This is the 'winbind default domain' patch from Alexander Bokovoy
[ira/wip.git] / source3 / nsswitch / winbindd_pam.c
1 /* 
2    Unix SMB/Netbios implementation.
3    Version 3.0
4
5    Winbind daemon - pam auth funcions
6
7    Copyright (C) Andrew Tridgell 2000
8    Copyright (C) Tim Potter 2001
9    Copyright (C) Andrew Bartlett 2001
10    
11    This program is free software; you can redistribute it and/or modify
12    it under the terms of the GNU General Public License as published by
13    the Free Software Foundation; either version 2 of the License, or
14    (at your option) any later version.
15    
16    This program is distributed in the hope that it will be useful,
17    but WITHOUT ANY WARRANTY; without even the implied warranty of
18    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
19    GNU General Public License for more details.
20    
21    You should have received a copy of the GNU General Public License
22    along with this program; if not, write to the Free Software
23    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 */
25
26 #include "winbindd.h"
27
28 /* Return a password structure from a username.  */
29
30 enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) 
31 {
32         NTSTATUS result;
33         fstring name_domain, name_user;
34         int passlen;
35         unsigned char trust_passwd[16];
36         time_t last_change_time;
37         uint32 smb_uid_low;
38         NET_USER_INFO_3 info3;
39         struct cli_state *cli = NULL;
40         uchar chal[8];
41         TALLOC_CTX *mem_ctx;
42         DATA_BLOB lm_resp;
43         DATA_BLOB nt_resp;
44
45         extern pstring global_myname;
46
47         DEBUG(3, ("[%5d]: pam auth %s\n", state->pid,
48                   state->request.data.auth.user));
49
50         if (!(mem_ctx = talloc_init_named("winbind pam auth for %s", state->request.data.auth.user))) {
51                 DEBUG(0, ("winbindd_pam_auth: could not talloc_init()!\n"));
52                 return WINBINDD_ERROR;
53         }
54
55         /* Parse domain and username */
56         
57         if (!parse_domain_user(state->request.data.auth.user, name_domain, 
58                                name_user)) {
59                 DEBUG(5,("no domain seperator (%s) in username (%s) - failing auth\n", lp_winbind_separator(), state->request.data.auth.user));
60                 talloc_destroy(mem_ctx);
61                 return WINBINDD_ERROR;
62         }
63
64         passlen = strlen(state->request.data.auth.pass);
65                 
66         if (!*state->request.data.auth.pass) {
67                 return WINBINDD_ERROR;
68                 talloc_destroy(mem_ctx);
69         } else {
70                 unsigned char local_lm_response[24];
71                 unsigned char local_nt_response[24];
72                 
73                 generate_random_buffer(chal, 8, False);
74                 SMBencrypt( (const uchar *)state->request.data.auth.pass, chal, local_lm_response);
75                 
76                 SMBNTencrypt((const uchar *)state->request.data.auth.pass, chal, local_nt_response);
77
78                 lm_resp = data_blob_talloc(mem_ctx, local_lm_response, sizeof(local_lm_response));
79                 nt_resp = data_blob_talloc(mem_ctx, local_nt_response, sizeof(local_nt_response));
80         }
81         
82         /*
83          * Get the machine account password for our primary domain
84          */
85
86         if (!secrets_fetch_trust_account_password(
87                 lp_workgroup(), trust_passwd, &last_change_time)) {
88                 DEBUG(0, ("winbindd_pam_auth: could not fetch trust account "
89                           "password for domain %s\n", lp_workgroup()));
90                 talloc_destroy(mem_ctx);
91                 return WINBINDD_ERROR;
92         }
93
94         /* We really don't care what LUID we give the user. */
95
96         generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False);
97
98         ZERO_STRUCT(info3);
99
100         result = cm_get_netlogon_cli(lp_workgroup(), trust_passwd, &cli);
101
102         if (!NT_STATUS_IS_OK(result)) {
103                 DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
104                 goto done;
105         }
106
107         result = cli_netlogon_sam_network_logon(cli, mem_ctx,
108                                                 name_user, name_domain, 
109                                                 global_myname, chal, 
110                                                 lm_resp, nt_resp, 
111                                                 &info3);
112         
113         uni_group_cache_store_netlogon(mem_ctx, &info3);
114 done:
115
116         if (cli) 
117                 cli_shutdown(cli);
118
119         talloc_destroy(mem_ctx);
120         
121         return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
122 }
123         
124 /* Challenge Response Authentication Protocol */
125
126 enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) 
127 {
128         NTSTATUS result;
129         unsigned char trust_passwd[16];
130         time_t last_change_time;
131         NET_USER_INFO_3 info3;
132         struct cli_state *cli = NULL;
133         TALLOC_CTX *mem_ctx;
134         const char *domain = NULL;
135
136         DATA_BLOB lm_resp, nt_resp;
137
138         extern pstring global_myname;
139
140         DEBUG(3, ("[%5d]: pam auth crap domain: %s user: %s\n", state->pid,
141                   state->request.data.auth_crap.user, state->request.data.auth_crap.user));
142
143         if (!(mem_ctx = talloc_init_named("winbind pam auth crap for %s", state->request.data.auth.user))) {
144                 DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n"));
145                 return WINBINDD_ERROR;
146         }
147
148         if (*state->request.data.auth_crap.domain) {
149                 domain = talloc_strdup(mem_ctx, state->request.data.auth_crap.domain);
150         } else if (lp_winbind_use_default_domain()) {
151                 domain = talloc_strdup(mem_ctx, lp_workgroup());
152         } else {
153                 DEBUG(5,("no domain specified with username (%s) - failing auth\n", state->request.data.auth.user));
154                 talloc_destroy(mem_ctx);
155                 return WINBINDD_ERROR;
156         }
157
158         if (!domain) {
159                 DEBUG(0,("winbindd_pam_auth_crap: talloc_strdup failed!\n"));
160                 talloc_destroy(mem_ctx);
161                 return WINBINDD_ERROR;
162         }
163
164         lm_resp = data_blob_talloc(mem_ctx, state->request.data.auth_crap.lm_resp, state->request.data.auth_crap.lm_resp_len);
165         nt_resp = data_blob_talloc(mem_ctx, state->request.data.auth_crap.nt_resp, state->request.data.auth_crap.nt_resp_len);
166         
167         /*
168          * Get the machine account password for our primary domain
169          */
170
171         if (!secrets_fetch_trust_account_password(
172                 lp_workgroup(), trust_passwd, &last_change_time)) {
173                 DEBUG(0, ("winbindd_pam_auth: could not fetch trust account "
174                           "password for domain %s\n", lp_workgroup()));
175                 talloc_destroy(mem_ctx);
176                 return WINBINDD_ERROR;
177         }
178
179         ZERO_STRUCT(info3);
180
181         result = cm_get_netlogon_cli(lp_workgroup(), trust_passwd, &cli);
182
183         if (!NT_STATUS_IS_OK(result)) {
184                 DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
185                 goto done;
186         }
187
188         result = cli_netlogon_sam_network_logon(cli, mem_ctx,
189                                                 state->request.data.auth_crap.user, domain,
190                                                 global_myname, state->request.data.auth_crap.chal, 
191                                                 lm_resp, nt_resp, 
192                                                 &info3);
193         
194         uni_group_cache_store_netlogon(mem_ctx, &info3);
195 done:
196         talloc_destroy(mem_ctx);
197
198         if (cli)
199                 cli_shutdown(cli);
200
201         return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
202 }
203
204 /* Change a user password */
205
206 enum winbindd_result winbindd_pam_chauthtok(struct winbindd_cli_state *state)
207 {
208         char *oldpass, *newpass;
209         fstring domain, user;
210         uchar nt_oldhash[16];
211         uchar lm_oldhash[16];
212
213         DEBUG(3, ("[%5d]: pam chauthtok %s\n", state->pid,
214                 state->request.data.chauthtok.user));
215
216         /* Setup crap */
217
218         if (state == NULL)
219                 return WINBINDD_ERROR;
220
221         if (!parse_domain_user(state->request.data.chauthtok.user, domain, user))
222                 return WINBINDD_ERROR;
223
224         oldpass = state->request.data.chauthtok.oldpass;
225         newpass = state->request.data.chauthtok.newpass;
226
227         nt_lm_owf_gen(oldpass, nt_oldhash, lm_oldhash);
228
229         /* Change password */
230
231 #if 0
232
233         /* XXX */
234
235         if (!msrpc_sam_ntchange_pwd(server_state.controller, domain, user,
236                 lm_oldhash, nt_oldhash, newpass)) {
237                 DEBUG(0, ("password change failed for user %s/%s\n", domain, user));
238                 return WINBINDD_ERROR;
239         }
240 #endif
241     
242         return WINBINDD_OK;
243 }