2 Unix SMB/CIFS implementation.
3 Authenticate against a remote domain
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 #define DBGC_CLASS DBGC_AUTH
27 BOOL global_machine_password_needs_changing = False;
29 extern pstring global_myname;
30 extern userdom_struct current_user_info;
32 static char *mutex_server_name;
34 static BOOL grab_server_mutex(const char *name)
36 mutex_server_name = strdup(name);
37 if (!mutex_server_name) {
38 DEBUG(0,("grab_server_mutex: malloc failed for %s\n", name));
41 if (!message_named_mutex(name, 20)) {
42 DEBUG(10,("grab_server_mutex: failed for %s\n", name));
43 SAFE_FREE(mutex_server_name);
50 static void release_server_mutex(void)
52 if (mutex_server_name) {
53 message_named_mutex_release(mutex_server_name);
54 SAFE_FREE(mutex_server_name);
59 * Connect to a remote server for domain security authenticaion.
61 * @param cli the cli to return containing the active connection
62 * @param server either a machine name or text IP address to
64 * @param trust_password the trust password to establish the
69 static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
71 const char *setup_creds_as,
73 const unsigned char *trust_passwd)
75 struct in_addr dest_ip;
76 fstring remote_machine;
79 if (is_ipaddress(server)) {
82 /* we shouldn't have 255.255.255.255 forthe IP address of
83 a password server anyways */
84 if ((to_ip.s_addr=inet_addr(server)) == 0xFFFFFFFF) {
85 DEBUG (0,("connect_to_domain_password_server: inet_addr(%s) returned 0xFFFFFFFF!\n", server));
86 return NT_STATUS_UNSUCCESSFUL;
89 if (!name_status_find("*", 0x20, 0x20, to_ip, remote_machine)) {
90 DEBUG(0, ("connect_to_domain_password_server: Can't "
91 "resolve name for IP %s\n", server));
92 return NT_STATUS_UNSUCCESSFUL;
95 fstrcpy(remote_machine, server);
98 standard_sub_basic(current_user_info.smb_name, remote_machine);
99 strupper(remote_machine);
101 if(!resolve_name( remote_machine, &dest_ip, 0x20)) {
102 DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", remote_machine));
103 return NT_STATUS_UNSUCCESSFUL;
106 if (ismyip(dest_ip)) {
107 DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n",
109 return NT_STATUS_UNSUCCESSFUL;
112 /* TODO: Send a SAMLOGON request to determine whether this is a valid
113 logonserver. We can avoid a 30-second timeout if the DC is down
114 if the SAMLOGON request fails as it is only over UDP. */
116 /* we use a mutex to prevent two connections at once - when a NT PDC gets
117 two connections where one hasn't completed a negprot yet it will send a
118 TCP reset to the first connection (tridge) */
121 * With NT4.x DC's *all* authentication must be serialized to avoid
122 * ACCESS_DENIED errors if 2 auths are done from the same machine. JRA.
125 if (!grab_server_mutex(server))
126 return NT_STATUS_UNSUCCESSFUL;
128 /* Attempt connection */
129 result = cli_full_connection(cli, global_myname, server,
130 &dest_ip, 0, "IPC$", "IPC", "", "", "");
132 if (!NT_STATUS_IS_OK(result)) {
133 release_server_mutex();
138 * We now have an anonymous connection to IPC$ on the domain password server.
142 * Even if the connect succeeds we need to setup the netlogon
143 * pipe here. We do this as we may just have changed the domain
144 * account password on the PDC and yet we may be talking to
145 * a BDC that doesn't have this replicated yet. In this case
146 * a successful connect to a DC needs to take the netlogon connect
147 * into account also. This patch from "Bjart Kvarme" <bjart.kvarme@usit.uio.no>.
150 if(cli_nt_session_open(*cli, PIPE_NETLOGON) == False) {
151 DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
152 machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli)));
153 cli_nt_session_close(*cli);
156 release_server_mutex();
157 return NT_STATUS_UNSUCCESSFUL;
160 snprintf((*cli)->mach_acct, sizeof((*cli)->mach_acct) - 1, "%s$", setup_creds_as);
162 if (!(*cli)->mach_acct) {
163 release_server_mutex();
164 return NT_STATUS_NO_MEMORY;
167 result = new_cli_nt_setup_creds(*cli, sec_chan, trust_passwd);
169 if (!NT_STATUS_IS_OK(result)) {
170 DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \
171 %s. Error was : %s.\n", remote_machine, nt_errstr(result)));
172 cli_nt_session_close(*cli);
175 release_server_mutex();
179 /* We exit here with the mutex *locked*. JRA */
184 /***********************************************************************
185 Utility function to attempt a connection to an IP address of a DC.
186 ************************************************************************/
188 static NTSTATUS attempt_connect_to_dc(struct cli_state **cli,
191 const char *setup_creds_as,
193 const unsigned char *trust_passwd)
198 * Ignore addresses we have already tried.
202 return NT_STATUS_UNSUCCESSFUL;
204 if (!lookup_dc_name(global_myname, domain, ip, dc_name))
205 return NT_STATUS_UNSUCCESSFUL;
207 return connect_to_domain_password_server(cli, dc_name, setup_creds_as, sec_chan, trust_passwd);
210 /***********************************************************************
211 We have been asked to dynamcially determine the IP addresses of
212 the PDC and BDC's for DOMAIN, and query them in turn.
213 ************************************************************************/
214 static NTSTATUS find_connect_pdc(struct cli_state **cli,
216 const char *setup_creds_as,
218 unsigned char *trust_passwd,
219 time_t last_change_time)
221 struct in_addr *ip_list = NULL;
224 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
225 time_t time_now = time(NULL);
226 BOOL use_pdc_only = False;
229 * If the time the machine password has changed
230 * was less than an hour ago then we need to contact
231 * the PDC only, as we cannot be sure domain replication
232 * has yet taken place. Bug found by Gerald (way to go
236 if (time_now - last_change_time < 3600)
239 if (!get_dc_list(use_pdc_only, domain, &ip_list, &count))
240 return NT_STATUS_UNSUCCESSFUL;
243 * Firstly try and contact a PDC/BDC who has the same
244 * network address as any of our interfaces.
246 for(i = 0; i < count; i++) {
247 if(!is_local_net(ip_list[i]))
250 if(NT_STATUS_IS_OK(nt_status =
251 attempt_connect_to_dc(cli, domain,
252 &ip_list[i], setup_creds_as,
253 sec_chan, trust_passwd)))
256 zero_ip(&ip_list[i]); /* Tried and failed. */
260 * Secondly try and contact a random PDC/BDC.
262 if(!NT_STATUS_IS_OK(nt_status)) {
263 i = (sys_random() % count);
265 if (!is_zero_ip(ip_list[i])) {
266 if (!NT_STATUS_IS_OK(nt_status =
267 attempt_connect_to_dc(cli, domain,
268 &ip_list[i], setup_creds_as,
269 sec_chan, trust_passwd)))
270 zero_ip(&ip_list[i]); /* Tried and failed. */
275 * Finally go through the IP list in turn, ignoring any addresses
276 * we have already tried.
278 if(!NT_STATUS_IS_OK(nt_status)) {
280 * Try and connect to any of the other IP addresses in the PDC/BDC list.
281 * Note that from a WINS server the #1 IP address is the PDC.
283 for(i = 0; i < count; i++) {
284 if (is_zero_ip(ip_list[i]))
287 if (NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, domain,
288 &ip_list[i], setup_creds_as, sec_chan, trust_passwd)))
297 /***********************************************************************
298 Do the same as security=server, but using NT Domain calls and a session
299 key from the machine password. If the server parameter is specified
300 use it, otherwise figure out a server from the 'password server' param.
301 ************************************************************************/
303 static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
304 const auth_usersupplied_info *user_info,
307 auth_serversupplied_info **server_info,
308 char *server, char *setup_creds_as,
310 unsigned char *trust_passwd,
311 time_t last_change_time)
313 fstring remote_machine;
314 NET_USER_INFO_3 info3;
315 struct cli_state *cli = NULL;
316 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
320 * At this point, smb_apasswd points to the lanman response to
321 * the challenge in local_challenge, and smb_ntpasswd points to
322 * the NT response to the challenge in local_challenge. Ship
323 * these over the secure channel to a domain controller and
324 * see if they were valid.
327 while (!NT_STATUS_IS_OK(nt_status) &&
328 next_token(&server,remote_machine,LIST_SEP,sizeof(remote_machine))) {
329 if(strequal(remote_machine, "*")) {
330 nt_status = find_connect_pdc(&cli, domain, setup_creds_as, sec_chan, trust_passwd, last_change_time);
332 nt_status = connect_to_domain_password_server(&cli, remote_machine, setup_creds_as, sec_chan, trust_passwd);
336 if (!NT_STATUS_IS_OK(nt_status)) {
337 DEBUG(0,("domain_client_validate: Domain password server not available.\n"));
344 * If this call succeeds, we now have lots of info about the user
345 * in the info3 structure.
348 nt_status = cli_netlogon_sam_network_logon(cli, mem_ctx,
349 user_info->smb_name.str, user_info->domain.str,
350 user_info->wksta_name.str, chal,
351 user_info->lm_resp, user_info->nt_resp,
354 if (!NT_STATUS_IS_OK(nt_status)) {
355 DEBUG(0,("domain_client_validate: unable to validate password "
356 "for user %s in domain %s to Domain controller %s. "
357 "Error was %s.\n", user_info->smb_name.str,
358 user_info->domain.str, cli->srv_name_slash,
359 nt_errstr(nt_status)));
363 /* Check DOMAIN\username first to catch winbind users, then
364 just the username for local users. */
366 dom_user = talloc_asprintf(mem_ctx, "%s%s%s", user_info->domain.str,
367 lp_winbind_separator(),
368 user_info->internal_username.str);
371 DEBUG(0, ("talloc_asprintf failed!\n"));
372 nt_status = NT_STATUS_NO_MEMORY;
375 if (!(pass = Get_Pwnam(dom_user)))
376 pass = Get_Pwnam(user_info->internal_username.str);
379 make_server_info_pw(server_info, pass);
381 nt_status = NT_STATUS_NO_MEMORY;
384 nt_status = NT_STATUS_NO_SUCH_USER;
389 /* Store the user group information in the server_info returned to the caller. */
391 if (NT_STATUS_IS_OK(nt_status) && (info3.num_groups2 != 0)) {
394 auth_serversupplied_info *pserver_info = *server_info;
396 if ((pserver_info->ptok = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) {
397 DEBUG(0, ("domain_client_validate: out of memory allocating rid group membership\n"));
398 nt_status = NT_STATUS_NO_MEMORY;
399 free_server_info(server_info);
403 ptok = pserver_info->ptok;
404 ptok->num_sids = (size_t)info3.num_groups2;
406 if ((ptok->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptok->num_sids )) == NULL) {
407 DEBUG(0, ("domain_client_validate: Out of memory allocating group SIDS\n"));
408 nt_status = NT_STATUS_NO_MEMORY;
409 free_server_info(server_info);
413 for (i = 0; i < ptok->num_sids; i++) {
414 sid_copy(&ptok->user_sids[i], &info3.dom_sid.sid);
415 sid_append_rid(&ptok->user_sids[i], info3.gids[i].g_rid);
418 uni_group_cache_store_netlogon(mem_ctx, &info3);
423 * We don't actually need to do this - plus it fails currently with
424 * NT_STATUS_INVALID_INFO_CLASS - we need to know *exactly* what to
428 if (NT_STATUS_IS_OK(status)) {
429 if(cli_nt_logoff(&cli, &ctr) == False) {
430 DEBUG(0,("domain_client_validate: unable to log off user %s in domain \
431 %s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli)));
432 nt_status = NT_STATUS_LOGON_FAILURE;
439 /* Note - once the cli stream is shutdown the mem_ctx used
440 to allocate the other_sids and gids structures has been deleted - so
441 these pointers are no longer valid..... */
443 cli_nt_session_close(cli);
446 release_server_mutex();
450 /****************************************************************************
451 Check for a valid username and password in security=domain mode.
452 ****************************************************************************/
454 static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context,
455 void *my_private_data,
457 const auth_usersupplied_info *user_info,
458 auth_serversupplied_info **server_info)
460 NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
461 char *password_server;
462 unsigned char trust_passwd[16];
463 time_t last_change_time;
464 char *domain = lp_workgroup();
466 if (!user_info || !server_info || !auth_context) {
467 DEBUG(1,("check_ntdomain_security: Critical variables not present. Failing.\n"));
468 return NT_STATUS_INVALID_PARAMETER;
472 * Check that the requested domain is not our own machine name.
473 * If it is, we should never check the PDC here, we use our own local
477 if(is_netbios_alias_or_name(user_info->domain.str)) {
478 DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n"));
479 return NT_STATUS_LOGON_FAILURE;
483 * Get the machine account password for our primary domain
484 * No need to become_root() as secrets_init() is done at startup.
487 if (!secrets_fetch_trust_account_password(domain, trust_passwd, &last_change_time))
489 DEBUG(0, ("check_ntdomain_security: could not fetch trust account password for domain %s\n", lp_workgroup()));
490 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
493 /* Test if machine password is expired and need to be changed */
494 if (time(NULL) > last_change_time + lp_machine_password_timeout())
496 global_machine_password_needs_changing = True;
500 * Treat each name in the 'password server =' line as a potential
501 * PDC/BDC. Contact each in turn and try and authenticate.
504 password_server = lp_passwordserver();
506 nt_status = domain_client_validate(mem_ctx, user_info, domain,
507 (uchar *)auth_context->challenge.data,
509 password_server, global_myname, SEC_CHAN_WKSTA, trust_passwd, last_change_time);
513 /* module initialisation */
514 NTSTATUS auth_init_ntdomain(struct auth_context *auth_context, const char* param, auth_methods **auth_method)
516 if (!make_auth_methods(auth_context, auth_method)) {
517 return NT_STATUS_NO_MEMORY;
520 (*auth_method)->name = "ntdomain";
521 (*auth_method)->auth = check_ntdomain_security;
526 /****************************************************************************
527 Check for a valid username and password in a trusted domain
528 ****************************************************************************/
530 static NTSTATUS check_trustdomain_security(const struct auth_context *auth_context,
531 void *my_private_data,
533 const auth_usersupplied_info *user_info,
534 auth_serversupplied_info **server_info)
536 NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
537 unsigned char trust_md4_password[16];
538 char *trust_password;
539 time_t last_change_time;
542 if (!user_info || !server_info || !auth_context) {
543 DEBUG(1,("check_trustdomain_security: Critical variables not present. Failing.\n"));
544 return NT_STATUS_INVALID_PARAMETER;
548 * Check that the requested domain is not our own machine name.
549 * If it is, we should never check the PDC here, we use our own local
553 if(is_netbios_alias_or_name(user_info->domain.str)) {
554 DEBUG(3,("check_trustdomain_security: Requested domain was for this machine.\n"));
555 return NT_STATUS_LOGON_FAILURE;
559 * Check that the requested domain is not our own domain,
560 * If it is, we should use our own local password file.
563 if(strequal(lp_workgroup(), (user_info->domain.str))) {
564 DEBUG(3,("check_trustdomain_security: Requested domain was for this domain.\n"));
565 return NT_STATUS_LOGON_FAILURE;
569 * Get the trusted account password for the trusted domain
570 * No need to become_root() as secrets_init() is done at startup.
573 if (!secrets_fetch_trusted_domain_password(user_info->domain.str, &trust_password, &sid, &last_change_time))
575 DEBUG(0, ("check_trustdomain_security: could not fetch trust account password for domain %s\n", user_info->domain.str));
576 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
579 #ifdef DEBUG_PASSWORD
580 DEBUG(100, ("Trust password for domain %s is %s\n", user_info->domain.str, trust_password));
582 E_md4hash((uchar *)trust_password, trust_md4_password);
583 SAFE_FREE(trust_password);
586 /* Test if machine password is expired and need to be changed */
587 if (time(NULL) > last_change_time + lp_machine_password_timeout())
589 global_machine_password_needs_changing = True;
593 nt_status = domain_client_validate(mem_ctx, user_info, user_info->domain.str,
594 (uchar *)auth_context->challenge.data,
595 server_info, "*" /* Do a lookup */,
596 lp_workgroup(), SEC_CHAN_DOMAIN, trust_md4_password, last_change_time);
601 /* module initialisation */
602 NTSTATUS auth_init_trustdomain(struct auth_context *auth_context, const char* param, auth_methods **auth_method)
604 if (!make_auth_methods(auth_context, auth_method)) {
605 return NT_STATUS_NO_MEMORY;
608 (*auth_method)->name = "trustdomain";
609 (*auth_method)->auth = check_trustdomain_security;