dsdb: Rework samdb_result_acct_flags to use either userAccountControl or msDS-User...
[bbaumbach/samba-autobuild/.git] / source4 / auth / sam.c
index fcb125660b30ff51d72aaf5471cdb6581d8e962a..1c3b81ad0c652ae38f95bf4d4ebb9933ab026068 100644 (file)
@@ -28,6 +28,8 @@
 #include "libcli/security/security.h"
 #include "auth/auth_sam.h"
 #include "dsdb/common/util.h"
+#include "libcli/ldap/ldap_ndr.h"
+#include "param/param.h"
 
 #define KRBTGT_ATTRS \
        /* required for the krb5 kdc */         \
        "msDS-SecondaryKrbTgtNumber",           \
        "msDS-SupportedEncryptionTypes",        \
        "supplementalCredentials",              \
+       "msDS-AllowedToDelegateTo",             \
                                                \
        /* passwords */                         \
        "dBCSPwd",                              \
        "unicodePwd",                           \
                                                \
-       "userAccountControl",                   \
+       "userAccountControl",                   \
+       "msDS-User-Account-Control-Computed",   \
        "objectSid",                            \
                                                \
        "pwdLastSet",                           \
@@ -66,7 +70,7 @@ const char *user_attrs[] = {
        /* check 'allowed workstations' */
        "userWorkstations",
                       
-       /* required for server_info, not access control: */
+       /* required for user_info_dc, not access control: */
        "displayName",
        "scriptPath",
        "profilePath",
@@ -162,11 +166,12 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
        const char *workstation_list;
        NTTIME acct_expiry;
        NTTIME must_change_time;
+       struct timeval tv_now = timeval_current();
+       NTTIME now = timeval_to_nttime(&tv_now);
 
-       NTTIME now;
        DEBUG(4,("authsam_account_ok: Checking SMB password for user %s\n", name_for_logs));
 
-       acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, msg, domain_dn);
+       acct_flags = samdb_result_acct_flags(msg, "msDS-User-Account-Control-Computed");
        
        acct_expiry = samdb_result_account_expires(msg);
 
@@ -190,7 +195,6 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
        }
 
        /* Test account expire time */
-       unix_to_nt_time(&now, time(NULL));
        if (now > acct_expiry) {
                DEBUG(2,("authsam_account_ok: Account for user '%s' has expired.\n", name_for_logs));
                DEBUG(3,("authsam_account_ok: Account expired at '%s'.\n", 
@@ -218,8 +222,8 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
        if (logon_workstation && workstation_list && *workstation_list) {
                bool invalid_ws = true;
                int i;
-               const char **workstations = (const char **)str_list_make(mem_ctx, workstation_list, ",");
-               
+               char **workstations = str_list_make(mem_ctx, workstation_list, ",");
+
                for (i = 0; workstations && workstations[i]; i++) {
                        DEBUG(10,("sam_account_ok: checking for workstation match '%s' and '%s'\n",
                                  workstations[i], logon_workstation));
@@ -265,7 +269,7 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
        return NT_STATUS_OK;
 }
 
-_PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
+_PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
                                           struct ldb_context *sam_ctx,
                                           const char *netbios_name,
                                           const char *domain_name,
@@ -273,55 +277,77 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
                                           struct ldb_message *msg,
                                           DATA_BLOB user_sess_key,
                                           DATA_BLOB lm_sess_key,
-                                          struct auth_serversupplied_info **_server_info)
+                                          struct auth_user_info_dc **_user_info_dc)
 {
        NTSTATUS status;
-       struct auth_serversupplied_info *server_info;
+       struct auth_user_info_dc *user_info_dc;
+       struct auth_user_info *info;
        const char *str, *filter;
        /* SIDs for the account and his primary group */
        struct dom_sid *account_sid;
-       struct dom_sid *primary_group_sid;
        const char *primary_group_string;
        const char *primary_group_dn;
        DATA_BLOB primary_group_blob;
        /* SID structures for the expanded group memberships */
-       struct dom_sid **groupSIDs = NULL;
-       unsigned int num_groupSIDs = 0, i;
+       struct dom_sid *sids = NULL;
+       unsigned int num_sids = 0, i;
        struct dom_sid *domain_sid;
        TALLOC_CTX *tmp_ctx;
        struct ldb_message_element *el;
 
-       server_info = talloc(mem_ctx, struct auth_serversupplied_info);
-       NT_STATUS_HAVE_NO_MEMORY(server_info);
+       user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
+       NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
 
-       tmp_ctx = talloc_new(server_info);
-       NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info, server_info);
+       tmp_ctx = talloc_new(user_info_dc);
+       if (user_info_dc == NULL) {
+               TALLOC_FREE(user_info_dc);
+               return NT_STATUS_NO_MEMORY;
+       }
 
-       account_sid = samdb_result_dom_sid(server_info, msg, "objectSid");
-       NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid, server_info);
+       sids = talloc_array(user_info_dc, struct dom_sid, 2);
+       if (sids == NULL) {
+               TALLOC_FREE(user_info_dc);
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       num_sids = 2;
+
+       account_sid = samdb_result_dom_sid(user_info_dc, msg, "objectSid");
+       if (account_sid == NULL) {
+               TALLOC_FREE(user_info_dc);
+               return NT_STATUS_NO_MEMORY;
+       }
 
        status = dom_sid_split_rid(tmp_ctx, account_sid, &domain_sid, NULL);
        if (!NT_STATUS_IS_OK(status)) {
-               talloc_free(server_info);
+               talloc_free(user_info_dc);
                return status;
        }
 
-       primary_group_sid = dom_sid_add_rid(server_info,
-                                           domain_sid,
-                                           ldb_msg_find_attr_as_uint(msg, "primaryGroupID", ~0));
-       NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_sid, server_info);
+       sids[PRIMARY_USER_SID_INDEX] = *account_sid;
+       sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid;
+       sid_append_rid(&sids[PRIMARY_GROUP_SID_INDEX], ldb_msg_find_attr_as_uint(msg, "primaryGroupID", ~0));
 
        /* Filter out builtin groups from this token.  We will search
         * for builtin groups later, and not include them in the PAC
         * on SamLogon validation info */
        filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(!(groupType:1.2.840.113556.1.4.803:=%u))(groupType:1.2.840.113556.1.4.803:=%u))", GROUP_TYPE_BUILTIN_LOCAL_GROUP, GROUP_TYPE_SECURITY_ENABLED);
-       NT_STATUS_HAVE_NO_MEMORY_AND_FREE(filter, server_info);
+       if (filter == NULL) {
+               TALLOC_FREE(user_info_dc);
+               return NT_STATUS_NO_MEMORY;
+       }
 
-       primary_group_string = dom_sid_string(tmp_ctx, primary_group_sid);
-       NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_string, server_info);
+       primary_group_string = dom_sid_string(tmp_ctx, &sids[PRIMARY_GROUP_SID_INDEX]);
+       if (primary_group_string == NULL) {
+               TALLOC_FREE(user_info_dc);
+               return NT_STATUS_NO_MEMORY;
+       }
 
        primary_group_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", primary_group_string);
-       NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_dn, server_info);
+       if (primary_group_dn == NULL) {
+               TALLOC_FREE(user_info_dc);
+               return NT_STATUS_NO_MEMORY;
+       }
 
        primary_group_blob = data_blob_string_const(primary_group_dn);
 
@@ -335,9 +361,9 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
         * 'only childs' flag to true
         */
        status = dsdb_expand_nested_groups(sam_ctx, &primary_group_blob, true, filter,
-                                          server_info, &groupSIDs, &num_groupSIDs);
+                                          user_info_dc, &sids, &num_sids);
        if (!NT_STATUS_IS_OK(status)) {
-               talloc_free(server_info);
+               talloc_free(user_info_dc);
                return status;
        }
 
@@ -348,122 +374,141 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
                 * them, as long as they meet the filter - so only
                 * domain groups, not builtin groups */
                status = dsdb_expand_nested_groups(sam_ctx, &el->values[i], false, filter,
-                                                  server_info, &groupSIDs, &num_groupSIDs);
+                                                  user_info_dc, &sids, &num_sids);
                if (!NT_STATUS_IS_OK(status)) {
-                       talloc_free(server_info);
+                       talloc_free(user_info_dc);
                        return status;
                }
        }
 
-       server_info->account_sid = account_sid;
-       server_info->primary_group_sid = primary_group_sid;
-       
-       server_info->domain_groups = groupSIDs;
-       server_info->n_domain_groups = num_groupSIDs;
+       user_info_dc->sids = sids;
+       user_info_dc->num_sids = num_sids;
+
+       user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
+       NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
 
-       server_info->account_name = talloc_steal(server_info,
+       info->account_name = talloc_steal(info,
                ldb_msg_find_attr_as_string(msg, "sAMAccountName", NULL));
 
-       server_info->domain_name = talloc_strdup(server_info, domain_name);
-       NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_name,
-               server_info);
+       info->domain_name = talloc_strdup(info, domain_name);
+       if (info->domain_name == NULL) {
+               TALLOC_FREE(user_info_dc);
+               return NT_STATUS_NO_MEMORY;
+       }
 
        str = ldb_msg_find_attr_as_string(msg, "displayName", "");
-       server_info->full_name = talloc_strdup(server_info, str);
-       NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->full_name, server_info);
+       info->full_name = talloc_strdup(info, str);
+       if (info->full_name == NULL) {
+               TALLOC_FREE(user_info_dc);
+               return NT_STATUS_NO_MEMORY;
+       }
 
        str = ldb_msg_find_attr_as_string(msg, "scriptPath", "");
-       server_info->logon_script = talloc_strdup(server_info, str);
-       NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->logon_script,
-               server_info);
+       info->logon_script = talloc_strdup(info, str);
+       if (info->logon_script == NULL) {
+               TALLOC_FREE(user_info_dc);
+               return NT_STATUS_NO_MEMORY;
+       }
 
        str = ldb_msg_find_attr_as_string(msg, "profilePath", "");
-       server_info->profile_path = talloc_strdup(server_info, str);
-       NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->profile_path,
-               server_info);
+       info->profile_path = talloc_strdup(info, str);
+       if (info->profile_path == NULL) {
+               TALLOC_FREE(user_info_dc);
+               return NT_STATUS_NO_MEMORY;
+       }
 
        str = ldb_msg_find_attr_as_string(msg, "homeDirectory", "");
-       server_info->home_directory = talloc_strdup(server_info, str);
-       NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->home_directory,
-               server_info);
+       info->home_directory = talloc_strdup(info, str);
+       if (info->home_directory == NULL) {
+               TALLOC_FREE(user_info_dc);
+               return NT_STATUS_NO_MEMORY;
+       }
 
        str = ldb_msg_find_attr_as_string(msg, "homeDrive", "");
-       server_info->home_drive = talloc_strdup(server_info, str);
-       NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->home_drive, server_info);
+       info->home_drive = talloc_strdup(info, str);
+       if (info->home_drive == NULL) {
+               TALLOC_FREE(user_info_dc);
+               return NT_STATUS_NO_MEMORY;
+       }
 
-       server_info->logon_server = talloc_strdup(server_info, netbios_name);
-       NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->logon_server,
-               server_info);
+       info->logon_server = talloc_strdup(info, netbios_name);
+       if (info->logon_server == NULL) {
+               TALLOC_FREE(user_info_dc);
+               return NT_STATUS_NO_MEMORY;
+       }
 
-       server_info->last_logon = samdb_result_nttime(msg, "lastLogon", 0);
-       server_info->last_logoff = samdb_result_last_logoff(msg);
-       server_info->acct_expiry = samdb_result_account_expires(msg);
-       server_info->last_password_change = samdb_result_nttime(msg,
+       info->last_logon = samdb_result_nttime(msg, "lastLogon", 0);
+       info->last_logoff = samdb_result_last_logoff(msg);
+       info->acct_expiry = samdb_result_account_expires(msg);
+       info->last_password_change = samdb_result_nttime(msg,
                "pwdLastSet", 0);
-       server_info->allow_password_change
+       info->allow_password_change
                = samdb_result_allow_password_change(sam_ctx, mem_ctx, 
                        domain_dn, msg, "pwdLastSet");
-       server_info->force_password_change
+       info->force_password_change
                = samdb_result_force_password_change(sam_ctx, mem_ctx,
                        domain_dn, msg);
-       server_info->logon_count = ldb_msg_find_attr_as_uint(msg, "logonCount", 0);
-       server_info->bad_password_count = ldb_msg_find_attr_as_uint(msg, "badPwdCount",
+       info->logon_count = ldb_msg_find_attr_as_uint(msg, "logonCount", 0);
+       info->bad_password_count = ldb_msg_find_attr_as_uint(msg, "badPwdCount",
                0);
 
-       server_info->acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, 
-                                                         msg, domain_dn);
+       info->acct_flags = samdb_result_acct_flags(msg, "msDS-User-Account-Control-Computed");
 
-       server_info->user_session_key = data_blob_talloc(server_info,
+       user_info_dc->user_session_key = data_blob_talloc(user_info_dc,
                                                         user_sess_key.data,
                                                         user_sess_key.length);
        if (user_sess_key.data) {
-               NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->user_session_key.data,
-                                                 server_info);
+               if (user_info_dc->user_session_key.data == NULL) {
+                       TALLOC_FREE(user_info_dc);
+                       return NT_STATUS_NO_MEMORY;
+               }
        }
-       server_info->lm_session_key = data_blob_talloc(server_info,
+       user_info_dc->lm_session_key = data_blob_talloc(user_info_dc,
                                                       lm_sess_key.data,
                                                       lm_sess_key.length);
        if (lm_sess_key.data) {
-               NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->lm_session_key.data,
-                                                 server_info);
+               if (user_info_dc->lm_session_key.data == NULL) {
+                       TALLOC_FREE(user_info_dc);
+                       return NT_STATUS_NO_MEMORY;
+               }
        }
 
-       if (server_info->acct_flags & ACB_SVRTRUST) {
+       if (info->acct_flags & ACB_SVRTRUST) {
                /* the SID_NT_ENTERPRISE_DCS SID gets added into the
                   PAC */
-               server_info->domain_groups = talloc_realloc(server_info,
-                                                           server_info->domain_groups,
-                                                           struct dom_sid *,
-                                                           server_info->n_domain_groups+1);
-               NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups, server_info);
-               server_info->domain_groups[server_info->n_domain_groups] =
-                       dom_sid_parse_talloc(server_info->domain_groups,
-                                            SID_NT_ENTERPRISE_DCS);
-               NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups[server_info->n_domain_groups],
-                                                 server_info);
-               server_info->n_domain_groups++;
-       }
-
-       if ((server_info->acct_flags & (ACB_PARTIAL_SECRETS_ACCOUNT | ACB_WSTRUST)) ==
+               user_info_dc->sids = talloc_realloc(user_info_dc,
+                                                  user_info_dc->sids,
+                                                  struct dom_sid,
+                                                  user_info_dc->num_sids+1);
+               if (user_info_dc->sids == NULL) {
+                       TALLOC_FREE(user_info_dc);
+                       return NT_STATUS_NO_MEMORY;
+               }
+               user_info_dc->sids[user_info_dc->num_sids] = global_sid_Enterprise_DCs;
+               user_info_dc->num_sids++;
+       }
+
+       if ((info->acct_flags & (ACB_PARTIAL_SECRETS_ACCOUNT | ACB_WSTRUST)) ==
            (ACB_PARTIAL_SECRETS_ACCOUNT | ACB_WSTRUST)) {
                /* the DOMAIN_RID_ENTERPRISE_READONLY_DCS PAC */
-               server_info->domain_groups = talloc_realloc(server_info,
-                                                           server_info->domain_groups,
-                                                           struct dom_sid *,
-                                                           server_info->n_domain_groups+1);
-               NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups, server_info);
-               server_info->domain_groups[server_info->n_domain_groups] =
-                       dom_sid_add_rid(server_info->domain_groups, domain_sid,
-                               DOMAIN_RID_ENTERPRISE_READONLY_DCS);
-               NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups[server_info->n_domain_groups],
-                                                 server_info);
-               server_info->n_domain_groups++;
+               user_info_dc->sids = talloc_realloc(user_info_dc,
+                                                  user_info_dc->sids,
+                                                  struct dom_sid,
+                                                  user_info_dc->num_sids+1);
+               if (user_info_dc->sids == NULL) {
+                       TALLOC_FREE(user_info_dc);
+                       return NT_STATUS_NO_MEMORY;
+               }
+               user_info_dc->sids[user_info_dc->num_sids] = *domain_sid;
+               sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids],
+                           DOMAIN_RID_ENTERPRISE_READONLY_DCS);
+               user_info_dc->num_sids++;
        }
 
-       server_info->authenticated = true;
+       info->authenticated = true;
 
        talloc_free(tmp_ctx);
-       *_server_info = server_info;
+       *_user_info_dc = user_info_dc;
 
        return NT_STATUS_OK;
 }
@@ -492,7 +537,9 @@ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
        
        /* pull the user attributes */
        ret = dsdb_search_one(sam_ctx, tmp_ctx, msg, user_dn,
-                             LDB_SCOPE_BASE, attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "(objectClass=*)");
+                             LDB_SCOPE_BASE, attrs,
+                             DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
+                             "(objectClass=*)");
        if (ret != LDB_SUCCESS) {
                talloc_free(tmp_ctx);
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
@@ -503,3 +550,87 @@ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
        
        return NT_STATUS_OK;
 }
+
+/* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available, and for tokenGroups in the DSDB stack.
+
+ Supply either a principal or a DN
+*/
+NTSTATUS authsam_get_user_info_dc_principal(TALLOC_CTX *mem_ctx,
+                                          struct loadparm_context *lp_ctx,
+                                          struct ldb_context *sam_ctx,
+                                          const char *principal,
+                                          struct ldb_dn *user_dn,
+                                          struct auth_user_info_dc **user_info_dc)
+{
+       NTSTATUS nt_status;
+       DATA_BLOB user_sess_key = data_blob(NULL, 0);
+       DATA_BLOB lm_sess_key = data_blob(NULL, 0);
+
+       struct ldb_message *msg;
+       struct ldb_dn *domain_dn;
+
+       TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+       if (!tmp_ctx) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       if (principal) {
+               nt_status = sam_get_results_principal(sam_ctx, tmp_ctx, principal,
+                                                     user_attrs, &domain_dn, &msg);
+               if (!NT_STATUS_IS_OK(nt_status)) {
+                       talloc_free(tmp_ctx);
+                       return nt_status;
+               }
+       } else if (user_dn) {
+               struct dom_sid *user_sid, *domain_sid;
+               int ret;
+               /* pull the user attributes */
+               ret = dsdb_search_one(sam_ctx, tmp_ctx, &msg, user_dn,
+                                     LDB_SCOPE_BASE, user_attrs,
+                                     DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
+                                     "(objectClass=*)");
+               if (ret == LDB_ERR_NO_SUCH_OBJECT) {
+                       talloc_free(tmp_ctx);
+                       return NT_STATUS_NO_SUCH_USER;
+               } else if (ret != LDB_SUCCESS) {
+                       talloc_free(tmp_ctx);
+                       return NT_STATUS_INTERNAL_DB_CORRUPTION;
+               }
+
+               user_sid = samdb_result_dom_sid(msg, msg, "objectSid");
+
+               nt_status = dom_sid_split_rid(tmp_ctx, user_sid, &domain_sid, NULL);
+               if (!NT_STATUS_IS_OK(nt_status)) {
+                       return nt_status;
+               }
+
+               domain_dn = samdb_search_dn(sam_ctx, mem_ctx, NULL,
+                                         "(&(objectSid=%s)(objectClass=domain))",
+                                           ldap_encode_ndr_dom_sid(tmp_ctx, domain_sid));
+               if (!domain_dn) {
+                       DEBUG(3, ("authsam_get_user_info_dc_principal: Failed to find domain with: SID %s\n",
+                                 dom_sid_string(tmp_ctx, domain_sid)));
+                       return NT_STATUS_NO_SUCH_USER;
+               }
+
+       } else {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
+       nt_status = authsam_make_user_info_dc(tmp_ctx, sam_ctx,
+                                            lpcfg_netbios_name(lp_ctx),
+                                            lpcfg_workgroup(lp_ctx),
+                                            domain_dn,
+                                            msg,
+                                            user_sess_key, lm_sess_key,
+                                            user_info_dc);
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               talloc_free(tmp_ctx);
+               return nt_status;
+       }
+
+       talloc_steal(mem_ctx, *user_info_dc);
+       talloc_free(tmp_ctx);
+
+       return NT_STATUS_OK;
+}