95f0d527bbe92481dc9bdd9f366ecb1aca007247
[ira/wip.git] / source3 / nsswitch / winbindd_pam.c
1 /* 
2    Unix SMB/Netbios implementation.
3    Version 3.0
4
5    Winbind daemon - pam auth funcions
6
7    Copyright (C) Andrew Tridgell 2000
8    Copyright (C) Tim Potter 2001
9    Copyright (C) Andrew Bartlett 2001
10    
11    This program is free software; you can redistribute it and/or modify
12    it under the terms of the GNU General Public License as published by
13    the Free Software Foundation; either version 2 of the License, or
14    (at your option) any later version.
15    
16    This program is distributed in the hope that it will be useful,
17    but WITHOUT ANY WARRANTY; without even the implied warranty of
18    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
19    GNU General Public License for more details.
20    
21    You should have received a copy of the GNU General Public License
22    along with this program; if not, write to the Free Software
23    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 */
25
26 #include "winbindd.h"
27
28 /* Return a password structure from a username.  */
29
30 enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) 
31 {
32         NTSTATUS result;
33         fstring name_domain, name_user;
34         int passlen;
35         unsigned char trust_passwd[16];
36         time_t last_change_time;
37         uint32 smb_uid_low;
38         NET_USER_INFO_3 info3;
39         struct cli_state *cli = NULL;
40         uchar chal[8];
41         TALLOC_CTX *mem_ctx;
42         DATA_BLOB lm_resp;
43         DATA_BLOB nt_resp;
44
45         extern pstring global_myname;
46
47         DEBUG(3, ("[%5d]: pam auth %s\n", state->pid,
48                   state->request.data.auth.user));
49
50         if (!(mem_ctx = talloc_init_named("winbind pam auth for %s", state->request.data.auth.user))) {
51                 DEBUG(0, ("winbindd_pam_auth: could not talloc_init()!\n"));
52                 return WINBINDD_ERROR;
53         }
54
55         /* Parse domain and username */
56         
57         if (!parse_domain_user(state->request.data.auth.user, name_domain, 
58                                name_user)) {
59                 DEBUG(5,("no domain seperator (%s) in username (%s) - failing fauth\n", lp_winbind_separator(), state->request.data.auth.user));
60                 talloc_destroy(mem_ctx);
61                 return WINBINDD_ERROR;
62         }
63
64         passlen = strlen(state->request.data.auth.pass);
65                 
66         if (!*state->request.data.auth.pass) {
67                 return WINBINDD_ERROR;
68                 talloc_destroy(mem_ctx);
69         } else {
70                 unsigned char local_lm_response[24];
71                 unsigned char local_nt_response[24];
72                 
73                 generate_random_buffer(chal, 8, False);
74                 SMBencrypt( (const uchar *)state->request.data.auth.pass, chal, local_lm_response);
75                 
76                 SMBNTencrypt((const uchar *)state->request.data.auth.pass, chal, local_nt_response);
77
78                 lm_resp = data_blob_talloc(mem_ctx, local_lm_response, sizeof(local_lm_response));
79                 nt_resp = data_blob_talloc(mem_ctx, local_nt_response, sizeof(local_nt_response));
80         }
81         
82         /*
83          * Get the machine account password for our primary domain
84          */
85
86         if (!secrets_fetch_trust_account_password(
87                 lp_workgroup(), trust_passwd, &last_change_time)) {
88                 DEBUG(0, ("winbindd_pam_auth: could not fetch trust account "
89                           "password for domain %s\n", lp_workgroup()));
90                 talloc_destroy(mem_ctx);
91                 return WINBINDD_ERROR;
92         }
93
94         /* We really don't care what LUID we give the user. */
95
96         generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False);
97
98         ZERO_STRUCT(info3);
99
100         result = cm_get_netlogon_cli(lp_workgroup(), trust_passwd, &cli);
101
102         if (!NT_STATUS_IS_OK(result)) {
103                 DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
104                 goto done;
105         }
106
107         result = cli_netlogon_sam_network_logon(cli, mem_ctx,
108                                                 name_user, name_domain, 
109                                                 global_myname, chal, 
110                                                 lm_resp, nt_resp, 
111                                                 &info3);
112         
113         uni_group_cache_store_netlogon(mem_ctx, &info3);
114 done:
115
116         if (cli) 
117                 cli_shutdown(cli);
118
119         talloc_destroy(mem_ctx);
120         
121         return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
122 }
123         
124 /* Challenge Response Authentication Protocol */
125
126 enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) 
127 {
128         NTSTATUS result;
129         unsigned char trust_passwd[16];
130         time_t last_change_time;
131         NET_USER_INFO_3 info3;
132         struct cli_state *cli = NULL;
133         TALLOC_CTX *mem_ctx;
134
135         DATA_BLOB lm_resp, nt_resp;
136
137         extern pstring global_myname;
138
139         DEBUG(3, ("[%5d]: pam auth crap domain: %s user: %s\n", state->pid,
140                   state->request.data.auth_crap.user, state->request.data.auth_crap.user));
141
142         if (!(mem_ctx = talloc_init_named("winbind pam auth crap for %s", state->request.data.auth.user))) {
143                 DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n"));
144                 return WINBINDD_ERROR;
145         }
146
147         lm_resp = data_blob_talloc(mem_ctx, state->request.data.auth_crap.lm_resp, state->request.data.auth_crap.lm_resp_len);
148         nt_resp = data_blob_talloc(mem_ctx, state->request.data.auth_crap.nt_resp, state->request.data.auth_crap.nt_resp_len);
149         
150         /*
151          * Get the machine account password for our primary domain
152          */
153
154         if (!secrets_fetch_trust_account_password(
155                 lp_workgroup(), trust_passwd, &last_change_time)) {
156                 DEBUG(0, ("winbindd_pam_auth: could not fetch trust account "
157                           "password for domain %s\n", lp_workgroup()));
158                 talloc_destroy(mem_ctx);
159                 return WINBINDD_ERROR;
160         }
161
162         ZERO_STRUCT(info3);
163
164         result = cm_get_netlogon_cli(lp_workgroup(), trust_passwd, &cli);
165
166         if (!NT_STATUS_IS_OK(result)) {
167                 DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
168                 goto done;
169         }
170
171         result = cli_netlogon_sam_network_logon(cli, mem_ctx,
172                                                 state->request.data.auth_crap.user, state->request.data.auth_crap.domain, 
173                                                 global_myname, state->request.data.auth_crap.chal, 
174                                                 lm_resp, nt_resp, 
175                                                 &info3);
176         
177         uni_group_cache_store_netlogon(mem_ctx, &info3);
178 done:
179         talloc_destroy(mem_ctx);
180
181         if (cli)
182                 cli_shutdown(cli);
183
184         return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
185 }
186
187 /* Change a user password */
188
189 enum winbindd_result winbindd_pam_chauthtok(struct winbindd_cli_state *state)
190 {
191         char *oldpass, *newpass;
192         fstring domain, user;
193         uchar nt_oldhash[16];
194         uchar lm_oldhash[16];
195
196         DEBUG(3, ("[%5d]: pam chauthtok %s\n", state->pid,
197                 state->request.data.chauthtok.user));
198
199         /* Setup crap */
200
201         if (state == NULL)
202                 return WINBINDD_ERROR;
203
204         if (!parse_domain_user(state->request.data.chauthtok.user, domain, user))
205                 return WINBINDD_ERROR;
206
207         oldpass = state->request.data.chauthtok.oldpass;
208         newpass = state->request.data.chauthtok.newpass;
209
210         nt_lm_owf_gen(oldpass, nt_oldhash, lm_oldhash);
211
212         /* Change password */
213
214 #if 0
215
216         /* XXX */
217
218         if (!msrpc_sam_ntchange_pwd(server_state.controller, domain, user,
219                 lm_oldhash, nt_oldhash, newpass)) {
220                 DEBUG(0, ("password change failed for user %s/%s\n", domain, user));
221                 return WINBINDD_ERROR;
222         }
223 #endif
224     
225         return WINBINDD_OK;
226 }