s3-talloc Change TALLOC_ZERO_P() to talloc_zero()
[kai/samba.git] / source3 / auth / auth_wbc.c
1 /*
2    Unix SMB/CIFS implementation.
3
4    Winbind client authentication mechanism designed to defer all
5    authentication to the winbind daemon.
6
7    Copyright (C) Tim Potter 2000
8    Copyright (C) Andrew Bartlett 2001 - 2002
9    Copyright (C) Dan Sledz 2009
10
11    This program is free software; you can redistribute it and/or modify
12    it under the terms of the GNU General Public License as published by
13    the Free Software Foundation; either version 3 of the License, or
14    (at your option) any later version.
15
16    This program is distributed in the hope that it will be useful,
17    but WITHOUT ANY WARRANTY; without even the implied warranty of
18    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
19    GNU General Public License for more details.
20
21    You should have received a copy of the GNU General Public License
22    along with this program.  If not, see <http://www.gnu.org/licenses/>.
23 */
24
25 /* This auth module is very similar to auth_winbind with 3 distinct
26  * differences.
27  *
28  *      1) Does not fallback to another auth module if winbindd is unavailable
29  *      2) Does not validate the domain of the user
30  *      3) Handles unencrypted passwords
31  *
32  * The purpose of this module is to defer all authentication decisions (ie:
33  * local user vs NIS vs LDAP vs AD; encrypted vs plaintext) to the wbc
34  * compatible daemon.  This centeralizes all authentication decisions to a
35  * single provider.
36  *
37  * This auth backend is most useful when used in conjunction with pdb_wbc_sam.
38  */
39
40 #include "includes.h"
41 #include "auth.h"
42 #include "nsswitch/libwbclient/wbclient.h"
43
44 #undef DBGC_CLASS
45 #define DBGC_CLASS DBGC_AUTH
46
47 /* Authenticate a user with a challenge/response */
48
49 static NTSTATUS check_wbc_security(const struct auth_context *auth_context,
50                                        void *my_private_data,
51                                        TALLOC_CTX *mem_ctx,
52                                        const struct auth_usersupplied_info *user_info,
53                                        struct auth_serversupplied_info **server_info)
54 {
55         NTSTATUS nt_status;
56         wbcErr wbc_status;
57         struct wbcAuthUserParams params;
58         struct wbcAuthUserInfo *info = NULL;
59         struct wbcAuthErrorInfo *err = NULL;
60
61         if (!user_info || !auth_context || !server_info) {
62                 return NT_STATUS_INVALID_PARAMETER;
63         }
64
65         ZERO_STRUCT(params);
66
67         /* Send off request */
68
69         DEBUG(10, ("Check auth for: [%s]", user_info->mapped.account_name));
70
71         params.account_name     = user_info->client.account_name;
72         params.domain_name      = user_info->mapped.domain_name;
73         params.workstation_name = user_info->workstation_name;
74
75         params.flags            = 0;
76         params.parameter_control= user_info->logon_parameters;
77
78         /* Handle plaintext */
79         switch (user_info->password_state) {
80         case AUTH_PASSWORD_PLAIN:
81         {
82                 DEBUG(3,("Checking plaintext password for %s.\n",
83                          user_info->mapped.account_name));
84                 params.level = WBC_AUTH_USER_LEVEL_PLAIN;
85
86                 params.password.plaintext = user_info->password.plaintext;
87                 break;
88         }
89         case AUTH_PASSWORD_RESPONSE:
90         case AUTH_PASSWORD_HASH:
91         {
92                 DEBUG(3,("Checking encrypted password for %s.\n",
93                          user_info->mapped.account_name));
94                 params.level = WBC_AUTH_USER_LEVEL_RESPONSE;
95
96                 memcpy(params.password.response.challenge,
97                     auth_context->challenge.data,
98                     sizeof(params.password.response.challenge));
99
100                 if (user_info->password.response.nt.length != 0) {
101                         params.password.response.nt_length =
102                                 user_info->password.response.nt.length;
103                         params.password.response.nt_data =
104                                 user_info->password.response.nt.data;
105                 }
106                 if (user_info->password.response.lanman.length != 0) {
107                         params.password.response.lm_length =
108                                 user_info->password.response.lanman.length;
109                         params.password.response.lm_data =
110                                 user_info->password.response.lanman.data;
111                 }
112                 break;
113         }
114         default:
115                 DEBUG(0,("user_info constructed for user '%s' was invalid - password_state=%u invalid.\n",user_info->mapped.account_name, user_info->password_state));
116                 return NT_STATUS_INTERNAL_ERROR;
117 #if 0 /* If ever implemented in libwbclient */
118         case AUTH_PASSWORD_HASH:
119         {
120                 DEBUG(3,("Checking logon (hash) password for %s.\n",
121                          user_info->mapped.account_name));
122                 params.level = WBC_AUTH_USER_LEVEL_HASH;
123
124                 if (user_info->password.hash.nt) {
125                         memcpy(params.password.hash.nt_hash, user_info->password.hash.nt, sizeof(* user_info->password.hash.nt));
126                 } else {
127                         memset(params.password.hash.nt_hash, '\0', sizeof(params.password.hash.nt_hash));
128                 }
129
130                 if (user_info->password.hash.lanman) {
131                         memcpy(params.password.hash.lm_hash, user_info->password.hash.lanman, sizeof(* user_info->password.hash.lanman));
132                 } else {
133                         memset(params.password.hash.lm_hash, '\0', sizeof(params.password.hash.lm_hash));
134                 }
135
136         }
137 #endif
138         }
139
140         /* we are contacting the privileged pipe */
141         become_root();
142         wbc_status = wbcAuthenticateUserEx(&params, &info, &err);
143         unbecome_root();
144
145         if (!WBC_ERROR_IS_OK(wbc_status)) {
146                 DEBUG(10,("wbcAuthenticateUserEx failed (%d): %s\n",
147                         wbc_status, wbcErrorString(wbc_status)));
148         }
149
150         if (wbc_status == WBC_ERR_NO_MEMORY) {
151                 return NT_STATUS_NO_MEMORY;
152         }
153
154         if (wbc_status == WBC_ERR_AUTH_ERROR) {
155                 nt_status = NT_STATUS(err->nt_status);
156                 wbcFreeMemory(err);
157                 return nt_status;
158         }
159
160         if (!WBC_ERROR_IS_OK(wbc_status)) {
161                 return NT_STATUS_LOGON_FAILURE;
162         }
163
164         DEBUG(10,("wbcAuthenticateUserEx succeeded\n"));
165
166         nt_status = make_server_info_wbcAuthUserInfo(mem_ctx,
167                                                      user_info->client.account_name,
168                                                      user_info->mapped.domain_name,
169                                                      info, server_info);
170         wbcFreeMemory(info);
171         if (!NT_STATUS_IS_OK(nt_status)) {
172                 return nt_status;
173         }
174
175         (*server_info)->nss_token |= user_info->was_mapped;
176
177         return nt_status;
178 }
179
180 /* module initialisation */
181 static NTSTATUS auth_init_wbc(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
182 {
183         struct auth_methods *result;
184
185         result = talloc_zero(auth_context, struct auth_methods);
186         if (result == NULL) {
187                 return NT_STATUS_NO_MEMORY;
188         }
189         result->name = "wbc";
190         result->auth = check_wbc_security;
191
192         *auth_method = result;
193         return NT_STATUS_OK;
194 }
195
196 NTSTATUS auth_wbc_init(void)
197 {
198         return smb_register_auth(AUTH_INTERFACE_VERSION, "wbc", auth_init_wbc);
199 }