2 Unix SMB/CIFS implementation.
4 Winbind daemon - pam auth funcions
6 Copyright (C) Andrew Tridgell 2000
7 Copyright (C) Tim Potter 2001
8 Copyright (C) Andrew Bartlett 2001-2002
9 Copyright (C) Guenther Deschner 2005
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
28 #define DBGC_CLASS DBGC_WINBIND
30 #define LOGON_KRB5_FAIL_CLOCK_SKEW 0x02000000
32 static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx,
33 struct winbindd_cli_state *state,
34 struct netr_SamInfo3 *info3)
40 state->response.data.auth.info3.logon_time =
41 nt_time_to_unix(info3->base.last_logon);
42 state->response.data.auth.info3.logoff_time =
43 nt_time_to_unix(info3->base.last_logoff);
44 state->response.data.auth.info3.kickoff_time =
45 nt_time_to_unix(info3->base.acct_expiry);
46 state->response.data.auth.info3.pass_last_set_time =
47 nt_time_to_unix(info3->base.last_password_change);
48 state->response.data.auth.info3.pass_can_change_time =
49 nt_time_to_unix(info3->base.allow_password_change);
50 state->response.data.auth.info3.pass_must_change_time =
51 nt_time_to_unix(info3->base.force_password_change);
53 state->response.data.auth.info3.logon_count = info3->base.logon_count;
54 state->response.data.auth.info3.bad_pw_count = info3->base.bad_password_count;
56 state->response.data.auth.info3.user_rid = info3->base.rid;
57 state->response.data.auth.info3.group_rid = info3->base.primary_gid;
58 sid_to_fstring(state->response.data.auth.info3.dom_sid, info3->base.domain_sid);
60 state->response.data.auth.info3.num_groups = info3->base.groups.count;
61 state->response.data.auth.info3.user_flgs = info3->base.user_flags;
63 state->response.data.auth.info3.acct_flags = info3->base.acct_flags;
64 state->response.data.auth.info3.num_other_sids = info3->sidcount;
66 fstrcpy(state->response.data.auth.info3.user_name,
67 info3->base.account_name.string);
68 fstrcpy(state->response.data.auth.info3.full_name,
69 info3->base.full_name.string);
70 fstrcpy(state->response.data.auth.info3.logon_script,
71 info3->base.logon_script.string);
72 fstrcpy(state->response.data.auth.info3.profile_path,
73 info3->base.profile_path.string);
74 fstrcpy(state->response.data.auth.info3.home_dir,
75 info3->base.home_directory.string);
76 fstrcpy(state->response.data.auth.info3.dir_drive,
77 info3->base.home_drive.string);
79 fstrcpy(state->response.data.auth.info3.logon_srv,
80 info3->base.logon_server.string);
81 fstrcpy(state->response.data.auth.info3.logon_dom,
82 info3->base.domain.string);
84 ex = talloc_strdup(mem_ctx, "");
85 NT_STATUS_HAVE_NO_MEMORY(ex);
87 for (i=0; i < info3->base.groups.count; i++) {
88 ex = talloc_asprintf_append_buffer(ex, "0x%08X:0x%08X\n",
89 info3->base.groups.rids[i].rid,
90 info3->base.groups.rids[i].attributes);
91 NT_STATUS_HAVE_NO_MEMORY(ex);
94 for (i=0; i < info3->sidcount; i++) {
97 sid = dom_sid_string(mem_ctx, info3->sids[i].sid);
98 NT_STATUS_HAVE_NO_MEMORY(sid);
100 ex = talloc_asprintf_append_buffer(ex, "%s:0x%08X\n",
102 info3->sids[i].attributes);
103 NT_STATUS_HAVE_NO_MEMORY(ex);
108 size = talloc_get_size(ex);
110 SAFE_FREE(state->response.extra_data.data);
111 state->response.extra_data.data = SMB_MALLOC(size);
112 if (!state->response.extra_data.data) {
113 return NT_STATUS_NO_MEMORY;
115 memcpy(state->response.extra_data.data, ex, size);
118 state->response.length += size;
123 static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx,
124 struct winbindd_cli_state *state,
125 struct netr_SamInfo3 *info3)
128 enum ndr_err_code ndr_err;
130 ndr_err = ndr_push_struct_blob(&blob, mem_ctx, NULL, info3,
131 (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3);
132 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
133 DEBUG(0,("append_info3_as_ndr: failed to append\n"));
134 return ndr_map_error2ntstatus(ndr_err);
137 SAFE_FREE(state->response.extra_data.data);
138 state->response.extra_data.data = SMB_MALLOC(blob.length);
139 if (!state->response.extra_data.data) {
140 data_blob_free(&blob);
141 return NT_STATUS_NO_MEMORY;
144 memset(state->response.extra_data.data, '\0', blob.length);
145 memcpy(state->response.extra_data.data, blob.data, blob.length);
146 state->response.length += blob.length;
148 data_blob_free(&blob);
153 static NTSTATUS append_unix_username(TALLOC_CTX *mem_ctx,
154 struct winbindd_cli_state *state,
155 const struct netr_SamInfo3 *info3,
156 const char *name_domain,
157 const char *name_user)
159 /* We've been asked to return the unix username, per
160 'winbind use default domain' settings and the like */
162 const char *nt_username, *nt_domain;
164 nt_domain = talloc_strdup(mem_ctx, info3->base.domain.string);
166 /* If the server didn't give us one, just use the one
168 nt_domain = name_domain;
171 nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
173 /* If the server didn't give us one, just use the one
175 nt_username = name_user;
178 fill_domain_username(state->response.data.auth.unix_username,
179 nt_domain, nt_username, true);
181 DEBUG(5,("Setting unix username to [%s]\n",
182 state->response.data.auth.unix_username));
187 static NTSTATUS append_afs_token(TALLOC_CTX *mem_ctx,
188 struct winbindd_cli_state *state,
189 const struct netr_SamInfo3 *info3,
190 const char *name_domain,
191 const char *name_user)
193 char *afsname = NULL;
196 afsname = talloc_strdup(mem_ctx, lp_afs_username_map());
197 if (afsname == NULL) {
198 return NT_STATUS_NO_MEMORY;
201 afsname = talloc_string_sub(mem_ctx,
202 lp_afs_username_map(),
204 afsname = talloc_string_sub(mem_ctx, afsname,
206 afsname = talloc_string_sub(mem_ctx, afsname,
213 sid_copy(&user_sid, info3->base.domain_sid);
214 sid_append_rid(&user_sid, info3->base.rid);
215 sid_to_fstring(sidstr, &user_sid);
216 afsname = talloc_string_sub(mem_ctx, afsname,
220 if (afsname == NULL) {
221 return NT_STATUS_NO_MEMORY;
226 DEBUG(10, ("Generating token for user %s\n", afsname));
228 cell = strchr(afsname, '@');
231 return NT_STATUS_NO_MEMORY;
237 /* Append an AFS token string */
238 SAFE_FREE(state->response.extra_data.data);
239 state->response.extra_data.data =
240 afs_createtoken_str(afsname, cell);
242 if (state->response.extra_data.data != NULL) {
243 state->response.length +=
244 strlen((const char *)state->response.extra_data.data)+1;
250 static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
251 struct netr_SamInfo3 *info3,
252 const char *group_sid)
254 * Check whether a user belongs to a group or list of groups.
256 * @param mem_ctx talloc memory context.
257 * @param info3 user information, including group membership info.
258 * @param group_sid One or more groups , separated by commas.
260 * @return NT_STATUS_OK on success,
261 * NT_STATUS_LOGON_FAILURE if the user does not belong,
262 * or other NT_STATUS_IS_ERR(status) for other kinds of failure.
265 DOM_SID *require_membership_of_sid;
266 size_t num_require_membership_of_sid;
271 struct nt_user_token *token;
272 TALLOC_CTX *frame = NULL;
275 /* Parse the 'required group' SID */
277 if (!group_sid || !group_sid[0]) {
278 /* NO sid supplied, all users may access */
282 if (!(token = TALLOC_ZERO_P(mem_ctx, struct nt_user_token))) {
283 DEBUG(0, ("talloc failed\n"));
284 return NT_STATUS_NO_MEMORY;
287 num_require_membership_of_sid = 0;
288 require_membership_of_sid = NULL;
292 frame = talloc_stackframe();
293 while (next_token_talloc(frame, &p, &req_sid, ",")) {
294 if (!string_to_sid(&sid, req_sid)) {
295 DEBUG(0, ("check_info3_in_group: could not parse %s "
296 "as a SID!", req_sid));
298 return NT_STATUS_INVALID_PARAMETER;
301 status = add_sid_to_array(mem_ctx, &sid,
302 &require_membership_of_sid,
303 &num_require_membership_of_sid);
304 if (!NT_STATUS_IS_OK(status)) {
305 DEBUG(0, ("add_sid_to_array failed\n"));
313 status = sid_array_from_info3(mem_ctx, info3,
317 if (!NT_STATUS_IS_OK(status)) {
321 if (!NT_STATUS_IS_OK(status = add_aliases(get_global_sam_sid(),
323 || !NT_STATUS_IS_OK(status = add_aliases(&global_sid_Builtin,
325 DEBUG(3, ("could not add aliases: %s\n",
330 debug_nt_user_token(DBGC_CLASS, 10, token);
332 for (i=0; i<num_require_membership_of_sid; i++) {
333 DEBUG(10, ("Checking SID %s\n", sid_string_dbg(
334 &require_membership_of_sid[i])));
335 if (nt_token_check_sid(&require_membership_of_sid[i],
337 DEBUG(10, ("Access ok\n"));
342 /* Do not distinguish this error from a wrong username/pw */
344 return NT_STATUS_LOGON_FAILURE;
347 struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state,
348 const char *domain_name)
350 struct winbindd_domain *domain;
353 domain = find_domain_from_name_noinit(domain_name);
354 if (domain == NULL) {
355 DEBUG(3, ("Authentication for domain [%s] refused "
356 "as it is not a trusted domain\n",
362 if (is_myname(domain_name)) {
363 DEBUG(3, ("Authentication for domain %s (local domain "
364 "to this server) not supported at this "
365 "stage\n", domain_name));
369 /* we can auth against trusted domains */
370 if (state->request.flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
371 domain = find_domain_from_name_noinit(domain_name);
372 if (domain == NULL) {
373 DEBUG(3, ("Authentication for domain [%s] skipped "
374 "as it is not a trusted domain\n",
381 return find_our_domain();
384 static void fill_in_password_policy(struct winbindd_response *r,
385 const struct samr_DomInfo1 *p)
387 r->data.auth.policy.min_length_password =
388 p->min_password_length;
389 r->data.auth.policy.password_history =
390 p->password_history_length;
391 r->data.auth.policy.password_properties =
392 p->password_properties;
393 r->data.auth.policy.expire =
394 nt_time_to_unix_abs((NTTIME *)&(p->max_password_age));
395 r->data.auth.policy.min_passwordage =
396 nt_time_to_unix_abs((NTTIME *)&(p->min_password_age));
399 static NTSTATUS fillup_password_policy(struct winbindd_domain *domain,
400 struct winbindd_cli_state *state)
402 struct winbindd_methods *methods;
403 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
404 struct samr_DomInfo1 password_policy;
406 if ( !winbindd_can_contact_domain( domain ) ) {
407 DEBUG(5,("fillup_password_policy: No inbound trust to "
408 "contact domain %s\n", domain->name));
409 return NT_STATUS_NOT_SUPPORTED;
412 methods = domain->methods;
414 status = methods->password_policy(domain, state->mem_ctx, &password_policy);
415 if (NT_STATUS_IS_ERR(status)) {
419 fill_in_password_policy(&state->response, &password_policy);
424 static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain *domain,
426 uint16 *lockout_threshold)
428 struct winbindd_methods *methods;
429 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
430 struct samr_DomInfo12 lockout_policy;
432 *lockout_threshold = 0;
434 methods = domain->methods;
436 status = methods->lockout_policy(domain, mem_ctx, &lockout_policy);
437 if (NT_STATUS_IS_ERR(status)) {
441 *lockout_threshold = lockout_policy.lockout_threshold;
446 static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
448 uint32 *password_properties)
450 struct winbindd_methods *methods;
451 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
452 struct samr_DomInfo1 password_policy;
454 *password_properties = 0;
456 methods = domain->methods;
458 status = methods->password_policy(domain, mem_ctx, &password_policy);
459 if (NT_STATUS_IS_ERR(status)) {
463 *password_properties = password_policy.password_properties;
470 static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
473 bool *internal_ccache)
475 /* accept FILE and WRFILE as krb5_cc_type from the client and then
476 * build the full ccname string based on the user's uid here -
479 const char *gen_cc = NULL;
481 *internal_ccache = true;
487 if (!type || type[0] == '\0') {
491 if (strequal(type, "FILE")) {
492 gen_cc = talloc_asprintf(mem_ctx, "FILE:/tmp/krb5cc_%d", uid);
493 } else if (strequal(type, "WRFILE")) {
494 gen_cc = talloc_asprintf(mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
496 DEBUG(10,("we don't allow to set a %s type ccache\n", type));
500 *internal_ccache = false;
504 gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbindd_pam_ccache");
507 if (gen_cc == NULL) {
508 DEBUG(0,("out of memory\n"));
512 DEBUG(10,("using ccache: %s %s\n", gen_cc, *internal_ccache ? "(internal)":""));
517 static void setup_return_cc_name(struct winbindd_cli_state *state, const char *cc)
519 const char *type = state->request.data.auth.krb5_cc_type;
521 state->response.data.auth.krb5ccname[0] = '\0';
523 if (type[0] == '\0') {
527 if (!strequal(type, "FILE") &&
528 !strequal(type, "WRFILE")) {
529 DEBUG(10,("won't return krbccname for a %s type ccache\n",
534 fstrcpy(state->response.data.auth.krb5ccname, cc);
539 static uid_t get_uid_from_state(struct winbindd_cli_state *state)
543 uid = state->request.data.auth.uid;
546 DEBUG(1,("invalid uid: '%d'\n", uid));
552 /**********************************************************************
553 Authenticate a user with a clear text password using Kerberos and fill up
555 **********************************************************************/
557 static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
558 struct winbindd_cli_state *state,
559 struct netr_SamInfo3 **info3)
562 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
563 krb5_error_code krb5_ret;
564 const char *cc = NULL;
565 const char *principal_s = NULL;
566 const char *service = NULL;
568 fstring name_domain, name_user;
569 time_t ticket_lifetime = 0;
570 time_t renewal_until = 0;
573 time_t time_offset = 0;
574 bool internal_ccache = true;
581 * prepare a krb5_cc_cache string for the user */
583 uid = get_uid_from_state(state);
585 DEBUG(0,("no valid uid\n"));
588 cc = generate_krb5_ccache(state->mem_ctx,
589 state->request.data.auth.krb5_cc_type,
590 state->request.data.auth.uid,
593 return NT_STATUS_NO_MEMORY;
598 * get kerberos properties */
600 if (domain->private_data) {
601 ads = (ADS_STRUCT *)domain->private_data;
602 time_offset = ads->auth.time_offset;
607 * do kerberos auth and setup ccache as the user */
609 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
611 realm = domain->alt_name;
614 principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
615 if (principal_s == NULL) {
616 return NT_STATUS_NO_MEMORY;
619 service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
620 if (service == NULL) {
621 return NT_STATUS_NO_MEMORY;
624 /* if this is a user ccache, we need to act as the user to let the krb5
625 * library handle the chown, etc. */
627 /************************ ENTERING NON-ROOT **********************/
629 if (!internal_ccache) {
630 set_effective_uid(uid);
631 DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
634 result = kerberos_return_info3_from_pac(state->mem_ctx,
636 state->request.data.auth.pass,
643 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
645 if (!internal_ccache) {
646 gain_root_privilege();
649 /************************ RETURNED TO ROOT **********************/
651 if (!NT_STATUS_IS_OK(result)) {
655 DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
658 /* if we had a user's ccache then return that string for the pam
661 if (!internal_ccache) {
663 setup_return_cc_name(state, cc);
665 result = add_ccache_to_list(principal_s,
668 state->request.data.auth.user,
676 if (!NT_STATUS_IS_OK(result)) {
677 DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
682 /* need to delete the memory cred cache, it is not used anymore */
684 krb5_ret = ads_kdestroy(cc);
686 DEBUG(3,("winbindd_raw_kerberos_login: "
687 "could not destroy krb5 credential cache: "
688 "%s\n", error_message(krb5_ret)));
697 /* we could have created a new credential cache with a valid tgt in it
698 * but we werent able to get or verify the service ticket for this
699 * local host and therefor didn't get the PAC, we need to remove that
700 * cache entirely now */
702 krb5_ret = ads_kdestroy(cc);
704 DEBUG(3,("winbindd_raw_kerberos_login: "
705 "could not destroy krb5 credential cache: "
706 "%s\n", error_message(krb5_ret)));
709 if (!NT_STATUS_IS_OK(remove_ccache(state->request.data.auth.user))) {
710 DEBUG(3,("winbindd_raw_kerberos_login: "
711 "could not remove ccache for user %s\n",
712 state->request.data.auth.user));
717 return NT_STATUS_NOT_SUPPORTED;
718 #endif /* HAVE_KRB5 */
721 /****************************************************************
722 ****************************************************************/
724 static bool check_request_flags(uint32_t flags)
726 uint32_t flags_edata = WBFLAG_PAM_AFS_TOKEN |
727 WBFLAG_PAM_INFO3_TEXT |
728 WBFLAG_PAM_INFO3_NDR;
730 if ( ( (flags & flags_edata) == WBFLAG_PAM_AFS_TOKEN) ||
731 ( (flags & flags_edata) == WBFLAG_PAM_INFO3_NDR) ||
732 ( (flags & flags_edata) == WBFLAG_PAM_INFO3_TEXT)||
733 !(flags & flags_edata) ) {
737 DEBUG(1,("check_request_flags: invalid request flags[0x%08X]\n",flags));
742 /****************************************************************
743 ****************************************************************/
745 static NTSTATUS append_data(struct winbindd_cli_state *state,
746 struct netr_SamInfo3 *info3,
747 const char *name_domain,
748 const char *name_user)
751 uint32_t flags = state->request.flags;
753 if (flags & WBFLAG_PAM_USER_SESSION_KEY) {
754 memcpy(state->response.data.auth.user_session_key,
756 sizeof(state->response.data.auth.user_session_key)
760 if (flags & WBFLAG_PAM_LMKEY) {
761 memcpy(state->response.data.auth.first_8_lm_hash,
762 info3->base.LMSessKey.key,
763 sizeof(state->response.data.auth.first_8_lm_hash)
767 if (flags & WBFLAG_PAM_INFO3_TEXT) {
768 result = append_info3_as_txt(state->mem_ctx, state, info3);
769 if (!NT_STATUS_IS_OK(result)) {
770 DEBUG(10,("Failed to append INFO3 (TXT): %s\n",
776 /* currently, anything from here on potentially overwrites extra_data. */
778 if (flags & WBFLAG_PAM_INFO3_NDR) {
779 result = append_info3_as_ndr(state->mem_ctx, state, info3);
780 if (!NT_STATUS_IS_OK(result)) {
781 DEBUG(10,("Failed to append INFO3 (NDR): %s\n",
787 if (flags & WBFLAG_PAM_UNIX_NAME) {
788 result = append_unix_username(state->mem_ctx, state, info3,
789 name_domain, name_user);
790 if (!NT_STATUS_IS_OK(result)) {
791 DEBUG(10,("Failed to append Unix Username: %s\n",
797 if (flags & WBFLAG_PAM_AFS_TOKEN) {
798 result = append_afs_token(state->mem_ctx, state, info3,
799 name_domain, name_user);
800 if (!NT_STATUS_IS_OK(result)) {
801 DEBUG(10,("Failed to append AFS token: %s\n",
810 void winbindd_pam_auth(struct winbindd_cli_state *state)
812 struct winbindd_domain *domain;
813 fstring name_domain, name_user;
814 char *mapped_user = NULL;
816 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
818 /* Ensure null termination */
819 state->request.data.auth.user
820 [sizeof(state->request.data.auth.user)-1]='\0';
822 /* Ensure null termination */
823 state->request.data.auth.pass
824 [sizeof(state->request.data.auth.pass)-1]='\0';
826 DEBUG(3, ("[%5lu]: pam auth %s\n", (unsigned long)state->pid,
827 state->request.data.auth.user));
829 if (!check_request_flags(state->request.flags)) {
830 result = NT_STATUS_INVALID_PARAMETER_MIX;
834 /* Parse domain and username */
836 name_map_status = normalize_name_unmap(state->mem_ctx,
837 state->request.data.auth.user,
840 /* If the name normalization didnt' actually do anything,
841 just use the original name */
843 if (!NT_STATUS_IS_OK(name_map_status) &&
844 !NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
846 mapped_user = state->request.data.auth.user;
849 if (!canonicalize_username(mapped_user, name_domain, name_user)) {
850 result = NT_STATUS_NO_SUCH_USER;
854 domain = find_auth_domain(state, name_domain);
856 if (domain == NULL) {
857 result = NT_STATUS_NO_SUCH_USER;
861 sendto_domain(state, domain);
864 set_auth_errors(&state->response, result);
865 DEBUG(5, ("Plain text authentication for %s returned %s "
867 state->request.data.auth.user,
868 state->response.data.auth.nt_status_string,
869 state->response.data.auth.pam_error));
870 request_error(state);
873 NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
874 struct winbindd_cli_state *state,
875 struct netr_SamInfo3 **info3)
877 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
878 uint16 max_allowed_bad_attempts;
879 fstring name_domain, name_user;
881 enum lsa_SidType type;
882 uchar new_nt_pass[NT_HASH_LEN];
883 const uint8 *cached_nt_pass;
884 const uint8 *cached_salt;
885 struct netr_SamInfo3 *my_info3;
886 time_t kickoff_time, must_change_time;
887 bool password_good = false;
889 struct winbindd_tdc_domain *tdc_domain = NULL;
896 DEBUG(10,("winbindd_dual_pam_auth_cached\n"));
898 /* Parse domain and username */
900 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
903 if (!lookup_cached_name(state->mem_ctx,
908 DEBUG(10,("winbindd_dual_pam_auth_cached: no such user in the cache\n"));
909 return NT_STATUS_NO_SUCH_USER;
912 if (type != SID_NAME_USER) {
913 DEBUG(10,("winbindd_dual_pam_auth_cached: not a user (%s)\n", sid_type_lookup(type)));
914 return NT_STATUS_LOGON_FAILURE;
917 result = winbindd_get_creds(domain,
923 if (!NT_STATUS_IS_OK(result)) {
924 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get creds: %s\n", nt_errstr(result)));
930 E_md4hash(state->request.data.auth.pass, new_nt_pass);
932 dump_data_pw("new_nt_pass", new_nt_pass, NT_HASH_LEN);
933 dump_data_pw("cached_nt_pass", cached_nt_pass, NT_HASH_LEN);
935 dump_data_pw("cached_salt", cached_salt, NT_HASH_LEN);
939 /* In this case we didn't store the nt_hash itself,
940 but the MD5 combination of salt + nt_hash. */
941 uchar salted_hash[NT_HASH_LEN];
942 E_md5hash(cached_salt, new_nt_pass, salted_hash);
944 password_good = (memcmp(cached_nt_pass, salted_hash, NT_HASH_LEN) == 0) ?
947 /* Old cached cred - direct store of nt_hash (bad bad bad !). */
948 password_good = (memcmp(cached_nt_pass, new_nt_pass, NT_HASH_LEN) == 0) ?
954 /* User *DOES* know the password, update logon_time and reset
957 my_info3->base.user_flags |= NETLOGON_CACHED_ACCOUNT;
959 if (my_info3->base.acct_flags & ACB_AUTOLOCK) {
960 return NT_STATUS_ACCOUNT_LOCKED_OUT;
963 if (my_info3->base.acct_flags & ACB_DISABLED) {
964 return NT_STATUS_ACCOUNT_DISABLED;
967 if (my_info3->base.acct_flags & ACB_WSTRUST) {
968 return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
971 if (my_info3->base.acct_flags & ACB_SVRTRUST) {
972 return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
975 if (my_info3->base.acct_flags & ACB_DOMTRUST) {
976 return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
979 if (!(my_info3->base.acct_flags & ACB_NORMAL)) {
980 DEBUG(0,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
981 my_info3->base.acct_flags));
982 return NT_STATUS_LOGON_FAILURE;
985 kickoff_time = nt_time_to_unix(my_info3->base.acct_expiry);
986 if (kickoff_time != 0 && time(NULL) > kickoff_time) {
987 return NT_STATUS_ACCOUNT_EXPIRED;
990 must_change_time = nt_time_to_unix(my_info3->base.force_password_change);
991 if (must_change_time != 0 && must_change_time < time(NULL)) {
992 /* we allow grace logons when the password has expired */
993 my_info3->base.user_flags |= NETLOGON_GRACE_LOGON;
994 /* return NT_STATUS_PASSWORD_EXPIRED; */
999 if ((state->request.flags & WBFLAG_PAM_KRB5) &&
1000 ((tdc_domain = wcache_tdc_fetch_domain(state->mem_ctx, name_domain)) != NULL) &&
1001 (tdc_domain->trust_type & NETR_TRUST_TYPE_UPLEVEL)) {
1004 const char *cc = NULL;
1006 const char *principal_s = NULL;
1007 const char *service = NULL;
1008 bool internal_ccache = false;
1010 uid = get_uid_from_state(state);
1012 DEBUG(0,("winbindd_dual_pam_auth_cached: invalid uid\n"));
1013 return NT_STATUS_INVALID_PARAMETER;
1016 cc = generate_krb5_ccache(state->mem_ctx,
1017 state->request.data.auth.krb5_cc_type,
1018 state->request.data.auth.uid,
1021 return NT_STATUS_NO_MEMORY;
1024 realm = domain->alt_name;
1027 principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
1028 if (principal_s == NULL) {
1029 return NT_STATUS_NO_MEMORY;
1032 service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
1033 if (service == NULL) {
1034 return NT_STATUS_NO_MEMORY;
1037 if (!internal_ccache) {
1039 setup_return_cc_name(state, cc);
1041 result = add_ccache_to_list(principal_s,
1044 state->request.data.auth.user,
1048 time(NULL) + lp_winbind_cache_time(),
1049 time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
1052 if (!NT_STATUS_IS_OK(result)) {
1053 DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
1054 "to add ccache to list: %s\n",
1055 nt_errstr(result)));
1059 #endif /* HAVE_KRB5 */
1061 /* FIXME: we possibly should handle logon hours as well (does xp when
1062 * offline?) see auth/auth_sam.c:sam_account_ok for details */
1064 unix_to_nt_time(&my_info3->base.last_logon, time(NULL));
1065 my_info3->base.bad_password_count = 0;
1067 result = winbindd_update_creds_by_info3(domain,
1069 state->request.data.auth.user,
1070 state->request.data.auth.pass,
1072 if (!NT_STATUS_IS_OK(result)) {
1073 DEBUG(1,("winbindd_dual_pam_auth_cached: failed to update creds: %s\n",
1074 nt_errstr(result)));
1078 return NT_STATUS_OK;
1082 /* User does *NOT* know the correct password, modify info3 accordingly */
1084 /* failure of this is not critical */
1085 result = get_max_bad_attempts_from_lockout_policy(domain, state->mem_ctx, &max_allowed_bad_attempts);
1086 if (!NT_STATUS_IS_OK(result)) {
1087 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get max_allowed_bad_attempts. "
1088 "Won't be able to honour account lockout policies\n"));
1091 /* increase counter */
1092 my_info3->base.bad_password_count++;
1094 if (max_allowed_bad_attempts == 0) {
1099 if (my_info3->base.bad_password_count >= max_allowed_bad_attempts) {
1101 uint32 password_properties;
1103 result = get_pwd_properties(domain, state->mem_ctx, &password_properties);
1104 if (!NT_STATUS_IS_OK(result)) {
1105 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
1108 if ((my_info3->base.rid != DOMAIN_USER_RID_ADMIN) ||
1109 (password_properties & DOMAIN_PASSWORD_LOCKOUT_ADMINS)) {
1110 my_info3->base.acct_flags |= ACB_AUTOLOCK;
1115 result = winbindd_update_creds_by_info3(domain,
1117 state->request.data.auth.user,
1121 if (!NT_STATUS_IS_OK(result)) {
1122 DEBUG(0,("winbindd_dual_pam_auth_cached: failed to update creds %s\n",
1123 nt_errstr(result)));
1126 return NT_STATUS_LOGON_FAILURE;
1129 NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
1130 struct winbindd_cli_state *state,
1131 struct netr_SamInfo3 **info3)
1133 struct winbindd_domain *contact_domain;
1134 fstring name_domain, name_user;
1137 DEBUG(10,("winbindd_dual_pam_auth_kerberos\n"));
1139 /* Parse domain and username */
1141 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
1143 /* what domain should we contact? */
1146 if (!(contact_domain = find_domain_from_name(name_domain))) {
1147 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1148 state->request.data.auth.user, name_domain, name_user, name_domain));
1149 result = NT_STATUS_NO_SUCH_USER;
1154 if (is_myname(name_domain)) {
1155 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1156 result = NT_STATUS_NO_SUCH_USER;
1160 contact_domain = find_domain_from_name(name_domain);
1161 if (contact_domain == NULL) {
1162 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1163 state->request.data.auth.user, name_domain, name_user, name_domain));
1165 contact_domain = find_our_domain();
1169 if (contact_domain->initialized &&
1170 contact_domain->active_directory) {
1174 if (!contact_domain->initialized) {
1175 init_dc_connection(contact_domain);
1178 if (!contact_domain->active_directory) {
1179 DEBUG(3,("krb5 auth requested but domain is not Active Directory\n"));
1180 return NT_STATUS_INVALID_LOGON_TYPE;
1183 result = winbindd_raw_kerberos_login(contact_domain, state, info3);
1188 typedef NTSTATUS (*netlogon_fn_t)(struct rpc_pipe_client *cli,
1189 TALLOC_CTX *mem_ctx,
1190 uint32 logon_parameters,
1192 const char *username,
1194 const char *workstation,
1195 const uint8 chal[8],
1196 DATA_BLOB lm_response,
1197 DATA_BLOB nt_response,
1198 struct netr_SamInfo3 **info3);
1200 NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
1201 struct winbindd_cli_state *state,
1202 struct netr_SamInfo3 **info3)
1205 struct rpc_pipe_client *netlogon_pipe;
1210 unsigned char local_lm_response[24];
1211 unsigned char local_nt_response[24];
1212 struct winbindd_domain *contact_domain;
1213 fstring name_domain, name_user;
1216 struct netr_SamInfo3 *my_info3 = NULL;
1220 DEBUG(10,("winbindd_dual_pam_auth_samlogon\n"));
1222 /* Parse domain and username */
1224 parse_domain_user(state->request.data.auth.user, name_domain, name_user);
1226 /* do password magic */
1229 generate_random_buffer(chal, 8);
1230 if (lp_client_ntlmv2_auth()) {
1231 DATA_BLOB server_chal;
1232 DATA_BLOB names_blob;
1233 DATA_BLOB nt_response;
1234 DATA_BLOB lm_response;
1235 server_chal = data_blob_talloc(state->mem_ctx, chal, 8);
1237 /* note that the 'workgroup' here is a best guess - we don't know
1238 the server's domain at this point. The 'server name' is also
1241 names_blob = NTLMv2_generate_names_blob(global_myname(), lp_workgroup());
1243 if (!SMBNTLMv2encrypt(name_user, name_domain,
1244 state->request.data.auth.pass,
1247 &lm_response, &nt_response, NULL)) {
1248 data_blob_free(&names_blob);
1249 data_blob_free(&server_chal);
1250 DEBUG(0, ("winbindd_pam_auth: SMBNTLMv2encrypt() failed!\n"));
1251 result = NT_STATUS_NO_MEMORY;
1254 data_blob_free(&names_blob);
1255 data_blob_free(&server_chal);
1256 lm_resp = data_blob_talloc(state->mem_ctx, lm_response.data,
1257 lm_response.length);
1258 nt_resp = data_blob_talloc(state->mem_ctx, nt_response.data,
1259 nt_response.length);
1260 data_blob_free(&lm_response);
1261 data_blob_free(&nt_response);
1264 if (lp_client_lanman_auth()
1265 && SMBencrypt(state->request.data.auth.pass,
1267 local_lm_response)) {
1268 lm_resp = data_blob_talloc(state->mem_ctx,
1270 sizeof(local_lm_response));
1272 lm_resp = data_blob_null;
1274 SMBNTencrypt(state->request.data.auth.pass,
1278 nt_resp = data_blob_talloc(state->mem_ctx,
1280 sizeof(local_nt_response));
1283 /* what domain should we contact? */
1286 if (!(contact_domain = find_domain_from_name(name_domain))) {
1287 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1288 state->request.data.auth.user, name_domain, name_user, name_domain));
1289 result = NT_STATUS_NO_SUCH_USER;
1294 if (is_myname(name_domain)) {
1295 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1296 result = NT_STATUS_NO_SUCH_USER;
1300 contact_domain = find_our_domain();
1303 /* check authentication loop */
1306 netlogon_fn_t logon_fn;
1308 ZERO_STRUCTP(my_info3);
1311 result = cm_connect_netlogon(contact_domain, &netlogon_pipe);
1313 if (!NT_STATUS_IS_OK(result)) {
1314 DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
1318 /* It is really important to try SamLogonEx here,
1319 * because in a clustered environment, we want to use
1320 * one machine account from multiple physical
1323 * With a normal SamLogon call, we must keep the
1324 * credentials chain updated and intact between all
1325 * users of the machine account (which would imply
1326 * cross-node communication for every NTLM logon).
1328 * (The credentials chain is not per NETLOGON pipe
1329 * connection, but globally on the server/client pair
1332 * When using SamLogonEx, the credentials are not
1333 * supplied, but the session key is implied by the
1334 * wrapping SamLogon context.
1336 * -- abartlet 21 April 2008
1339 logon_fn = contact_domain->can_do_samlogon_ex
1340 ? rpccli_netlogon_sam_network_logon_ex
1341 : rpccli_netlogon_sam_network_logon;
1343 result = logon_fn(netlogon_pipe,
1346 contact_domain->dcname, /* server name */
1347 name_user, /* user name */
1348 name_domain, /* target domain */
1349 global_myname(), /* workstation */
1356 if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR)
1357 && contact_domain->can_do_samlogon_ex) {
1358 DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
1359 "retrying with NetSamLogon\n"));
1360 contact_domain->can_do_samlogon_ex = false;
1365 /* We have to try a second time as cm_connect_netlogon
1366 might not yet have noticed that the DC has killed
1369 if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) {
1374 /* if we get access denied, a possible cause was that we had
1375 and open connection to the DC, but someone changed our
1376 machine account password out from underneath us using 'net
1377 rpc changetrustpw' */
1379 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1380 DEBUG(3,("winbindd_pam_auth: sam_logon returned "
1381 "ACCESS_DENIED. Maybe the trust account "
1382 "password was changed and we didn't know it. "
1383 "Killing connections to domain %s\n",
1385 invalidate_cm_connection(&contact_domain->conn);
1389 } while ( (attempts < 2) && retry );
1391 /* handle the case where a NT4 DC does not fill in the acct_flags in
1392 * the samlogon reply info3. When accurate info3 is required by the
1393 * caller, we look up the account flags ourselve - gd */
1395 if ((state->request.flags & WBFLAG_PAM_INFO3_TEXT) &&
1396 NT_STATUS_IS_OK(result) && (my_info3->base.acct_flags == 0)) {
1398 struct rpc_pipe_client *samr_pipe;
1399 POLICY_HND samr_domain_handle, user_pol;
1400 union samr_UserInfo *info = NULL;
1401 NTSTATUS status_tmp;
1404 status_tmp = cm_connect_sam(contact_domain, state->mem_ctx,
1405 &samr_pipe, &samr_domain_handle);
1407 if (!NT_STATUS_IS_OK(status_tmp)) {
1408 DEBUG(3, ("could not open handle to SAMR pipe: %s\n",
1409 nt_errstr(status_tmp)));
1413 status_tmp = rpccli_samr_OpenUser(samr_pipe, state->mem_ctx,
1414 &samr_domain_handle,
1415 MAXIMUM_ALLOWED_ACCESS,
1419 if (!NT_STATUS_IS_OK(status_tmp)) {
1420 DEBUG(3, ("could not open user handle on SAMR pipe: %s\n",
1421 nt_errstr(status_tmp)));
1425 status_tmp = rpccli_samr_QueryUserInfo(samr_pipe, state->mem_ctx,
1430 if (!NT_STATUS_IS_OK(status_tmp)) {
1431 DEBUG(3, ("could not query user info on SAMR pipe: %s\n",
1432 nt_errstr(status_tmp)));
1433 rpccli_samr_Close(samr_pipe, state->mem_ctx, &user_pol);
1437 acct_flags = info->info16.acct_flags;
1439 if (acct_flags == 0) {
1440 rpccli_samr_Close(samr_pipe, state->mem_ctx, &user_pol);
1444 my_info3->base.acct_flags = acct_flags;
1446 DEBUG(10,("successfully retrieved acct_flags 0x%x\n", acct_flags));
1448 rpccli_samr_Close(samr_pipe, state->mem_ctx, &user_pol);
1456 enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
1457 struct winbindd_cli_state *state)
1459 NTSTATUS result = NT_STATUS_LOGON_FAILURE;
1460 NTSTATUS krb5_result = NT_STATUS_OK;
1461 fstring name_domain, name_user;
1463 fstring domain_user;
1464 struct netr_SamInfo3 *info3 = NULL;
1465 NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
1467 /* Ensure null termination */
1468 state->request.data.auth.user[sizeof(state->request.data.auth.user)-1]='\0';
1470 /* Ensure null termination */
1471 state->request.data.auth.pass[sizeof(state->request.data.auth.pass)-1]='\0';
1473 DEBUG(3, ("[%5lu]: dual pam auth %s\n", (unsigned long)state->pid,
1474 state->request.data.auth.user));
1476 if (!check_request_flags(state->request.flags)) {
1477 result = NT_STATUS_INVALID_PARAMETER_MIX;
1481 /* Parse domain and username */
1483 name_map_status = normalize_name_unmap(state->mem_ctx,
1484 state->request.data.auth.user,
1487 /* If the name normalization didnt' actually do anything,
1488 just use the original name */
1490 if (!NT_STATUS_IS_OK(name_map_status) &&
1491 !NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
1493 mapped_user = state->request.data.auth.user;
1496 parse_domain_user(mapped_user, name_domain, name_user);
1498 if ( mapped_user != state->request.data.auth.user ) {
1499 fstr_sprintf( domain_user, "%s\\%s", name_domain, name_user );
1500 safe_strcpy( state->request.data.auth.user, domain_user,
1501 sizeof(state->request.data.auth.user)-1 );
1504 if (domain->online == false) {
1505 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1506 if (domain->startup) {
1507 /* Logons are very important to users. If we're offline and
1508 we get a request within the first 30 seconds of startup,
1509 try very hard to find a DC and go online. */
1511 DEBUG(10,("winbindd_dual_pam_auth: domain: %s offline and auth "
1512 "request in startup mode.\n", domain->name ));
1514 winbindd_flush_negative_conn_cache(domain);
1515 result = init_dc_connection(domain);
1519 DEBUG(10,("winbindd_dual_pam_auth: domain: %s last was %s\n", domain->name, domain->online ? "online":"offline"));
1521 /* Check for Kerberos authentication */
1522 if (domain->online && (state->request.flags & WBFLAG_PAM_KRB5)) {
1524 result = winbindd_dual_pam_auth_kerberos(domain, state, &info3);
1525 /* save for later */
1526 krb5_result = result;
1529 if (NT_STATUS_IS_OK(result)) {
1530 DEBUG(10,("winbindd_dual_pam_auth_kerberos succeeded\n"));
1531 goto process_result;
1533 DEBUG(10,("winbindd_dual_pam_auth_kerberos failed: %s\n", nt_errstr(result)));
1536 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
1537 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
1538 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1539 DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
1540 set_domain_offline( domain );
1544 /* there are quite some NT_STATUS errors where there is no
1545 * point in retrying with a samlogon, we explictly have to take
1546 * care not to increase the bad logon counter on the DC */
1548 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_DISABLED) ||
1549 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_EXPIRED) ||
1550 NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_LOCKED_OUT) ||
1551 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_LOGON_HOURS) ||
1552 NT_STATUS_EQUAL(result, NT_STATUS_INVALID_WORKSTATION) ||
1553 NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE) ||
1554 NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER) ||
1555 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_EXPIRED) ||
1556 NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE) ||
1557 NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD)) {
1558 goto process_result;
1561 if (state->request.flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
1562 DEBUG(3,("falling back to samlogon\n"));
1570 /* Check for Samlogon authentication */
1571 if (domain->online) {
1572 result = winbindd_dual_pam_auth_samlogon(domain, state, &info3);
1574 if (NT_STATUS_IS_OK(result)) {
1575 DEBUG(10,("winbindd_dual_pam_auth_samlogon succeeded\n"));
1576 /* add the Krb5 err if we have one */
1577 if ( NT_STATUS_EQUAL(krb5_result, NT_STATUS_TIME_DIFFERENCE_AT_DC ) ) {
1578 info3->base.user_flags |= LOGON_KRB5_FAIL_CLOCK_SKEW;
1580 goto process_result;
1583 DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n",
1584 nt_errstr(result)));
1586 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
1587 NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
1588 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND))
1590 DEBUG(10,("winbindd_dual_pam_auth_samlogon setting domain to offline\n"));
1591 set_domain_offline( domain );
1595 if (domain->online) {
1596 /* We're still online - fail. */
1602 /* Check for Cached logons */
1603 if (!domain->online && (state->request.flags & WBFLAG_PAM_CACHED_LOGIN) &&
1604 lp_winbind_offline_logon()) {
1606 result = winbindd_dual_pam_auth_cached(domain, state, &info3);
1608 if (NT_STATUS_IS_OK(result)) {
1609 DEBUG(10,("winbindd_dual_pam_auth_cached succeeded\n"));
1610 goto process_result;
1612 DEBUG(10,("winbindd_dual_pam_auth_cached failed: %s\n", nt_errstr(result)));
1619 if (NT_STATUS_IS_OK(result)) {
1623 /* In all codepaths where result == NT_STATUS_OK info3 must have
1624 been initialized. */
1626 result = NT_STATUS_INTERNAL_ERROR;
1630 wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
1631 netsamlogon_cache_store(name_user, info3);
1633 /* save name_to_sid info as early as possible (only if
1634 this is our primary domain so we don't invalidate
1635 the cache entry by storing the seq_num for the wrong
1637 if ( domain->primary ) {
1638 sid_compose(&user_sid, info3->base.domain_sid,
1640 cache_name2sid(domain, name_domain, name_user,
1641 SID_NAME_USER, &user_sid);
1644 /* Check if the user is in the right group */
1646 if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, info3,
1647 state->request.data.auth.require_membership_of_sid))) {
1648 DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
1649 state->request.data.auth.user,
1650 state->request.data.auth.require_membership_of_sid));
1654 result = append_data(state, info3, name_domain, name_user);
1655 if (!NT_STATUS_IS_OK(result)) {
1659 if ((state->request.flags & WBFLAG_PAM_CACHED_LOGIN)) {
1661 /* Store in-memory creds for single-signon using ntlm_auth. */
1662 result = winbindd_add_memory_creds(state->request.data.auth.user,
1663 get_uid_from_state(state),
1664 state->request.data.auth.pass);
1666 if (!NT_STATUS_IS_OK(result)) {
1667 DEBUG(10,("Failed to store memory creds: %s\n", nt_errstr(result)));
1671 if (lp_winbind_offline_logon()) {
1672 result = winbindd_store_creds(domain,
1674 state->request.data.auth.user,
1675 state->request.data.auth.pass,
1677 if (!NT_STATUS_IS_OK(result)) {
1679 /* Release refcount. */
1680 winbindd_delete_memory_creds(state->request.data.auth.user);
1682 DEBUG(10,("Failed to store creds: %s\n", nt_errstr(result)));
1689 if (state->request.flags & WBFLAG_PAM_GET_PWD_POLICY) {
1690 struct winbindd_domain *our_domain = find_our_domain();
1692 /* This is not entirely correct I believe, but it is
1693 consistent. Only apply the password policy settings
1694 too warn users for our own domain. Cannot obtain these
1695 from trusted DCs all the time so don't do it at all.
1698 result = NT_STATUS_NOT_SUPPORTED;
1699 if (our_domain == domain ) {
1700 result = fillup_password_policy(our_domain, state);
1703 if (!NT_STATUS_IS_OK(result)
1704 && !NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) )
1706 DEBUG(10,("Failed to get password policies for domain %s: %s\n",
1707 domain->name, nt_errstr(result)));
1712 result = NT_STATUS_OK;
1716 /* give us a more useful (more correct?) error code */
1717 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
1718 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
1719 result = NT_STATUS_NO_LOGON_SERVERS;
1722 set_auth_errors(&state->response, result);
1724 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
1725 state->request.data.auth.user,
1726 state->response.data.auth.nt_status_string,
1727 state->response.data.auth.pam_error));
1729 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1733 /**********************************************************************
1734 Challenge Response Authentication Protocol
1735 **********************************************************************/
1737 void winbindd_pam_auth_crap(struct winbindd_cli_state *state)
1739 struct winbindd_domain *domain = NULL;
1740 const char *domain_name = NULL;
1743 if (!check_request_flags(state->request.flags)) {
1744 result = NT_STATUS_INVALID_PARAMETER_MIX;
1748 if (!state->privileged) {
1749 char *error_string = NULL;
1750 DEBUG(2, ("winbindd_pam_auth_crap: non-privileged access "
1752 DEBUGADD(2, ("winbindd_pam_auth_crap: Ensure permissions "
1753 "on %s are set correctly.\n",
1754 get_winbind_priv_pipe_dir()));
1755 /* send a better message than ACCESS_DENIED */
1756 error_string = talloc_asprintf(state->mem_ctx,
1757 "winbind client not authorized "
1758 "to use winbindd_pam_auth_crap."
1759 " Ensure permissions on %s "
1760 "are set correctly.",
1761 get_winbind_priv_pipe_dir());
1762 fstrcpy(state->response.data.auth.error_string, error_string);
1763 result = NT_STATUS_ACCESS_DENIED;
1767 /* Ensure null termination */
1768 state->request.data.auth_crap.user
1769 [sizeof(state->request.data.auth_crap.user)-1]=0;
1770 state->request.data.auth_crap.domain
1771 [sizeof(state->request.data.auth_crap.domain)-1]=0;
1773 DEBUG(3, ("[%5lu]: pam auth crap domain: [%s] user: %s\n",
1774 (unsigned long)state->pid,
1775 state->request.data.auth_crap.domain,
1776 state->request.data.auth_crap.user));
1778 if (*state->request.data.auth_crap.domain != '\0') {
1779 domain_name = state->request.data.auth_crap.domain;
1780 } else if (lp_winbind_use_default_domain()) {
1781 domain_name = lp_workgroup();
1784 if (domain_name != NULL)
1785 domain = find_auth_domain(state, domain_name);
1787 if (domain != NULL) {
1788 sendto_domain(state, domain);
1792 result = NT_STATUS_NO_SUCH_USER;
1795 set_auth_errors(&state->response, result);
1796 DEBUG(5, ("CRAP authentication for %s\\%s returned %s (PAM: %d)\n",
1797 state->request.data.auth_crap.domain,
1798 state->request.data.auth_crap.user,
1799 state->response.data.auth.nt_status_string,
1800 state->response.data.auth.pam_error));
1801 request_error(state);
1806 enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
1807 struct winbindd_cli_state *state)
1810 struct netr_SamInfo3 *info3 = NULL;
1811 struct rpc_pipe_client *netlogon_pipe;
1812 const char *name_user = NULL;
1813 const char *name_domain = NULL;
1814 const char *workstation;
1815 struct winbindd_domain *contact_domain;
1819 DATA_BLOB lm_resp, nt_resp;
1821 /* This is child-only, so no check for privileged access is needed
1824 /* Ensure null termination */
1825 state->request.data.auth_crap.user[sizeof(state->request.data.auth_crap.user)-1]=0;
1826 state->request.data.auth_crap.domain[sizeof(state->request.data.auth_crap.domain)-1]=0;
1828 if (!check_request_flags(state->request.flags)) {
1829 result = NT_STATUS_INVALID_PARAMETER_MIX;
1833 name_user = state->request.data.auth_crap.user;
1835 if (*state->request.data.auth_crap.domain) {
1836 name_domain = state->request.data.auth_crap.domain;
1837 } else if (lp_winbind_use_default_domain()) {
1838 name_domain = lp_workgroup();
1840 DEBUG(5,("no domain specified with username (%s) - failing auth\n",
1842 result = NT_STATUS_NO_SUCH_USER;
1846 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
1847 name_domain, name_user));
1849 if (*state->request.data.auth_crap.workstation) {
1850 workstation = state->request.data.auth_crap.workstation;
1852 workstation = global_myname();
1855 if (state->request.data.auth_crap.lm_resp_len > sizeof(state->request.data.auth_crap.lm_resp)
1856 || state->request.data.auth_crap.nt_resp_len > sizeof(state->request.data.auth_crap.nt_resp)) {
1857 DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
1858 state->request.data.auth_crap.lm_resp_len,
1859 state->request.data.auth_crap.nt_resp_len));
1860 result = NT_STATUS_INVALID_PARAMETER;
1864 lm_resp = data_blob_talloc(state->mem_ctx, state->request.data.auth_crap.lm_resp,
1865 state->request.data.auth_crap.lm_resp_len);
1866 nt_resp = data_blob_talloc(state->mem_ctx, state->request.data.auth_crap.nt_resp,
1867 state->request.data.auth_crap.nt_resp_len);
1869 /* what domain should we contact? */
1872 if (!(contact_domain = find_domain_from_name(name_domain))) {
1873 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1874 state->request.data.auth_crap.user, name_domain, name_user, name_domain));
1875 result = NT_STATUS_NO_SUCH_USER;
1879 if (is_myname(name_domain)) {
1880 DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1881 result = NT_STATUS_NO_SUCH_USER;
1884 contact_domain = find_our_domain();
1888 netlogon_fn_t logon_fn;
1892 netlogon_pipe = NULL;
1893 result = cm_connect_netlogon(contact_domain, &netlogon_pipe);
1895 if (!NT_STATUS_IS_OK(result)) {
1896 DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n",
1897 nt_errstr(result)));
1901 logon_fn = contact_domain->can_do_samlogon_ex
1902 ? rpccli_netlogon_sam_network_logon_ex
1903 : rpccli_netlogon_sam_network_logon;
1905 result = logon_fn(netlogon_pipe,
1907 state->request.data.auth_crap.logon_parameters,
1908 contact_domain->dcname,
1911 /* Bug #3248 - found by Stefan Burkei. */
1912 workstation, /* We carefully set this above so use it... */
1913 state->request.data.auth_crap.chal,
1918 if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR)
1919 && contact_domain->can_do_samlogon_ex) {
1920 DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
1921 "retrying with NetSamLogon\n"));
1922 contact_domain->can_do_samlogon_ex = false;
1929 /* We have to try a second time as cm_connect_netlogon
1930 might not yet have noticed that the DC has killed
1933 if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) {
1938 /* if we get access denied, a possible cause was that we had and open
1939 connection to the DC, but someone changed our machine account password
1940 out from underneath us using 'net rpc changetrustpw' */
1942 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1943 DEBUG(3,("winbindd_pam_auth: sam_logon returned "
1944 "ACCESS_DENIED. Maybe the trust account "
1945 "password was changed and we didn't know it. "
1946 "Killing connections to domain %s\n",
1948 invalidate_cm_connection(&contact_domain->conn);
1952 } while ( (attempts < 2) && retry );
1954 if (NT_STATUS_IS_OK(result)) {
1956 wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
1957 netsamlogon_cache_store(name_user, info3);
1959 /* Check if the user is in the right group */
1961 if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, info3,
1962 state->request.data.auth_crap.require_membership_of_sid))) {
1963 DEBUG(3, ("User %s is not in the required group (%s), so "
1964 "crap authentication is rejected\n",
1965 state->request.data.auth_crap.user,
1966 state->request.data.auth_crap.require_membership_of_sid));
1970 result = append_data(state, info3, name_domain, name_user);
1971 if (!NT_STATUS_IS_OK(result)) {
1978 /* give us a more useful (more correct?) error code */
1979 if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
1980 (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
1981 result = NT_STATUS_NO_LOGON_SERVERS;
1984 if (state->request.flags & WBFLAG_PAM_NT_STATUS_SQUASH) {
1985 result = nt_status_squash(result);
1988 set_auth_errors(&state->response, result);
1990 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
1991 ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n",
1994 state->response.data.auth.nt_status_string,
1995 state->response.data.auth.pam_error));
1997 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2000 /* Change a user password */
2002 void winbindd_pam_chauthtok(struct winbindd_cli_state *state)
2004 fstring domain, user;
2006 struct winbindd_domain *contact_domain;
2007 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
2009 DEBUG(3, ("[%5lu]: pam chauthtok %s\n", (unsigned long)state->pid,
2010 state->request.data.chauthtok.user));
2014 nt_status = normalize_name_unmap(state->mem_ctx,
2015 state->request.data.chauthtok.user,
2018 /* Update the chauthtok name if we did any mapping */
2020 if (NT_STATUS_IS_OK(nt_status) ||
2021 NT_STATUS_EQUAL(nt_status, NT_STATUS_FILE_RENAMED))
2023 fstrcpy(state->request.data.chauthtok.user, mapped_user);
2026 /* Must pass in state->...chauthtok.user because
2027 canonicalize_username() assumes an fstring(). Since
2028 we have already copied it (if necessary), this is ok. */
2030 if (!canonicalize_username(state->request.data.chauthtok.user, domain, user)) {
2031 set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
2032 DEBUG(5, ("winbindd_pam_chauthtok: canonicalize_username %s failed with %s"
2034 state->request.data.auth.user,
2035 state->response.data.auth.nt_status_string,
2036 state->response.data.auth.pam_error));
2037 request_error(state);
2041 contact_domain = find_domain_from_name(domain);
2042 if (!contact_domain) {
2043 set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
2044 DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n",
2045 state->request.data.chauthtok.user, domain, user, domain));
2046 request_error(state);
2050 sendto_domain(state, contact_domain);
2053 enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact_domain,
2054 struct winbindd_cli_state *state)
2057 char *newpass = NULL;
2059 struct rpc_pipe_client *cli;
2060 bool got_info = false;
2061 struct samr_DomInfo1 *info = NULL;
2062 struct samr_ChangeReject *reject = NULL;
2063 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
2064 fstring domain, user;
2066 DEBUG(3, ("[%5lu]: dual pam chauthtok %s\n", (unsigned long)state->pid,
2067 state->request.data.auth.user));
2069 if (!parse_domain_user(state->request.data.chauthtok.user, domain, user)) {
2073 /* Change password */
2075 oldpass = state->request.data.chauthtok.oldpass;
2076 newpass = state->request.data.chauthtok.newpass;
2078 /* Initialize reject reason */
2079 state->response.data.auth.reject_reason = Undefined;
2081 /* Get sam handle */
2083 result = cm_connect_sam(contact_domain, state->mem_ctx, &cli,
2085 if (!NT_STATUS_IS_OK(result)) {
2086 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
2090 result = rpccli_samr_chgpasswd_user3(cli, state->mem_ctx,
2097 /* Windows 2003 returns NT_STATUS_PASSWORD_RESTRICTION */
2099 if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) ) {
2101 fill_in_password_policy(&state->response, info);
2103 state->response.data.auth.reject_reason =
2109 /* only fallback when the chgpasswd_user3 call is not supported */
2110 if ((NT_STATUS_EQUAL(result, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR))) ||
2111 (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) ||
2112 (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED))) {
2114 DEBUG(10,("Password change with chgpasswd_user3 failed with: %s, retrying chgpasswd_user2\n",
2115 nt_errstr(result)));
2117 result = rpccli_samr_chgpasswd_user2(cli, state->mem_ctx, user, newpass, oldpass);
2119 /* Windows 2000 returns NT_STATUS_ACCOUNT_RESTRICTION.
2120 Map to the same status code as Windows 2003. */
2122 if ( NT_STATUS_EQUAL(NT_STATUS_ACCOUNT_RESTRICTION, result ) ) {
2123 result = NT_STATUS_PASSWORD_RESTRICTION;
2129 if (NT_STATUS_IS_OK(result) && (state->request.flags & WBFLAG_PAM_CACHED_LOGIN)) {
2131 /* Update the single sign-on memory creds. */
2132 result = winbindd_replace_memory_creds(state->request.data.chauthtok.user,
2135 /* When we login from gdm or xdm and password expires,
2136 * we change password, but there are no memory crendentials
2137 * So, winbindd_replace_memory_creds() returns
2138 * NT_STATUS_OBJECT_NAME_NOT_FOUND. This is not a failure.
2141 if (NT_STATUS_EQUAL(result, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
2142 result = NT_STATUS_OK;
2145 if (!NT_STATUS_IS_OK(result)) {
2146 DEBUG(10,("Failed to replace memory creds: %s\n", nt_errstr(result)));
2147 goto process_result;
2150 if (lp_winbind_offline_logon()) {
2151 result = winbindd_update_creds_by_name(contact_domain,
2152 state->mem_ctx, user,
2154 /* Again, this happens when we login from gdm or xdm
2155 * and the password expires, *BUT* cached crendentials
2156 * doesn't exist. winbindd_update_creds_by_name()
2157 * returns NT_STATUS_NO_SUCH_USER.
2158 * This is not a failure.
2161 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
2162 result = NT_STATUS_OK;
2165 if (!NT_STATUS_IS_OK(result)) {
2166 DEBUG(10,("Failed to store creds: %s\n", nt_errstr(result)));
2167 goto process_result;
2172 if (!NT_STATUS_IS_OK(result) && !got_info && contact_domain) {
2174 NTSTATUS policy_ret;
2176 policy_ret = fillup_password_policy(contact_domain, state);
2178 /* failure of this is non critical, it will just provide no
2179 * additional information to the client why the change has
2180 * failed - Guenther */
2182 if (!NT_STATUS_IS_OK(policy_ret)) {
2183 DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(policy_ret)));
2184 goto process_result;
2190 set_auth_errors(&state->response, result);
2192 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2193 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2196 state->response.data.auth.nt_status_string,
2197 state->response.data.auth.pam_error));
2199 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2202 void winbindd_pam_logoff(struct winbindd_cli_state *state)
2204 struct winbindd_domain *domain;
2205 fstring name_domain, user;
2206 uid_t caller_uid = (uid_t)-1;
2207 uid_t request_uid = state->request.data.logoff.uid;
2209 DEBUG(3, ("[%5lu]: pam logoff %s\n", (unsigned long)state->pid,
2210 state->request.data.logoff.user));
2212 /* Ensure null termination */
2213 state->request.data.logoff.user
2214 [sizeof(state->request.data.logoff.user)-1]='\0';
2216 state->request.data.logoff.krb5ccname
2217 [sizeof(state->request.data.logoff.krb5ccname)-1]='\0';
2219 if (request_uid == (gid_t)-1) {
2223 if (!canonicalize_username(state->request.data.logoff.user, name_domain, user)) {
2227 if ((domain = find_auth_domain(state, name_domain)) == NULL) {
2231 if ((sys_getpeereid(state->sock, &caller_uid)) != 0) {
2232 DEBUG(1,("winbindd_pam_logoff: failed to check peerid: %s\n",
2237 switch (caller_uid) {
2241 /* root must be able to logoff any user - gd */
2242 state->request.data.logoff.uid = request_uid;
2245 if (caller_uid != request_uid) {
2246 DEBUG(1,("winbindd_pam_logoff: caller requested invalid uid\n"));
2249 state->request.data.logoff.uid = caller_uid;
2253 sendto_domain(state, domain);
2257 set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
2258 DEBUG(5, ("Pam Logoff for %s returned %s "
2260 state->request.data.logoff.user,
2261 state->response.data.auth.nt_status_string,
2262 state->response.data.auth.pam_error));
2263 request_error(state);
2267 enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
2268 struct winbindd_cli_state *state)
2270 NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
2272 DEBUG(3, ("[%5lu]: pam dual logoff %s\n", (unsigned long)state->pid,
2273 state->request.data.logoff.user));
2275 if (!(state->request.flags & WBFLAG_PAM_KRB5)) {
2276 result = NT_STATUS_OK;
2277 goto process_result;
2280 if (state->request.data.logoff.krb5ccname[0] == '\0') {
2281 result = NT_STATUS_OK;
2282 goto process_result;
2287 if (state->request.data.logoff.uid < 0) {
2288 DEBUG(0,("winbindd_pam_logoff: invalid uid\n"));
2289 goto process_result;
2292 /* what we need here is to find the corresponding krb5 ccache name *we*
2293 * created for a given username and destroy it */
2295 if (!ccache_entry_exists(state->request.data.logoff.user)) {
2296 result = NT_STATUS_OK;
2297 DEBUG(10,("winbindd_pam_logoff: no entry found.\n"));
2298 goto process_result;
2301 if (!ccache_entry_identical(state->request.data.logoff.user,
2302 state->request.data.logoff.uid,
2303 state->request.data.logoff.krb5ccname)) {
2304 DEBUG(0,("winbindd_pam_logoff: cached entry differs.\n"));
2305 goto process_result;
2308 result = remove_ccache(state->request.data.logoff.user);
2309 if (!NT_STATUS_IS_OK(result)) {
2310 DEBUG(0,("winbindd_pam_logoff: failed to remove ccache: %s\n",
2311 nt_errstr(result)));
2312 goto process_result;
2316 result = NT_STATUS_NOT_SUPPORTED;
2321 winbindd_delete_memory_creds(state->request.data.logoff.user);
2323 set_auth_errors(&state->response, result);
2325 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2328 /* Change user password with auth crap*/
2330 void winbindd_pam_chng_pswd_auth_crap(struct winbindd_cli_state *state)
2332 struct winbindd_domain *domain = NULL;
2333 const char *domain_name = NULL;
2335 /* Ensure null termination */
2336 state->request.data.chng_pswd_auth_crap.user[
2337 sizeof(state->request.data.chng_pswd_auth_crap.user)-1]=0;
2338 state->request.data.chng_pswd_auth_crap.domain[
2339 sizeof(state->request.data.chng_pswd_auth_crap.domain)-1]=0;
2341 DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
2342 (unsigned long)state->pid,
2343 state->request.data.chng_pswd_auth_crap.domain,
2344 state->request.data.chng_pswd_auth_crap.user));
2346 if (*state->request.data.chng_pswd_auth_crap.domain != '\0') {
2347 domain_name = state->request.data.chng_pswd_auth_crap.domain;
2348 } else if (lp_winbind_use_default_domain()) {
2349 domain_name = lp_workgroup();
2352 if (domain_name != NULL)
2353 domain = find_domain_from_name(domain_name);
2355 if (domain != NULL) {
2356 DEBUG(7, ("[%5lu]: pam auth crap changing pswd in domain: "
2357 "%s\n", (unsigned long)state->pid,domain->name));
2358 sendto_domain(state, domain);
2362 set_auth_errors(&state->response, NT_STATUS_NO_SUCH_USER);
2363 DEBUG(5, ("CRAP change password for %s\\%s returned %s (PAM: %d)\n",
2364 state->request.data.chng_pswd_auth_crap.domain,
2365 state->request.data.chng_pswd_auth_crap.user,
2366 state->response.data.auth.nt_status_string,
2367 state->response.data.auth.pam_error));
2368 request_error(state);
2372 enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domain *domainSt, struct winbindd_cli_state *state)
2375 DATA_BLOB new_nt_password;
2376 DATA_BLOB old_nt_hash_enc;
2377 DATA_BLOB new_lm_password;
2378 DATA_BLOB old_lm_hash_enc;
2379 fstring domain,user;
2381 struct winbindd_domain *contact_domain = domainSt;
2382 struct rpc_pipe_client *cli;
2384 /* Ensure null termination */
2385 state->request.data.chng_pswd_auth_crap.user[
2386 sizeof(state->request.data.chng_pswd_auth_crap.user)-1]=0;
2387 state->request.data.chng_pswd_auth_crap.domain[
2388 sizeof(state->request.data.chng_pswd_auth_crap.domain)-1]=0;
2392 DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
2393 (unsigned long)state->pid,
2394 state->request.data.chng_pswd_auth_crap.domain,
2395 state->request.data.chng_pswd_auth_crap.user));
2397 if (lp_winbind_offline_logon()) {
2398 DEBUG(0,("Refusing password change as winbind offline logons are enabled. "));
2399 DEBUGADD(0,("Changing passwords here would risk inconsistent logons\n"));
2400 result = NT_STATUS_ACCESS_DENIED;
2404 if (*state->request.data.chng_pswd_auth_crap.domain) {
2405 fstrcpy(domain,state->request.data.chng_pswd_auth_crap.domain);
2407 parse_domain_user(state->request.data.chng_pswd_auth_crap.user,
2411 DEBUG(3,("no domain specified with username (%s) - "
2413 state->request.data.chng_pswd_auth_crap.user));
2414 result = NT_STATUS_NO_SUCH_USER;
2419 if (!*domain && lp_winbind_use_default_domain()) {
2420 fstrcpy(domain,(char *)lp_workgroup());
2424 fstrcpy(user, state->request.data.chng_pswd_auth_crap.user);
2427 DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n",
2428 (unsigned long)state->pid, domain, user));
2430 /* Change password */
2431 new_nt_password = data_blob_talloc(
2433 state->request.data.chng_pswd_auth_crap.new_nt_pswd,
2434 state->request.data.chng_pswd_auth_crap.new_nt_pswd_len);
2436 old_nt_hash_enc = data_blob_talloc(
2438 state->request.data.chng_pswd_auth_crap.old_nt_hash_enc,
2439 state->request.data.chng_pswd_auth_crap.old_nt_hash_enc_len);
2441 if(state->request.data.chng_pswd_auth_crap.new_lm_pswd_len > 0) {
2442 new_lm_password = data_blob_talloc(
2444 state->request.data.chng_pswd_auth_crap.new_lm_pswd,
2445 state->request.data.chng_pswd_auth_crap.new_lm_pswd_len);
2447 old_lm_hash_enc = data_blob_talloc(
2449 state->request.data.chng_pswd_auth_crap.old_lm_hash_enc,
2450 state->request.data.chng_pswd_auth_crap.old_lm_hash_enc_len);
2452 new_lm_password.length = 0;
2453 old_lm_hash_enc.length = 0;
2456 /* Get sam handle */
2458 result = cm_connect_sam(contact_domain, state->mem_ctx, &cli, &dom_pol);
2459 if (!NT_STATUS_IS_OK(result)) {
2460 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
2464 result = rpccli_samr_chng_pswd_auth_crap(
2465 cli, state->mem_ctx, user, new_nt_password, old_nt_hash_enc,
2466 new_lm_password, old_lm_hash_enc);
2470 set_auth_errors(&state->response, result);
2472 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2473 ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2475 state->response.data.auth.nt_status_string,
2476 state->response.data.auth.pam_error));
2478 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
git.samba.org / ab / samba.git / .git / blob