2 Unix SMB/CIFS implementation.
4 Winbind daemon - pam auth funcions
6 Copyright (C) Andrew Tridgell 2000
7 Copyright (C) Tim Potter 2001
8 Copyright (C) Andrew Bartlett 2001-2002
9 Copyright (C) Guenther Deschner 2005
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #include "../libcli/auth/libcli_auth.h"
28 #include "../librpc/gen_ndr/ndr_samr_c.h"
29 #include "rpc_client/cli_pipe.h"
30 #include "rpc_client/cli_samr.h"
31 #include "../librpc/gen_ndr/ndr_netlogon.h"
32 #include "rpc_client/cli_netlogon.h"
34 #include "../lib/crypto/arcfour.h"
35 #include "../libcli/security/security.h"
37 #include "../librpc/gen_ndr/krb5pac.h"
38 #include "passdb/machine_sid.h"
40 #include "../lib/tsocket/tsocket.h"
41 #include "auth/kerberos/pac_utils.h"
42 #include "auth/gensec/gensec.h"
43 #include "librpc/crypto/gse_krb5.h"
44 #include "lib/afs/afs_funcs.h"
47 #define DBGC_CLASS DBGC_WINBIND
49 #define LOGON_KRB5_FAIL_CLOCK_SKEW 0x02000000
51 static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx,
52 struct winbindd_response *resp,
53 struct netr_SamInfo3 *info3)
58 resp->data.auth.info3.logon_time =
59 nt_time_to_unix(info3->base.logon_time);
60 resp->data.auth.info3.logoff_time =
61 nt_time_to_unix(info3->base.logoff_time);
62 resp->data.auth.info3.kickoff_time =
63 nt_time_to_unix(info3->base.kickoff_time);
64 resp->data.auth.info3.pass_last_set_time =
65 nt_time_to_unix(info3->base.last_password_change);
66 resp->data.auth.info3.pass_can_change_time =
67 nt_time_to_unix(info3->base.allow_password_change);
68 resp->data.auth.info3.pass_must_change_time =
69 nt_time_to_unix(info3->base.force_password_change);
71 resp->data.auth.info3.logon_count = info3->base.logon_count;
72 resp->data.auth.info3.bad_pw_count = info3->base.bad_password_count;
74 resp->data.auth.info3.user_rid = info3->base.rid;
75 resp->data.auth.info3.group_rid = info3->base.primary_gid;
76 sid_to_fstring(resp->data.auth.info3.dom_sid, info3->base.domain_sid);
78 resp->data.auth.info3.num_groups = info3->base.groups.count;
79 resp->data.auth.info3.user_flgs = info3->base.user_flags;
81 resp->data.auth.info3.acct_flags = info3->base.acct_flags;
82 resp->data.auth.info3.num_other_sids = info3->sidcount;
84 fstrcpy(resp->data.auth.info3.user_name,
85 info3->base.account_name.string);
86 fstrcpy(resp->data.auth.info3.full_name,
87 info3->base.full_name.string);
88 fstrcpy(resp->data.auth.info3.logon_script,
89 info3->base.logon_script.string);
90 fstrcpy(resp->data.auth.info3.profile_path,
91 info3->base.profile_path.string);
92 fstrcpy(resp->data.auth.info3.home_dir,
93 info3->base.home_directory.string);
94 fstrcpy(resp->data.auth.info3.dir_drive,
95 info3->base.home_drive.string);
97 fstrcpy(resp->data.auth.info3.logon_srv,
98 info3->base.logon_server.string);
99 fstrcpy(resp->data.auth.info3.logon_dom,
100 info3->base.logon_domain.string);
102 ex = talloc_strdup(mem_ctx, "");
103 NT_STATUS_HAVE_NO_MEMORY(ex);
105 for (i=0; i < info3->base.groups.count; i++) {
106 ex = talloc_asprintf_append_buffer(ex, "0x%08X:0x%08X\n",
107 info3->base.groups.rids[i].rid,
108 info3->base.groups.rids[i].attributes);
109 NT_STATUS_HAVE_NO_MEMORY(ex);
112 for (i=0; i < info3->sidcount; i++) {
115 sid = dom_sid_string(mem_ctx, info3->sids[i].sid);
116 NT_STATUS_HAVE_NO_MEMORY(sid);
118 ex = talloc_asprintf_append_buffer(ex, "%s:0x%08X\n",
120 info3->sids[i].attributes);
121 NT_STATUS_HAVE_NO_MEMORY(ex);
126 resp->extra_data.data = ex;
127 resp->length += talloc_get_size(ex);
132 static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx,
133 struct winbindd_response *resp,
134 struct netr_SamInfo3 *info3)
137 enum ndr_err_code ndr_err;
139 ndr_err = ndr_push_struct_blob(&blob, mem_ctx, info3,
140 (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3);
141 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
142 DEBUG(0,("append_info3_as_ndr: failed to append\n"));
143 return ndr_map_error2ntstatus(ndr_err);
146 resp->extra_data.data = blob.data;
147 resp->length += blob.length;
152 static NTSTATUS append_unix_username(TALLOC_CTX *mem_ctx,
153 struct winbindd_response *resp,
154 const struct netr_SamInfo3 *info3,
155 const char *name_domain,
156 const char *name_user)
158 /* We've been asked to return the unix username, per
159 'winbind use default domain' settings and the like */
161 const char *nt_username, *nt_domain;
163 nt_domain = talloc_strdup(mem_ctx, info3->base.logon_domain.string);
165 /* If the server didn't give us one, just use the one
167 nt_domain = name_domain;
170 nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
172 /* If the server didn't give us one, just use the one
174 nt_username = name_user;
177 fill_domain_username(resp->data.auth.unix_username,
178 nt_domain, nt_username, true);
180 DEBUG(5, ("Setting unix username to [%s]\n",
181 resp->data.auth.unix_username));
186 static NTSTATUS append_afs_token(TALLOC_CTX *mem_ctx,
187 struct winbindd_response *resp,
188 const struct netr_SamInfo3 *info3,
189 const char *name_domain,
190 const char *name_user)
192 char *afsname = NULL;
196 afsname = talloc_strdup(mem_ctx, lp_afs_username_map());
197 if (afsname == NULL) {
198 return NT_STATUS_NO_MEMORY;
201 afsname = talloc_string_sub(mem_ctx,
202 lp_afs_username_map(),
204 afsname = talloc_string_sub(mem_ctx, afsname,
206 afsname = talloc_string_sub(mem_ctx, afsname,
210 struct dom_sid user_sid;
213 sid_compose(&user_sid, info3->base.domain_sid,
215 sid_to_fstring(sidstr, &user_sid);
216 afsname = talloc_string_sub(mem_ctx, afsname,
220 if (afsname == NULL) {
221 return NT_STATUS_NO_MEMORY;
224 if (!strlower_m(afsname)) {
225 return NT_STATUS_INVALID_PARAMETER;
228 DEBUG(10, ("Generating token for user %s\n", afsname));
230 cell = strchr(afsname, '@');
233 return NT_STATUS_NO_MEMORY;
239 token = afs_createtoken_str(afsname, cell);
243 resp->extra_data.data = talloc_strdup(mem_ctx, token);
244 if (resp->extra_data.data == NULL) {
245 return NT_STATUS_NO_MEMORY;
247 resp->length += strlen((const char *)resp->extra_data.data)+1;
252 static NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
253 const char *group_sid)
255 * Check whether a user belongs to a group or list of groups.
257 * @param mem_ctx talloc memory context.
258 * @param info3 user information, including group membership info.
259 * @param group_sid One or more groups , separated by commas.
261 * @return NT_STATUS_OK on success,
262 * NT_STATUS_LOGON_FAILURE if the user does not belong,
263 * or other NT_STATUS_IS_ERR(status) for other kinds of failure.
266 struct dom_sid *require_membership_of_sid;
267 uint32_t num_require_membership_of_sid;
272 struct security_token *token;
273 TALLOC_CTX *frame = talloc_stackframe();
276 /* Parse the 'required group' SID */
278 if (!group_sid || !group_sid[0]) {
279 /* NO sid supplied, all users may access */
284 token = talloc_zero(talloc_tos(), struct security_token);
286 DEBUG(0, ("talloc failed\n"));
288 return NT_STATUS_NO_MEMORY;
291 num_require_membership_of_sid = 0;
292 require_membership_of_sid = NULL;
296 while (next_token_talloc(talloc_tos(), &p, &req_sid, ",")) {
297 if (!string_to_sid(&sid, req_sid)) {
298 DEBUG(0, ("check_info3_in_group: could not parse %s "
299 "as a SID!", req_sid));
301 return NT_STATUS_INVALID_PARAMETER;
304 status = add_sid_to_array(talloc_tos(), &sid,
305 &require_membership_of_sid,
306 &num_require_membership_of_sid);
307 if (!NT_STATUS_IS_OK(status)) {
308 DEBUG(0, ("add_sid_to_array failed\n"));
314 status = sid_array_from_info3(talloc_tos(), info3,
318 if (!NT_STATUS_IS_OK(status)) {
323 if (!NT_STATUS_IS_OK(status = add_aliases(get_global_sam_sid(),
325 || !NT_STATUS_IS_OK(status = add_aliases(&global_sid_Builtin,
327 DEBUG(3, ("could not add aliases: %s\n",
333 security_token_debug(DBGC_CLASS, 10, token);
335 for (i=0; i<num_require_membership_of_sid; i++) {
336 DEBUG(10, ("Checking SID %s\n", sid_string_dbg(
337 &require_membership_of_sid[i])));
338 if (nt_token_check_sid(&require_membership_of_sid[i],
340 DEBUG(10, ("Access ok\n"));
346 /* Do not distinguish this error from a wrong username/pw */
349 return NT_STATUS_LOGON_FAILURE;
352 struct winbindd_domain *find_auth_domain(uint8_t flags,
353 const char *domain_name)
355 struct winbindd_domain *domain;
358 domain = find_domain_from_name_noinit(domain_name);
359 if (domain == NULL) {
360 DEBUG(3, ("Authentication for domain [%s] refused "
361 "as it is not a trusted domain\n",
367 if (strequal(domain_name, get_global_sam_name())) {
368 return find_domain_from_name_noinit(domain_name);
371 /* we can auth against trusted domains */
372 if (flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
373 domain = find_domain_from_name_noinit(domain_name);
374 if (domain == NULL) {
375 DEBUG(3, ("Authentication for domain [%s] skipped "
376 "as it is not a trusted domain\n",
383 return find_our_domain();
386 static void fill_in_password_policy(struct winbindd_response *r,
387 const struct samr_DomInfo1 *p)
389 r->data.auth.policy.min_length_password =
390 p->min_password_length;
391 r->data.auth.policy.password_history =
392 p->password_history_length;
393 r->data.auth.policy.password_properties =
394 p->password_properties;
395 r->data.auth.policy.expire =
396 nt_time_to_unix_abs((const NTTIME *)&(p->max_password_age));
397 r->data.auth.policy.min_passwordage =
398 nt_time_to_unix_abs((const NTTIME *)&(p->min_password_age));
401 static NTSTATUS fillup_password_policy(struct winbindd_domain *domain,
402 struct winbindd_response *response)
404 TALLOC_CTX *frame = talloc_stackframe();
405 struct winbindd_methods *methods;
407 struct samr_DomInfo1 password_policy;
409 if ( !winbindd_can_contact_domain( domain ) ) {
410 DEBUG(5,("fillup_password_policy: No inbound trust to "
411 "contact domain %s\n", domain->name));
412 status = NT_STATUS_NOT_SUPPORTED;
416 methods = domain->methods;
418 status = methods->password_policy(domain, talloc_tos(), &password_policy);
419 if (NT_STATUS_IS_ERR(status)) {
423 fill_in_password_policy(response, &password_policy);
430 static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain *domain,
432 uint16_t *lockout_threshold)
434 struct winbindd_methods *methods;
435 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
436 struct samr_DomInfo12 lockout_policy;
438 *lockout_threshold = 0;
440 methods = domain->methods;
442 status = methods->lockout_policy(domain, mem_ctx, &lockout_policy);
443 if (NT_STATUS_IS_ERR(status)) {
447 *lockout_threshold = lockout_policy.lockout_threshold;
452 static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
454 uint32_t *password_properties)
456 struct winbindd_methods *methods;
457 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
458 struct samr_DomInfo1 password_policy;
460 *password_properties = 0;
462 methods = domain->methods;
464 status = methods->password_policy(domain, mem_ctx, &password_policy);
465 if (NT_STATUS_IS_ERR(status)) {
469 *password_properties = password_policy.password_properties;
476 static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
479 const char **user_ccache_file)
481 /* accept FILE and WRFILE as krb5_cc_type from the client and then
482 * build the full ccname string based on the user's uid here -
485 const char *gen_cc = NULL;
488 if (strequal(type, "FILE")) {
489 gen_cc = talloc_asprintf(
490 mem_ctx, "FILE:/tmp/krb5cc_%d", uid);
492 if (strequal(type, "WRFILE")) {
493 gen_cc = talloc_asprintf(
494 mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
496 if (strequal(type, "KEYRING")) {
497 gen_cc = talloc_asprintf(
498 mem_ctx, "KEYRING:persistent:%d", uid);
501 if (strnequal(type, "FILE:/", 6) ||
502 strnequal(type, "WRFILE:/", 8) ||
503 strnequal(type, "DIR:/", 5)) {
505 /* we allow only one "%u" substitution */
509 p = strchr(type, '%');
514 if (p != NULL && *p == 'u' && strchr(p, '%') == NULL) {
515 char uid_str[sizeof("18446744073709551615")];
517 snprintf(uid_str, sizeof(uid_str), "%u", uid);
519 gen_cc = talloc_string_sub2(mem_ctx,
523 /* remove_unsafe_characters */
527 /* allow_trailing_dollar */
534 *user_ccache_file = gen_cc;
536 if (gen_cc == NULL) {
537 gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbindd_pam_ccache");
539 if (gen_cc == NULL) {
540 DEBUG(0,("out of memory\n"));
544 DEBUG(10, ("using ccache: %s%s\n", gen_cc,
545 (*user_ccache_file == NULL) ? " (internal)":""));
552 uid_t get_uid_from_request(struct winbindd_request *request)
556 uid = request->data.auth.uid;
559 DEBUG(1,("invalid uid: '%u'\n", (unsigned int)uid));
565 /**********************************************************************
566 Authenticate a user with a clear text password using Kerberos and fill up
568 **********************************************************************/
570 static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
571 struct winbindd_domain *domain,
574 const char *krb5_cc_type,
576 struct netr_SamInfo3 **info3,
580 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
581 krb5_error_code krb5_ret;
582 const char *cc = NULL;
583 const char *principal_s = NULL;
584 const char *service = NULL;
586 fstring name_domain, name_user;
587 time_t ticket_lifetime = 0;
588 time_t renewal_until = 0;
590 time_t time_offset = 0;
591 const char *user_ccache_file;
592 struct PAC_LOGON_INFO *logon_info = NULL;
593 struct PAC_DATA *pac_data = NULL;
594 struct PAC_DATA_CTR *pac_data_ctr = NULL;
595 const char *local_service;
597 struct netr_SamInfo3 *info3_copy = NULL;
601 if (domain->alt_name == NULL) {
602 return NT_STATUS_INVALID_PARAMETER;
606 * prepare a krb5_cc_cache string for the user */
609 DEBUG(0,("no valid uid\n"));
612 cc = generate_krb5_ccache(mem_ctx,
617 return NT_STATUS_NO_MEMORY;
622 * get kerberos properties */
624 if (domain->private_data) {
625 ads = (ADS_STRUCT *)domain->private_data;
626 time_offset = ads->auth.time_offset;
631 * do kerberos auth and setup ccache as the user */
633 parse_domain_user(user, name_domain, name_user);
635 realm = talloc_strdup(mem_ctx, domain->alt_name);
637 return NT_STATUS_NO_MEMORY;
640 if (!strupper_m(realm)) {
641 return NT_STATUS_INVALID_PARAMETER;
644 principal_s = talloc_asprintf(mem_ctx, "%s@%s", name_user, realm);
645 if (principal_s == NULL) {
646 return NT_STATUS_NO_MEMORY;
649 service = talloc_asprintf(mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
650 if (service == NULL) {
651 return NT_STATUS_NO_MEMORY;
654 local_service = talloc_asprintf(mem_ctx, "%s$@%s",
655 lp_netbios_name(), lp_realm());
656 if (local_service == NULL) {
657 return NT_STATUS_NO_MEMORY;
661 /* if this is a user ccache, we need to act as the user to let the krb5
662 * library handle the chown, etc. */
664 /************************ ENTERING NON-ROOT **********************/
666 if (user_ccache_file != NULL) {
667 set_effective_uid(uid);
668 DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
671 result = kerberos_return_pac(mem_ctx,
680 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
684 if (user_ccache_file != NULL) {
685 gain_root_privilege();
688 /************************ RETURNED TO ROOT **********************/
690 if (!NT_STATUS_IS_OK(result)) {
694 if (pac_data_ctr == NULL) {
698 pac_data = pac_data_ctr->pac_data;
699 if (pac_data == NULL) {
703 for (i=0; i < pac_data->num_buffers; i++) {
705 if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
709 logon_info = pac_data->buffers[i].info->logon_info.info;
711 return NT_STATUS_INVALID_PARAMETER;
717 if (logon_info == NULL) {
718 DEBUG(10,("Missing logon_info in ticket of %s\n",
720 return NT_STATUS_INVALID_PARAMETER;
723 DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
726 result = create_info3_from_pac_logon_info(mem_ctx, logon_info, &info3_copy);
727 if (!NT_STATUS_IS_OK(result)) {
731 /* if we had a user's ccache then return that string for the pam
734 if (user_ccache_file != NULL) {
736 fstrcpy(krb5ccname, user_ccache_file);
738 result = add_ccache_to_list(principal_s,
750 if (!NT_STATUS_IS_OK(result)) {
751 DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
756 /* need to delete the memory cred cache, it is not used anymore */
758 krb5_ret = ads_kdestroy(cc);
760 DEBUG(3,("winbindd_raw_kerberos_login: "
761 "could not destroy krb5 credential cache: "
762 "%s\n", error_message(krb5_ret)));
771 * Do not delete an existing valid credential cache, if the user
772 * e.g. enters a wrong password
774 if ((strequal(krb5_cc_type, "FILE") || strequal(krb5_cc_type, "WRFILE"))
775 && user_ccache_file != NULL) {
779 /* we could have created a new credential cache with a valid tgt in it
780 * but we werent able to get or verify the service ticket for this
781 * local host and therefor didn't get the PAC, we need to remove that
782 * cache entirely now */
784 krb5_ret = ads_kdestroy(cc);
786 DEBUG(3,("winbindd_raw_kerberos_login: "
787 "could not destroy krb5 credential cache: "
788 "%s\n", error_message(krb5_ret)));
791 if (!NT_STATUS_IS_OK(remove_ccache(user))) {
792 DEBUG(3,("winbindd_raw_kerberos_login: "
793 "could not remove ccache for user %s\n",
799 return NT_STATUS_NOT_SUPPORTED;
800 #endif /* HAVE_KRB5 */
803 /****************************************************************
804 ****************************************************************/
806 bool check_request_flags(uint32_t flags)
808 uint32_t flags_edata = WBFLAG_PAM_AFS_TOKEN |
809 WBFLAG_PAM_INFO3_TEXT |
810 WBFLAG_PAM_INFO3_NDR;
812 if ( ( (flags & flags_edata) == WBFLAG_PAM_AFS_TOKEN) ||
813 ( (flags & flags_edata) == WBFLAG_PAM_INFO3_NDR) ||
814 ( (flags & flags_edata) == WBFLAG_PAM_INFO3_TEXT)||
815 !(flags & flags_edata) ) {
819 DEBUG(1, ("check_request_flags: invalid request flags[0x%08X]\n",
825 /****************************************************************
826 ****************************************************************/
828 NTSTATUS append_auth_data(TALLOC_CTX *mem_ctx,
829 struct winbindd_response *resp,
830 uint32_t request_flags,
831 struct netr_SamInfo3 *info3,
832 const char *name_domain,
833 const char *name_user)
837 if (request_flags & WBFLAG_PAM_USER_SESSION_KEY) {
838 memcpy(resp->data.auth.user_session_key,
840 sizeof(resp->data.auth.user_session_key)
844 if (request_flags & WBFLAG_PAM_LMKEY) {
845 memcpy(resp->data.auth.first_8_lm_hash,
846 info3->base.LMSessKey.key,
847 sizeof(resp->data.auth.first_8_lm_hash)
851 if (request_flags & WBFLAG_PAM_UNIX_NAME) {
852 result = append_unix_username(mem_ctx, resp,
853 info3, name_domain, name_user);
854 if (!NT_STATUS_IS_OK(result)) {
855 DEBUG(10,("Failed to append Unix Username: %s\n",
861 /* currently, anything from here on potentially overwrites extra_data. */
863 if (request_flags & WBFLAG_PAM_INFO3_NDR) {
864 result = append_info3_as_ndr(mem_ctx, resp, info3);
865 if (!NT_STATUS_IS_OK(result)) {
866 DEBUG(10,("Failed to append INFO3 (NDR): %s\n",
872 if (request_flags & WBFLAG_PAM_INFO3_TEXT) {
873 result = append_info3_as_txt(mem_ctx, resp, info3);
874 if (!NT_STATUS_IS_OK(result)) {
875 DEBUG(10,("Failed to append INFO3 (TXT): %s\n",
881 if (request_flags & WBFLAG_PAM_AFS_TOKEN) {
882 result = append_afs_token(mem_ctx, resp,
883 info3, name_domain, name_user);
884 if (!NT_STATUS_IS_OK(result)) {
885 DEBUG(10,("Failed to append AFS token: %s\n",
894 static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
895 struct winbindd_cli_state *state,
896 struct netr_SamInfo3 **info3)
898 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
899 uint16_t max_allowed_bad_attempts;
900 fstring name_domain, name_user;
902 enum lsa_SidType type;
903 uchar new_nt_pass[NT_HASH_LEN];
904 const uint8_t *cached_nt_pass;
905 const uint8_t *cached_salt;
906 struct netr_SamInfo3 *my_info3;
907 time_t kickoff_time, must_change_time;
908 bool password_good = false;
910 struct winbindd_tdc_domain *tdc_domain = NULL;
917 DEBUG(10,("winbindd_dual_pam_auth_cached\n"));
919 /* Parse domain and username */
921 parse_domain_user(state->request->data.auth.user, name_domain, name_user);
924 if (!lookup_cached_name(name_domain,
928 DEBUG(10,("winbindd_dual_pam_auth_cached: no such user in the cache\n"));
929 return NT_STATUS_NO_SUCH_USER;
932 if (type != SID_NAME_USER) {
933 DEBUG(10,("winbindd_dual_pam_auth_cached: not a user (%s)\n", sid_type_lookup(type)));
934 return NT_STATUS_LOGON_FAILURE;
937 result = winbindd_get_creds(domain,
943 if (!NT_STATUS_IS_OK(result)) {
944 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get creds: %s\n", nt_errstr(result)));
950 E_md4hash(state->request->data.auth.pass, new_nt_pass);
952 dump_data_pw("new_nt_pass", new_nt_pass, NT_HASH_LEN);
953 dump_data_pw("cached_nt_pass", cached_nt_pass, NT_HASH_LEN);
955 dump_data_pw("cached_salt", cached_salt, NT_HASH_LEN);
959 /* In this case we didn't store the nt_hash itself,
960 but the MD5 combination of salt + nt_hash. */
961 uchar salted_hash[NT_HASH_LEN];
962 E_md5hash(cached_salt, new_nt_pass, salted_hash);
964 password_good = (memcmp(cached_nt_pass, salted_hash,
967 /* Old cached cred - direct store of nt_hash (bad bad bad !). */
968 password_good = (memcmp(cached_nt_pass, new_nt_pass,
974 /* User *DOES* know the password, update logon_time and reset
977 my_info3->base.user_flags |= NETLOGON_CACHED_ACCOUNT;
979 if (my_info3->base.acct_flags & ACB_AUTOLOCK) {
980 return NT_STATUS_ACCOUNT_LOCKED_OUT;
983 if (my_info3->base.acct_flags & ACB_DISABLED) {
984 return NT_STATUS_ACCOUNT_DISABLED;
987 if (my_info3->base.acct_flags & ACB_WSTRUST) {
988 return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
991 if (my_info3->base.acct_flags & ACB_SVRTRUST) {
992 return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
995 if (my_info3->base.acct_flags & ACB_DOMTRUST) {
996 return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
999 if (!(my_info3->base.acct_flags & ACB_NORMAL)) {
1000 DEBUG(0,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
1001 my_info3->base.acct_flags));
1002 return NT_STATUS_LOGON_FAILURE;
1005 kickoff_time = nt_time_to_unix(my_info3->base.kickoff_time);
1006 if (kickoff_time != 0 && time(NULL) > kickoff_time) {
1007 return NT_STATUS_ACCOUNT_EXPIRED;
1010 must_change_time = nt_time_to_unix(my_info3->base.force_password_change);
1011 if (must_change_time != 0 && must_change_time < time(NULL)) {
1012 /* we allow grace logons when the password has expired */
1013 my_info3->base.user_flags |= NETLOGON_GRACE_LOGON;
1014 /* return NT_STATUS_PASSWORD_EXPIRED; */
1019 if ((state->request->flags & WBFLAG_PAM_KRB5) &&
1020 ((tdc_domain = wcache_tdc_fetch_domain(state->mem_ctx, name_domain)) != NULL) &&
1021 ((tdc_domain->trust_type & LSA_TRUST_TYPE_UPLEVEL) ||
1022 /* used to cope with the case winbindd starting without network. */
1023 !strequal(tdc_domain->domain_name, tdc_domain->dns_name))) {
1026 const char *cc = NULL;
1028 const char *principal_s = NULL;
1029 const char *service = NULL;
1030 const char *user_ccache_file;
1032 if (domain->alt_name == NULL) {
1033 return NT_STATUS_INVALID_PARAMETER;
1036 uid = get_uid_from_request(state->request);
1038 DEBUG(0,("winbindd_dual_pam_auth_cached: invalid uid\n"));
1039 return NT_STATUS_INVALID_PARAMETER;
1042 cc = generate_krb5_ccache(state->mem_ctx,
1043 state->request->data.auth.krb5_cc_type,
1044 state->request->data.auth.uid,
1047 return NT_STATUS_NO_MEMORY;
1050 realm = talloc_strdup(state->mem_ctx, domain->alt_name);
1051 if (realm == NULL) {
1052 return NT_STATUS_NO_MEMORY;
1055 if (!strupper_m(realm)) {
1056 return NT_STATUS_INVALID_PARAMETER;
1059 principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
1060 if (principal_s == NULL) {
1061 return NT_STATUS_NO_MEMORY;
1064 service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
1065 if (service == NULL) {
1066 return NT_STATUS_NO_MEMORY;
1069 if (user_ccache_file != NULL) {
1071 fstrcpy(state->response->data.auth.krb5ccname,
1074 result = add_ccache_to_list(principal_s,
1077 state->request->data.auth.user,
1078 state->request->data.auth.pass,
1082 time(NULL) + lp_winbind_cache_time(),
1083 time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
1086 if (!NT_STATUS_IS_OK(result)) {
1087 DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
1088 "to add ccache to list: %s\n",
1089 nt_errstr(result)));
1093 #endif /* HAVE_KRB5 */
1095 /* FIXME: we possibly should handle logon hours as well (does xp when
1096 * offline?) see auth/auth_sam.c:sam_account_ok for details */
1098 unix_to_nt_time(&my_info3->base.logon_time, time(NULL));
1099 my_info3->base.bad_password_count = 0;
1101 result = winbindd_update_creds_by_info3(domain,
1102 state->request->data.auth.user,
1103 state->request->data.auth.pass,
1105 if (!NT_STATUS_IS_OK(result)) {
1106 DEBUG(1,("winbindd_dual_pam_auth_cached: failed to update creds: %s\n",
1107 nt_errstr(result)));
1111 return NT_STATUS_OK;
1115 /* User does *NOT* know the correct password, modify info3 accordingly, but only if online */
1116 if (domain->online == false) {
1120 /* failure of this is not critical */
1121 result = get_max_bad_attempts_from_lockout_policy(domain, state->mem_ctx, &max_allowed_bad_attempts);
1122 if (!NT_STATUS_IS_OK(result)) {
1123 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get max_allowed_bad_attempts. "
1124 "Won't be able to honour account lockout policies\n"));
1127 /* increase counter */
1128 my_info3->base.bad_password_count++;
1130 if (max_allowed_bad_attempts == 0) {
1135 if (my_info3->base.bad_password_count >= max_allowed_bad_attempts) {
1137 uint32_t password_properties;
1139 result = get_pwd_properties(domain, state->mem_ctx, &password_properties);
1140 if (!NT_STATUS_IS_OK(result)) {
1141 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
1144 if ((my_info3->base.rid != DOMAIN_RID_ADMINISTRATOR) ||
1145 (password_properties & DOMAIN_PASSWORD_LOCKOUT_ADMINS)) {
1146 my_info3->base.acct_flags |= ACB_AUTOLOCK;
1151 result = winbindd_update_creds_by_info3(domain,
1152 state->request->data.auth.user,
1156 if (!NT_STATUS_IS_OK(result)) {
1157 DEBUG(0,("winbindd_dual_pam_auth_cached: failed to update creds %s\n",
1158 nt_errstr(result)));
1161 return NT_STATUS_LOGON_FAILURE;
1164 static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
1165 struct winbindd_cli_state *state,
1166 struct netr_SamInfo3 **info3)
1168 struct winbindd_domain *contact_domain;
1169 fstring name_domain, name_user;
1172 DEBUG(10,("winbindd_dual_pam_auth_kerberos\n"));
1174 /* Parse domain and username */
1176 parse_domain_user(state->request->data.auth.user, name_domain, name_user);
1178 /* what domain should we contact? */
1181 if (!(contact_domain = find_domain_from_name(name_domain))) {
1182 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1183 state->request->data.auth.user, name_domain, name_user, name_domain));
1184 result = NT_STATUS_NO_SUCH_USER;
1189 if (is_myname(name_domain)) {
1190 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1191 result = NT_STATUS_NO_SUCH_USER;
1195 contact_domain = find_domain_from_name(name_domain);
1196 if (contact_domain == NULL) {
1197 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1198 state->request->data.auth.user, name_domain, name_user, name_domain));
1200 result = NT_STATUS_NO_SUCH_USER;
1205 if (contact_domain->initialized &&
1206 contact_domain->active_directory) {
1210 if (!contact_domain->initialized) {
1211 init_dc_connection(contact_domain, false);
1214 if (!contact_domain->active_directory) {
1215 DEBUG(3,("krb5 auth requested but domain is not Active Directory\n"));
1216 return NT_STATUS_INVALID_LOGON_TYPE;
1219 result = winbindd_raw_kerberos_login(
1220 state->mem_ctx, contact_domain,
1221 state->request->data.auth.user,
1222 state->request->data.auth.pass,
1223 state->request->data.auth.krb5_cc_type,
1224 get_uid_from_request(state->request),
1225 info3, state->response->data.auth.krb5ccname);
1230 static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
1231 uint32_t logon_parameters,
1232 const char *domain, const char *user,
1233 const DATA_BLOB *challenge,
1234 const DATA_BLOB *lm_resp,
1235 const DATA_BLOB *nt_resp,
1236 struct netr_SamInfo3 **pinfo3)
1238 struct auth_context *auth_context;
1239 struct auth_serversupplied_info *server_info;
1240 struct auth_usersupplied_info *user_info = NULL;
1241 struct tsocket_address *local;
1242 struct netr_SamInfo3 *info3;
1245 TALLOC_CTX *frame = talloc_stackframe();
1247 rc = tsocket_address_inet_from_strings(frame,
1254 return NT_STATUS_NO_MEMORY;
1256 status = make_user_info(frame, &user_info, user, user, domain, domain,
1257 lp_netbios_name(), local, lm_resp, nt_resp, NULL, NULL,
1258 NULL, AUTH_PASSWORD_RESPONSE);
1259 if (!NT_STATUS_IS_OK(status)) {
1260 DEBUG(10, ("make_user_info failed: %s\n", nt_errstr(status)));
1265 user_info->logon_parameters = logon_parameters;
1267 /* We don't want any more mapping of the username */
1268 user_info->mapped_state = True;
1270 /* We don't want to come back to winbindd or to do PAM account checks */
1271 user_info->flags |= USER_INFO_LOCAL_SAM_ONLY | USER_INFO_INFO3_AND_NO_AUTHZ;
1273 status = make_auth_context_fixed(frame, &auth_context, challenge->data);
1275 if (!NT_STATUS_IS_OK(status)) {
1276 DEBUG(0, ("Failed to test authentication with check_sam_security_info3: %s\n", nt_errstr(status)));
1281 status = auth_check_ntlm_password(mem_ctx,
1286 if (!NT_STATUS_IS_OK(status)) {
1291 info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
1292 if (info3 == NULL) {
1294 return NT_STATUS_NO_MEMORY;
1297 status = serverinfo_to_SamInfo3(server_info, info3);
1298 if (!NT_STATUS_IS_OK(status)) {
1301 DEBUG(0, ("serverinfo_to_SamInfo3 failed: %s\n",
1302 nt_errstr(status)));
1307 DEBUG(10, ("Authenticaticating user %s\\%s returned %s\n", domain,
1308 user, nt_errstr(status)));
1313 static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
1314 TALLOC_CTX *mem_ctx,
1315 uint32_t logon_parameters,
1316 const char *username,
1317 const char *password,
1318 const char *domainname,
1319 const char *workstation,
1320 const uint8_t chal[8],
1321 DATA_BLOB lm_response,
1322 DATA_BLOB nt_response,
1324 struct netr_SamInfo3 **info3)
1327 int netr_attempts = 0;
1332 struct rpc_pipe_client *netlogon_pipe;
1333 uint8_t authoritative = 0;
1336 ZERO_STRUCTP(info3);
1339 result = cm_connect_netlogon(domain, &netlogon_pipe);
1341 if (!NT_STATUS_IS_OK(result)) {
1342 DEBUG(3,("Could not open handle to NETLOGON pipe "
1343 "(error: %s, attempts: %d)\n",
1344 nt_errstr(result), netr_attempts));
1346 /* After the first retry always close the connection */
1347 if (netr_attempts > 0) {
1348 DEBUG(3, ("This is again a problem for this "
1349 "particular call, forcing the close "
1350 "of this connection\n"));
1351 invalidate_cm_connection(domain);
1354 /* After the second retry failover to the next DC */
1355 if (netr_attempts > 1) {
1357 * If the netlogon server is not reachable then
1358 * it is possible that the DC is rebuilding
1359 * sysvol and shutdown netlogon for that time.
1360 * We should failover to the next dc.
1362 DEBUG(3, ("This is the third problem for this "
1363 "particular call, adding DC to the "
1364 "negative cache list\n"));
1365 add_failed_connection_entry(domain->name,
1368 saf_delete(domain->name);
1371 /* Only allow 3 retries */
1372 if (netr_attempts < 3) {
1373 DEBUG(3, ("The connection to netlogon "
1374 "failed, retrying\n"));
1383 if (interactive && username != NULL && password != NULL) {
1384 result = rpccli_netlogon_password_logon(domain->conn.netlogon_creds,
1385 netlogon_pipe->binding_handle,
1392 NetlogonInteractiveInformation,
1395 result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
1396 netlogon_pipe->binding_handle,
1411 * we increment this after the "feature negotiation"
1412 * for can_do_samlogon_ex and can_do_validation6
1416 /* We have to try a second time as cm_connect_netlogon
1417 might not yet have noticed that the DC has killed
1420 if (!rpccli_is_connected(netlogon_pipe)) {
1425 /* if we get access denied, a possible cause was that we had
1426 and open connection to the DC, but someone changed our
1427 machine account password out from underneath us using 'net
1428 rpc changetrustpw' */
1430 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1431 DEBUG(1,("winbind_samlogon_retry_loop: sam_logon returned "
1432 "ACCESS_DENIED. Maybe the DC has Restrict "
1433 "NTLM set or the trust account "
1434 "password was changed and we didn't know it. "
1435 "Killing connections to domain %s\n",
1437 invalidate_cm_connection(domain);
1441 if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
1443 * Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
1444 * (no Ex). This happens against old Samba
1445 * DCs, if LogonSamLogonEx() fails with an error
1446 * e.g. NT_STATUS_NO_SUCH_USER or NT_STATUS_WRONG_PASSWORD.
1448 * The server will log something like this:
1449 * api_net_sam_logon_ex: Failed to marshall NET_R_SAM_LOGON_EX.
1451 * This sets the whole connection into a fault_state mode
1452 * and all following request get NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
1454 * This also happens to our retry with LogonSamLogonWithFlags()
1455 * and LogonSamLogon().
1457 * In order to recover from this situation, we need to
1458 * drop the connection.
1460 invalidate_cm_connection(domain);
1461 result = NT_STATUS_LOGON_FAILURE;
1465 } while ( (attempts < 2) && retry );
1467 if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) {
1468 DEBUG(3,("winbind_samlogon_retry_loop: sam_network_logon(ex) "
1469 "returned NT_STATUS_IO_TIMEOUT after the retry."
1470 "Killing connections to domain %s\n",
1472 invalidate_cm_connection(domain);
1477 static NTSTATUS winbindd_dual_pam_auth_samlogon(TALLOC_CTX *mem_ctx,
1478 struct winbindd_domain *domain,
1481 uint32_t request_flags,
1482 struct netr_SamInfo3 **info3)
1488 unsigned char local_nt_response[24];
1489 fstring name_domain, name_user;
1491 struct netr_SamInfo3 *my_info3 = NULL;
1495 DEBUG(10,("winbindd_dual_pam_auth_samlogon\n"));
1497 /* Parse domain and username */
1499 parse_domain_user(user, name_domain, name_user);
1501 /* do password magic */
1503 generate_random_buffer(chal, sizeof(chal));
1505 if (lp_client_ntlmv2_auth()) {
1506 DATA_BLOB server_chal;
1507 DATA_BLOB names_blob;
1508 server_chal = data_blob_const(chal, 8);
1510 /* note that the 'workgroup' here is for the local
1511 machine. The 'server name' must match the
1512 'workstation' passed to the actual SamLogon call.
1514 names_blob = NTLMv2_generate_names_blob(
1515 mem_ctx, lp_netbios_name(), lp_workgroup());
1517 if (!SMBNTLMv2encrypt(mem_ctx, name_user, name_domain,
1521 &lm_resp, &nt_resp, NULL, NULL)) {
1522 data_blob_free(&names_blob);
1523 DEBUG(0, ("winbindd_pam_auth: SMBNTLMv2encrypt() failed!\n"));
1524 result = NT_STATUS_NO_MEMORY;
1527 data_blob_free(&names_blob);
1529 lm_resp = data_blob_null;
1530 SMBNTencrypt(pass, chal, local_nt_response);
1532 nt_resp = data_blob_talloc(mem_ctx, local_nt_response,
1533 sizeof(local_nt_response));
1536 if (strequal(name_domain, get_global_sam_name())) {
1537 DATA_BLOB chal_blob = data_blob_const(chal, sizeof(chal));
1539 result = winbindd_dual_auth_passdb(
1540 mem_ctx, 0, name_domain, name_user,
1541 &chal_blob, &lm_resp, &nt_resp, info3);
1544 * We need to try the remote NETLOGON server if this is NOT_IMPLEMENTED
1546 if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
1551 /* check authentication loop */
1553 result = winbind_samlogon_retry_loop(domain,
1563 true, /* interactive */
1565 if (!NT_STATUS_IS_OK(result)) {
1569 /* handle the case where a NT4 DC does not fill in the acct_flags in
1570 * the samlogon reply info3. When accurate info3 is required by the
1571 * caller, we look up the account flags ourselve - gd */
1573 if ((request_flags & WBFLAG_PAM_INFO3_TEXT) &&
1574 NT_STATUS_IS_OK(result) && (my_info3->base.acct_flags == 0)) {
1576 struct rpc_pipe_client *samr_pipe;
1577 struct policy_handle samr_domain_handle, user_pol;
1578 union samr_UserInfo *info = NULL;
1579 NTSTATUS status_tmp, result_tmp;
1580 uint32_t acct_flags;
1581 struct dcerpc_binding_handle *b;
1583 status_tmp = cm_connect_sam(domain, mem_ctx, false,
1584 &samr_pipe, &samr_domain_handle);
1586 if (!NT_STATUS_IS_OK(status_tmp)) {
1587 DEBUG(3, ("could not open handle to SAMR pipe: %s\n",
1588 nt_errstr(status_tmp)));
1592 b = samr_pipe->binding_handle;
1594 status_tmp = dcerpc_samr_OpenUser(b, mem_ctx,
1595 &samr_domain_handle,
1596 MAXIMUM_ALLOWED_ACCESS,
1601 if (!NT_STATUS_IS_OK(status_tmp)) {
1602 DEBUG(3, ("could not open user handle on SAMR pipe: %s\n",
1603 nt_errstr(status_tmp)));
1606 if (!NT_STATUS_IS_OK(result_tmp)) {
1607 DEBUG(3, ("could not open user handle on SAMR pipe: %s\n",
1608 nt_errstr(result_tmp)));
1612 status_tmp = dcerpc_samr_QueryUserInfo(b, mem_ctx,
1618 if (!NT_STATUS_IS_OK(status_tmp)) {
1619 DEBUG(3, ("could not query user info on SAMR pipe: %s\n",
1620 nt_errstr(status_tmp)));
1621 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result_tmp);
1624 if (!NT_STATUS_IS_OK(result_tmp)) {
1625 DEBUG(3, ("could not query user info on SAMR pipe: %s\n",
1626 nt_errstr(result_tmp)));
1627 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result_tmp);
1631 acct_flags = info->info16.acct_flags;
1633 if (acct_flags == 0) {
1634 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result_tmp);
1638 my_info3->base.acct_flags = acct_flags;
1640 DEBUG(10,("successfully retrieved acct_flags 0x%x\n", acct_flags));
1642 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result_tmp);
1650 enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
1651 struct winbindd_cli_state *state)
1653 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
1654 NTSTATUS krb5_result = NT_STATUS_OK;
1655 fstring name_domain, name_user;
1657 fstring domain_user;
1658 struct netr_SamInfo3 *info3 = NULL;
1659 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
1661 /* Ensure null termination */
1662 state->request->data.auth.user[sizeof(state->request->data.auth.user)-1]='\0';
1664 /* Ensure null termination */
1665 state->request->data.auth.pass[sizeof(state->request->data.auth.pass)-1]='\0';
1667 DEBUG(3, ("[%5lu]: dual pam auth %s\n", (unsigned long)state->pid,
1668 state->request->data.auth.user));
1670 /* Parse domain and username */
1672 name_map_status = normalize_name_unmap(state->mem_ctx,
1673 state->request->data.auth.user,
1676 /* If the name normalization didnt' actually do anything,
1677 just use the original name */
1679 if (!NT_STATUS_IS_OK(name_map_status) &&
1680 !NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
1682 mapped_user = state->request->data.auth.user;
1685 parse_domain_user(mapped_user, name_domain, name_user);
1687 if ( mapped_user != state->request->data.auth.user ) {
1688 fstr_sprintf( domain_user, "%s%c%s", name_domain,
1689 *lp_winbind_separator(),
1691 strlcpy( state->request->data.auth.user, domain_user,
1692 sizeof(state->request->data.auth.user));
1695 if (!domain->online) {
1696 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1697 if (domain->startup) {
1698 /* Logons are very important to users. If we're offline and
1699 we get a request within the first 30 seconds of startup,
1700 try very hard to find a DC and go online. */
1702 DEBUG(10,("winbindd_dual_pam_auth: domain: %s offline and auth "
1703 "request in startup mode.\n", domain->name ));
1705 winbindd_flush_negative_conn_cache(domain);
1706 result = init_dc_connection(domain, false);
1710 DEBUG(10,("winbindd_dual_pam_auth: domain: %s last was %s\n", domain->name, domain->online ? "online":"offline"));
1712 /* Check for Kerberos authentication */
1713 if (domain->online && (state->request->flags & WBFLAG_PAM_KRB5)) {
1715 result = winbindd_dual_pam_auth_kerberos(domain, state, &info3);
1716 /* save for later */
1717 krb5_result = result;
1720 if (NT_STATUS_IS_OK(result)) {
1721 DEBUG(10,("winbindd_dual_pam_auth_kerberos succeeded\n"));
1722 goto process_result;
1724 DEBUG(10,("winbindd_dual_pam_auth_kerberos failed: %s\n", nt_errstr(result)));
1727 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
1728 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
1729 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1730 DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
1731 set_domain_offline( domain );
1735 /* there are quite some NT_STATUS errors where there is no
1736 * point in retrying with a samlogon, we explictly have to take
1737 * care not to increase the bad logon counter on the DC */
1739 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_DISABLED) ||
1740 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_EXPIRED) ||
1741 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_LOCKED_OUT) ||
1742 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_LOGON_HOURS) ||
1743 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_WORKSTATION) ||
1744 NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE) ||
1745 NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER) ||
1746 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_EXPIRED) ||
1747 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE) ||
1748 NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD)) {
1752 if (state->request->flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
1753 DEBUG(3,("falling back to samlogon\n"));
1761 /* Check for Samlogon authentication */
1762 if (domain->online) {
1763 result = winbindd_dual_pam_auth_samlogon(
1764 state->mem_ctx, domain,
1765 state->request->data.auth.user,
1766 state->request->data.auth.pass,
1767 state->request->flags,
1770 if (NT_STATUS_IS_OK(result)) {
1771 DEBUG(10,("winbindd_dual_pam_auth_samlogon succeeded\n"));
1772 /* add the Krb5 err if we have one */
1773 if ( NT_STATUS_EQUAL(krb5_result, NT_STATUS_TIME_DIFFERENCE_AT_DC ) ) {
1774 info3->base.user_flags |= LOGON_KRB5_FAIL_CLOCK_SKEW;
1776 goto process_result;
1779 DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n",
1780 nt_errstr(result)));
1782 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
1783 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
1784 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND))
1786 DEBUG(10,("winbindd_dual_pam_auth_samlogon setting domain to offline\n"));
1787 set_domain_offline( domain );
1791 if (domain->online) {
1792 /* We're still online - fail. */
1798 /* Check for Cached logons */
1799 if (!domain->online && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN) &&
1800 lp_winbind_offline_logon()) {
1802 result = winbindd_dual_pam_auth_cached(domain, state, &info3);
1804 if (NT_STATUS_IS_OK(result)) {
1805 DEBUG(10,("winbindd_dual_pam_auth_cached succeeded\n"));
1806 goto process_result;
1808 DEBUG(10,("winbindd_dual_pam_auth_cached failed: %s\n", nt_errstr(result)));
1815 if (NT_STATUS_IS_OK(result)) {
1817 struct dom_sid user_sid;
1819 /* In all codepaths where result == NT_STATUS_OK info3 must have
1820 been initialized. */
1822 result = NT_STATUS_INTERNAL_ERROR;
1826 sid_compose(&user_sid, info3->base.domain_sid,
1829 if (info3->base.full_name.string == NULL) {
1830 struct netr_SamInfo3 *cached_info3;
1832 cached_info3 = netsamlogon_cache_get(state->mem_ctx,
1834 if (cached_info3 != NULL &&
1835 cached_info3->base.full_name.string != NULL) {
1836 info3->base.full_name.string =
1837 talloc_strdup(info3,
1838 cached_info3->base.full_name.string);
1841 /* this might fail so we dont check the return code */
1842 wcache_query_user_fullname(domain,
1845 &info3->base.full_name.string);
1849 wcache_invalidate_samlogon(find_domain_from_name(name_domain),
1851 netsamlogon_cache_store(name_user, info3);
1853 /* save name_to_sid info as early as possible (only if
1854 this is our primary domain so we don't invalidate
1855 the cache entry by storing the seq_num for the wrong
1857 if ( domain->primary ) {
1858 cache_name2sid(domain, name_domain, name_user,
1859 SID_NAME_USER, &user_sid);
1862 /* Check if the user is in the right group */
1864 result = check_info3_in_group(
1866 state->request->data.auth.require_membership_of_sid);
1867 if (!NT_STATUS_IS_OK(result)) {
1868 DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
1869 state->request->data.auth.user,
1870 state->request->data.auth.require_membership_of_sid));
1874 result = append_auth_data(state->mem_ctx, state->response,
1875 state->request->flags, info3,
1876 name_domain, name_user);
1877 if (!NT_STATUS_IS_OK(result)) {
1881 if ((state->request->flags & WBFLAG_PAM_CACHED_LOGIN)
1882 && lp_winbind_offline_logon()) {
1884 result = winbindd_store_creds(domain,
1885 state->request->data.auth.user,
1886 state->request->data.auth.pass,
1890 if (state->request->flags & WBFLAG_PAM_GET_PWD_POLICY) {
1891 struct winbindd_domain *our_domain = find_our_domain();
1893 /* This is not entirely correct I believe, but it is
1894 consistent. Only apply the password policy settings
1895 too warn users for our own domain. Cannot obtain these
1896 from trusted DCs all the time so don't do it at all.
1899 result = NT_STATUS_NOT_SUPPORTED;
1900 if (our_domain == domain ) {
1901 result = fillup_password_policy(
1902 our_domain, state->response);
1905 if (!NT_STATUS_IS_OK(result)
1906 && !NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) )
1908 DEBUG(10,("Failed to get password policies for domain %s: %s\n",
1909 domain->name, nt_errstr(result)));
1914 result = NT_STATUS_OK;
1918 /* give us a more useful (more correct?) error code */
1919 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
1920 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
1921 result = NT_STATUS_NO_LOGON_SERVERS;
1924 set_auth_errors(state->response, result);
1926 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
1927 state->request->data.auth.user,
1928 state->response->data.auth.nt_status_string,
1929 state->response->data.auth.pam_error));
1931 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1934 NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
1935 TALLOC_CTX *mem_ctx,
1936 uint32_t logon_parameters,
1937 const char *name_user,
1938 const char *name_domain,
1939 const char *workstation,
1940 const uint8_t chal[8],
1941 DATA_BLOB lm_response,
1942 DATA_BLOB nt_response,
1943 struct netr_SamInfo3 **info3)
1947 if (strequal(name_domain, get_global_sam_name())) {
1948 DATA_BLOB chal_blob = data_blob_const(
1951 result = winbindd_dual_auth_passdb(
1954 name_domain, name_user,
1955 &chal_blob, &lm_response, &nt_response, info3);
1958 * We need to try the remote NETLOGON server if this is NOT_IMPLEMENTED
1960 if (!NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
1961 goto process_result;
1965 result = winbind_samlogon_retry_loop(domain,
1969 NULL, /* password */
1971 /* Bug #3248 - found by Stefan Burkei. */
1972 workstation, /* We carefully set this above so use it... */
1976 false, /* interactive */
1978 if (!NT_STATUS_IS_OK(result)) {
1984 if (NT_STATUS_IS_OK(result)) {
1985 struct dom_sid user_sid;
1987 sid_compose(&user_sid, (*info3)->base.domain_sid,
1988 (*info3)->base.rid);
1990 if ((*info3)->base.full_name.string == NULL) {
1991 struct netr_SamInfo3 *cached_info3;
1993 cached_info3 = netsamlogon_cache_get(mem_ctx,
1995 if (cached_info3 != NULL &&
1996 cached_info3->base.full_name.string != NULL) {
1997 (*info3)->base.full_name.string =
1998 talloc_strdup(*info3,
1999 cached_info3->base.full_name.string);
2002 /* this might fail so we dont check the return code */
2003 wcache_query_user_fullname(domain,
2006 &(*info3)->base.full_name.string);
2010 wcache_invalidate_samlogon(find_domain_from_name(name_domain),
2012 netsamlogon_cache_store(name_user, *info3);
2017 /* give us a more useful (more correct?) error code */
2018 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
2019 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
2020 result = NT_STATUS_NO_LOGON_SERVERS;
2023 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2024 ("NTLM CRAP authentication for user [%s]\\[%s] returned %s\n",
2027 nt_errstr(result)));
2032 enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
2033 struct winbindd_cli_state *state)
2036 struct netr_SamInfo3 *info3 = NULL;
2037 const char *name_user = NULL;
2038 const char *name_domain = NULL;
2039 const char *workstation;
2041 DATA_BLOB lm_resp, nt_resp;
2043 /* This is child-only, so no check for privileged access is needed
2046 /* Ensure null termination */
2047 state->request->data.auth_crap.user[sizeof(state->request->data.auth_crap.user)-1]=0;
2048 state->request->data.auth_crap.domain[sizeof(state->request->data.auth_crap.domain)-1]=0;
2050 name_user = state->request->data.auth_crap.user;
2051 name_domain = state->request->data.auth_crap.domain;
2052 workstation = state->request->data.auth_crap.workstation;
2054 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
2055 name_domain, name_user));
2057 if (state->request->data.auth_crap.lm_resp_len > sizeof(state->request->data.auth_crap.lm_resp)
2058 || state->request->data.auth_crap.nt_resp_len > sizeof(state->request->data.auth_crap.nt_resp)) {
2059 if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
2060 state->request->extra_len != state->request->data.auth_crap.nt_resp_len) {
2061 DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
2062 state->request->data.auth_crap.lm_resp_len,
2063 state->request->data.auth_crap.nt_resp_len));
2064 result = NT_STATUS_INVALID_PARAMETER;
2069 lm_resp = data_blob_talloc(state->mem_ctx, state->request->data.auth_crap.lm_resp,
2070 state->request->data.auth_crap.lm_resp_len);
2072 if (state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) {
2073 nt_resp = data_blob_talloc(state->mem_ctx,
2074 state->request->extra_data.data,
2075 state->request->data.auth_crap.nt_resp_len);
2077 nt_resp = data_blob_talloc(state->mem_ctx,
2078 state->request->data.auth_crap.nt_resp,
2079 state->request->data.auth_crap.nt_resp_len);
2082 result = winbind_dual_SamLogon(domain,
2084 state->request->data.auth_crap.logon_parameters,
2087 /* Bug #3248 - found by Stefan Burkei. */
2088 workstation, /* We carefully set this above so use it... */
2089 state->request->data.auth_crap.chal,
2093 if (!NT_STATUS_IS_OK(result)) {
2097 if (NT_STATUS_IS_OK(result)) {
2098 /* Check if the user is in the right group */
2100 result = check_info3_in_group(
2102 state->request->data.auth_crap.require_membership_of_sid);
2103 if (!NT_STATUS_IS_OK(result)) {
2104 DEBUG(3, ("User %s is not in the required group (%s), so "
2105 "crap authentication is rejected\n",
2106 state->request->data.auth_crap.user,
2107 state->request->data.auth_crap.require_membership_of_sid));
2111 result = append_auth_data(state->mem_ctx, state->response,
2112 state->request->flags, info3,
2113 name_domain, name_user);
2114 if (!NT_STATUS_IS_OK(result)) {
2121 if (state->request->flags & WBFLAG_PAM_NT_STATUS_SQUASH) {
2122 result = nt_status_squash(result);
2125 set_auth_errors(state->response, result);
2127 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2130 enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact_domain,
2131 struct winbindd_cli_state *state)
2134 char *newpass = NULL;
2135 struct policy_handle dom_pol;
2136 struct rpc_pipe_client *cli = NULL;
2137 bool got_info = false;
2138 struct samr_DomInfo1 *info = NULL;
2139 struct userPwdChangeFailureInformation *reject = NULL;
2140 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2141 fstring domain, user;
2142 struct dcerpc_binding_handle *b = NULL;
2144 ZERO_STRUCT(dom_pol);
2146 DEBUG(3, ("[%5lu]: dual pam chauthtok %s\n", (unsigned long)state->pid,
2147 state->request->data.auth.user));
2149 if (!parse_domain_user(state->request->data.chauthtok.user, domain, user)) {
2153 /* Change password */
2155 oldpass = state->request->data.chauthtok.oldpass;
2156 newpass = state->request->data.chauthtok.newpass;
2158 /* Initialize reject reason */
2159 state->response->data.auth.reject_reason = Undefined;
2161 /* Get sam handle */
2163 result = cm_connect_sam(contact_domain, state->mem_ctx, true, &cli,
2165 if (!NT_STATUS_IS_OK(result)) {
2166 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
2170 b = cli->binding_handle;
2172 result = rpccli_samr_chgpasswd_user3(cli, state->mem_ctx,
2179 /* Windows 2003 returns NT_STATUS_PASSWORD_RESTRICTION */
2181 if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) ) {
2183 fill_in_password_policy(state->response, info);
2185 state->response->data.auth.reject_reason =
2186 reject->extendedFailureReason;
2191 /* atm the pidl generated rpccli_samr_ChangePasswordUser3 function will
2192 * return with NT_STATUS_BUFFER_TOO_SMALL for w2k dcs as w2k just
2193 * returns with 4byte error code (NT_STATUS_NOT_SUPPORTED) which is too
2194 * short to comply with the samr_ChangePasswordUser3 idl - gd */
2196 /* only fallback when the chgpasswd_user3 call is not supported */
2197 if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE) ||
2198 NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) ||
2199 NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL) ||
2200 NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
2202 DEBUG(10,("Password change with chgpasswd_user3 failed with: %s, retrying chgpasswd_user2\n",
2203 nt_errstr(result)));
2205 result = rpccli_samr_chgpasswd_user2(cli, state->mem_ctx, user, newpass, oldpass);
2207 /* Windows 2000 returns NT_STATUS_ACCOUNT_RESTRICTION.
2208 Map to the same status code as Windows 2003. */
2210 if ( NT_STATUS_EQUAL(NT_STATUS_ACCOUNT_RESTRICTION, result ) ) {
2211 result = NT_STATUS_PASSWORD_RESTRICTION;
2217 if (NT_STATUS_IS_OK(result)
2218 && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN)
2219 && lp_winbind_offline_logon()) {
2220 result = winbindd_update_creds_by_name(contact_domain, user,
2222 /* Again, this happens when we login from gdm or xdm
2223 * and the password expires, *BUT* cached crendentials
2224 * doesn't exist. winbindd_update_creds_by_name()
2225 * returns NT_STATUS_NO_SUCH_USER.
2226 * This is not a failure.
2229 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
2230 result = NT_STATUS_OK;
2233 if (!NT_STATUS_IS_OK(result)) {
2234 DEBUG(10, ("Failed to store creds: %s\n",
2235 nt_errstr(result)));
2236 goto process_result;
2240 if (!NT_STATUS_IS_OK(result) && !got_info && contact_domain) {
2242 NTSTATUS policy_ret;
2244 policy_ret = fillup_password_policy(
2245 contact_domain, state->response);
2247 /* failure of this is non critical, it will just provide no
2248 * additional information to the client why the change has
2249 * failed - Guenther */
2251 if (!NT_STATUS_IS_OK(policy_ret)) {
2252 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(policy_ret)));
2253 goto process_result;
2259 if (strequal(contact_domain->name, get_global_sam_name())) {
2260 /* FIXME: internal rpc pipe does not cache handles yet */
2262 if (is_valid_policy_hnd(&dom_pol)) {
2264 dcerpc_samr_Close(b, state->mem_ctx, &dom_pol, &_result);
2270 set_auth_errors(state->response, result);
2272 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2273 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2276 state->response->data.auth.nt_status_string,
2277 state->response->data.auth.pam_error));
2279 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2282 enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
2283 struct winbindd_cli_state *state)
2285 NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
2287 DEBUG(3, ("[%5lu]: pam dual logoff %s\n", (unsigned long)state->pid,
2288 state->request->data.logoff.user));
2290 if (!(state->request->flags & WBFLAG_PAM_KRB5)) {
2291 result = NT_STATUS_OK;
2292 goto process_result;
2295 if (state->request->data.logoff.krb5ccname[0] == '\0') {
2296 result = NT_STATUS_OK;
2297 goto process_result;
2302 if (state->request->data.logoff.uid < 0) {
2303 DEBUG(0,("winbindd_pam_logoff: invalid uid\n"));
2304 goto process_result;
2307 /* what we need here is to find the corresponding krb5 ccache name *we*
2308 * created for a given username and destroy it */
2310 if (!ccache_entry_exists(state->request->data.logoff.user)) {
2311 result = NT_STATUS_OK;
2312 DEBUG(10,("winbindd_pam_logoff: no entry found.\n"));
2313 goto process_result;
2316 if (!ccache_entry_identical(state->request->data.logoff.user,
2317 state->request->data.logoff.uid,
2318 state->request->data.logoff.krb5ccname)) {
2319 DEBUG(0,("winbindd_pam_logoff: cached entry differs.\n"));
2320 goto process_result;
2323 result = remove_ccache(state->request->data.logoff.user);
2324 if (!NT_STATUS_IS_OK(result)) {
2325 DEBUG(0,("winbindd_pam_logoff: failed to remove ccache: %s\n",
2326 nt_errstr(result)));
2327 goto process_result;
2331 * Remove any mlock'ed memory creds in the child
2332 * we might be using for krb5 ticket renewal.
2335 winbindd_delete_memory_creds(state->request->data.logoff.user);
2338 result = NT_STATUS_NOT_SUPPORTED;
2344 set_auth_errors(state->response, result);
2346 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2349 /* Change user password with auth crap*/
2351 enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domain *domainSt, struct winbindd_cli_state *state)
2354 DATA_BLOB new_nt_password;
2355 DATA_BLOB old_nt_hash_enc;
2356 DATA_BLOB new_lm_password;
2357 DATA_BLOB old_lm_hash_enc;
2358 fstring domain,user;
2359 struct policy_handle dom_pol;
2360 struct winbindd_domain *contact_domain = domainSt;
2361 struct rpc_pipe_client *cli = NULL;
2362 struct dcerpc_binding_handle *b = NULL;
2364 ZERO_STRUCT(dom_pol);
2366 /* Ensure null termination */
2367 state->request->data.chng_pswd_auth_crap.user[
2368 sizeof(state->request->data.chng_pswd_auth_crap.user)-1]=0;
2369 state->request->data.chng_pswd_auth_crap.domain[
2370 sizeof(state->request->data.chng_pswd_auth_crap.domain)-1]=0;
2374 DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
2375 (unsigned long)state->pid,
2376 state->request->data.chng_pswd_auth_crap.domain,
2377 state->request->data.chng_pswd_auth_crap.user));
2379 if (lp_winbind_offline_logon()) {
2380 DEBUG(0,("Refusing password change as winbind offline logons are enabled. "));
2381 DEBUGADD(0,("Changing passwords here would risk inconsistent logons\n"));
2382 result = NT_STATUS_ACCESS_DENIED;
2386 if (*state->request->data.chng_pswd_auth_crap.domain) {
2387 fstrcpy(domain,state->request->data.chng_pswd_auth_crap.domain);
2389 parse_domain_user(state->request->data.chng_pswd_auth_crap.user,
2393 DEBUG(3,("no domain specified with username (%s) - "
2395 state->request->data.chng_pswd_auth_crap.user));
2396 result = NT_STATUS_NO_SUCH_USER;
2401 if (!*domain && lp_winbind_use_default_domain()) {
2402 fstrcpy(domain,lp_workgroup());
2406 fstrcpy(user, state->request->data.chng_pswd_auth_crap.user);
2409 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n",
2410 (unsigned long)state->pid, domain, user));
2412 /* Change password */
2413 new_nt_password = data_blob_const(
2414 state->request->data.chng_pswd_auth_crap.new_nt_pswd,
2415 state->request->data.chng_pswd_auth_crap.new_nt_pswd_len);
2417 old_nt_hash_enc = data_blob_const(
2418 state->request->data.chng_pswd_auth_crap.old_nt_hash_enc,
2419 state->request->data.chng_pswd_auth_crap.old_nt_hash_enc_len);
2421 if(state->request->data.chng_pswd_auth_crap.new_lm_pswd_len > 0) {
2422 new_lm_password = data_blob_const(
2423 state->request->data.chng_pswd_auth_crap.new_lm_pswd,
2424 state->request->data.chng_pswd_auth_crap.new_lm_pswd_len);
2426 old_lm_hash_enc = data_blob_const(
2427 state->request->data.chng_pswd_auth_crap.old_lm_hash_enc,
2428 state->request->data.chng_pswd_auth_crap.old_lm_hash_enc_len);
2430 new_lm_password = data_blob_null;
2431 old_lm_hash_enc = data_blob_null;
2434 /* Get sam handle */
2436 result = cm_connect_sam(contact_domain, state->mem_ctx, true, &cli, &dom_pol);
2437 if (!NT_STATUS_IS_OK(result)) {
2438 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
2442 b = cli->binding_handle;
2444 result = rpccli_samr_chng_pswd_auth_crap(
2445 cli, state->mem_ctx, user, new_nt_password, old_nt_hash_enc,
2446 new_lm_password, old_lm_hash_enc);
2450 if (strequal(contact_domain->name, get_global_sam_name())) {
2451 /* FIXME: internal rpc pipe does not cache handles yet */
2453 if (is_valid_policy_hnd(&dom_pol)) {
2455 dcerpc_samr_Close(b, state->mem_ctx, &dom_pol, &_result);
2461 set_auth_errors(state->response, result);
2463 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2464 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2466 state->response->data.auth.nt_status_string,
2467 state->response->data.auth.pam_error));
2469 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2473 static NTSTATUS extract_pac_vrfy_sigs(TALLOC_CTX *mem_ctx, DATA_BLOB pac_blob,
2474 struct PAC_LOGON_INFO **logon_info)
2476 krb5_context krbctx = NULL;
2477 krb5_error_code k5ret;
2479 krb5_kt_cursor cursor;
2480 krb5_keytab_entry entry;
2481 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
2484 ZERO_STRUCT(cursor);
2486 k5ret = krb5_init_context(&krbctx);
2488 DEBUG(1, ("Failed to initialize kerberos context: %s\n",
2489 error_message(k5ret)));
2490 status = krb5_to_nt_status(k5ret);
2494 k5ret = gse_krb5_get_server_keytab(krbctx, &keytab);
2496 DEBUG(1, ("Failed to get keytab: %s\n",
2497 error_message(k5ret)));
2498 status = krb5_to_nt_status(k5ret);
2502 k5ret = krb5_kt_start_seq_get(krbctx, keytab, &cursor);
2504 DEBUG(1, ("Failed to start seq: %s\n",
2505 error_message(k5ret)));
2506 status = krb5_to_nt_status(k5ret);
2510 k5ret = krb5_kt_next_entry(krbctx, keytab, &entry, &cursor);
2511 while (k5ret == 0) {
2512 status = kerberos_pac_logon_info(mem_ctx, pac_blob,
2514 KRB5_KT_KEY(&entry), NULL, 0,
2516 if (NT_STATUS_IS_OK(status)) {
2519 k5ret = smb_krb5_kt_free_entry(krbctx, &entry);
2520 k5ret = krb5_kt_next_entry(krbctx, keytab, &entry, &cursor);
2523 k5ret = krb5_kt_end_seq_get(krbctx, keytab, &cursor);
2525 DEBUG(1, ("Failed to end seq: %s\n",
2526 error_message(k5ret)));
2529 k5ret = krb5_kt_close(krbctx, keytab);
2531 DEBUG(1, ("Failed to close keytab: %s\n",
2532 error_message(k5ret)));
2535 krb5_free_context(krbctx);
2540 NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
2541 struct netr_SamInfo3 **info3)
2543 struct winbindd_request *req = state->request;
2545 struct PAC_LOGON_INFO *logon_info = NULL;
2546 struct netr_SamInfo3 *info3_copy = NULL;
2549 pac_blob = data_blob_const(req->extra_data.data, req->extra_len);
2550 result = extract_pac_vrfy_sigs(state->mem_ctx, pac_blob, &logon_info);
2551 if (!NT_STATUS_IS_OK(result) &&
2552 !NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
2553 DEBUG(1, ("Error during PAC signature verification: %s\n",
2554 nt_errstr(result)));
2559 /* Signature verification succeeded, trust the PAC */
2560 result = create_info3_from_pac_logon_info(state->mem_ctx,
2563 if (!NT_STATUS_IS_OK(result)) {
2566 netsamlogon_cache_store(NULL, info3_copy);
2569 /* Try without signature verification */
2570 result = kerberos_pac_logon_info(state->mem_ctx, pac_blob, NULL,
2571 NULL, NULL, NULL, 0,
2573 if (!NT_STATUS_IS_OK(result)) {
2574 DEBUG(10, ("Could not extract PAC: %s\n",
2575 nt_errstr(result)));
2580 * Don't strictly need to copy here,
2581 * but it makes it explicit we're
2582 * returning a copy talloc'ed off
2583 * the state->mem_ctx.
2585 info3_copy = copy_netr_SamInfo3(state->mem_ctx,
2586 &logon_info->info3);
2587 if (info3_copy == NULL) {
2588 return NT_STATUS_NO_MEMORY;
2593 *info3 = info3_copy;
2595 return NT_STATUS_OK;
2597 #else /* HAVE_KRB5 */
2598 NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
2599 struct netr_SamInfo3 **info3)
2601 return NT_STATUS_NO_SUCH_USER;
2603 #endif /* HAVE_KRB5 */