source3/auth/auth_winbind.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Winbind authentication mechnism
   5
   6    Copyright (C) Tim Potter 2000
   7    Copyright (C) Andrew Bartlett 2001 - 2002
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "includes.h"
  24 #include "auth.h"
  25 #include "nsswitch/libwbclient/wbclient.h"
  26
  27 #undef DBGC_CLASS
  28 #define DBGC_CLASS DBGC_AUTH
  29
  30 /* Authenticate a user with a challenge/response */
  31
  32 static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
  33                                        void *my_private_data,
  34                                        TALLOC_CTX *mem_ctx,
  35                                        const struct auth_usersupplied_info *user_info,
  36                                        struct auth_serversupplied_info **server_info)
  37 {
  38         NTSTATUS nt_status;
  39         wbcErr wbc_status;
  40         struct wbcAuthUserParams params;
  41         struct wbcAuthUserInfo *info = NULL;
  42         struct wbcAuthErrorInfo *err = NULL;
  43
  44         ZERO_STRUCT(params);
  45
  46         if (!user_info) {
  47                 return NT_STATUS_INVALID_PARAMETER;
  48         }
  49
  50         DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));
  51
  52         if (!auth_context) {
  53                 DEBUG(3,("Password for user %s cannot be checked because we have no auth_info to get the challenge from.\n",
  54                          user_info->mapped.account_name));
  55                 return NT_STATUS_INVALID_PARAMETER;
  56         }
  57
  58         if (strequal(user_info->mapped.domain_name, get_global_sam_name())) {
  59                 DEBUG(3,("check_winbind_security: Not using winbind, requested domain [%s] was for this SAM.\n",
  60                         user_info->mapped.domain_name));
  61                 return NT_STATUS_NOT_IMPLEMENTED;
  62         }
  63
  64         /* Send off request */
  65         params.account_name     = user_info->client.account_name;
  66         /*
  67          * We need to send the domain name from the client to the DC. With
  68          * NTLMv2 the domain name is part of the hashed second challenge,
  69          * if we change the domain name, the DC will fail to verify the
  70          * challenge cause we changed the domain name, this is like a
  71          * man in the middle attack.
  72          */
  73         params.domain_name      = user_info->client.domain_name;
  74         params.workstation_name = user_info->workstation_name;
  75
  76         params.flags            = 0;
  77         params.parameter_control= user_info->logon_parameters;
  78
  79         params.level            = WBC_AUTH_USER_LEVEL_RESPONSE;
  80
  81         memcpy(params.password.response.challenge,
  82                auth_context->challenge.data,
  83                sizeof(params.password.response.challenge));
  84
  85         if (user_info->password.response.nt.length != 0) {
  86                 params.password.response.nt_length =
  87                         user_info->password.response.nt.length;
  88                 params.password.response.nt_data =
  89                         user_info->password.response.nt.data;
  90         }
  91         if (user_info->password.response.lanman.length != 0) {
  92                 params.password.response.lm_length =
  93                         user_info->password.response.lanman.length;
  94                 params.password.response.lm_data =
  95                         user_info->password.response.lanman.data;
  96         }
  97
  98         /* we are contacting the privileged pipe */
  99         become_root();
 100         wbc_status = wbcAuthenticateUserEx(&params, &info, &err);
 101         unbecome_root();
 102
 103         if (!WBC_ERROR_IS_OK(wbc_status)) {
 104                 DEBUG(10,("check_winbind_security: wbcAuthenticateUserEx failed: %s\n",
 105                         wbcErrorString(wbc_status)));
 106         }
 107
 108         if (wbc_status == WBC_ERR_NO_MEMORY) {
 109                 return NT_STATUS_NO_MEMORY;
 110         }
 111
 112         if (wbc_status == WBC_ERR_WINBIND_NOT_AVAILABLE) {
 113                 struct auth_methods *auth_method =
 114                         (struct auth_methods *)my_private_data;
 115
 116                 if ( auth_method )
 117                         return auth_method->auth(auth_context, auth_method->private_data,
 118                                 mem_ctx, user_info, server_info);
 119                 return NT_STATUS_LOGON_FAILURE;
 120         }
 121
 122         if (wbc_status == WBC_ERR_AUTH_ERROR) {
 123                 nt_status = NT_STATUS(err->nt_status);
 124
 125                 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) &&
 126                     (err->authoritative == 0)) {
 127                         /*
 128                          * Trigger a fallback to local SAM
 129                          */
 130                         nt_status = NT_STATUS_NOT_IMPLEMENTED;
 131                 }
 132
 133                 wbcFreeMemory(err);
 134                 return nt_status;
 135         }
 136
 137         if (!WBC_ERROR_IS_OK(wbc_status)) {
 138                 return NT_STATUS_LOGON_FAILURE;
 139         }
 140
 141         nt_status = make_server_info_wbcAuthUserInfo(mem_ctx,
 142                                                      user_info->client.account_name,
 143                                                      user_info->mapped.domain_name,
 144                                                      info, server_info);
 145         wbcFreeMemory(info);
 146         if (!NT_STATUS_IS_OK(nt_status)) {
 147                 return nt_status;
 148         }
 149
 150         (*server_info)->nss_token |= user_info->was_mapped;
 151
 152         return nt_status;
 153 }
 154
 155 /* module initialisation */
 156 static NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
 157 {
 158         struct auth_methods *result;
 159
 160         result = talloc_zero(auth_context, struct auth_methods);
 161         if (result == NULL) {
 162                 return NT_STATUS_NO_MEMORY;
 163         }
 164         result->name = "winbind";
 165         result->auth = check_winbind_security;
 166
 167         if (param && *param) {
 168                 /* we load the 'fallback' module - if winbind isn't here, call this
 169                    module */
 170                 auth_methods *priv;
 171                 if (!load_auth_module(auth_context, param, &priv)) {
 172                         return NT_STATUS_UNSUCCESSFUL;
 173                 }
 174                 result->private_data = (void *)priv;
 175         }
 176
 177         *auth_method = result;
 178         return NT_STATUS_OK;
 179 }
 180
 181 NTSTATUS auth_winbind_init(TALLOC_CTX *mem_ctx)
 182 {
 183         return smb_register_auth(AUTH_INTERFACE_VERSION, "winbind", auth_init_winbind);
 184 }