968ffcd9ca39a366b62561593b30d3b2fc4a7c62
[kai/samba.git] / source3 / winbindd / winbindd_pam.c
1 /*
2    Unix SMB/CIFS implementation.
3
4    Winbind daemon - pam auth funcions
5
6    Copyright (C) Andrew Tridgell 2000
7    Copyright (C) Tim Potter 2001
8    Copyright (C) Andrew Bartlett 2001-2002
9    Copyright (C) Guenther Deschner 2005
10
11    This program is free software; you can redistribute it and/or modify
12    it under the terms of the GNU General Public License as published by
13    the Free Software Foundation; either version 3 of the License, or
14    (at your option) any later version.
15
16    This program is distributed in the hope that it will be useful,
17    but WITHOUT ANY WARRANTY; without even the implied warranty of
18    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
19    GNU General Public License for more details.
20
21    You should have received a copy of the GNU General Public License
22    along with this program.  If not, see <http://www.gnu.org/licenses/>.
23 */
24
25 #include "includes.h"
26 #include "winbindd.h"
27 #include "../libcli/auth/libcli_auth.h"
28 #include "../librpc/gen_ndr/cli_samr.h"
29 #include "rpc_client/cli_samr.h"
30 #include "../librpc/gen_ndr/ndr_netlogon.h"
31 #include "rpc_client/cli_netlogon.h"
32 #include "smb_krb5.h"
33 #include "../lib/crypto/arcfour.h"
34 #include "../libcli/security/dom_sid.h"
35 #include "ads.h"
36 #include "../librpc/gen_ndr/krb5pac.h"
37
38 #undef DBGC_CLASS
39 #define DBGC_CLASS DBGC_WINBIND
40
41 #define LOGON_KRB5_FAIL_CLOCK_SKEW      0x02000000
42
43 static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx,
44                                     struct winbindd_cli_state *state,
45                                     struct netr_SamInfo3 *info3)
46 {
47         char *ex;
48         uint32_t i;
49
50         state->response->data.auth.info3.logon_time =
51                 nt_time_to_unix(info3->base.last_logon);
52         state->response->data.auth.info3.logoff_time =
53                 nt_time_to_unix(info3->base.last_logoff);
54         state->response->data.auth.info3.kickoff_time =
55                 nt_time_to_unix(info3->base.acct_expiry);
56         state->response->data.auth.info3.pass_last_set_time =
57                 nt_time_to_unix(info3->base.last_password_change);
58         state->response->data.auth.info3.pass_can_change_time =
59                 nt_time_to_unix(info3->base.allow_password_change);
60         state->response->data.auth.info3.pass_must_change_time =
61                 nt_time_to_unix(info3->base.force_password_change);
62
63         state->response->data.auth.info3.logon_count = info3->base.logon_count;
64         state->response->data.auth.info3.bad_pw_count = info3->base.bad_password_count;
65
66         state->response->data.auth.info3.user_rid = info3->base.rid;
67         state->response->data.auth.info3.group_rid = info3->base.primary_gid;
68         sid_to_fstring(state->response->data.auth.info3.dom_sid, info3->base.domain_sid);
69
70         state->response->data.auth.info3.num_groups = info3->base.groups.count;
71         state->response->data.auth.info3.user_flgs = info3->base.user_flags;
72
73         state->response->data.auth.info3.acct_flags = info3->base.acct_flags;
74         state->response->data.auth.info3.num_other_sids = info3->sidcount;
75
76         fstrcpy(state->response->data.auth.info3.user_name,
77                 info3->base.account_name.string);
78         fstrcpy(state->response->data.auth.info3.full_name,
79                 info3->base.full_name.string);
80         fstrcpy(state->response->data.auth.info3.logon_script,
81                 info3->base.logon_script.string);
82         fstrcpy(state->response->data.auth.info3.profile_path,
83                 info3->base.profile_path.string);
84         fstrcpy(state->response->data.auth.info3.home_dir,
85                 info3->base.home_directory.string);
86         fstrcpy(state->response->data.auth.info3.dir_drive,
87                 info3->base.home_drive.string);
88
89         fstrcpy(state->response->data.auth.info3.logon_srv,
90                 info3->base.logon_server.string);
91         fstrcpy(state->response->data.auth.info3.logon_dom,
92                 info3->base.domain.string);
93
94         ex = talloc_strdup(state->mem_ctx, "");
95         NT_STATUS_HAVE_NO_MEMORY(ex);
96
97         for (i=0; i < info3->base.groups.count; i++) {
98                 ex = talloc_asprintf_append_buffer(ex, "0x%08X:0x%08X\n",
99                                                    info3->base.groups.rids[i].rid,
100                                                    info3->base.groups.rids[i].attributes);
101                 NT_STATUS_HAVE_NO_MEMORY(ex);
102         }
103
104         for (i=0; i < info3->sidcount; i++) {
105                 char *sid;
106
107                 sid = dom_sid_string(mem_ctx, info3->sids[i].sid);
108                 NT_STATUS_HAVE_NO_MEMORY(sid);
109
110                 ex = talloc_asprintf_append_buffer(ex, "%s:0x%08X\n",
111                                                    sid,
112                                                    info3->sids[i].attributes);
113                 NT_STATUS_HAVE_NO_MEMORY(ex);
114
115                 talloc_free(sid);
116         }
117
118         state->response->extra_data.data = ex;
119         state->response->length += talloc_get_size(ex);
120
121         return NT_STATUS_OK;
122 }
123
124 static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx,
125                                     struct winbindd_cli_state *state,
126                                     struct netr_SamInfo3 *info3)
127 {
128         DATA_BLOB blob;
129         enum ndr_err_code ndr_err;
130
131         ndr_err = ndr_push_struct_blob(&blob, mem_ctx, info3,
132                                        (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3);
133         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
134                 DEBUG(0,("append_info3_as_ndr: failed to append\n"));
135                 return ndr_map_error2ntstatus(ndr_err);
136         }
137
138         state->response->extra_data.data = blob.data;
139         state->response->length += blob.length;
140
141         return NT_STATUS_OK;
142 }
143
144 static NTSTATUS append_unix_username(TALLOC_CTX *mem_ctx,
145                                      struct winbindd_cli_state *state,
146                                      const struct netr_SamInfo3 *info3,
147                                      const char *name_domain,
148                                      const char *name_user)
149 {
150         /* We've been asked to return the unix username, per
151            'winbind use default domain' settings and the like */
152
153         const char *nt_username, *nt_domain;
154
155         nt_domain = talloc_strdup(mem_ctx, info3->base.domain.string);
156         if (!nt_domain) {
157                 /* If the server didn't give us one, just use the one
158                  * we sent them */
159                 nt_domain = name_domain;
160         }
161
162         nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
163         if (!nt_username) {
164                 /* If the server didn't give us one, just use the one
165                  * we sent them */
166                 nt_username = name_user;
167         }
168
169         fill_domain_username(state->response->data.auth.unix_username,
170                              nt_domain, nt_username, true);
171
172         DEBUG(5,("Setting unix username to [%s]\n",
173                 state->response->data.auth.unix_username));
174
175         return NT_STATUS_OK;
176 }
177
178 static NTSTATUS append_afs_token(TALLOC_CTX *mem_ctx,
179                                  struct winbindd_cli_state *state,
180                                  const struct netr_SamInfo3 *info3,
181                                  const char *name_domain,
182                                  const char *name_user)
183 {
184         char *afsname = NULL;
185         char *cell;
186         char *token;
187
188         afsname = talloc_strdup(mem_ctx, lp_afs_username_map());
189         if (afsname == NULL) {
190                 return NT_STATUS_NO_MEMORY;
191         }
192
193         afsname = talloc_string_sub(mem_ctx,
194                                     lp_afs_username_map(),
195                                     "%D", name_domain);
196         afsname = talloc_string_sub(mem_ctx, afsname,
197                                     "%u", name_user);
198         afsname = talloc_string_sub(mem_ctx, afsname,
199                                     "%U", name_user);
200
201         {
202                 struct dom_sid user_sid;
203                 fstring sidstr;
204
205                 sid_compose(&user_sid, info3->base.domain_sid,
206                             info3->base.rid);
207                 sid_to_fstring(sidstr, &user_sid);
208                 afsname = talloc_string_sub(mem_ctx, afsname,
209                                             "%s", sidstr);
210         }
211
212         if (afsname == NULL) {
213                 return NT_STATUS_NO_MEMORY;
214         }
215
216         strlower_m(afsname);
217
218         DEBUG(10, ("Generating token for user %s\n", afsname));
219
220         cell = strchr(afsname, '@');
221
222         if (cell == NULL) {
223                 return NT_STATUS_NO_MEMORY;
224         }
225
226         *cell = '\0';
227         cell += 1;
228
229         token = afs_createtoken_str(afsname, cell);
230         if (token == NULL) {
231                 return NT_STATUS_OK;
232         }
233         state->response->extra_data.data = talloc_strdup(state->mem_ctx,
234                                                          token);
235         if (state->response->extra_data.data == NULL) {
236                 return NT_STATUS_NO_MEMORY;
237         }
238         state->response->length +=
239                 strlen((const char *)state->response->extra_data.data)+1;
240
241         return NT_STATUS_OK;
242 }
243
244 static NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
245                                      const char *group_sid)
246 /**
247  * Check whether a user belongs to a group or list of groups.
248  *
249  * @param mem_ctx talloc memory context.
250  * @param info3 user information, including group membership info.
251  * @param group_sid One or more groups , separated by commas.
252  *
253  * @return NT_STATUS_OK on success,
254  *    NT_STATUS_LOGON_FAILURE if the user does not belong,
255  *    or other NT_STATUS_IS_ERR(status) for other kinds of failure.
256  */
257 {
258         struct dom_sid *require_membership_of_sid;
259         uint32_t num_require_membership_of_sid;
260         char *req_sid;
261         const char *p;
262         struct dom_sid sid;
263         size_t i;
264         struct security_token *token;
265         TALLOC_CTX *frame = talloc_stackframe();
266         NTSTATUS status;
267
268         /* Parse the 'required group' SID */
269
270         if (!group_sid || !group_sid[0]) {
271                 /* NO sid supplied, all users may access */
272                 return NT_STATUS_OK;
273         }
274
275         token = talloc_zero(talloc_tos(), struct security_token);
276         if (token == NULL) {
277                 DEBUG(0, ("talloc failed\n"));
278                 TALLOC_FREE(frame);
279                 return NT_STATUS_NO_MEMORY;
280         }
281
282         num_require_membership_of_sid = 0;
283         require_membership_of_sid = NULL;
284
285         p = group_sid;
286
287         while (next_token_talloc(talloc_tos(), &p, &req_sid, ",")) {
288                 if (!string_to_sid(&sid, req_sid)) {
289                         DEBUG(0, ("check_info3_in_group: could not parse %s "
290                                   "as a SID!", req_sid));
291                         TALLOC_FREE(frame);
292                         return NT_STATUS_INVALID_PARAMETER;
293                 }
294
295                 status = add_sid_to_array(talloc_tos(), &sid,
296                                           &require_membership_of_sid,
297                                           &num_require_membership_of_sid);
298                 if (!NT_STATUS_IS_OK(status)) {
299                         DEBUG(0, ("add_sid_to_array failed\n"));
300                         TALLOC_FREE(frame);
301                         return status;
302                 }
303         }
304
305         status = sid_array_from_info3(talloc_tos(), info3,
306                                       &token->sids,
307                                       &token->num_sids,
308                                       true, false);
309         if (!NT_STATUS_IS_OK(status)) {
310                 TALLOC_FREE(frame);
311                 return status;
312         }
313
314         if (!NT_STATUS_IS_OK(status = add_aliases(get_global_sam_sid(),
315                                                   token))
316             || !NT_STATUS_IS_OK(status = add_aliases(&global_sid_Builtin,
317                                                      token))) {
318                 DEBUG(3, ("could not add aliases: %s\n",
319                           nt_errstr(status)));
320                 TALLOC_FREE(frame);
321                 return status;
322         }
323
324         debug_nt_user_token(DBGC_CLASS, 10, token);
325
326         for (i=0; i<num_require_membership_of_sid; i++) {
327                 DEBUG(10, ("Checking SID %s\n", sid_string_dbg(
328                                    &require_membership_of_sid[i])));
329                 if (nt_token_check_sid(&require_membership_of_sid[i],
330                                        token)) {
331                         DEBUG(10, ("Access ok\n"));
332                         TALLOC_FREE(frame);
333                         return NT_STATUS_OK;
334                 }
335         }
336
337         /* Do not distinguish this error from a wrong username/pw */
338
339         TALLOC_FREE(frame);
340         return NT_STATUS_LOGON_FAILURE;
341 }
342
343 struct winbindd_domain *find_auth_domain(uint8_t flags,
344                                          const char *domain_name)
345 {
346         struct winbindd_domain *domain;
347
348         if (IS_DC) {
349                 domain = find_domain_from_name_noinit(domain_name);
350                 if (domain == NULL) {
351                         DEBUG(3, ("Authentication for domain [%s] refused "
352                                   "as it is not a trusted domain\n",
353                                   domain_name));
354                 }
355                 return domain;
356         }
357
358         if (strequal(domain_name, get_global_sam_name())) {
359                 return find_domain_from_name_noinit(domain_name);
360         }
361
362         /* we can auth against trusted domains */
363         if (flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
364                 domain = find_domain_from_name_noinit(domain_name);
365                 if (domain == NULL) {
366                         DEBUG(3, ("Authentication for domain [%s] skipped "
367                                   "as it is not a trusted domain\n",
368                                   domain_name));
369                 } else {
370                         return domain;
371                 }
372         }
373
374         return find_our_domain();
375 }
376
377 static void fill_in_password_policy(struct winbindd_response *r,
378                                     const struct samr_DomInfo1 *p)
379 {
380         r->data.auth.policy.min_length_password =
381                 p->min_password_length;
382         r->data.auth.policy.password_history =
383                 p->password_history_length;
384         r->data.auth.policy.password_properties =
385                 p->password_properties;
386         r->data.auth.policy.expire      =
387                 nt_time_to_unix_abs((NTTIME *)&(p->max_password_age));
388         r->data.auth.policy.min_passwordage =
389                 nt_time_to_unix_abs((NTTIME *)&(p->min_password_age));
390 }
391
392 static NTSTATUS fillup_password_policy(struct winbindd_domain *domain,
393                                        struct winbindd_cli_state *state)
394 {
395         struct winbindd_methods *methods;
396         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
397         struct samr_DomInfo1 password_policy;
398
399         if ( !winbindd_can_contact_domain( domain ) ) {
400                 DEBUG(5,("fillup_password_policy: No inbound trust to "
401                          "contact domain %s\n", domain->name));
402                 return NT_STATUS_NOT_SUPPORTED;
403         }
404
405         methods = domain->methods;
406
407         status = methods->password_policy(domain, state->mem_ctx, &password_policy);
408         if (NT_STATUS_IS_ERR(status)) {
409                 return status;
410         }
411
412         fill_in_password_policy(state->response, &password_policy);
413
414         return NT_STATUS_OK;
415 }
416
417 static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain *domain,
418                                                          TALLOC_CTX *mem_ctx,
419                                                          uint16 *lockout_threshold)
420 {
421         struct winbindd_methods *methods;
422         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
423         struct samr_DomInfo12 lockout_policy;
424
425         *lockout_threshold = 0;
426
427         methods = domain->methods;
428
429         status = methods->lockout_policy(domain, mem_ctx, &lockout_policy);
430         if (NT_STATUS_IS_ERR(status)) {
431                 return status;
432         }
433
434         *lockout_threshold = lockout_policy.lockout_threshold;
435
436         return NT_STATUS_OK;
437 }
438
439 static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
440                                    TALLOC_CTX *mem_ctx,
441                                    uint32 *password_properties)
442 {
443         struct winbindd_methods *methods;
444         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
445         struct samr_DomInfo1 password_policy;
446
447         *password_properties = 0;
448
449         methods = domain->methods;
450
451         status = methods->password_policy(domain, mem_ctx, &password_policy);
452         if (NT_STATUS_IS_ERR(status)) {
453                 return status;
454         }
455
456         *password_properties = password_policy.password_properties;
457
458         return NT_STATUS_OK;
459 }
460
461 #ifdef HAVE_KRB5
462
463 static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
464                                         const char *type,
465                                         uid_t uid,
466                                         const char **user_ccache_file)
467 {
468         /* accept FILE and WRFILE as krb5_cc_type from the client and then
469          * build the full ccname string based on the user's uid here -
470          * Guenther*/
471
472         const char *gen_cc = NULL;
473
474         if (uid != -1) {
475                 if (strequal(type, "FILE")) {
476                         gen_cc = talloc_asprintf(
477                                 mem_ctx, "FILE:/tmp/krb5cc_%d", uid);
478                 }
479                 if (strequal(type, "WRFILE")) {
480                         gen_cc = talloc_asprintf(
481                                 mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
482                 }
483         }
484
485         *user_ccache_file = gen_cc;
486
487         if (gen_cc == NULL) {
488                 gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbindd_pam_ccache");
489         }
490         if (gen_cc == NULL) {
491                 DEBUG(0,("out of memory\n"));
492                 return NULL;
493         }
494
495         DEBUG(10, ("using ccache: %s%s\n", gen_cc,
496                    (*user_ccache_file == NULL) ? " (internal)":""));
497
498         return gen_cc;
499 }
500
501 #endif
502
503 uid_t get_uid_from_request(struct winbindd_request *request)
504 {
505         uid_t uid;
506
507         uid = request->data.auth.uid;
508
509         if (uid < 0) {
510                 DEBUG(1,("invalid uid: '%u'\n", (unsigned int)uid));
511                 return -1;
512         }
513         return uid;
514 }
515
516 static uid_t get_uid_from_state(struct winbindd_cli_state *state)
517 {
518         return get_uid_from_request(state->request);
519 }
520
521 /**********************************************************************
522  Authenticate a user with a clear text password using Kerberos and fill up
523  ccache if required
524  **********************************************************************/
525
526 static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
527                                             struct winbindd_cli_state *state,
528                                             struct netr_SamInfo3 **info3)
529 {
530 #ifdef HAVE_KRB5
531         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
532         krb5_error_code krb5_ret;
533         const char *cc = NULL;
534         const char *principal_s = NULL;
535         const char *service = NULL;
536         char *realm = NULL;
537         fstring name_domain, name_user;
538         time_t ticket_lifetime = 0;
539         time_t renewal_until = 0;
540         uid_t uid = -1;
541         ADS_STRUCT *ads;
542         time_t time_offset = 0;
543         const char *user_ccache_file;
544         struct PAC_LOGON_INFO *logon_info = NULL;
545
546         *info3 = NULL;
547
548         /* 1st step:
549          * prepare a krb5_cc_cache string for the user */
550
551         uid = get_uid_from_state(state);
552         if (uid == -1) {
553                 DEBUG(0,("no valid uid\n"));
554         }
555
556         cc = generate_krb5_ccache(state->mem_ctx,
557                                   state->request->data.auth.krb5_cc_type,
558                                   state->request->data.auth.uid,
559                                   &user_ccache_file);
560         if (cc == NULL) {
561                 return NT_STATUS_NO_MEMORY;
562         }
563
564
565         /* 2nd step:
566          * get kerberos properties */
567
568         if (domain->private_data) {
569                 ads = (ADS_STRUCT *)domain->private_data;
570                 time_offset = ads->auth.time_offset;
571         }
572
573
574         /* 3rd step:
575          * do kerberos auth and setup ccache as the user */
576
577         parse_domain_user(state->request->data.auth.user, name_domain, name_user);
578
579         realm = domain->alt_name;
580         strupper_m(realm);
581
582         principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
583         if (principal_s == NULL) {
584                 return NT_STATUS_NO_MEMORY;
585         }
586
587         service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
588         if (service == NULL) {
589                 return NT_STATUS_NO_MEMORY;
590         }
591
592         /* if this is a user ccache, we need to act as the user to let the krb5
593          * library handle the chown, etc. */
594
595         /************************ ENTERING NON-ROOT **********************/
596
597         if (user_ccache_file != NULL) {
598                 set_effective_uid(uid);
599                 DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
600         }
601
602         result = kerberos_return_pac(state->mem_ctx,
603                                      principal_s,
604                                      state->request->data.auth.pass,
605                                      time_offset,
606                                      &ticket_lifetime,
607                                      &renewal_until,
608                                      cc,
609                                      true,
610                                      true,
611                                      WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
612                                      NULL,
613                                      &logon_info);
614         if (user_ccache_file != NULL) {
615                 gain_root_privilege();
616         }
617
618         /************************ RETURNED TO ROOT **********************/
619
620         if (!NT_STATUS_IS_OK(result)) {
621                 goto failed;
622         }
623
624         *info3 = &logon_info->info3;
625
626         DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
627                 principal_s));
628
629         /* if we had a user's ccache then return that string for the pam
630          * environment */
631
632         if (user_ccache_file != NULL) {
633
634                 fstrcpy(state->response->data.auth.krb5ccname,
635                         user_ccache_file);
636
637                 result = add_ccache_to_list(principal_s,
638                                             cc,
639                                             service,
640                                             state->request->data.auth.user,
641                                             realm,
642                                             uid,
643                                             time(NULL),
644                                             ticket_lifetime,
645                                             renewal_until,
646                                             false);
647
648                 if (!NT_STATUS_IS_OK(result)) {
649                         DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
650                                 nt_errstr(result)));
651                 }
652         } else {
653
654                 /* need to delete the memory cred cache, it is not used anymore */
655
656                 krb5_ret = ads_kdestroy(cc);
657                 if (krb5_ret) {
658                         DEBUG(3,("winbindd_raw_kerberos_login: "
659                                  "could not destroy krb5 credential cache: "
660                                  "%s\n", error_message(krb5_ret)));
661                 }
662
663         }
664
665         return NT_STATUS_OK;
666
667 failed:
668
669         /* we could have created a new credential cache with a valid tgt in it
670          * but we werent able to get or verify the service ticket for this
671          * local host and therefor didn't get the PAC, we need to remove that
672          * cache entirely now */
673
674         krb5_ret = ads_kdestroy(cc);
675         if (krb5_ret) {
676                 DEBUG(3,("winbindd_raw_kerberos_login: "
677                          "could not destroy krb5 credential cache: "
678                          "%s\n", error_message(krb5_ret)));
679         }
680
681         if (!NT_STATUS_IS_OK(remove_ccache(state->request->data.auth.user))) {
682                 DEBUG(3,("winbindd_raw_kerberos_login: "
683                           "could not remove ccache for user %s\n",
684                         state->request->data.auth.user));
685         }
686
687         return result;
688 #else
689         return NT_STATUS_NOT_SUPPORTED;
690 #endif /* HAVE_KRB5 */
691 }
692
693 /****************************************************************
694 ****************************************************************/
695
696 bool check_request_flags(uint32_t flags)
697 {
698         uint32_t flags_edata = WBFLAG_PAM_AFS_TOKEN |
699                                WBFLAG_PAM_INFO3_TEXT |
700                                WBFLAG_PAM_INFO3_NDR;
701
702         if ( ( (flags & flags_edata) == WBFLAG_PAM_AFS_TOKEN) ||
703              ( (flags & flags_edata) == WBFLAG_PAM_INFO3_NDR) ||
704              ( (flags & flags_edata) == WBFLAG_PAM_INFO3_TEXT)||
705               !(flags & flags_edata) ) {
706                 return true;
707         }
708
709         DEBUG(1, ("check_request_flags: invalid request flags[0x%08X]\n",
710                   flags));
711
712         return false;
713 }
714
715 /****************************************************************
716 ****************************************************************/
717
718 static NTSTATUS append_auth_data(struct winbindd_cli_state *state,
719                                  struct netr_SamInfo3 *info3,
720                                  const char *name_domain,
721                                  const char *name_user)
722 {
723         NTSTATUS result;
724         uint32_t flags = state->request->flags;
725
726         if (flags & WBFLAG_PAM_USER_SESSION_KEY) {
727                 memcpy(state->response->data.auth.user_session_key,
728                        info3->base.key.key,
729                        sizeof(state->response->data.auth.user_session_key)
730                        /* 16 */);
731         }
732
733         if (flags & WBFLAG_PAM_LMKEY) {
734                 memcpy(state->response->data.auth.first_8_lm_hash,
735                        info3->base.LMSessKey.key,
736                        sizeof(state->response->data.auth.first_8_lm_hash)
737                        /* 8 */);
738         }
739
740         if (flags & WBFLAG_PAM_UNIX_NAME) {
741                 result = append_unix_username(state->mem_ctx, state, info3,
742                                               name_domain, name_user);
743                 if (!NT_STATUS_IS_OK(result)) {
744                         DEBUG(10,("Failed to append Unix Username: %s\n",
745                                 nt_errstr(result)));
746                         return result;
747                 }
748         }
749
750         /* currently, anything from here on potentially overwrites extra_data. */
751
752         if (flags & WBFLAG_PAM_INFO3_NDR) {
753                 result = append_info3_as_ndr(state->mem_ctx, state, info3);
754                 if (!NT_STATUS_IS_OK(result)) {
755                         DEBUG(10,("Failed to append INFO3 (NDR): %s\n",
756                                 nt_errstr(result)));
757                         return result;
758                 }
759         }
760
761         if (flags & WBFLAG_PAM_INFO3_TEXT) {
762                 result = append_info3_as_txt(state->mem_ctx, state, info3);
763                 if (!NT_STATUS_IS_OK(result)) {
764                         DEBUG(10,("Failed to append INFO3 (TXT): %s\n",
765                                 nt_errstr(result)));
766                         return result;
767                 }
768         }
769
770         if (flags & WBFLAG_PAM_AFS_TOKEN) {
771                 result = append_afs_token(state->mem_ctx, state, info3,
772                                           name_domain, name_user);
773                 if (!NT_STATUS_IS_OK(result)) {
774                         DEBUG(10,("Failed to append AFS token: %s\n",
775                                 nt_errstr(result)));
776                         return result;
777                 }
778         }
779
780         return NT_STATUS_OK;
781 }
782
783 static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
784                                               struct winbindd_cli_state *state,
785                                               struct netr_SamInfo3 **info3)
786 {
787         NTSTATUS result = NT_STATUS_LOGON_FAILURE;
788         uint16 max_allowed_bad_attempts;
789         fstring name_domain, name_user;
790         struct dom_sid sid;
791         enum lsa_SidType type;
792         uchar new_nt_pass[NT_HASH_LEN];
793         const uint8 *cached_nt_pass;
794         const uint8 *cached_salt;
795         struct netr_SamInfo3 *my_info3;
796         time_t kickoff_time, must_change_time;
797         bool password_good = false;
798 #ifdef HAVE_KRB5
799         struct winbindd_tdc_domain *tdc_domain = NULL;
800 #endif
801
802         *info3 = NULL;
803
804         ZERO_STRUCTP(info3);
805
806         DEBUG(10,("winbindd_dual_pam_auth_cached\n"));
807
808         /* Parse domain and username */
809
810         parse_domain_user(state->request->data.auth.user, name_domain, name_user);
811
812
813         if (!lookup_cached_name(name_domain,
814                                 name_user,
815                                 &sid,
816                                 &type)) {
817                 DEBUG(10,("winbindd_dual_pam_auth_cached: no such user in the cache\n"));
818                 return NT_STATUS_NO_SUCH_USER;
819         }
820
821         if (type != SID_NAME_USER) {
822                 DEBUG(10,("winbindd_dual_pam_auth_cached: not a user (%s)\n", sid_type_lookup(type)));
823                 return NT_STATUS_LOGON_FAILURE;
824         }
825
826         result = winbindd_get_creds(domain,
827                                     state->mem_ctx,
828                                     &sid,
829                                     &my_info3,
830                                     &cached_nt_pass,
831                                     &cached_salt);
832         if (!NT_STATUS_IS_OK(result)) {
833                 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get creds: %s\n", nt_errstr(result)));
834                 return result;
835         }
836
837         *info3 = my_info3;
838
839         E_md4hash(state->request->data.auth.pass, new_nt_pass);
840
841         dump_data_pw("new_nt_pass", new_nt_pass, NT_HASH_LEN);
842         dump_data_pw("cached_nt_pass", cached_nt_pass, NT_HASH_LEN);
843         if (cached_salt) {
844                 dump_data_pw("cached_salt", cached_salt, NT_HASH_LEN);
845         }
846
847         if (cached_salt) {
848                 /* In this case we didn't store the nt_hash itself,
849                    but the MD5 combination of salt + nt_hash. */
850                 uchar salted_hash[NT_HASH_LEN];
851                 E_md5hash(cached_salt, new_nt_pass, salted_hash);
852
853                 password_good = (memcmp(cached_nt_pass, salted_hash,
854                                         NT_HASH_LEN) == 0);
855         } else {
856                 /* Old cached cred - direct store of nt_hash (bad bad bad !). */
857                 password_good = (memcmp(cached_nt_pass, new_nt_pass,
858                                         NT_HASH_LEN) == 0);
859         }
860
861         if (password_good) {
862
863                 /* User *DOES* know the password, update logon_time and reset
864                  * bad_pw_count */
865
866                 my_info3->base.user_flags |= NETLOGON_CACHED_ACCOUNT;
867
868                 if (my_info3->base.acct_flags & ACB_AUTOLOCK) {
869                         return NT_STATUS_ACCOUNT_LOCKED_OUT;
870                 }
871
872                 if (my_info3->base.acct_flags & ACB_DISABLED) {
873                         return NT_STATUS_ACCOUNT_DISABLED;
874                 }
875
876                 if (my_info3->base.acct_flags & ACB_WSTRUST) {
877                         return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
878                 }
879
880                 if (my_info3->base.acct_flags & ACB_SVRTRUST) {
881                         return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
882                 }
883
884                 if (my_info3->base.acct_flags & ACB_DOMTRUST) {
885                         return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
886                 }
887
888                 if (!(my_info3->base.acct_flags & ACB_NORMAL)) {
889                         DEBUG(0,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
890                                 my_info3->base.acct_flags));
891                         return NT_STATUS_LOGON_FAILURE;
892                 }
893
894                 kickoff_time = nt_time_to_unix(my_info3->base.acct_expiry);
895                 if (kickoff_time != 0 && time(NULL) > kickoff_time) {
896                         return NT_STATUS_ACCOUNT_EXPIRED;
897                 }
898
899                 must_change_time = nt_time_to_unix(my_info3->base.force_password_change);
900                 if (must_change_time != 0 && must_change_time < time(NULL)) {
901                         /* we allow grace logons when the password has expired */
902                         my_info3->base.user_flags |= NETLOGON_GRACE_LOGON;
903                         /* return NT_STATUS_PASSWORD_EXPIRED; */
904                         goto success;
905                 }
906
907 #ifdef HAVE_KRB5
908                 if ((state->request->flags & WBFLAG_PAM_KRB5) &&
909                     ((tdc_domain = wcache_tdc_fetch_domain(state->mem_ctx, name_domain)) != NULL) &&
910                     ((tdc_domain->trust_type & NETR_TRUST_TYPE_UPLEVEL) ||
911                     /* used to cope with the case winbindd starting without network. */
912                     !strequal(tdc_domain->domain_name, tdc_domain->dns_name))) {
913
914                         uid_t uid = -1;
915                         const char *cc = NULL;
916                         char *realm = NULL;
917                         const char *principal_s = NULL;
918                         const char *service = NULL;
919                         const char *user_ccache_file;
920
921                         uid = get_uid_from_state(state);
922                         if (uid == -1) {
923                                 DEBUG(0,("winbindd_dual_pam_auth_cached: invalid uid\n"));
924                                 return NT_STATUS_INVALID_PARAMETER;
925                         }
926
927                         cc = generate_krb5_ccache(state->mem_ctx,
928                                                 state->request->data.auth.krb5_cc_type,
929                                                 state->request->data.auth.uid,
930                                                 &user_ccache_file);
931                         if (cc == NULL) {
932                                 return NT_STATUS_NO_MEMORY;
933                         }
934
935                         realm = domain->alt_name;
936                         strupper_m(realm);
937
938                         principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
939                         if (principal_s == NULL) {
940                                 return NT_STATUS_NO_MEMORY;
941                         }
942
943                         service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
944                         if (service == NULL) {
945                                 return NT_STATUS_NO_MEMORY;
946                         }
947
948                         if (user_ccache_file != NULL) {
949
950                                 fstrcpy(state->response->data.auth.krb5ccname,
951                                         user_ccache_file);
952
953                                 result = add_ccache_to_list(principal_s,
954                                                             cc,
955                                                             service,
956                                                             state->request->data.auth.user,
957                                                             domain->alt_name,
958                                                             uid,
959                                                             time(NULL),
960                                                             time(NULL) + lp_winbind_cache_time(),
961                                                             time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
962                                                             true);
963
964                                 if (!NT_STATUS_IS_OK(result)) {
965                                         DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
966                                                 "to add ccache to list: %s\n",
967                                                 nt_errstr(result)));
968                                 }
969                         }
970                 }
971 #endif /* HAVE_KRB5 */
972  success:
973                 /* FIXME: we possibly should handle logon hours as well (does xp when
974                  * offline?) see auth/auth_sam.c:sam_account_ok for details */
975
976                 unix_to_nt_time(&my_info3->base.last_logon, time(NULL));
977                 my_info3->base.bad_password_count = 0;
978
979                 result = winbindd_update_creds_by_info3(domain,
980                                                         state->request->data.auth.user,
981                                                         state->request->data.auth.pass,
982                                                         my_info3);
983                 if (!NT_STATUS_IS_OK(result)) {
984                         DEBUG(1,("winbindd_dual_pam_auth_cached: failed to update creds: %s\n",
985                                 nt_errstr(result)));
986                         return result;
987                 }
988
989                 return NT_STATUS_OK;
990
991         }
992
993         /* User does *NOT* know the correct password, modify info3 accordingly */
994
995         /* failure of this is not critical */
996         result = get_max_bad_attempts_from_lockout_policy(domain, state->mem_ctx, &max_allowed_bad_attempts);
997         if (!NT_STATUS_IS_OK(result)) {
998                 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get max_allowed_bad_attempts. "
999                           "Won't be able to honour account lockout policies\n"));
1000         }
1001
1002         /* increase counter */
1003         my_info3->base.bad_password_count++;
1004
1005         if (max_allowed_bad_attempts == 0) {
1006                 goto failed;
1007         }
1008
1009         /* lockout user */
1010         if (my_info3->base.bad_password_count >= max_allowed_bad_attempts) {
1011
1012                 uint32 password_properties;
1013
1014                 result = get_pwd_properties(domain, state->mem_ctx, &password_properties);
1015                 if (!NT_STATUS_IS_OK(result)) {
1016                         DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
1017                 }
1018
1019                 if ((my_info3->base.rid != DOMAIN_RID_ADMINISTRATOR) ||
1020                     (password_properties & DOMAIN_PASSWORD_LOCKOUT_ADMINS)) {
1021                         my_info3->base.acct_flags |= ACB_AUTOLOCK;
1022                 }
1023         }
1024
1025 failed:
1026         result = winbindd_update_creds_by_info3(domain,
1027                                                 state->request->data.auth.user,
1028                                                 NULL,
1029                                                 my_info3);
1030
1031         if (!NT_STATUS_IS_OK(result)) {
1032                 DEBUG(0,("winbindd_dual_pam_auth_cached: failed to update creds %s\n",
1033                         nt_errstr(result)));
1034         }
1035
1036         return NT_STATUS_LOGON_FAILURE;
1037 }
1038
1039 static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
1040                                                 struct winbindd_cli_state *state,
1041                                                 struct netr_SamInfo3 **info3)
1042 {
1043         struct winbindd_domain *contact_domain;
1044         fstring name_domain, name_user;
1045         NTSTATUS result;
1046
1047         DEBUG(10,("winbindd_dual_pam_auth_kerberos\n"));
1048
1049         /* Parse domain and username */
1050
1051         parse_domain_user(state->request->data.auth.user, name_domain, name_user);
1052
1053         /* what domain should we contact? */
1054
1055         if ( IS_DC ) {
1056                 if (!(contact_domain = find_domain_from_name(name_domain))) {
1057                         DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1058                                   state->request->data.auth.user, name_domain, name_user, name_domain));
1059                         result = NT_STATUS_NO_SUCH_USER;
1060                         goto done;
1061                 }
1062
1063         } else {
1064                 if (is_myname(name_domain)) {
1065                         DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1066                         result =  NT_STATUS_NO_SUCH_USER;
1067                         goto done;
1068                 }
1069
1070                 contact_domain = find_domain_from_name(name_domain);
1071                 if (contact_domain == NULL) {
1072                         DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1073                                   state->request->data.auth.user, name_domain, name_user, name_domain));
1074
1075                         contact_domain = find_our_domain();
1076                 }
1077         }
1078
1079         if (contact_domain->initialized &&
1080             contact_domain->active_directory) {
1081                 goto try_login;
1082         }
1083
1084         if (!contact_domain->initialized) {
1085                 init_dc_connection(contact_domain);
1086         }
1087
1088         if (!contact_domain->active_directory) {
1089                 DEBUG(3,("krb5 auth requested but domain is not Active Directory\n"));
1090                 return NT_STATUS_INVALID_LOGON_TYPE;
1091         }
1092 try_login:
1093         result = winbindd_raw_kerberos_login(contact_domain, state, info3);
1094 done:
1095         return result;
1096 }
1097
1098 static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
1099                                           const char *domain, const char *user,
1100                                           const DATA_BLOB *challenge,
1101                                           const DATA_BLOB *lm_resp,
1102                                           const DATA_BLOB *nt_resp,
1103                                           struct netr_SamInfo3 **pinfo3)
1104 {
1105         struct auth_usersupplied_info *user_info = NULL;
1106         NTSTATUS status;
1107
1108         status = make_user_info(&user_info, user, user, domain, domain,
1109                                 global_myname(), lm_resp, nt_resp, NULL, NULL,
1110                                 NULL, AUTH_PASSWORD_RESPONSE);
1111         if (!NT_STATUS_IS_OK(status)) {
1112                 DEBUG(10, ("make_user_info failed: %s\n", nt_errstr(status)));
1113                 return status;
1114         }
1115
1116         /* We don't want any more mapping of the username */
1117         user_info->mapped_state = True;
1118
1119         status = check_sam_security_info3(challenge, talloc_tos(), user_info,
1120                                           pinfo3);
1121         free_user_info(&user_info);
1122         DEBUG(10, ("Authenticated user %s\\%s successfully\n", domain, user));
1123         return NT_STATUS_OK;
1124 }
1125
1126 typedef NTSTATUS (*netlogon_fn_t)(struct rpc_pipe_client *cli,
1127                                   TALLOC_CTX *mem_ctx,
1128                                   uint32 logon_parameters,
1129                                   const char *server,
1130                                   const char *username,
1131                                   const char *domain,
1132                                   const char *workstation,
1133                                   const uint8 chal[8],
1134                                   DATA_BLOB lm_response,
1135                                   DATA_BLOB nt_response,
1136                                   struct netr_SamInfo3 **info3);
1137
1138 static NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
1139                                                 struct winbindd_cli_state *state,
1140                                                 struct netr_SamInfo3 **info3)
1141 {
1142
1143         struct rpc_pipe_client *netlogon_pipe;
1144         uchar chal[8];
1145         DATA_BLOB lm_resp;
1146         DATA_BLOB nt_resp;
1147         int attempts = 0;
1148         unsigned char local_lm_response[24];
1149         unsigned char local_nt_response[24];
1150         fstring name_domain, name_user;
1151         bool retry;
1152         NTSTATUS result;
1153         struct netr_SamInfo3 *my_info3 = NULL;
1154
1155         *info3 = NULL;
1156
1157         DEBUG(10,("winbindd_dual_pam_auth_samlogon\n"));
1158
1159         /* Parse domain and username */
1160
1161         parse_domain_user(state->request->data.auth.user, name_domain, name_user);
1162
1163         /* do password magic */
1164
1165         generate_random_buffer(chal, sizeof(chal));
1166
1167         if (lp_client_ntlmv2_auth()) {
1168                 DATA_BLOB server_chal;
1169                 DATA_BLOB names_blob;
1170                 DATA_BLOB nt_response;
1171                 DATA_BLOB lm_response;
1172                 server_chal = data_blob_talloc(state->mem_ctx, chal, 8);
1173
1174                 /* note that the 'workgroup' here is a best guess - we don't know
1175                    the server's domain at this point.  The 'server name' is also
1176                    dodgy...
1177                 */
1178                 names_blob = NTLMv2_generate_names_blob(state->mem_ctx, global_myname(), lp_workgroup());
1179
1180                 if (!SMBNTLMv2encrypt(NULL, name_user, name_domain,
1181                                       state->request->data.auth.pass,
1182                                       &server_chal,
1183                                       &names_blob,
1184                                       &lm_response, &nt_response, NULL, NULL)) {
1185                         data_blob_free(&names_blob);
1186                         data_blob_free(&server_chal);
1187                         DEBUG(0, ("winbindd_pam_auth: SMBNTLMv2encrypt() failed!\n"));
1188                         result = NT_STATUS_NO_MEMORY;
1189                         goto done;
1190                 }
1191                 data_blob_free(&names_blob);
1192                 data_blob_free(&server_chal);
1193                 lm_resp = data_blob_talloc(state->mem_ctx, lm_response.data,
1194                                            lm_response.length);
1195                 nt_resp = data_blob_talloc(state->mem_ctx, nt_response.data,
1196                                            nt_response.length);
1197                 data_blob_free(&lm_response);
1198                 data_blob_free(&nt_response);
1199
1200         } else {
1201                 if (lp_client_lanman_auth()
1202                     && SMBencrypt(state->request->data.auth.pass,
1203                                   chal,
1204                                   local_lm_response)) {
1205                         lm_resp = data_blob_talloc(state->mem_ctx,
1206                                                    local_lm_response,
1207                                                    sizeof(local_lm_response));
1208                 } else {
1209                         lm_resp = data_blob_null;
1210                 }
1211                 SMBNTencrypt(state->request->data.auth.pass,
1212                              chal,
1213                              local_nt_response);
1214
1215                 nt_resp = data_blob_talloc(state->mem_ctx,
1216                                            local_nt_response,
1217                                            sizeof(local_nt_response));
1218         }
1219
1220         if (strequal(name_domain, get_global_sam_name())) {
1221                 DATA_BLOB chal_blob = data_blob_const(chal, sizeof(chal));
1222
1223                 result = winbindd_dual_auth_passdb(
1224                         state->mem_ctx, name_domain, name_user,
1225                         &chal_blob, &lm_resp, &nt_resp, info3);
1226                 goto done;
1227         }
1228
1229         /* check authentication loop */
1230
1231         do {
1232                 netlogon_fn_t logon_fn;
1233
1234                 ZERO_STRUCTP(my_info3);
1235                 retry = false;
1236
1237                 result = cm_connect_netlogon(domain, &netlogon_pipe);
1238
1239                 if (!NT_STATUS_IS_OK(result)) {
1240                         DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
1241                         goto done;
1242                 }
1243
1244                 /* It is really important to try SamLogonEx here,
1245                  * because in a clustered environment, we want to use
1246                  * one machine account from multiple physical
1247                  * computers.
1248                  *
1249                  * With a normal SamLogon call, we must keep the
1250                  * credentials chain updated and intact between all
1251                  * users of the machine account (which would imply
1252                  * cross-node communication for every NTLM logon).
1253                  *
1254                  * (The credentials chain is not per NETLOGON pipe
1255                  * connection, but globally on the server/client pair
1256                  * by machine name).
1257                  *
1258                  * When using SamLogonEx, the credentials are not
1259                  * supplied, but the session key is implied by the
1260                  * wrapping SamLogon context.
1261                  *
1262                  *  -- abartlet 21 April 2008
1263                  */
1264
1265                 logon_fn = domain->can_do_samlogon_ex
1266                         ? rpccli_netlogon_sam_network_logon_ex
1267                         : rpccli_netlogon_sam_network_logon;
1268
1269                 result = logon_fn(netlogon_pipe,
1270                                   state->mem_ctx,
1271                                   0,
1272                                   domain->dcname,         /* server name */
1273                                   name_user,              /* user name */
1274                                   name_domain,            /* target domain */
1275                                   global_myname(),        /* workstation */
1276                                   chal,
1277                                   lm_resp,
1278                                   nt_resp,
1279                                   &my_info3);
1280                 attempts += 1;
1281
1282                 if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR)
1283                     && domain->can_do_samlogon_ex) {
1284                         DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
1285                                   "retrying with NetSamLogon\n"));
1286                         domain->can_do_samlogon_ex = false;
1287                         continue;
1288                 }
1289
1290                 /* We have to try a second time as cm_connect_netlogon
1291                    might not yet have noticed that the DC has killed
1292                    our connection. */
1293
1294                 if (!rpccli_is_connected(netlogon_pipe)) {
1295                         continue;
1296                 }
1297
1298                 /* if we get access denied, a possible cause was that we had
1299                    and open connection to the DC, but someone changed our
1300                    machine account password out from underneath us using 'net
1301                    rpc changetrustpw' */
1302
1303                 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1304                         DEBUG(3,("winbindd_pam_auth: sam_logon returned "
1305                                  "ACCESS_DENIED.  Maybe the trust account "
1306                                 "password was changed and we didn't know it. "
1307                                  "Killing connections to domain %s\n",
1308                                 name_domain));
1309                         invalidate_cm_connection(&domain->conn);
1310                         retry = true;
1311                 }
1312
1313         } while ( (attempts < 2) && retry );
1314
1315         /* handle the case where a NT4 DC does not fill in the acct_flags in
1316          * the samlogon reply info3. When accurate info3 is required by the
1317          * caller, we look up the account flags ourselve - gd */
1318
1319         if ((state->request->flags & WBFLAG_PAM_INFO3_TEXT) &&
1320             NT_STATUS_IS_OK(result) && (my_info3->base.acct_flags == 0)) {
1321
1322                 struct rpc_pipe_client *samr_pipe;
1323                 struct policy_handle samr_domain_handle, user_pol;
1324                 union samr_UserInfo *info = NULL;
1325                 NTSTATUS status_tmp;
1326                 uint32 acct_flags;
1327
1328                 status_tmp = cm_connect_sam(domain, state->mem_ctx,
1329                                             &samr_pipe, &samr_domain_handle);
1330
1331                 if (!NT_STATUS_IS_OK(status_tmp)) {
1332                         DEBUG(3, ("could not open handle to SAMR pipe: %s\n",
1333                                 nt_errstr(status_tmp)));
1334                         goto done;
1335                 }
1336
1337                 status_tmp = rpccli_samr_OpenUser(samr_pipe, state->mem_ctx,
1338                                                   &samr_domain_handle,
1339                                                   MAXIMUM_ALLOWED_ACCESS,
1340                                                   my_info3->base.rid,
1341                                                   &user_pol);
1342
1343                 if (!NT_STATUS_IS_OK(status_tmp)) {
1344                         DEBUG(3, ("could not open user handle on SAMR pipe: %s\n",
1345                                 nt_errstr(status_tmp)));
1346                         goto done;
1347                 }
1348
1349                 status_tmp = rpccli_samr_QueryUserInfo(samr_pipe, state->mem_ctx,
1350                                                        &user_pol,
1351                                                        16,
1352                                                        &info);
1353
1354                 if (!NT_STATUS_IS_OK(status_tmp)) {
1355                         DEBUG(3, ("could not query user info on SAMR pipe: %s\n",
1356                                 nt_errstr(status_tmp)));
1357                         rpccli_samr_Close(samr_pipe, state->mem_ctx, &user_pol);
1358                         goto done;
1359                 }
1360
1361                 acct_flags = info->info16.acct_flags;
1362
1363                 if (acct_flags == 0) {
1364                         rpccli_samr_Close(samr_pipe, state->mem_ctx, &user_pol);
1365                         goto done;
1366                 }
1367
1368                 my_info3->base.acct_flags = acct_flags;
1369
1370                 DEBUG(10,("successfully retrieved acct_flags 0x%x\n", acct_flags));
1371
1372                 rpccli_samr_Close(samr_pipe, state->mem_ctx, &user_pol);
1373         }
1374
1375         *info3 = my_info3;
1376 done:
1377         return result;
1378 }
1379
1380 enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
1381                                             struct winbindd_cli_state *state)
1382 {
1383         NTSTATUS result = NT_STATUS_LOGON_FAILURE;
1384         NTSTATUS krb5_result = NT_STATUS_OK;
1385         fstring name_domain, name_user;
1386         char *mapped_user;
1387         fstring domain_user;
1388         struct netr_SamInfo3 *info3 = NULL;
1389         NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
1390
1391         /* Ensure null termination */
1392         state->request->data.auth.user[sizeof(state->request->data.auth.user)-1]='\0';
1393
1394         /* Ensure null termination */
1395         state->request->data.auth.pass[sizeof(state->request->data.auth.pass)-1]='\0';
1396
1397         DEBUG(3, ("[%5lu]: dual pam auth %s\n", (unsigned long)state->pid,
1398                   state->request->data.auth.user));
1399
1400         /* Parse domain and username */
1401
1402         name_map_status = normalize_name_unmap(state->mem_ctx,
1403                                                state->request->data.auth.user,
1404                                                &mapped_user);
1405
1406         /* If the name normalization didnt' actually do anything,
1407            just use the original name */
1408
1409         if (!NT_STATUS_IS_OK(name_map_status) &&
1410             !NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
1411         {
1412                 mapped_user = state->request->data.auth.user;
1413         }
1414
1415         parse_domain_user(mapped_user, name_domain, name_user);
1416
1417         if ( mapped_user != state->request->data.auth.user ) {
1418                 fstr_sprintf( domain_user, "%s%c%s", name_domain,
1419                         *lp_winbind_separator(),
1420                         name_user );
1421                 safe_strcpy( state->request->data.auth.user, domain_user,
1422                              sizeof(state->request->data.auth.user)-1 );
1423         }
1424
1425         if (!domain->online) {
1426                 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1427                 if (domain->startup) {
1428                         /* Logons are very important to users. If we're offline and
1429                            we get a request within the first 30 seconds of startup,
1430                            try very hard to find a DC and go online. */
1431
1432                         DEBUG(10,("winbindd_dual_pam_auth: domain: %s offline and auth "
1433                                 "request in startup mode.\n", domain->name ));
1434
1435                         winbindd_flush_negative_conn_cache(domain);
1436                         result = init_dc_connection(domain);
1437                 }
1438         }
1439
1440         DEBUG(10,("winbindd_dual_pam_auth: domain: %s last was %s\n", domain->name, domain->online ? "online":"offline"));
1441
1442         /* Check for Kerberos authentication */
1443         if (domain->online && (state->request->flags & WBFLAG_PAM_KRB5)) {
1444
1445                 result = winbindd_dual_pam_auth_kerberos(domain, state, &info3);
1446                 /* save for later */
1447                 krb5_result = result;
1448
1449
1450                 if (NT_STATUS_IS_OK(result)) {
1451                         DEBUG(10,("winbindd_dual_pam_auth_kerberos succeeded\n"));
1452                         goto process_result;
1453                 } else {
1454                         DEBUG(10,("winbindd_dual_pam_auth_kerberos failed: %s\n", nt_errstr(result)));
1455                 }
1456
1457                 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
1458                     NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
1459                     NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1460                         DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
1461                         set_domain_offline( domain );
1462                         goto cached_logon;
1463                 }
1464
1465                 /* there are quite some NT_STATUS errors where there is no
1466                  * point in retrying with a samlogon, we explictly have to take
1467                  * care not to increase the bad logon counter on the DC */
1468
1469                 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_DISABLED) ||
1470                     NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_EXPIRED) ||
1471                     NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_LOCKED_OUT) ||
1472                     NT_STATUS_EQUAL(result, NT_STATUS_INVALID_LOGON_HOURS) ||
1473                     NT_STATUS_EQUAL(result, NT_STATUS_INVALID_WORKSTATION) ||
1474                     NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE) ||
1475                     NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER) ||
1476                     NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_EXPIRED) ||
1477                     NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE) ||
1478                     NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD)) {
1479                         goto done;
1480                 }
1481
1482                 if (state->request->flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
1483                         DEBUG(3,("falling back to samlogon\n"));
1484                         goto sam_logon;
1485                 } else {
1486                         goto cached_logon;
1487                 }
1488         }
1489
1490 sam_logon:
1491         /* Check for Samlogon authentication */
1492         if (domain->online) {
1493                 result = winbindd_dual_pam_auth_samlogon(domain, state, &info3);
1494
1495                 if (NT_STATUS_IS_OK(result)) {
1496                         DEBUG(10,("winbindd_dual_pam_auth_samlogon succeeded\n"));
1497                         /* add the Krb5 err if we have one */
1498                         if ( NT_STATUS_EQUAL(krb5_result, NT_STATUS_TIME_DIFFERENCE_AT_DC ) ) {
1499                                 info3->base.user_flags |= LOGON_KRB5_FAIL_CLOCK_SKEW;
1500                         }
1501                         goto process_result;
1502                 }
1503
1504                 DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n",
1505                           nt_errstr(result)));
1506
1507                 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
1508                     NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
1509                     NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND))
1510                 {
1511                         DEBUG(10,("winbindd_dual_pam_auth_samlogon setting domain to offline\n"));
1512                         set_domain_offline( domain );
1513                         goto cached_logon;
1514                 }
1515
1516                         if (domain->online) {
1517                                 /* We're still online - fail. */
1518                                 goto done;
1519                         }
1520         }
1521
1522 cached_logon:
1523         /* Check for Cached logons */
1524         if (!domain->online && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN) &&
1525             lp_winbind_offline_logon()) {
1526
1527                 result = winbindd_dual_pam_auth_cached(domain, state, &info3);
1528
1529                 if (NT_STATUS_IS_OK(result)) {
1530                         DEBUG(10,("winbindd_dual_pam_auth_cached succeeded\n"));
1531                         goto process_result;
1532                 } else {
1533                         DEBUG(10,("winbindd_dual_pam_auth_cached failed: %s\n", nt_errstr(result)));
1534                         goto done;
1535                 }
1536         }
1537
1538 process_result:
1539
1540         if (NT_STATUS_IS_OK(result)) {
1541
1542                 struct dom_sid user_sid;
1543
1544                 /* In all codepaths where result == NT_STATUS_OK info3 must have
1545                    been initialized. */
1546                 if (!info3) {
1547                         result = NT_STATUS_INTERNAL_ERROR;
1548                         goto done;
1549                 }
1550
1551                 wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
1552                 netsamlogon_cache_store(name_user, info3);
1553
1554                 /* save name_to_sid info as early as possible (only if
1555                    this is our primary domain so we don't invalidate
1556                    the cache entry by storing the seq_num for the wrong
1557                    domain). */
1558                 if ( domain->primary ) {
1559                         sid_compose(&user_sid, info3->base.domain_sid,
1560                                     info3->base.rid);
1561                         cache_name2sid(domain, name_domain, name_user,
1562                                        SID_NAME_USER, &user_sid);
1563                 }
1564
1565                 /* Check if the user is in the right group */
1566
1567                 result = check_info3_in_group(
1568                         info3,
1569                         state->request->data.auth.require_membership_of_sid);
1570                 if (!NT_STATUS_IS_OK(result)) {
1571                         DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
1572                                   state->request->data.auth.user,
1573                                   state->request->data.auth.require_membership_of_sid));
1574                         goto done;
1575                 }
1576
1577                 result = append_auth_data(state, info3, name_domain,
1578                                           name_user);
1579                 if (!NT_STATUS_IS_OK(result)) {
1580                         goto done;
1581                 }
1582
1583                 if ((state->request->flags & WBFLAG_PAM_CACHED_LOGIN)
1584                     && lp_winbind_offline_logon()) {
1585
1586                         result = winbindd_store_creds(domain,
1587                                                       state->request->data.auth.user,
1588                                                       state->request->data.auth.pass,
1589                                                       info3);
1590                 }
1591
1592                 if (state->request->flags & WBFLAG_PAM_GET_PWD_POLICY) {
1593                         struct winbindd_domain *our_domain = find_our_domain();
1594
1595                         /* This is not entirely correct I believe, but it is
1596                            consistent.  Only apply the password policy settings
1597                            too warn users for our own domain.  Cannot obtain these
1598                            from trusted DCs all the  time so don't do it at all.
1599                            -- jerry */
1600
1601                         result = NT_STATUS_NOT_SUPPORTED;
1602                         if (our_domain == domain ) {
1603                                 result = fillup_password_policy(our_domain, state);
1604                         }
1605
1606                         if (!NT_STATUS_IS_OK(result)
1607                             && !NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) )
1608                         {
1609                                 DEBUG(10,("Failed to get password policies for domain %s: %s\n",
1610                                           domain->name, nt_errstr(result)));
1611                                 goto done;
1612                         }
1613                 }
1614
1615                 result = NT_STATUS_OK;
1616         }
1617
1618 done:
1619         /* give us a more useful (more correct?) error code */
1620         if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
1621             (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
1622                 result = NT_STATUS_NO_LOGON_SERVERS;
1623         }
1624
1625         set_auth_errors(state->response, result);
1626
1627         DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
1628               state->request->data.auth.user,
1629               state->response->data.auth.nt_status_string,
1630               state->response->data.auth.pam_error));
1631
1632         return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1633 }
1634
1635 enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
1636                                                  struct winbindd_cli_state *state)
1637 {
1638         NTSTATUS result;
1639         struct netr_SamInfo3 *info3 = NULL;
1640         struct rpc_pipe_client *netlogon_pipe;
1641         const char *name_user = NULL;
1642         const char *name_domain = NULL;
1643         const char *workstation;
1644         int attempts = 0;
1645         bool retry;
1646
1647         DATA_BLOB lm_resp, nt_resp;
1648
1649         /* This is child-only, so no check for privileged access is needed
1650            anymore */
1651
1652         /* Ensure null termination */
1653         state->request->data.auth_crap.user[sizeof(state->request->data.auth_crap.user)-1]=0;
1654         state->request->data.auth_crap.domain[sizeof(state->request->data.auth_crap.domain)-1]=0;
1655
1656         name_user = state->request->data.auth_crap.user;
1657         name_domain = state->request->data.auth_crap.domain;
1658         workstation = state->request->data.auth_crap.workstation;
1659
1660         DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
1661                   name_domain, name_user));
1662
1663         if (state->request->data.auth_crap.lm_resp_len > sizeof(state->request->data.auth_crap.lm_resp)
1664                 || state->request->data.auth_crap.nt_resp_len > sizeof(state->request->data.auth_crap.nt_resp)) {
1665                 if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
1666                      state->request->extra_len != state->request->data.auth_crap.nt_resp_len) {
1667                         DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
1668                                   state->request->data.auth_crap.lm_resp_len,
1669                                   state->request->data.auth_crap.nt_resp_len));
1670                         result = NT_STATUS_INVALID_PARAMETER;
1671                         goto done;
1672                 }
1673         }
1674
1675         lm_resp = data_blob_talloc(state->mem_ctx, state->request->data.auth_crap.lm_resp,
1676                                         state->request->data.auth_crap.lm_resp_len);
1677
1678         if (state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) {
1679                 nt_resp = data_blob_talloc(state->mem_ctx,
1680                                            state->request->extra_data.data,
1681                                            state->request->data.auth_crap.nt_resp_len);
1682         } else {
1683                 nt_resp = data_blob_talloc(state->mem_ctx,
1684                                            state->request->data.auth_crap.nt_resp,
1685                                            state->request->data.auth_crap.nt_resp_len);
1686         }
1687
1688         if (strequal(name_domain, get_global_sam_name())) {
1689                 DATA_BLOB chal_blob = data_blob_const(
1690                         state->request->data.auth_crap.chal,
1691                         sizeof(state->request->data.auth_crap.chal));
1692
1693                 result = winbindd_dual_auth_passdb(
1694                         state->mem_ctx, name_domain, name_user,
1695                         &chal_blob, &lm_resp, &nt_resp, &info3);
1696                 goto process_result;
1697         }
1698
1699         do {
1700                 netlogon_fn_t logon_fn;
1701
1702                 retry = false;
1703
1704                 netlogon_pipe = NULL;
1705                 result = cm_connect_netlogon(domain, &netlogon_pipe);
1706
1707                 if (!NT_STATUS_IS_OK(result)) {
1708                         DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n",
1709                                   nt_errstr(result)));
1710                         goto done;
1711                 }
1712
1713                 logon_fn = domain->can_do_samlogon_ex
1714                         ? rpccli_netlogon_sam_network_logon_ex
1715                         : rpccli_netlogon_sam_network_logon;
1716
1717                 result = logon_fn(netlogon_pipe,
1718                                   state->mem_ctx,
1719                                   state->request->data.auth_crap.logon_parameters,
1720                                   domain->dcname,
1721                                   name_user,
1722                                   name_domain,
1723                                   /* Bug #3248 - found by Stefan Burkei. */
1724                                   workstation, /* We carefully set this above so use it... */
1725                                   state->request->data.auth_crap.chal,
1726                                   lm_resp,
1727                                   nt_resp,
1728                                   &info3);
1729
1730                 if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR)
1731                     && domain->can_do_samlogon_ex) {
1732                         DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
1733                                   "retrying with NetSamLogon\n"));
1734                         domain->can_do_samlogon_ex = false;
1735                         continue;
1736                 }
1737
1738                 attempts += 1;
1739
1740                 /* We have to try a second time as cm_connect_netlogon
1741                    might not yet have noticed that the DC has killed
1742                    our connection. */
1743
1744                 if (!rpccli_is_connected(netlogon_pipe)) {
1745                         continue;
1746                 }
1747
1748                 /* if we get access denied, a possible cause was that we had and open
1749                    connection to the DC, but someone changed our machine account password
1750                    out from underneath us using 'net rpc changetrustpw' */
1751
1752                 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1753                         DEBUG(3,("winbindd_pam_auth: sam_logon returned "
1754                                  "ACCESS_DENIED.  Maybe the trust account "
1755                                 "password was changed and we didn't know it. "
1756                                  "Killing connections to domain %s\n",
1757                                 name_domain));
1758                         invalidate_cm_connection(&domain->conn);
1759                         retry = true;
1760                 }
1761
1762         } while ( (attempts < 2) && retry );
1763
1764 process_result:
1765
1766         if (NT_STATUS_IS_OK(result)) {
1767
1768                 wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
1769                 netsamlogon_cache_store(name_user, info3);
1770
1771                 /* Check if the user is in the right group */
1772
1773                 result = check_info3_in_group(
1774                         info3,
1775                         state->request->data.auth_crap.require_membership_of_sid);
1776                 if (!NT_STATUS_IS_OK(result)) {
1777                         DEBUG(3, ("User %s is not in the required group (%s), so "
1778                                   "crap authentication is rejected\n",
1779                                   state->request->data.auth_crap.user,
1780                                   state->request->data.auth_crap.require_membership_of_sid));
1781                         goto done;
1782                 }
1783
1784                 result = append_auth_data(state, info3, name_domain,
1785                                           name_user);
1786                 if (!NT_STATUS_IS_OK(result)) {
1787                         goto done;
1788                 }
1789         }
1790
1791 done:
1792
1793         /* give us a more useful (more correct?) error code */
1794         if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
1795             (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
1796                 result = NT_STATUS_NO_LOGON_SERVERS;
1797         }
1798
1799         if (state->request->flags & WBFLAG_PAM_NT_STATUS_SQUASH) {
1800                 result = nt_status_squash(result);
1801         }
1802
1803         set_auth_errors(state->response, result);
1804
1805         DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
1806               ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n",
1807                name_domain,
1808                name_user,
1809                state->response->data.auth.nt_status_string,
1810                state->response->data.auth.pam_error));
1811
1812         return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1813 }
1814
1815 enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact_domain,
1816                                                  struct winbindd_cli_state *state)
1817 {
1818         char *oldpass;
1819         char *newpass = NULL;
1820         struct policy_handle dom_pol;
1821         struct rpc_pipe_client *cli = NULL;
1822         bool got_info = false;
1823         struct samr_DomInfo1 *info = NULL;
1824         struct userPwdChangeFailureInformation *reject = NULL;
1825         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1826         fstring domain, user;
1827
1828         ZERO_STRUCT(dom_pol);
1829
1830         DEBUG(3, ("[%5lu]: dual pam chauthtok %s\n", (unsigned long)state->pid,
1831                   state->request->data.auth.user));
1832
1833         if (!parse_domain_user(state->request->data.chauthtok.user, domain, user)) {
1834                 goto done;
1835         }
1836
1837         /* Change password */
1838
1839         oldpass = state->request->data.chauthtok.oldpass;
1840         newpass = state->request->data.chauthtok.newpass;
1841
1842         /* Initialize reject reason */
1843         state->response->data.auth.reject_reason = Undefined;
1844
1845         /* Get sam handle */
1846
1847         result = cm_connect_sam(contact_domain, state->mem_ctx, &cli,
1848                                 &dom_pol);
1849         if (!NT_STATUS_IS_OK(result)) {
1850                 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
1851                 goto done;
1852         }
1853
1854         result = rpccli_samr_chgpasswd_user3(cli, state->mem_ctx,
1855                                              user,
1856                                              newpass,
1857                                              oldpass,
1858                                              &info,
1859                                              &reject);
1860
1861         /* Windows 2003 returns NT_STATUS_PASSWORD_RESTRICTION */
1862
1863         if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) ) {
1864
1865                 fill_in_password_policy(state->response, info);
1866
1867                 state->response->data.auth.reject_reason =
1868                         reject->extendedFailureReason;
1869
1870                 got_info = true;
1871         }
1872
1873         /* atm the pidl generated rpccli_samr_ChangePasswordUser3 function will
1874          * return with NT_STATUS_BUFFER_TOO_SMALL for w2k dcs as w2k just
1875          * returns with 4byte error code (NT_STATUS_NOT_SUPPORTED) which is too
1876          * short to comply with the samr_ChangePasswordUser3 idl - gd */
1877
1878         /* only fallback when the chgpasswd_user3 call is not supported */
1879         if ((NT_STATUS_EQUAL(result, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR))) ||
1880                    (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) ||
1881                    (NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL)) ||
1882                    (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED))) {
1883
1884                 DEBUG(10,("Password change with chgpasswd_user3 failed with: %s, retrying chgpasswd_user2\n",
1885                         nt_errstr(result)));
1886
1887                 result = rpccli_samr_chgpasswd_user2(cli, state->mem_ctx, user, newpass, oldpass);
1888
1889                 /* Windows 2000 returns NT_STATUS_ACCOUNT_RESTRICTION.
1890                    Map to the same status code as Windows 2003. */
1891
1892                 if ( NT_STATUS_EQUAL(NT_STATUS_ACCOUNT_RESTRICTION, result ) ) {
1893                         result = NT_STATUS_PASSWORD_RESTRICTION;
1894                 }
1895         }
1896
1897 done:
1898
1899         if (NT_STATUS_IS_OK(result)
1900             && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN)
1901             && lp_winbind_offline_logon()) {
1902                 result = winbindd_update_creds_by_name(contact_domain, user,
1903                                                        newpass);
1904                 /* Again, this happens when we login from gdm or xdm
1905                  * and the password expires, *BUT* cached crendentials
1906                  * doesn't exist. winbindd_update_creds_by_name()
1907                  * returns NT_STATUS_NO_SUCH_USER.
1908                  * This is not a failure.
1909                  * --- BoYang
1910                  * */
1911                 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
1912                         result = NT_STATUS_OK;
1913                 }
1914
1915                 if (!NT_STATUS_IS_OK(result)) {
1916                         DEBUG(10, ("Failed to store creds: %s\n",
1917                                    nt_errstr(result)));
1918                         goto process_result;
1919                 }
1920         }
1921
1922         if (!NT_STATUS_IS_OK(result) && !got_info && contact_domain) {
1923
1924                 NTSTATUS policy_ret;
1925
1926                 policy_ret = fillup_password_policy(contact_domain, state);
1927
1928                 /* failure of this is non critical, it will just provide no
1929                  * additional information to the client why the change has
1930                  * failed - Guenther */
1931
1932                 if (!NT_STATUS_IS_OK(policy_ret)) {
1933                         DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(policy_ret)));
1934                         goto process_result;
1935                 }
1936         }
1937
1938 process_result:
1939
1940         if (strequal(contact_domain->name, get_global_sam_name())) {
1941                 /* FIXME: internal rpc pipe does not cache handles yet */
1942                 if (cli) {
1943                         if (is_valid_policy_hnd(&dom_pol)) {
1944                                 rpccli_samr_Close(cli, state->mem_ctx, &dom_pol);
1945                         }
1946                         TALLOC_FREE(cli);
1947                 }
1948         }
1949
1950         set_auth_errors(state->response, result);
1951
1952         DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
1953               ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
1954                domain,
1955                user,
1956                state->response->data.auth.nt_status_string,
1957                state->response->data.auth.pam_error));
1958
1959         return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1960 }
1961
1962 enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
1963                                               struct winbindd_cli_state *state)
1964 {
1965         NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
1966
1967         DEBUG(3, ("[%5lu]: pam dual logoff %s\n", (unsigned long)state->pid,
1968                 state->request->data.logoff.user));
1969
1970         if (!(state->request->flags & WBFLAG_PAM_KRB5)) {
1971                 result = NT_STATUS_OK;
1972                 goto process_result;
1973         }
1974
1975         if (state->request->data.logoff.krb5ccname[0] == '\0') {
1976                 result = NT_STATUS_OK;
1977                 goto process_result;
1978         }
1979
1980 #ifdef HAVE_KRB5
1981
1982         if (state->request->data.logoff.uid < 0) {
1983                 DEBUG(0,("winbindd_pam_logoff: invalid uid\n"));
1984                 goto process_result;
1985         }
1986
1987         /* what we need here is to find the corresponding krb5 ccache name *we*
1988          * created for a given username and destroy it */
1989
1990         if (!ccache_entry_exists(state->request->data.logoff.user)) {
1991                 result = NT_STATUS_OK;
1992                 DEBUG(10,("winbindd_pam_logoff: no entry found.\n"));
1993                 goto process_result;
1994         }
1995
1996         if (!ccache_entry_identical(state->request->data.logoff.user,
1997                                         state->request->data.logoff.uid,
1998                                         state->request->data.logoff.krb5ccname)) {
1999                 DEBUG(0,("winbindd_pam_logoff: cached entry differs.\n"));
2000                 goto process_result;
2001         }
2002
2003         result = remove_ccache(state->request->data.logoff.user);
2004         if (!NT_STATUS_IS_OK(result)) {
2005                 DEBUG(0,("winbindd_pam_logoff: failed to remove ccache: %s\n",
2006                         nt_errstr(result)));
2007                 goto process_result;
2008         }
2009
2010 #else
2011         result = NT_STATUS_NOT_SUPPORTED;
2012 #endif
2013
2014 process_result:
2015
2016
2017         set_auth_errors(state->response, result);
2018
2019         return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2020 }
2021
2022 /* Change user password with auth crap*/
2023
2024 enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domain *domainSt, struct winbindd_cli_state *state)
2025 {
2026         NTSTATUS result;
2027         DATA_BLOB new_nt_password;
2028         DATA_BLOB old_nt_hash_enc;
2029         DATA_BLOB new_lm_password;
2030         DATA_BLOB old_lm_hash_enc;
2031         fstring  domain,user;
2032         struct policy_handle dom_pol;
2033         struct winbindd_domain *contact_domain = domainSt;
2034         struct rpc_pipe_client *cli = NULL;
2035
2036         ZERO_STRUCT(dom_pol);
2037
2038         /* Ensure null termination */
2039         state->request->data.chng_pswd_auth_crap.user[
2040                 sizeof(state->request->data.chng_pswd_auth_crap.user)-1]=0;
2041         state->request->data.chng_pswd_auth_crap.domain[
2042                 sizeof(state->request->data.chng_pswd_auth_crap.domain)-1]=0;
2043         *domain = 0;
2044         *user = 0;
2045
2046         DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
2047                   (unsigned long)state->pid,
2048                   state->request->data.chng_pswd_auth_crap.domain,
2049                   state->request->data.chng_pswd_auth_crap.user));
2050
2051         if (lp_winbind_offline_logon()) {
2052                 DEBUG(0,("Refusing password change as winbind offline logons are enabled. "));
2053                 DEBUGADD(0,("Changing passwords here would risk inconsistent logons\n"));
2054                 result = NT_STATUS_ACCESS_DENIED;
2055                 goto done;
2056         }
2057
2058         if (*state->request->data.chng_pswd_auth_crap.domain) {
2059                 fstrcpy(domain,state->request->data.chng_pswd_auth_crap.domain);
2060         } else {
2061                 parse_domain_user(state->request->data.chng_pswd_auth_crap.user,
2062                                   domain, user);
2063
2064                 if(!*domain) {
2065                         DEBUG(3,("no domain specified with username (%s) - "
2066                                  "failing auth\n",
2067                                  state->request->data.chng_pswd_auth_crap.user));
2068                         result = NT_STATUS_NO_SUCH_USER;
2069                         goto done;
2070                 }
2071         }
2072
2073         if (!*domain && lp_winbind_use_default_domain()) {
2074                 fstrcpy(domain,(char *)lp_workgroup());
2075         }
2076
2077         if(!*user) {
2078                 fstrcpy(user, state->request->data.chng_pswd_auth_crap.user);
2079         }
2080
2081         DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n",
2082                   (unsigned long)state->pid, domain, user));
2083
2084         /* Change password */
2085         new_nt_password = data_blob_const(
2086                 state->request->data.chng_pswd_auth_crap.new_nt_pswd,
2087                 state->request->data.chng_pswd_auth_crap.new_nt_pswd_len);
2088
2089         old_nt_hash_enc = data_blob_const(
2090                 state->request->data.chng_pswd_auth_crap.old_nt_hash_enc,
2091                 state->request->data.chng_pswd_auth_crap.old_nt_hash_enc_len);
2092
2093         if(state->request->data.chng_pswd_auth_crap.new_lm_pswd_len > 0)        {
2094                 new_lm_password = data_blob_const(
2095                         state->request->data.chng_pswd_auth_crap.new_lm_pswd,
2096                         state->request->data.chng_pswd_auth_crap.new_lm_pswd_len);
2097
2098                 old_lm_hash_enc = data_blob_const(
2099                         state->request->data.chng_pswd_auth_crap.old_lm_hash_enc,
2100                         state->request->data.chng_pswd_auth_crap.old_lm_hash_enc_len);
2101         } else {
2102                 new_lm_password.length = 0;
2103                 old_lm_hash_enc.length = 0;
2104         }
2105
2106         /* Get sam handle */
2107
2108         result = cm_connect_sam(contact_domain, state->mem_ctx, &cli, &dom_pol);
2109         if (!NT_STATUS_IS_OK(result)) {
2110                 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
2111                 goto done;
2112         }
2113
2114         result = rpccli_samr_chng_pswd_auth_crap(
2115                 cli, state->mem_ctx, user, new_nt_password, old_nt_hash_enc,
2116                 new_lm_password, old_lm_hash_enc);
2117
2118  done:
2119
2120         if (strequal(contact_domain->name, get_global_sam_name())) {
2121                 /* FIXME: internal rpc pipe does not cache handles yet */
2122                 if (cli) {
2123                         if (is_valid_policy_hnd(&dom_pol)) {
2124                                 rpccli_samr_Close(cli, state->mem_ctx, &dom_pol);
2125                         }
2126                         TALLOC_FREE(cli);
2127                 }
2128         }
2129
2130         set_auth_errors(state->response, result);
2131
2132         DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2133               ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2134                domain, user,
2135                state->response->data.auth.nt_status_string,
2136                state->response->data.auth.pam_error));
2137
2138         return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2139 }