2 Unix SMB/CIFS implementation.
4 Winbind daemon - pam auth funcions
6 Copyright (C) Andrew Tridgell 2000
7 Copyright (C) Tim Potter 2001
8 Copyright (C) Andrew Bartlett 2001-2002
9 Copyright (C) Guenther Deschner 2005
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include "../libcli/auth/libcli_auth.h"
28 #include "../librpc/gen_ndr/cli_samr.h"
32 #define DBGC_CLASS DBGC_WINBIND
34 #define LOGON_KRB5_FAIL_CLOCK_SKEW 0x02000000
36 static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx,
37 struct winbindd_cli_state *state,
38 struct netr_SamInfo3 *info3)
43 state->response->data.auth.info3.logon_time =
44 nt_time_to_unix(info3->base.last_logon);
45 state->response->data.auth.info3.logoff_time =
46 nt_time_to_unix(info3->base.last_logoff);
47 state->response->data.auth.info3.kickoff_time =
48 nt_time_to_unix(info3->base.acct_expiry);
49 state->response->data.auth.info3.pass_last_set_time =
50 nt_time_to_unix(info3->base.last_password_change);
51 state->response->data.auth.info3.pass_can_change_time =
52 nt_time_to_unix(info3->base.allow_password_change);
53 state->response->data.auth.info3.pass_must_change_time =
54 nt_time_to_unix(info3->base.force_password_change);
56 state->response->data.auth.info3.logon_count = info3->base.logon_count;
57 state->response->data.auth.info3.bad_pw_count = info3->base.bad_password_count;
59 state->response->data.auth.info3.user_rid = info3->base.rid;
60 state->response->data.auth.info3.group_rid = info3->base.primary_gid;
61 sid_to_fstring(state->response->data.auth.info3.dom_sid, info3->base.domain_sid);
63 state->response->data.auth.info3.num_groups = info3->base.groups.count;
64 state->response->data.auth.info3.user_flgs = info3->base.user_flags;
66 state->response->data.auth.info3.acct_flags = info3->base.acct_flags;
67 state->response->data.auth.info3.num_other_sids = info3->sidcount;
69 fstrcpy(state->response->data.auth.info3.user_name,
70 info3->base.account_name.string);
71 fstrcpy(state->response->data.auth.info3.full_name,
72 info3->base.full_name.string);
73 fstrcpy(state->response->data.auth.info3.logon_script,
74 info3->base.logon_script.string);
75 fstrcpy(state->response->data.auth.info3.profile_path,
76 info3->base.profile_path.string);
77 fstrcpy(state->response->data.auth.info3.home_dir,
78 info3->base.home_directory.string);
79 fstrcpy(state->response->data.auth.info3.dir_drive,
80 info3->base.home_drive.string);
82 fstrcpy(state->response->data.auth.info3.logon_srv,
83 info3->base.logon_server.string);
84 fstrcpy(state->response->data.auth.info3.logon_dom,
85 info3->base.domain.string);
87 ex = talloc_strdup(state->mem_ctx, "");
88 NT_STATUS_HAVE_NO_MEMORY(ex);
90 for (i=0; i < info3->base.groups.count; i++) {
91 ex = talloc_asprintf_append_buffer(ex, "0x%08X:0x%08X\n",
92 info3->base.groups.rids[i].rid,
93 info3->base.groups.rids[i].attributes);
94 NT_STATUS_HAVE_NO_MEMORY(ex);
97 for (i=0; i < info3->sidcount; i++) {
100 sid = dom_sid_string(mem_ctx, info3->sids[i].sid);
101 NT_STATUS_HAVE_NO_MEMORY(sid);
103 ex = talloc_asprintf_append_buffer(ex, "%s:0x%08X\n",
105 info3->sids[i].attributes);
106 NT_STATUS_HAVE_NO_MEMORY(ex);
111 state->response->extra_data.data = ex;
112 state->response->length += talloc_get_size(ex);
117 static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx,
118 struct winbindd_cli_state *state,
119 struct netr_SamInfo3 *info3)
122 enum ndr_err_code ndr_err;
124 ndr_err = ndr_push_struct_blob(&blob, mem_ctx, NULL, info3,
125 (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3);
126 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
127 DEBUG(0,("append_info3_as_ndr: failed to append\n"));
128 return ndr_map_error2ntstatus(ndr_err);
131 state->response->extra_data.data = blob.data;
132 state->response->length += blob.length;
137 static NTSTATUS append_unix_username(TALLOC_CTX *mem_ctx,
138 struct winbindd_cli_state *state,
139 const struct netr_SamInfo3 *info3,
140 const char *name_domain,
141 const char *name_user)
143 /* We've been asked to return the unix username, per
144 'winbind use default domain' settings and the like */
146 const char *nt_username, *nt_domain;
148 nt_domain = talloc_strdup(mem_ctx, info3->base.domain.string);
150 /* If the server didn't give us one, just use the one
152 nt_domain = name_domain;
155 nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
157 /* If the server didn't give us one, just use the one
159 nt_username = name_user;
162 fill_domain_username(state->response->data.auth.unix_username,
163 nt_domain, nt_username, true);
165 DEBUG(5,("Setting unix username to [%s]\n",
166 state->response->data.auth.unix_username));
171 static NTSTATUS append_afs_token(TALLOC_CTX *mem_ctx,
172 struct winbindd_cli_state *state,
173 const struct netr_SamInfo3 *info3,
174 const char *name_domain,
175 const char *name_user)
177 char *afsname = NULL;
181 afsname = talloc_strdup(mem_ctx, lp_afs_username_map());
182 if (afsname == NULL) {
183 return NT_STATUS_NO_MEMORY;
186 afsname = talloc_string_sub(mem_ctx,
187 lp_afs_username_map(),
189 afsname = talloc_string_sub(mem_ctx, afsname,
191 afsname = talloc_string_sub(mem_ctx, afsname,
198 sid_copy(&user_sid, info3->base.domain_sid);
199 sid_append_rid(&user_sid, info3->base.rid);
200 sid_to_fstring(sidstr, &user_sid);
201 afsname = talloc_string_sub(mem_ctx, afsname,
205 if (afsname == NULL) {
206 return NT_STATUS_NO_MEMORY;
211 DEBUG(10, ("Generating token for user %s\n", afsname));
213 cell = strchr(afsname, '@');
216 return NT_STATUS_NO_MEMORY;
222 token = afs_createtoken_str(afsname, cell);
226 state->response->extra_data.data = talloc_strdup(state->mem_ctx,
228 if (state->response->extra_data.data == NULL) {
229 return NT_STATUS_NO_MEMORY;
231 state->response->length +=
232 strlen((const char *)state->response->extra_data.data)+1;
237 NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
238 const char *group_sid)
240 * Check whether a user belongs to a group or list of groups.
242 * @param mem_ctx talloc memory context.
243 * @param info3 user information, including group membership info.
244 * @param group_sid One or more groups , separated by commas.
246 * @return NT_STATUS_OK on success,
247 * NT_STATUS_LOGON_FAILURE if the user does not belong,
248 * or other NT_STATUS_IS_ERR(status) for other kinds of failure.
251 DOM_SID *require_membership_of_sid;
252 size_t num_require_membership_of_sid;
257 struct nt_user_token *token;
258 TALLOC_CTX *frame = talloc_stackframe();
261 /* Parse the 'required group' SID */
263 if (!group_sid || !group_sid[0]) {
264 /* NO sid supplied, all users may access */
268 token = talloc_zero(talloc_tos(), struct nt_user_token);
270 DEBUG(0, ("talloc failed\n"));
272 return NT_STATUS_NO_MEMORY;
275 num_require_membership_of_sid = 0;
276 require_membership_of_sid = NULL;
280 while (next_token_talloc(talloc_tos(), &p, &req_sid, ",")) {
281 if (!string_to_sid(&sid, req_sid)) {
282 DEBUG(0, ("check_info3_in_group: could not parse %s "
283 "as a SID!", req_sid));
285 return NT_STATUS_INVALID_PARAMETER;
288 status = add_sid_to_array(talloc_tos(), &sid,
289 &require_membership_of_sid,
290 &num_require_membership_of_sid);
291 if (!NT_STATUS_IS_OK(status)) {
292 DEBUG(0, ("add_sid_to_array failed\n"));
298 status = sid_array_from_info3(talloc_tos(), info3,
302 if (!NT_STATUS_IS_OK(status)) {
307 if (!NT_STATUS_IS_OK(status = add_aliases(get_global_sam_sid(),
309 || !NT_STATUS_IS_OK(status = add_aliases(&global_sid_Builtin,
311 DEBUG(3, ("could not add aliases: %s\n",
317 debug_nt_user_token(DBGC_CLASS, 10, token);
319 for (i=0; i<num_require_membership_of_sid; i++) {
320 DEBUG(10, ("Checking SID %s\n", sid_string_dbg(
321 &require_membership_of_sid[i])));
322 if (nt_token_check_sid(&require_membership_of_sid[i],
324 DEBUG(10, ("Access ok\n"));
330 /* Do not distinguish this error from a wrong username/pw */
333 return NT_STATUS_LOGON_FAILURE;
336 struct winbindd_domain *find_auth_domain(uint8_t flags,
337 const char *domain_name)
339 struct winbindd_domain *domain;
342 domain = find_domain_from_name_noinit(domain_name);
343 if (domain == NULL) {
344 DEBUG(3, ("Authentication for domain [%s] refused "
345 "as it is not a trusted domain\n",
351 if (is_myname(domain_name)) {
352 DEBUG(3, ("Authentication for domain %s (local domain "
353 "to this server) not supported at this "
354 "stage\n", domain_name));
358 /* we can auth against trusted domains */
359 if (flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
360 domain = find_domain_from_name_noinit(domain_name);
361 if (domain == NULL) {
362 DEBUG(3, ("Authentication for domain [%s] skipped "
363 "as it is not a trusted domain\n",
370 return find_our_domain();
373 static void fill_in_password_policy(struct winbindd_response *r,
374 const struct samr_DomInfo1 *p)
376 r->data.auth.policy.min_length_password =
377 p->min_password_length;
378 r->data.auth.policy.password_history =
379 p->password_history_length;
380 r->data.auth.policy.password_properties =
381 p->password_properties;
382 r->data.auth.policy.expire =
383 nt_time_to_unix_abs((NTTIME *)&(p->max_password_age));
384 r->data.auth.policy.min_passwordage =
385 nt_time_to_unix_abs((NTTIME *)&(p->min_password_age));
388 static NTSTATUS fillup_password_policy(struct winbindd_domain *domain,
389 struct winbindd_cli_state *state)
391 struct winbindd_methods *methods;
392 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
393 struct samr_DomInfo1 password_policy;
395 if ( !winbindd_can_contact_domain( domain ) ) {
396 DEBUG(5,("fillup_password_policy: No inbound trust to "
397 "contact domain %s\n", domain->name));
398 return NT_STATUS_NOT_SUPPORTED;
401 methods = domain->methods;
403 status = methods->password_policy(domain, state->mem_ctx, &password_policy);
404 if (NT_STATUS_IS_ERR(status)) {
408 fill_in_password_policy(state->response, &password_policy);
413 static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain *domain,
415 uint16 *lockout_threshold)
417 struct winbindd_methods *methods;
418 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
419 struct samr_DomInfo12 lockout_policy;
421 *lockout_threshold = 0;
423 methods = domain->methods;
425 status = methods->lockout_policy(domain, mem_ctx, &lockout_policy);
426 if (NT_STATUS_IS_ERR(status)) {
430 *lockout_threshold = lockout_policy.lockout_threshold;
435 static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
437 uint32 *password_properties)
439 struct winbindd_methods *methods;
440 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
441 struct samr_DomInfo1 password_policy;
443 *password_properties = 0;
445 methods = domain->methods;
447 status = methods->password_policy(domain, mem_ctx, &password_policy);
448 if (NT_STATUS_IS_ERR(status)) {
452 *password_properties = password_policy.password_properties;
459 static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
462 bool *internal_ccache)
464 /* accept FILE and WRFILE as krb5_cc_type from the client and then
465 * build the full ccname string based on the user's uid here -
468 const char *gen_cc = NULL;
470 *internal_ccache = true;
476 if (!type || type[0] == '\0') {
480 if (strequal(type, "FILE")) {
481 gen_cc = talloc_asprintf(mem_ctx, "FILE:/tmp/krb5cc_%d", uid);
482 } else if (strequal(type, "WRFILE")) {
483 gen_cc = talloc_asprintf(mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
485 DEBUG(10,("we don't allow to set a %s type ccache\n", type));
489 *internal_ccache = false;
493 gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbindd_pam_ccache");
496 if (gen_cc == NULL) {
497 DEBUG(0,("out of memory\n"));
501 DEBUG(10,("using ccache: %s %s\n", gen_cc, *internal_ccache ? "(internal)":""));
506 static void setup_return_cc_name(struct winbindd_cli_state *state, const char *cc)
508 const char *type = state->request->data.auth.krb5_cc_type;
510 state->response->data.auth.krb5ccname[0] = '\0';
512 if (type[0] == '\0') {
516 if (!strequal(type, "FILE") &&
517 !strequal(type, "WRFILE")) {
518 DEBUG(10,("won't return krbccname for a %s type ccache\n",
523 fstrcpy(state->response->data.auth.krb5ccname, cc);
528 static uid_t get_uid_from_state(struct winbindd_cli_state *state)
532 uid = state->request->data.auth.uid;
535 DEBUG(1,("invalid uid: '%u'\n", (unsigned int)uid));
541 /**********************************************************************
542 Authenticate a user with a clear text password using Kerberos and fill up
544 **********************************************************************/
546 static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
547 struct winbindd_cli_state *state,
548 struct netr_SamInfo3 **info3)
551 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
552 krb5_error_code krb5_ret;
553 const char *cc = NULL;
554 const char *principal_s = NULL;
555 const char *service = NULL;
557 fstring name_domain, name_user;
558 time_t ticket_lifetime = 0;
559 time_t renewal_until = 0;
562 time_t time_offset = 0;
563 bool internal_ccache = true;
570 * prepare a krb5_cc_cache string for the user */
572 uid = get_uid_from_state(state);
574 DEBUG(0,("no valid uid\n"));
577 cc = generate_krb5_ccache(state->mem_ctx,
578 state->request->data.auth.krb5_cc_type,
579 state->request->data.auth.uid,
582 return NT_STATUS_NO_MEMORY;
587 * get kerberos properties */
589 if (domain->private_data) {
590 ads = (ADS_STRUCT *)domain->private_data;
591 time_offset = ads->auth.time_offset;
596 * do kerberos auth and setup ccache as the user */
598 parse_domain_user(state->request->data.auth.user, name_domain, name_user);
600 realm = domain->alt_name;
603 principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
604 if (principal_s == NULL) {
605 return NT_STATUS_NO_MEMORY;
608 service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
609 if (service == NULL) {
610 return NT_STATUS_NO_MEMORY;
613 /* if this is a user ccache, we need to act as the user to let the krb5
614 * library handle the chown, etc. */
616 /************************ ENTERING NON-ROOT **********************/
618 if (!internal_ccache) {
619 set_effective_uid(uid);
620 DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
623 result = kerberos_return_info3_from_pac(state->mem_ctx,
625 state->request->data.auth.pass,
632 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
635 if (!internal_ccache) {
636 gain_root_privilege();
639 /************************ RETURNED TO ROOT **********************/
641 if (!NT_STATUS_IS_OK(result)) {
645 DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
648 /* if we had a user's ccache then return that string for the pam
651 if (!internal_ccache) {
653 setup_return_cc_name(state, cc);
655 result = add_ccache_to_list(principal_s,
658 state->request->data.auth.user,
659 state->request->data.auth.pass,
667 if (!NT_STATUS_IS_OK(result)) {
668 DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
673 /* need to delete the memory cred cache, it is not used anymore */
675 krb5_ret = ads_kdestroy(cc);
677 DEBUG(3,("winbindd_raw_kerberos_login: "
678 "could not destroy krb5 credential cache: "
679 "%s\n", error_message(krb5_ret)));
688 /* we could have created a new credential cache with a valid tgt in it
689 * but we werent able to get or verify the service ticket for this
690 * local host and therefor didn't get the PAC, we need to remove that
691 * cache entirely now */
693 krb5_ret = ads_kdestroy(cc);
695 DEBUG(3,("winbindd_raw_kerberos_login: "
696 "could not destroy krb5 credential cache: "
697 "%s\n", error_message(krb5_ret)));
700 if (!NT_STATUS_IS_OK(remove_ccache(state->request->data.auth.user))) {
701 DEBUG(3,("winbindd_raw_kerberos_login: "
702 "could not remove ccache for user %s\n",
703 state->request->data.auth.user));
708 return NT_STATUS_NOT_SUPPORTED;
709 #endif /* HAVE_KRB5 */
712 /****************************************************************
713 ****************************************************************/
715 bool check_request_flags(uint32_t flags)
717 uint32_t flags_edata = WBFLAG_PAM_AFS_TOKEN |
718 WBFLAG_PAM_INFO3_TEXT |
719 WBFLAG_PAM_INFO3_NDR;
721 if ( ( (flags & flags_edata) == WBFLAG_PAM_AFS_TOKEN) ||
722 ( (flags & flags_edata) == WBFLAG_PAM_INFO3_NDR) ||
723 ( (flags & flags_edata) == WBFLAG_PAM_INFO3_TEXT)||
724 !(flags & flags_edata) ) {
728 DEBUG(1, ("check_request_flags: invalid request flags[0x%08X]\n",
734 /****************************************************************
735 ****************************************************************/
737 NTSTATUS append_auth_data(struct winbindd_cli_state *state,
738 struct netr_SamInfo3 *info3,
739 const char *name_domain,
740 const char *name_user)
743 uint32_t flags = state->request->flags;
745 if (flags & WBFLAG_PAM_USER_SESSION_KEY) {
746 memcpy(state->response->data.auth.user_session_key,
748 sizeof(state->response->data.auth.user_session_key)
752 if (flags & WBFLAG_PAM_LMKEY) {
753 memcpy(state->response->data.auth.first_8_lm_hash,
754 info3->base.LMSessKey.key,
755 sizeof(state->response->data.auth.first_8_lm_hash)
759 if (flags & WBFLAG_PAM_INFO3_TEXT) {
760 result = append_info3_as_txt(state->mem_ctx, state, info3);
761 if (!NT_STATUS_IS_OK(result)) {
762 DEBUG(10,("Failed to append INFO3 (TXT): %s\n",
768 /* currently, anything from here on potentially overwrites extra_data. */
770 if (flags & WBFLAG_PAM_INFO3_NDR) {
771 result = append_info3_as_ndr(state->mem_ctx, state, info3);
772 if (!NT_STATUS_IS_OK(result)) {
773 DEBUG(10,("Failed to append INFO3 (NDR): %s\n",
779 if (flags & WBFLAG_PAM_UNIX_NAME) {
780 result = append_unix_username(state->mem_ctx, state, info3,
781 name_domain, name_user);
782 if (!NT_STATUS_IS_OK(result)) {
783 DEBUG(10,("Failed to append Unix Username: %s\n",
789 if (flags & WBFLAG_PAM_AFS_TOKEN) {
790 result = append_afs_token(state->mem_ctx, state, info3,
791 name_domain, name_user);
792 if (!NT_STATUS_IS_OK(result)) {
793 DEBUG(10,("Failed to append AFS token: %s\n",
802 void winbindd_pam_auth(struct winbindd_cli_state *state)
804 struct winbindd_domain *domain;
805 fstring name_domain, name_user;
808 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
810 /* Ensure null termination */
811 state->request->data.auth.user
812 [sizeof(state->request->data.auth.user)-1]='\0';
814 /* Ensure null termination */
815 state->request->data.auth.pass
816 [sizeof(state->request->data.auth.pass)-1]='\0';
818 DEBUG(3, ("[%5lu]: pam auth %s\n", (unsigned long)state->pid,
819 state->request->data.auth.user));
821 if (!check_request_flags(state->request->flags)) {
822 result = NT_STATUS_INVALID_PARAMETER_MIX;
826 /* Parse domain and username */
828 name_map_status = normalize_name_unmap(state->mem_ctx,
829 state->request->data.auth.user,
832 /* Update the auth name if we did any mapping */
834 if (NT_STATUS_IS_OK(name_map_status) ||
835 NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
837 fstrcpy(state->request->data.auth.user, mapped);
840 if (!canonicalize_username(state->request->data.auth.user, name_domain, name_user)) {
841 result = NT_STATUS_NO_SUCH_USER;
845 domain = find_auth_domain(state->request->flags, name_domain);
847 if (domain == NULL) {
848 result = NT_STATUS_NO_SUCH_USER;
852 sendto_domain(state, domain);
855 set_auth_errors(state->response, result);
856 DEBUG(5, ("Plain text authentication for %s returned %s "
858 state->request->data.auth.user,
859 state->response->data.auth.nt_status_string,
860 state->response->data.auth.pam_error));
861 request_error(state);
864 static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
865 struct winbindd_cli_state *state,
866 struct netr_SamInfo3 **info3)
868 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
869 uint16 max_allowed_bad_attempts;
870 fstring name_domain, name_user;
872 enum lsa_SidType type;
873 uchar new_nt_pass[NT_HASH_LEN];
874 const uint8 *cached_nt_pass;
875 const uint8 *cached_salt;
876 struct netr_SamInfo3 *my_info3;
877 time_t kickoff_time, must_change_time;
878 bool password_good = false;
880 struct winbindd_tdc_domain *tdc_domain = NULL;
887 DEBUG(10,("winbindd_dual_pam_auth_cached\n"));
889 /* Parse domain and username */
891 parse_domain_user(state->request->data.auth.user, name_domain, name_user);
894 if (!lookup_cached_name(state->mem_ctx,
899 DEBUG(10,("winbindd_dual_pam_auth_cached: no such user in the cache\n"));
900 return NT_STATUS_NO_SUCH_USER;
903 if (type != SID_NAME_USER) {
904 DEBUG(10,("winbindd_dual_pam_auth_cached: not a user (%s)\n", sid_type_lookup(type)));
905 return NT_STATUS_LOGON_FAILURE;
908 result = winbindd_get_creds(domain,
914 if (!NT_STATUS_IS_OK(result)) {
915 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get creds: %s\n", nt_errstr(result)));
921 E_md4hash(state->request->data.auth.pass, new_nt_pass);
923 dump_data_pw("new_nt_pass", new_nt_pass, NT_HASH_LEN);
924 dump_data_pw("cached_nt_pass", cached_nt_pass, NT_HASH_LEN);
926 dump_data_pw("cached_salt", cached_salt, NT_HASH_LEN);
930 /* In this case we didn't store the nt_hash itself,
931 but the MD5 combination of salt + nt_hash. */
932 uchar salted_hash[NT_HASH_LEN];
933 E_md5hash(cached_salt, new_nt_pass, salted_hash);
935 password_good = (memcmp(cached_nt_pass, salted_hash,
938 /* Old cached cred - direct store of nt_hash (bad bad bad !). */
939 password_good = (memcmp(cached_nt_pass, new_nt_pass,
945 /* User *DOES* know the password, update logon_time and reset
948 my_info3->base.user_flags |= NETLOGON_CACHED_ACCOUNT;
950 if (my_info3->base.acct_flags & ACB_AUTOLOCK) {
951 return NT_STATUS_ACCOUNT_LOCKED_OUT;
954 if (my_info3->base.acct_flags & ACB_DISABLED) {
955 return NT_STATUS_ACCOUNT_DISABLED;
958 if (my_info3->base.acct_flags & ACB_WSTRUST) {
959 return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
962 if (my_info3->base.acct_flags & ACB_SVRTRUST) {
963 return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
966 if (my_info3->base.acct_flags & ACB_DOMTRUST) {
967 return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
970 if (!(my_info3->base.acct_flags & ACB_NORMAL)) {
971 DEBUG(0,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
972 my_info3->base.acct_flags));
973 return NT_STATUS_LOGON_FAILURE;
976 kickoff_time = nt_time_to_unix(my_info3->base.acct_expiry);
977 if (kickoff_time != 0 && time(NULL) > kickoff_time) {
978 return NT_STATUS_ACCOUNT_EXPIRED;
981 must_change_time = nt_time_to_unix(my_info3->base.force_password_change);
982 if (must_change_time != 0 && must_change_time < time(NULL)) {
983 /* we allow grace logons when the password has expired */
984 my_info3->base.user_flags |= NETLOGON_GRACE_LOGON;
985 /* return NT_STATUS_PASSWORD_EXPIRED; */
990 if ((state->request->flags & WBFLAG_PAM_KRB5) &&
991 ((tdc_domain = wcache_tdc_fetch_domain(state->mem_ctx, name_domain)) != NULL) &&
992 ((tdc_domain->trust_type & NETR_TRUST_TYPE_UPLEVEL) ||
993 /* used to cope with the case winbindd starting without network. */
994 !strequal(tdc_domain->domain_name, tdc_domain->dns_name))) {
997 const char *cc = NULL;
999 const char *principal_s = NULL;
1000 const char *service = NULL;
1001 bool internal_ccache = false;
1003 uid = get_uid_from_state(state);
1005 DEBUG(0,("winbindd_dual_pam_auth_cached: invalid uid\n"));
1006 return NT_STATUS_INVALID_PARAMETER;
1009 cc = generate_krb5_ccache(state->mem_ctx,
1010 state->request->data.auth.krb5_cc_type,
1011 state->request->data.auth.uid,
1014 return NT_STATUS_NO_MEMORY;
1017 realm = domain->alt_name;
1020 principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
1021 if (principal_s == NULL) {
1022 return NT_STATUS_NO_MEMORY;
1025 service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
1026 if (service == NULL) {
1027 return NT_STATUS_NO_MEMORY;
1030 if (!internal_ccache) {
1032 setup_return_cc_name(state, cc);
1034 result = add_ccache_to_list(principal_s,
1037 state->request->data.auth.user,
1038 state->request->data.auth.pass,
1042 time(NULL) + lp_winbind_cache_time(),
1043 time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
1046 if (!NT_STATUS_IS_OK(result)) {
1047 DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
1048 "to add ccache to list: %s\n",
1049 nt_errstr(result)));
1053 #endif /* HAVE_KRB5 */
1055 /* FIXME: we possibly should handle logon hours as well (does xp when
1056 * offline?) see auth/auth_sam.c:sam_account_ok for details */
1058 unix_to_nt_time(&my_info3->base.last_logon, time(NULL));
1059 my_info3->base.bad_password_count = 0;
1061 result = winbindd_update_creds_by_info3(domain,
1063 state->request->data.auth.user,
1064 state->request->data.auth.pass,
1066 if (!NT_STATUS_IS_OK(result)) {
1067 DEBUG(1,("winbindd_dual_pam_auth_cached: failed to update creds: %s\n",
1068 nt_errstr(result)));
1072 return NT_STATUS_OK;
1076 /* User does *NOT* know the correct password, modify info3 accordingly, but only if online */
1077 if (domain->online == false) {
1081 /* failure of this is not critical */
1082 result = get_max_bad_attempts_from_lockout_policy(domain, state->mem_ctx, &max_allowed_bad_attempts);
1083 if (!NT_STATUS_IS_OK(result)) {
1084 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get max_allowed_bad_attempts. "
1085 "Won't be able to honour account lockout policies\n"));
1088 /* increase counter */
1089 my_info3->base.bad_password_count++;
1091 if (max_allowed_bad_attempts == 0) {
1096 if (my_info3->base.bad_password_count >= max_allowed_bad_attempts) {
1098 uint32 password_properties;
1100 result = get_pwd_properties(domain, state->mem_ctx, &password_properties);
1101 if (!NT_STATUS_IS_OK(result)) {
1102 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
1105 if ((my_info3->base.rid != DOMAIN_USER_RID_ADMIN) ||
1106 (password_properties & DOMAIN_PASSWORD_LOCKOUT_ADMINS)) {
1107 my_info3->base.acct_flags |= ACB_AUTOLOCK;
1112 result = winbindd_update_creds_by_info3(domain,
1114 state->request->data.auth.user,
1118 if (!NT_STATUS_IS_OK(result)) {
1119 DEBUG(0,("winbindd_dual_pam_auth_cached: failed to update creds %s\n",
1120 nt_errstr(result)));
1123 return NT_STATUS_LOGON_FAILURE;
1126 static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
1127 struct winbindd_cli_state *state,
1128 struct netr_SamInfo3 **info3)
1130 struct winbindd_domain *contact_domain;
1131 fstring name_domain, name_user;
1134 DEBUG(10,("winbindd_dual_pam_auth_kerberos\n"));
1136 /* Parse domain and username */
1138 parse_domain_user(state->request->data.auth.user, name_domain, name_user);
1140 /* what domain should we contact? */
1143 if (!(contact_domain = find_domain_from_name(name_domain))) {
1144 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1145 state->request->data.auth.user, name_domain, name_user, name_domain));
1146 result = NT_STATUS_NO_SUCH_USER;
1151 if (is_myname(name_domain)) {
1152 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1153 result = NT_STATUS_NO_SUCH_USER;
1157 contact_domain = find_domain_from_name(name_domain);
1158 if (contact_domain == NULL) {
1159 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1160 state->request->data.auth.user, name_domain, name_user, name_domain));
1162 contact_domain = find_our_domain();
1166 if (contact_domain->initialized &&
1167 contact_domain->active_directory) {
1171 if (!contact_domain->initialized) {
1172 init_dc_connection(contact_domain);
1175 if (!contact_domain->active_directory) {
1176 DEBUG(3,("krb5 auth requested but domain is not Active Directory\n"));
1177 return NT_STATUS_INVALID_LOGON_TYPE;
1180 result = winbindd_raw_kerberos_login(contact_domain, state, info3);
1185 typedef NTSTATUS (*netlogon_fn_t)(struct rpc_pipe_client *cli,
1186 TALLOC_CTX *mem_ctx,
1187 uint32 logon_parameters,
1189 const char *username,
1191 const char *workstation,
1192 const uint8 chal[8],
1193 uint16_t validation_level,
1194 DATA_BLOB lm_response,
1195 DATA_BLOB nt_response,
1196 struct netr_SamInfo3 **info3);
1198 static NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
1199 struct winbindd_cli_state *state,
1200 struct netr_SamInfo3 **info3)
1203 struct rpc_pipe_client *netlogon_pipe;
1208 unsigned char local_lm_response[24];
1209 unsigned char local_nt_response[24];
1210 struct winbindd_domain *contact_domain;
1211 fstring name_domain, name_user;
1214 struct netr_SamInfo3 *my_info3 = NULL;
1218 DEBUG(10,("winbindd_dual_pam_auth_samlogon\n"));
1220 /* Parse domain and username */
1222 parse_domain_user(state->request->data.auth.user, name_domain, name_user);
1224 /* do password magic */
1227 generate_random_buffer(chal, 8);
1228 if (lp_client_ntlmv2_auth()) {
1229 DATA_BLOB server_chal;
1230 DATA_BLOB names_blob;
1231 DATA_BLOB nt_response;
1232 DATA_BLOB lm_response;
1233 server_chal = data_blob_talloc(state->mem_ctx, chal, 8);
1235 /* note that the 'workgroup' here is a best guess - we don't know
1236 the server's domain at this point. The 'server name' is also
1239 names_blob = NTLMv2_generate_names_blob(state->mem_ctx, global_myname(), lp_workgroup());
1241 if (!SMBNTLMv2encrypt(NULL, name_user, name_domain,
1242 state->request->data.auth.pass,
1245 &lm_response, &nt_response, NULL, NULL)) {
1246 data_blob_free(&names_blob);
1247 data_blob_free(&server_chal);
1248 DEBUG(0, ("winbindd_pam_auth: SMBNTLMv2encrypt() failed!\n"));
1249 result = NT_STATUS_NO_MEMORY;
1252 data_blob_free(&names_blob);
1253 data_blob_free(&server_chal);
1254 lm_resp = data_blob_talloc(state->mem_ctx, lm_response.data,
1255 lm_response.length);
1256 nt_resp = data_blob_talloc(state->mem_ctx, nt_response.data,
1257 nt_response.length);
1258 data_blob_free(&lm_response);
1259 data_blob_free(&nt_response);
1262 if (lp_client_lanman_auth()
1263 && SMBencrypt(state->request->data.auth.pass,
1265 local_lm_response)) {
1266 lm_resp = data_blob_talloc(state->mem_ctx,
1268 sizeof(local_lm_response));
1270 lm_resp = data_blob_null;
1272 SMBNTencrypt(state->request->data.auth.pass,
1276 nt_resp = data_blob_talloc(state->mem_ctx,
1278 sizeof(local_nt_response));
1281 /* what domain should we contact? */
1284 if (!(contact_domain = find_domain_from_name(name_domain))) {
1285 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1286 state->request->data.auth.user, name_domain, name_user, name_domain));
1287 result = NT_STATUS_NO_SUCH_USER;
1292 if (is_myname(name_domain)) {
1293 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1294 result = NT_STATUS_NO_SUCH_USER;
1298 contact_domain = find_our_domain();
1301 /* check authentication loop */
1304 netlogon_fn_t logon_fn;
1305 const struct cli_pipe_auth_data *auth;
1306 uint32_t neg_flags = 0;
1308 ZERO_STRUCTP(my_info3);
1311 result = cm_connect_netlogon(contact_domain, &netlogon_pipe);
1313 if (!NT_STATUS_IS_OK(result)) {
1314 DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
1317 auth = netlogon_pipe->auth;
1318 if (netlogon_pipe->dc) {
1319 neg_flags = netlogon_pipe->dc->negotiate_flags;
1322 /* It is really important to try SamLogonEx here,
1323 * because in a clustered environment, we want to use
1324 * one machine account from multiple physical
1327 * With a normal SamLogon call, we must keep the
1328 * credentials chain updated and intact between all
1329 * users of the machine account (which would imply
1330 * cross-node communication for every NTLM logon).
1332 * (The credentials chain is not per NETLOGON pipe
1333 * connection, but globally on the server/client pair
1336 * When using SamLogonEx, the credentials are not
1337 * supplied, but the session key is implied by the
1338 * wrapping SamLogon context.
1340 * -- abartlet 21 April 2008
1342 * It's also important to use NetlogonValidationSamInfo4 (6),
1343 * because it relies on the rpc transport encryption
1344 * and avoids using the global netlogon schannel
1345 * session key to en/decrypt secret information
1346 * like the user_session_key for network logons.
1348 * [MS-APDS] 3.1.5.2 NTLM Network Logon
1349 * says NETLOGON_NEG_CROSS_FOREST_TRUSTS and
1350 * NETLOGON_NEG_AUTHENTICATED_RPC set together
1351 * are the indication that the server supports
1352 * NetlogonValidationSamInfo4 (6). And must only
1353 * be used if "SealSecureChannel" is used.
1355 * -- metze 4 February 2011
1359 domain->can_do_validation6 = false;
1360 } else if (auth->auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1361 domain->can_do_validation6 = false;
1362 } else if (auth->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
1363 domain->can_do_validation6 = false;
1364 } else if (!(neg_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
1365 domain->can_do_validation6 = false;
1366 } else if (!(neg_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
1367 domain->can_do_validation6 = false;
1370 logon_fn = (contact_domain->can_do_samlogon_ex && domain->can_do_validation6)
1371 ? rpccli_netlogon_sam_network_logon_ex
1372 : rpccli_netlogon_sam_network_logon;
1374 result = logon_fn(netlogon_pipe,
1377 contact_domain->dcname, /* server name */
1378 name_user, /* user name */
1379 name_domain, /* target domain */
1380 global_myname(), /* workstation */
1382 domain->can_do_validation6 ? 6 : 3,
1387 if (NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR) {
1390 * It's likely that the server also does not support
1391 * validation level 6
1393 domain->can_do_validation6 = false;
1395 if (contact_domain->can_do_samlogon_ex) {
1396 DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
1397 "retrying with NetSamLogon\n"));
1398 contact_domain->can_do_samlogon_ex = false;
1403 /* Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
1404 * (no Ex). This happens against old Samba
1405 * DCs. Drop the connection.
1407 invalidate_cm_connection(&contact_domain->conn);
1408 result = NT_STATUS_LOGON_FAILURE;
1412 if (domain->can_do_validation6 &&
1413 (NT_STATUS_EQUAL(result, NT_STATUS_INVALID_INFO_CLASS) ||
1414 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PARAMETER) ||
1415 NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL))) {
1416 DEBUG(3,("Got a DC that can not do validation level 6, "
1417 "retrying with level 3\n"));
1418 domain->can_do_validation6 = false;
1424 * we increment this after the "feature negotiation"
1425 * for can_do_samlogon_ex and can_do_validation6
1429 /* We have to try a second time as cm_connect_netlogon
1430 might not yet have noticed that the DC has killed
1433 if (!rpccli_is_connected(netlogon_pipe)) {
1438 /* if we get access denied, a possible cause was that we had
1439 and open connection to the DC, but someone changed our
1440 machine account password out from underneath us using 'net
1441 rpc changetrustpw' */
1443 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1444 DEBUG(3,("winbindd_pam_auth: sam_logon returned "
1445 "ACCESS_DENIED. Maybe the trust account "
1446 "password was changed and we didn't know it. "
1447 "Killing connections to domain %s\n",
1449 invalidate_cm_connection(&contact_domain->conn);
1453 } while ( (attempts < 2) && retry );
1455 /* handle the case where a NT4 DC does not fill in the acct_flags in
1456 * the samlogon reply info3. When accurate info3 is required by the
1457 * caller, we look up the account flags ourselve - gd */
1459 if ((state->request->flags & WBFLAG_PAM_INFO3_TEXT) &&
1460 NT_STATUS_IS_OK(result) && (my_info3->base.acct_flags == 0)) {
1462 struct rpc_pipe_client *samr_pipe;
1463 struct policy_handle samr_domain_handle, user_pol;
1464 union samr_UserInfo *info = NULL;
1465 NTSTATUS status_tmp;
1468 status_tmp = cm_connect_sam(contact_domain, state->mem_ctx,
1469 &samr_pipe, &samr_domain_handle);
1471 if (!NT_STATUS_IS_OK(status_tmp)) {
1472 DEBUG(3, ("could not open handle to SAMR pipe: %s\n",
1473 nt_errstr(status_tmp)));
1477 status_tmp = rpccli_samr_OpenUser(samr_pipe, state->mem_ctx,
1478 &samr_domain_handle,
1479 MAXIMUM_ALLOWED_ACCESS,
1483 if (!NT_STATUS_IS_OK(status_tmp)) {
1484 DEBUG(3, ("could not open user handle on SAMR pipe: %s\n",
1485 nt_errstr(status_tmp)));
1489 status_tmp = rpccli_samr_QueryUserInfo(samr_pipe, state->mem_ctx,
1494 if (!NT_STATUS_IS_OK(status_tmp)) {
1495 DEBUG(3, ("could not query user info on SAMR pipe: %s\n",
1496 nt_errstr(status_tmp)));
1497 rpccli_samr_Close(samr_pipe, state->mem_ctx, &user_pol);
1501 acct_flags = info->info16.acct_flags;
1503 if (acct_flags == 0) {
1504 rpccli_samr_Close(samr_pipe, state->mem_ctx, &user_pol);
1508 my_info3->base.acct_flags = acct_flags;
1510 DEBUG(10,("successfully retrieved acct_flags 0x%x\n", acct_flags));
1512 rpccli_samr_Close(samr_pipe, state->mem_ctx, &user_pol);
1520 enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
1521 struct winbindd_cli_state *state)
1523 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
1524 NTSTATUS krb5_result = NT_STATUS_OK;
1525 fstring name_domain, name_user;
1527 fstring domain_user;
1528 struct netr_SamInfo3 *info3 = NULL;
1529 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
1531 /* Ensure null termination */
1532 state->request->data.auth.user[sizeof(state->request->data.auth.user)-1]='\0';
1534 /* Ensure null termination */
1535 state->request->data.auth.pass[sizeof(state->request->data.auth.pass)-1]='\0';
1537 DEBUG(3, ("[%5lu]: dual pam auth %s\n", (unsigned long)state->pid,
1538 state->request->data.auth.user));
1540 if (!check_request_flags(state->request->flags)) {
1541 result = NT_STATUS_INVALID_PARAMETER_MIX;
1545 /* Parse domain and username */
1547 name_map_status = normalize_name_unmap(state->mem_ctx,
1548 state->request->data.auth.user,
1551 /* If the name normalization didnt' actually do anything,
1552 just use the original name */
1554 if (!NT_STATUS_IS_OK(name_map_status) &&
1555 !NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
1557 mapped_user = state->request->data.auth.user;
1560 parse_domain_user(mapped_user, name_domain, name_user);
1562 if ( mapped_user != state->request->data.auth.user ) {
1563 fstr_sprintf( domain_user, "%s%c%s", name_domain,
1564 *lp_winbind_separator(),
1566 safe_strcpy( state->request->data.auth.user, domain_user,
1567 sizeof(state->request->data.auth.user)-1 );
1570 if (domain->online == false) {
1571 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1572 if (domain->startup) {
1573 /* Logons are very important to users. If we're offline and
1574 we get a request within the first 30 seconds of startup,
1575 try very hard to find a DC and go online. */
1577 DEBUG(10,("winbindd_dual_pam_auth: domain: %s offline and auth "
1578 "request in startup mode.\n", domain->name ));
1580 winbindd_flush_negative_conn_cache(domain);
1581 result = init_dc_connection(domain);
1585 DEBUG(10,("winbindd_dual_pam_auth: domain: %s last was %s\n", domain->name, domain->online ? "online":"offline"));
1587 /* Check for Kerberos authentication */
1588 if (domain->online && (state->request->flags & WBFLAG_PAM_KRB5)) {
1590 result = winbindd_dual_pam_auth_kerberos(domain, state, &info3);
1591 /* save for later */
1592 krb5_result = result;
1595 if (NT_STATUS_IS_OK(result)) {
1596 DEBUG(10,("winbindd_dual_pam_auth_kerberos succeeded\n"));
1597 goto process_result;
1599 DEBUG(10,("winbindd_dual_pam_auth_kerberos failed: %s\n", nt_errstr(result)));
1602 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
1603 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
1604 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1605 DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
1606 set_domain_offline( domain );
1610 /* there are quite some NT_STATUS errors where there is no
1611 * point in retrying with a samlogon, we explictly have to take
1612 * care not to increase the bad logon counter on the DC */
1614 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_DISABLED) ||
1615 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_EXPIRED) ||
1616 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_LOCKED_OUT) ||
1617 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_LOGON_HOURS) ||
1618 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_WORKSTATION) ||
1619 NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE) ||
1620 NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER) ||
1621 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_EXPIRED) ||
1622 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE) ||
1623 NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD)) {
1624 goto process_result;
1627 if (state->request->flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
1628 DEBUG(3,("falling back to samlogon\n"));
1636 /* Check for Samlogon authentication */
1637 if (domain->online) {
1638 result = winbindd_dual_pam_auth_samlogon(domain, state, &info3);
1640 if (NT_STATUS_IS_OK(result)) {
1641 DEBUG(10,("winbindd_dual_pam_auth_samlogon succeeded\n"));
1642 /* add the Krb5 err if we have one */
1643 if ( NT_STATUS_EQUAL(krb5_result, NT_STATUS_TIME_DIFFERENCE_AT_DC ) ) {
1644 info3->base.user_flags |= LOGON_KRB5_FAIL_CLOCK_SKEW;
1646 goto process_result;
1649 DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n",
1650 nt_errstr(result)));
1652 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
1653 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
1654 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND))
1656 DEBUG(10,("winbindd_dual_pam_auth_samlogon setting domain to offline\n"));
1657 set_domain_offline( domain );
1661 if (domain->online) {
1662 /* We're still online - fail. */
1668 /* Check for Cached logons */
1669 if (!domain->online && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN) &&
1670 lp_winbind_offline_logon()) {
1672 result = winbindd_dual_pam_auth_cached(domain, state, &info3);
1674 if (NT_STATUS_IS_OK(result)) {
1675 DEBUG(10,("winbindd_dual_pam_auth_cached succeeded\n"));
1676 goto process_result;
1678 DEBUG(10,("winbindd_dual_pam_auth_cached failed: %s\n", nt_errstr(result)));
1685 if (NT_STATUS_IS_OK(result)) {
1689 /* In all codepaths where result == NT_STATUS_OK info3 must have
1690 been initialized. */
1692 result = NT_STATUS_INTERNAL_ERROR;
1696 wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
1697 netsamlogon_cache_store(name_user, info3);
1699 /* save name_to_sid info as early as possible (only if
1700 this is our primary domain so we don't invalidate
1701 the cache entry by storing the seq_num for the wrong
1703 if ( domain->primary ) {
1704 sid_compose(&user_sid, info3->base.domain_sid,
1706 cache_name2sid(domain, name_domain, name_user,
1707 SID_NAME_USER, &user_sid);
1710 /* Check if the user is in the right group */
1712 result = check_info3_in_group(
1714 state->request->data.auth.require_membership_of_sid);
1715 if (!NT_STATUS_IS_OK(result)) {
1716 DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
1717 state->request->data.auth.user,
1718 state->request->data.auth.require_membership_of_sid));
1722 result = append_auth_data(state, info3, name_domain,
1724 if (!NT_STATUS_IS_OK(result)) {
1728 if ((state->request->flags & WBFLAG_PAM_CACHED_LOGIN)) {
1730 /* Store in-memory creds for single-signon using ntlm_auth. */
1731 result = winbindd_add_memory_creds(state->request->data.auth.user,
1732 get_uid_from_state(state),
1733 state->request->data.auth.pass);
1735 if (!NT_STATUS_IS_OK(result)) {
1736 DEBUG(10,("Failed to store memory creds: %s\n", nt_errstr(result)));
1740 if (lp_winbind_offline_logon()) {
1741 result = winbindd_store_creds(domain,
1743 state->request->data.auth.user,
1744 state->request->data.auth.pass,
1746 if (!NT_STATUS_IS_OK(result)) {
1748 /* Release refcount. */
1749 winbindd_delete_memory_creds(state->request->data.auth.user);
1751 DEBUG(10,("Failed to store creds: %s\n", nt_errstr(result)));
1758 if (state->request->flags & WBFLAG_PAM_GET_PWD_POLICY) {
1759 struct winbindd_domain *our_domain = find_our_domain();
1761 /* This is not entirely correct I believe, but it is
1762 consistent. Only apply the password policy settings
1763 too warn users for our own domain. Cannot obtain these
1764 from trusted DCs all the time so don't do it at all.
1767 result = NT_STATUS_NOT_SUPPORTED;
1768 if (our_domain == domain ) {
1769 result = fillup_password_policy(our_domain, state);
1772 if (!NT_STATUS_IS_OK(result)
1773 && !NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) )
1775 DEBUG(10,("Failed to get password policies for domain %s: %s\n",
1776 domain->name, nt_errstr(result)));
1781 result = NT_STATUS_OK;
1785 /* give us a more useful (more correct?) error code */
1786 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
1787 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
1788 result = NT_STATUS_NO_LOGON_SERVERS;
1791 set_auth_errors(state->response, result);
1793 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
1794 state->request->data.auth.user,
1795 state->response->data.auth.nt_status_string,
1796 state->response->data.auth.pam_error));
1798 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1802 /**********************************************************************
1803 Challenge Response Authentication Protocol
1804 **********************************************************************/
1806 void winbindd_pam_auth_crap(struct winbindd_cli_state *state)
1808 struct winbindd_domain *domain = NULL;
1809 const char *domain_name = NULL;
1812 if (!check_request_flags(state->request->flags)) {
1813 result = NT_STATUS_INVALID_PARAMETER_MIX;
1817 if (!state->privileged) {
1818 DEBUG(2, ("winbindd_pam_auth_crap: non-privileged access "
1820 DEBUGADD(2, ("winbindd_pam_auth_crap: Ensure permissions "
1821 "on %s are set correctly.\n",
1822 get_winbind_priv_pipe_dir()));
1823 /* send a better message than ACCESS_DENIED */
1824 fstr_sprintf(state->response->data.auth.error_string,
1825 "winbind client not authorized to use "
1826 "winbindd_pam_auth_crap. Ensure permissions on "
1827 "%s are set correctly.",
1828 get_winbind_priv_pipe_dir());
1829 result = NT_STATUS_ACCESS_DENIED;
1833 /* Ensure null termination */
1834 state->request->data.auth_crap.user
1835 [sizeof(state->request->data.auth_crap.user)-1]=0;
1836 state->request->data.auth_crap.domain
1837 [sizeof(state->request->data.auth_crap.domain)-1]=0;
1839 DEBUG(3, ("[%5lu]: pam auth crap domain: [%s] user: %s\n",
1840 (unsigned long)state->pid,
1841 state->request->data.auth_crap.domain,
1842 state->request->data.auth_crap.user));
1844 if (*state->request->data.auth_crap.domain != '\0') {
1845 domain_name = state->request->data.auth_crap.domain;
1846 } else if (lp_winbind_use_default_domain()) {
1847 domain_name = lp_workgroup();
1850 if (domain_name != NULL)
1851 domain = find_auth_domain(state->request->flags, domain_name);
1853 if (domain != NULL) {
1854 sendto_domain(state, domain);
1858 result = NT_STATUS_NO_SUCH_USER;
1861 set_auth_errors(state->response, result);
1862 DEBUG(5, ("CRAP authentication for %s\\%s returned %s (PAM: %d)\n",
1863 state->request->data.auth_crap.domain,
1864 state->request->data.auth_crap.user,
1865 state->response->data.auth.nt_status_string,
1866 state->response->data.auth.pam_error));
1867 request_error(state);
1872 enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
1873 struct winbindd_cli_state *state)
1876 struct netr_SamInfo3 *info3 = NULL;
1877 struct rpc_pipe_client *netlogon_pipe;
1878 const char *name_user = NULL;
1879 const char *name_domain = NULL;
1880 const char *workstation;
1881 struct winbindd_domain *contact_domain;
1885 DATA_BLOB lm_resp, nt_resp;
1887 /* This is child-only, so no check for privileged access is needed
1890 /* Ensure null termination */
1891 state->request->data.auth_crap.user[sizeof(state->request->data.auth_crap.user)-1]=0;
1892 state->request->data.auth_crap.domain[sizeof(state->request->data.auth_crap.domain)-1]=0;
1894 if (!check_request_flags(state->request->flags)) {
1895 result = NT_STATUS_INVALID_PARAMETER_MIX;
1899 name_user = state->request->data.auth_crap.user;
1901 if (*state->request->data.auth_crap.domain) {
1902 name_domain = state->request->data.auth_crap.domain;
1903 } else if (lp_winbind_use_default_domain()) {
1904 name_domain = lp_workgroup();
1906 DEBUG(5,("no domain specified with username (%s) - failing auth\n",
1908 result = NT_STATUS_NO_SUCH_USER;
1912 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
1913 name_domain, name_user));
1915 if (*state->request->data.auth_crap.workstation) {
1916 workstation = state->request->data.auth_crap.workstation;
1918 workstation = global_myname();
1921 if (state->request->data.auth_crap.lm_resp_len > sizeof(state->request->data.auth_crap.lm_resp)
1922 || state->request->data.auth_crap.nt_resp_len > sizeof(state->request->data.auth_crap.nt_resp)) {
1923 if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
1924 state->request->extra_len != state->request->data.auth_crap.nt_resp_len) {
1925 DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
1926 state->request->data.auth_crap.lm_resp_len,
1927 state->request->data.auth_crap.nt_resp_len));
1928 result = NT_STATUS_INVALID_PARAMETER;
1933 lm_resp = data_blob_talloc(state->mem_ctx, state->request->data.auth_crap.lm_resp,
1934 state->request->data.auth_crap.lm_resp_len);
1936 if (state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) {
1937 nt_resp = data_blob_talloc(state->mem_ctx,
1938 state->request->extra_data.data,
1939 state->request->data.auth_crap.nt_resp_len);
1941 nt_resp = data_blob_talloc(state->mem_ctx,
1942 state->request->data.auth_crap.nt_resp,
1943 state->request->data.auth_crap.nt_resp_len);
1946 /* what domain should we contact? */
1949 if (!(contact_domain = find_domain_from_name(name_domain))) {
1950 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1951 state->request->data.auth_crap.user, name_domain, name_user, name_domain));
1952 result = NT_STATUS_NO_SUCH_USER;
1956 if (is_myname(name_domain)) {
1957 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1958 result = NT_STATUS_NO_SUCH_USER;
1961 contact_domain = find_our_domain();
1965 netlogon_fn_t logon_fn;
1966 const struct cli_pipe_auth_data *auth;
1967 uint32_t neg_flags = 0;
1971 netlogon_pipe = NULL;
1972 result = cm_connect_netlogon(contact_domain, &netlogon_pipe);
1974 if (!NT_STATUS_IS_OK(result)) {
1975 DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n",
1976 nt_errstr(result)));
1979 auth = netlogon_pipe->auth;
1980 if (netlogon_pipe->dc) {
1981 neg_flags = netlogon_pipe->dc->negotiate_flags;
1985 domain->can_do_validation6 = false;
1986 } else if (auth->auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1987 domain->can_do_validation6 = false;
1988 } else if (auth->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
1989 domain->can_do_validation6 = false;
1990 } else if (!(neg_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
1991 domain->can_do_validation6 = false;
1992 } else if (!(neg_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
1993 domain->can_do_validation6 = false;
1996 logon_fn = (contact_domain->can_do_samlogon_ex && domain->can_do_validation6)
1997 ? rpccli_netlogon_sam_network_logon_ex
1998 : rpccli_netlogon_sam_network_logon;
2000 result = logon_fn(netlogon_pipe,
2002 state->request->data.auth_crap.logon_parameters,
2003 contact_domain->dcname,
2006 /* Bug #3248 - found by Stefan Burkei. */
2007 workstation, /* We carefully set this above so use it... */
2008 state->request->data.auth_crap.chal,
2009 domain->can_do_validation6 ? 6 : 3,
2014 if (NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR) {
2017 * It's likely that the server also does not support
2018 * validation level 6
2020 domain->can_do_validation6 = false;
2022 if (contact_domain->can_do_samlogon_ex) {
2023 DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
2024 "retrying with NetSamLogon\n"));
2025 contact_domain->can_do_samlogon_ex = false;
2030 /* Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
2031 * (no Ex). This happens against old Samba
2032 * DCs. Drop the connection.
2034 invalidate_cm_connection(&contact_domain->conn);
2035 result = NT_STATUS_LOGON_FAILURE;
2039 if (domain->can_do_validation6 &&
2040 (NT_STATUS_EQUAL(result, NT_STATUS_INVALID_INFO_CLASS) ||
2041 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PARAMETER) ||
2042 NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL))) {
2043 DEBUG(3,("Got a DC that can not do validation level 6, "
2044 "retrying with level 3\n"));
2045 domain->can_do_validation6 = false;
2051 * we increment this after the "feature negotiation"
2052 * for can_do_samlogon_ex and can_do_validation6
2056 /* We have to try a second time as cm_connect_netlogon
2057 might not yet have noticed that the DC has killed
2060 if (!rpccli_is_connected(netlogon_pipe)) {
2065 /* if we get access denied, a possible cause was that we had and open
2066 connection to the DC, but someone changed our machine account password
2067 out from underneath us using 'net rpc changetrustpw' */
2069 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
2070 DEBUG(3,("winbindd_pam_auth: sam_logon returned "
2071 "ACCESS_DENIED. Maybe the trust account "
2072 "password was changed and we didn't know it. "
2073 "Killing connections to domain %s\n",
2075 invalidate_cm_connection(&contact_domain->conn);
2079 } while ( (attempts < 2) && retry );
2081 if (NT_STATUS_IS_OK(result)) {
2083 wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
2084 netsamlogon_cache_store(name_user, info3);
2086 /* Check if the user is in the right group */
2088 result = check_info3_in_group(
2090 state->request->data.auth_crap.require_membership_of_sid);
2091 if (!NT_STATUS_IS_OK(result)) {
2092 DEBUG(3, ("User %s is not in the required group (%s), so "
2093 "crap authentication is rejected\n",
2094 state->request->data.auth_crap.user,
2095 state->request->data.auth_crap.require_membership_of_sid));
2099 result = append_auth_data(state, info3, name_domain,
2101 if (!NT_STATUS_IS_OK(result)) {
2108 if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) {
2109 DEBUG(3,("winbindd_dual_pam_auth_crap: sam_network_logon(ex) "
2110 "returned NT_STATUS_IO_TIMEOUT after the retry."
2111 "We didn't know what's going on killing "
2112 "connections to domain %s\n",
2114 invalidate_cm_connection(&contact_domain->conn);
2117 /* give us a more useful (more correct?) error code */
2118 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
2119 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
2120 result = NT_STATUS_NO_LOGON_SERVERS;
2123 if (state->request->flags & WBFLAG_PAM_NT_STATUS_SQUASH) {
2124 result = nt_status_squash(result);
2127 set_auth_errors(state->response, result);
2129 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2130 ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n",
2133 state->response->data.auth.nt_status_string,
2134 state->response->data.auth.pam_error));
2136 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2139 /* Change a user password */
2141 void winbindd_pam_chauthtok(struct winbindd_cli_state *state)
2143 fstring domain, user;
2145 struct winbindd_domain *contact_domain;
2146 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
2148 DEBUG(3, ("[%5lu]: pam chauthtok %s\n", (unsigned long)state->pid,
2149 state->request->data.chauthtok.user));
2153 nt_status = normalize_name_unmap(state->mem_ctx,
2154 state->request->data.chauthtok.user,
2157 /* Update the chauthtok name if we did any mapping */
2159 if (NT_STATUS_IS_OK(nt_status) ||
2160 NT_STATUS_EQUAL(nt_status, NT_STATUS_FILE_RENAMED))
2162 fstrcpy(state->request->data.chauthtok.user, mapped_user);
2165 /* Must pass in state->...chauthtok.user because
2166 canonicalize_username() assumes an fstring(). Since
2167 we have already copied it (if necessary), this is ok. */
2169 if (!canonicalize_username(state->request->data.chauthtok.user, domain, user)) {
2170 set_auth_errors(state->response, NT_STATUS_NO_SUCH_USER);
2171 DEBUG(5, ("winbindd_pam_chauthtok: canonicalize_username %s failed with %s"
2173 state->request->data.auth.user,
2174 state->response->data.auth.nt_status_string,
2175 state->response->data.auth.pam_error));
2176 request_error(state);
2180 contact_domain = find_domain_from_name(domain);
2181 if (!contact_domain) {
2182 set_auth_errors(state->response, NT_STATUS_NO_SUCH_USER);
2183 DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
2184 state->request->data.chauthtok.user, domain, user, domain));
2185 request_error(state);
2189 sendto_domain(state, contact_domain);
2192 enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact_domain,
2193 struct winbindd_cli_state *state)
2196 char *newpass = NULL;
2197 struct policy_handle dom_pol;
2198 struct rpc_pipe_client *cli;
2199 bool got_info = false;
2200 struct samr_DomInfo1 *info = NULL;
2201 struct samr_ChangeReject *reject = NULL;
2202 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2203 fstring domain, user;
2205 DEBUG(3, ("[%5lu]: dual pam chauthtok %s\n", (unsigned long)state->pid,
2206 state->request->data.auth.user));
2208 if (!parse_domain_user(state->request->data.chauthtok.user, domain, user)) {
2212 /* Change password */
2214 oldpass = state->request->data.chauthtok.oldpass;
2215 newpass = state->request->data.chauthtok.newpass;
2217 /* Initialize reject reason */
2218 state->response->data.auth.reject_reason = Undefined;
2220 /* Get sam handle */
2222 result = cm_connect_sam(contact_domain, state->mem_ctx, &cli,
2224 if (!NT_STATUS_IS_OK(result)) {
2225 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
2229 result = rpccli_samr_chgpasswd_user3(cli, state->mem_ctx,
2236 /* Windows 2003 returns NT_STATUS_PASSWORD_RESTRICTION */
2238 if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) ) {
2240 fill_in_password_policy(state->response, info);
2242 state->response->data.auth.reject_reason =
2248 /* atm the pidl generated rpccli_samr_ChangePasswordUser3 function will
2249 * return with NT_STATUS_BUFFER_TOO_SMALL for w2k dcs as w2k just
2250 * returns with 4byte error code (NT_STATUS_NOT_SUPPORTED) which is too
2251 * short to comply with the samr_ChangePasswordUser3 idl - gd */
2253 /* only fallback when the chgpasswd_user3 call is not supported */
2254 if ((NT_STATUS_EQUAL(result, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR))) ||
2255 (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) ||
2256 (NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL)) ||
2257 (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED))) {
2259 DEBUG(10,("Password change with chgpasswd_user3 failed with: %s, retrying chgpasswd_user2\n",
2260 nt_errstr(result)));
2262 result = rpccli_samr_chgpasswd_user2(cli, state->mem_ctx, user, newpass, oldpass);
2264 /* Windows 2000 returns NT_STATUS_ACCOUNT_RESTRICTION.
2265 Map to the same status code as Windows 2003. */
2267 if ( NT_STATUS_EQUAL(NT_STATUS_ACCOUNT_RESTRICTION, result ) ) {
2268 result = NT_STATUS_PASSWORD_RESTRICTION;
2274 if (NT_STATUS_IS_OK(result) && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN)) {
2276 /* Update the single sign-on memory creds. */
2277 result = winbindd_replace_memory_creds(state->request->data.chauthtok.user,
2280 /* When we login from gdm or xdm and password expires,
2281 * we change password, but there are no memory crendentials
2282 * So, winbindd_replace_memory_creds() returns
2283 * NT_STATUS_OBJECT_NAME_NOT_FOUND. This is not a failure.
2286 if (NT_STATUS_EQUAL(result, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
2287 result = NT_STATUS_OK;
2290 if (!NT_STATUS_IS_OK(result)) {
2291 DEBUG(10,("Failed to replace memory creds: %s\n", nt_errstr(result)));
2292 goto process_result;
2295 if (lp_winbind_offline_logon()) {
2296 result = winbindd_update_creds_by_name(contact_domain,
2297 state->mem_ctx, user,
2299 /* Again, this happens when we login from gdm or xdm
2300 * and the password expires, *BUT* cached crendentials
2301 * doesn't exist. winbindd_update_creds_by_name()
2302 * returns NT_STATUS_NO_SUCH_USER.
2303 * This is not a failure.
2306 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
2307 result = NT_STATUS_OK;
2310 if (!NT_STATUS_IS_OK(result)) {
2311 DEBUG(10,("Failed to store creds: %s\n", nt_errstr(result)));
2312 goto process_result;
2317 if (!NT_STATUS_IS_OK(result) && !got_info && contact_domain) {
2319 NTSTATUS policy_ret;
2321 policy_ret = fillup_password_policy(contact_domain, state);
2323 /* failure of this is non critical, it will just provide no
2324 * additional information to the client why the change has
2325 * failed - Guenther */
2327 if (!NT_STATUS_IS_OK(policy_ret)) {
2328 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(policy_ret)));
2329 goto process_result;
2335 set_auth_errors(state->response, result);
2337 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2338 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2341 state->response->data.auth.nt_status_string,
2342 state->response->data.auth.pam_error));
2344 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2347 void winbindd_pam_logoff(struct winbindd_cli_state *state)
2349 struct winbindd_domain *domain;
2350 fstring name_domain, user;
2351 uid_t caller_uid = (uid_t)-1;
2352 uid_t request_uid = state->request->data.logoff.uid;
2354 DEBUG(3, ("[%5lu]: pam logoff %s\n", (unsigned long)state->pid,
2355 state->request->data.logoff.user));
2357 /* Ensure null termination */
2358 state->request->data.logoff.user
2359 [sizeof(state->request->data.logoff.user)-1]='\0';
2361 state->request->data.logoff.krb5ccname
2362 [sizeof(state->request->data.logoff.krb5ccname)-1]='\0';
2364 if (request_uid == (gid_t)-1) {
2368 if (!canonicalize_username(state->request->data.logoff.user, name_domain, user)) {
2372 if ((domain = find_auth_domain(state->request->flags,
2373 name_domain)) == NULL) {
2377 if ((sys_getpeereid(state->sock, &caller_uid)) != 0) {
2378 DEBUG(1,("winbindd_pam_logoff: failed to check peerid: %s\n",
2383 switch (caller_uid) {
2387 /* root must be able to logoff any user - gd */
2388 state->request->data.logoff.uid = request_uid;
2391 if (caller_uid != request_uid) {
2392 DEBUG(1,("winbindd_pam_logoff: caller requested invalid uid\n"));
2395 state->request->data.logoff.uid = caller_uid;
2399 sendto_domain(state, domain);
2403 set_auth_errors(state->response, NT_STATUS_NO_SUCH_USER);
2404 DEBUG(5, ("Pam Logoff for %s returned %s "
2406 state->request->data.logoff.user,
2407 state->response->data.auth.nt_status_string,
2408 state->response->data.auth.pam_error));
2409 request_error(state);
2413 enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
2414 struct winbindd_cli_state *state)
2416 NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
2418 DEBUG(3, ("[%5lu]: pam dual logoff %s\n", (unsigned long)state->pid,
2419 state->request->data.logoff.user));
2421 if (!(state->request->flags & WBFLAG_PAM_KRB5)) {
2422 result = NT_STATUS_OK;
2423 goto process_result;
2426 if (state->request->data.logoff.krb5ccname[0] == '\0') {
2427 result = NT_STATUS_OK;
2428 goto process_result;
2433 if (state->request->data.logoff.uid < 0) {
2434 DEBUG(0,("winbindd_pam_logoff: invalid uid\n"));
2435 goto process_result;
2438 /* what we need here is to find the corresponding krb5 ccache name *we*
2439 * created for a given username and destroy it */
2441 if (!ccache_entry_exists(state->request->data.logoff.user)) {
2442 result = NT_STATUS_OK;
2443 DEBUG(10,("winbindd_pam_logoff: no entry found.\n"));
2444 goto process_result;
2447 if (!ccache_entry_identical(state->request->data.logoff.user,
2448 state->request->data.logoff.uid,
2449 state->request->data.logoff.krb5ccname)) {
2450 DEBUG(0,("winbindd_pam_logoff: cached entry differs.\n"));
2451 goto process_result;
2454 result = remove_ccache(state->request->data.logoff.user);
2455 if (!NT_STATUS_IS_OK(result)) {
2456 DEBUG(0,("winbindd_pam_logoff: failed to remove ccache: %s\n",
2457 nt_errstr(result)));
2458 goto process_result;
2462 * Remove any mlock'ed memory creds in the child
2463 * we might be using for krb5 ticket renewal.
2466 winbindd_delete_memory_creds(state->request->data.logoff.user);
2469 result = NT_STATUS_NOT_SUPPORTED;
2474 winbindd_delete_memory_creds(state->request->data.logoff.user);
2476 set_auth_errors(state->response, result);
2478 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2481 /* Change user password with auth crap*/
2483 void winbindd_pam_chng_pswd_auth_crap(struct winbindd_cli_state *state)
2485 struct winbindd_domain *domain = NULL;
2486 const char *domain_name = NULL;
2488 /* Ensure null termination */
2489 state->request->data.chng_pswd_auth_crap.user[
2490 sizeof(state->request->data.chng_pswd_auth_crap.user)-1]=0;
2491 state->request->data.chng_pswd_auth_crap.domain[
2492 sizeof(state->request->data.chng_pswd_auth_crap.domain)-1]=0;
2494 DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
2495 (unsigned long)state->pid,
2496 state->request->data.chng_pswd_auth_crap.domain,
2497 state->request->data.chng_pswd_auth_crap.user));
2499 if (*state->request->data.chng_pswd_auth_crap.domain != '\0') {
2500 domain_name = state->request->data.chng_pswd_auth_crap.domain;
2501 } else if (lp_winbind_use_default_domain()) {
2502 domain_name = lp_workgroup();
2505 if (domain_name != NULL)
2506 domain = find_domain_from_name(domain_name);
2508 if (domain != NULL) {
2509 DEBUG(7, ("[%5lu]: pam auth crap changing pswd in domain: "
2510 "%s\n", (unsigned long)state->pid,domain->name));
2511 sendto_domain(state, domain);
2515 set_auth_errors(state->response, NT_STATUS_NO_SUCH_USER);
2516 DEBUG(5, ("CRAP change password for %s\\%s returned %s (PAM: %d)\n",
2517 state->request->data.chng_pswd_auth_crap.domain,
2518 state->request->data.chng_pswd_auth_crap.user,
2519 state->response->data.auth.nt_status_string,
2520 state->response->data.auth.pam_error));
2521 request_error(state);
2525 enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domain *domainSt, struct winbindd_cli_state *state)
2528 DATA_BLOB new_nt_password;
2529 DATA_BLOB old_nt_hash_enc;
2530 DATA_BLOB new_lm_password;
2531 DATA_BLOB old_lm_hash_enc;
2532 fstring domain,user;
2533 struct policy_handle dom_pol;
2534 struct winbindd_domain *contact_domain = domainSt;
2535 struct rpc_pipe_client *cli;
2537 /* Ensure null termination */
2538 state->request->data.chng_pswd_auth_crap.user[
2539 sizeof(state->request->data.chng_pswd_auth_crap.user)-1]=0;
2540 state->request->data.chng_pswd_auth_crap.domain[
2541 sizeof(state->request->data.chng_pswd_auth_crap.domain)-1]=0;
2545 DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
2546 (unsigned long)state->pid,
2547 state->request->data.chng_pswd_auth_crap.domain,
2548 state->request->data.chng_pswd_auth_crap.user));
2550 if (lp_winbind_offline_logon()) {
2551 DEBUG(0,("Refusing password change as winbind offline logons are enabled. "));
2552 DEBUGADD(0,("Changing passwords here would risk inconsistent logons\n"));
2553 result = NT_STATUS_ACCESS_DENIED;
2557 if (*state->request->data.chng_pswd_auth_crap.domain) {
2558 fstrcpy(domain,state->request->data.chng_pswd_auth_crap.domain);
2560 parse_domain_user(state->request->data.chng_pswd_auth_crap.user,
2564 DEBUG(3,("no domain specified with username (%s) - "
2566 state->request->data.chng_pswd_auth_crap.user));
2567 result = NT_STATUS_NO_SUCH_USER;
2572 if (!*domain && lp_winbind_use_default_domain()) {
2573 fstrcpy(domain,(char *)lp_workgroup());
2577 fstrcpy(user, state->request->data.chng_pswd_auth_crap.user);
2580 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n",
2581 (unsigned long)state->pid, domain, user));
2583 /* Change password */
2584 new_nt_password = data_blob_talloc(
2586 state->request->data.chng_pswd_auth_crap.new_nt_pswd,
2587 state->request->data.chng_pswd_auth_crap.new_nt_pswd_len);
2589 old_nt_hash_enc = data_blob_talloc(
2591 state->request->data.chng_pswd_auth_crap.old_nt_hash_enc,
2592 state->request->data.chng_pswd_auth_crap.old_nt_hash_enc_len);
2594 if(state->request->data.chng_pswd_auth_crap.new_lm_pswd_len > 0) {
2595 new_lm_password = data_blob_talloc(
2597 state->request->data.chng_pswd_auth_crap.new_lm_pswd,
2598 state->request->data.chng_pswd_auth_crap.new_lm_pswd_len);
2600 old_lm_hash_enc = data_blob_talloc(
2602 state->request->data.chng_pswd_auth_crap.old_lm_hash_enc,
2603 state->request->data.chng_pswd_auth_crap.old_lm_hash_enc_len);
2605 new_lm_password.length = 0;
2606 old_lm_hash_enc.length = 0;
2609 /* Get sam handle */
2611 result = cm_connect_sam(contact_domain, state->mem_ctx, &cli, &dom_pol);
2612 if (!NT_STATUS_IS_OK(result)) {
2613 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
2617 result = rpccli_samr_chng_pswd_auth_crap(
2618 cli, state->mem_ctx, user, new_nt_password, old_nt_hash_enc,
2619 new_lm_password, old_lm_hash_enc);
2623 set_auth_errors(state->response, result);
2625 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2626 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2628 state->response->data.auth.nt_status_string,
2629 state->response->data.auth.pam_error));
2631 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;