00e1f46fd9a0c2fa4e703d865a8e102e3c1a8489
[ira/wip.git] / source3 / nsswitch / libwbclient / wbc_pam.c
1 /*
2    Unix SMB/CIFS implementation.
3
4    Winbind client API
5
6    Copyright (C) Gerald (Jerry) Carter 2007
7
8    This library is free software; you can redistribute it and/or
9    modify it under the terms of the GNU Lesser General Public
10    License as published by the Free Software Foundation; either
11    version 3 of the License, or (at your option) any later version.
12
13    This library is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
16    Library General Public License for more details.
17
18    You should have received a copy of the GNU Lesser General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 /* Required Headers */
23
24 #include "libwbclient.h"
25
26 /** @brief Authenticate a username/password pair
27  *
28  * @param username     Name of user to authenticate
29  * @param password     Clear text password os user
30  *
31  * @return #wbcErr
32  **/
33
34 wbcErr wbcAuthenticateUser(const char *username,
35                            const char *password)
36 {
37         wbcErr wbc_status = WBC_ERR_SUCCESS;
38         struct wbcAuthUserParams params;
39
40         ZERO_STRUCT(params);
41
42         params.account_name             = username;
43         params.level                    = WBC_AUTH_USER_LEVEL_PLAIN;
44         params.password.plaintext       = password;
45
46         wbc_status = wbcAuthenticateUserEx(&params, NULL, NULL);
47         BAIL_ON_WBC_ERROR(wbc_status);
48
49 done:
50         return wbc_status;
51 }
52
53 static wbcErr wbc_create_auth_info(TALLOC_CTX *mem_ctx,
54                                    const struct winbindd_response *resp,
55                                    struct wbcAuthUserInfo **_i)
56 {
57         wbcErr wbc_status = WBC_ERR_SUCCESS;
58         struct wbcAuthUserInfo *i;
59         struct wbcDomainSid domain_sid;
60         char *p;
61         uint32_t sn = 0;
62         uint32_t j;
63
64         i = talloc(mem_ctx, struct wbcAuthUserInfo);
65         BAIL_ON_PTR_ERROR(i, wbc_status);
66
67         i->user_flags   = resp->data.auth.info3.user_flgs;
68
69         i->account_name = talloc_strdup(i, resp->data.auth.info3.user_name);
70         BAIL_ON_PTR_ERROR(i->account_name, wbc_status);
71         i->user_principal= NULL;
72         i->full_name    = talloc_strdup(i, resp->data.auth.info3.full_name);
73         BAIL_ON_PTR_ERROR(i->full_name, wbc_status);
74         i->domain_name  = talloc_strdup(i, resp->data.auth.info3.logon_dom);
75         BAIL_ON_PTR_ERROR(i->domain_name, wbc_status);
76         i->dns_domain_name= NULL;
77
78         i->acct_flags   = resp->data.auth.info3.acct_flags;
79         memcpy(i->user_session_key,
80                resp->data.auth.user_session_key,
81                sizeof(i->user_session_key));
82         memcpy(i->lm_session_key,
83                resp->data.auth.first_8_lm_hash,
84                sizeof(i->lm_session_key));
85
86         i->logon_count          = resp->data.auth.info3.logon_count;
87         i->bad_password_count   = resp->data.auth.info3.bad_pw_count;
88
89         i->logon_time           = resp->data.auth.info3.logon_time;
90         i->logoff_time          = resp->data.auth.info3.logoff_time;
91         i->kickoff_time         = resp->data.auth.info3.kickoff_time;
92         i->pass_last_set_time   = resp->data.auth.info3.pass_last_set_time;
93         i->pass_can_change_time = resp->data.auth.info3.pass_can_change_time;
94         i->pass_must_change_time= resp->data.auth.info3.pass_must_change_time;
95
96         i->logon_server = talloc_strdup(i, resp->data.auth.info3.logon_srv);
97         BAIL_ON_PTR_ERROR(i->logon_server, wbc_status);
98         i->logon_script = talloc_strdup(i, resp->data.auth.info3.logon_script);
99         BAIL_ON_PTR_ERROR(i->logon_script, wbc_status);
100         i->profile_path = talloc_strdup(i, resp->data.auth.info3.profile_path);
101         BAIL_ON_PTR_ERROR(i->profile_path, wbc_status);
102         i->home_directory= talloc_strdup(i, resp->data.auth.info3.home_dir);
103         BAIL_ON_PTR_ERROR(i->home_directory, wbc_status);
104         i->home_drive   = talloc_strdup(i, resp->data.auth.info3.dir_drive);
105         BAIL_ON_PTR_ERROR(i->home_drive, wbc_status);
106
107         i->num_sids     = 2;
108         i->num_sids     += resp->data.auth.info3.num_groups;
109         i->num_sids     += resp->data.auth.info3.num_other_sids;
110
111         i->sids = talloc_array(i, struct wbcSidWithAttr, i->num_sids);
112         BAIL_ON_PTR_ERROR(i->sids, wbc_status);
113
114         wbc_status = wbcStringToSid(resp->data.auth.info3.dom_sid,
115                                     &domain_sid);
116         BAIL_ON_WBC_ERROR(wbc_status);
117
118 #define _SID_COMPOSE(s, d, r, a) { \
119         (s).sid = d; \
120         if ((s).sid.num_auths < MAXSUBAUTHS) { \
121                 (s).sid.sub_auths[(s).sid.num_auths++] = r; \
122         } else { \
123                 wbc_status = WBC_ERR_INVALID_SID; \
124                 BAIL_ON_WBC_ERROR(wbc_status); \
125         } \
126         (s).attributes = a; \
127 } while (0)
128
129         sn = 0;
130         _SID_COMPOSE(i->sids[sn], domain_sid,
131                      resp->data.auth.info3.user_rid,
132                      0);
133         sn++;
134         _SID_COMPOSE(i->sids[sn], domain_sid,
135                      resp->data.auth.info3.group_rid,
136                      0);
137         sn++;
138
139         p = (char *)resp->extra_data.data;
140         if (!p) {
141                 wbc_status = WBC_ERR_INVALID_RESPONSE;
142                 BAIL_ON_WBC_ERROR(wbc_status);
143         }
144
145         for (j=0; j < resp->data.auth.info3.num_groups; j++) {
146                 uint32_t rid;
147                 uint32_t attrs;
148                 int ret;
149                 char *s = p;
150                 char *e = strchr(p, '\n');
151                 if (!e) {
152                         wbc_status = WBC_ERR_INVALID_RESPONSE;
153                         BAIL_ON_WBC_ERROR(wbc_status);
154                 }
155                 e[0] = '\0';
156                 p = &e[1];
157
158                 ret = sscanf(s, "0x%08X:0x%08X", &rid, &attrs);
159                 if (ret != 2) {
160                         wbc_status = WBC_ERR_INVALID_RESPONSE;
161                         BAIL_ON_WBC_ERROR(wbc_status);
162                 }
163
164                 _SID_COMPOSE(i->sids[sn], domain_sid,
165                              rid, attrs);
166                 sn++;
167         }
168
169         for (j=0; j < resp->data.auth.info3.num_other_sids; j++) {
170                 uint32_t attrs;
171                 int ret;
172                 char *s = p;
173                 char *a;
174                 char *e = strchr(p, '\n');
175                 if (!e) {
176                         wbc_status = WBC_ERR_INVALID_RESPONSE;
177                         BAIL_ON_WBC_ERROR(wbc_status);
178                 }
179                 e[0] = '\0';
180                 p = &e[1];
181
182                 e = strchr(s, ':');
183                 if (!e) {
184                         wbc_status = WBC_ERR_INVALID_RESPONSE;
185                         BAIL_ON_WBC_ERROR(wbc_status);
186                 }
187                 e[0] = '\0';
188                 a = &e[1];
189
190                 ret = sscanf(a, "0x%08X",
191                              &attrs);
192                 if (ret != 1) {
193                         wbc_status = WBC_ERR_INVALID_RESPONSE;
194                         BAIL_ON_WBC_ERROR(wbc_status);
195                 }
196
197                 wbc_status = wbcStringToSid(s, &i->sids[sn].sid);
198                 BAIL_ON_WBC_ERROR(wbc_status);
199
200                 i->sids[sn].attributes = attrs;
201                 sn++;
202         }
203
204         i->num_sids = sn;
205
206         *_i = i;
207         i = NULL;
208 done:
209         talloc_free(i);
210         return wbc_status;
211 }
212
213 static wbcErr wbc_create_error_info(TALLOC_CTX *mem_ctx,
214                                   const struct winbindd_response *resp,
215                                   struct wbcAuthErrorInfo **_e)
216 {
217         wbcErr wbc_status = WBC_ERR_SUCCESS;
218         struct wbcAuthErrorInfo *e;
219
220         e = talloc(mem_ctx, struct wbcAuthErrorInfo);
221         BAIL_ON_PTR_ERROR(e, wbc_status);
222
223         e->nt_status = resp->data.auth.nt_status;
224         e->pam_error = resp->data.auth.pam_error;
225         e->nt_string = talloc_strdup(e, resp->data.auth.nt_status_string);
226         BAIL_ON_PTR_ERROR(e->nt_string, wbc_status);
227
228         e->display_string = talloc_strdup(e, resp->data.auth.error_string);
229         BAIL_ON_PTR_ERROR(e->display_string, wbc_status);
230
231         *_e = e;
232         e = NULL;
233
234 done:
235         talloc_free(e);
236         return wbc_status;
237 }
238
239 /** @brief Authenticate with more detailed information
240  *
241  * @param params       Input parameters, WBC_AUTH_USER_LEVEL_HASH
242  *                     is not supported yet
243  * @param info         Output details on WBC_ERR_SUCCESS
244  * @param error        Output details on WBC_ERR_AUTH_ERROR
245  *
246  * @return #wbcErr
247  **/
248
249 wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params,
250                              struct wbcAuthUserInfo **info,
251                              struct wbcAuthErrorInfo **error)
252 {
253         wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
254         int cmd = 0;
255         struct winbindd_request request;
256         struct winbindd_response response;
257
258         ZERO_STRUCT(request);
259         ZERO_STRUCT(response);
260
261         if (error) {
262                 *error = NULL;
263         }
264
265         if (!params) {
266                 wbc_status = WBC_ERR_INVALID_PARAM;
267                 BAIL_ON_WBC_ERROR(wbc_status);
268         }
269
270         if (!params->account_name) {
271                 wbc_status = WBC_ERR_INVALID_PARAM;
272                 BAIL_ON_WBC_ERROR(wbc_status);
273         }
274
275         /* Initialize request */
276
277         switch (params->level) {
278         case WBC_AUTH_USER_LEVEL_PLAIN:
279                 cmd = WINBINDD_PAM_AUTH;
280                 request.flags = WBFLAG_PAM_INFO3_TEXT |
281                                 WBFLAG_PAM_USER_SESSION_KEY |
282                                 WBFLAG_PAM_LMKEY;
283
284                 if (!params->password.plaintext) {
285                         wbc_status = WBC_ERR_INVALID_PARAM;
286                         BAIL_ON_WBC_ERROR(wbc_status);
287                 }
288
289                 if (params->domain_name && params->domain_name[0]) {
290                         /* We need to get the winbind separator :-( */
291                         struct winbindd_response sep_response;
292
293                         ZERO_STRUCT(sep_response);
294
295                         wbc_status = wbcRequestResponse(WINBINDD_INFO,
296                                                         NULL, &sep_response);
297                         BAIL_ON_WBC_ERROR(wbc_status);
298
299                         snprintf(request.data.auth.user,
300                                  sizeof(request.data.auth.user)-1,
301                                  "%s%c%s",
302                                  params->domain_name,
303                                  sep_response.data.info.winbind_separator,
304                                  params->account_name);
305                 } else {
306                         strncpy(request.data.auth.user,
307                                 params->account_name,
308                                 sizeof(request.data.auth.user)-1);
309                 }
310                 strncpy(request.data.auth.pass,
311                         params->password.plaintext,
312                         sizeof(request.data.auth.user)-1);
313                 break;
314
315         case WBC_AUTH_USER_LEVEL_HASH:
316                 wbc_status = WBC_ERR_NOT_IMPLEMENTED;
317                 BAIL_ON_WBC_ERROR(wbc_status);
318                 break;
319
320         case WBC_AUTH_USER_LEVEL_RESPONSE:
321                 cmd = WINBINDD_PAM_AUTH_CRAP;
322                 request.flags = WBFLAG_PAM_INFO3_TEXT |
323                                 WBFLAG_PAM_USER_SESSION_KEY |
324                                 WBFLAG_PAM_LMKEY;
325
326                 if (params->password.response.lm_length &&
327                     !params->password.response.lm_data) {
328                         wbc_status = WBC_ERR_INVALID_PARAM;
329                         BAIL_ON_WBC_ERROR(wbc_status);
330                 }
331                 if (params->password.response.lm_length == 0 &&
332                     params->password.response.lm_data) {
333                         wbc_status = WBC_ERR_INVALID_PARAM;
334                         BAIL_ON_WBC_ERROR(wbc_status);
335                 }
336
337                 if (params->password.response.nt_length &&
338                     !params->password.response.nt_data) {
339                         wbc_status = WBC_ERR_INVALID_PARAM;
340                         BAIL_ON_WBC_ERROR(wbc_status);
341                 }
342                 if (params->password.response.nt_length == 0&&
343                     params->password.response.nt_data) {
344                         wbc_status = WBC_ERR_INVALID_PARAM;
345                         BAIL_ON_WBC_ERROR(wbc_status);
346                 }
347
348                 strncpy(request.data.auth_crap.user,
349                         params->account_name,
350                         sizeof(request.data.auth_crap.user)-1);
351                 if (params->domain_name) {
352                         strncpy(request.data.auth_crap.domain,
353                                 params->domain_name,
354                                 sizeof(request.data.auth_crap.domain)-1);
355                 }
356                 if (params->workstation_name) {
357                         strncpy(request.data.auth_crap.workstation,
358                                 params->workstation_name,
359                                 sizeof(request.data.auth_crap.workstation)-1);
360                 }
361
362                 request.data.auth_crap.logon_parameters =
363                                 params->parameter_control;
364
365                 memcpy(request.data.auth_crap.chal,
366                        params->password.response.challenge,
367                        sizeof(request.data.auth_crap.chal));
368
369                 request.data.auth_crap.lm_resp_len =
370                                 MIN(params->password.response.lm_length,
371                                     sizeof(request.data.auth_crap.lm_resp));
372                 request.data.auth_crap.nt_resp_len =
373                                 MIN(params->password.response.nt_length,
374                                     sizeof(request.data.auth_crap.nt_resp));
375                 if (params->password.response.lm_data) {
376                         memcpy(request.data.auth_crap.lm_resp,
377                                params->password.response.lm_data,
378                                request.data.auth_crap.lm_resp_len);
379                 }
380                 if (params->password.response.nt_data) {
381                         memcpy(request.data.auth_crap.nt_resp,
382                                params->password.response.nt_data,
383                                request.data.auth_crap.nt_resp_len);
384                 }
385                 break;
386         default:
387                 break;
388         }
389
390         if (cmd == 0) {
391                 wbc_status = WBC_ERR_INVALID_PARAM;
392                 BAIL_ON_WBC_ERROR(wbc_status);
393         }
394
395         wbc_status = wbcRequestResponse(cmd,
396                                         &request,
397                                         &response);
398         if (response.data.auth.nt_status != 0) {
399                 if (error) {
400                         wbc_status = wbc_create_error_info(NULL,
401                                                            &response,
402                                                            error);
403                         BAIL_ON_WBC_ERROR(wbc_status);
404                 }
405
406                 wbc_status = WBC_ERR_AUTH_ERROR;
407                 BAIL_ON_WBC_ERROR(wbc_status);
408         }
409         BAIL_ON_WBC_ERROR(wbc_status);
410
411         if (info) {
412                 wbc_status = wbc_create_auth_info(NULL,
413                                                   &response,
414                                                   info);
415                 BAIL_ON_WBC_ERROR(wbc_status);
416         }
417
418 done:
419
420         return wbc_status;
421 }
422
423 /** @brief Trigger a verification of the trust credentials of a specific domain
424  *
425  * @param *domain      The name of the domain, only NULL for the default domain is
426  *                     supported yet. Other values than NULL will result in
427  *                     WBC_ERR_NOT_IMPLEMENTED.
428  * @param error        Output details on WBC_ERR_AUTH_ERROR
429  *
430  * @return #wbcErr
431  *
432  **/
433 wbcErr wbcCheckTrustCredentials(const char *domain,
434                                 struct wbcAuthErrorInfo **error)
435 {
436         struct winbindd_request request;
437         struct winbindd_response response;
438         wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
439         const char *name_str;
440
441         if (domain) {
442                 /*
443                  * the current protocol doesn't support
444                  * specifying a domain
445                  */
446                 wbc_status = WBC_ERR_NOT_IMPLEMENTED;
447                 BAIL_ON_WBC_ERROR(wbc_status);
448         }
449
450         ZERO_STRUCT(request);
451         ZERO_STRUCT(response);
452
453         /* Send request */
454
455         wbc_status = wbcRequestResponse(WINBINDD_CHECK_MACHACC,
456                                         &request,
457                                         &response);
458         if (response.data.auth.nt_status != 0) {
459                 if (error) {
460                         wbc_status = wbc_create_error_info(NULL,
461                                                            &response,
462                                                            error);
463                         BAIL_ON_WBC_ERROR(wbc_status);
464                 }
465
466                 wbc_status = WBC_ERR_AUTH_ERROR;
467                 BAIL_ON_WBC_ERROR(wbc_status);
468         }
469         BAIL_ON_WBC_ERROR(wbc_status);
470
471  done:
472         return wbc_status;
473 }