Merge from appliance-head: when creating a default security descriptor
[samba.git] / source3 / auth / auth_domain.c
1 /* 
2    Unix SMB/Netbios implementation.
3    Version 3.0.
4    Authenticate against a remote domain
5    Copyright (C) Andrew Tridgell 1992-1998
6    Copyright (C) Andrew Bartlett 2001
7    
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 2 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program; if not, write to the Free Software
20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 */
22
23 #include "includes.h"
24
25 BOOL global_machine_password_needs_changing = False;
26
27 extern pstring global_myname;
28
29 /***********************************************************************
30  Connect to a remote machine for domain security authentication
31  given a name or IP address.
32  ***********************************************************************/
33
34 static BOOL connect_to_domain_password_server(struct cli_state *pcli, 
35                                               char *server, unsigned char *trust_passwd)
36 {
37         struct in_addr dest_ip;
38         fstring remote_machine;
39         NTSTATUS result;
40
41         if(cli_initialise(pcli) == NULL) {
42                 DEBUG(0,("connect_to_domain_password_server: unable to initialize client connection.\n"));
43                 return False;
44         }
45
46         if (is_ipaddress(server)) {
47                 struct in_addr to_ip;
48           
49                 /* we shouldn't have 255.255.255.255 forthe IP address of 
50                    a password server anyways */
51                 if ((to_ip.s_addr=inet_addr(server)) == 0xFFFFFFFF) {
52                         DEBUG (0,("connect_to_domain_password_server: inet_addr(%s) returned 0xFFFFFFFF!\n", server));
53                         return False;
54                 }
55
56                 if (!name_status_find("*", 0x20, 0x20, to_ip, remote_machine)) {
57                         DEBUG(0, ("connect_to_domain_password_server: Can't "
58                                   "resolve name for IP %s\n", server));
59                         return False;
60                 }
61         } else {
62                 fstrcpy(remote_machine, server);
63         }
64
65         standard_sub_basic(remote_machine);
66         strupper(remote_machine);
67
68         if(!resolve_name( remote_machine, &dest_ip, 0x20)) {
69                 DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", remote_machine));
70                 cli_shutdown(pcli);
71                 return False;
72         }
73   
74         if (ismyip(dest_ip)) {
75                 DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n",
76                          remote_machine));
77                 cli_shutdown(pcli);
78                 return False;
79         }
80   
81         if (!cli_connect(pcli, remote_machine, &dest_ip)) {
82                 DEBUG(0,("connect_to_domain_password_server: unable to connect to SMB server on \
83 machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
84                 cli_shutdown(pcli);
85                 return False;
86         }
87   
88         if (!attempt_netbios_session_request(pcli, global_myname, remote_machine, &dest_ip)) {
89                 DEBUG(0,("connect_to_password_server: machine %s rejected the NetBIOS \
90 session request. Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
91                 return False;
92         }
93   
94         pcli->protocol = PROTOCOL_NT1;
95
96         if (!cli_negprot(pcli)) {
97                 DEBUG(0,("connect_to_domain_password_server: machine %s rejected the negotiate protocol. \
98 Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
99                 cli_shutdown(pcli);
100                 return False;
101         }
102
103         if (pcli->protocol != PROTOCOL_NT1) {
104                 DEBUG(0,("connect_to_domain_password_server: machine %s didn't negotiate NT protocol.\n",
105                          remote_machine));
106                 cli_shutdown(pcli);
107                 return False;
108         }
109
110         /*
111          * Do an anonymous session setup.
112          */
113
114         if (!cli_session_setup(pcli, "", "", 0, "", 0, "")) {
115                 DEBUG(0,("connect_to_domain_password_server: machine %s rejected the session setup. \
116 Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
117                 cli_shutdown(pcli);
118                 return False;
119         }
120
121         if (!(pcli->sec_mode & 1)) {
122                 DEBUG(1,("connect_to_domain_password_server: machine %s isn't in user level security mode\n",
123                          remote_machine));
124                 cli_shutdown(pcli);
125                 return False;
126         }
127
128         if (!cli_send_tconX(pcli, "IPC$", "IPC", "", 1)) {
129                 DEBUG(0,("connect_to_domain_password_server: machine %s rejected the tconX on the IPC$ share. \
130 Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
131                 cli_shutdown(pcli);
132                 return False;
133         }
134
135         /*
136          * We now have an anonymous connection to IPC$ on the domain password server.
137          */
138
139         /*
140          * Even if the connect succeeds we need to setup the netlogon
141          * pipe here. We do this as we may just have changed the domain
142          * account password on the PDC and yet we may be talking to
143          * a BDC that doesn't have this replicated yet. In this case
144          * a successful connect to a DC needs to take the netlogon connect
145          * into account also. This patch from "Bjart Kvarme" <bjart.kvarme@usit.uio.no>.
146          */
147
148         if(cli_nt_session_open(pcli, PIPE_NETLOGON) == False) {
149                 DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
150 machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli)));
151                 cli_nt_session_close(pcli);
152                 cli_ulogoff(pcli);
153                 cli_shutdown(pcli);
154                 return False;
155         }
156
157         result = cli_nt_setup_creds(pcli, trust_passwd);
158
159         if (!NT_STATUS_IS_OK(result)) {
160                 DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \
161 %s. Error was : %s.\n", remote_machine, get_nt_error_msg(result)));
162                 cli_nt_session_close(pcli);
163                 cli_ulogoff(pcli);
164                 cli_shutdown(pcli);
165                 return(False);
166         }
167
168         return True;
169 }
170
171 /***********************************************************************
172  Utility function to attempt a connection to an IP address of a DC.
173 ************************************************************************/
174
175 static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, 
176                                   unsigned char *trust_passwd)
177 {
178         fstring dc_name;
179
180         /*
181          * Ignore addresses we have already tried.
182          */
183
184         if (is_zero_ip(*ip))
185                 return False;
186
187         if (!lookup_pdc_name(global_myname, lp_workgroup(), ip, dc_name))
188                 return False;
189
190         return connect_to_domain_password_server(pcli, dc_name, trust_passwd);
191 }
192
193 /***********************************************************************
194  We have been asked to dynamcially determine the IP addresses of
195  the PDC and BDC's for this DOMAIN, and query them in turn.
196 ************************************************************************/
197 static BOOL find_connect_pdc(struct cli_state *pcli, 
198                              unsigned char *trust_passwd, 
199                              time_t last_change_time)
200 {
201         struct in_addr *ip_list = NULL;
202         int count = 0;
203         int i;
204         BOOL connected_ok = False;
205         time_t time_now = time(NULL);
206         BOOL use_pdc_only = False;
207
208         /*
209          * If the time the machine password has changed
210          * was less than an hour ago then we need to contact
211          * the PDC only, as we cannot be sure domain replication
212          * has yet taken place. Bug found by Gerald (way to go
213          * Gerald !). JRA.
214          */
215
216         if (time_now - last_change_time < 3600)
217                 use_pdc_only = True;
218
219         if (!get_dc_list(use_pdc_only, lp_workgroup(), &ip_list, &count))
220                 return False;
221
222         /*
223          * Firstly try and contact a PDC/BDC who has the same
224          * network address as any of our interfaces.
225          */
226         for(i = 0; i < count; i++) {
227                 if(!is_local_net(ip_list[i]))
228                         continue;
229
230                 if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) 
231                         break;
232                 
233                 zero_ip(&ip_list[i]); /* Tried and failed. */
234         }
235
236         /*
237          * Secondly try and contact a random PDC/BDC.
238          */
239         if(!connected_ok) {
240                 i = (sys_random() % count);
241
242                 if (!(connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd)))
243                         zero_ip(&ip_list[i]); /* Tried and failed. */
244         }
245
246         /*
247          * Finally go through the IP list in turn, ignoring any addresses
248          * we have already tried.
249          */
250         if(!connected_ok) {
251                 /*
252                  * Try and connect to any of the other IP addresses in the PDC/BDC list.
253                  * Note that from a WINS server the #1 IP address is the PDC.
254                  */
255                 for(i = 0; i < count; i++) {
256                         if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd)))
257                                 break;
258                 }
259         }
260
261         SAFE_FREE(ip_list);
262
263
264         return connected_ok;
265 }
266
267 /***********************************************************************
268  Do the same as security=server, but using NT Domain calls and a session
269  key from the machine password.  If the server parameter is specified
270  use it, otherwise figure out a server from the 'password server' param.
271 ************************************************************************/
272
273 static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, 
274                                        uchar chal[8],
275                                        auth_serversupplied_info **server_info, 
276                                        char *server, unsigned char *trust_passwd,
277                                        time_t last_change_time)
278 {
279         fstring remote_machine;
280         NET_ID_INFO_CTR ctr;
281         NET_USER_INFO_3 info3;
282         struct cli_state cli;
283         uint32 smb_uid_low;
284         BOOL connected_ok = False;
285         NTSTATUS status;
286         struct passwd *pass;
287
288         /* 
289          * Check that the requested domain is not our own machine name.
290          * If it is, we should never check the PDC here, we use our own local
291          * password file.
292          */
293
294         if(strequal(user_info->domain.str, global_myname)) {
295                 DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n"));
296                 return NT_STATUS_LOGON_FAILURE;
297         }
298
299         /*
300          * At this point, smb_apasswd points to the lanman response to
301          * the challenge in local_challenge, and smb_ntpasswd points to
302          * the NT response to the challenge in local_challenge. Ship
303          * these over the secure channel to a domain controller and
304          * see if they were valid.
305          */
306
307         ZERO_STRUCT(cli);
308
309         while (!connected_ok &&
310                next_token(&server,remote_machine,LIST_SEP,sizeof(remote_machine))) {
311                 if(strequal(remote_machine, "*")) {
312                         connected_ok = find_connect_pdc(&cli, trust_passwd, last_change_time);
313                 } else {
314                         connected_ok = connect_to_domain_password_server(&cli, remote_machine, trust_passwd);
315                 }
316         }
317
318         if (!connected_ok) {
319                 DEBUG(0,("domain_client_validate: Domain password server not available.\n"));
320                 cli_shutdown(&cli);
321                 return NT_STATUS_LOGON_FAILURE;
322         }
323
324         /* We really don't care what LUID we give the user. */
325         generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False);
326
327         ZERO_STRUCT(info3);
328
329         /*
330          * If this call succeeds, we now have lots of info about the user
331          * in the info3 structure.  
332          */
333
334         status = cli_nt_login_network(&cli, user_info, chal, smb_uid_low, 
335                                       &ctr, &info3);
336         
337         if (!NT_STATUS_IS_OK(status)) {
338                 DEBUG(0,("domain_client_validate: unable to validate password "
339                          "for user %s in domain %s to Domain controller %s. "
340                          "Error was %s.\n", user_info->smb_name.str,
341                          user_info->domain.str, cli.srv_name_slash, 
342                          get_nt_error_msg(status)));
343         } else {
344                 char *dom_user;
345
346                 /* Check DOMAIN\username first to catch winbind users, then
347                    just the username for local users. */
348
349                 asprintf(&dom_user, "%s%s%s", user_info->domain.str,
350                          lp_winbind_separator(),
351                          user_info->internal_username.str);
352
353                 if (!(pass = Get_Pwnam(dom_user)))
354                         pass = Get_Pwnam(user_info->internal_username.str);
355
356                 free(dom_user);
357
358                 if (pass) {
359                         make_server_info_pw(server_info, pass);
360                         if (!server_info) {
361                                 status = NT_STATUS_NO_MEMORY;
362                         }
363                 } else {
364                         status = NT_STATUS_NO_SUCH_USER;
365                 }
366         }
367
368         /* Store the user group information in the server_info returned to the caller. */
369         
370         if (NT_STATUS_IS_OK(status) && (info3.num_groups2 != 0)) {
371                 DOM_SID domain_sid;
372                 int i;
373                 NT_USER_TOKEN *ptok;
374                 auth_serversupplied_info *pserver_info = *server_info;
375
376                 if ((pserver_info->ptok = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) {
377                         DEBUG(0, ("domain_client_validate: out of memory allocating rid group membership\n"));
378                         status = NT_STATUS_NO_MEMORY;
379                         free_server_info(server_info);
380                         goto done;
381                 }
382
383                 ptok = pserver_info->ptok;
384                 ptok->num_sids = (size_t)info3.num_groups2;
385
386                 if ((ptok->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptok->num_sids )) == NULL) {
387                         DEBUG(0, ("domain_client_validate: Out of memory allocating group SIDS\n"));
388                         status = NT_STATUS_NO_MEMORY;
389                         free_server_info(server_info);
390                         goto done;
391                 }
392  
393                 if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
394                         DEBUG(0, ("domain_client_validate: unable to fetch domain sid.\n"));
395                         status = NT_STATUS_NO_MEMORY;
396                         free_server_info(server_info);
397                         goto done;
398                 }
399  
400                 for (i = 0; i < ptok->num_sids; i++) {
401                         sid_copy(&ptok->user_sids[i], &domain_sid);
402                         sid_append_rid(&ptok->user_sids[i], info3.gids[i].g_rid);
403                 }
404         }
405
406 #if 0
407         /* 
408          * We don't actually need to do this - plus it fails currently with
409          * NT_STATUS_INVALID_INFO_CLASS - we need to know *exactly* what to
410          * send here. JRA.
411          */
412
413         if (NT_STATUS_IS_OK(status)) {
414                 if(cli_nt_logoff(&cli, &ctr) == False) {
415                         DEBUG(0,("domain_client_validate: unable to log off user %s in domain \
416 %s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli)));        
417                         status = NT_STATUS_LOGON_FAILURE;
418                 }
419         }
420 #endif /* 0 */
421
422   done:
423
424         /* Note - once the cli stream is shutdown the mem_ctx used
425            to allocate the other_sids and gids structures has been deleted - so
426            these pointers are no longer valid..... */
427
428         cli_nt_session_close(&cli);
429         cli_ulogoff(&cli);
430         cli_shutdown(&cli);
431         return status;
432 }
433
434 /****************************************************************************
435  Check for a valid username and password in security=domain mode.
436 ****************************************************************************/
437
438 static NTSTATUS check_ntdomain_security(void *my_private_data,
439                                         const auth_usersupplied_info *user_info, 
440                                         const auth_authsupplied_info *auth_info,
441                                         auth_serversupplied_info **server_info)
442 {
443         NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
444         char *p, *pserver;
445         unsigned char trust_passwd[16];
446         time_t last_change_time;
447
448         become_root();
449
450         /*
451          * Get the machine account password for our primary domain
452          */
453
454         if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, &last_change_time))
455         {
456                 DEBUG(0, ("check_domain_security: could not fetch trust account password for domain %s\n", lp_workgroup()));
457                 unbecome_root();
458                 return NT_STATUS_LOGON_FAILURE;
459         }
460
461         unbecome_root();
462
463         /* Test if machine password is expired and need to be changed */
464         if (time(NULL) > last_change_time + lp_machine_password_timeout())
465         {
466                 global_machine_password_needs_changing = True;
467         }
468
469         /*
470          * Treat each name in the 'password server =' line as a potential
471          * PDC/BDC. Contact each in turn and try and authenticate.
472          */
473
474         pserver = lp_passwordserver();
475         if (! *pserver) pserver = "*";
476         p = pserver;
477
478         nt_status = domain_client_validate(user_info, (uchar *)auth_info->challange.data,server_info, 
479                                            p, trust_passwd, last_change_time);
480
481         return nt_status;
482 }
483
484 BOOL auth_init_ntdomain(auth_methods **auth_method) 
485 {
486         if (!make_auth_methods(auth_method)) {
487                 return False;
488         }
489
490         (*auth_method)->auth = check_ntdomain_security;
491         return True;
492 }