2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Volker Lendecke 2006
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 #define DBGC_CLASS DBGC_AUTH
29 /****************************************************************************
30 Create a UNIX user on demand.
31 ****************************************************************************/
33 static int smb_create_user(const char *domain, const char *unix_username, const char *homedir)
35 TALLOC_CTX *ctx = talloc_tos();
39 add_script = talloc_strdup(ctx, lp_adduser_script());
40 if (!add_script || !*add_script) {
43 add_script = talloc_all_string_sub(ctx,
51 add_script = talloc_all_string_sub(ctx,
60 add_script = talloc_all_string_sub(ctx,
68 ret = smbrun(add_script,NULL);
71 ("smb_create_user: Running the command `%s' gave %d\n",
76 /****************************************************************************
77 Create an auth_usersupplied_data structure
78 ****************************************************************************/
80 static NTSTATUS make_user_info(auth_usersupplied_info **user_info,
82 const char *internal_username,
83 const char *client_domain,
85 const char *wksta_name,
86 DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd,
87 DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd,
92 DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name));
94 *user_info = SMB_MALLOC_P(auth_usersupplied_info);
95 if (*user_info == NULL) {
96 DEBUG(0,("malloc failed for user_info (size %lu)\n", (unsigned long)sizeof(*user_info)));
97 return NT_STATUS_NO_MEMORY;
100 ZERO_STRUCTP(*user_info);
102 DEBUG(5,("making strings for %s's user_info struct\n", internal_username));
104 (*user_info)->smb_name = SMB_STRDUP(smb_name);
105 if ((*user_info)->smb_name == NULL) {
106 free_user_info(user_info);
107 return NT_STATUS_NO_MEMORY;
110 (*user_info)->internal_username = SMB_STRDUP(internal_username);
111 if ((*user_info)->internal_username == NULL) {
112 free_user_info(user_info);
113 return NT_STATUS_NO_MEMORY;
116 (*user_info)->domain = SMB_STRDUP(domain);
117 if ((*user_info)->domain == NULL) {
118 free_user_info(user_info);
119 return NT_STATUS_NO_MEMORY;
122 (*user_info)->client_domain = SMB_STRDUP(client_domain);
123 if ((*user_info)->client_domain == NULL) {
124 free_user_info(user_info);
125 return NT_STATUS_NO_MEMORY;
128 (*user_info)->wksta_name = SMB_STRDUP(wksta_name);
129 if ((*user_info)->wksta_name == NULL) {
130 free_user_info(user_info);
131 return NT_STATUS_NO_MEMORY;
134 DEBUG(5,("making blobs for %s's user_info struct\n", internal_username));
137 (*user_info)->lm_resp = data_blob(lm_pwd->data, lm_pwd->length);
139 (*user_info)->nt_resp = data_blob(nt_pwd->data, nt_pwd->length);
140 if (lm_interactive_pwd)
141 (*user_info)->lm_interactive_pwd = data_blob(lm_interactive_pwd->data, lm_interactive_pwd->length);
142 if (nt_interactive_pwd)
143 (*user_info)->nt_interactive_pwd = data_blob(nt_interactive_pwd->data, nt_interactive_pwd->length);
146 (*user_info)->plaintext_password = data_blob(plaintext->data, plaintext->length);
148 (*user_info)->encrypted = encrypted;
150 (*user_info)->logon_parameters = 0;
152 DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name));
157 /****************************************************************************
158 Create an auth_usersupplied_data structure after appropriate mapping.
159 ****************************************************************************/
161 NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
162 const char *smb_name,
163 const char *client_domain,
164 const char *wksta_name,
165 DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd,
166 DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd,
167 DATA_BLOB *plaintext,
173 fstring internal_username;
174 fstrcpy(internal_username, smb_name);
175 was_mapped = map_username(internal_username);
177 DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n",
178 client_domain, smb_name, wksta_name));
180 /* don't allow "" as a domain, fixes a Win9X bug
181 where it doens't supply a domain for logon script
182 'net use' commands. */
184 if ( *client_domain )
185 domain = client_domain;
187 domain = lp_workgroup();
189 /* do what win2k does. Always map unknown domains to our own
190 and let the "passdb backend" handle unknown users. */
192 if ( !is_trusted_domain(domain) && !strequal(domain, get_global_sam_name()) )
193 domain = my_sam_name();
195 /* we know that it is a trusted domain (and we are allowing them) or it is our domain */
197 result = make_user_info(user_info, smb_name, internal_username,
198 client_domain, domain, wksta_name,
200 lm_interactive_pwd, nt_interactive_pwd,
201 plaintext, encrypted);
202 if (NT_STATUS_IS_OK(result)) {
203 (*user_info)->was_mapped = was_mapped;
208 /****************************************************************************
209 Create an auth_usersupplied_data, making the DATA_BLOBs here.
210 Decrypt and encrypt the passwords.
211 ****************************************************************************/
213 bool make_user_info_netlogon_network(auth_usersupplied_info **user_info,
214 const char *smb_name,
215 const char *client_domain,
216 const char *wksta_name,
217 uint32 logon_parameters,
218 const uchar *lm_network_pwd,
220 const uchar *nt_network_pwd,
225 DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len);
226 DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
228 status = make_user_info_map(user_info,
229 smb_name, client_domain,
231 lm_pwd_len ? &lm_blob : NULL,
232 nt_pwd_len ? &nt_blob : NULL,
236 if (NT_STATUS_IS_OK(status)) {
237 (*user_info)->logon_parameters = logon_parameters;
239 ret = NT_STATUS_IS_OK(status) ? True : False;
241 data_blob_free(&lm_blob);
242 data_blob_free(&nt_blob);
246 /****************************************************************************
247 Create an auth_usersupplied_data, making the DATA_BLOBs here.
248 Decrypt and encrypt the passwords.
249 ****************************************************************************/
251 bool make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
252 const char *smb_name,
253 const char *client_domain,
254 const char *wksta_name,
255 uint32 logon_parameters,
257 const uchar lm_interactive_pwd[16],
258 const uchar nt_interactive_pwd[16],
259 const uchar *dc_sess_key)
261 unsigned char lm_pwd[16];
262 unsigned char nt_pwd[16];
263 unsigned char local_lm_response[24];
264 unsigned char local_nt_response[24];
265 unsigned char key[16];
268 memcpy(key, dc_sess_key, 8);
270 if (lm_interactive_pwd)
271 memcpy(lm_pwd, lm_interactive_pwd, sizeof(lm_pwd));
273 if (nt_interactive_pwd)
274 memcpy(nt_pwd, nt_interactive_pwd, sizeof(nt_pwd));
276 #ifdef DEBUG_PASSWORD
278 dump_data(100, key, sizeof(key));
280 DEBUG(100,("lm owf password:"));
281 dump_data(100, lm_pwd, sizeof(lm_pwd));
283 DEBUG(100,("nt owf password:"));
284 dump_data(100, nt_pwd, sizeof(nt_pwd));
287 if (lm_interactive_pwd)
288 SamOEMhash(lm_pwd, key, sizeof(lm_pwd));
290 if (nt_interactive_pwd)
291 SamOEMhash(nt_pwd, key, sizeof(nt_pwd));
293 #ifdef DEBUG_PASSWORD
294 DEBUG(100,("decrypt of lm owf password:"));
295 dump_data(100, lm_pwd, sizeof(lm_pwd));
297 DEBUG(100,("decrypt of nt owf password:"));
298 dump_data(100, nt_pwd, sizeof(nt_pwd));
301 if (lm_interactive_pwd)
302 SMBOWFencrypt(lm_pwd, chal,
305 if (nt_interactive_pwd)
306 SMBOWFencrypt(nt_pwd, chal,
309 /* Password info paranoia */
315 DATA_BLOB local_lm_blob;
316 DATA_BLOB local_nt_blob;
318 DATA_BLOB lm_interactive_blob;
319 DATA_BLOB nt_interactive_blob;
321 if (lm_interactive_pwd) {
322 local_lm_blob = data_blob(local_lm_response,
323 sizeof(local_lm_response));
324 lm_interactive_blob = data_blob(lm_pwd,
329 if (nt_interactive_pwd) {
330 local_nt_blob = data_blob(local_nt_response,
331 sizeof(local_nt_response));
332 nt_interactive_blob = data_blob(nt_pwd,
337 nt_status = make_user_info_map(
339 smb_name, client_domain, wksta_name,
340 lm_interactive_pwd ? &local_lm_blob : NULL,
341 nt_interactive_pwd ? &local_nt_blob : NULL,
342 lm_interactive_pwd ? &lm_interactive_blob : NULL,
343 nt_interactive_pwd ? &nt_interactive_blob : NULL,
346 if (NT_STATUS_IS_OK(nt_status)) {
347 (*user_info)->logon_parameters = logon_parameters;
350 ret = NT_STATUS_IS_OK(nt_status) ? True : False;
351 data_blob_free(&local_lm_blob);
352 data_blob_free(&local_nt_blob);
353 data_blob_free(&lm_interactive_blob);
354 data_blob_free(&nt_interactive_blob);
360 /****************************************************************************
361 Create an auth_usersupplied_data structure
362 ****************************************************************************/
364 bool make_user_info_for_reply(auth_usersupplied_info **user_info,
365 const char *smb_name,
366 const char *client_domain,
368 DATA_BLOB plaintext_password)
371 DATA_BLOB local_lm_blob;
372 DATA_BLOB local_nt_blob;
373 NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
376 * Not encrypted - do so.
379 DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted "
382 if (plaintext_password.data) {
383 unsigned char local_lm_response[24];
385 #ifdef DEBUG_PASSWORD
386 DEBUG(10,("Unencrypted password (len %d):\n",
387 (int)plaintext_password.length));
388 dump_data(100, plaintext_password.data,
389 plaintext_password.length);
392 SMBencrypt( (const char *)plaintext_password.data,
393 (const uchar*)chal, local_lm_response);
394 local_lm_blob = data_blob(local_lm_response, 24);
396 /* We can't do an NT hash here, as the password needs to be
398 local_nt_blob = data_blob_null;
401 local_lm_blob = data_blob_null;
402 local_nt_blob = data_blob_null;
405 ret = make_user_info_map(
406 user_info, smb_name, client_domain,
407 get_remote_machine_name(),
408 local_lm_blob.data ? &local_lm_blob : NULL,
409 local_nt_blob.data ? &local_nt_blob : NULL,
411 plaintext_password.data ? &plaintext_password : NULL,
414 data_blob_free(&local_lm_blob);
415 return NT_STATUS_IS_OK(ret) ? True : False;
418 /****************************************************************************
419 Create an auth_usersupplied_data structure
420 ****************************************************************************/
422 NTSTATUS make_user_info_for_reply_enc(auth_usersupplied_info **user_info,
423 const char *smb_name,
424 const char *client_domain,
425 DATA_BLOB lm_resp, DATA_BLOB nt_resp)
427 return make_user_info_map(user_info, smb_name,
429 get_remote_machine_name(),
430 lm_resp.data ? &lm_resp : NULL,
431 nt_resp.data ? &nt_resp : NULL,
436 /****************************************************************************
437 Create a guest user_info blob, for anonymous authenticaion.
438 ****************************************************************************/
440 bool make_user_info_guest(auth_usersupplied_info **user_info)
444 nt_status = make_user_info(user_info,
453 return NT_STATUS_IS_OK(nt_status) ? True : False;
456 static int server_info_dtor(auth_serversupplied_info *server_info)
458 TALLOC_FREE(server_info->sam_account);
459 ZERO_STRUCTP(server_info);
463 /***************************************************************************
464 Make a server_info struct. Free with TALLOC_FREE().
465 ***************************************************************************/
467 static auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx)
469 struct auth_serversupplied_info *result;
471 result = TALLOC_ZERO_P(mem_ctx, auth_serversupplied_info);
472 if (result == NULL) {
473 DEBUG(0, ("talloc failed\n"));
477 talloc_set_destructor(result, server_info_dtor);
479 /* Initialise the uid and gid values to something non-zero
480 which may save us from giving away root access if there
481 is a bug in allocating these fields. */
488 /***************************************************************************
489 Make (and fill) a user_info struct from a struct samu
490 ***************************************************************************/
492 NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
493 struct samu *sampass)
498 auth_serversupplied_info *result;
501 DOM_SID unix_group_sid;
504 if ( !(result = make_server_info(NULL)) ) {
505 return NT_STATUS_NO_MEMORY;
508 if ( !(pwd = getpwnam_alloc(result, pdb_get_username(sampass))) ) {
509 DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n",
510 pdb_get_username(sampass)));
512 return NT_STATUS_NO_SUCH_USER;
515 result->sam_account = sampass;
516 /* Ensure thaat the sampass will be freed with the result */
517 talloc_steal(result, sampass);
518 result->unix_name = pwd->pw_name;
519 /* Ensure that we keep pwd->pw_name, because we will free pwd below */
520 talloc_steal(result, pwd->pw_name);
521 result->gid = pwd->pw_gid;
522 result->uid = pwd->pw_uid;
526 status = pdb_enum_group_memberships(result, sampass,
527 &result->sids, &gids,
530 if (!NT_STATUS_IS_OK(status)) {
531 DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
533 result->sam_account = NULL; /* Don't free on error exit. */
538 /* Add the "Unix Group" SID for each gid to catch mapped groups
539 and their Unix equivalent. This is to solve the backwards
540 compatibility problem of 'valid users = +ntadmin' where
541 ntadmin has been paired with "Domain Admins" in the group
542 mapping table. Otherwise smb.conf would need to be changed
543 to 'valid user = "Domain Admins"'. --jerry */
545 num_gids = result->num_sids;
546 for ( i=0; i<num_gids; i++ ) {
547 if ( !gid_to_unix_groups_sid( gids[i], &unix_group_sid ) ) {
548 DEBUG(1,("make_server_info_sam: Failed to create SID "
549 "for gid %d!\n", gids[i]));
552 status = add_sid_to_array_unique(result, &unix_group_sid,
555 if (!NT_STATUS_IS_OK(status)) {
556 result->sam_account = NULL; /* Don't free on error exit. */
562 /* For now we throw away the gids and convert via sid_to_gid
563 * later. This needs fixing, but I'd like to get the code straight and
568 DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n",
569 pdb_get_username(sampass), result->unix_name));
571 *server_info = result;
576 static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token)
582 if ((lp_log_nt_token_command() == NULL) ||
583 (strlen(lp_log_nt_token_command()) == 0)) {
587 group_sidstr = talloc_strdup(tmp_ctx, "");
588 for (i=1; i<token->num_sids; i++) {
589 group_sidstr = talloc_asprintf(
590 tmp_ctx, "%s %s", group_sidstr,
591 sid_string_talloc(tmp_ctx, &token->user_sids[i]));
594 command = talloc_string_sub(
595 tmp_ctx, lp_log_nt_token_command(),
596 "%s", sid_string_talloc(tmp_ctx, &token->user_sids[0]));
597 command = talloc_string_sub(tmp_ctx, command, "%t", group_sidstr);
599 if (command == NULL) {
600 return NT_STATUS_NO_MEMORY;
603 DEBUG(8, ("running command: [%s]\n", command));
604 if (smbrun(command, NULL) != 0) {
605 DEBUG(0, ("Could not log NT token\n"));
606 return NT_STATUS_ACCESS_DENIED;
613 * Create the token to use from server_info->sam_account and
614 * server_info->sids (the info3/sam groups). Find the unix gids.
617 NTSTATUS create_local_token(auth_serversupplied_info *server_info)
624 mem_ctx = talloc_new(NULL);
625 if (mem_ctx == NULL) {
626 DEBUG(0, ("talloc_new failed\n"));
627 return NT_STATUS_NO_MEMORY;
631 * If winbind is not around, we can not make much use of the SIDs the
632 * domain controller provided us with. Likewise if the user name was
633 * mapped to some local unix user.
636 if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
637 (server_info->nss_token)) {
638 status = create_token_from_username(server_info,
639 server_info->unix_name,
643 &server_info->unix_name,
647 server_info->ptok = create_local_nt_token(
649 pdb_get_user_sid(server_info->sam_account),
651 server_info->num_sids, server_info->sids);
652 status = server_info->ptok ?
653 NT_STATUS_OK : NT_STATUS_NO_SUCH_USER;
656 if (!NT_STATUS_IS_OK(status)) {
657 TALLOC_FREE(mem_ctx);
661 /* Convert the SIDs to gids. */
663 server_info->n_groups = 0;
664 server_info->groups = NULL;
666 /* Start at index 1, where the groups start. */
668 for (i=1; i<server_info->ptok->num_sids; i++) {
670 DOM_SID *sid = &server_info->ptok->user_sids[i];
672 if (!sid_to_gid(sid, &gid)) {
673 DEBUG(10, ("Could not convert SID %s to gid, "
674 "ignoring it\n", sid_string_dbg(sid)));
677 add_gid_to_array_unique(server_info, gid, &server_info->groups,
678 &server_info->n_groups);
681 debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok);
683 status = log_nt_token(mem_ctx, server_info->ptok);
685 TALLOC_FREE(mem_ctx);
690 * Create an artificial NT token given just a username. (Initially indended
693 * We go through lookup_name() to avoid problems we had with 'winbind use
698 * unmapped unix users: Go directly to nss to find the user's group.
700 * A passdb user: The list of groups is provided by pdb_enum_group_memberships.
702 * If the user is provided by winbind, the primary gid is set to "domain
703 * users" of the user's domain. For an explanation why this is necessary, see
704 * the thread starting at
705 * http://lists.samba.org/archive/samba-technical/2006-January/044803.html.
708 NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
710 uid_t *uid, gid_t *gid,
711 char **found_username,
712 struct nt_user_token **token)
714 NTSTATUS result = NT_STATUS_NO_SUCH_USER;
717 enum lsa_SidType type;
720 DOM_SID unix_group_sid;
721 size_t num_group_sids;
725 tmp_ctx = talloc_new(NULL);
726 if (tmp_ctx == NULL) {
727 DEBUG(0, ("talloc_new failed\n"));
728 return NT_STATUS_NO_MEMORY;
731 if (!lookup_name_smbconf(tmp_ctx, username, LOOKUP_NAME_ALL,
732 NULL, NULL, &user_sid, &type)) {
733 DEBUG(1, ("lookup_name_smbconf for %s failed\n", username));
737 if (type != SID_NAME_USER) {
738 DEBUG(1, ("%s is a %s, not a user\n", username,
739 sid_type_lookup(type)));
743 if (!sid_to_uid(&user_sid, uid)) {
744 DEBUG(1, ("sid_to_uid for %s (%s) failed\n",
745 username, sid_string_dbg(&user_sid)));
749 if (sid_check_is_in_our_domain(&user_sid)) {
752 /* This is a passdb user, so ask passdb */
754 struct samu *sam_acct = NULL;
756 if ( !(sam_acct = samu_new( tmp_ctx )) ) {
757 result = NT_STATUS_NO_MEMORY;
762 ret = pdb_getsampwsid(sam_acct, &user_sid);
766 DEBUG(1, ("pdb_getsampwsid(%s) for user %s failed\n",
767 sid_string_dbg(&user_sid), username));
768 DEBUGADD(1, ("Fall back to unix user %s\n", username));
772 result = pdb_enum_group_memberships(tmp_ctx, sam_acct,
775 if (!NT_STATUS_IS_OK(result)) {
776 DEBUG(10, ("enum_group_memberships failed for %s\n",
778 DEBUGADD(1, ("Fall back to unix user %s\n", username));
782 /* see the smb_panic() in pdb_default_enum_group_memberships */
783 SMB_ASSERT(num_group_sids > 0);
787 /* Ensure we're returning the found_username on the right context. */
788 *found_username = talloc_strdup(mem_ctx,
789 pdb_get_username(sam_acct));
791 } else if (sid_check_is_in_unix_users(&user_sid)) {
793 /* This is a unix user not in passdb. We need to ask nss
794 * directly, without consulting passdb */
799 * This goto target is used as a fallback for the passdb
800 * case. The concrete bug report is when passdb gave us an
806 uid_to_unix_users_sid(*uid, &user_sid);
808 pass = getpwuid_alloc(tmp_ctx, *uid);
810 DEBUG(1, ("getpwuid(%d) for user %s failed\n",
815 if (!getgroups_unix_user(tmp_ctx, username, pass->pw_gid,
816 &gids, &num_group_sids)) {
817 DEBUG(1, ("getgroups_unix_user for user %s failed\n",
822 if (num_group_sids) {
823 group_sids = TALLOC_ARRAY(tmp_ctx, DOM_SID, num_group_sids);
824 if (group_sids == NULL) {
825 DEBUG(1, ("TALLOC_ARRAY failed\n"));
826 result = NT_STATUS_NO_MEMORY;
833 for (i=0; i<num_group_sids; i++) {
834 gid_to_sid(&group_sids[i], gids[i]);
837 /* In getgroups_unix_user we always set the primary gid */
838 SMB_ASSERT(num_group_sids > 0);
842 /* Ensure we're returning the found_username on the right context. */
843 *found_username = talloc_strdup(mem_ctx, pass->pw_name);
846 /* This user is from winbind, force the primary gid to the
847 * user's "domain users" group. Under certain circumstances
848 * (user comes from NT4), this might be a loss of
849 * information. But we can not rely on winbind getting the
850 * correct info. AD might prohibit winbind looking up that
856 group_sids = TALLOC_ARRAY(tmp_ctx, DOM_SID, num_group_sids);
857 if (group_sids == NULL) {
858 DEBUG(1, ("TALLOC_ARRAY failed\n"));
859 result = NT_STATUS_NO_MEMORY;
863 sid_copy(&group_sids[0], &user_sid);
864 sid_split_rid(&group_sids[0], &dummy);
865 sid_append_rid(&group_sids[0], DOMAIN_GROUP_RID_USERS);
867 if (!sid_to_gid(&group_sids[0], gid)) {
868 DEBUG(1, ("sid_to_gid(%s) failed\n",
869 sid_string_dbg(&group_sids[0])));
875 /* Ensure we're returning the found_username on the right context. */
876 *found_username = talloc_strdup(mem_ctx, username);
879 /* Add the "Unix Group" SID for each gid to catch mapped groups
880 and their Unix equivalent. This is to solve the backwards
881 compatibility problem of 'valid users = +ntadmin' where
882 ntadmin has been paired with "Domain Admins" in the group
883 mapping table. Otherwise smb.conf would need to be changed
884 to 'valid user = "Domain Admins"'. --jerry */
886 num_gids = num_group_sids;
887 for ( i=0; i<num_gids; i++ ) {
890 /* don't pickup anything managed by Winbind */
892 if ( lp_idmap_gid(&low, &high) && (gids[i] >= low) && (gids[i] <= high) )
895 if ( !gid_to_unix_groups_sid( gids[i], &unix_group_sid ) ) {
896 DEBUG(1,("create_token_from_username: Failed to create SID "
897 "for gid %d!\n", gids[i]));
900 result = add_sid_to_array_unique(tmp_ctx, &unix_group_sid,
901 &group_sids, &num_group_sids);
902 if (!NT_STATUS_IS_OK(result)) {
907 /* Ensure we're creating the nt_token on the right context. */
908 *token = create_local_nt_token(mem_ctx, &user_sid,
909 is_guest, num_group_sids, group_sids);
911 if ((*token == NULL) || (*found_username == NULL)) {
912 result = NT_STATUS_NO_MEMORY;
916 result = NT_STATUS_OK;
918 TALLOC_FREE(tmp_ctx);
922 /***************************************************************************
923 Build upon create_token_from_username:
925 Expensive helper function to figure out whether a user given its name is
926 member of a particular group.
927 ***************************************************************************/
929 bool user_in_group_sid(const char *username, const DOM_SID *group_sid)
934 char *found_username;
935 struct nt_user_token *token;
940 mem_ctx = talloc_new(NULL);
941 if (mem_ctx == NULL) {
942 DEBUG(0, ("talloc_new failed\n"));
946 status = create_token_from_username(mem_ctx, username, False,
947 &uid, &gid, &found_username,
950 if (!NT_STATUS_IS_OK(status)) {
951 DEBUG(10, ("could not create token for %s\n", username));
955 result = nt_token_check_sid(group_sid, token);
957 TALLOC_FREE(mem_ctx);
962 bool user_in_group(const char *username, const char *groupname)
968 mem_ctx = talloc_new(NULL);
969 if (mem_ctx == NULL) {
970 DEBUG(0, ("talloc_new failed\n"));
974 ret = lookup_name(mem_ctx, groupname, LOOKUP_NAME_ALL,
975 NULL, NULL, &group_sid, NULL);
976 TALLOC_FREE(mem_ctx);
979 DEBUG(10, ("lookup_name for (%s) failed.\n", groupname));
983 return user_in_group_sid(username, &group_sid);
987 /***************************************************************************
988 Make (and fill) a server_info struct from a 'struct passwd' by conversion
990 ***************************************************************************/
992 NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info,
997 struct samu *sampass = NULL;
999 char *qualified_name = NULL;
1000 TALLOC_CTX *mem_ctx = NULL;
1002 enum lsa_SidType type;
1003 auth_serversupplied_info *result;
1005 if ( !(sampass = samu_new( NULL )) ) {
1006 return NT_STATUS_NO_MEMORY;
1009 status = samu_set_unix( sampass, pwd );
1010 if (!NT_STATUS_IS_OK(status)) {
1014 result = make_server_info(NULL);
1015 if (result == NULL) {
1016 TALLOC_FREE(sampass);
1017 return NT_STATUS_NO_MEMORY;
1020 result->sam_account = sampass;
1021 result->unix_name = talloc_strdup(result, unix_username);
1022 result->uid = pwd->pw_uid;
1023 result->gid = pwd->pw_gid;
1025 status = pdb_enum_group_memberships(result, sampass,
1026 &result->sids, &gids,
1029 if (!NT_STATUS_IS_OK(status)) {
1030 DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
1031 nt_errstr(status)));
1032 TALLOC_FREE(result);
1037 * The SID returned in server_info->sam_account is based
1038 * on our SAM sid even though for a pure UNIX account this should
1039 * not be the case as it doesn't really exist in the SAM db.
1040 * This causes lookups on "[in]valid users" to fail as they
1041 * will lookup this name as a "Unix User" SID to check against
1042 * the user token. Fix this by adding the "Unix User"\unix_username
1043 * SID to the sid array. The correct fix should probably be
1044 * changing the server_info->sam_account user SID to be a
1045 * S-1-22 Unix SID, but this might break old configs where
1046 * plaintext passwords were used with no SAM backend.
1049 mem_ctx = talloc_init("make_server_info_pw_tmp");
1051 TALLOC_FREE(result);
1052 return NT_STATUS_NO_MEMORY;
1055 qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
1056 unix_users_domain_name(),
1058 if (!qualified_name) {
1059 TALLOC_FREE(result);
1060 TALLOC_FREE(mem_ctx);
1061 return NT_STATUS_NO_MEMORY;
1064 if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
1067 TALLOC_FREE(result);
1068 TALLOC_FREE(mem_ctx);
1069 return NT_STATUS_NO_SUCH_USER;
1072 TALLOC_FREE(mem_ctx);
1074 if (type != SID_NAME_USER) {
1075 TALLOC_FREE(result);
1076 return NT_STATUS_NO_SUCH_USER;
1079 status = add_sid_to_array_unique(result, &u_sid,
1082 if (!NT_STATUS_IS_OK(status)) {
1083 TALLOC_FREE(result);
1087 /* For now we throw away the gids and convert via sid_to_gid
1088 * later. This needs fixing, but I'd like to get the code straight and
1092 *server_info = result;
1094 return NT_STATUS_OK;
1097 /***************************************************************************
1098 Make (and fill) a user_info struct for a guest login.
1099 This *must* succeed for smbd to start. If there is no mapping entry for
1100 the guest gid, then create one.
1101 ***************************************************************************/
1103 static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_info)
1106 struct samu *sampass = NULL;
1112 if ( !(sampass = samu_new( NULL )) ) {
1113 return NT_STATUS_NO_MEMORY;
1116 sid_copy(&guest_sid, get_global_sam_sid());
1117 sid_append_rid(&guest_sid, DOMAIN_USER_RID_GUEST);
1120 ret = pdb_getsampwsid(sampass, &guest_sid);
1124 TALLOC_FREE(sampass);
1125 return NT_STATUS_NO_SUCH_USER;
1128 status = make_server_info_sam(server_info, sampass);
1129 if (!NT_STATUS_IS_OK(status)) {
1130 TALLOC_FREE(sampass);
1134 (*server_info)->guest = True;
1136 status = create_local_token(*server_info);
1137 if (!NT_STATUS_IS_OK(status)) {
1138 DEBUG(10, ("create_local_token failed: %s\n",
1139 nt_errstr(status)));
1143 /* annoying, but the Guest really does have a session key, and it is
1146 (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));
1147 (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
1149 alpha_strcpy(tmp, pdb_get_username(sampass), ". _-$", sizeof(tmp));
1150 (*server_info)->sanitized_username = talloc_strdup(*server_info, tmp);
1152 return NT_STATUS_OK;
1155 /****************************************************************************
1156 Fake a auth_serversupplied_info just from a username
1157 ****************************************************************************/
1159 NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx,
1160 const char *username,
1162 struct auth_serversupplied_info **presult)
1164 struct auth_serversupplied_info *result;
1167 result = make_server_info(mem_ctx);
1168 if (result == NULL) {
1169 return NT_STATUS_NO_MEMORY;
1172 result->nss_token = true;
1173 result->guest = is_guest;
1175 result->unix_name = talloc_strdup(result, username);
1176 if (result->unix_name == NULL) {
1177 TALLOC_FREE(result);
1178 return NT_STATUS_NO_MEMORY;
1181 status = create_local_token(result);
1183 if (!NT_STATUS_IS_OK(status)) {
1184 TALLOC_FREE(result);
1189 return NT_STATUS_OK;
1193 struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx,
1194 auth_serversupplied_info *src)
1196 auth_serversupplied_info *dst;
1198 dst = make_server_info(mem_ctx);
1203 dst->guest = src->guest;
1204 dst->uid = src->uid;
1205 dst->gid = src->gid;
1206 dst->n_groups = src->n_groups;
1207 if (src->n_groups != 0) {
1208 dst->groups = (gid_t *)TALLOC_MEMDUP(
1209 dst, src->groups, sizeof(gid_t)*dst->n_groups);
1215 dst->ptok = dup_nt_token(dst, src->ptok);
1222 dst->user_session_key = data_blob_talloc( dst, src->user_session_key.data,
1223 src->user_session_key.length);
1225 dst->lm_session_key = data_blob_talloc(dst, src->lm_session_key.data,
1226 src->lm_session_key.length);
1228 dst->sam_account = samu_new(NULL);
1229 if (!dst->sam_account) {
1234 if (!pdb_copy_sam_account(dst->sam_account, src->sam_account)) {
1239 dst->pam_handle = NULL;
1240 dst->unix_name = talloc_strdup(dst, src->unix_name);
1241 if (!dst->unix_name) {
1246 dst->sanitized_username = talloc_strdup(dst, src->sanitized_username);
1247 if (!dst->sanitized_username) {
1255 static auth_serversupplied_info *guest_info = NULL;
1257 bool init_guest_info(void)
1259 if (guest_info != NULL)
1262 return NT_STATUS_IS_OK(make_new_server_info_guest(&guest_info));
1265 NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx,
1266 auth_serversupplied_info **server_info)
1268 *server_info = copy_serverinfo(mem_ctx, guest_info);
1269 return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1272 bool copy_current_user(struct current_user *dst, struct current_user *src)
1275 NT_USER_TOKEN *nt_token;
1277 groups = (gid_t *)memdup(src->ut.groups,
1278 sizeof(gid_t) * src->ut.ngroups);
1279 if ((src->ut.ngroups != 0) && (groups == NULL)) {
1283 nt_token = dup_nt_token(NULL, src->nt_user_token);
1284 if (nt_token == NULL) {
1289 dst->conn = src->conn;
1290 dst->vuid = src->vuid;
1291 dst->ut.uid = src->ut.uid;
1292 dst->ut.gid = src->ut.gid;
1293 dst->ut.ngroups = src->ut.ngroups;
1294 dst->ut.groups = groups;
1295 dst->nt_user_token = nt_token;
1299 /***************************************************************************
1300 Purely internal function for make_server_info_info3
1301 Fill the sam account from getpwnam
1302 ***************************************************************************/
1303 static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx,
1305 const char *username,
1306 char **found_username,
1307 uid_t *uid, gid_t *gid,
1308 struct samu *account,
1309 bool *username_was_mapped)
1312 fstring dom_user, lower_username;
1313 fstring real_username;
1314 struct passwd *passwd;
1316 fstrcpy( lower_username, username );
1317 strlower_m( lower_username );
1319 fstr_sprintf(dom_user, "%s%c%s", domain, *lp_winbind_separator(),
1322 /* Get the passwd struct. Try to create the account is necessary. */
1324 *username_was_mapped = map_username( dom_user );
1326 if ( !(passwd = smb_getpwnam( NULL, dom_user, real_username, True )) )
1327 return NT_STATUS_NO_SUCH_USER;
1329 *uid = passwd->pw_uid;
1330 *gid = passwd->pw_gid;
1332 /* This is pointless -- there is no suport for differing
1333 unix and windows names. Make sure to always store the
1334 one we actually looked up and succeeded. Have I mentioned
1335 why I hate the 'winbind use default domain' parameter?
1338 *found_username = talloc_strdup( mem_ctx, real_username );
1340 DEBUG(5,("fill_sam_account: located username was [%s]\n", *found_username));
1342 nt_status = samu_set_unix( account, passwd );
1344 TALLOC_FREE(passwd);
1349 /****************************************************************************
1350 Wrapper to allow the getpwnam() call to strip the domain name and
1351 try again in case a local UNIX user is already there. Also run through
1352 the username if we fallback to the username only.
1353 ****************************************************************************/
1355 struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, char *domuser,
1356 fstring save_username, bool create )
1358 struct passwd *pw = NULL;
1362 /* we only save a copy of the username it has been mangled
1363 by winbindd use default domain */
1365 save_username[0] = '\0';
1367 /* don't call map_username() here since it has to be done higher
1368 up the stack so we don't call it mutliple times */
1370 fstrcpy( username, domuser );
1372 p = strchr_m( username, *lp_winbind_separator() );
1374 /* code for a DOMAIN\user string */
1377 fstring strip_username;
1379 pw = Get_Pwnam_alloc( mem_ctx, domuser );
1381 /* make sure we get the case of the username correct */
1382 /* work around 'winbind use default domain = yes' */
1384 if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
1387 /* split the domain and username into 2 strings */
1391 fstr_sprintf(save_username, "%s%c%s", domain, *lp_winbind_separator(), pw->pw_name);
1394 fstrcpy( save_username, pw->pw_name );
1400 /* setup for lookup of just the username */
1401 /* remember that p and username are overlapping memory */
1404 fstrcpy( strip_username, p );
1405 fstrcpy( username, strip_username );
1408 /* just lookup a plain username */
1410 pw = Get_Pwnam_alloc(mem_ctx, username);
1412 /* Create local user if requested but only if winbindd
1413 is not running. We need to protect against cases
1414 where winbindd is failing and then prematurely
1415 creating users in /etc/passwd */
1417 if ( !pw && create && !winbind_ping() ) {
1418 /* Don't add a machine account. */
1419 if (username[strlen(username)-1] == '$')
1422 smb_create_user(NULL, username, NULL);
1423 pw = Get_Pwnam_alloc(mem_ctx, username);
1426 /* one last check for a valid passwd struct */
1429 fstrcpy( save_username, pw->pw_name );
1434 /***************************************************************************
1435 Make a server_info struct from the info3 returned by a domain logon
1436 ***************************************************************************/
1438 NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
1439 const char *sent_nt_username,
1441 auth_serversupplied_info **server_info,
1442 struct netr_SamInfo3 *info3)
1446 NTSTATUS nt_status = NT_STATUS_OK;
1447 char *found_username = NULL;
1448 const char *nt_domain;
1449 const char *nt_username;
1450 struct samu *sam_account = NULL;
1453 bool username_was_mapped;
1455 uid_t uid = (uid_t)-1;
1456 gid_t gid = (gid_t)-1;
1458 auth_serversupplied_info *result;
1461 Here is where we should check the list of
1462 trusted domains, and verify that the SID
1466 sid_copy(&user_sid, info3->base.domain_sid);
1467 if (!sid_append_rid(&user_sid, info3->base.rid)) {
1468 return NT_STATUS_INVALID_PARAMETER;
1471 sid_copy(&group_sid, info3->base.domain_sid);
1472 if (!sid_append_rid(&group_sid, info3->base.primary_gid)) {
1473 return NT_STATUS_INVALID_PARAMETER;
1476 nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
1478 /* If the server didn't give us one, just use the one we sent
1480 nt_username = sent_nt_username;
1483 nt_domain = talloc_strdup(mem_ctx, info3->base.domain.string);
1485 /* If the server didn't give us one, just use the one we sent
1490 /* try to fill the SAM account.. If getpwnam() fails, then try the
1491 add user script (2.2.x behavior).
1493 We use the _unmapped_ username here in an attempt to provide
1494 consistent username mapping behavior between kerberos and NTLM[SSP]
1495 authentication in domain mode security. I.E. Username mapping
1496 should be applied to the fully qualified username
1497 (e.g. DOMAIN\user) and not just the login name. Yes this means we
1498 called map_username() unnecessarily in make_user_info_map() but
1499 that is how the current code is designed. Making the change here
1500 is the least disruptive place. -- jerry */
1502 if ( !(sam_account = samu_new( NULL )) ) {
1503 return NT_STATUS_NO_MEMORY;
1506 /* this call will try to create the user if necessary */
1508 nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username,
1509 &found_username, &uid, &gid, sam_account,
1510 &username_was_mapped);
1513 /* if we still don't have a valid unix account check for
1514 'map to guest = bad uid' */
1516 if (!NT_STATUS_IS_OK(nt_status)) {
1517 TALLOC_FREE( sam_account );
1518 if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) {
1519 make_server_info_guest(NULL, server_info);
1520 return NT_STATUS_OK;
1525 if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) {
1526 TALLOC_FREE(sam_account);
1527 return NT_STATUS_NO_MEMORY;
1530 if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) {
1531 TALLOC_FREE(sam_account);
1532 return NT_STATUS_NO_MEMORY;
1535 if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) {
1536 TALLOC_FREE(sam_account);
1537 return NT_STATUS_NO_MEMORY;
1540 if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) {
1541 TALLOC_FREE(sam_account);
1542 return NT_STATUS_UNSUCCESSFUL;
1545 if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) {
1546 TALLOC_FREE(sam_account);
1547 return NT_STATUS_UNSUCCESSFUL;
1550 if (!pdb_set_fullname(sam_account,
1551 info3->base.full_name.string,
1553 TALLOC_FREE(sam_account);
1554 return NT_STATUS_NO_MEMORY;
1557 if (!pdb_set_logon_script(sam_account,
1558 info3->base.logon_script.string,
1560 TALLOC_FREE(sam_account);
1561 return NT_STATUS_NO_MEMORY;
1564 if (!pdb_set_profile_path(sam_account,
1565 info3->base.profile_path.string,
1567 TALLOC_FREE(sam_account);
1568 return NT_STATUS_NO_MEMORY;
1571 if (!pdb_set_homedir(sam_account,
1572 info3->base.home_directory.string,
1574 TALLOC_FREE(sam_account);
1575 return NT_STATUS_NO_MEMORY;
1578 if (!pdb_set_dir_drive(sam_account,
1579 info3->base.home_drive.string,
1581 TALLOC_FREE(sam_account);
1582 return NT_STATUS_NO_MEMORY;
1585 if (!pdb_set_acct_ctrl(sam_account, info3->base.acct_flags, PDB_CHANGED)) {
1586 TALLOC_FREE(sam_account);
1587 return NT_STATUS_NO_MEMORY;
1590 if (!pdb_set_pass_last_set_time(
1592 nt_time_to_unix(info3->base.last_password_change),
1594 TALLOC_FREE(sam_account);
1595 return NT_STATUS_NO_MEMORY;
1598 if (!pdb_set_pass_can_change_time(
1600 nt_time_to_unix(info3->base.allow_password_change),
1602 TALLOC_FREE(sam_account);
1603 return NT_STATUS_NO_MEMORY;
1606 if (!pdb_set_pass_must_change_time(
1608 nt_time_to_unix(info3->base.force_password_change),
1610 TALLOC_FREE(sam_account);
1611 return NT_STATUS_NO_MEMORY;
1614 result = make_server_info(NULL);
1615 if (result == NULL) {
1616 DEBUG(4, ("make_server_info failed!\n"));
1617 TALLOC_FREE(sam_account);
1618 return NT_STATUS_NO_MEMORY;
1621 /* save this here to _net_sam_logon() doesn't fail (it assumes a
1622 valid struct samu) */
1624 result->sam_account = sam_account;
1625 result->unix_name = talloc_strdup(result, found_username);
1627 /* Fill in the unix info we found on the way */
1632 /* Create a 'combined' list of all SIDs we might want in the SD */
1634 result->num_sids = 0;
1635 result->sids = NULL;
1637 nt_status = sid_array_from_info3(result, info3,
1641 if (!NT_STATUS_IS_OK(nt_status)) {
1642 TALLOC_FREE(result);
1646 result->login_server = talloc_strdup(result,
1647 info3->base.logon_server.string);
1649 /* ensure we are never given NULL session keys */
1653 if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) {
1654 result->user_session_key = data_blob_null;
1656 result->user_session_key = data_blob_talloc(
1657 result, info3->base.key.key,
1658 sizeof(info3->base.key.key));
1661 if (memcmp(info3->base.LMSessKey.key, zeros, 8) == 0) {
1662 result->lm_session_key = data_blob_null;
1664 result->lm_session_key = data_blob_talloc(
1665 result, info3->base.LMSessKey.key,
1666 sizeof(info3->base.LMSessKey.key));
1669 result->nss_token |= username_was_mapped;
1671 *server_info = result;
1673 return NT_STATUS_OK;
1676 /*****************************************************************************
1677 Make a server_info struct from the wbcAuthUserInfo returned by a domain logon
1678 ******************************************************************************/
1680 NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
1681 const char *sent_nt_username,
1683 const struct wbcAuthUserInfo *info,
1684 auth_serversupplied_info **server_info)
1688 NTSTATUS nt_status = NT_STATUS_OK;
1689 char *found_username = NULL;
1690 const char *nt_domain;
1691 const char *nt_username;
1692 struct samu *sam_account = NULL;
1695 bool username_was_mapped;
1698 uid_t uid = (uid_t)-1;
1699 gid_t gid = (gid_t)-1;
1701 auth_serversupplied_info *result;
1703 result = make_server_info(NULL);
1704 if (result == NULL) {
1705 DEBUG(4, ("make_server_info failed!\n"));
1706 return NT_STATUS_NO_MEMORY;
1710 Here is where we should check the list of
1711 trusted domains, and verify that the SID
1715 memcpy(&user_sid, &info->sids[0].sid, sizeof(user_sid));
1716 memcpy(&group_sid, &info->sids[1].sid, sizeof(group_sid));
1718 if (info->account_name) {
1719 nt_username = talloc_strdup(result, info->account_name);
1721 /* If the server didn't give us one, just use the one we sent
1723 nt_username = talloc_strdup(result, sent_nt_username);
1726 TALLOC_FREE(result);
1727 return NT_STATUS_NO_MEMORY;
1730 if (info->domain_name) {
1731 nt_domain = talloc_strdup(result, info->domain_name);
1733 /* If the server didn't give us one, just use the one we sent
1735 nt_domain = talloc_strdup(result, domain);
1738 TALLOC_FREE(result);
1739 return NT_STATUS_NO_MEMORY;
1742 /* try to fill the SAM account.. If getpwnam() fails, then try the
1743 add user script (2.2.x behavior).
1745 We use the _unmapped_ username here in an attempt to provide
1746 consistent username mapping behavior between kerberos and NTLM[SSP]
1747 authentication in domain mode security. I.E. Username mapping
1748 should be applied to the fully qualified username
1749 (e.g. DOMAIN\user) and not just the login name. Yes this means we
1750 called map_username() unnecessarily in make_user_info_map() but
1751 that is how the current code is designed. Making the change here
1752 is the least disruptive place. -- jerry */
1754 if ( !(sam_account = samu_new( result )) ) {
1755 TALLOC_FREE(result);
1756 return NT_STATUS_NO_MEMORY;
1759 /* this call will try to create the user if necessary */
1761 nt_status = fill_sam_account(result, nt_domain, sent_nt_username,
1762 &found_username, &uid, &gid, sam_account,
1763 &username_was_mapped);
1765 /* if we still don't have a valid unix account check for
1766 'map to guest = bad uid' */
1768 if (!NT_STATUS_IS_OK(nt_status)) {
1769 TALLOC_FREE( result );
1770 if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) {
1771 make_server_info_guest(NULL, server_info);
1772 return NT_STATUS_OK;
1777 if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) {
1778 TALLOC_FREE(result);
1779 return NT_STATUS_NO_MEMORY;
1782 if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) {
1783 TALLOC_FREE(result);
1784 return NT_STATUS_NO_MEMORY;
1787 if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) {
1788 TALLOC_FREE(result);
1789 return NT_STATUS_NO_MEMORY;
1792 if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) {
1793 TALLOC_FREE(result);
1794 return NT_STATUS_UNSUCCESSFUL;
1797 if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) {
1798 TALLOC_FREE(result);
1799 return NT_STATUS_UNSUCCESSFUL;
1802 if (!pdb_set_fullname(sam_account, info->full_name, PDB_CHANGED)) {
1803 TALLOC_FREE(result);
1804 return NT_STATUS_NO_MEMORY;
1807 if (!pdb_set_logon_script(sam_account, info->logon_script, PDB_CHANGED)) {
1808 TALLOC_FREE(result);
1809 return NT_STATUS_NO_MEMORY;
1812 if (!pdb_set_profile_path(sam_account, info->profile_path, PDB_CHANGED)) {
1813 TALLOC_FREE(result);
1814 return NT_STATUS_NO_MEMORY;
1817 if (!pdb_set_homedir(sam_account, info->home_directory, PDB_CHANGED)) {
1818 TALLOC_FREE(result);
1819 return NT_STATUS_NO_MEMORY;
1822 if (!pdb_set_dir_drive(sam_account, info->home_drive, PDB_CHANGED)) {
1823 TALLOC_FREE(result);
1824 return NT_STATUS_NO_MEMORY;
1827 if (!pdb_set_acct_ctrl(sam_account, info->acct_flags, PDB_CHANGED)) {
1828 TALLOC_FREE(result);
1829 return NT_STATUS_NO_MEMORY;
1832 if (!pdb_set_pass_last_set_time(
1834 nt_time_to_unix(info->pass_last_set_time),
1836 TALLOC_FREE(result);
1837 return NT_STATUS_NO_MEMORY;
1840 if (!pdb_set_pass_can_change_time(
1842 nt_time_to_unix(info->pass_can_change_time),
1844 TALLOC_FREE(result);
1845 return NT_STATUS_NO_MEMORY;
1848 if (!pdb_set_pass_must_change_time(
1850 nt_time_to_unix(info->pass_must_change_time),
1852 TALLOC_FREE(result);
1853 return NT_STATUS_NO_MEMORY;
1856 /* save this here to _net_sam_logon() doesn't fail (it assumes a
1857 valid struct samu) */
1859 result->sam_account = sam_account;
1860 result->unix_name = talloc_strdup(result, found_username);
1862 result->login_server = talloc_strdup(result, info->logon_server);
1864 /* Fill in the unix info we found on the way */
1869 /* Create a 'combined' list of all SIDs we might want in the SD */
1871 result->num_sids = info->num_sids - 2;
1872 result->sids = talloc_array(result, DOM_SID, result->num_sids);
1873 if (result->sids == NULL) {
1874 TALLOC_FREE(result);
1875 return NT_STATUS_NO_MEMORY;
1878 for (i=0; i < result->num_sids; i++) {
1879 memcpy(&result->sids[i], &info->sids[i+2].sid, sizeof(result->sids[i]));
1882 /* ensure we are never given NULL session keys */
1886 if (memcmp(info->user_session_key, zeros, sizeof(zeros)) == 0) {
1887 result->user_session_key = data_blob_null;
1889 result->user_session_key = data_blob_talloc(
1890 result, info->user_session_key,
1891 sizeof(info->user_session_key));
1894 if (memcmp(info->lm_session_key, zeros, 8) == 0) {
1895 result->lm_session_key = data_blob_null;
1897 result->lm_session_key = data_blob_talloc(
1898 result, info->lm_session_key,
1899 sizeof(info->lm_session_key));
1902 result->nss_token |= username_was_mapped;
1904 *server_info = result;
1906 return NT_STATUS_OK;
1909 /***************************************************************************
1910 Free a user_info struct
1911 ***************************************************************************/
1913 void free_user_info(auth_usersupplied_info **user_info)
1915 DEBUG(5,("attempting to free (and zero) a user_info structure\n"));
1916 if (*user_info != NULL) {
1917 if ((*user_info)->smb_name) {
1918 DEBUG(10,("structure was created for %s\n",
1919 (*user_info)->smb_name));
1921 SAFE_FREE((*user_info)->smb_name);
1922 SAFE_FREE((*user_info)->internal_username);
1923 SAFE_FREE((*user_info)->client_domain);
1924 SAFE_FREE((*user_info)->domain);
1925 SAFE_FREE((*user_info)->wksta_name);
1926 data_blob_free(&(*user_info)->lm_resp);
1927 data_blob_free(&(*user_info)->nt_resp);
1928 data_blob_clear_free(&(*user_info)->lm_interactive_pwd);
1929 data_blob_clear_free(&(*user_info)->nt_interactive_pwd);
1930 data_blob_clear_free(&(*user_info)->plaintext_password);
1931 ZERO_STRUCT(**user_info);
1933 SAFE_FREE(*user_info);
1936 /***************************************************************************
1937 Make an auth_methods struct
1938 ***************************************************************************/
1940 bool make_auth_methods(struct auth_context *auth_context, auth_methods **auth_method)
1942 if (!auth_context) {
1943 smb_panic("no auth_context supplied to "
1944 "make_auth_methods()!\n");
1948 smb_panic("make_auth_methods: pointer to auth_method pointer "
1952 *auth_method = TALLOC_P(auth_context->mem_ctx, auth_methods);
1953 if (!*auth_method) {
1954 DEBUG(0,("make_auth_method: malloc failed!\n"));
1957 ZERO_STRUCTP(*auth_method);
1963 * Verify whether or not given domain is trusted.
1965 * @param domain_name name of the domain to be verified
1966 * @return true if domain is one of the trusted once or
1967 * false if otherwise
1970 bool is_trusted_domain(const char* dom_name)
1972 DOM_SID trustdom_sid;
1975 /* no trusted domains for a standalone server */
1977 if ( lp_server_role() == ROLE_STANDALONE )
1980 /* if we are a DC, then check for a direct trust relationships */
1984 DEBUG (5,("is_trusted_domain: Checking for domain trust with "
1985 "[%s]\n", dom_name ));
1986 ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
1994 /* If winbind is around, ask it */
1996 result = wb_is_trusted_domain(dom_name);
1998 if (result == WBC_ERR_SUCCESS) {
2002 if (result == WBC_ERR_DOMAIN_NOT_FOUND) {
2003 /* winbind could not find the domain */
2007 /* The only other possible result is that winbind is not up
2008 and running. We need to update the trustdom_cache
2011 update_trustdom_cache();
2014 /* now the trustdom cache should be available a DC could still
2015 * have a transitive trust so fall back to the cache of trusted
2016 * domains (like a domain member would use */
2018 if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) {