2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Volker Lendecke 2006
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 #include "../libcli/auth/libcli_auth.h"
27 #include "../lib/crypto/arcfour.h"
28 #include "rpc_client/init_lsa.h"
29 #include "../libcli/security/security.h"
30 #include "../lib/util/util_pw.h"
31 #include "lib/winbind_util.h"
35 #define DBGC_CLASS DBGC_AUTH
37 /****************************************************************************
38 Create a UNIX user on demand.
39 ****************************************************************************/
41 static int _smb_create_user(const char *domain, const char *unix_username, const char *homedir)
43 TALLOC_CTX *ctx = talloc_tos();
47 add_script = talloc_strdup(ctx, lp_adduser_script());
48 if (!add_script || !*add_script) {
51 add_script = talloc_all_string_sub(ctx,
59 add_script = talloc_all_string_sub(ctx,
68 add_script = talloc_all_string_sub(ctx,
76 ret = smbrun(add_script,NULL);
79 ("smb_create_user: Running the command `%s' gave %d\n",
84 /****************************************************************************
85 Create an auth_usersupplied_data structure after appropriate mapping.
86 ****************************************************************************/
88 NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info,
90 const char *client_domain,
91 const char *workstation_name,
94 const struct samr_Password *lm_interactive_pwd,
95 const struct samr_Password *nt_interactive_pwd,
96 const char *plaintext,
97 enum auth_password_state password_state)
102 char *internal_username = NULL;
104 was_mapped = map_username(talloc_tos(), smb_name, &internal_username);
105 if (!internal_username) {
106 return NT_STATUS_NO_MEMORY;
109 DEBUG(5, ("Mapping user [%s]\\[%s] from workstation [%s]\n",
110 client_domain, smb_name, workstation_name));
112 domain = client_domain;
114 /* If you connect to a Windows domain member using a bogus domain name,
115 * the Windows box will map the BOGUS\user to SAMNAME\user. Thus, if
116 * the Windows box is a DC the name will become DOMAIN\user and be
117 * authenticated against AD, if the Windows box is a member server but
118 * not a DC the name will become WORKSTATION\user. A standalone
119 * non-domain member box will also map to WORKSTATION\user.
120 * This also deals with the client passing in a "" domain */
122 if (!is_trusted_domain(domain) &&
123 !strequal(domain, my_sam_name()))
125 if (lp_map_untrusted_to_domain())
126 domain = my_sam_name();
128 domain = get_global_sam_name();
129 DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] from "
130 "workstation [%s]\n",
131 client_domain, domain, smb_name, workstation_name));
134 /* We know that the given domain is trusted (and we are allowing them),
135 * it is our global SAM name, or for legacy behavior it is our
136 * primary domain name */
138 result = make_user_info(user_info, smb_name, internal_username,
139 client_domain, domain, workstation_name,
141 lm_interactive_pwd, nt_interactive_pwd,
142 plaintext, password_state);
143 if (NT_STATUS_IS_OK(result)) {
144 /* We have tried mapping */
145 (*user_info)->mapped_state = True;
146 /* did we actually map the user to a different name? */
147 (*user_info)->was_mapped = was_mapped;
152 /****************************************************************************
153 Create an auth_usersupplied_data, making the DATA_BLOBs here.
154 Decrypt and encrypt the passwords.
155 ****************************************************************************/
157 bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info,
158 const char *smb_name,
159 const char *client_domain,
160 const char *workstation_name,
161 uint32 logon_parameters,
162 const uchar *lm_network_pwd,
164 const uchar *nt_network_pwd,
169 DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len);
170 DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
172 status = make_user_info_map(user_info,
173 smb_name, client_domain,
175 lm_pwd_len ? &lm_blob : NULL,
176 nt_pwd_len ? &nt_blob : NULL,
178 AUTH_PASSWORD_RESPONSE);
180 if (NT_STATUS_IS_OK(status)) {
181 (*user_info)->logon_parameters = logon_parameters;
183 ret = NT_STATUS_IS_OK(status) ? True : False;
185 data_blob_free(&lm_blob);
186 data_blob_free(&nt_blob);
190 /****************************************************************************
191 Create an auth_usersupplied_data, making the DATA_BLOBs here.
192 Decrypt and encrypt the passwords.
193 ****************************************************************************/
195 bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_info,
196 const char *smb_name,
197 const char *client_domain,
198 const char *workstation_name,
199 uint32 logon_parameters,
201 const uchar lm_interactive_pwd[16],
202 const uchar nt_interactive_pwd[16],
203 const uchar *dc_sess_key)
205 struct samr_Password lm_pwd;
206 struct samr_Password nt_pwd;
207 unsigned char local_lm_response[24];
208 unsigned char local_nt_response[24];
209 unsigned char key[16];
211 memcpy(key, dc_sess_key, 16);
213 if (lm_interactive_pwd)
214 memcpy(lm_pwd.hash, lm_interactive_pwd, sizeof(lm_pwd.hash));
216 if (nt_interactive_pwd)
217 memcpy(nt_pwd.hash, nt_interactive_pwd, sizeof(nt_pwd.hash));
219 #ifdef DEBUG_PASSWORD
221 dump_data(100, key, sizeof(key));
223 DEBUG(100,("lm owf password:"));
224 dump_data(100, lm_pwd.hash, sizeof(lm_pwd.hash));
226 DEBUG(100,("nt owf password:"));
227 dump_data(100, nt_pwd.hash, sizeof(nt_pwd.hash));
230 if (lm_interactive_pwd)
231 arcfour_crypt(lm_pwd.hash, key, sizeof(lm_pwd.hash));
233 if (nt_interactive_pwd)
234 arcfour_crypt(nt_pwd.hash, key, sizeof(nt_pwd.hash));
236 #ifdef DEBUG_PASSWORD
237 DEBUG(100,("decrypt of lm owf password:"));
238 dump_data(100, lm_pwd.hash, sizeof(lm_pwd));
240 DEBUG(100,("decrypt of nt owf password:"));
241 dump_data(100, nt_pwd.hash, sizeof(nt_pwd));
244 if (lm_interactive_pwd)
245 SMBOWFencrypt(lm_pwd.hash, chal,
248 if (nt_interactive_pwd)
249 SMBOWFencrypt(nt_pwd.hash, chal,
252 /* Password info paranoia */
258 DATA_BLOB local_lm_blob;
259 DATA_BLOB local_nt_blob;
261 if (lm_interactive_pwd) {
262 local_lm_blob = data_blob(local_lm_response,
263 sizeof(local_lm_response));
266 if (nt_interactive_pwd) {
267 local_nt_blob = data_blob(local_nt_response,
268 sizeof(local_nt_response));
271 nt_status = make_user_info_map(
273 smb_name, client_domain, workstation_name,
274 lm_interactive_pwd ? &local_lm_blob : NULL,
275 nt_interactive_pwd ? &local_nt_blob : NULL,
276 lm_interactive_pwd ? &lm_pwd : NULL,
277 nt_interactive_pwd ? &nt_pwd : NULL,
278 NULL, AUTH_PASSWORD_HASH);
280 if (NT_STATUS_IS_OK(nt_status)) {
281 (*user_info)->logon_parameters = logon_parameters;
284 ret = NT_STATUS_IS_OK(nt_status) ? True : False;
285 data_blob_free(&local_lm_blob);
286 data_blob_free(&local_nt_blob);
292 /****************************************************************************
293 Create an auth_usersupplied_data structure
294 ****************************************************************************/
296 bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
297 const char *smb_name,
298 const char *client_domain,
300 DATA_BLOB plaintext_password)
303 DATA_BLOB local_lm_blob;
304 DATA_BLOB local_nt_blob;
305 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
306 char *plaintext_password_string;
308 * Not encrypted - do so.
311 DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted "
313 if (plaintext_password.data && plaintext_password.length) {
314 unsigned char local_lm_response[24];
316 #ifdef DEBUG_PASSWORD
317 DEBUG(10,("Unencrypted password (len %d):\n",
318 (int)plaintext_password.length));
319 dump_data(100, plaintext_password.data,
320 plaintext_password.length);
323 SMBencrypt( (const char *)plaintext_password.data,
324 (const uchar*)chal, local_lm_response);
325 local_lm_blob = data_blob(local_lm_response, 24);
327 /* We can't do an NT hash here, as the password needs to be
329 local_nt_blob = data_blob_null;
331 local_lm_blob = data_blob_null;
332 local_nt_blob = data_blob_null;
335 plaintext_password_string = talloc_strndup(talloc_tos(),
336 (const char *)plaintext_password.data,
337 plaintext_password.length);
338 if (!plaintext_password_string) {
342 ret = make_user_info_map(
343 user_info, smb_name, client_domain,
344 get_remote_machine_name(),
345 local_lm_blob.data ? &local_lm_blob : NULL,
346 local_nt_blob.data ? &local_nt_blob : NULL,
348 plaintext_password_string,
349 AUTH_PASSWORD_PLAIN);
351 if (plaintext_password_string) {
352 memset(plaintext_password_string, '\0', strlen(plaintext_password_string));
353 talloc_free(plaintext_password_string);
356 data_blob_free(&local_lm_blob);
357 return NT_STATUS_IS_OK(ret) ? True : False;
360 /****************************************************************************
361 Create an auth_usersupplied_data structure
362 ****************************************************************************/
364 NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info,
365 const char *smb_name,
366 const char *client_domain,
367 DATA_BLOB lm_resp, DATA_BLOB nt_resp)
369 return make_user_info_map(user_info, smb_name,
371 get_remote_machine_name(),
372 lm_resp.data && (lm_resp.length > 0) ? &lm_resp : NULL,
373 nt_resp.data && (nt_resp.length > 0) ? &nt_resp : NULL,
375 AUTH_PASSWORD_RESPONSE);
378 /****************************************************************************
379 Create a guest user_info blob, for anonymous authenticaion.
380 ****************************************************************************/
382 bool make_user_info_guest(struct auth_usersupplied_info **user_info)
386 nt_status = make_user_info(user_info,
393 AUTH_PASSWORD_RESPONSE);
395 return NT_STATUS_IS_OK(nt_status) ? True : False;
398 static NTSTATUS log_nt_token(struct security_token *token)
400 TALLOC_CTX *frame = talloc_stackframe();
405 if ((lp_log_nt_token_command() == NULL) ||
406 (strlen(lp_log_nt_token_command()) == 0)) {
411 group_sidstr = talloc_strdup(frame, "");
412 for (i=1; i<token->num_sids; i++) {
413 group_sidstr = talloc_asprintf(
414 frame, "%s %s", group_sidstr,
415 sid_string_talloc(frame, &token->sids[i]));
418 command = talloc_string_sub(
419 frame, lp_log_nt_token_command(),
420 "%s", sid_string_talloc(frame, &token->sids[0]));
421 command = talloc_string_sub(frame, command, "%t", group_sidstr);
423 if (command == NULL) {
425 return NT_STATUS_NO_MEMORY;
428 DEBUG(8, ("running command: [%s]\n", command));
429 if (smbrun(command, NULL) != 0) {
430 DEBUG(0, ("Could not log NT token\n"));
432 return NT_STATUS_ACCESS_DENIED;
440 * Create the token to use from server_info->info3 and
441 * server_info->sids (the info3/sam groups). Find the unix gids.
444 NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
445 const struct auth_serversupplied_info *server_info,
446 DATA_BLOB *session_key,
447 struct auth_serversupplied_info **session_info_out)
449 struct security_token *t;
452 struct dom_sid tmp_sid;
453 struct auth_serversupplied_info *session_info;
454 struct wbcUnixId *ids;
456 /* Ensure we can't possible take a code path leading to a
459 return NT_STATUS_LOGON_FAILURE;
462 session_info = copy_serverinfo(mem_ctx, server_info);
465 return NT_STATUS_NO_MEMORY;
469 data_blob_free(&session_info->session_key);
470 session_info->session_key = data_blob_talloc(session_info,
472 session_key->length);
473 if (!session_info->session_key.data && session_key->length) {
474 return NT_STATUS_NO_MEMORY;
478 if (session_info->security_token) {
479 /* Just copy the token, it has already been finalised
480 * (nasty hack to support a cached guest session_info,
481 * and a possible strategy for auth_samba4 to pass in
482 * a finalised session) */
483 *session_info_out = session_info;
488 * If winbind is not around, we can not make much use of the SIDs the
489 * domain controller provided us with. Likewise if the user name was
490 * mapped to some local unix user.
493 if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
494 (session_info->nss_token)) {
495 status = create_token_from_username(session_info,
496 session_info->unix_name,
498 &session_info->utok.uid,
499 &session_info->utok.gid,
500 &session_info->unix_name,
501 &session_info->security_token);
504 status = create_local_nt_token_from_info3(session_info,
507 &session_info->extra,
508 &session_info->security_token);
511 if (!NT_STATUS_IS_OK(status)) {
515 /* Convert the SIDs to gids. */
517 session_info->utok.ngroups = 0;
518 session_info->utok.groups = NULL;
520 t = session_info->security_token;
522 ids = talloc_array(talloc_tos(), struct wbcUnixId,
525 return NT_STATUS_NO_MEMORY;
528 if (!sids_to_unix_ids(t->sids, t->num_sids, ids)) {
530 return NT_STATUS_NO_MEMORY;
533 /* Start at index 1, where the groups start. */
535 for (i=1; i<t->num_sids; i++) {
537 if (ids[i].type != WBC_ID_TYPE_GID) {
538 DEBUG(10, ("Could not convert SID %s to gid, "
540 sid_string_dbg(&t->sids[i])));
543 if (!add_gid_to_array_unique(session_info, ids[i].id.gid,
544 &session_info->utok.groups,
545 &session_info->utok.ngroups)) {
546 return NT_STATUS_NO_MEMORY;
551 * Add the "Unix Group" SID for each gid to catch mapped groups
552 * and their Unix equivalent. This is to solve the backwards
553 * compatibility problem of 'valid users = +ntadmin' where
554 * ntadmin has been paired with "Domain Admins" in the group
555 * mapping table. Otherwise smb.conf would need to be changed
556 * to 'valid user = "Domain Admins"'. --jerry
558 * For consistency we also add the "Unix User" SID,
559 * so that the complete unix token is represented within
563 uid_to_unix_users_sid(session_info->utok.uid, &tmp_sid);
565 add_sid_to_array_unique(session_info->security_token, &tmp_sid,
566 &session_info->security_token->sids,
567 &session_info->security_token->num_sids);
569 for ( i=0; i<session_info->utok.ngroups; i++ ) {
570 gid_to_unix_groups_sid(session_info->utok.groups[i], &tmp_sid);
571 add_sid_to_array_unique(session_info->security_token, &tmp_sid,
572 &session_info->security_token->sids,
573 &session_info->security_token->num_sids);
576 security_token_debug(DBGC_AUTH, 10, session_info->security_token);
577 debug_unix_user_token(DBGC_AUTH, 10,
578 session_info->utok.uid,
579 session_info->utok.gid,
580 session_info->utok.ngroups,
581 session_info->utok.groups);
583 status = log_nt_token(session_info->security_token);
584 if (!NT_STATUS_IS_OK(status)) {
588 *session_info_out = session_info;
592 /***************************************************************************
593 Make (and fill) a server_info struct from a 'struct passwd' by conversion
595 ***************************************************************************/
597 NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
602 struct samu *sampass = NULL;
603 char *qualified_name = NULL;
604 TALLOC_CTX *mem_ctx = NULL;
605 struct dom_sid u_sid;
606 enum lsa_SidType type;
607 struct auth_serversupplied_info *result;
610 * The SID returned in server_info->sam_account is based
611 * on our SAM sid even though for a pure UNIX account this should
612 * not be the case as it doesn't really exist in the SAM db.
613 * This causes lookups on "[in]valid users" to fail as they
614 * will lookup this name as a "Unix User" SID to check against
615 * the user token. Fix this by adding the "Unix User"\unix_username
616 * SID to the sid array. The correct fix should probably be
617 * changing the server_info->sam_account user SID to be a
618 * S-1-22 Unix SID, but this might break old configs where
619 * plaintext passwords were used with no SAM backend.
622 mem_ctx = talloc_init("make_server_info_pw_tmp");
624 return NT_STATUS_NO_MEMORY;
627 qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
628 unix_users_domain_name(),
630 if (!qualified_name) {
631 TALLOC_FREE(mem_ctx);
632 return NT_STATUS_NO_MEMORY;
635 if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
638 TALLOC_FREE(mem_ctx);
639 return NT_STATUS_NO_SUCH_USER;
642 TALLOC_FREE(mem_ctx);
644 if (type != SID_NAME_USER) {
645 return NT_STATUS_NO_SUCH_USER;
648 if ( !(sampass = samu_new( NULL )) ) {
649 return NT_STATUS_NO_MEMORY;
652 status = samu_set_unix( sampass, pwd );
653 if (!NT_STATUS_IS_OK(status)) {
657 /* In pathological cases the above call can set the account
658 * name to the DOMAIN\username form. Reset the account name
659 * using unix_username */
660 pdb_set_username(sampass, unix_username, PDB_SET);
662 /* set the user sid to be the calculated u_sid */
663 pdb_set_user_sid(sampass, &u_sid, PDB_SET);
665 result = make_server_info(NULL);
666 if (result == NULL) {
667 TALLOC_FREE(sampass);
668 return NT_STATUS_NO_MEMORY;
671 status = samu_to_SamInfo3(result, sampass, global_myname(),
672 &result->info3, &result->extra);
673 TALLOC_FREE(sampass);
674 if (!NT_STATUS_IS_OK(status)) {
675 DEBUG(10, ("Failed to convert samu to info3: %s\n",
681 result->unix_name = talloc_strdup(result, unix_username);
682 result->sanitized_username = sanitize_username(result, unix_username);
684 if ((result->unix_name == NULL)
685 || (result->sanitized_username == NULL)) {
687 return NT_STATUS_NO_MEMORY;
690 result->utok.uid = pwd->pw_uid;
691 result->utok.gid = pwd->pw_gid;
693 *server_info = result;
698 static NTSTATUS get_guest_info3(TALLOC_CTX *mem_ctx,
699 struct netr_SamInfo3 *info3)
701 const char *guest_account = lp_guestaccount();
702 struct dom_sid domain_sid;
706 pwd = Get_Pwnam_alloc(mem_ctx, guest_account);
708 DEBUG(0,("SamInfo3_for_guest: Unable to locate guest "
709 "account [%s]!\n", guest_account));
710 return NT_STATUS_NO_SUCH_USER;
713 /* Set acount name */
714 tmp = talloc_strdup(mem_ctx, pwd->pw_name);
716 return NT_STATUS_NO_MEMORY;
718 init_lsa_String(&info3->base.account_name, tmp);
720 /* Set domain name */
721 tmp = talloc_strdup(mem_ctx, get_global_sam_name());
723 return NT_STATUS_NO_MEMORY;
725 init_lsa_StringLarge(&info3->base.domain, tmp);
728 sid_copy(&domain_sid, get_global_sam_sid());
730 info3->base.domain_sid = dom_sid_dup(mem_ctx, &domain_sid);
731 if (info3->base.domain_sid == NULL) {
732 return NT_STATUS_NO_MEMORY;
736 info3->base.rid = DOMAIN_RID_GUEST;
739 info3->base.primary_gid = BUILTIN_RID_GUESTS;
745 /***************************************************************************
746 Make (and fill) a user_info struct for a guest login.
747 This *must* succeed for smbd to start. If there is no mapping entry for
748 the guest gid, then create one.
750 The resulting structure is a 'session_info' because
751 create_local_token() has already been called on it. This is quite
752 nasty, as the auth subsystem isn't expect this, but the behaviour is
754 ***************************************************************************/
756 static NTSTATUS make_new_server_info_guest(struct auth_serversupplied_info **session_info)
758 struct auth_serversupplied_info *server_info;
759 static const char zeros[16] = {0};
760 const char *guest_account = lp_guestaccount();
761 const char *domain = global_myname();
762 struct netr_SamInfo3 info3;
767 tmp_ctx = talloc_stackframe();
768 if (tmp_ctx == NULL) {
769 return NT_STATUS_NO_MEMORY;
774 status = get_guest_info3(tmp_ctx, &info3);
775 if (!NT_STATUS_IS_OK(status)) {
779 status = make_server_info_info3(tmp_ctx,
784 if (!NT_STATUS_IS_OK(status)) {
788 server_info->guest = True;
790 /* This should not be done here (we should produce a server
791 * info, and later construct a session info from it), but for
792 * now this does not change the previous behaviours */
793 status = create_local_token(tmp_ctx, server_info, NULL, session_info);
794 TALLOC_FREE(server_info);
795 if (!NT_STATUS_IS_OK(status)) {
796 DEBUG(10, ("create_local_token failed: %s\n",
800 talloc_steal(NULL, *session_info);
802 /* annoying, but the Guest really does have a session key, and it is
804 (*session_info)->session_key = data_blob(zeros, sizeof(zeros));
805 (*session_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
807 alpha_strcpy(tmp, (*session_info)->info3->base.account_name.string,
808 ". _-$", sizeof(tmp));
809 (*session_info)->sanitized_username = talloc_strdup(*session_info, tmp);
811 status = NT_STATUS_OK;
813 TALLOC_FREE(tmp_ctx);
817 /***************************************************************************
818 Make (and fill) a auth_session_info struct for a system user login.
819 This *must* succeed for smbd to start.
820 ***************************************************************************/
822 static NTSTATUS make_new_session_info_system(TALLOC_CTX *mem_ctx,
823 struct auth_serversupplied_info **session_info)
828 pwd = getpwuid_alloc(mem_ctx, sec_initial_uid());
830 return NT_STATUS_NO_SUCH_USER;
833 status = make_session_info_from_username(mem_ctx,
838 if (!NT_STATUS_IS_OK(status)) {
842 (*session_info)->system = true;
844 status = add_sid_to_array_unique((*session_info)->security_token->sids,
846 &(*session_info)->security_token->sids,
847 &(*session_info)->security_token->num_sids);
848 if (!NT_STATUS_IS_OK(status)) {
849 TALLOC_FREE((*session_info));
856 /****************************************************************************
857 Fake a auth_serversupplied_info just from a username (as a
858 session_info structure, with create_local_token() already called on
860 ****************************************************************************/
862 NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
863 const char *username,
865 struct auth_serversupplied_info **session_info)
867 struct auth_serversupplied_info *result;
871 pwd = Get_Pwnam_alloc(talloc_tos(), username);
873 return NT_STATUS_NO_SUCH_USER;
876 status = make_server_info_pw(&result, pwd->pw_name, pwd);
880 if (!NT_STATUS_IS_OK(status)) {
884 result->nss_token = true;
885 result->guest = is_guest;
887 /* Now turn the server_info into a session_info with the full token etc */
888 status = create_local_token(mem_ctx, result, NULL, session_info);
894 struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx,
895 const struct auth_serversupplied_info *src)
897 struct auth_serversupplied_info *dst;
899 dst = make_server_info(mem_ctx);
904 dst->guest = src->guest;
905 dst->system = src->system;
906 dst->utok.uid = src->utok.uid;
907 dst->utok.gid = src->utok.gid;
908 dst->utok.ngroups = src->utok.ngroups;
909 if (src->utok.ngroups != 0) {
910 dst->utok.groups = (gid_t *)talloc_memdup(
911 dst, src->utok.groups,
912 sizeof(gid_t)*dst->utok.ngroups);
914 dst->utok.groups = NULL;
917 if (src->security_token) {
918 dst->security_token = dup_nt_token(dst, src->security_token);
919 if (!dst->security_token) {
925 dst->session_key = data_blob_talloc( dst, src->session_key.data,
926 src->session_key.length);
928 dst->lm_session_key = data_blob_talloc(dst, src->lm_session_key.data,
929 src->lm_session_key.length);
931 dst->info3 = copy_netr_SamInfo3(dst, src->info3);
936 dst->extra = src->extra;
938 dst->unix_name = talloc_strdup(dst, src->unix_name);
939 if (!dst->unix_name) {
944 dst->sanitized_username = talloc_strdup(dst, src->sanitized_username);
945 if (!dst->sanitized_username) {
954 * Set a new session key. Used in the rpc server where we have to override the
955 * SMB level session key with SystemLibraryDTC
958 bool session_info_set_session_key(struct auth_serversupplied_info *info,
959 DATA_BLOB session_key)
961 TALLOC_FREE(info->session_key.data);
963 info->session_key = data_blob_talloc(
964 info, session_key.data, session_key.length);
966 return (info->session_key.data != NULL);
969 static struct auth_serversupplied_info *guest_info = NULL;
971 bool init_guest_info(void)
973 if (guest_info != NULL)
976 return NT_STATUS_IS_OK(make_new_server_info_guest(&guest_info));
979 NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx,
980 struct auth_serversupplied_info **server_info)
982 *server_info = copy_serverinfo(mem_ctx, guest_info);
983 return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
986 static struct auth_serversupplied_info *system_info = NULL;
988 NTSTATUS init_system_info(void)
990 if (system_info != NULL)
993 return make_new_session_info_system(NULL, &system_info);
996 NTSTATUS make_session_info_system(TALLOC_CTX *mem_ctx,
997 struct auth_serversupplied_info **session_info)
999 if (system_info == NULL) return NT_STATUS_UNSUCCESSFUL;
1000 *session_info = copy_serverinfo(mem_ctx, system_info);
1001 return (*session_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1004 const struct auth_serversupplied_info *get_session_info_system(void)
1009 bool copy_current_user(struct current_user *dst, struct current_user *src)
1012 struct security_token *nt_token;
1014 groups = (gid_t *)memdup(src->ut.groups,
1015 sizeof(gid_t) * src->ut.ngroups);
1016 if ((src->ut.ngroups != 0) && (groups == NULL)) {
1020 nt_token = dup_nt_token(NULL, src->nt_user_token);
1021 if (nt_token == NULL) {
1026 dst->conn = src->conn;
1027 dst->vuid = src->vuid;
1028 dst->ut.uid = src->ut.uid;
1029 dst->ut.gid = src->ut.gid;
1030 dst->ut.ngroups = src->ut.ngroups;
1031 dst->ut.groups = groups;
1032 dst->nt_user_token = nt_token;
1036 /***************************************************************************
1037 Purely internal function for make_server_info_info3
1038 ***************************************************************************/
1040 static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
1041 const char *username, char **found_username,
1042 struct passwd **pwd,
1043 bool *username_was_mapped)
1045 char *orig_dom_user = NULL;
1046 char *dom_user = NULL;
1047 char *lower_username = NULL;
1048 char *real_username = NULL;
1049 struct passwd *passwd;
1051 lower_username = talloc_strdup(mem_ctx, username);
1052 if (!lower_username) {
1053 return NT_STATUS_NO_MEMORY;
1055 strlower_m( lower_username );
1057 orig_dom_user = talloc_asprintf(mem_ctx,
1060 *lp_winbind_separator(),
1062 if (!orig_dom_user) {
1063 return NT_STATUS_NO_MEMORY;
1066 /* Get the passwd struct. Try to create the account if necessary. */
1068 *username_was_mapped = map_username(mem_ctx, orig_dom_user, &dom_user);
1070 return NT_STATUS_NO_MEMORY;
1073 passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, True );
1075 DEBUG(3, ("Failed to find authenticated user %s via "
1076 "getpwnam(), denying access.\n", dom_user));
1077 return NT_STATUS_NO_SUCH_USER;
1080 if (!real_username) {
1081 return NT_STATUS_NO_MEMORY;
1086 /* This is pointless -- there is no suport for differing
1087 unix and windows names. Make sure to always store the
1088 one we actually looked up and succeeded. Have I mentioned
1089 why I hate the 'winbind use default domain' parameter?
1092 *found_username = talloc_strdup( mem_ctx, real_username );
1094 return NT_STATUS_OK;
1097 /****************************************************************************
1098 Wrapper to allow the getpwnam() call to strip the domain name and
1099 try again in case a local UNIX user is already there. Also run through
1100 the username if we fallback to the username only.
1101 ****************************************************************************/
1103 struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser,
1104 char **p_save_username, bool create )
1106 struct passwd *pw = NULL;
1108 char *username = NULL;
1110 /* we only save a copy of the username it has been mangled
1111 by winbindd use default domain */
1112 *p_save_username = NULL;
1114 /* don't call map_username() here since it has to be done higher
1115 up the stack so we don't call it multiple times */
1117 username = talloc_strdup(mem_ctx, domuser);
1122 p = strchr_m( username, *lp_winbind_separator() );
1124 /* code for a DOMAIN\user string */
1127 pw = Get_Pwnam_alloc( mem_ctx, domuser );
1129 /* make sure we get the case of the username correct */
1130 /* work around 'winbind use default domain = yes' */
1132 if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
1135 /* split the domain and username into 2 strings */
1139 *p_save_username = talloc_asprintf(mem_ctx,
1142 *lp_winbind_separator(),
1144 if (!*p_save_username) {
1149 *p_save_username = talloc_strdup(mem_ctx, pw->pw_name);
1156 /* setup for lookup of just the username */
1157 /* remember that p and username are overlapping memory */
1160 username = talloc_strdup(mem_ctx, p);
1166 /* just lookup a plain username */
1168 pw = Get_Pwnam_alloc(mem_ctx, username);
1170 /* Create local user if requested but only if winbindd
1171 is not running. We need to protect against cases
1172 where winbindd is failing and then prematurely
1173 creating users in /etc/passwd */
1175 if ( !pw && create && !winbind_ping() ) {
1176 /* Don't add a machine account. */
1177 if (username[strlen(username)-1] == '$')
1180 _smb_create_user(NULL, username, NULL);
1181 pw = Get_Pwnam_alloc(mem_ctx, username);
1184 /* one last check for a valid passwd struct */
1187 *p_save_username = talloc_strdup(mem_ctx, pw->pw_name);
1192 /***************************************************************************
1193 Make a server_info struct from the info3 returned by a domain logon
1194 ***************************************************************************/
1196 NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
1197 const char *sent_nt_username,
1199 struct auth_serversupplied_info **server_info,
1200 struct netr_SamInfo3 *info3)
1202 static const char zeros[16] = {0, };
1204 NTSTATUS nt_status = NT_STATUS_OK;
1205 char *found_username = NULL;
1206 const char *nt_domain;
1207 const char *nt_username;
1208 bool username_was_mapped;
1210 struct auth_serversupplied_info *result;
1211 struct dom_sid *group_sid;
1212 struct netr_SamInfo3 *i3;
1215 Here is where we should check the list of
1216 trusted domains, and verify that the SID
1220 nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
1222 /* If the server didn't give us one, just use the one we sent
1224 nt_username = sent_nt_username;
1227 nt_domain = talloc_strdup(mem_ctx, info3->base.domain.string);
1229 /* If the server didn't give us one, just use the one we sent
1234 /* If getpwnam() fails try the add user script (2.2.x behavior).
1236 We use the _unmapped_ username here in an attempt to provide
1237 consistent username mapping behavior between kerberos and NTLM[SSP]
1238 authentication in domain mode security. I.E. Username mapping
1239 should be applied to the fully qualified username
1240 (e.g. DOMAIN\user) and not just the login name. Yes this means we
1241 called map_username() unnecessarily in make_user_info_map() but
1242 that is how the current code is designed. Making the change here
1243 is the least disruptive place. -- jerry */
1245 /* this call will try to create the user if necessary */
1247 nt_status = check_account(mem_ctx, nt_domain, sent_nt_username,
1248 &found_username, &pwd,
1249 &username_was_mapped);
1251 if (!NT_STATUS_IS_OK(nt_status)) {
1255 result = make_server_info(NULL);
1256 if (result == NULL) {
1257 DEBUG(4, ("make_server_info failed!\n"));
1258 return NT_STATUS_NO_MEMORY;
1261 result->unix_name = talloc_strdup(result, found_username);
1263 result->sanitized_username = sanitize_username(result,
1265 if (result->sanitized_username == NULL) {
1266 TALLOC_FREE(result);
1267 return NT_STATUS_NO_MEMORY;
1270 /* copy in the info3 */
1271 result->info3 = i3 = copy_netr_SamInfo3(result, info3);
1272 if (result->info3 == NULL) {
1273 TALLOC_FREE(result);
1274 return NT_STATUS_NO_MEMORY;
1277 /* Fill in the unix info we found on the way */
1278 result->utok.uid = pwd->pw_uid;
1279 result->utok.gid = pwd->pw_gid;
1281 /* We can't just trust that the primary group sid sent us is something
1282 * we can really use. Obtain the useable sid, and store the original
1283 * one as an additional group if it had to be replaced */
1284 nt_status = get_primary_group_sid(mem_ctx, found_username,
1286 if (!NT_STATUS_IS_OK(nt_status)) {
1287 TALLOC_FREE(result);
1291 /* store and check if it is the same we got originally */
1292 sid_peek_rid(group_sid, &i3->base.primary_gid);
1293 if (i3->base.primary_gid != info3->base.primary_gid) {
1294 uint32_t n = i3->base.groups.count;
1295 /* not the same, store the original as an additional group */
1296 i3->base.groups.rids =
1297 talloc_realloc(i3, i3->base.groups.rids,
1298 struct samr_RidWithAttribute, n + 1);
1299 if (i3->base.groups.rids == NULL) {
1300 TALLOC_FREE(result);
1301 return NT_STATUS_NO_MEMORY;
1303 i3->base.groups.rids[n].rid = info3->base.primary_gid;
1304 i3->base.groups.rids[n].attributes = SE_GROUP_ENABLED;
1305 i3->base.groups.count = n + 1;
1308 /* ensure we are never given NULL session keys */
1310 if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) {
1311 result->session_key = data_blob_null;
1313 result->session_key = data_blob_talloc(
1314 result, info3->base.key.key,
1315 sizeof(info3->base.key.key));
1318 if (memcmp(info3->base.LMSessKey.key, zeros, 8) == 0) {
1319 result->lm_session_key = data_blob_null;
1321 result->lm_session_key = data_blob_talloc(
1322 result, info3->base.LMSessKey.key,
1323 sizeof(info3->base.LMSessKey.key));
1326 result->nss_token |= username_was_mapped;
1328 *server_info = result;
1330 return NT_STATUS_OK;
1333 /*****************************************************************************
1334 Make a server_info struct from the wbcAuthUserInfo returned by a domain logon
1335 ******************************************************************************/
1337 NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
1338 const char *sent_nt_username,
1340 const struct wbcAuthUserInfo *info,
1341 struct auth_serversupplied_info **server_info)
1343 struct netr_SamInfo3 *info3;
1345 info3 = wbcAuthUserInfo_to_netr_SamInfo3(mem_ctx, info);
1347 return NT_STATUS_NO_MEMORY;
1350 return make_server_info_info3(mem_ctx,
1351 sent_nt_username, domain,
1352 server_info, info3);
1356 * Verify whether or not given domain is trusted.
1358 * @param domain_name name of the domain to be verified
1359 * @return true if domain is one of the trusted ones or
1360 * false if otherwise
1363 bool is_trusted_domain(const char* dom_name)
1365 struct dom_sid trustdom_sid;
1368 /* no trusted domains for a standalone server */
1370 if ( lp_server_role() == ROLE_STANDALONE )
1373 if (dom_name == NULL || dom_name[0] == '\0') {
1377 if (strequal(dom_name, get_global_sam_name())) {
1381 /* if we are a DC, then check for a direct trust relationships */
1385 DEBUG (5,("is_trusted_domain: Checking for domain trust with "
1386 "[%s]\n", dom_name ));
1387 ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
1395 /* If winbind is around, ask it */
1397 result = wb_is_trusted_domain(dom_name);
1399 if (result == WBC_ERR_SUCCESS) {
1403 if (result == WBC_ERR_DOMAIN_NOT_FOUND) {
1404 /* winbind could not find the domain */
1408 /* The only other possible result is that winbind is not up
1409 and running. We need to update the trustdom_cache
1412 update_trustdom_cache();
1415 /* now the trustdom cache should be available a DC could still
1416 * have a transitive trust so fall back to the cache of trusted
1417 * domains (like a domain member would use */
1419 if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) {
git.samba.org / samba.git / blob