source4/auth/sam.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Password and authentication handling
   4    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2004
   5    Copyright (C) Gerald Carter                             2003
   6    Copyright (C) Stefan Metzmacher                         2005
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 */
  21
  22 #include "includes.h"
  23 #include "system/time.h"
  24 #include "auth/auth.h"
  25 #include <ldb.h>
  26 #include "../lib/util/util_ldb.h"
  27 #include "dsdb/samdb/samdb.h"
  28 #include "libcli/security/security.h"
  29 #include "libcli/ldap/ldap.h"
  30 #include "librpc/gen_ndr/ndr_netlogon.h"
  31 #include "librpc/gen_ndr/ndr_security.h"
  32 #include "param/param.h"
  33 #include "auth/auth_sam.h"
  34
  35 #define KRBTGT_ATTRS \
  36         /* required for the krb5 kdc */         \
  37         "objectClass",                          \
  38         "sAMAccountName",                       \
  39         "userPrincipalName",                    \
  40         "servicePrincipalName",                 \
  41         "msDS-KeyVersionNumber",                \
  42         "supplementalCredentials",              \
  43                                                 \
  44         /* passwords */                         \
  45         "dBCSPwd",                              \
  46         "unicodePwd",                           \
  47                                                 \
  48         "userAccountControl",                   \
  49         "objectSid",                            \
  50                                                 \
  51         "pwdLastSet",                           \
  52         "accountExpires"
  53
  54 const char *krbtgt_attrs[] = {
  55         KRBTGT_ATTRS
  56 };
  57
  58 const char *server_attrs[] = {
  59         KRBTGT_ATTRS
  60 };
  61
  62 const char *user_attrs[] = {
  63         KRBTGT_ATTRS,
  64
  65         "logonHours",
  66
  67         /* check 'allowed workstations' */
  68         "userWorkstations",
  69
  70         /* required for server_info, not access control: */
  71         "displayName",
  72         "scriptPath",
  73         "profilePath",
  74         "homeDirectory",
  75         "homeDrive",
  76         "lastLogon",
  77         "lastLogoff",
  78         "accountExpires",
  79         "badPwdCount",
  80         "logonCount",
  81         "primaryGroupID",
  82         "memberOf",
  83         NULL,
  84 };
  85
  86 /****************************************************************************
  87  Check if a user is allowed to logon at this time. Note this is the
  88  servers local time, as logon hours are just specified as a weekly
  89  bitmask.
  90 ****************************************************************************/
  91
  92 static bool logon_hours_ok(struct ldb_message *msg, const char *name_for_logs)
  93 {
  94         /* In logon hours first bit is Sunday from 12AM to 1AM */
  95         const struct ldb_val *hours;
  96         struct tm *utctime;
  97         time_t lasttime;
  98         const char *asct;
  99         uint8_t bitmask, bitpos;
 100
 101         hours = ldb_msg_find_ldb_val(msg, "logonHours");
 102         if (!hours) {
 103                 DEBUG(5,("logon_hours_ok: No hours restrictions for user %s\n", name_for_logs));
 104                 return true;
 105         }
 106
 107         if (hours->length != 168/8) {
 108                 DEBUG(5,("logon_hours_ok: malformed logon hours restrictions for user %s\n", name_for_logs));
 109                 return true;
 110         }
 111
 112         lasttime = time(NULL);
 113         utctime = gmtime(&lasttime);
 114         if (!utctime) {
 115                 DEBUG(1, ("logon_hours_ok: failed to get gmtime. Failing logon for user %s\n",
 116                         name_for_logs));
 117                 return false;
 118         }
 119
 120         /* find the corresponding byte and bit */
 121         bitpos = (utctime->tm_wday * 24 + utctime->tm_hour) % 168;
 122         bitmask = 1 << (bitpos % 8);
 123
 124         if (! (hours->data[bitpos/8] & bitmask)) {
 125                 struct tm *t = localtime(&lasttime);
 126                 if (!t) {
 127                         asct = "INVALID TIME";
 128                 } else {
 129                         asct = asctime(t);
 130                         if (!asct) {
 131                                 asct = "INVALID TIME";
 132                         }
 133                 }
 134
 135                 DEBUG(1, ("logon_hours_ok: Account for user %s not allowed to "
 136                           "logon at this time (%s).\n",
 137                           name_for_logs, asct ));
 138                 return false;
 139         }
 140
 141         asct = asctime(utctime);
 142         DEBUG(5,("logon_hours_ok: user %s allowed to logon at this time (%s)\n",
 143                 name_for_logs, asct ? asct : "UNKNOWN TIME" ));
 144
 145         return true;
 146 }
 147
 148 /****************************************************************************
 149  Do a specific test for a SAM_ACCOUNT being vaild for this connection
 150  (ie not disabled, expired and the like).
 151 ****************************************************************************/
 152 _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 153                                      struct ldb_context *sam_ctx,
 154                                      uint32_t logon_parameters,
 155                                      struct ldb_dn *domain_dn,
 156                                      struct ldb_message *msg,
 157                                      const char *logon_workstation,
 158                                      const char *name_for_logs,
 159                                      bool allow_domain_trust,
 160                                      bool password_change)
 161 {
 162         uint16_t acct_flags;
 163         const char *workstation_list;
 164         NTTIME acct_expiry;
 165         NTTIME must_change_time;
 166
 167         NTTIME now;
 168         DEBUG(4,("authsam_account_ok: Checking SMB password for user %s\n", name_for_logs));
 169
 170         acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, msg, domain_dn);
 171
 172         acct_expiry = samdb_result_account_expires(msg);
 173
 174         /* Check for when we must change this password, taking the
 175          * userAccountControl flags into account */
 176         must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx,
 177                                                               domain_dn, msg);
 178
 179         workstation_list = samdb_result_string(msg, "userWorkstations", NULL);
 180
 181         /* Quit if the account was disabled. */
 182         if (acct_flags & ACB_DISABLED) {
 183                 DEBUG(1,("authsam_account_ok: Account for user '%s' was disabled.\n", name_for_logs));
 184                 return NT_STATUS_ACCOUNT_DISABLED;
 185         }
 186
 187         /* Quit if the account was locked out. */
 188         if (acct_flags & ACB_AUTOLOCK) {
 189                 DEBUG(1,("authsam_account_ok: Account for user %s was locked out.\n", name_for_logs));
 190                 return NT_STATUS_ACCOUNT_LOCKED_OUT;
 191         }
 192
 193         /* Test account expire time */
 194         unix_to_nt_time(&now, time(NULL));
 195         if (now > acct_expiry) {
 196                 DEBUG(1,("authsam_account_ok: Account for user '%s' has expired.\n", name_for_logs));
 197                 DEBUG(3,("authsam_account_ok: Account expired at '%s'.\n",
 198                          nt_time_string(mem_ctx, acct_expiry)));
 199                 return NT_STATUS_ACCOUNT_EXPIRED;
 200         }
 201
 202         /* check for immediate expiry "must change at next logon" (but not if this is a password change request) */
 203         if ((must_change_time == 0) && !password_change) {
 204                 DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n",
 205                          name_for_logs));
 206                 return NT_STATUS_PASSWORD_MUST_CHANGE;
 207         }
 208
 209         /* check for expired password (but not if this is a password change request) */
 210         if ((must_change_time < now) && !password_change) {
 211                 DEBUG(1,("sam_account_ok: Account for user '%s' password expired!.\n",
 212                          name_for_logs));
 213                 DEBUG(1,("sam_account_ok: Password expired at '%s' unix time.\n",
 214                          nt_time_string(mem_ctx, must_change_time)));
 215                 return NT_STATUS_PASSWORD_EXPIRED;
 216         }
 217
 218         /* Test workstation. Workstation list is comma separated. */
 219         if (logon_workstation && workstation_list && *workstation_list) {
 220                 bool invalid_ws = true;
 221                 int i;
 222                 const char **workstations = (const char **)str_list_make(mem_ctx, workstation_list, ",");
 223
 224                 for (i = 0; workstations && workstations[i]; i++) {
 225                         DEBUG(10,("sam_account_ok: checking for workstation match '%s' and '%s'\n",
 226                                   workstations[i], logon_workstation));
 227
 228                         if (strequal(workstations[i], logon_workstation)) {
 229                                 invalid_ws = false;
 230                                 break;
 231                         }
 232                 }
 233
 234                 talloc_free(workstations);
 235
 236                 if (invalid_ws) {
 237                         return NT_STATUS_INVALID_WORKSTATION;
 238                 }
 239         }
 240
 241         if (!logon_hours_ok(msg, name_for_logs)) {
 242                 return NT_STATUS_INVALID_LOGON_HOURS;
 243         }
 244
 245         if (!allow_domain_trust) {
 246                 if (acct_flags & ACB_DOMTRUST) {
 247                         DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", name_for_logs));
 248                         return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
 249                 }
 250         }
 251         if (!(logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) {
 252                 if (acct_flags & ACB_SVRTRUST) {
 253                         DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", name_for_logs));
 254                         return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
 255                 }
 256         }
 257         if (!(logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) {
 258                 if (acct_flags & ACB_WSTRUST) {
 259                         DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", name_for_logs));
 260                         return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
 261                 }
 262         }
 263
 264         return NT_STATUS_OK;
 265 }
 266
 267 _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
 268                                            const char *netbios_name,
 269                                            const char *domain_name,
 270                                            struct ldb_dn *domain_dn,
 271                                            struct ldb_message *msg,
 272                                            DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key,
 273                                            struct auth_serversupplied_info **_server_info)
 274 {
 275         struct auth_serversupplied_info *server_info;
 276         int group_ret = 0;
 277         /* find list of sids */
 278         struct dom_sid **groupSIDs = NULL;
 279         struct dom_sid *account_sid;
 280         struct dom_sid *primary_group_sid;
 281         const char *str;
 282         int i;
 283         uint_t rid;
 284         TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 285         struct ldb_message_element *el;
 286
 287         server_info = talloc(tmp_ctx, struct auth_serversupplied_info);
 288         NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info, tmp_ctx);
 289
 290         el = ldb_msg_find_element(msg, "memberOf");
 291         if (el != NULL) {
 292                 group_ret = el->num_values;
 293                 groupSIDs = talloc_array(server_info, struct dom_sid *, group_ret);
 294                 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, tmp_ctx);
 295         }
 296
 297         /* TODO Note: this is incomplete. We need to unroll some
 298          * nested groups, but not aliases */
 299         for (i = 0; i < group_ret; i++) {
 300                 struct ldb_dn *dn;
 301                 const struct ldb_val *v;
 302                 enum ndr_err_code ndr_err;
 303
 304                 dn = ldb_dn_from_ldb_val(tmp_ctx, sam_ctx, &el->values[i]);
 305                 if (dn == NULL) {
 306                         talloc_free(tmp_ctx);
 307                         return NT_STATUS_INTERNAL_DB_CORRUPTION;
 308                 }
 309                 v = ldb_dn_get_extended_component(dn, "SID");
 310                 groupSIDs[i] = talloc(groupSIDs, struct dom_sid);
 311                 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs[i], tmp_ctx);
 312
 313                 ndr_err = ndr_pull_struct_blob(v, groupSIDs[i], NULL, groupSIDs[i],
 314                                                (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
 315                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 316                         talloc_free(tmp_ctx);
 317                         return NT_STATUS_INTERNAL_DB_CORRUPTION;
 318                 }
 319         }
 320
 321         account_sid = samdb_result_dom_sid(server_info, msg, "objectSid");
 322         NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid, tmp_ctx);
 323
 324         primary_group_sid = dom_sid_dup(server_info, account_sid);
 325         NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_sid, tmp_ctx);
 326
 327         rid = samdb_result_uint(msg, "primaryGroupID", ~0);
 328         if (rid == ~0) {
 329                 if (group_ret > 0) {
 330                         primary_group_sid = groupSIDs[0];
 331                 } else {
 332                         primary_group_sid = NULL;
 333                 }
 334         } else {
 335                 primary_group_sid->sub_auths[primary_group_sid->num_auths-1] = rid;
 336         }
 337
 338         server_info->account_sid = account_sid;
 339         server_info->primary_group_sid = primary_group_sid;
 340
 341         server_info->n_domain_groups = group_ret;
 342         server_info->domain_groups = groupSIDs;
 343
 344         server_info->account_name = talloc_steal(server_info, samdb_result_string(msg, "sAMAccountName", NULL));
 345
 346         server_info->domain_name = talloc_strdup(server_info, domain_name);
 347         NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_name, tmp_ctx);
 348
 349         str = samdb_result_string(msg, "displayName", "");
 350         server_info->full_name = talloc_strdup(server_info, str);
 351         NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->full_name, tmp_ctx);
 352
 353         str = samdb_result_string(msg, "scriptPath", "");
 354         server_info->logon_script = talloc_strdup(server_info, str);
 355         NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->logon_script, tmp_ctx);
 356
 357         str = samdb_result_string(msg, "profilePath", "");
 358         server_info->profile_path = talloc_strdup(server_info, str);
 359         NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->profile_path, tmp_ctx);
 360
 361         str = samdb_result_string(msg, "homeDirectory", "");
 362         server_info->home_directory = talloc_strdup(server_info, str);
 363         NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->home_directory, tmp_ctx);
 364
 365         str = samdb_result_string(msg, "homeDrive", "");
 366         server_info->home_drive = talloc_strdup(server_info, str);
 367         NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->home_drive, tmp_ctx);
 368
 369         server_info->logon_server = talloc_strdup(server_info, netbios_name);
 370         NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->logon_server, tmp_ctx);
 371
 372         server_info->last_logon = samdb_result_nttime(msg, "lastLogon", 0);
 373         server_info->last_logoff = samdb_result_nttime(msg, "lastLogoff", 0);
 374         server_info->acct_expiry = samdb_result_account_expires(msg);
 375         server_info->last_password_change = samdb_result_nttime(msg, "pwdLastSet", 0);
 376
 377         server_info->allow_password_change
 378                 = samdb_result_allow_password_change(sam_ctx, mem_ctx,
 379                                                      domain_dn, msg, "pwdLastSet");
 380         server_info->force_password_change
 381                 = samdb_result_force_password_change(sam_ctx, mem_ctx,
 382                                                      domain_dn, msg);
 383
 384         server_info->logon_count = samdb_result_uint(msg, "logonCount", 0);
 385         server_info->bad_password_count = samdb_result_uint(msg, "badPwdCount", 0);
 386
 387         server_info->acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx,
 388                                                           msg, domain_dn);
 389
 390         server_info->user_session_key = user_sess_key;
 391         server_info->lm_session_key = lm_sess_key;
 392
 393         server_info->authenticated = true;
 394
 395         *_server_info = talloc_steal(mem_ctx, server_info);
 396
 397         return NT_STATUS_OK;
 398 }
 399
 400 NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
 401                                    TALLOC_CTX *mem_ctx, const char *principal,
 402                                    struct ldb_dn **domain_dn,
 403                                    struct ldb_message **msg)
 404 {
 405         struct ldb_dn *user_dn;
 406         NTSTATUS nt_status;
 407         TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 408         int ret;
 409
 410         if (!tmp_ctx) {
 411                 return NT_STATUS_NO_MEMORY;
 412         }
 413
 414         nt_status = crack_user_principal_name(sam_ctx, tmp_ctx, principal, &user_dn, domain_dn);
 415         if (!NT_STATUS_IS_OK(nt_status)) {
 416                 talloc_free(tmp_ctx);
 417                 return nt_status;
 418         }
 419
 420         /* pull the user attributes */
 421         ret = gendb_search_single_extended_dn(sam_ctx, tmp_ctx, user_dn, LDB_SCOPE_BASE,
 422                                               msg, user_attrs, "(objectClass=*)");
 423         if (ret != LDB_SUCCESS) {
 424                 talloc_free(tmp_ctx);
 425                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
 426         }
 427         talloc_steal(mem_ctx, *msg);
 428         talloc_steal(mem_ctx, *domain_dn);
 429         talloc_free(tmp_ctx);
 430
 431         return NT_STATUS_OK;
 432 }