source3/auth/auth_domain.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Authenticate against a remote domain
   4    Copyright (C) Andrew Tridgell 1992-1998
   5    Copyright (C) Andrew Bartlett 2001
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License as published by
   9    the Free Software Foundation; either version 2 of the License, or
  10    (at your option) any later version.
  11
  12    This program is distributed in the hope that it will be useful,
  13    but WITHOUT ANY WARRANTY; without even the implied warranty of
  14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15    GNU General Public License for more details.
  16
  17    You should have received a copy of the GNU General Public License
  18    along with this program; if not, write to the Free Software
  19    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  20 */
  21
  22 #include "includes.h"
  23
  24 #undef DBGC_CLASS
  25 #define DBGC_CLASS DBGC_AUTH
  26
  27 extern BOOL global_machine_password_needs_changing;
  28
  29 /**
  30  * Connect to a remote server for (inter)domain security authenticaion.
  31  *
  32  * @param cli the cli to return containing the active connection
  33  * @param server either a machine name or text IP address to
  34  *               connect to.
  35  * @param setup_creds_as domain account to setup credentials as
  36  * @param sec_chan a switch value to distinguish between domain
  37  *                 member and interdomain authentication
  38  * @param trust_passwd the trust password to establish the
  39  *                     credentials with.
  40  *
  41  **/
  42
  43 static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
  44                                                 const char *domain,
  45                                                 const char *dc_name,
  46                                                 struct in_addr dc_ip,
  47                                                 struct rpc_pipe_client **pipe_ret,
  48                                                 BOOL *retry)
  49 {
  50         NTSTATUS result;
  51         struct rpc_pipe_client *netlogon_pipe = NULL;
  52
  53         *pipe_ret = NULL;
  54
  55         /* TODO: Send a SAMLOGON request to determine whether this is a valid
  56            logonserver.  We can avoid a 30-second timeout if the DC is down
  57            if the SAMLOGON request fails as it is only over UDP. */
  58
  59         /* we use a mutex to prevent two connections at once - when a
  60            Win2k PDC get two connections where one hasn't completed a
  61            session setup yet it will send a TCP reset to the first
  62            connection (tridge) */
  63
  64         /*
  65          * With NT4.x DC's *all* authentication must be serialized to avoid
  66          * ACCESS_DENIED errors if 2 auths are done from the same machine. JRA.
  67          */
  68
  69         if (!grab_server_mutex(dc_name)) {
  70                 return NT_STATUS_NO_LOGON_SERVERS;
  71         }
  72
  73         /* Attempt connection */
  74         *retry = True;
  75         result = cli_full_connection(cli, global_myname(), dc_name, &dc_ip, 0,
  76                 "IPC$", "IPC", "", "", "", 0, Undefined, retry);
  77
  78         if (!NT_STATUS_IS_OK(result)) {
  79                 /* map to something more useful */
  80                 if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) {
  81                         result = NT_STATUS_NO_LOGON_SERVERS;
  82                 }
  83
  84                 release_server_mutex();
  85                 return result;
  86         }
  87
  88         /*
  89          * We now have an anonymous connection to IPC$ on the domain password server.
  90          */
  91
  92         /*
  93          * Even if the connect succeeds we need to setup the netlogon
  94          * pipe here. We do this as we may just have changed the domain
  95          * account password on the PDC and yet we may be talking to
  96          * a BDC that doesn't have this replicated yet. In this case
  97          * a successful connect to a DC needs to take the netlogon connect
  98          * into account also. This patch from "Bjart Kvarme" <bjart.kvarme@usit.uio.no>.
  99          */
 100
 101         /* open the netlogon pipe. */
 102         if (lp_client_schannel()) {
 103                 /* We also setup the creds chain in the open_schannel call. */
 104                 netlogon_pipe = cli_rpc_pipe_open_schannel(*cli, PI_NETLOGON,
 105                                         PIPE_AUTH_LEVEL_PRIVACY, domain, &result);
 106         } else {
 107                 netlogon_pipe = cli_rpc_pipe_open_noauth(*cli, PI_NETLOGON, &result);
 108         }
 109
 110         if(!netlogon_pipe) {
 111                 DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
 112 machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
 113                 cli_shutdown(*cli);
 114                 release_server_mutex();
 115                 return result;
 116         }
 117
 118         if (!lp_client_schannel()) {
 119                 /* We need to set up a creds chain on an unauthenticated netlogon pipe. */
 120                 uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
 121                 uint32 sec_chan_type = 0;
 122                 char machine_pwd[16];
 123
 124                 if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) {
 125                         DEBUG(0, ("connect_to_domain_password_server: could not fetch "
 126                         "trust account password for domain '%s'\n",
 127                                 domain));
 128                         cli_shutdown(*cli);
 129                         release_server_mutex();
 130                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 131                 }
 132
 133                 result = rpccli_netlogon_setup_creds(netlogon_pipe,
 134                                         dc_name,
 135                                         domain,
 136                                         global_myname(),
 137                                         machine_pwd,
 138                                         sec_chan_type,
 139                                         &neg_flags);
 140
 141                 if (!NT_STATUS_IS_OK(result)) {
 142                         cli_shutdown(*cli);
 143                         release_server_mutex();
 144                         return result;
 145                 }
 146         }
 147
 148         if(!netlogon_pipe) {
 149                 DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
 150 machine %s. Error was : %s.\n", dc_name, cli_errstr(*cli)));
 151                 cli_shutdown(*cli);
 152                 release_server_mutex();
 153                 return NT_STATUS_NO_LOGON_SERVERS;
 154         }
 155
 156         /* We exit here with the mutex *locked*. JRA */
 157
 158         *pipe_ret = netlogon_pipe;
 159
 160         return NT_STATUS_OK;
 161 }
 162
 163 /***********************************************************************
 164  Do the same as security=server, but using NT Domain calls and a session
 165  key from the machine password.  If the server parameter is specified
 166  use it, otherwise figure out a server from the 'password server' param.
 167 ************************************************************************/
 168
 169 static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
 170                                         const auth_usersupplied_info *user_info,
 171                                         const char *domain,
 172                                         uchar chal[8],
 173                                         auth_serversupplied_info **server_info,
 174                                         const char *dc_name,
 175                                         struct in_addr dc_ip)
 176
 177 {
 178         NET_USER_INFO_3 info3;
 179         struct cli_state *cli = NULL;
 180         struct rpc_pipe_client *netlogon_pipe = NULL;
 181         NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS;
 182         int i;
 183         BOOL retry = True;
 184
 185         /*
 186          * At this point, smb_apasswd points to the lanman response to
 187          * the challenge in local_challenge, and smb_ntpasswd points to
 188          * the NT response to the challenge in local_challenge. Ship
 189          * these over the secure channel to a domain controller and
 190          * see if they were valid.
 191          */
 192
 193         /* rety loop for robustness */
 194
 195         for (i = 0; !NT_STATUS_IS_OK(nt_status) && retry && (i < 3); i++) {
 196                 nt_status = connect_to_domain_password_server(&cli,
 197                                                         domain,
 198                                                         dc_name,
 199                                                         dc_ip,
 200                                                         &netlogon_pipe,
 201                                                         &retry);
 202         }
 203
 204         if ( !NT_STATUS_IS_OK(nt_status) ) {
 205                 DEBUG(0,("domain_client_validate: Domain password server not available.\n"));
 206                 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) {
 207                         return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
 208                 }
 209                 return nt_status;
 210         }
 211
 212         ZERO_STRUCT(info3);
 213
 214         /*
 215          * If this call succeeds, we now have lots of info about the user
 216          * in the info3 structure.
 217          */
 218
 219         nt_status = rpccli_netlogon_sam_network_logon(netlogon_pipe,
 220                                         mem_ctx,
 221                                         dc_name,                   /* server name */
 222                                         user_info->smb_name.str,   /* user name logging on. */
 223                                         user_info->domain.str,     /* domain name */
 224                                         user_info->wksta_name.str, /* workstation name */
 225                                         chal,                      /* 8 byte challenge. */
 226                                         user_info->lm_resp,        /* lanman 24 byte response */
 227                                         user_info->nt_resp,        /* nt 24 byte response */
 228                                         &info3);                   /* info3 out */
 229
 230         /* Let go as soon as possible so we avoid any potential deadlocks
 231            with winbind lookup up users or groups. */
 232
 233         release_server_mutex();
 234
 235         if (!NT_STATUS_IS_OK(nt_status)) {
 236                 DEBUG(0,("domain_client_validate: unable to validate password "
 237                          "for user %s in domain %s to Domain controller %s. "
 238                          "Error was %s.\n", user_info->smb_name.str,
 239                          user_info->domain.str, dc_name,
 240                          nt_errstr(nt_status)));
 241
 242                 /* map to something more useful */
 243                 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_UNSUCCESSFUL)) {
 244                         nt_status = NT_STATUS_NO_LOGON_SERVERS;
 245                 }
 246         } else {
 247                 nt_status = make_server_info_info3(mem_ctx,
 248                                                 user_info->internal_username.str,
 249                                                 user_info->smb_name.str,
 250                                                 domain,
 251                                                 server_info,
 252                                                 &info3);
 253         }
 254
 255         /* Note - once the cli stream is shutdown the mem_ctx used
 256            to allocate the other_sids and gids structures has been deleted - so
 257            these pointers are no longer valid..... */
 258
 259         cli_shutdown(cli);
 260         return nt_status;
 261 }
 262
 263 /****************************************************************************
 264  Check for a valid username and password in security=domain mode.
 265 ****************************************************************************/
 266
 267 static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context,
 268                                         void *my_private_data,
 269                                         TALLOC_CTX *mem_ctx,
 270                                         const auth_usersupplied_info *user_info,
 271                                         auth_serversupplied_info **server_info)
 272 {
 273         NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
 274         const char *domain = lp_workgroup();
 275         fstring dc_name;
 276         struct in_addr dc_ip;
 277
 278         if ( lp_server_role() != ROLE_DOMAIN_MEMBER ) {
 279                 DEBUG(0,("check_ntdomain_security: Configuration error!  Cannot use "
 280                         "ntdomain auth method when not a member of a domain.\n"));
 281                 return NT_STATUS_NOT_IMPLEMENTED;
 282         }
 283
 284         if (!user_info || !server_info || !auth_context) {
 285                 DEBUG(1,("check_ntdomain_security: Critical variables not present.  Failing.\n"));
 286                 return NT_STATUS_INVALID_PARAMETER;
 287         }
 288
 289         /*
 290          * Check that the requested domain is not our own machine name.
 291          * If it is, we should never check the PDC here, we use our own local
 292          * password file.
 293          */
 294
 295         if(strequal(get_global_sam_name(), user_info->domain.str)) {
 296                 DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n"));
 297                 return NT_STATUS_NOT_IMPLEMENTED;
 298         }
 299
 300         /* we need our DC to send the net_sam_logon() request to */
 301
 302         if ( !get_dc_name(domain, NULL, dc_name, &dc_ip) ) {
 303                 DEBUG(5,("check_ntdomain_security: unable to locate a DC for domain %s\n",
 304                         user_info->domain.str));
 305                 return NT_STATUS_NO_LOGON_SERVERS;
 306         }
 307
 308         nt_status = domain_client_validate(mem_ctx,
 309                                         user_info,
 310                                         domain,
 311                                         (uchar *)auth_context->challenge.data,
 312                                         server_info,
 313                                         dc_name,
 314                                         dc_ip);
 315
 316         return nt_status;
 317 }
 318
 319 /* module initialisation */
 320 static NTSTATUS auth_init_ntdomain(struct auth_context *auth_context, const char* param, auth_methods **auth_method)
 321 {
 322         if (!make_auth_methods(auth_context, auth_method)) {
 323                 return NT_STATUS_NO_MEMORY;
 324         }
 325
 326         (*auth_method)->name = "ntdomain";
 327         (*auth_method)->auth = check_ntdomain_security;
 328         return NT_STATUS_OK;
 329 }
 330
 331
 332 /****************************************************************************
 333  Check for a valid username and password in a trusted domain
 334 ****************************************************************************/
 335
 336 static NTSTATUS check_trustdomain_security(const struct auth_context *auth_context,
 337                                            void *my_private_data,
 338                                            TALLOC_CTX *mem_ctx,
 339                                            const auth_usersupplied_info *user_info,
 340                                            auth_serversupplied_info **server_info)
 341 {
 342         NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
 343         unsigned char trust_md4_password[16];
 344         char *trust_password;
 345         time_t last_change_time;
 346         DOM_SID sid;
 347         fstring dc_name;
 348         struct in_addr dc_ip;
 349
 350         if (!user_info || !server_info || !auth_context) {
 351                 DEBUG(1,("check_trustdomain_security: Critical variables not present.  Failing.\n"));
 352                 return NT_STATUS_INVALID_PARAMETER;
 353         }
 354
 355         /*
 356          * Check that the requested domain is not our own machine name or domain name.
 357          */
 358
 359         if( strequal(get_global_sam_name(), user_info->domain.str)) {
 360                 DEBUG(3,("check_trustdomain_security: Requested domain [%s] was for this machine.\n",
 361                         user_info->domain.str));
 362                 return NT_STATUS_NOT_IMPLEMENTED;
 363         }
 364
 365         /* No point is bothering if this is not a trusted domain.
 366            This return makes "map to guest = bad user" work again.
 367            The logic is that if we know nothing about the domain, that
 368            user is not known to us and does not exist */
 369
 370         if ( !is_trusted_domain( user_info->domain.str ) )
 371                 return NT_STATUS_NOT_IMPLEMENTED;
 372
 373         /*
 374          * Get the trusted account password for the trusted domain
 375          * No need to become_root() as secrets_init() is done at startup.
 376          */
 377
 378         if (!secrets_fetch_trusted_domain_password(user_info->domain.str, &trust_password,
 379                                 &sid, &last_change_time)) {
 380                 DEBUG(0, ("check_trustdomain_security: could not fetch trust account password for domain %s\n", user_info->domain.str));
 381                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 382         }
 383
 384 #ifdef DEBUG_PASSWORD
 385         DEBUG(100, ("Trust password for domain %s is %s\n", user_info->domain.str, trust_password));
 386 #endif
 387         E_md4hash(trust_password, trust_md4_password);
 388         SAFE_FREE(trust_password);
 389
 390 #if 0
 391         /* Test if machine password is expired and need to be changed */
 392         if (time(NULL) > last_change_time + lp_machine_password_timeout())
 393         {
 394                 global_machine_password_needs_changing = True;
 395         }
 396 #endif
 397
 398         /* use get_dc_name() for consistency even through we know that it will be
 399            a netbios name */
 400
 401         if ( !get_dc_name(user_info->domain.str, NULL, dc_name, &dc_ip) ) {
 402                 DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n",
 403                         user_info->domain.str));
 404                 return NT_STATUS_NO_LOGON_SERVERS;
 405         }
 406
 407         nt_status = domain_client_validate(mem_ctx,
 408                                         user_info,
 409                                         user_info->domain.str,
 410                                         (uchar *)auth_context->challenge.data,
 411                                         server_info,
 412                                         dc_name,
 413                                         dc_ip);
 414
 415         return nt_status;
 416 }
 417
 418 /* module initialisation */
 419 static NTSTATUS auth_init_trustdomain(struct auth_context *auth_context, const char* param, auth_methods **auth_method)
 420 {
 421         if (!make_auth_methods(auth_context, auth_method)) {
 422                 return NT_STATUS_NO_MEMORY;
 423         }
 424
 425         (*auth_method)->name = "trustdomain";
 426         (*auth_method)->auth = check_trustdomain_security;
 427         return NT_STATUS_OK;
 428 }
 429
 430 NTSTATUS auth_domain_init(void)
 431 {
 432         smb_register_auth(AUTH_INTERFACE_VERSION, "trustdomain", auth_init_trustdomain);
 433         smb_register_auth(AUTH_INTERFACE_VERSION, "ntdomain", auth_init_ntdomain);
 434         return NT_STATUS_OK;
 435 }