8865170b147d6f1e6dcacd991ce9beb2513a51b9
[ira/wip.git] / source4 / auth / sam.c
1 /* 
2    Unix SMB/CIFS implementation.
3    Password and authentication handling
4    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2004
5    Copyright (C) Gerald Carter                             2003
6    Copyright (C) Stefan Metzmacher                         2005
7    
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "system/time.h"
24 #include "auth/auth.h"
25 #include <ldb.h>
26 #include "../lib/util/util_ldb.h"
27 #include "dsdb/samdb/samdb.h"
28 #include "libcli/security/security.h"
29 #include "libcli/ldap/ldap.h"
30 #include "librpc/gen_ndr/ndr_netlogon.h"
31 #include "librpc/gen_ndr/ndr_security.h"
32 #include "param/param.h"
33 #include "auth/auth_sam.h"
34
35 #define KRBTGT_ATTRS \
36         /* required for the krb5 kdc */         \
37         "objectClass",                          \
38         "sAMAccountName",                       \
39         "userPrincipalName",                    \
40         "servicePrincipalName",                 \
41         "msDS-KeyVersionNumber",                \
42         "supplementalCredentials",              \
43                                                 \
44         /* passwords */                         \
45         "dBCSPwd",                              \
46         "unicodePwd",                           \
47                                                 \
48         "userAccountControl",                   \
49         "objectSid",                            \
50                                                 \
51         "pwdLastSet",                           \
52         "accountExpires"                        
53
54 const char *krbtgt_attrs[] = {
55         KRBTGT_ATTRS
56 };
57
58 const char *server_attrs[] = {
59         KRBTGT_ATTRS
60 };
61
62 const char *user_attrs[] = {
63         KRBTGT_ATTRS,
64
65         "logonHours",
66
67         /* check 'allowed workstations' */
68         "userWorkstations",
69                        
70         /* required for server_info, not access control: */
71         "displayName",
72         "scriptPath",
73         "profilePath",
74         "homeDirectory",
75         "homeDrive",
76         "lastLogon",
77         "lastLogoff",
78         "accountExpires",
79         "badPwdCount",
80         "logonCount",
81         "primaryGroupID",
82         "memberOf",
83         NULL,
84 };
85
86 /****************************************************************************
87  Check if a user is allowed to logon at this time. Note this is the
88  servers local time, as logon hours are just specified as a weekly
89  bitmask.
90 ****************************************************************************/
91                                                                                                               
92 static bool logon_hours_ok(struct ldb_message *msg, const char *name_for_logs)
93 {
94         /* In logon hours first bit is Sunday from 12AM to 1AM */
95         const struct ldb_val *hours;
96         struct tm *utctime;
97         time_t lasttime;
98         const char *asct;
99         uint8_t bitmask, bitpos;
100
101         hours = ldb_msg_find_ldb_val(msg, "logonHours");
102         if (!hours) {
103                 DEBUG(5,("logon_hours_ok: No hours restrictions for user %s\n", name_for_logs));
104                 return true;
105         }
106
107         if (hours->length != 168/8) {
108                 DEBUG(5,("logon_hours_ok: malformed logon hours restrictions for user %s\n", name_for_logs));
109                 return true;            
110         }
111
112         lasttime = time(NULL);
113         utctime = gmtime(&lasttime);
114         if (!utctime) {
115                 DEBUG(1, ("logon_hours_ok: failed to get gmtime. Failing logon for user %s\n",
116                         name_for_logs));
117                 return false;
118         }
119
120         /* find the corresponding byte and bit */
121         bitpos = (utctime->tm_wday * 24 + utctime->tm_hour) % 168;
122         bitmask = 1 << (bitpos % 8);
123
124         if (! (hours->data[bitpos/8] & bitmask)) {
125                 struct tm *t = localtime(&lasttime);
126                 if (!t) {
127                         asct = "INVALID TIME";
128                 } else {
129                         asct = asctime(t);
130                         if (!asct) {
131                                 asct = "INVALID TIME";
132                         }
133                 }
134                 
135                 DEBUG(1, ("logon_hours_ok: Account for user %s not allowed to "
136                           "logon at this time (%s).\n",
137                           name_for_logs, asct ));
138                 return false;
139         }
140
141         asct = asctime(utctime);
142         DEBUG(5,("logon_hours_ok: user %s allowed to logon at this time (%s)\n",
143                 name_for_logs, asct ? asct : "UNKNOWN TIME" ));
144
145         return true;
146 }
147
148 /****************************************************************************
149  Do a specific test for a SAM_ACCOUNT being vaild for this connection 
150  (ie not disabled, expired and the like).
151 ****************************************************************************/
152 _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
153                                      struct ldb_context *sam_ctx,
154                                      uint32_t logon_parameters,
155                                      struct ldb_dn *domain_dn,
156                                      struct ldb_message *msg,
157                                      const char *logon_workstation,
158                                      const char *name_for_logs,
159                                      bool allow_domain_trust,
160                                      bool password_change)
161 {
162         uint16_t acct_flags;
163         const char *workstation_list;
164         NTTIME acct_expiry;
165         NTTIME must_change_time;
166
167         NTTIME now;
168         DEBUG(4,("authsam_account_ok: Checking SMB password for user %s\n", name_for_logs));
169
170         acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, msg, domain_dn);
171         
172         acct_expiry = samdb_result_account_expires(msg);
173
174         /* Check for when we must change this password, taking the
175          * userAccountControl flags into account */
176         must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx, 
177                                                               domain_dn, msg);
178
179         workstation_list = samdb_result_string(msg, "userWorkstations", NULL);
180
181         /* Quit if the account was disabled. */
182         if (acct_flags & ACB_DISABLED) {
183                 DEBUG(1,("authsam_account_ok: Account for user '%s' was disabled.\n", name_for_logs));
184                 return NT_STATUS_ACCOUNT_DISABLED;
185         }
186
187         /* Quit if the account was locked out. */
188         if (acct_flags & ACB_AUTOLOCK) {
189                 DEBUG(1,("authsam_account_ok: Account for user %s was locked out.\n", name_for_logs));
190                 return NT_STATUS_ACCOUNT_LOCKED_OUT;
191         }
192
193         /* Test account expire time */
194         unix_to_nt_time(&now, time(NULL));
195         if (now > acct_expiry) {
196                 DEBUG(1,("authsam_account_ok: Account for user '%s' has expired.\n", name_for_logs));
197                 DEBUG(3,("authsam_account_ok: Account expired at '%s'.\n", 
198                          nt_time_string(mem_ctx, acct_expiry)));
199                 return NT_STATUS_ACCOUNT_EXPIRED;
200         }
201
202         /* check for immediate expiry "must change at next logon" (but not if this is a password change request) */
203         if ((must_change_time == 0) && !password_change) {
204                 DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", 
205                          name_for_logs));
206                 return NT_STATUS_PASSWORD_MUST_CHANGE;
207         }
208
209         /* check for expired password (but not if this is a password change request) */
210         if ((must_change_time < now) && !password_change) {
211                 DEBUG(1,("sam_account_ok: Account for user '%s' password expired!.\n", 
212                          name_for_logs));
213                 DEBUG(1,("sam_account_ok: Password expired at '%s' unix time.\n", 
214                          nt_time_string(mem_ctx, must_change_time)));
215                 return NT_STATUS_PASSWORD_EXPIRED;
216         }
217
218         /* Test workstation. Workstation list is comma separated. */
219         if (logon_workstation && workstation_list && *workstation_list) {
220                 bool invalid_ws = true;
221                 int i;
222                 const char **workstations = (const char **)str_list_make(mem_ctx, workstation_list, ",");
223                 
224                 for (i = 0; workstations && workstations[i]; i++) {
225                         DEBUG(10,("sam_account_ok: checking for workstation match '%s' and '%s'\n",
226                                   workstations[i], logon_workstation));
227
228                         if (strequal(workstations[i], logon_workstation)) {
229                                 invalid_ws = false;
230                                 break;
231                         }
232                 }
233
234                 talloc_free(workstations);
235
236                 if (invalid_ws) {
237                         return NT_STATUS_INVALID_WORKSTATION;
238                 }
239         }
240         
241         if (!logon_hours_ok(msg, name_for_logs)) {
242                 return NT_STATUS_INVALID_LOGON_HOURS;
243         }
244         
245         if (!allow_domain_trust) {
246                 if (acct_flags & ACB_DOMTRUST) {
247                         DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", name_for_logs));
248                         return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
249                 }
250         }
251         if (!(logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) {
252                 if (acct_flags & ACB_SVRTRUST) {
253                         DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", name_for_logs));
254                         return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
255                 }
256         }
257         if (!(logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) {
258                 if (acct_flags & ACB_WSTRUST) {
259                         DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", name_for_logs));
260                         return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
261                 }
262         }
263
264         return NT_STATUS_OK;
265 }
266
267 _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
268                                            const char *netbios_name,
269                                            const char *domain_name,
270                                            struct ldb_dn *domain_dn, 
271                                            struct ldb_message *msg,
272                                            DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key,
273                                            struct auth_serversupplied_info **_server_info)
274 {
275         struct auth_serversupplied_info *server_info;
276         int group_ret = 0;
277         /* find list of sids */
278         struct dom_sid **groupSIDs = NULL;
279         struct dom_sid *account_sid;
280         struct dom_sid *primary_group_sid;
281         const char *str;
282         int i;
283         uint_t rid;
284         TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);      
285         struct ldb_message_element *el;
286
287         server_info = talloc(tmp_ctx, struct auth_serversupplied_info);
288         NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info, tmp_ctx);
289         
290         el = ldb_msg_find_element(msg, "memberOf");
291         if (el != NULL) {
292                 group_ret = el->num_values;
293                 groupSIDs = talloc_array(server_info, struct dom_sid *, group_ret);
294                 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, tmp_ctx);
295         }
296
297         /* TODO Note: this is incomplete. We need to unroll some
298          * nested groups, but not aliases */
299         for (i = 0; i < group_ret; i++) {
300                 struct ldb_dn *dn;
301                 const struct ldb_val *v;
302                 enum ndr_err_code ndr_err;
303
304                 dn = ldb_dn_from_ldb_val(tmp_ctx, sam_ctx, &el->values[i]);
305                 if (dn == NULL) {
306                         talloc_free(tmp_ctx);
307                         return NT_STATUS_INTERNAL_DB_CORRUPTION;
308                 }
309                 v = ldb_dn_get_extended_component(dn, "SID");
310                 groupSIDs[i] = talloc(groupSIDs, struct dom_sid);
311                 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs[i], tmp_ctx);
312
313                 ndr_err = ndr_pull_struct_blob(v, groupSIDs[i], NULL, groupSIDs[i], 
314                                                (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
315                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
316                         talloc_free(tmp_ctx);
317                         return NT_STATUS_INTERNAL_DB_CORRUPTION;
318                 }
319         }
320
321         account_sid = samdb_result_dom_sid(server_info, msg, "objectSid");
322         NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid, tmp_ctx);
323
324         primary_group_sid = dom_sid_dup(server_info, account_sid);
325         NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_sid, tmp_ctx);
326
327         rid = samdb_result_uint(msg, "primaryGroupID", ~0);
328         if (rid == ~0) {
329                 if (group_ret > 0) {
330                         primary_group_sid = groupSIDs[0];
331                 } else {
332                         primary_group_sid = NULL;
333                 }
334         } else {
335                 primary_group_sid->sub_auths[primary_group_sid->num_auths-1] = rid;
336         }
337
338         server_info->account_sid = account_sid;
339         server_info->primary_group_sid = primary_group_sid;
340         
341         server_info->n_domain_groups = group_ret;
342         server_info->domain_groups = groupSIDs;
343
344         server_info->account_name = talloc_steal(server_info, samdb_result_string(msg, "sAMAccountName", NULL));
345
346         server_info->domain_name = talloc_strdup(server_info, domain_name);
347         NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_name, tmp_ctx);
348
349         str = samdb_result_string(msg, "displayName", "");
350         server_info->full_name = talloc_strdup(server_info, str);
351         NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->full_name, tmp_ctx);
352
353         str = samdb_result_string(msg, "scriptPath", "");
354         server_info->logon_script = talloc_strdup(server_info, str);
355         NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->logon_script, tmp_ctx);
356
357         str = samdb_result_string(msg, "profilePath", "");
358         server_info->profile_path = talloc_strdup(server_info, str);
359         NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->profile_path, tmp_ctx);
360
361         str = samdb_result_string(msg, "homeDirectory", "");
362         server_info->home_directory = talloc_strdup(server_info, str);
363         NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->home_directory, tmp_ctx);
364
365         str = samdb_result_string(msg, "homeDrive", "");
366         server_info->home_drive = talloc_strdup(server_info, str);
367         NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->home_drive, tmp_ctx);
368
369         server_info->logon_server = talloc_strdup(server_info, netbios_name);
370         NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->logon_server, tmp_ctx);
371
372         server_info->last_logon = samdb_result_nttime(msg, "lastLogon", 0);
373         server_info->last_logoff = samdb_result_nttime(msg, "lastLogoff", 0);
374         server_info->acct_expiry = samdb_result_account_expires(msg);
375         server_info->last_password_change = samdb_result_nttime(msg, "pwdLastSet", 0);
376
377         server_info->allow_password_change
378                 = samdb_result_allow_password_change(sam_ctx, mem_ctx, 
379                                                      domain_dn, msg, "pwdLastSet");
380         server_info->force_password_change
381                 = samdb_result_force_password_change(sam_ctx, mem_ctx, 
382                                                      domain_dn, msg);
383         
384         server_info->logon_count = samdb_result_uint(msg, "logonCount", 0);
385         server_info->bad_password_count = samdb_result_uint(msg, "badPwdCount", 0);
386
387         server_info->acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, 
388                                                           msg, domain_dn);
389
390         server_info->user_session_key = user_sess_key;
391         server_info->lm_session_key = lm_sess_key;
392
393         server_info->authenticated = true;
394
395         *_server_info = talloc_steal(mem_ctx, server_info);
396
397         return NT_STATUS_OK;
398 }
399
400 NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
401                                    TALLOC_CTX *mem_ctx, const char *principal,
402                                    const char **attrs,
403                                    struct ldb_dn **domain_dn,
404                                    struct ldb_message **msg)
405 {                          
406         struct ldb_dn *user_dn;
407         NTSTATUS nt_status;
408         TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
409         int ret;
410
411         if (!tmp_ctx) {
412                 return NT_STATUS_NO_MEMORY;
413         }
414
415         nt_status = crack_user_principal_name(sam_ctx, tmp_ctx, principal, 
416                                               &user_dn, domain_dn);
417         if (!NT_STATUS_IS_OK(nt_status)) {
418                 talloc_free(tmp_ctx);
419                 return nt_status;
420         }
421         
422         /* pull the user attributes */
423         ret = gendb_search_single_extended_dn(sam_ctx, tmp_ctx, user_dn, LDB_SCOPE_BASE,
424                                               msg, attrs, "(objectClass=*)");
425         if (ret != LDB_SUCCESS) {
426                 talloc_free(tmp_ctx);
427                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
428         }
429         talloc_steal(mem_ctx, *msg);
430         talloc_steal(mem_ctx, *domain_dn);
431         talloc_free(tmp_ctx);
432         
433         return NT_STATUS_OK;
434 }