source3/auth/auth_wbc.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Winbind client authentication mechanism designed to defer all
   5    authentication to the winbind daemon.
   6
   7    Copyright (C) Tim Potter 2000
   8    Copyright (C) Andrew Bartlett 2001 - 2002
   9    Copyright (C) Dan Sledz 2009
  10
  11    This program is free software; you can redistribute it and/or modify
  12    it under the terms of the GNU General Public License as published by
  13    the Free Software Foundation; either version 3 of the License, or
  14    (at your option) any later version.
  15
  16    This program is distributed in the hope that it will be useful,
  17    but WITHOUT ANY WARRANTY; without even the implied warranty of
  18    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  19    GNU General Public License for more details.
  20
  21    You should have received a copy of the GNU General Public License
  22    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  23 */
  24
  25 /* This auth module is very similar to auth_winbind with 3 distinct
  26  * differences.
  27  *
  28  *      1) Does not fallback to another auth module if winbindd is unavailable
  29  *      2) Does not validate the domain of the user
  30  *      3) Handles unencrypted passwords
  31  *
  32  * The purpose of this module is to defer all authentication decisions (ie:
  33  * local user vs NIS vs LDAP vs AD; encrypted vs plaintext) to the wbc
  34  * compatible daemon.  This centeralizes all authentication decisions to a
  35  * single provider.
  36  *
  37  * This auth backend is most useful when used in conjunction with pdb_wbc_sam.
  38  */
  39
  40 #include "includes.h"
  41
  42 #undef DBGC_CLASS
  43 #define DBGC_CLASS DBGC_AUTH
  44
  45 /* Authenticate a user with a challenge/response */
  46
  47 static NTSTATUS check_wbc_security(const struct auth_context *auth_context,
  48                                        void *my_private_data,
  49                                        TALLOC_CTX *mem_ctx,
  50                                        const struct auth_usersupplied_info *user_info,
  51                                        struct auth_serversupplied_info **server_info)
  52 {
  53         NTSTATUS nt_status;
  54         wbcErr wbc_status;
  55         struct wbcAuthUserParams params;
  56         struct wbcAuthUserInfo *info = NULL;
  57         struct wbcAuthErrorInfo *err = NULL;
  58
  59         if (!user_info || !auth_context || !server_info) {
  60                 return NT_STATUS_INVALID_PARAMETER;
  61         }
  62
  63         ZERO_STRUCT(params);
  64
  65         /* Send off request */
  66
  67         DEBUG(10, ("Check auth for: [%s]", user_info->mapped.account_name));
  68
  69         params.account_name     = user_info->client.account_name;
  70         params.domain_name      = user_info->mapped.domain_name;
  71         params.workstation_name = user_info->workstation_name;
  72
  73         params.flags            = 0;
  74         params.parameter_control= user_info->logon_parameters;
  75
  76         /* Handle plaintext */
  77         switch (user_info->password_state) {
  78         case AUTH_PASSWORD_PLAIN:
  79         {
  80                 DEBUG(3,("Checking plaintext password for %s.\n",
  81                          user_info->mapped.account_name));
  82                 params.level = WBC_AUTH_USER_LEVEL_PLAIN;
  83
  84                 params.password.plaintext = user_info->password.plaintext;
  85         }
  86         case AUTH_PASSWORD_RESPONSE:
  87         case AUTH_PASSWORD_HASH:
  88         {
  89                 DEBUG(3,("Checking encrypted password for %s.\n",
  90                          user_info->mapped.account_name));
  91                 params.level = WBC_AUTH_USER_LEVEL_RESPONSE;
  92
  93                 memcpy(params.password.response.challenge,
  94                     auth_context->challenge.data,
  95                     sizeof(params.password.response.challenge));
  96
  97                 if (user_info->password.response.nt.length != 0) {
  98                         params.password.response.nt_length =
  99                                 user_info->password.response.nt.length;
 100                         params.password.response.nt_data =
 101                                 user_info->password.response.nt.data;
 102                 }
 103                 if (user_info->password.response.lanman.length != 0) {
 104                         params.password.response.lm_length =
 105                                 user_info->password.response.lanman.length;
 106                         params.password.response.lm_data =
 107                                 user_info->password.response.lanman.data;
 108                 }
 109         default:
 110                 DEBUG(0,("user_info constructed for user '%s' was invalid - password_state=%u invalid.\n",user_info->mapped.account_name, user_info->password_state));
 111                 return NT_STATUS_INTERNAL_ERROR;
 112         }
 113 #if 0 /* If ever implemented in libwbclient */
 114         case AUTH_PASSWORD_HASH:
 115         {
 116                 DEBUG(3,("Checking logon (hash) password for %s.\n",
 117                          user_info->mapped.account_name));
 118                 params.level = WBC_AUTH_USER_LEVEL_HASH;
 119
 120                 if (user_info->password.hash.nt) {
 121                         memcpy(params.password.hash.nt_hash, user_info->password.hash.nt, sizeof(* user_info->password.hash.nt));
 122                 } else {
 123                         memset(params.password.hash.nt_hash, '\0', sizeof(params.password.hash.nt_hash));
 124                 }
 125
 126                 if (user_info->password.hash.lanman) {
 127                         memcpy(params.password.hash.lm_hash, user_info->password.hash.lanman, sizeof(* user_info->password.hash.lanman));
 128                 } else {
 129                         memset(params.password.hash.lm_hash, '\0', sizeof(params.password.hash.lm_hash));
 130                 }
 131
 132         }
 133 #endif
 134         }
 135
 136         /* we are contacting the privileged pipe */
 137         become_root();
 138         wbc_status = wbcAuthenticateUserEx(&params, &info, &err);
 139         unbecome_root();
 140
 141         if (!WBC_ERROR_IS_OK(wbc_status)) {
 142                 DEBUG(10,("wbcAuthenticateUserEx failed (%d): %s\n",
 143                         wbc_status, wbcErrorString(wbc_status)));
 144         }
 145
 146         if (wbc_status == WBC_ERR_NO_MEMORY) {
 147                 return NT_STATUS_NO_MEMORY;
 148         }
 149
 150         if (wbc_status == WBC_ERR_AUTH_ERROR) {
 151                 nt_status = NT_STATUS(err->nt_status);
 152                 wbcFreeMemory(err);
 153                 return nt_status;
 154         }
 155
 156         if (!WBC_ERROR_IS_OK(wbc_status)) {
 157                 return NT_STATUS_LOGON_FAILURE;
 158         }
 159
 160         DEBUG(10,("wbcAuthenticateUserEx succeeded\n"));
 161
 162         nt_status = make_server_info_wbcAuthUserInfo(mem_ctx,
 163                                                      user_info->client.account_name,
 164                                                      user_info->mapped.domain_name,
 165                                                      info, server_info);
 166         wbcFreeMemory(info);
 167         if (!NT_STATUS_IS_OK(nt_status)) {
 168                 return nt_status;
 169         }
 170
 171         (*server_info)->nss_token |= user_info->was_mapped;
 172
 173         return nt_status;
 174 }
 175
 176 /* module initialisation */
 177 static NTSTATUS auth_init_wbc(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
 178 {
 179         struct auth_methods *result;
 180
 181         result = TALLOC_ZERO_P(auth_context, struct auth_methods);
 182         if (result == NULL) {
 183                 return NT_STATUS_NO_MEMORY;
 184         }
 185         result->name = "wbc";
 186         result->auth = check_wbc_security;
 187
 188         *auth_method = result;
 189         return NT_STATUS_OK;
 190 }
 191
 192 NTSTATUS auth_wbc_init(void)
 193 {
 194         return smb_register_auth(AUTH_INTERFACE_VERSION, "wbc", auth_init_wbc);
 195 }