUS_NO_SUCH_USER;
837 status = make_session_info_from_username(mem_ctx,
842 if (!NT_STATUS_IS_OK(status)) {
846 (*session_info)->system = true;
848 status = add_sid_to_array_unique((*session_info)->security_token->sids,
850 &(*session_info)->security_token->sids,
851 &(*session_info)->security_token->num_sids);
852 if (!NT_STATUS_IS_OK(status)) {
853 TALLOC_FREE((*session_info));
860 /****************************************************************************
861 Fake a auth_serversupplied_info just from a username (as a
862 session_info structure, with create_local_token() already called on
864 ****************************************************************************/
866 NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
867 const char *username,
869 struct auth_serversupplied_info **session_info)
871 struct auth_serversupplied_info *result;
875 pwd = Get_Pwnam_alloc(talloc_tos(), username);
877 return NT_STATUS_NO_SUCH_USER;
880 status = make_server_info_pw(&result, pwd->pw_name, pwd);
884 if (!NT_STATUS_IS_OK(status)) {
888 result->nss_token = true;
889 result->guest = is_guest;
891 /* Now turn the server_info into a session_info with the full token etc */
892 status = create_local_token(mem_ctx, result, NULL, session_info);
898 struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx,
899 const struct auth_serversupplied_info *src)
901 struct auth_serversupplied_info *dst;
903 dst = make_server_info(mem_ctx);
908 dst->guest = src->guest;
909 dst->system = src->system;
910 dst->utok.uid = src->utok.uid;
911 dst->utok.gid = src->utok.gid;
912 dst->utok.ngroups = src->utok.ngroups;
913 if (src->utok.ngroups != 0) {
914 dst->utok.groups = (gid_t *)talloc_memdup(
915 dst, src->utok.groups,
916 sizeof(gid_t)*dst->utok.ngroups);
918 dst->utok.groups = NULL;
921 if (src->security_token) {
922 dst->security_token = dup_nt_token(dst, src->security_token);
923 if (!dst->security_token) {
929 dst->session_key = data_blob_talloc( dst, src->session_key.data,
930 src->session_key.length);
932 dst->lm_session_key = data_blob_talloc(dst, src->lm_session_key.data,
933 src->lm_session_key.length);
935 dst->info3 = copy_netr_SamInfo3(dst, src->info3);
940 dst->extra = src->extra;
942 dst->unix_name = talloc_strdup(dst, src->unix_name);
943 if (!dst->unix_name) {
948 dst->sanitized_username = talloc_strdup(dst, src->sanitized_username);
949 if (!dst->sanitized_username) {
958 * Set a new session key. Used in the rpc server where we have to override the
959 * SMB level session key with SystemLibraryDTC
962 bool session_info_set_session_key(struct auth_serversupplied_info *info,
963 DATA_BLOB session_key)
965 TALLOC_FREE(info->session_key.data);
967 info->session_key = data_blob_talloc(
968 info, session_key.data, session_key.length);
970 return (info->session_key.data != NULL);
973 static struct auth_serversupplied_info *guest_info = NULL;
975 bool init_guest_info(void)
977 if (guest_info != NULL)
980 return NT_STATUS_IS_OK(make_new_server_info_guest(&guest_info));
983 NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx,
984 struct auth_serversupplied_info **server_info)
986 *server_info = copy_serverinfo(mem_ctx, guest_info);
987 return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
990 static struct auth_serversupplied_info *system_info = NULL;
992 NTSTATUS init_system_info(void)
994 if (system_info != NULL)
997 return make_new_session_info_system(NULL, &system_info);
1000 NTSTATUS make_session_info_system(TALLOC_CTX *mem_ctx,
1001 struct auth_serversupplied_info **session_info)
1003 if (system_info == NULL) return NT_STATUS_UNSUCCESSFUL;
1004 *session_info = copy_serverinfo(mem_ctx, system_info);
1005 return (*session_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1008 const struct auth_serversupplied_info *get_session_info_system(void)
1013 bool copy_current_user(struct current_user *dst, struct current_user *src)
1016 struct security_token *nt_token;
1018 groups = (gid_t *)memdup(src->ut.groups,
1019 sizeof(gid_t) * src->ut.ngroups);
1020 if ((src->ut.ngroups != 0) && (groups == NULL)) {
1024 nt_token = dup_nt_token(NULL, src->nt_user_token);
1025 if (nt_token == NULL) {
1030 dst->conn = src->conn;
1031 dst->vuid = src->vuid;
1032 dst->ut.uid = src->ut.uid;
1033 dst->ut.gid = src->ut.gid;
1034 dst->ut.ngroups = src->ut.ngroups;
1035 dst->ut.groups = groups;
1036 dst->nt_user_token = nt_token;
1040 /***************************************************************************
1041 Purely internal function for make_server_info_info3
1042 ***************************************************************************/
1044 static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
1045 const char *username, char **found_username,
1046 struct passwd **pwd,
1047 bool *username_was_mapped)
1049 char *orig_dom_user = NULL;
1050 char *dom_user = NULL;
1051 char *lower_username = NULL;
1052 char *real_username = NULL;
1053 struct passwd *passwd;
1055 lower_username = talloc_strdup(mem_ctx, username);
1056 if (!lower_username) {
1057 return NT_STATUS_NO_MEMORY;
1059 strlower_m( lower_username );
1061 orig_dom_user = talloc_asprintf(mem_ctx,
1064 *lp_winbind_separator(),
1066 if (!orig_dom_user) {
1067 return NT_STATUS_NO_MEMORY;
1070 /* Get the passwd struct. Try to create the account if necessary. */
1072 *username_was_mapped = map_username(mem_ctx, orig_dom_user, &dom_user);
1074 return NT_STATUS_NO_MEMORY;
1077 passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, True );
1079 DEBUG(3, ("Failed to find authenticated user %s via "
1080 "getpwnam(), denying access.\n", dom_user));
1081 return NT_STATUS_NO_SUCH_USER;
1084 if (!real_username) {
1085 return NT_STATUS_NO_MEMORY;
1090 /* This is pointless -- there is no suport for differing
1091 unix and windows names. Make sure to always store the
1092 one we actually looked up and succeeded. Have I mentioned
1093 why I hate the 'winbind use default domain' parameter?
1096 *found_username = talloc_strdup( mem_ctx, real_username );
1098 return NT_STATUS_OK;
1101 /****************************************************************************
1102 Wrapper to allow the getpwnam() call to strip the domain name and
1103 try again in case a local UNIX user is already there. Also run through
1104 the username if we fallback to the username only.
1105 ****************************************************************************/
1107 struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser,
1108 char **p_save_username, bool create )
1110 struct passwd *pw = NULL;
1112 char *username = NULL;
1114 /* we only save a copy of the username it has been mangled
1115 by winbindd use default domain */
1116 *p_save_username = NULL;
1118 /* don't call map_username() here since it has to be done higher
1119 up the stack so we don't call it multiple times */
1121 username = talloc_strdup(mem_ctx, domuser);
1126 p = strchr_m( username, *lp_winbind_separator() );
1128 /* code for a DOMAIN\user string */
1131 pw = Get_Pwnam_alloc( mem_ctx, domuser );
1133 /* make sure we get the case of the username correct */
1134 /* work around 'winbind use default domain = yes' */
1136 if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
1139 /* split the domain and username into 2 strings */
1143 *p_save_username = talloc_asprintf(mem_ctx,
1146 *lp_winbind_separator(),
1148 if (!*p_save_username) {
1153 *p_save_username = talloc_strdup(mem_ctx, pw->pw_name);
1160 /* setup for lookup of just the username */
1161 /* remember that p and username are overlapping memory */
1164 username = talloc_strdup(mem_ctx, p);
1170 /* just lookup a plain username */
1172 pw = Get_Pwnam_alloc(mem_ctx, username);
1174 /* Create local user if requested but only if winbindd
1175 is not running. We need to protect against cases
1176 where winbindd is failing and then prematurely
1177 creating users in /etc/passwd */
1179 if ( !pw && create && !winbind_ping() ) {
1180 /* Don't add a machine account. */
1181 if (username[strlen(username)-1] == '$')
1184 _smb_create_user(NULL, username, NULL);
1185 pw = Get_Pwnam_alloc(mem_ctx, username);
1188 /* one last check for a valid passwd struct */
1191 *p_save_username = talloc_strdup(mem_ctx, pw->pw_name);
1196 /***************************************************************************
1197 Make a server_info struct from the info3 returned by a domain logon
1198 ***************************************************************************/
1200 NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
1201 const char *sent_nt_username,
1203 struct auth_serversupplied_info **server_info,
1204 struct netr_SamInfo3 *info3)
1206 static const char zeros[16] = {0, };
1208 NTSTATUS nt_status = NT_STATUS_OK;
1209 char *found_username = NULL;
1210 const char *nt_domain;
1211 const char *nt_username;
1212 bool username_was_mapped;
1214 struct auth_serversupplied_info *result;
1215 struct dom_sid *group_sid;
1216 struct netr_SamInfo3 *i3;
1219 Here is where we should check the list of
1220 trusted domains, and verify that the SID
1224 nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
1226 /* If the server didn't give us one, just use the one we sent
1228 nt_username = sent_nt_username;
1231 nt_domain = talloc_strdup(mem_ctx, info3->base.domain.string);
1233 /* If the server didn't give us one, just use the one we sent
1238 /* If getpwnam() fails try the add user script (2.2.x behavior).
1240 We use the _unmapped_ username here in an attempt to provide
1241 consistent username mapping behavior between kerberos and NTLM[SSP]
1242 authentication in domain mode security. I.E. Username mapping
1243 should be applied to the fully qualified username
1244 (e.g. DOMAIN\user) and not just the login name. Yes this means we
1245 called map_username() unnecessarily in make_user_info_map() but
1246 that is how the current code is designed. Making the change here
1247 is the least disruptive place. -- jerry */
1249 /* this call will try to create the user if necessary */
1251 nt_status = check_account(mem_ctx, nt_domain, sent_nt_username,
1252 &found_username, &pwd,
1253 &username_was_mapped);
1255 if (!NT_STATUS_IS_OK(nt_status)) {
1259 result = make_server_info(NULL);
1260 if (result == NULL) {
1261 DEBUG(4, ("make_server_info failed!\n"));
1262 return NT_STATUS_NO_MEMORY;
1265 result->unix_name = talloc_strdup(result, found_username);
1267 result->sanitized_username = sanitize_username(result,
1269 if (result->sanitized_username == NULL) {
1270 TALLOC_FREE(result);
1271 return NT_STATUS_NO_MEMORY;
1274 /* copy in the info3 */
1275 result->info3 = i3 = copy_netr_SamInfo3(result, info3);
1276 if (result->info3 == NULL) {
1277 TALLOC_FREE(result);
1278 return NT_STATUS_NO_MEMORY;
1281 /* Fill in the unix info we found on the way */
1282 result->utok.uid = pwd->pw_uid;
1283 result->utok.gid = pwd->pw_gid;
1285 /* We can't just trust that the primary group sid sent us is something
1286 * we can really use. Obtain the useable sid, and store the original
1287 * one as an additional group if it had to be replaced */
1288 nt_status = get_primary_group_sid(mem_ctx, found_username,
1290 if (!NT_STATUS_IS_OK(nt_status)) {
1291 TALLOC_FREE(result);
1295 /* store and check if it is the same we got originally */
1296 sid_peek_rid(group_sid, &i3->base.primary_gid);
1297 if (i3->base.primary_gid != info3->base.primary_gid) {
1298 uint32_t n = i3->base.groups.count;
1299 /* not the same, store the original as an additional group */
1300 i3->base.groups.rids =
1301 talloc_realloc(i3, i3->base.groups.rids,
1302 struct samr_RidWithAttribute, n + 1);
1303 if (i3->base.groups.rids == NULL) {
1304 TALLOC_FREE(result);
1305 return NT_STATUS_NO_MEMORY;
1307 i3->base.groups.rids[n].rid = info3->base.primary_gid;
1308 i3->base.groups.rids[n].attributes = SE_GROUP_ENABLED;
1309 i3->base.groups.count = n + 1;
1312 /* ensure we are never given NULL session keys */
1314 if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) {
1315 result->session_key = data_blob_null;
1317 result->session_key = data_blob_talloc(
1318 result, info3->base.key.key,
1319 sizeof(info3->base.key.key));
1322 if (memcmp(info3->base.LMSessKey.key, zeros, 8) == 0) {
1323 result->lm_session_key = data_blob_null;
1325 result->lm_session_key = data_blob_talloc(
1326 result, info3->base.LMSessKey.key,
1327 sizeof(info3->base.LMSessKey.key));
1330 result->nss_token |= username_was_mapped;
1332 *server_info = result;
1334 return NT_STATUS_OK;
1337 /*****************************************************************************
1338 Make a server_info struct from the wbcAuthUserInfo returned by a domain logon
1339 ******************************************************************************/
1341 NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
1342 const char *sent_nt_username,
1344 const struct wbcAuthUserInfo *info,
1345 struct auth_serversupplied_info **server_info)
1347 struct netr_SamInfo3 *info3;
1349 info3 = wbcAuthUserInfo_to_netr_SamInfo3(mem_ctx, info);
1351 return NT_STATUS_NO_MEMORY;
1354 return make_server_info_info3(mem_ctx,
1355 sent_nt_username, domain,
1356 server_info, info3);
1360 * Verify whether or not given domain is trusted.
1362 * @param domain_name name of the domain to be verified
1363 * @return true if domain is one of the trusted ones or
1364 * false if otherwise
1367 bool is_trusted_domain(const char* dom_name)
1369 struct dom_sid trustdom_sid;
1372 /* no trusted domains for a standalone server */
1374 if ( lp_server_role() == ROLE_STANDALONE )
1377 if (dom_name == NULL || dom_name[0] == '\0') {
1381 if (strequal(dom_name, get_global_sam_name())) {
1385 /* if we are a DC, then check for a direct trust relationships */
1389 DEBUG (5,("is_trusted_domain: Checking for domain trust with "
1390 "[%s]\n", dom_name ));
1391 ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
1399 /* If winbind is around, ask it */
1401 result = wb_is_trusted_domain(dom_name);
1403 if (result == WBC_ERR_SUCCESS) {
1407 if (result == WBC_ERR_DOMAIN_NOT_FOUND) {
1408 /* winbind could not find the domain */
1412 /* The only other possible result is that winbind is not up
1413 and running. We need to update the trustdom_cache
1416 update_trustdom_cache();
1419 /* now the trustdom cache should be available a DC could still
1420 * have a transitive trust so fall back to the cache of trusted
1421 * domains (like a domain member would use */
1423 if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) {
git.samba.org / vlendec / samba-autobuild / .git / blob