2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Volker Lendecke 2006
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "smbd/globals.h"
26 #include "../libcli/auth/libcli_auth.h"
29 #define DBGC_CLASS DBGC_AUTH
31 /****************************************************************************
32 Ensure primary group SID is always at position 0 in a
33 auth_serversupplied_info struct.
34 ****************************************************************************/
36 static void sort_sid_array_for_smbd(struct auth_serversupplied_info *result,
37 const DOM_SID *pgroup_sid)
45 if (sid_compare(&result->sids[0], pgroup_sid)==0) {
49 for (i = 1; i < result->num_sids; i++) {
50 if (sid_compare(pgroup_sid,
51 &result->sids[i]) == 0) {
52 sid_copy(&result->sids[i], &result->sids[0]);
53 sid_copy(&result->sids[0], pgroup_sid);
59 /****************************************************************************
60 Create a UNIX user on demand.
61 ****************************************************************************/
63 static int _smb_create_user(const char *domain, const char *unix_username, const char *homedir)
65 TALLOC_CTX *ctx = talloc_tos();
69 add_script = talloc_strdup(ctx, lp_adduser_script());
70 if (!add_script || !*add_script) {
73 add_script = talloc_all_string_sub(ctx,
81 add_script = talloc_all_string_sub(ctx,
90 add_script = talloc_all_string_sub(ctx,
98 ret = smbrun(add_script,NULL);
101 ("smb_create_user: Running the command `%s' gave %d\n",
106 /****************************************************************************
107 Create an auth_usersupplied_data structure
108 ****************************************************************************/
110 static NTSTATUS make_user_info(struct auth_usersupplied_info **user_info,
111 const char *smb_name,
112 const char *internal_username,
113 const char *client_domain,
115 const char *wksta_name,
116 DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd,
117 DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd,
118 DATA_BLOB *plaintext,
122 DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name));
124 *user_info = SMB_MALLOC_P(struct auth_usersupplied_info);
125 if (*user_info == NULL) {
126 DEBUG(0,("malloc failed for user_info (size %lu)\n", (unsigned long)sizeof(*user_info)));
127 return NT_STATUS_NO_MEMORY;
130 ZERO_STRUCTP(*user_info);
132 DEBUG(5,("making strings for %s's user_info struct\n", internal_username));
134 (*user_info)->smb_name = SMB_STRDUP(smb_name);
135 if ((*user_info)->smb_name == NULL) {
136 free_user_info(user_info);
137 return NT_STATUS_NO_MEMORY;
140 (*user_info)->internal_username = SMB_STRDUP(internal_username);
141 if ((*user_info)->internal_username == NULL) {
142 free_user_info(user_info);
143 return NT_STATUS_NO_MEMORY;
146 (*user_info)->domain = SMB_STRDUP(domain);
147 if ((*user_info)->domain == NULL) {
148 free_user_info(user_info);
149 return NT_STATUS_NO_MEMORY;
152 (*user_info)->client_domain = SMB_STRDUP(client_domain);
153 if ((*user_info)->client_domain == NULL) {
154 free_user_info(user_info);
155 return NT_STATUS_NO_MEMORY;
158 (*user_info)->wksta_name = SMB_STRDUP(wksta_name);
159 if ((*user_info)->wksta_name == NULL) {
160 free_user_info(user_info);
161 return NT_STATUS_NO_MEMORY;
164 DEBUG(5,("making blobs for %s's user_info struct\n", internal_username));
167 (*user_info)->lm_resp = data_blob(lm_pwd->data, lm_pwd->length);
169 (*user_info)->nt_resp = data_blob(nt_pwd->data, nt_pwd->length);
170 if (lm_interactive_pwd)
171 (*user_info)->lm_interactive_pwd = data_blob(lm_interactive_pwd->data, lm_interactive_pwd->length);
172 if (nt_interactive_pwd)
173 (*user_info)->nt_interactive_pwd = data_blob(nt_interactive_pwd->data, nt_interactive_pwd->length);
176 (*user_info)->plaintext_password = data_blob(plaintext->data, plaintext->length);
178 (*user_info)->encrypted = encrypted;
180 (*user_info)->logon_parameters = 0;
182 DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name));
187 /****************************************************************************
188 Create an auth_usersupplied_data structure after appropriate mapping.
189 ****************************************************************************/
191 NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info,
192 const char *smb_name,
193 const char *client_domain,
194 const char *wksta_name,
197 DATA_BLOB *lm_interactive_pwd,
198 DATA_BLOB *nt_interactive_pwd,
199 DATA_BLOB *plaintext,
202 struct smbd_server_connection *sconn = smbd_server_conn;
206 fstring internal_username;
207 fstrcpy(internal_username, smb_name);
208 was_mapped = map_username(sconn, internal_username);
210 DEBUG(5, ("Mapping user [%s]\\[%s] from workstation [%s]\n",
211 client_domain, smb_name, wksta_name));
213 domain = client_domain;
215 /* If you connect to a Windows domain member using a bogus domain name,
216 * the Windows box will map the BOGUS\user to SAMNAME\user. Thus, if
217 * the Windows box is a DC the name will become DOMAIN\user and be
218 * authenticated against AD, if the Windows box is a member server but
219 * not a DC the name will become WORKSTATION\user. A standalone
220 * non-domain member box will also map to WORKSTATION\user.
221 * This also deals with the client passing in a "" domain */
223 if (!is_trusted_domain(domain) &&
224 !strequal(domain, my_sam_name()))
226 if (lp_map_untrusted_to_domain())
227 domain = my_sam_name();
229 domain = get_global_sam_name();
230 DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] from "
231 "workstation [%s]\n",
232 client_domain, domain, smb_name, wksta_name));
235 /* We know that the given domain is trusted (and we are allowing them),
236 * it is our global SAM name, or for legacy behavior it is our
237 * primary domain name */
239 result = make_user_info(user_info, smb_name, internal_username,
240 client_domain, domain, wksta_name,
242 lm_interactive_pwd, nt_interactive_pwd,
243 plaintext, encrypted);
244 if (NT_STATUS_IS_OK(result)) {
245 (*user_info)->was_mapped = was_mapped;
250 /****************************************************************************
251 Create an auth_usersupplied_data, making the DATA_BLOBs here.
252 Decrypt and encrypt the passwords.
253 ****************************************************************************/
255 bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info,
256 const char *smb_name,
257 const char *client_domain,
258 const char *wksta_name,
259 uint32 logon_parameters,
260 const uchar *lm_network_pwd,
262 const uchar *nt_network_pwd,
267 DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len);
268 DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
270 status = make_user_info_map(user_info,
271 smb_name, client_domain,
273 lm_pwd_len ? &lm_blob : NULL,
274 nt_pwd_len ? &nt_blob : NULL,
278 if (NT_STATUS_IS_OK(status)) {
279 (*user_info)->logon_parameters = logon_parameters;
281 ret = NT_STATUS_IS_OK(status) ? True : False;
283 data_blob_free(&lm_blob);
284 data_blob_free(&nt_blob);
288 /****************************************************************************
289 Create an auth_usersupplied_data, making the DATA_BLOBs here.
290 Decrypt and encrypt the passwords.
291 ****************************************************************************/
293 bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_info,
294 const char *smb_name,
295 const char *client_domain,
296 const char *wksta_name,
297 uint32 logon_parameters,
299 const uchar lm_interactive_pwd[16],
300 const uchar nt_interactive_pwd[16],
301 const uchar *dc_sess_key)
303 unsigned char lm_pwd[16];
304 unsigned char nt_pwd[16];
305 unsigned char local_lm_response[24];
306 unsigned char local_nt_response[24];
307 unsigned char key[16];
309 memcpy(key, dc_sess_key, 16);
311 if (lm_interactive_pwd)
312 memcpy(lm_pwd, lm_interactive_pwd, sizeof(lm_pwd));
314 if (nt_interactive_pwd)
315 memcpy(nt_pwd, nt_interactive_pwd, sizeof(nt_pwd));
317 #ifdef DEBUG_PASSWORD
319 dump_data(100, key, sizeof(key));
321 DEBUG(100,("lm owf password:"));
322 dump_data(100, lm_pwd, sizeof(lm_pwd));
324 DEBUG(100,("nt owf password:"));
325 dump_data(100, nt_pwd, sizeof(nt_pwd));
328 if (lm_interactive_pwd)
329 arcfour_crypt(lm_pwd, key, sizeof(lm_pwd));
331 if (nt_interactive_pwd)
332 arcfour_crypt(nt_pwd, key, sizeof(nt_pwd));
334 #ifdef DEBUG_PASSWORD
335 DEBUG(100,("decrypt of lm owf password:"));
336 dump_data(100, lm_pwd, sizeof(lm_pwd));
338 DEBUG(100,("decrypt of nt owf password:"));
339 dump_data(100, nt_pwd, sizeof(nt_pwd));
342 if (lm_interactive_pwd)
343 SMBOWFencrypt(lm_pwd, chal,
346 if (nt_interactive_pwd)
347 SMBOWFencrypt(nt_pwd, chal,
350 /* Password info paranoia */
356 DATA_BLOB local_lm_blob;
357 DATA_BLOB local_nt_blob;
359 DATA_BLOB lm_interactive_blob;
360 DATA_BLOB nt_interactive_blob;
362 if (lm_interactive_pwd) {
363 local_lm_blob = data_blob(local_lm_response,
364 sizeof(local_lm_response));
365 lm_interactive_blob = data_blob(lm_pwd,
370 if (nt_interactive_pwd) {
371 local_nt_blob = data_blob(local_nt_response,
372 sizeof(local_nt_response));
373 nt_interactive_blob = data_blob(nt_pwd,
378 nt_status = make_user_info_map(
380 smb_name, client_domain, wksta_name,
381 lm_interactive_pwd ? &local_lm_blob : NULL,
382 nt_interactive_pwd ? &local_nt_blob : NULL,
383 lm_interactive_pwd ? &lm_interactive_blob : NULL,
384 nt_interactive_pwd ? &nt_interactive_blob : NULL,
387 if (NT_STATUS_IS_OK(nt_status)) {
388 (*user_info)->logon_parameters = logon_parameters;
391 ret = NT_STATUS_IS_OK(nt_status) ? True : False;
392 data_blob_free(&local_lm_blob);
393 data_blob_free(&local_nt_blob);
394 data_blob_free(&lm_interactive_blob);
395 data_blob_free(&nt_interactive_blob);
401 /****************************************************************************
402 Create an auth_usersupplied_data structure
403 ****************************************************************************/
405 bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
406 const char *smb_name,
407 const char *client_domain,
409 DATA_BLOB plaintext_password)
412 DATA_BLOB local_lm_blob;
413 DATA_BLOB local_nt_blob;
414 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
417 * Not encrypted - do so.
420 DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted "
423 if (plaintext_password.data && plaintext_password.length) {
424 unsigned char local_lm_response[24];
426 #ifdef DEBUG_PASSWORD
427 DEBUG(10,("Unencrypted password (len %d):\n",
428 (int)plaintext_password.length));
429 dump_data(100, plaintext_password.data,
430 plaintext_password.length);
433 SMBencrypt( (const char *)plaintext_password.data,
434 (const uchar*)chal, local_lm_response);
435 local_lm_blob = data_blob(local_lm_response, 24);
437 /* We can't do an NT hash here, as the password needs to be
439 local_nt_blob = data_blob_null;
441 local_lm_blob = data_blob_null;
442 local_nt_blob = data_blob_null;
445 ret = make_user_info_map(
446 user_info, smb_name, client_domain,
447 get_remote_machine_name(),
448 local_lm_blob.data ? &local_lm_blob : NULL,
449 local_nt_blob.data ? &local_nt_blob : NULL,
451 plaintext_password.data && plaintext_password.length ? &plaintext_password : NULL,
454 data_blob_free(&local_lm_blob);
455 return NT_STATUS_IS_OK(ret) ? True : False;
458 /****************************************************************************
459 Create an auth_usersupplied_data structure
460 ****************************************************************************/
462 NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info,
463 const char *smb_name,
464 const char *client_domain,
465 DATA_BLOB lm_resp, DATA_BLOB nt_resp)
467 return make_user_info_map(user_info, smb_name,
469 get_remote_machine_name(),
470 lm_resp.data ? &lm_resp : NULL,
471 nt_resp.data ? &nt_resp : NULL,
476 /****************************************************************************
477 Create a guest user_info blob, for anonymous authenticaion.
478 ****************************************************************************/
480 bool make_user_info_guest(struct auth_usersupplied_info **user_info)
484 nt_status = make_user_info(user_info,
493 return NT_STATUS_IS_OK(nt_status) ? True : False;
496 static NTSTATUS log_nt_token(NT_USER_TOKEN *token)
498 TALLOC_CTX *frame = talloc_stackframe();
503 if ((lp_log_nt_token_command() == NULL) ||
504 (strlen(lp_log_nt_token_command()) == 0)) {
509 group_sidstr = talloc_strdup(frame, "");
510 for (i=1; i<token->num_sids; i++) {
511 group_sidstr = talloc_asprintf(
512 frame, "%s %s", group_sidstr,
513 sid_string_talloc(frame, &token->user_sids[i]));
516 command = talloc_string_sub(
517 frame, lp_log_nt_token_command(),
518 "%s", sid_string_talloc(frame, &token->user_sids[0]));
519 command = talloc_string_sub(frame, command, "%t", group_sidstr);
521 if (command == NULL) {
523 return NT_STATUS_NO_MEMORY;
526 DEBUG(8, ("running command: [%s]\n", command));
527 if (smbrun(command, NULL) != 0) {
528 DEBUG(0, ("Could not log NT token\n"));
530 return NT_STATUS_ACCESS_DENIED;
538 * Create the token to use from server_info->sam_account and
539 * server_info->sids (the info3/sam groups). Find the unix gids.
542 NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
546 struct dom_sid tmp_sid;
549 * If winbind is not around, we can not make much use of the SIDs the
550 * domain controller provided us with. Likewise if the user name was
551 * mapped to some local unix user.
554 if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
555 (server_info->nss_token)) {
556 status = create_token_from_username(server_info,
557 server_info->unix_name,
559 &server_info->utok.uid,
560 &server_info->utok.gid,
561 &server_info->unix_name,
565 server_info->ptok = create_local_nt_token(
567 pdb_get_user_sid(server_info->sam_account),
569 server_info->num_sids, server_info->sids);
570 status = server_info->ptok ?
571 NT_STATUS_OK : NT_STATUS_NO_SUCH_USER;
574 if (!NT_STATUS_IS_OK(status)) {
578 /* Convert the SIDs to gids. */
580 server_info->utok.ngroups = 0;
581 server_info->utok.groups = NULL;
583 /* Start at index 1, where the groups start. */
585 for (i=1; i<server_info->ptok->num_sids; i++) {
587 DOM_SID *sid = &server_info->ptok->user_sids[i];
589 if (!sid_to_gid(sid, &gid)) {
590 DEBUG(10, ("Could not convert SID %s to gid, "
591 "ignoring it\n", sid_string_dbg(sid)));
594 add_gid_to_array_unique(server_info, gid,
595 &server_info->utok.groups,
596 &server_info->utok.ngroups);
600 * Add the "Unix Group" SID for each gid to catch mapped groups
601 * and their Unix equivalent. This is to solve the backwards
602 * compatibility problem of 'valid users = +ntadmin' where
603 * ntadmin has been paired with "Domain Admins" in the group
604 * mapping table. Otherwise smb.conf would need to be changed
605 * to 'valid user = "Domain Admins"'. --jerry
607 * For consistency we also add the "Unix User" SID,
608 * so that the complete unix token is represented within
612 if (!uid_to_unix_users_sid(server_info->utok.uid, &tmp_sid)) {
613 DEBUG(1,("create_local_token: Failed to create SID "
614 "for uid %u!\n", (unsigned int)server_info->utok.uid));
616 add_sid_to_array_unique(server_info->ptok, &tmp_sid,
617 &server_info->ptok->user_sids,
618 &server_info->ptok->num_sids);
620 for ( i=0; i<server_info->utok.ngroups; i++ ) {
621 if (!gid_to_unix_groups_sid( server_info->utok.groups[i], &tmp_sid ) ) {
622 DEBUG(1,("create_local_token: Failed to create SID "
623 "for gid %u!\n", (unsigned int)server_info->utok.groups[i]));
626 add_sid_to_array_unique(server_info->ptok, &tmp_sid,
627 &server_info->ptok->user_sids,
628 &server_info->ptok->num_sids);
631 debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok);
632 debug_unix_user_token(DBGC_AUTH, 10,
633 server_info->utok.uid,
634 server_info->utok.gid,
635 server_info->utok.ngroups,
636 server_info->utok.groups);
638 status = log_nt_token(server_info->ptok);
642 /***************************************************************************
643 Make (and fill) a server_info struct from a 'struct passwd' by conversion
645 ***************************************************************************/
647 NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
652 struct samu *sampass = NULL;
654 char *qualified_name = NULL;
655 TALLOC_CTX *mem_ctx = NULL;
657 enum lsa_SidType type;
658 struct auth_serversupplied_info *result;
660 if ( !(sampass = samu_new( NULL )) ) {
661 return NT_STATUS_NO_MEMORY;
664 status = samu_set_unix( sampass, pwd );
665 if (!NT_STATUS_IS_OK(status)) {
669 result = make_server_info(NULL);
670 if (result == NULL) {
671 TALLOC_FREE(sampass);
672 return NT_STATUS_NO_MEMORY;
675 result->sam_account = sampass;
677 result->unix_name = talloc_strdup(result, unix_username);
678 result->sanitized_username = sanitize_username(result, unix_username);
680 if ((result->unix_name == NULL)
681 || (result->sanitized_username == NULL)) {
682 TALLOC_FREE(sampass);
684 return NT_STATUS_NO_MEMORY;
687 result->utok.uid = pwd->pw_uid;
688 result->utok.gid = pwd->pw_gid;
690 status = pdb_enum_group_memberships(result, sampass,
691 &result->sids, &gids,
694 if (!NT_STATUS_IS_OK(status)) {
695 DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
702 * The SID returned in server_info->sam_account is based
703 * on our SAM sid even though for a pure UNIX account this should
704 * not be the case as it doesn't really exist in the SAM db.
705 * This causes lookups on "[in]valid users" to fail as they
706 * will lookup this name as a "Unix User" SID to check against
707 * the user token. Fix this by adding the "Unix User"\unix_username
708 * SID to the sid array. The correct fix should probably be
709 * changing the server_info->sam_account user SID to be a
710 * S-1-22 Unix SID, but this might break old configs where
711 * plaintext passwords were used with no SAM backend.
714 mem_ctx = talloc_init("make_server_info_pw_tmp");
717 return NT_STATUS_NO_MEMORY;
720 qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
721 unix_users_domain_name(),
723 if (!qualified_name) {
725 TALLOC_FREE(mem_ctx);
726 return NT_STATUS_NO_MEMORY;
729 if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
733 TALLOC_FREE(mem_ctx);
734 return NT_STATUS_NO_SUCH_USER;
737 TALLOC_FREE(mem_ctx);
739 if (type != SID_NAME_USER) {
741 return NT_STATUS_NO_SUCH_USER;
744 status = add_sid_to_array_unique(result, &u_sid,
747 if (!NT_STATUS_IS_OK(status)) {
752 /* For now we throw away the gids and convert via sid_to_gid
753 * later. This needs fixing, but I'd like to get the code straight and
757 *server_info = result;
762 /***************************************************************************
763 Make (and fill) a user_info struct for a guest login.
764 This *must* succeed for smbd to start. If there is no mapping entry for
765 the guest gid, then create one.
766 ***************************************************************************/
768 static NTSTATUS make_new_server_info_guest(struct auth_serversupplied_info **server_info)
771 struct samu *sampass = NULL;
774 static const char zeros[16] = {0, };
777 if ( !(sampass = samu_new( NULL )) ) {
778 return NT_STATUS_NO_MEMORY;
781 sid_compose(&guest_sid, get_global_sam_sid(), DOMAIN_USER_RID_GUEST);
784 ret = pdb_getsampwsid(sampass, &guest_sid);
788 TALLOC_FREE(sampass);
789 return NT_STATUS_NO_SUCH_USER;
792 status = make_server_info_sam(server_info, sampass);
793 if (!NT_STATUS_IS_OK(status)) {
794 TALLOC_FREE(sampass);
798 (*server_info)->guest = True;
800 status = create_local_token(*server_info);
801 if (!NT_STATUS_IS_OK(status)) {
802 DEBUG(10, ("create_local_token failed: %s\n",
807 /* annoying, but the Guest really does have a session key, and it is
809 (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));
810 (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
812 alpha_strcpy(tmp, pdb_get_username(sampass), ". _-$", sizeof(tmp));
813 (*server_info)->sanitized_username = talloc_strdup(*server_info, tmp);
818 /****************************************************************************
819 Fake a auth_serversupplied_info just from a username
820 ****************************************************************************/
822 NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx,
823 const char *username,
825 struct auth_serversupplied_info **presult)
827 struct auth_serversupplied_info *result;
831 pwd = getpwnam_alloc(talloc_tos(), username);
833 return NT_STATUS_NO_SUCH_USER;
836 status = make_server_info_pw(&result, pwd->pw_name, pwd);
840 if (!NT_STATUS_IS_OK(status)) {
844 result->nss_token = true;
845 result->guest = is_guest;
847 status = create_local_token(result);
849 if (!NT_STATUS_IS_OK(status)) {
859 struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx,
860 const struct auth_serversupplied_info *src)
862 struct auth_serversupplied_info *dst;
864 dst = make_server_info(mem_ctx);
869 dst->guest = src->guest;
870 dst->utok.uid = src->utok.uid;
871 dst->utok.gid = src->utok.gid;
872 dst->utok.ngroups = src->utok.ngroups;
873 if (src->utok.ngroups != 0) {
874 dst->utok.groups = (gid_t *)TALLOC_MEMDUP(
875 dst, src->utok.groups,
876 sizeof(gid_t)*dst->utok.ngroups);
878 dst->utok.groups = NULL;
882 dst->ptok = dup_nt_token(dst, src->ptok);
889 dst->user_session_key = data_blob_talloc( dst, src->user_session_key.data,
890 src->user_session_key.length);
892 dst->lm_session_key = data_blob_talloc(dst, src->lm_session_key.data,
893 src->lm_session_key.length);
895 dst->sam_account = samu_new(NULL);
896 if (!dst->sam_account) {
901 if (!pdb_copy_sam_account(dst->sam_account, src->sam_account)) {
906 dst->pam_handle = NULL;
907 dst->unix_name = talloc_strdup(dst, src->unix_name);
908 if (!dst->unix_name) {
913 dst->sanitized_username = talloc_strdup(dst, src->sanitized_username);
914 if (!dst->sanitized_username) {
923 * Set a new session key. Used in the rpc server where we have to override the
924 * SMB level session key with SystemLibraryDTC
927 bool server_info_set_session_key(struct auth_serversupplied_info *info,
928 DATA_BLOB session_key)
930 TALLOC_FREE(info->user_session_key.data);
932 info->user_session_key = data_blob_talloc(
933 info, session_key.data, session_key.length);
935 return (info->user_session_key.data != NULL);
938 static struct auth_serversupplied_info *guest_info = NULL;
940 bool init_guest_info(void)
942 if (guest_info != NULL)
945 return NT_STATUS_IS_OK(make_new_server_info_guest(&guest_info));
948 NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx,
949 struct auth_serversupplied_info **server_info)
951 *server_info = copy_serverinfo(mem_ctx, guest_info);
952 return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
955 bool copy_current_user(struct current_user *dst, struct current_user *src)
958 NT_USER_TOKEN *nt_token;
960 groups = (gid_t *)memdup(src->ut.groups,
961 sizeof(gid_t) * src->ut.ngroups);
962 if ((src->ut.ngroups != 0) && (groups == NULL)) {
966 nt_token = dup_nt_token(NULL, src->nt_user_token);
967 if (nt_token == NULL) {
972 dst->conn = src->conn;
973 dst->vuid = src->vuid;
974 dst->ut.uid = src->ut.uid;
975 dst->ut.gid = src->ut.gid;
976 dst->ut.ngroups = src->ut.ngroups;
977 dst->ut.groups = groups;
978 dst->nt_user_token = nt_token;
982 /***************************************************************************
983 Purely internal function for make_server_info_info3
984 Fill the sam account from getpwnam
985 ***************************************************************************/
986 static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx,
988 const char *username,
989 char **found_username,
990 uid_t *uid, gid_t *gid,
991 struct samu *account,
992 bool *username_was_mapped)
994 struct smbd_server_connection *sconn = smbd_server_conn;
996 fstring dom_user, lower_username;
997 fstring real_username;
998 struct passwd *passwd;
1000 fstrcpy( lower_username, username );
1001 strlower_m( lower_username );
1003 fstr_sprintf(dom_user, "%s%c%s", domain, *lp_winbind_separator(),
1006 /* Get the passwd struct. Try to create the account is necessary. */
1008 *username_was_mapped = map_username(sconn, dom_user);
1010 if ( !(passwd = smb_getpwnam( NULL, dom_user, real_username, True )) )
1011 return NT_STATUS_NO_SUCH_USER;
1013 *uid = passwd->pw_uid;
1014 *gid = passwd->pw_gid;
1016 /* This is pointless -- there is no suport for differing
1017 unix and windows names. Make sure to always store the
1018 one we actually looked up and succeeded. Have I mentioned
1019 why I hate the 'winbind use default domain' parameter?
1022 *found_username = talloc_strdup( mem_ctx, real_username );
1024 DEBUG(5,("fill_sam_account: located username was [%s]\n", *found_username));
1026 nt_status = samu_set_unix( account, passwd );
1028 TALLOC_FREE(passwd);
1033 /****************************************************************************
1034 Wrapper to allow the getpwnam() call to strip the domain name and
1035 try again in case a local UNIX user is already there. Also run through
1036 the username if we fallback to the username only.
1037 ****************************************************************************/
1039 struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, char *domuser,
1040 fstring save_username, bool create )
1042 struct passwd *pw = NULL;
1046 /* we only save a copy of the username it has been mangled
1047 by winbindd use default domain */
1049 save_username[0] = '\0';
1051 /* don't call map_username() here since it has to be done higher
1052 up the stack so we don't call it multiple times */
1054 fstrcpy( username, domuser );
1056 p = strchr_m( username, *lp_winbind_separator() );
1058 /* code for a DOMAIN\user string */
1061 fstring strip_username;
1063 pw = Get_Pwnam_alloc( mem_ctx, domuser );
1065 /* make sure we get the case of the username correct */
1066 /* work around 'winbind use default domain = yes' */
1068 if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
1071 /* split the domain and username into 2 strings */
1075 fstr_sprintf(save_username, "%s%c%s", domain, *lp_winbind_separator(), pw->pw_name);
1078 fstrcpy( save_username, pw->pw_name );
1084 /* setup for lookup of just the username */
1085 /* remember that p and username are overlapping memory */
1088 fstrcpy( strip_username, p );
1089 fstrcpy( username, strip_username );
1092 /* just lookup a plain username */
1094 pw = Get_Pwnam_alloc(mem_ctx, username);
1096 /* Create local user if requested but only if winbindd
1097 is not running. We need to protect against cases
1098 where winbindd is failing and then prematurely
1099 creating users in /etc/passwd */
1101 if ( !pw && create && !winbind_ping() ) {
1102 /* Don't add a machine account. */
1103 if (username[strlen(username)-1] == '$')
1106 _smb_create_user(NULL, username, NULL);
1107 pw = Get_Pwnam_alloc(mem_ctx, username);
1110 /* one last check for a valid passwd struct */
1113 fstrcpy( save_username, pw->pw_name );
1118 /***************************************************************************
1119 Make a server_info struct from the info3 returned by a domain logon
1120 ***************************************************************************/
1122 NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
1123 const char *sent_nt_username,
1125 struct auth_serversupplied_info **server_info,
1126 struct netr_SamInfo3 *info3)
1128 static const char zeros[16] = {0, };
1130 NTSTATUS nt_status = NT_STATUS_OK;
1131 char *found_username = NULL;
1132 const char *nt_domain;
1133 const char *nt_username;
1134 struct samu *sam_account = NULL;
1137 bool username_was_mapped;
1139 uid_t uid = (uid_t)-1;
1140 gid_t gid = (gid_t)-1;
1142 struct auth_serversupplied_info *result;
1145 Here is where we should check the list of
1146 trusted domains, and verify that the SID
1150 if (!sid_compose(&user_sid, info3->base.domain_sid, info3->base.rid)) {
1151 return NT_STATUS_INVALID_PARAMETER;
1154 if (!sid_compose(&group_sid, info3->base.domain_sid,
1155 info3->base.primary_gid)) {
1156 return NT_STATUS_INVALID_PARAMETER;
1159 nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
1161 /* If the server didn't give us one, just use the one we sent
1163 nt_username = sent_nt_username;
1166 nt_domain = talloc_strdup(mem_ctx, info3->base.domain.string);
1168 /* If the server didn't give us one, just use the one we sent
1173 /* try to fill the SAM account.. If getpwnam() fails, then try the
1174 add user script (2.2.x behavior).
1176 We use the _unmapped_ username here in an attempt to provide
1177 consistent username mapping behavior between kerberos and NTLM[SSP]
1178 authentication in domain mode security. I.E. Username mapping
1179 should be applied to the fully qualified username
1180 (e.g. DOMAIN\user) and not just the login name. Yes this means we
1181 called map_username() unnecessarily in make_user_info_map() but
1182 that is how the current code is designed. Making the change here
1183 is the least disruptive place. -- jerry */
1185 if ( !(sam_account = samu_new( NULL )) ) {
1186 return NT_STATUS_NO_MEMORY;
1189 /* this call will try to create the user if necessary */
1191 nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username,
1192 &found_username, &uid, &gid, sam_account,
1193 &username_was_mapped);
1196 /* if we still don't have a valid unix account check for
1197 'map to guest = bad uid' */
1199 if (!NT_STATUS_IS_OK(nt_status)) {
1200 TALLOC_FREE( sam_account );
1201 if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) {
1202 make_server_info_guest(NULL, server_info);
1203 return NT_STATUS_OK;
1208 if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) {
1209 TALLOC_FREE(sam_account);
1210 return NT_STATUS_NO_MEMORY;
1213 if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) {
1214 TALLOC_FREE(sam_account);
1215 return NT_STATUS_NO_MEMORY;
1218 if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) {
1219 TALLOC_FREE(sam_account);
1220 return NT_STATUS_NO_MEMORY;
1223 if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) {
1224 TALLOC_FREE(sam_account);
1225 return NT_STATUS_UNSUCCESSFUL;
1228 if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) {
1229 TALLOC_FREE(sam_account);
1230 return NT_STATUS_UNSUCCESSFUL;
1233 if (!pdb_set_fullname(sam_account,
1234 info3->base.full_name.string,
1236 TALLOC_FREE(sam_account);
1237 return NT_STATUS_NO_MEMORY;
1240 if (!pdb_set_logon_script(sam_account,
1241 info3->base.logon_script.string,
1243 TALLOC_FREE(sam_account);
1244 return NT_STATUS_NO_MEMORY;
1247 if (!pdb_set_profile_path(sam_account,
1248 info3->base.profile_path.string,
1250 TALLOC_FREE(sam_account);
1251 return NT_STATUS_NO_MEMORY;
1254 if (!pdb_set_homedir(sam_account,
1255 info3->base.home_directory.string,
1257 TALLOC_FREE(sam_account);
1258 return NT_STATUS_NO_MEMORY;
1261 if (!pdb_set_dir_drive(sam_account,
1262 info3->base.home_drive.string,
1264 TALLOC_FREE(sam_account);
1265 return NT_STATUS_NO_MEMORY;
1268 if (!pdb_set_acct_ctrl(sam_account, info3->base.acct_flags, PDB_CHANGED)) {
1269 TALLOC_FREE(sam_account);
1270 return NT_STATUS_NO_MEMORY;
1273 if (!pdb_set_pass_last_set_time(
1275 nt_time_to_unix(info3->base.last_password_change),
1277 TALLOC_FREE(sam_account);
1278 return NT_STATUS_NO_MEMORY;
1281 if (!pdb_set_pass_can_change_time(
1283 nt_time_to_unix(info3->base.allow_password_change),
1285 TALLOC_FREE(sam_account);
1286 return NT_STATUS_NO_MEMORY;
1289 if (!pdb_set_pass_must_change_time(
1291 nt_time_to_unix(info3->base.force_password_change),
1293 TALLOC_FREE(sam_account);
1294 return NT_STATUS_NO_MEMORY;
1297 result = make_server_info(NULL);
1298 if (result == NULL) {
1299 DEBUG(4, ("make_server_info failed!\n"));
1300 TALLOC_FREE(sam_account);
1301 return NT_STATUS_NO_MEMORY;
1304 /* save this here to _net_sam_logon() doesn't fail (it assumes a
1305 valid struct samu) */
1307 result->sam_account = sam_account;
1308 result->unix_name = talloc_strdup(result, found_username);
1310 result->sanitized_username = sanitize_username(result,
1312 if (result->sanitized_username == NULL) {
1313 TALLOC_FREE(result);
1314 return NT_STATUS_NO_MEMORY;
1317 /* Fill in the unix info we found on the way */
1319 result->utok.uid = uid;
1320 result->utok.gid = gid;
1322 /* Create a 'combined' list of all SIDs we might want in the SD */
1324 result->num_sids = 0;
1325 result->sids = NULL;
1327 nt_status = sid_array_from_info3(result, info3,
1331 if (!NT_STATUS_IS_OK(nt_status)) {
1332 TALLOC_FREE(result);
1336 /* Ensure the primary group sid is at position 0. */
1337 sort_sid_array_for_smbd(result, &group_sid);
1339 result->login_server = talloc_strdup(result,
1340 info3->base.logon_server.string);
1342 /* ensure we are never given NULL session keys */
1344 if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) {
1345 result->user_session_key = data_blob_null;
1347 result->user_session_key = data_blob_talloc(
1348 result, info3->base.key.key,
1349 sizeof(info3->base.key.key));
1352 if (memcmp(info3->base.LMSessKey.key, zeros, 8) == 0) {
1353 result->lm_session_key = data_blob_null;
1355 result->lm_session_key = data_blob_talloc(
1356 result, info3->base.LMSessKey.key,
1357 sizeof(info3->base.LMSessKey.key));
1360 result->nss_token |= username_was_mapped;
1362 *server_info = result;
1364 return NT_STATUS_OK;
1367 /*****************************************************************************
1368 Make a server_info struct from the wbcAuthUserInfo returned by a domain logon
1369 ******************************************************************************/
1371 NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
1372 const char *sent_nt_username,
1374 const struct wbcAuthUserInfo *info,
1375 struct auth_serversupplied_info **server_info)
1377 static const char zeros[16] = {0, };
1379 NTSTATUS nt_status = NT_STATUS_OK;
1380 char *found_username = NULL;
1381 const char *nt_domain;
1382 const char *nt_username;
1383 struct samu *sam_account = NULL;
1386 bool username_was_mapped;
1389 uid_t uid = (uid_t)-1;
1390 gid_t gid = (gid_t)-1;
1392 struct auth_serversupplied_info *result;
1394 result = make_server_info(NULL);
1395 if (result == NULL) {
1396 DEBUG(4, ("make_server_info failed!\n"));
1397 return NT_STATUS_NO_MEMORY;
1401 Here is where we should check the list of
1402 trusted domains, and verify that the SID
1406 memcpy(&user_sid, &info->sids[0].sid, sizeof(user_sid));
1407 memcpy(&group_sid, &info->sids[1].sid, sizeof(group_sid));
1409 if (info->account_name) {
1410 nt_username = talloc_strdup(result, info->account_name);
1412 /* If the server didn't give us one, just use the one we sent
1414 nt_username = talloc_strdup(result, sent_nt_username);
1417 TALLOC_FREE(result);
1418 return NT_STATUS_NO_MEMORY;
1421 if (info->domain_name) {
1422 nt_domain = talloc_strdup(result, info->domain_name);
1424 /* If the server didn't give us one, just use the one we sent
1426 nt_domain = talloc_strdup(result, domain);
1429 TALLOC_FREE(result);
1430 return NT_STATUS_NO_MEMORY;
1433 /* try to fill the SAM account.. If getpwnam() fails, then try the
1434 add user script (2.2.x behavior).
1436 We use the _unmapped_ username here in an attempt to provide
1437 consistent username mapping behavior between kerberos and NTLM[SSP]
1438 authentication in domain mode security. I.E. Username mapping
1439 should be applied to the fully qualified username
1440 (e.g. DOMAIN\user) and not just the login name. Yes this means we
1441 called map_username() unnecessarily in make_user_info_map() but
1442 that is how the current code is designed. Making the change here
1443 is the least disruptive place. -- jerry */
1445 if ( !(sam_account = samu_new( result )) ) {
1446 TALLOC_FREE(result);
1447 return NT_STATUS_NO_MEMORY;
1450 /* this call will try to create the user if necessary */
1452 nt_status = fill_sam_account(result, nt_domain, sent_nt_username,
1453 &found_username, &uid, &gid, sam_account,
1454 &username_was_mapped);
1456 /* if we still don't have a valid unix account check for
1457 'map to guest = bad uid' */
1459 if (!NT_STATUS_IS_OK(nt_status)) {
1460 TALLOC_FREE( result );
1461 if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) {
1462 make_server_info_guest(NULL, server_info);
1463 return NT_STATUS_OK;
1468 if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) {
1469 TALLOC_FREE(result);
1470 return NT_STATUS_NO_MEMORY;
1473 if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) {
1474 TALLOC_FREE(result);
1475 return NT_STATUS_NO_MEMORY;
1478 if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) {
1479 TALLOC_FREE(result);
1480 return NT_STATUS_NO_MEMORY;
1483 if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) {
1484 TALLOC_FREE(result);
1485 return NT_STATUS_UNSUCCESSFUL;
1488 if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) {
1489 TALLOC_FREE(result);
1490 return NT_STATUS_UNSUCCESSFUL;
1493 if (!pdb_set_fullname(sam_account, info->full_name, PDB_CHANGED)) {
1494 TALLOC_FREE(result);
1495 return NT_STATUS_NO_MEMORY;
1498 if (!pdb_set_logon_script(sam_account, info->logon_script, PDB_CHANGED)) {
1499 TALLOC_FREE(result);
1500 return NT_STATUS_NO_MEMORY;
1503 if (!pdb_set_profile_path(sam_account, info->profile_path, PDB_CHANGED)) {
1504 TALLOC_FREE(result);
1505 return NT_STATUS_NO_MEMORY;
1508 if (!pdb_set_homedir(sam_account, info->home_directory, PDB_CHANGED)) {
1509 TALLOC_FREE(result);
1510 return NT_STATUS_NO_MEMORY;
1513 if (!pdb_set_dir_drive(sam_account, info->home_drive, PDB_CHANGED)) {
1514 TALLOC_FREE(result);
1515 return NT_STATUS_NO_MEMORY;
1518 if (!pdb_set_acct_ctrl(sam_account, info->acct_flags, PDB_CHANGED)) {
1519 TALLOC_FREE(result);
1520 return NT_STATUS_NO_MEMORY;
1523 if (!pdb_set_pass_last_set_time(
1525 nt_time_to_unix(info->pass_last_set_time),
1527 TALLOC_FREE(result);
1528 return NT_STATUS_NO_MEMORY;
1531 if (!pdb_set_pass_can_change_time(
1533 nt_time_to_unix(info->pass_can_change_time),
1535 TALLOC_FREE(result);
1536 return NT_STATUS_NO_MEMORY;
1539 if (!pdb_set_pass_must_change_time(
1541 nt_time_to_unix(info->pass_must_change_time),
1543 TALLOC_FREE(result);
1544 return NT_STATUS_NO_MEMORY;
1547 /* save this here to _net_sam_logon() doesn't fail (it assumes a
1548 valid struct samu) */
1550 result->sam_account = sam_account;
1551 result->unix_name = talloc_strdup(result, found_username);
1553 result->sanitized_username = sanitize_username(result,
1555 result->login_server = talloc_strdup(result, info->logon_server);
1557 if ((result->unix_name == NULL)
1558 || (result->sanitized_username == NULL)
1559 || (result->login_server == NULL)) {
1560 TALLOC_FREE(result);
1561 return NT_STATUS_NO_MEMORY;
1564 /* Fill in the unix info we found on the way */
1566 result->utok.uid = uid;
1567 result->utok.gid = gid;
1569 /* Create a 'combined' list of all SIDs we might want in the SD */
1571 result->num_sids = info->num_sids - 2;
1572 result->sids = talloc_array(result, DOM_SID, result->num_sids);
1573 if (result->sids == NULL) {
1574 TALLOC_FREE(result);
1575 return NT_STATUS_NO_MEMORY;
1578 for (i=0; i < result->num_sids; i++) {
1579 memcpy(&result->sids[i], &info->sids[i+2].sid, sizeof(result->sids[i]));
1582 /* Ensure the primary group sid is at position 0. */
1583 sort_sid_array_for_smbd(result, &group_sid);
1585 /* ensure we are never given NULL session keys */
1587 if (memcmp(info->user_session_key, zeros, sizeof(zeros)) == 0) {
1588 result->user_session_key = data_blob_null;
1590 result->user_session_key = data_blob_talloc(
1591 result, info->user_session_key,
1592 sizeof(info->user_session_key));
1595 if (memcmp(info->lm_session_key, zeros, 8) == 0) {
1596 result->lm_session_key = data_blob_null;
1598 result->lm_session_key = data_blob_talloc(
1599 result, info->lm_session_key,
1600 sizeof(info->lm_session_key));
1603 result->nss_token |= username_was_mapped;
1605 *server_info = result;
1607 return NT_STATUS_OK;
1610 /***************************************************************************
1611 Free a user_info struct
1612 ***************************************************************************/
1614 void free_user_info(struct auth_usersupplied_info **user_info)
1616 DEBUG(5,("attempting to free (and zero) a user_info structure\n"));
1617 if (*user_info != NULL) {
1618 if ((*user_info)->smb_name) {
1619 DEBUG(10,("structure was created for %s\n",
1620 (*user_info)->smb_name));
1622 SAFE_FREE((*user_info)->smb_name);
1623 SAFE_FREE((*user_info)->internal_username);
1624 SAFE_FREE((*user_info)->client_domain);
1625 SAFE_FREE((*user_info)->domain);
1626 SAFE_FREE((*user_info)->wksta_name);
1627 data_blob_free(&(*user_info)->lm_resp);
1628 data_blob_free(&(*user_info)->nt_resp);
1629 data_blob_clear_free(&(*user_info)->lm_interactive_pwd);
1630 data_blob_clear_free(&(*user_info)->nt_interactive_pwd);
1631 data_blob_clear_free(&(*user_info)->plaintext_password);
1632 ZERO_STRUCT(**user_info);
1634 SAFE_FREE(*user_info);
1638 * Verify whether or not given domain is trusted.
1640 * @param domain_name name of the domain to be verified
1641 * @return true if domain is one of the trusted ones or
1642 * false if otherwise
1645 bool is_trusted_domain(const char* dom_name)
1647 DOM_SID trustdom_sid;
1650 /* no trusted domains for a standalone server */
1652 if ( lp_server_role() == ROLE_STANDALONE )
1655 if (dom_name == NULL || dom_name[0] == '\0') {
1659 if (strequal(dom_name, get_global_sam_name())) {
1663 /* if we are a DC, then check for a direct trust relationships */
1667 DEBUG (5,("is_trusted_domain: Checking for domain trust with "
1668 "[%s]\n", dom_name ));
1669 ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
1677 /* If winbind is around, ask it */
1679 result = wb_is_trusted_domain(dom_name);
1681 if (result == WBC_ERR_SUCCESS) {
1685 if (result == WBC_ERR_DOMAIN_NOT_FOUND) {
1686 /* winbind could not find the domain */
1690 /* The only other possible result is that winbind is not up
1691 and running. We need to update the trustdom_cache
1694 update_trustdom_cache();
1697 /* now the trustdom cache should be available a DC could still
1698 * have a transitive trust so fall back to the cache of trusted
1699 * domains (like a domain member would use */
1701 if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) {