2 Unix SMB/CIFS implementation.
4 Winbind daemon - pam auth funcions
6 Copyright (C) Andrew Tridgell 2000
7 Copyright (C) Tim Potter 2001
8 Copyright (C) Andrew Bartlett 2001-2002
9 Copyright (C) Guenther Deschner 2005
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include "../libcli/auth/libcli_auth.h"
28 #include "../librpc/gen_ndr/ndr_samr_c.h"
29 #include "rpc_client/cli_pipe.h"
30 #include "rpc_client/cli_samr.h"
31 #include "../librpc/gen_ndr/ndr_netlogon.h"
32 #include "rpc_client/cli_netlogon.h"
34 #include "../lib/crypto/arcfour.h"
35 #include "../libcli/security/security.h"
37 #include "../librpc/gen_ndr/krb5pac.h"
38 #include "passdb/machine_sid.h"
40 #include "../lib/tsocket/tsocket.h"
41 #include "auth/kerberos/pac_utils.h"
42 #include "auth/gensec/gensec.h"
43 #include "librpc/crypto/gse_krb5.h"
44 #include "lib/afs/afs_funcs.h"
47 #define DBGC_CLASS DBGC_WINBIND
49 #define LOGON_KRB5_FAIL_CLOCK_SKEW 0x02000000
51 static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx,
52 struct winbindd_response *resp,
53 struct netr_SamInfo3 *info3)
58 resp->data.auth.info3.logon_time =
59 nt_time_to_unix(info3->base.logon_time);
60 resp->data.auth.info3.logoff_time =
61 nt_time_to_unix(info3->base.logoff_time);
62 resp->data.auth.info3.kickoff_time =
63 nt_time_to_unix(info3->base.kickoff_time);
64 resp->data.auth.info3.pass_last_set_time =
65 nt_time_to_unix(info3->base.last_password_change);
66 resp->data.auth.info3.pass_can_change_time =
67 nt_time_to_unix(info3->base.allow_password_change);
68 resp->data.auth.info3.pass_must_change_time =
69 nt_time_to_unix(info3->base.force_password_change);
71 resp->data.auth.info3.logon_count = info3->base.logon_count;
72 resp->data.auth.info3.bad_pw_count = info3->base.bad_password_count;
74 resp->data.auth.info3.user_rid = info3->base.rid;
75 resp->data.auth.info3.group_rid = info3->base.primary_gid;
76 sid_to_fstring(resp->data.auth.info3.dom_sid, info3->base.domain_sid);
78 resp->data.auth.info3.num_groups = info3->base.groups.count;
79 resp->data.auth.info3.user_flgs = info3->base.user_flags;
81 resp->data.auth.info3.acct_flags = info3->base.acct_flags;
82 resp->data.auth.info3.num_other_sids = info3->sidcount;
84 fstrcpy(resp->data.auth.info3.user_name,
85 info3->base.account_name.string);
86 fstrcpy(resp->data.auth.info3.full_name,
87 info3->base.full_name.string);
88 fstrcpy(resp->data.auth.info3.logon_script,
89 info3->base.logon_script.string);
90 fstrcpy(resp->data.auth.info3.profile_path,
91 info3->base.profile_path.string);
92 fstrcpy(resp->data.auth.info3.home_dir,
93 info3->base.home_directory.string);
94 fstrcpy(resp->data.auth.info3.dir_drive,
95 info3->base.home_drive.string);
97 fstrcpy(resp->data.auth.info3.logon_srv,
98 info3->base.logon_server.string);
99 fstrcpy(resp->data.auth.info3.logon_dom,
100 info3->base.logon_domain.string);
102 ex = talloc_strdup(mem_ctx, "");
103 NT_STATUS_HAVE_NO_MEMORY(ex);
105 for (i=0; i < info3->base.groups.count; i++) {
106 ex = talloc_asprintf_append_buffer(ex, "0x%08X:0x%08X\n",
107 info3->base.groups.rids[i].rid,
108 info3->base.groups.rids[i].attributes);
109 NT_STATUS_HAVE_NO_MEMORY(ex);
112 for (i=0; i < info3->sidcount; i++) {
115 sid = dom_sid_string(mem_ctx, info3->sids[i].sid);
116 NT_STATUS_HAVE_NO_MEMORY(sid);
118 ex = talloc_asprintf_append_buffer(ex, "%s:0x%08X\n",
120 info3->sids[i].attributes);
121 NT_STATUS_HAVE_NO_MEMORY(ex);
126 resp->extra_data.data = ex;
127 resp->length += talloc_get_size(ex);
132 static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx,
133 struct winbindd_response *resp,
134 struct netr_SamInfo3 *info3)
137 enum ndr_err_code ndr_err;
139 ndr_err = ndr_push_struct_blob(&blob, mem_ctx, info3,
140 (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3);
141 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
142 DEBUG(0,("append_info3_as_ndr: failed to append\n"));
143 return ndr_map_error2ntstatus(ndr_err);
146 resp->extra_data.data = blob.data;
147 resp->length += blob.length;
152 static NTSTATUS append_unix_username(TALLOC_CTX *mem_ctx,
153 struct winbindd_response *resp,
154 const struct netr_SamInfo3 *info3,
155 const char *name_domain,
156 const char *name_user)
158 /* We've been asked to return the unix username, per
159 'winbind use default domain' settings and the like */
161 const char *nt_username, *nt_domain;
163 nt_domain = talloc_strdup(mem_ctx, info3->base.logon_domain.string);
165 /* If the server didn't give us one, just use the one
167 nt_domain = name_domain;
170 nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
172 /* If the server didn't give us one, just use the one
174 nt_username = name_user;
177 fill_domain_username(resp->data.auth.unix_username,
178 nt_domain, nt_username, true);
180 DEBUG(5, ("Setting unix username to [%s]\n",
181 resp->data.auth.unix_username));
186 static NTSTATUS append_afs_token(TALLOC_CTX *mem_ctx,
187 struct winbindd_response *resp,
188 const struct netr_SamInfo3 *info3,
189 const char *name_domain,
190 const char *name_user)
192 char *afsname = NULL;
196 afsname = talloc_strdup(mem_ctx, lp_afs_username_map());
197 if (afsname == NULL) {
198 return NT_STATUS_NO_MEMORY;
201 afsname = talloc_string_sub(mem_ctx,
202 lp_afs_username_map(),
204 afsname = talloc_string_sub(mem_ctx, afsname,
206 afsname = talloc_string_sub(mem_ctx, afsname,
210 struct dom_sid user_sid;
213 sid_compose(&user_sid, info3->base.domain_sid,
215 sid_to_fstring(sidstr, &user_sid);
216 afsname = talloc_string_sub(mem_ctx, afsname,
220 if (afsname == NULL) {
221 return NT_STATUS_NO_MEMORY;
224 if (!strlower_m(afsname)) {
225 return NT_STATUS_INVALID_PARAMETER;
228 DEBUG(10, ("Generating token for user %s\n", afsname));
230 cell = strchr(afsname, '@');
233 return NT_STATUS_NO_MEMORY;
239 token = afs_createtoken_str(afsname, cell);
243 resp->extra_data.data = talloc_strdup(mem_ctx, token);
244 if (resp->extra_data.data == NULL) {
245 return NT_STATUS_NO_MEMORY;
247 resp->length += strlen((const char *)resp->extra_data.data)+1;
252 static NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
253 const char *group_sid)
255 * Check whether a user belongs to a group or list of groups.
257 * @param mem_ctx talloc memory context.
258 * @param info3 user information, including group membership info.
259 * @param group_sid One or more groups , separated by commas.
261 * @return NT_STATUS_OK on success,
262 * NT_STATUS_LOGON_FAILURE if the user does not belong,
263 * or other NT_STATUS_IS_ERR(status) for other kinds of failure.
266 struct dom_sid *require_membership_of_sid;
267 uint32_t num_require_membership_of_sid;
272 struct security_token *token;
273 TALLOC_CTX *frame = talloc_stackframe();
276 /* Parse the 'required group' SID */
278 if (!group_sid || !group_sid[0]) {
279 /* NO sid supplied, all users may access */
284 token = talloc_zero(talloc_tos(), struct security_token);
286 DEBUG(0, ("talloc failed\n"));
288 return NT_STATUS_NO_MEMORY;
291 num_require_membership_of_sid = 0;
292 require_membership_of_sid = NULL;
296 while (next_token_talloc(talloc_tos(), &p, &req_sid, ",")) {
297 if (!string_to_sid(&sid, req_sid)) {
298 DEBUG(0, ("check_info3_in_group: could not parse %s "
299 "as a SID!", req_sid));
301 return NT_STATUS_INVALID_PARAMETER;
304 status = add_sid_to_array(talloc_tos(), &sid,
305 &require_membership_of_sid,
306 &num_require_membership_of_sid);
307 if (!NT_STATUS_IS_OK(status)) {
308 DEBUG(0, ("add_sid_to_array failed\n"));
314 status = sid_array_from_info3(talloc_tos(), info3,
318 if (!NT_STATUS_IS_OK(status)) {
323 if (!NT_STATUS_IS_OK(status = add_aliases(get_global_sam_sid(),
325 || !NT_STATUS_IS_OK(status = add_aliases(&global_sid_Builtin,
327 DEBUG(3, ("could not add aliases: %s\n",
333 security_token_debug(DBGC_CLASS, 10, token);
335 for (i=0; i<num_require_membership_of_sid; i++) {
336 DEBUG(10, ("Checking SID %s\n", sid_string_dbg(
337 &require_membership_of_sid[i])));
338 if (nt_token_check_sid(&require_membership_of_sid[i],
340 DEBUG(10, ("Access ok\n"));
346 /* Do not distinguish this error from a wrong username/pw */
349 return NT_STATUS_LOGON_FAILURE;
352 struct winbindd_domain *find_auth_domain(uint8_t flags,
353 const char *domain_name)
355 struct winbindd_domain *domain;
358 domain = find_domain_from_name_noinit(domain_name);
359 if (domain == NULL) {
360 DEBUG(3, ("Authentication for domain [%s] refused "
361 "as it is not a trusted domain\n",
367 if (strequal(domain_name, get_global_sam_name())) {
368 return find_domain_from_name_noinit(domain_name);
371 /* we can auth against trusted domains */
372 if (flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
373 domain = find_domain_from_name_noinit(domain_name);
374 if (domain == NULL) {
375 DEBUG(3, ("Authentication for domain [%s] skipped "
376 "as it is not a trusted domain\n",
383 return find_our_domain();
386 static void fill_in_password_policy(struct winbindd_response *r,
387 const struct samr_DomInfo1 *p)
389 r->data.auth.policy.min_length_password =
390 p->min_password_length;
391 r->data.auth.policy.password_history =
392 p->password_history_length;
393 r->data.auth.policy.password_properties =
394 p->password_properties;
395 r->data.auth.policy.expire =
396 nt_time_to_unix_abs((const NTTIME *)&(p->max_password_age));
397 r->data.auth.policy.min_passwordage =
398 nt_time_to_unix_abs((const NTTIME *)&(p->min_password_age));
401 static NTSTATUS fillup_password_policy(struct winbindd_domain *domain,
402 struct winbindd_response *response)
404 TALLOC_CTX *frame = talloc_stackframe();
405 struct winbindd_methods *methods;
407 struct samr_DomInfo1 password_policy;
409 if ( !winbindd_can_contact_domain( domain ) ) {
410 DEBUG(5,("fillup_password_policy: No inbound trust to "
411 "contact domain %s\n", domain->name));
412 status = NT_STATUS_NOT_SUPPORTED;
416 methods = domain->methods;
418 status = methods->password_policy(domain, talloc_tos(), &password_policy);
419 if (NT_STATUS_IS_ERR(status)) {
423 fill_in_password_policy(response, &password_policy);
430 static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain *domain,
432 uint16 *lockout_threshold)
434 struct winbindd_methods *methods;
435 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
436 struct samr_DomInfo12 lockout_policy;
438 *lockout_threshold = 0;
440 methods = domain->methods;
442 status = methods->lockout_policy(domain, mem_ctx, &lockout_policy);
443 if (NT_STATUS_IS_ERR(status)) {
447 *lockout_threshold = lockout_policy.lockout_threshold;
452 static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
454 uint32 *password_properties)
456 struct winbindd_methods *methods;
457 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
458 struct samr_DomInfo1 password_policy;
460 *password_properties = 0;
462 methods = domain->methods;
464 status = methods->password_policy(domain, mem_ctx, &password_policy);
465 if (NT_STATUS_IS_ERR(status)) {
469 *password_properties = password_policy.password_properties;
476 static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
479 const char **user_ccache_file)
481 /* accept FILE and WRFILE as krb5_cc_type from the client and then
482 * build the full ccname string based on the user's uid here -
485 const char *gen_cc = NULL;
488 if (strequal(type, "FILE")) {
489 gen_cc = talloc_asprintf(
490 mem_ctx, "FILE:/tmp/krb5cc_%d", uid);
492 if (strequal(type, "WRFILE")) {
493 gen_cc = talloc_asprintf(
494 mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
496 if (strequal(type, "KEYRING")) {
497 gen_cc = talloc_asprintf(
498 mem_ctx, "KEYRING:persistent:%d", uid);
501 if (strnequal(type, "FILE:/", 6) ||
502 strnequal(type, "WRFILE:/", 8) ||
503 strnequal(type, "DIR:/", 5)) {
505 /* we allow only one "%u" substitution */
509 p = strchr(type, '%');
514 if (p != NULL && *p == 'u' && strchr(p, '%') == NULL) {
515 gen_cc = talloc_asprintf(mem_ctx, type, uid);
521 *user_ccache_file = gen_cc;
523 if (gen_cc == NULL) {
524 gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbindd_pam_ccache");
526 if (gen_cc == NULL) {
527 DEBUG(0,("out of memory\n"));
531 DEBUG(10, ("using ccache: %s%s\n", gen_cc,
532 (*user_ccache_file == NULL) ? " (internal)":""));
539 uid_t get_uid_from_request(struct winbindd_request *request)
543 uid = request->data.auth.uid;
546 DEBUG(1,("invalid uid: '%u'\n", (unsigned int)uid));
552 /**********************************************************************
553 Authenticate a user with a clear text password using Kerberos and fill up
555 **********************************************************************/
557 static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
558 struct winbindd_domain *domain,
561 const char *krb5_cc_type,
563 struct netr_SamInfo3 **info3,
567 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
568 krb5_error_code krb5_ret;
569 const char *cc = NULL;
570 const char *principal_s = NULL;
571 const char *service = NULL;
573 fstring name_domain, name_user;
574 time_t ticket_lifetime = 0;
575 time_t renewal_until = 0;
577 time_t time_offset = 0;
578 const char *user_ccache_file;
579 struct PAC_LOGON_INFO *logon_info = NULL;
580 struct PAC_DATA *pac_data = NULL;
581 struct PAC_DATA_CTR *pac_data_ctr = NULL;
582 const char *local_service;
587 if (domain->alt_name == NULL) {
588 return NT_STATUS_INVALID_PARAMETER;
592 * prepare a krb5_cc_cache string for the user */
595 DEBUG(0,("no valid uid\n"));
598 cc = generate_krb5_ccache(mem_ctx,
603 return NT_STATUS_NO_MEMORY;
608 * get kerberos properties */
610 if (domain->private_data) {
611 ads = (ADS_STRUCT *)domain->private_data;
612 time_offset = ads->auth.time_offset;
617 * do kerberos auth and setup ccache as the user */
619 parse_domain_user(user, name_domain, name_user);
621 realm = talloc_strdup(mem_ctx, domain->alt_name);
623 return NT_STATUS_NO_MEMORY;
626 if (!strupper_m(realm)) {
627 return NT_STATUS_INVALID_PARAMETER;
630 principal_s = talloc_asprintf(mem_ctx, "%s@%s", name_user, realm);
631 if (principal_s == NULL) {
632 return NT_STATUS_NO_MEMORY;
635 service = talloc_asprintf(mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
636 if (service == NULL) {
637 return NT_STATUS_NO_MEMORY;
640 local_service = talloc_asprintf(mem_ctx, "%s$@%s",
641 lp_netbios_name(), lp_realm());
642 if (local_service == NULL) {
643 return NT_STATUS_NO_MEMORY;
647 /* if this is a user ccache, we need to act as the user to let the krb5
648 * library handle the chown, etc. */
650 /************************ ENTERING NON-ROOT **********************/
652 if (user_ccache_file != NULL) {
653 set_effective_uid(uid);
654 DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
657 result = kerberos_return_pac(mem_ctx,
666 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
670 if (user_ccache_file != NULL) {
671 gain_root_privilege();
674 /************************ RETURNED TO ROOT **********************/
676 if (!NT_STATUS_IS_OK(result)) {
680 if (pac_data_ctr == NULL) {
684 pac_data = pac_data_ctr->pac_data;
685 if (pac_data == NULL) {
689 for (i=0; i < pac_data->num_buffers; i++) {
691 if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
695 logon_info = pac_data->buffers[i].info->logon_info.info;
697 return NT_STATUS_INVALID_PARAMETER;
703 *info3 = &logon_info->info3;
705 DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
708 /* if we had a user's ccache then return that string for the pam
711 if (user_ccache_file != NULL) {
713 fstrcpy(krb5ccname, user_ccache_file);
715 result = add_ccache_to_list(principal_s,
727 if (!NT_STATUS_IS_OK(result)) {
728 DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
733 /* need to delete the memory cred cache, it is not used anymore */
735 krb5_ret = ads_kdestroy(cc);
737 DEBUG(3,("winbindd_raw_kerberos_login: "
738 "could not destroy krb5 credential cache: "
739 "%s\n", error_message(krb5_ret)));
748 * Do not delete an existing valid credential cache, if the user
749 * e.g. enters a wrong password
751 if ((strequal(krb5_cc_type, "FILE") || strequal(krb5_cc_type, "WRFILE"))
752 && user_ccache_file != NULL) {
756 /* we could have created a new credential cache with a valid tgt in it
757 * but we werent able to get or verify the service ticket for this
758 * local host and therefor didn't get the PAC, we need to remove that
759 * cache entirely now */
761 krb5_ret = ads_kdestroy(cc);
763 DEBUG(3,("winbindd_raw_kerberos_login: "
764 "could not destroy krb5 credential cache: "
765 "%s\n", error_message(krb5_ret)));
768 if (!NT_STATUS_IS_OK(remove_ccache(user))) {
769 DEBUG(3,("winbindd_raw_kerberos_login: "
770 "could not remove ccache for user %s\n",
776 return NT_STATUS_NOT_SUPPORTED;
777 #endif /* HAVE_KRB5 */
780 /****************************************************************
781 ****************************************************************/
783 bool check_request_flags(uint32_t flags)
785 uint32_t flags_edata = WBFLAG_PAM_AFS_TOKEN |
786 WBFLAG_PAM_INFO3_TEXT |
787 WBFLAG_PAM_INFO3_NDR;
789 if ( ( (flags & flags_edata) == WBFLAG_PAM_AFS_TOKEN) ||
790 ( (flags & flags_edata) == WBFLAG_PAM_INFO3_NDR) ||
791 ( (flags & flags_edata) == WBFLAG_PAM_INFO3_TEXT)||
792 !(flags & flags_edata) ) {
796 DEBUG(1, ("check_request_flags: invalid request flags[0x%08X]\n",
802 /****************************************************************
803 ****************************************************************/
805 NTSTATUS append_auth_data(TALLOC_CTX *mem_ctx,
806 struct winbindd_response *resp,
807 uint32_t request_flags,
808 struct netr_SamInfo3 *info3,
809 const char *name_domain,
810 const char *name_user)
814 if (request_flags & WBFLAG_PAM_USER_SESSION_KEY) {
815 memcpy(resp->data.auth.user_session_key,
817 sizeof(resp->data.auth.user_session_key)
821 if (request_flags & WBFLAG_PAM_LMKEY) {
822 memcpy(resp->data.auth.first_8_lm_hash,
823 info3->base.LMSessKey.key,
824 sizeof(resp->data.auth.first_8_lm_hash)
828 if (request_flags & WBFLAG_PAM_UNIX_NAME) {
829 result = append_unix_username(mem_ctx, resp,
830 info3, name_domain, name_user);
831 if (!NT_STATUS_IS_OK(result)) {
832 DEBUG(10,("Failed to append Unix Username: %s\n",
838 /* currently, anything from here on potentially overwrites extra_data. */
840 if (request_flags & WBFLAG_PAM_INFO3_NDR) {
841 result = append_info3_as_ndr(mem_ctx, resp, info3);
842 if (!NT_STATUS_IS_OK(result)) {
843 DEBUG(10,("Failed to append INFO3 (NDR): %s\n",
849 if (request_flags & WBFLAG_PAM_INFO3_TEXT) {
850 result = append_info3_as_txt(mem_ctx, resp, info3);
851 if (!NT_STATUS_IS_OK(result)) {
852 DEBUG(10,("Failed to append INFO3 (TXT): %s\n",
858 if (request_flags & WBFLAG_PAM_AFS_TOKEN) {
859 result = append_afs_token(mem_ctx, resp,
860 info3, name_domain, name_user);
861 if (!NT_STATUS_IS_OK(result)) {
862 DEBUG(10,("Failed to append AFS token: %s\n",
871 static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
872 struct winbindd_cli_state *state,
873 struct netr_SamInfo3 **info3)
875 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
876 uint16 max_allowed_bad_attempts;
877 fstring name_domain, name_user;
879 enum lsa_SidType type;
880 uchar new_nt_pass[NT_HASH_LEN];
881 const uint8 *cached_nt_pass;
882 const uint8 *cached_salt;
883 struct netr_SamInfo3 *my_info3;
884 time_t kickoff_time, must_change_time;
885 bool password_good = false;
887 struct winbindd_tdc_domain *tdc_domain = NULL;
894 DEBUG(10,("winbindd_dual_pam_auth_cached\n"));
896 /* Parse domain and username */
898 parse_domain_user(state->request->data.auth.user, name_domain, name_user);
901 if (!lookup_cached_name(name_domain,
905 DEBUG(10,("winbindd_dual_pam_auth_cached: no such user in the cache\n"));
906 return NT_STATUS_NO_SUCH_USER;
909 if (type != SID_NAME_USER) {
910 DEBUG(10,("winbindd_dual_pam_auth_cached: not a user (%s)\n", sid_type_lookup(type)));
911 return NT_STATUS_LOGON_FAILURE;
914 result = winbindd_get_creds(domain,
920 if (!NT_STATUS_IS_OK(result)) {
921 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get creds: %s\n", nt_errstr(result)));
927 E_md4hash(state->request->data.auth.pass, new_nt_pass);
929 dump_data_pw("new_nt_pass", new_nt_pass, NT_HASH_LEN);
930 dump_data_pw("cached_nt_pass", cached_nt_pass, NT_HASH_LEN);
932 dump_data_pw("cached_salt", cached_salt, NT_HASH_LEN);
936 /* In this case we didn't store the nt_hash itself,
937 but the MD5 combination of salt + nt_hash. */
938 uchar salted_hash[NT_HASH_LEN];
939 E_md5hash(cached_salt, new_nt_pass, salted_hash);
941 password_good = (memcmp(cached_nt_pass, salted_hash,
944 /* Old cached cred - direct store of nt_hash (bad bad bad !). */
945 password_good = (memcmp(cached_nt_pass, new_nt_pass,
951 /* User *DOES* know the password, update logon_time and reset
954 my_info3->base.user_flags |= NETLOGON_CACHED_ACCOUNT;
956 if (my_info3->base.acct_flags & ACB_AUTOLOCK) {
957 return NT_STATUS_ACCOUNT_LOCKED_OUT;
960 if (my_info3->base.acct_flags & ACB_DISABLED) {
961 return NT_STATUS_ACCOUNT_DISABLED;
964 if (my_info3->base.acct_flags & ACB_WSTRUST) {
965 return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
968 if (my_info3->base.acct_flags & ACB_SVRTRUST) {
969 return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
972 if (my_info3->base.acct_flags & ACB_DOMTRUST) {
973 return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
976 if (!(my_info3->base.acct_flags & ACB_NORMAL)) {
977 DEBUG(0,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
978 my_info3->base.acct_flags));
979 return NT_STATUS_LOGON_FAILURE;
982 kickoff_time = nt_time_to_unix(my_info3->base.kickoff_time);
983 if (kickoff_time != 0 && time(NULL) > kickoff_time) {
984 return NT_STATUS_ACCOUNT_EXPIRED;
987 must_change_time = nt_time_to_unix(my_info3->base.force_password_change);
988 if (must_change_time != 0 && must_change_time < time(NULL)) {
989 /* we allow grace logons when the password has expired */
990 my_info3->base.user_flags |= NETLOGON_GRACE_LOGON;
991 /* return NT_STATUS_PASSWORD_EXPIRED; */
996 if ((state->request->flags & WBFLAG_PAM_KRB5) &&
997 ((tdc_domain = wcache_tdc_fetch_domain(state->mem_ctx, name_domain)) != NULL) &&
998 ((tdc_domain->trust_type & NETR_TRUST_TYPE_UPLEVEL) ||
999 /* used to cope with the case winbindd starting without network. */
1000 !strequal(tdc_domain->domain_name, tdc_domain->dns_name))) {
1003 const char *cc = NULL;
1005 const char *principal_s = NULL;
1006 const char *service = NULL;
1007 const char *user_ccache_file;
1009 if (domain->alt_name == NULL) {
1010 return NT_STATUS_INVALID_PARAMETER;
1013 uid = get_uid_from_request(state->request);
1015 DEBUG(0,("winbindd_dual_pam_auth_cached: invalid uid\n"));
1016 return NT_STATUS_INVALID_PARAMETER;
1019 cc = generate_krb5_ccache(state->mem_ctx,
1020 state->request->data.auth.krb5_cc_type,
1021 state->request->data.auth.uid,
1024 return NT_STATUS_NO_MEMORY;
1027 realm = talloc_strdup(state->mem_ctx, domain->alt_name);
1028 if (realm == NULL) {
1029 return NT_STATUS_NO_MEMORY;
1032 if (!strupper_m(realm)) {
1033 return NT_STATUS_INVALID_PARAMETER;
1036 principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
1037 if (principal_s == NULL) {
1038 return NT_STATUS_NO_MEMORY;
1041 service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
1042 if (service == NULL) {
1043 return NT_STATUS_NO_MEMORY;
1046 if (user_ccache_file != NULL) {
1048 fstrcpy(state->response->data.auth.krb5ccname,
1051 result = add_ccache_to_list(principal_s,
1054 state->request->data.auth.user,
1055 state->request->data.auth.pass,
1059 time(NULL) + lp_winbind_cache_time(),
1060 time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
1063 if (!NT_STATUS_IS_OK(result)) {
1064 DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
1065 "to add ccache to list: %s\n",
1066 nt_errstr(result)));
1070 #endif /* HAVE_KRB5 */
1072 /* FIXME: we possibly should handle logon hours as well (does xp when
1073 * offline?) see auth/auth_sam.c:sam_account_ok for details */
1075 unix_to_nt_time(&my_info3->base.logon_time, time(NULL));
1076 my_info3->base.bad_password_count = 0;
1078 result = winbindd_update_creds_by_info3(domain,
1079 state->request->data.auth.user,
1080 state->request->data.auth.pass,
1082 if (!NT_STATUS_IS_OK(result)) {
1083 DEBUG(1,("winbindd_dual_pam_auth_cached: failed to update creds: %s\n",
1084 nt_errstr(result)));
1088 return NT_STATUS_OK;
1092 /* User does *NOT* know the correct password, modify info3 accordingly, but only if online */
1093 if (domain->online == false) {
1097 /* failure of this is not critical */
1098 result = get_max_bad_attempts_from_lockout_policy(domain, state->mem_ctx, &max_allowed_bad_attempts);
1099 if (!NT_STATUS_IS_OK(result)) {
1100 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get max_allowed_bad_attempts. "
1101 "Won't be able to honour account lockout policies\n"));
1104 /* increase counter */
1105 my_info3->base.bad_password_count++;
1107 if (max_allowed_bad_attempts == 0) {
1112 if (my_info3->base.bad_password_count >= max_allowed_bad_attempts) {
1114 uint32 password_properties;
1116 result = get_pwd_properties(domain, state->mem_ctx, &password_properties);
1117 if (!NT_STATUS_IS_OK(result)) {
1118 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
1121 if ((my_info3->base.rid != DOMAIN_RID_ADMINISTRATOR) ||
1122 (password_properties & DOMAIN_PASSWORD_LOCKOUT_ADMINS)) {
1123 my_info3->base.acct_flags |= ACB_AUTOLOCK;
1128 result = winbindd_update_creds_by_info3(domain,
1129 state->request->data.auth.user,
1133 if (!NT_STATUS_IS_OK(result)) {
1134 DEBUG(0,("winbindd_dual_pam_auth_cached: failed to update creds %s\n",
1135 nt_errstr(result)));
1138 return NT_STATUS_LOGON_FAILURE;
1141 static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
1142 struct winbindd_cli_state *state,
1143 struct netr_SamInfo3 **info3)
1145 struct winbindd_domain *contact_domain;
1146 fstring name_domain, name_user;
1149 DEBUG(10,("winbindd_dual_pam_auth_kerberos\n"));
1151 /* Parse domain and username */
1153 parse_domain_user(state->request->data.auth.user, name_domain, name_user);
1155 /* what domain should we contact? */
1158 if (!(contact_domain = find_domain_from_name(name_domain))) {
1159 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1160 state->request->data.auth.user, name_domain, name_user, name_domain));
1161 result = NT_STATUS_NO_SUCH_USER;
1166 if (is_myname(name_domain)) {
1167 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1168 result = NT_STATUS_NO_SUCH_USER;
1172 contact_domain = find_domain_from_name(name_domain);
1173 if (contact_domain == NULL) {
1174 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1175 state->request->data.auth.user, name_domain, name_user, name_domain));
1177 result = NT_STATUS_NO_SUCH_USER;
1182 if (contact_domain->initialized &&
1183 contact_domain->active_directory) {
1187 if (!contact_domain->initialized) {
1188 init_dc_connection(contact_domain, false);
1191 if (!contact_domain->active_directory) {
1192 DEBUG(3,("krb5 auth requested but domain is not Active Directory\n"));
1193 return NT_STATUS_INVALID_LOGON_TYPE;
1196 result = winbindd_raw_kerberos_login(
1197 state->mem_ctx, contact_domain,
1198 state->request->data.auth.user,
1199 state->request->data.auth.pass,
1200 state->request->data.auth.krb5_cc_type,
1201 get_uid_from_request(state->request),
1202 info3, state->response->data.auth.krb5ccname);
1207 static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
1208 uint32_t logon_parameters,
1209 const char *domain, const char *user,
1210 const DATA_BLOB *challenge,
1211 const DATA_BLOB *lm_resp,
1212 const DATA_BLOB *nt_resp,
1213 struct netr_SamInfo3 **pinfo3)
1215 struct auth_context *auth_context;
1216 struct auth_serversupplied_info *server_info;
1217 struct auth_usersupplied_info *user_info = NULL;
1218 struct tsocket_address *local;
1219 struct netr_SamInfo3 *info3;
1222 TALLOC_CTX *frame = talloc_stackframe();
1224 rc = tsocket_address_inet_from_strings(frame,
1231 return NT_STATUS_NO_MEMORY;
1233 status = make_user_info(frame, &user_info, user, user, domain, domain,
1234 lp_netbios_name(), local, lm_resp, nt_resp, NULL, NULL,
1235 NULL, AUTH_PASSWORD_RESPONSE);
1236 if (!NT_STATUS_IS_OK(status)) {
1237 DEBUG(10, ("make_user_info failed: %s\n", nt_errstr(status)));
1242 user_info->logon_parameters = logon_parameters;
1244 /* We don't want any more mapping of the username */
1245 user_info->mapped_state = True;
1247 /* We don't want to come back to winbindd or to do PAM account checks */
1248 user_info->flags |= USER_INFO_LOCAL_SAM_ONLY | USER_INFO_INFO3_AND_NO_AUTHZ;
1250 status = make_auth_context_fixed(frame, &auth_context, challenge->data);
1252 if (!NT_STATUS_IS_OK(status)) {
1253 DEBUG(0, ("Failed to test authentication with check_sam_security_info3: %s\n", nt_errstr(status)));
1258 status = auth_check_ntlm_password(mem_ctx,
1263 if (!NT_STATUS_IS_OK(status)) {
1268 info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
1269 if (info3 == NULL) {
1271 return NT_STATUS_NO_MEMORY;
1274 status = serverinfo_to_SamInfo3(server_info, info3);
1275 if (!NT_STATUS_IS_OK(status)) {
1278 DEBUG(0, ("serverinfo_to_SamInfo3 failed: %s\n",
1279 nt_errstr(status)));
1284 DEBUG(10, ("Authenticaticating user %s\\%s returned %s\n", domain,
1285 user, nt_errstr(status)));
1290 static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
1291 TALLOC_CTX *mem_ctx,
1292 uint32_t logon_parameters,
1294 const char *username,
1295 const char *password,
1296 const char *domainname,
1297 const char *workstation,
1298 const uint8_t chal[8],
1299 DATA_BLOB lm_response,
1300 DATA_BLOB nt_response,
1302 struct netr_SamInfo3 **info3)
1305 int netr_attempts = 0;
1310 struct rpc_pipe_client *netlogon_pipe;
1311 uint8_t authoritative = 0;
1314 ZERO_STRUCTP(info3);
1317 result = cm_connect_netlogon(domain, &netlogon_pipe);
1319 if (!NT_STATUS_IS_OK(result)) {
1320 DEBUG(3,("Could not open handle to NETLOGON pipe "
1321 "(error: %s, attempts: %d)\n",
1322 nt_errstr(result), netr_attempts));
1324 /* After the first retry always close the connection */
1325 if (netr_attempts > 0) {
1326 DEBUG(3, ("This is again a problem for this "
1327 "particular call, forcing the close "
1328 "of this connection\n"));
1329 invalidate_cm_connection(&domain->conn);
1332 /* After the second retry failover to the next DC */
1333 if (netr_attempts > 1) {
1335 * If the netlogon server is not reachable then
1336 * it is possible that the DC is rebuilding
1337 * sysvol and shutdown netlogon for that time.
1338 * We should failover to the next dc.
1340 DEBUG(3, ("This is the third problem for this "
1341 "particular call, adding DC to the "
1342 "negative cache list\n"));
1343 add_failed_connection_entry(domain->name,
1346 saf_delete(domain->name);
1349 /* Only allow 3 retries */
1350 if (netr_attempts < 3) {
1351 DEBUG(3, ("The connection to netlogon "
1352 "failed, retrying\n"));
1361 if (interactive && username != NULL && password != NULL) {
1362 result = rpccli_netlogon_password_logon(domain->conn.netlogon_creds,
1363 netlogon_pipe->binding_handle,
1370 NetlogonInteractiveInformation,
1373 result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
1374 netlogon_pipe->binding_handle,
1389 * we increment this after the "feature negotiation"
1390 * for can_do_samlogon_ex and can_do_validation6
1394 /* We have to try a second time as cm_connect_netlogon
1395 might not yet have noticed that the DC has killed
1398 if (!rpccli_is_connected(netlogon_pipe)) {
1403 /* if we get access denied, a possible cause was that we had
1404 and open connection to the DC, but someone changed our
1405 machine account password out from underneath us using 'net
1406 rpc changetrustpw' */
1408 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1409 DEBUG(3,("winbind_samlogon_retry_loop: sam_logon returned "
1410 "ACCESS_DENIED. Maybe the trust account "
1411 "password was changed and we didn't know it. "
1412 "Killing connections to domain %s\n",
1414 invalidate_cm_connection(&domain->conn);
1418 if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
1420 * Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
1421 * (no Ex). This happens against old Samba
1422 * DCs, if LogonSamLogonEx() fails with an error
1423 * e.g. NT_STATUS_NO_SUCH_USER or NT_STATUS_WRONG_PASSWORD.
1425 * The server will log something like this:
1426 * api_net_sam_logon_ex: Failed to marshall NET_R_SAM_LOGON_EX.
1428 * This sets the whole connection into a fault_state mode
1429 * and all following request get NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
1431 * This also happens to our retry with LogonSamLogonWithFlags()
1432 * and LogonSamLogon().
1434 * In order to recover from this situation, we need to
1435 * drop the connection.
1437 invalidate_cm_connection(&domain->conn);
1438 result = NT_STATUS_LOGON_FAILURE;
1442 } while ( (attempts < 2) && retry );
1444 if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) {
1445 DEBUG(3,("winbind_samlogon_retry_loop: sam_network_logon(ex) "
1446 "returned NT_STATUS_IO_TIMEOUT after the retry."
1447 "Killing connections to domain %s\n",
1449 invalidate_cm_connection(&domain->conn);
1454 static NTSTATUS winbindd_dual_pam_auth_samlogon(TALLOC_CTX *mem_ctx,
1455 struct winbindd_domain *domain,
1458 uint32_t request_flags,
1459 struct netr_SamInfo3 **info3)
1465 unsigned char local_nt_response[24];
1466 fstring name_domain, name_user;
1468 struct netr_SamInfo3 *my_info3 = NULL;
1472 DEBUG(10,("winbindd_dual_pam_auth_samlogon\n"));
1474 /* Parse domain and username */
1476 parse_domain_user(user, name_domain, name_user);
1478 /* do password magic */
1480 generate_random_buffer(chal, sizeof(chal));
1482 if (lp_client_ntlmv2_auth()) {
1483 DATA_BLOB server_chal;
1484 DATA_BLOB names_blob;
1485 server_chal = data_blob_const(chal, 8);
1487 /* note that the 'workgroup' here is for the local
1488 machine. The 'server name' must match the
1489 'workstation' passed to the actual SamLogon call.
1491 names_blob = NTLMv2_generate_names_blob(
1492 mem_ctx, lp_netbios_name(), lp_workgroup());
1494 if (!SMBNTLMv2encrypt(mem_ctx, name_user, name_domain,
1498 &lm_resp, &nt_resp, NULL, NULL)) {
1499 data_blob_free(&names_blob);
1500 DEBUG(0, ("winbindd_pam_auth: SMBNTLMv2encrypt() failed!\n"));
1501 result = NT_STATUS_NO_MEMORY;
1504 data_blob_free(&names_blob);
1506 lm_resp = data_blob_null;
1507 SMBNTencrypt(pass, chal, local_nt_response);
1509 nt_resp = data_blob_talloc(mem_ctx, local_nt_response,
1510 sizeof(local_nt_response));
1513 if (strequal(name_domain, get_global_sam_name())) {
1514 DATA_BLOB chal_blob = data_blob_const(chal, sizeof(chal));
1516 result = winbindd_dual_auth_passdb(
1517 mem_ctx, 0, name_domain, name_user,
1518 &chal_blob, &lm_resp, &nt_resp, info3);
1521 * We need to try the remote NETLOGON server if this is NOT_IMPLEMENTED
1523 if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
1528 /* check authentication loop */
1530 result = winbind_samlogon_retry_loop(domain,
1541 true, /* interactive */
1543 if (!NT_STATUS_IS_OK(result)) {
1547 /* handle the case where a NT4 DC does not fill in the acct_flags in
1548 * the samlogon reply info3. When accurate info3 is required by the
1549 * caller, we look up the account flags ourselve - gd */
1551 if ((request_flags & WBFLAG_PAM_INFO3_TEXT) &&
1552 NT_STATUS_IS_OK(result) && (my_info3->base.acct_flags == 0)) {
1554 struct rpc_pipe_client *samr_pipe;
1555 struct policy_handle samr_domain_handle, user_pol;
1556 union samr_UserInfo *info = NULL;
1557 NTSTATUS status_tmp, result_tmp;
1559 struct dcerpc_binding_handle *b;
1561 status_tmp = cm_connect_sam(domain, mem_ctx, false,
1562 &samr_pipe, &samr_domain_handle);
1564 if (!NT_STATUS_IS_OK(status_tmp)) {
1565 DEBUG(3, ("could not open handle to SAMR pipe: %s\n",
1566 nt_errstr(status_tmp)));
1570 b = samr_pipe->binding_handle;
1572 status_tmp = dcerpc_samr_OpenUser(b, mem_ctx,
1573 &samr_domain_handle,
1574 MAXIMUM_ALLOWED_ACCESS,
1579 if (!NT_STATUS_IS_OK(status_tmp)) {
1580 DEBUG(3, ("could not open user handle on SAMR pipe: %s\n",
1581 nt_errstr(status_tmp)));
1584 if (!NT_STATUS_IS_OK(result_tmp)) {
1585 DEBUG(3, ("could not open user handle on SAMR pipe: %s\n",
1586 nt_errstr(result_tmp)));
1590 status_tmp = dcerpc_samr_QueryUserInfo(b, mem_ctx,
1596 if (!NT_STATUS_IS_OK(status_tmp)) {
1597 DEBUG(3, ("could not query user info on SAMR pipe: %s\n",
1598 nt_errstr(status_tmp)));
1599 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result_tmp);
1602 if (!NT_STATUS_IS_OK(result_tmp)) {
1603 DEBUG(3, ("could not query user info on SAMR pipe: %s\n",
1604 nt_errstr(result_tmp)));
1605 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result_tmp);
1609 acct_flags = info->info16.acct_flags;
1611 if (acct_flags == 0) {
1612 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result_tmp);
1616 my_info3->base.acct_flags = acct_flags;
1618 DEBUG(10,("successfully retrieved acct_flags 0x%x\n", acct_flags));
1620 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result_tmp);
1628 enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
1629 struct winbindd_cli_state *state)
1631 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
1632 NTSTATUS krb5_result = NT_STATUS_OK;
1633 fstring name_domain, name_user;
1635 fstring domain_user;
1636 struct netr_SamInfo3 *info3 = NULL;
1637 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
1639 /* Ensure null termination */
1640 state->request->data.auth.user[sizeof(state->request->data.auth.user)-1]='\0';
1642 /* Ensure null termination */
1643 state->request->data.auth.pass[sizeof(state->request->data.auth.pass)-1]='\0';
1645 DEBUG(3, ("[%5lu]: dual pam auth %s\n", (unsigned long)state->pid,
1646 state->request->data.auth.user));
1648 /* Parse domain and username */
1650 name_map_status = normalize_name_unmap(state->mem_ctx,
1651 state->request->data.auth.user,
1654 /* If the name normalization didnt' actually do anything,
1655 just use the original name */
1657 if (!NT_STATUS_IS_OK(name_map_status) &&
1658 !NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
1660 mapped_user = state->request->data.auth.user;
1663 parse_domain_user(mapped_user, name_domain, name_user);
1665 if ( mapped_user != state->request->data.auth.user ) {
1666 fstr_sprintf( domain_user, "%s%c%s", name_domain,
1667 *lp_winbind_separator(),
1669 strlcpy( state->request->data.auth.user, domain_user,
1670 sizeof(state->request->data.auth.user));
1673 if (!domain->online) {
1674 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1675 if (domain->startup) {
1676 /* Logons are very important to users. If we're offline and
1677 we get a request within the first 30 seconds of startup,
1678 try very hard to find a DC and go online. */
1680 DEBUG(10,("winbindd_dual_pam_auth: domain: %s offline and auth "
1681 "request in startup mode.\n", domain->name ));
1683 winbindd_flush_negative_conn_cache(domain);
1684 result = init_dc_connection(domain, false);
1688 DEBUG(10,("winbindd_dual_pam_auth: domain: %s last was %s\n", domain->name, domain->online ? "online":"offline"));
1690 /* Check for Kerberos authentication */
1691 if (domain->online && (state->request->flags & WBFLAG_PAM_KRB5)) {
1693 result = winbindd_dual_pam_auth_kerberos(domain, state, &info3);
1694 /* save for later */
1695 krb5_result = result;
1698 if (NT_STATUS_IS_OK(result)) {
1699 DEBUG(10,("winbindd_dual_pam_auth_kerberos succeeded\n"));
1700 goto process_result;
1702 DEBUG(10,("winbindd_dual_pam_auth_kerberos failed: %s\n", nt_errstr(result)));
1705 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
1706 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
1707 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1708 DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
1709 set_domain_offline( domain );
1713 /* there are quite some NT_STATUS errors where there is no
1714 * point in retrying with a samlogon, we explictly have to take
1715 * care not to increase the bad logon counter on the DC */
1717 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_DISABLED) ||
1718 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_EXPIRED) ||
1719 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_LOCKED_OUT) ||
1720 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_LOGON_HOURS) ||
1721 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_WORKSTATION) ||
1722 NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE) ||
1723 NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER) ||
1724 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_EXPIRED) ||
1725 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE) ||
1726 NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD)) {
1730 if (state->request->flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
1731 DEBUG(3,("falling back to samlogon\n"));
1739 /* Check for Samlogon authentication */
1740 if (domain->online) {
1741 result = winbindd_dual_pam_auth_samlogon(
1742 state->mem_ctx, domain,
1743 state->request->data.auth.user,
1744 state->request->data.auth.pass,
1745 state->request->flags,
1748 if (NT_STATUS_IS_OK(result)) {
1749 DEBUG(10,("winbindd_dual_pam_auth_samlogon succeeded\n"));
1750 /* add the Krb5 err if we have one */
1751 if ( NT_STATUS_EQUAL(krb5_result, NT_STATUS_TIME_DIFFERENCE_AT_DC ) ) {
1752 info3->base.user_flags |= LOGON_KRB5_FAIL_CLOCK_SKEW;
1754 goto process_result;
1757 DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n",
1758 nt_errstr(result)));
1760 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
1761 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
1762 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND))
1764 DEBUG(10,("winbindd_dual_pam_auth_samlogon setting domain to offline\n"));
1765 set_domain_offline( domain );
1769 if (domain->online) {
1770 /* We're still online - fail. */
1776 /* Check for Cached logons */
1777 if (!domain->online && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN) &&
1778 lp_winbind_offline_logon()) {
1780 result = winbindd_dual_pam_auth_cached(domain, state, &info3);
1782 if (NT_STATUS_IS_OK(result)) {
1783 DEBUG(10,("winbindd_dual_pam_auth_cached succeeded\n"));
1784 goto process_result;
1786 DEBUG(10,("winbindd_dual_pam_auth_cached failed: %s\n", nt_errstr(result)));
1793 if (NT_STATUS_IS_OK(result)) {
1795 struct dom_sid user_sid;
1797 /* In all codepaths where result == NT_STATUS_OK info3 must have
1798 been initialized. */
1800 result = NT_STATUS_INTERNAL_ERROR;
1804 sid_compose(&user_sid, info3->base.domain_sid,
1807 wcache_invalidate_samlogon(find_domain_from_name(name_domain),
1809 netsamlogon_cache_store(name_user, info3);
1811 /* save name_to_sid info as early as possible (only if
1812 this is our primary domain so we don't invalidate
1813 the cache entry by storing the seq_num for the wrong
1815 if ( domain->primary ) {
1816 cache_name2sid(domain, name_domain, name_user,
1817 SID_NAME_USER, &user_sid);
1820 /* Check if the user is in the right group */
1822 result = check_info3_in_group(
1824 state->request->data.auth.require_membership_of_sid);
1825 if (!NT_STATUS_IS_OK(result)) {
1826 DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
1827 state->request->data.auth.user,
1828 state->request->data.auth.require_membership_of_sid));
1832 result = append_auth_data(state->mem_ctx, state->response,
1833 state->request->flags, info3,
1834 name_domain, name_user);
1835 if (!NT_STATUS_IS_OK(result)) {
1839 if ((state->request->flags & WBFLAG_PAM_CACHED_LOGIN)
1840 && lp_winbind_offline_logon()) {
1842 result = winbindd_store_creds(domain,
1843 state->request->data.auth.user,
1844 state->request->data.auth.pass,
1848 if (state->request->flags & WBFLAG_PAM_GET_PWD_POLICY) {
1849 struct winbindd_domain *our_domain = find_our_domain();
1851 /* This is not entirely correct I believe, but it is
1852 consistent. Only apply the password policy settings
1853 too warn users for our own domain. Cannot obtain these
1854 from trusted DCs all the time so don't do it at all.
1857 result = NT_STATUS_NOT_SUPPORTED;
1858 if (our_domain == domain ) {
1859 result = fillup_password_policy(
1860 our_domain, state->response);
1863 if (!NT_STATUS_IS_OK(result)
1864 && !NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) )
1866 DEBUG(10,("Failed to get password policies for domain %s: %s\n",
1867 domain->name, nt_errstr(result)));
1872 result = NT_STATUS_OK;
1876 /* give us a more useful (more correct?) error code */
1877 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
1878 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
1879 result = NT_STATUS_NO_LOGON_SERVERS;
1882 set_auth_errors(state->response, result);
1884 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
1885 state->request->data.auth.user,
1886 state->response->data.auth.nt_status_string,
1887 state->response->data.auth.pam_error));
1889 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1892 NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
1893 TALLOC_CTX *mem_ctx,
1894 uint32_t logon_parameters,
1895 const char *name_user,
1896 const char *name_domain,
1897 const char *workstation,
1898 const uint8_t chal[8],
1899 DATA_BLOB lm_response,
1900 DATA_BLOB nt_response,
1901 struct netr_SamInfo3 **info3)
1905 if (strequal(name_domain, get_global_sam_name())) {
1906 DATA_BLOB chal_blob = data_blob_const(
1909 result = winbindd_dual_auth_passdb(
1912 name_domain, name_user,
1913 &chal_blob, &lm_response, &nt_response, info3);
1916 * We need to try the remote NETLOGON server if this is NOT_IMPLEMENTED
1918 if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
1919 goto process_result;
1923 result = winbind_samlogon_retry_loop(domain,
1928 NULL, /* password */
1930 /* Bug #3248 - found by Stefan Burkei. */
1931 workstation, /* We carefully set this above so use it... */
1935 false, /* interactive */
1937 if (!NT_STATUS_IS_OK(result)) {
1943 if (NT_STATUS_IS_OK(result)) {
1944 struct dom_sid user_sid;
1946 sid_compose(&user_sid, (*info3)->base.domain_sid,
1947 (*info3)->base.rid);
1948 wcache_invalidate_samlogon(find_domain_from_name(name_domain),
1950 netsamlogon_cache_store(name_user, *info3);
1955 /* give us a more useful (more correct?) error code */
1956 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
1957 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
1958 result = NT_STATUS_NO_LOGON_SERVERS;
1961 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
1962 ("NTLM CRAP authentication for user [%s]\\[%s] returned %s\n",
1965 nt_errstr(result)));
1970 enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
1971 struct winbindd_cli_state *state)
1974 struct netr_SamInfo3 *info3 = NULL;
1975 const char *name_user = NULL;
1976 const char *name_domain = NULL;
1977 const char *workstation;
1979 DATA_BLOB lm_resp, nt_resp;
1981 /* This is child-only, so no check for privileged access is needed
1984 /* Ensure null termination */
1985 state->request->data.auth_crap.user[sizeof(state->request->data.auth_crap.user)-1]=0;
1986 state->request->data.auth_crap.domain[sizeof(state->request->data.auth_crap.domain)-1]=0;
1988 name_user = state->request->data.auth_crap.user;
1989 name_domain = state->request->data.auth_crap.domain;
1990 workstation = state->request->data.auth_crap.workstation;
1992 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
1993 name_domain, name_user));
1995 if (state->request->data.auth_crap.lm_resp_len > sizeof(state->request->data.auth_crap.lm_resp)
1996 || state->request->data.auth_crap.nt_resp_len > sizeof(state->request->data.auth_crap.nt_resp)) {
1997 if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
1998 state->request->extra_len != state->request->data.auth_crap.nt_resp_len) {
1999 DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
2000 state->request->data.auth_crap.lm_resp_len,
2001 state->request->data.auth_crap.nt_resp_len));
2002 result = NT_STATUS_INVALID_PARAMETER;
2007 lm_resp = data_blob_talloc(state->mem_ctx, state->request->data.auth_crap.lm_resp,
2008 state->request->data.auth_crap.lm_resp_len);
2010 if (state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) {
2011 nt_resp = data_blob_talloc(state->mem_ctx,
2012 state->request->extra_data.data,
2013 state->request->data.auth_crap.nt_resp_len);
2015 nt_resp = data_blob_talloc(state->mem_ctx,
2016 state->request->data.auth_crap.nt_resp,
2017 state->request->data.auth_crap.nt_resp_len);
2020 result = winbind_dual_SamLogon(domain,
2022 state->request->data.auth_crap.logon_parameters,
2025 /* Bug #3248 - found by Stefan Burkei. */
2026 workstation, /* We carefully set this above so use it... */
2027 state->request->data.auth_crap.chal,
2031 if (!NT_STATUS_IS_OK(result)) {
2035 if (NT_STATUS_IS_OK(result)) {
2036 /* Check if the user is in the right group */
2038 result = check_info3_in_group(
2040 state->request->data.auth_crap.require_membership_of_sid);
2041 if (!NT_STATUS_IS_OK(result)) {
2042 DEBUG(3, ("User %s is not in the required group (%s), so "
2043 "crap authentication is rejected\n",
2044 state->request->data.auth_crap.user,
2045 state->request->data.auth_crap.require_membership_of_sid));
2049 result = append_auth_data(state->mem_ctx, state->response,
2050 state->request->flags, info3,
2051 name_domain, name_user);
2052 if (!NT_STATUS_IS_OK(result)) {
2059 if (state->request->flags & WBFLAG_PAM_NT_STATUS_SQUASH) {
2060 result = nt_status_squash(result);
2063 set_auth_errors(state->response, result);
2065 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2068 enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact_domain,
2069 struct winbindd_cli_state *state)
2072 char *newpass = NULL;
2073 struct policy_handle dom_pol;
2074 struct rpc_pipe_client *cli = NULL;
2075 bool got_info = false;
2076 struct samr_DomInfo1 *info = NULL;
2077 struct userPwdChangeFailureInformation *reject = NULL;
2078 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2079 fstring domain, user;
2080 struct dcerpc_binding_handle *b = NULL;
2082 ZERO_STRUCT(dom_pol);
2084 DEBUG(3, ("[%5lu]: dual pam chauthtok %s\n", (unsigned long)state->pid,
2085 state->request->data.auth.user));
2087 if (!parse_domain_user(state->request->data.chauthtok.user, domain, user)) {
2091 /* Change password */
2093 oldpass = state->request->data.chauthtok.oldpass;
2094 newpass = state->request->data.chauthtok.newpass;
2096 /* Initialize reject reason */
2097 state->response->data.auth.reject_reason = Undefined;
2099 /* Get sam handle */
2101 result = cm_connect_sam(contact_domain, state->mem_ctx, true, &cli,
2103 if (!NT_STATUS_IS_OK(result)) {
2104 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
2108 b = cli->binding_handle;
2110 result = rpccli_samr_chgpasswd_user3(cli, state->mem_ctx,
2117 /* Windows 2003 returns NT_STATUS_PASSWORD_RESTRICTION */
2119 if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) ) {
2121 fill_in_password_policy(state->response, info);
2123 state->response->data.auth.reject_reason =
2124 reject->extendedFailureReason;
2129 /* atm the pidl generated rpccli_samr_ChangePasswordUser3 function will
2130 * return with NT_STATUS_BUFFER_TOO_SMALL for w2k dcs as w2k just
2131 * returns with 4byte error code (NT_STATUS_NOT_SUPPORTED) which is too
2132 * short to comply with the samr_ChangePasswordUser3 idl - gd */
2134 /* only fallback when the chgpasswd_user3 call is not supported */
2135 if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE) ||
2136 NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) ||
2137 NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL) ||
2138 NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
2140 DEBUG(10,("Password change with chgpasswd_user3 failed with: %s, retrying chgpasswd_user2\n",
2141 nt_errstr(result)));
2143 result = rpccli_samr_chgpasswd_user2(cli, state->mem_ctx, user, newpass, oldpass);
2145 /* Windows 2000 returns NT_STATUS_ACCOUNT_RESTRICTION.
2146 Map to the same status code as Windows 2003. */
2148 if ( NT_STATUS_EQUAL(NT_STATUS_ACCOUNT_RESTRICTION, result ) ) {
2149 result = NT_STATUS_PASSWORD_RESTRICTION;
2155 if (NT_STATUS_IS_OK(result)
2156 && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN)
2157 && lp_winbind_offline_logon()) {
2158 result = winbindd_update_creds_by_name(contact_domain, user,
2160 /* Again, this happens when we login from gdm or xdm
2161 * and the password expires, *BUT* cached crendentials
2162 * doesn't exist. winbindd_update_creds_by_name()
2163 * returns NT_STATUS_NO_SUCH_USER.
2164 * This is not a failure.
2167 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
2168 result = NT_STATUS_OK;
2171 if (!NT_STATUS_IS_OK(result)) {
2172 DEBUG(10, ("Failed to store creds: %s\n",
2173 nt_errstr(result)));
2174 goto process_result;
2178 if (!NT_STATUS_IS_OK(result) && !got_info && contact_domain) {
2180 NTSTATUS policy_ret;
2182 policy_ret = fillup_password_policy(
2183 contact_domain, state->response);
2185 /* failure of this is non critical, it will just provide no
2186 * additional information to the client why the change has
2187 * failed - Guenther */
2189 if (!NT_STATUS_IS_OK(policy_ret)) {
2190 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(policy_ret)));
2191 goto process_result;
2197 if (strequal(contact_domain->name, get_global_sam_name())) {
2198 /* FIXME: internal rpc pipe does not cache handles yet */
2200 if (is_valid_policy_hnd(&dom_pol)) {
2202 dcerpc_samr_Close(b, state->mem_ctx, &dom_pol, &_result);
2208 set_auth_errors(state->response, result);
2210 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2211 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2214 state->response->data.auth.nt_status_string,
2215 state->response->data.auth.pam_error));
2217 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2220 enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
2221 struct winbindd_cli_state *state)
2223 NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
2225 DEBUG(3, ("[%5lu]: pam dual logoff %s\n", (unsigned long)state->pid,
2226 state->request->data.logoff.user));
2228 if (!(state->request->flags & WBFLAG_PAM_KRB5)) {
2229 result = NT_STATUS_OK;
2230 goto process_result;
2233 if (state->request->data.logoff.krb5ccname[0] == '\0') {
2234 result = NT_STATUS_OK;
2235 goto process_result;
2240 if (state->request->data.logoff.uid < 0) {
2241 DEBUG(0,("winbindd_pam_logoff: invalid uid\n"));
2242 goto process_result;
2245 /* what we need here is to find the corresponding krb5 ccache name *we*
2246 * created for a given username and destroy it */
2248 if (!ccache_entry_exists(state->request->data.logoff.user)) {
2249 result = NT_STATUS_OK;
2250 DEBUG(10,("winbindd_pam_logoff: no entry found.\n"));
2251 goto process_result;
2254 if (!ccache_entry_identical(state->request->data.logoff.user,
2255 state->request->data.logoff.uid,
2256 state->request->data.logoff.krb5ccname)) {
2257 DEBUG(0,("winbindd_pam_logoff: cached entry differs.\n"));
2258 goto process_result;
2261 result = remove_ccache(state->request->data.logoff.user);
2262 if (!NT_STATUS_IS_OK(result)) {
2263 DEBUG(0,("winbindd_pam_logoff: failed to remove ccache: %s\n",
2264 nt_errstr(result)));
2265 goto process_result;
2269 * Remove any mlock'ed memory creds in the child
2270 * we might be using for krb5 ticket renewal.
2273 winbindd_delete_memory_creds(state->request->data.logoff.user);
2276 result = NT_STATUS_NOT_SUPPORTED;
2282 set_auth_errors(state->response, result);
2284 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2287 /* Change user password with auth crap*/
2289 enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domain *domainSt, struct winbindd_cli_state *state)
2292 DATA_BLOB new_nt_password;
2293 DATA_BLOB old_nt_hash_enc;
2294 DATA_BLOB new_lm_password;
2295 DATA_BLOB old_lm_hash_enc;
2296 fstring domain,user;
2297 struct policy_handle dom_pol;
2298 struct winbindd_domain *contact_domain = domainSt;
2299 struct rpc_pipe_client *cli = NULL;
2300 struct dcerpc_binding_handle *b = NULL;
2302 ZERO_STRUCT(dom_pol);
2304 /* Ensure null termination */
2305 state->request->data.chng_pswd_auth_crap.user[
2306 sizeof(state->request->data.chng_pswd_auth_crap.user)-1]=0;
2307 state->request->data.chng_pswd_auth_crap.domain[
2308 sizeof(state->request->data.chng_pswd_auth_crap.domain)-1]=0;
2312 DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
2313 (unsigned long)state->pid,
2314 state->request->data.chng_pswd_auth_crap.domain,
2315 state->request->data.chng_pswd_auth_crap.user));
2317 if (lp_winbind_offline_logon()) {
2318 DEBUG(0,("Refusing password change as winbind offline logons are enabled. "));
2319 DEBUGADD(0,("Changing passwords here would risk inconsistent logons\n"));
2320 result = NT_STATUS_ACCESS_DENIED;
2324 if (*state->request->data.chng_pswd_auth_crap.domain) {
2325 fstrcpy(domain,state->request->data.chng_pswd_auth_crap.domain);
2327 parse_domain_user(state->request->data.chng_pswd_auth_crap.user,
2331 DEBUG(3,("no domain specified with username (%s) - "
2333 state->request->data.chng_pswd_auth_crap.user));
2334 result = NT_STATUS_NO_SUCH_USER;
2339 if (!*domain && lp_winbind_use_default_domain()) {
2340 fstrcpy(domain,lp_workgroup());
2344 fstrcpy(user, state->request->data.chng_pswd_auth_crap.user);
2347 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n",
2348 (unsigned long)state->pid, domain, user));
2350 /* Change password */
2351 new_nt_password = data_blob_const(
2352 state->request->data.chng_pswd_auth_crap.new_nt_pswd,
2353 state->request->data.chng_pswd_auth_crap.new_nt_pswd_len);
2355 old_nt_hash_enc = data_blob_const(
2356 state->request->data.chng_pswd_auth_crap.old_nt_hash_enc,
2357 state->request->data.chng_pswd_auth_crap.old_nt_hash_enc_len);
2359 if(state->request->data.chng_pswd_auth_crap.new_lm_pswd_len > 0) {
2360 new_lm_password = data_blob_const(
2361 state->request->data.chng_pswd_auth_crap.new_lm_pswd,
2362 state->request->data.chng_pswd_auth_crap.new_lm_pswd_len);
2364 old_lm_hash_enc = data_blob_const(
2365 state->request->data.chng_pswd_auth_crap.old_lm_hash_enc,
2366 state->request->data.chng_pswd_auth_crap.old_lm_hash_enc_len);
2368 new_lm_password = data_blob_null;
2369 old_lm_hash_enc = data_blob_null;
2372 /* Get sam handle */
2374 result = cm_connect_sam(contact_domain, state->mem_ctx, true, &cli, &dom_pol);
2375 if (!NT_STATUS_IS_OK(result)) {
2376 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
2380 b = cli->binding_handle;
2382 result = rpccli_samr_chng_pswd_auth_crap(
2383 cli, state->mem_ctx, user, new_nt_password, old_nt_hash_enc,
2384 new_lm_password, old_lm_hash_enc);
2388 if (strequal(contact_domain->name, get_global_sam_name())) {
2389 /* FIXME: internal rpc pipe does not cache handles yet */
2391 if (is_valid_policy_hnd(&dom_pol)) {
2393 dcerpc_samr_Close(b, state->mem_ctx, &dom_pol, &_result);
2399 set_auth_errors(state->response, result);
2401 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2402 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2404 state->response->data.auth.nt_status_string,
2405 state->response->data.auth.pam_error));
2407 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2411 static NTSTATUS extract_pac_vrfy_sigs(TALLOC_CTX *mem_ctx, DATA_BLOB pac_blob,
2412 struct PAC_LOGON_INFO **logon_info)
2414 krb5_context krbctx = NULL;
2415 krb5_error_code k5ret;
2417 krb5_kt_cursor cursor;
2418 krb5_keytab_entry entry;
2419 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
2422 ZERO_STRUCT(cursor);
2424 k5ret = krb5_init_context(&krbctx);
2426 DEBUG(1, ("Failed to initialize kerberos context: %s\n",
2427 error_message(k5ret)));
2428 status = krb5_to_nt_status(k5ret);
2432 k5ret = gse_krb5_get_server_keytab(krbctx, &keytab);
2434 DEBUG(1, ("Failed to get keytab: %s\n",
2435 error_message(k5ret)));
2436 status = krb5_to_nt_status(k5ret);
2440 k5ret = krb5_kt_start_seq_get(krbctx, keytab, &cursor);
2442 DEBUG(1, ("Failed to start seq: %s\n",
2443 error_message(k5ret)));
2444 status = krb5_to_nt_status(k5ret);
2448 k5ret = krb5_kt_next_entry(krbctx, keytab, &entry, &cursor);
2449 while (k5ret == 0) {
2450 status = kerberos_pac_logon_info(mem_ctx, pac_blob,
2452 KRB5_KT_KEY(&entry), NULL, 0,
2454 if (NT_STATUS_IS_OK(status)) {
2457 k5ret = smb_krb5_kt_free_entry(krbctx, &entry);
2458 k5ret = krb5_kt_next_entry(krbctx, keytab, &entry, &cursor);
2461 k5ret = krb5_kt_end_seq_get(krbctx, keytab, &cursor);
2463 DEBUG(1, ("Failed to end seq: %s\n",
2464 error_message(k5ret)));
2467 k5ret = krb5_kt_close(krbctx, keytab);
2469 DEBUG(1, ("Failed to close keytab: %s\n",
2470 error_message(k5ret)));
2473 krb5_free_context(krbctx);
2478 NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
2479 struct netr_SamInfo3 **info3)
2481 struct winbindd_request *req = state->request;
2483 struct PAC_LOGON_INFO *logon_info = NULL;
2484 struct netr_SamInfo3 *info3_copy = NULL;
2487 pac_blob = data_blob_const(req->extra_data.data, req->extra_len);
2488 result = extract_pac_vrfy_sigs(state->mem_ctx, pac_blob, &logon_info);
2489 if (!NT_STATUS_IS_OK(result) &&
2490 !NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
2491 DEBUG(1, ("Error during PAC signature verification: %s\n",
2492 nt_errstr(result)));
2497 /* Signature verification succeeded, trust the PAC */
2498 result = create_info3_from_pac_logon_info(state->mem_ctx,
2501 if (!NT_STATUS_IS_OK(result)) {
2504 netsamlogon_cache_store(NULL, info3_copy);
2507 /* Try without signature verification */
2508 result = kerberos_pac_logon_info(state->mem_ctx, pac_blob, NULL,
2509 NULL, NULL, NULL, 0,
2511 if (!NT_STATUS_IS_OK(result)) {
2512 DEBUG(10, ("Could not extract PAC: %s\n",
2513 nt_errstr(result)));
2518 * Don't strictly need to copy here,
2519 * but it makes it explicit we're
2520 * returning a copy talloc'ed off
2521 * the state->mem_ctx.
2523 info3_copy = copy_netr_SamInfo3(state->mem_ctx,
2524 &logon_info->info3);
2525 if (info3_copy == NULL) {
2526 return NT_STATUS_NO_MEMORY;
2531 *info3 = info3_copy;
2533 return NT_STATUS_OK;
2535 #else /* HAVE_KRB5 */
2536 NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
2537 struct netr_SamInfo3 **info3)
2539 return NT_STATUS_NO_SUCH_USER;
2541 #endif /* HAVE_KRB5 */