d52d4e27031791f0b9d3927dd29af0dc05fa5e57
[kai/samba.git] / source3 / winbindd / winbindd_pam.c
1 /*
2    Unix SMB/CIFS implementation.
3
4    Winbind daemon - pam auth funcions
5
6    Copyright (C) Andrew Tridgell 2000
7    Copyright (C) Tim Potter 2001
8    Copyright (C) Andrew Bartlett 2001-2002
9    Copyright (C) Guenther Deschner 2005
10
11    This program is free software; you can redistribute it and/or modify
12    it under the terms of the GNU General Public License as published by
13    the Free Software Foundation; either version 3 of the License, or
14    (at your option) any later version.
15
16    This program is distributed in the hope that it will be useful,
17    but WITHOUT ANY WARRANTY; without even the implied warranty of
18    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
19    GNU General Public License for more details.
20
21    You should have received a copy of the GNU General Public License
22    along with this program.  If not, see <http://www.gnu.org/licenses/>.
23 */
24
25 #include "includes.h"
26 #include "winbindd.h"
27 #include "../libcli/auth/libcli_auth.h"
28 #include "../librpc/gen_ndr/cli_samr.h"
29 #include "rpc_client/cli_samr.h"
30 #include "../librpc/gen_ndr/ndr_netlogon.h"
31 #include "rpc_client/cli_netlogon.h"
32 #include "smb_krb5.h"
33 #include "../lib/crypto/arcfour.h"
34 #include "../libcli/security/security.h"
35 #include "ads.h"
36 #include "../librpc/gen_ndr/krb5pac.h"
37
38 #undef DBGC_CLASS
39 #define DBGC_CLASS DBGC_WINBIND
40
41 #define LOGON_KRB5_FAIL_CLOCK_SKEW      0x02000000
42
43 static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx,
44                                     struct winbindd_response *resp,
45                                     struct netr_SamInfo3 *info3)
46 {
47         char *ex;
48         uint32_t i;
49
50         resp->data.auth.info3.logon_time =
51                 nt_time_to_unix(info3->base.last_logon);
52         resp->data.auth.info3.logoff_time =
53                 nt_time_to_unix(info3->base.last_logoff);
54         resp->data.auth.info3.kickoff_time =
55                 nt_time_to_unix(info3->base.acct_expiry);
56         resp->data.auth.info3.pass_last_set_time =
57                 nt_time_to_unix(info3->base.last_password_change);
58         resp->data.auth.info3.pass_can_change_time =
59                 nt_time_to_unix(info3->base.allow_password_change);
60         resp->data.auth.info3.pass_must_change_time =
61                 nt_time_to_unix(info3->base.force_password_change);
62
63         resp->data.auth.info3.logon_count = info3->base.logon_count;
64         resp->data.auth.info3.bad_pw_count = info3->base.bad_password_count;
65
66         resp->data.auth.info3.user_rid = info3->base.rid;
67         resp->data.auth.info3.group_rid = info3->base.primary_gid;
68         sid_to_fstring(resp->data.auth.info3.dom_sid, info3->base.domain_sid);
69
70         resp->data.auth.info3.num_groups = info3->base.groups.count;
71         resp->data.auth.info3.user_flgs = info3->base.user_flags;
72
73         resp->data.auth.info3.acct_flags = info3->base.acct_flags;
74         resp->data.auth.info3.num_other_sids = info3->sidcount;
75
76         fstrcpy(resp->data.auth.info3.user_name,
77                 info3->base.account_name.string);
78         fstrcpy(resp->data.auth.info3.full_name,
79                 info3->base.full_name.string);
80         fstrcpy(resp->data.auth.info3.logon_script,
81                 info3->base.logon_script.string);
82         fstrcpy(resp->data.auth.info3.profile_path,
83                 info3->base.profile_path.string);
84         fstrcpy(resp->data.auth.info3.home_dir,
85                 info3->base.home_directory.string);
86         fstrcpy(resp->data.auth.info3.dir_drive,
87                 info3->base.home_drive.string);
88
89         fstrcpy(resp->data.auth.info3.logon_srv,
90                 info3->base.logon_server.string);
91         fstrcpy(resp->data.auth.info3.logon_dom,
92                 info3->base.domain.string);
93
94         ex = talloc_strdup(mem_ctx, "");
95         NT_STATUS_HAVE_NO_MEMORY(ex);
96
97         for (i=0; i < info3->base.groups.count; i++) {
98                 ex = talloc_asprintf_append_buffer(ex, "0x%08X:0x%08X\n",
99                                                    info3->base.groups.rids[i].rid,
100                                                    info3->base.groups.rids[i].attributes);
101                 NT_STATUS_HAVE_NO_MEMORY(ex);
102         }
103
104         for (i=0; i < info3->sidcount; i++) {
105                 char *sid;
106
107                 sid = dom_sid_string(mem_ctx, info3->sids[i].sid);
108                 NT_STATUS_HAVE_NO_MEMORY(sid);
109
110                 ex = talloc_asprintf_append_buffer(ex, "%s:0x%08X\n",
111                                                    sid,
112                                                    info3->sids[i].attributes);
113                 NT_STATUS_HAVE_NO_MEMORY(ex);
114
115                 talloc_free(sid);
116         }
117
118         resp->extra_data.data = ex;
119         resp->length += talloc_get_size(ex);
120
121         return NT_STATUS_OK;
122 }
123
124 static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx,
125                                     struct winbindd_response *resp,
126                                     struct netr_SamInfo3 *info3)
127 {
128         DATA_BLOB blob;
129         enum ndr_err_code ndr_err;
130
131         ndr_err = ndr_push_struct_blob(&blob, mem_ctx, info3,
132                                        (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3);
133         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
134                 DEBUG(0,("append_info3_as_ndr: failed to append\n"));
135                 return ndr_map_error2ntstatus(ndr_err);
136         }
137
138         resp->extra_data.data = blob.data;
139         resp->length += blob.length;
140
141         return NT_STATUS_OK;
142 }
143
144 static NTSTATUS append_unix_username(TALLOC_CTX *mem_ctx,
145                                      struct winbindd_response *resp,
146                                      const struct netr_SamInfo3 *info3,
147                                      const char *name_domain,
148                                      const char *name_user)
149 {
150         /* We've been asked to return the unix username, per
151            'winbind use default domain' settings and the like */
152
153         const char *nt_username, *nt_domain;
154
155         nt_domain = talloc_strdup(mem_ctx, info3->base.domain.string);
156         if (!nt_domain) {
157                 /* If the server didn't give us one, just use the one
158                  * we sent them */
159                 nt_domain = name_domain;
160         }
161
162         nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
163         if (!nt_username) {
164                 /* If the server didn't give us one, just use the one
165                  * we sent them */
166                 nt_username = name_user;
167         }
168
169         fill_domain_username(resp->data.auth.unix_username,
170                              nt_domain, nt_username, true);
171
172         DEBUG(5, ("Setting unix username to [%s]\n",
173                   resp->data.auth.unix_username));
174
175         return NT_STATUS_OK;
176 }
177
178 static NTSTATUS append_afs_token(TALLOC_CTX *mem_ctx,
179                                  struct winbindd_response *resp,
180                                  const struct netr_SamInfo3 *info3,
181                                  const char *name_domain,
182                                  const char *name_user)
183 {
184         char *afsname = NULL;
185         char *cell;
186         char *token;
187
188         afsname = talloc_strdup(mem_ctx, lp_afs_username_map());
189         if (afsname == NULL) {
190                 return NT_STATUS_NO_MEMORY;
191         }
192
193         afsname = talloc_string_sub(mem_ctx,
194                                     lp_afs_username_map(),
195                                     "%D", name_domain);
196         afsname = talloc_string_sub(mem_ctx, afsname,
197                                     "%u", name_user);
198         afsname = talloc_string_sub(mem_ctx, afsname,
199                                     "%U", name_user);
200
201         {
202                 struct dom_sid user_sid;
203                 fstring sidstr;
204
205                 sid_compose(&user_sid, info3->base.domain_sid,
206                             info3->base.rid);
207                 sid_to_fstring(sidstr, &user_sid);
208                 afsname = talloc_string_sub(mem_ctx, afsname,
209                                             "%s", sidstr);
210         }
211
212         if (afsname == NULL) {
213                 return NT_STATUS_NO_MEMORY;
214         }
215
216         strlower_m(afsname);
217
218         DEBUG(10, ("Generating token for user %s\n", afsname));
219
220         cell = strchr(afsname, '@');
221
222         if (cell == NULL) {
223                 return NT_STATUS_NO_MEMORY;
224         }
225
226         *cell = '\0';
227         cell += 1;
228
229         token = afs_createtoken_str(afsname, cell);
230         if (token == NULL) {
231                 return NT_STATUS_OK;
232         }
233         resp->extra_data.data = talloc_strdup(mem_ctx, token);
234         if (resp->extra_data.data == NULL) {
235                 return NT_STATUS_NO_MEMORY;
236         }
237         resp->length += strlen((const char *)resp->extra_data.data)+1;
238
239         return NT_STATUS_OK;
240 }
241
242 static NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
243                                      const char *group_sid)
244 /**
245  * Check whether a user belongs to a group or list of groups.
246  *
247  * @param mem_ctx talloc memory context.
248  * @param info3 user information, including group membership info.
249  * @param group_sid One or more groups , separated by commas.
250  *
251  * @return NT_STATUS_OK on success,
252  *    NT_STATUS_LOGON_FAILURE if the user does not belong,
253  *    or other NT_STATUS_IS_ERR(status) for other kinds of failure.
254  */
255 {
256         struct dom_sid *require_membership_of_sid;
257         uint32_t num_require_membership_of_sid;
258         char *req_sid;
259         const char *p;
260         struct dom_sid sid;
261         size_t i;
262         struct security_token *token;
263         TALLOC_CTX *frame = talloc_stackframe();
264         NTSTATUS status;
265
266         /* Parse the 'required group' SID */
267
268         if (!group_sid || !group_sid[0]) {
269                 /* NO sid supplied, all users may access */
270                 return NT_STATUS_OK;
271         }
272
273         token = talloc_zero(talloc_tos(), struct security_token);
274         if (token == NULL) {
275                 DEBUG(0, ("talloc failed\n"));
276                 TALLOC_FREE(frame);
277                 return NT_STATUS_NO_MEMORY;
278         }
279
280         num_require_membership_of_sid = 0;
281         require_membership_of_sid = NULL;
282
283         p = group_sid;
284
285         while (next_token_talloc(talloc_tos(), &p, &req_sid, ",")) {
286                 if (!string_to_sid(&sid, req_sid)) {
287                         DEBUG(0, ("check_info3_in_group: could not parse %s "
288                                   "as a SID!", req_sid));
289                         TALLOC_FREE(frame);
290                         return NT_STATUS_INVALID_PARAMETER;
291                 }
292
293                 status = add_sid_to_array(talloc_tos(), &sid,
294                                           &require_membership_of_sid,
295                                           &num_require_membership_of_sid);
296                 if (!NT_STATUS_IS_OK(status)) {
297                         DEBUG(0, ("add_sid_to_array failed\n"));
298                         TALLOC_FREE(frame);
299                         return status;
300                 }
301         }
302
303         status = sid_array_from_info3(talloc_tos(), info3,
304                                       &token->sids,
305                                       &token->num_sids,
306                                       true, false);
307         if (!NT_STATUS_IS_OK(status)) {
308                 TALLOC_FREE(frame);
309                 return status;
310         }
311
312         if (!NT_STATUS_IS_OK(status = add_aliases(get_global_sam_sid(),
313                                                   token))
314             || !NT_STATUS_IS_OK(status = add_aliases(&global_sid_Builtin,
315                                                      token))) {
316                 DEBUG(3, ("could not add aliases: %s\n",
317                           nt_errstr(status)));
318                 TALLOC_FREE(frame);
319                 return status;
320         }
321
322         security_token_debug(DBGC_CLASS, 10, token);
323
324         for (i=0; i<num_require_membership_of_sid; i++) {
325                 DEBUG(10, ("Checking SID %s\n", sid_string_dbg(
326                                    &require_membership_of_sid[i])));
327                 if (nt_token_check_sid(&require_membership_of_sid[i],
328                                        token)) {
329                         DEBUG(10, ("Access ok\n"));
330                         TALLOC_FREE(frame);
331                         return NT_STATUS_OK;
332                 }
333         }
334
335         /* Do not distinguish this error from a wrong username/pw */
336
337         TALLOC_FREE(frame);
338         return NT_STATUS_LOGON_FAILURE;
339 }
340
341 struct winbindd_domain *find_auth_domain(uint8_t flags,
342                                          const char *domain_name)
343 {
344         struct winbindd_domain *domain;
345
346         if (IS_DC) {
347                 domain = find_domain_from_name_noinit(domain_name);
348                 if (domain == NULL) {
349                         DEBUG(3, ("Authentication for domain [%s] refused "
350                                   "as it is not a trusted domain\n",
351                                   domain_name));
352                 }
353                 return domain;
354         }
355
356         if (strequal(domain_name, get_global_sam_name())) {
357                 return find_domain_from_name_noinit(domain_name);
358         }
359
360         /* we can auth against trusted domains */
361         if (flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
362                 domain = find_domain_from_name_noinit(domain_name);
363                 if (domain == NULL) {
364                         DEBUG(3, ("Authentication for domain [%s] skipped "
365                                   "as it is not a trusted domain\n",
366                                   domain_name));
367                 } else {
368                         return domain;
369                 }
370         }
371
372         return find_our_domain();
373 }
374
375 static void fill_in_password_policy(struct winbindd_response *r,
376                                     const struct samr_DomInfo1 *p)
377 {
378         r->data.auth.policy.min_length_password =
379                 p->min_password_length;
380         r->data.auth.policy.password_history =
381                 p->password_history_length;
382         r->data.auth.policy.password_properties =
383                 p->password_properties;
384         r->data.auth.policy.expire      =
385                 nt_time_to_unix_abs((NTTIME *)&(p->max_password_age));
386         r->data.auth.policy.min_passwordage =
387                 nt_time_to_unix_abs((NTTIME *)&(p->min_password_age));
388 }
389
390 static NTSTATUS fillup_password_policy(struct winbindd_domain *domain,
391                                        struct winbindd_cli_state *state)
392 {
393         struct winbindd_methods *methods;
394         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
395         struct samr_DomInfo1 password_policy;
396
397         if ( !winbindd_can_contact_domain( domain ) ) {
398                 DEBUG(5,("fillup_password_policy: No inbound trust to "
399                          "contact domain %s\n", domain->name));
400                 return NT_STATUS_NOT_SUPPORTED;
401         }
402
403         methods = domain->methods;
404
405         status = methods->password_policy(domain, state->mem_ctx, &password_policy);
406         if (NT_STATUS_IS_ERR(status)) {
407                 return status;
408         }
409
410         fill_in_password_policy(state->response, &password_policy);
411
412         return NT_STATUS_OK;
413 }
414
415 static NTSTATUS get_max_bad_attempts_from_lockout_policy(struct winbindd_domain *domain,
416                                                          TALLOC_CTX *mem_ctx,
417                                                          uint16 *lockout_threshold)
418 {
419         struct winbindd_methods *methods;
420         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
421         struct samr_DomInfo12 lockout_policy;
422
423         *lockout_threshold = 0;
424
425         methods = domain->methods;
426
427         status = methods->lockout_policy(domain, mem_ctx, &lockout_policy);
428         if (NT_STATUS_IS_ERR(status)) {
429                 return status;
430         }
431
432         *lockout_threshold = lockout_policy.lockout_threshold;
433
434         return NT_STATUS_OK;
435 }
436
437 static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
438                                    TALLOC_CTX *mem_ctx,
439                                    uint32 *password_properties)
440 {
441         struct winbindd_methods *methods;
442         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
443         struct samr_DomInfo1 password_policy;
444
445         *password_properties = 0;
446
447         methods = domain->methods;
448
449         status = methods->password_policy(domain, mem_ctx, &password_policy);
450         if (NT_STATUS_IS_ERR(status)) {
451                 return status;
452         }
453
454         *password_properties = password_policy.password_properties;
455
456         return NT_STATUS_OK;
457 }
458
459 #ifdef HAVE_KRB5
460
461 static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
462                                         const char *type,
463                                         uid_t uid,
464                                         const char **user_ccache_file)
465 {
466         /* accept FILE and WRFILE as krb5_cc_type from the client and then
467          * build the full ccname string based on the user's uid here -
468          * Guenther*/
469
470         const char *gen_cc = NULL;
471
472         if (uid != -1) {
473                 if (strequal(type, "FILE")) {
474                         gen_cc = talloc_asprintf(
475                                 mem_ctx, "FILE:/tmp/krb5cc_%d", uid);
476                 }
477                 if (strequal(type, "WRFILE")) {
478                         gen_cc = talloc_asprintf(
479                                 mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
480                 }
481         }
482
483         *user_ccache_file = gen_cc;
484
485         if (gen_cc == NULL) {
486                 gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbindd_pam_ccache");
487         }
488         if (gen_cc == NULL) {
489                 DEBUG(0,("out of memory\n"));
490                 return NULL;
491         }
492
493         DEBUG(10, ("using ccache: %s%s\n", gen_cc,
494                    (*user_ccache_file == NULL) ? " (internal)":""));
495
496         return gen_cc;
497 }
498
499 #endif
500
501 uid_t get_uid_from_request(struct winbindd_request *request)
502 {
503         uid_t uid;
504
505         uid = request->data.auth.uid;
506
507         if (uid < 0) {
508                 DEBUG(1,("invalid uid: '%u'\n", (unsigned int)uid));
509                 return -1;
510         }
511         return uid;
512 }
513
514 static uid_t get_uid_from_state(struct winbindd_cli_state *state)
515 {
516         return get_uid_from_request(state->request);
517 }
518
519 /**********************************************************************
520  Authenticate a user with a clear text password using Kerberos and fill up
521  ccache if required
522  **********************************************************************/
523
524 static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
525                                             struct winbindd_cli_state *state,
526                                             struct netr_SamInfo3 **info3)
527 {
528 #ifdef HAVE_KRB5
529         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
530         krb5_error_code krb5_ret;
531         const char *cc = NULL;
532         const char *principal_s = NULL;
533         const char *service = NULL;
534         char *realm = NULL;
535         fstring name_domain, name_user;
536         time_t ticket_lifetime = 0;
537         time_t renewal_until = 0;
538         uid_t uid = -1;
539         ADS_STRUCT *ads;
540         time_t time_offset = 0;
541         const char *user_ccache_file;
542         struct PAC_LOGON_INFO *logon_info = NULL;
543
544         *info3 = NULL;
545
546         /* 1st step:
547          * prepare a krb5_cc_cache string for the user */
548
549         uid = get_uid_from_state(state);
550         if (uid == -1) {
551                 DEBUG(0,("no valid uid\n"));
552         }
553
554         cc = generate_krb5_ccache(state->mem_ctx,
555                                   state->request->data.auth.krb5_cc_type,
556                                   state->request->data.auth.uid,
557                                   &user_ccache_file);
558         if (cc == NULL) {
559                 return NT_STATUS_NO_MEMORY;
560         }
561
562
563         /* 2nd step:
564          * get kerberos properties */
565
566         if (domain->private_data) {
567                 ads = (ADS_STRUCT *)domain->private_data;
568                 time_offset = ads->auth.time_offset;
569         }
570
571
572         /* 3rd step:
573          * do kerberos auth and setup ccache as the user */
574
575         parse_domain_user(state->request->data.auth.user, name_domain, name_user);
576
577         realm = domain->alt_name;
578         strupper_m(realm);
579
580         principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
581         if (principal_s == NULL) {
582                 return NT_STATUS_NO_MEMORY;
583         }
584
585         service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
586         if (service == NULL) {
587                 return NT_STATUS_NO_MEMORY;
588         }
589
590         /* if this is a user ccache, we need to act as the user to let the krb5
591          * library handle the chown, etc. */
592
593         /************************ ENTERING NON-ROOT **********************/
594
595         if (user_ccache_file != NULL) {
596                 set_effective_uid(uid);
597                 DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
598         }
599
600         result = kerberos_return_pac(state->mem_ctx,
601                                      principal_s,
602                                      state->request->data.auth.pass,
603                                      time_offset,
604                                      &ticket_lifetime,
605                                      &renewal_until,
606                                      cc,
607                                      true,
608                                      true,
609                                      WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
610                                      NULL,
611                                      &logon_info);
612         if (user_ccache_file != NULL) {
613                 gain_root_privilege();
614         }
615
616         /************************ RETURNED TO ROOT **********************/
617
618         if (!NT_STATUS_IS_OK(result)) {
619                 goto failed;
620         }
621
622         *info3 = &logon_info->info3;
623
624         DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
625                 principal_s));
626
627         /* if we had a user's ccache then return that string for the pam
628          * environment */
629
630         if (user_ccache_file != NULL) {
631
632                 fstrcpy(state->response->data.auth.krb5ccname,
633                         user_ccache_file);
634
635                 result = add_ccache_to_list(principal_s,
636                                             cc,
637                                             service,
638                                             state->request->data.auth.user,
639                                             realm,
640                                             uid,
641                                             time(NULL),
642                                             ticket_lifetime,
643                                             renewal_until,
644                                             false);
645
646                 if (!NT_STATUS_IS_OK(result)) {
647                         DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
648                                 nt_errstr(result)));
649                 }
650         } else {
651
652                 /* need to delete the memory cred cache, it is not used anymore */
653
654                 krb5_ret = ads_kdestroy(cc);
655                 if (krb5_ret) {
656                         DEBUG(3,("winbindd_raw_kerberos_login: "
657                                  "could not destroy krb5 credential cache: "
658                                  "%s\n", error_message(krb5_ret)));
659                 }
660
661         }
662
663         return NT_STATUS_OK;
664
665 failed:
666
667         /* we could have created a new credential cache with a valid tgt in it
668          * but we werent able to get or verify the service ticket for this
669          * local host and therefor didn't get the PAC, we need to remove that
670          * cache entirely now */
671
672         krb5_ret = ads_kdestroy(cc);
673         if (krb5_ret) {
674                 DEBUG(3,("winbindd_raw_kerberos_login: "
675                          "could not destroy krb5 credential cache: "
676                          "%s\n", error_message(krb5_ret)));
677         }
678
679         if (!NT_STATUS_IS_OK(remove_ccache(state->request->data.auth.user))) {
680                 DEBUG(3,("winbindd_raw_kerberos_login: "
681                           "could not remove ccache for user %s\n",
682                         state->request->data.auth.user));
683         }
684
685         return result;
686 #else
687         return NT_STATUS_NOT_SUPPORTED;
688 #endif /* HAVE_KRB5 */
689 }
690
691 /****************************************************************
692 ****************************************************************/
693
694 bool check_request_flags(uint32_t flags)
695 {
696         uint32_t flags_edata = WBFLAG_PAM_AFS_TOKEN |
697                                WBFLAG_PAM_INFO3_TEXT |
698                                WBFLAG_PAM_INFO3_NDR;
699
700         if ( ( (flags & flags_edata) == WBFLAG_PAM_AFS_TOKEN) ||
701              ( (flags & flags_edata) == WBFLAG_PAM_INFO3_NDR) ||
702              ( (flags & flags_edata) == WBFLAG_PAM_INFO3_TEXT)||
703               !(flags & flags_edata) ) {
704                 return true;
705         }
706
707         DEBUG(1, ("check_request_flags: invalid request flags[0x%08X]\n",
708                   flags));
709
710         return false;
711 }
712
713 /****************************************************************
714 ****************************************************************/
715
716 static NTSTATUS append_auth_data(TALLOC_CTX *mem_ctx,
717                                  struct winbindd_response *resp,
718                                  uint32_t request_flags,
719                                  struct netr_SamInfo3 *info3,
720                                  const char *name_domain,
721                                  const char *name_user)
722 {
723         NTSTATUS result;
724
725         if (request_flags & WBFLAG_PAM_USER_SESSION_KEY) {
726                 memcpy(resp->data.auth.user_session_key,
727                        info3->base.key.key,
728                        sizeof(resp->data.auth.user_session_key)
729                        /* 16 */);
730         }
731
732         if (request_flags & WBFLAG_PAM_LMKEY) {
733                 memcpy(resp->data.auth.first_8_lm_hash,
734                        info3->base.LMSessKey.key,
735                        sizeof(resp->data.auth.first_8_lm_hash)
736                        /* 8 */);
737         }
738
739         if (request_flags & WBFLAG_PAM_UNIX_NAME) {
740                 result = append_unix_username(mem_ctx, resp,
741                                               info3, name_domain, name_user);
742                 if (!NT_STATUS_IS_OK(result)) {
743                         DEBUG(10,("Failed to append Unix Username: %s\n",
744                                 nt_errstr(result)));
745                         return result;
746                 }
747         }
748
749         /* currently, anything from here on potentially overwrites extra_data. */
750
751         if (request_flags & WBFLAG_PAM_INFO3_NDR) {
752                 result = append_info3_as_ndr(mem_ctx, resp, info3);
753                 if (!NT_STATUS_IS_OK(result)) {
754                         DEBUG(10,("Failed to append INFO3 (NDR): %s\n",
755                                 nt_errstr(result)));
756                         return result;
757                 }
758         }
759
760         if (request_flags & WBFLAG_PAM_INFO3_TEXT) {
761                 result = append_info3_as_txt(mem_ctx, resp, info3);
762                 if (!NT_STATUS_IS_OK(result)) {
763                         DEBUG(10,("Failed to append INFO3 (TXT): %s\n",
764                                 nt_errstr(result)));
765                         return result;
766                 }
767         }
768
769         if (request_flags & WBFLAG_PAM_AFS_TOKEN) {
770                 result = append_afs_token(mem_ctx, resp,
771                                           info3, name_domain, name_user);
772                 if (!NT_STATUS_IS_OK(result)) {
773                         DEBUG(10,("Failed to append AFS token: %s\n",
774                                 nt_errstr(result)));
775                         return result;
776                 }
777         }
778
779         return NT_STATUS_OK;
780 }
781
782 static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
783                                               struct winbindd_cli_state *state,
784                                               struct netr_SamInfo3 **info3)
785 {
786         NTSTATUS result = NT_STATUS_LOGON_FAILURE;
787         uint16 max_allowed_bad_attempts;
788         fstring name_domain, name_user;
789         struct dom_sid sid;
790         enum lsa_SidType type;
791         uchar new_nt_pass[NT_HASH_LEN];
792         const uint8 *cached_nt_pass;
793         const uint8 *cached_salt;
794         struct netr_SamInfo3 *my_info3;
795         time_t kickoff_time, must_change_time;
796         bool password_good = false;
797 #ifdef HAVE_KRB5
798         struct winbindd_tdc_domain *tdc_domain = NULL;
799 #endif
800
801         *info3 = NULL;
802
803         ZERO_STRUCTP(info3);
804
805         DEBUG(10,("winbindd_dual_pam_auth_cached\n"));
806
807         /* Parse domain and username */
808
809         parse_domain_user(state->request->data.auth.user, name_domain, name_user);
810
811
812         if (!lookup_cached_name(name_domain,
813                                 name_user,
814                                 &sid,
815                                 &type)) {
816                 DEBUG(10,("winbindd_dual_pam_auth_cached: no such user in the cache\n"));
817                 return NT_STATUS_NO_SUCH_USER;
818         }
819
820         if (type != SID_NAME_USER) {
821                 DEBUG(10,("winbindd_dual_pam_auth_cached: not a user (%s)\n", sid_type_lookup(type)));
822                 return NT_STATUS_LOGON_FAILURE;
823         }
824
825         result = winbindd_get_creds(domain,
826                                     state->mem_ctx,
827                                     &sid,
828                                     &my_info3,
829                                     &cached_nt_pass,
830                                     &cached_salt);
831         if (!NT_STATUS_IS_OK(result)) {
832                 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get creds: %s\n", nt_errstr(result)));
833                 return result;
834         }
835
836         *info3 = my_info3;
837
838         E_md4hash(state->request->data.auth.pass, new_nt_pass);
839
840         dump_data_pw("new_nt_pass", new_nt_pass, NT_HASH_LEN);
841         dump_data_pw("cached_nt_pass", cached_nt_pass, NT_HASH_LEN);
842         if (cached_salt) {
843                 dump_data_pw("cached_salt", cached_salt, NT_HASH_LEN);
844         }
845
846         if (cached_salt) {
847                 /* In this case we didn't store the nt_hash itself,
848                    but the MD5 combination of salt + nt_hash. */
849                 uchar salted_hash[NT_HASH_LEN];
850                 E_md5hash(cached_salt, new_nt_pass, salted_hash);
851
852                 password_good = (memcmp(cached_nt_pass, salted_hash,
853                                         NT_HASH_LEN) == 0);
854         } else {
855                 /* Old cached cred - direct store of nt_hash (bad bad bad !). */
856                 password_good = (memcmp(cached_nt_pass, new_nt_pass,
857                                         NT_HASH_LEN) == 0);
858         }
859
860         if (password_good) {
861
862                 /* User *DOES* know the password, update logon_time and reset
863                  * bad_pw_count */
864
865                 my_info3->base.user_flags |= NETLOGON_CACHED_ACCOUNT;
866
867                 if (my_info3->base.acct_flags & ACB_AUTOLOCK) {
868                         return NT_STATUS_ACCOUNT_LOCKED_OUT;
869                 }
870
871                 if (my_info3->base.acct_flags & ACB_DISABLED) {
872                         return NT_STATUS_ACCOUNT_DISABLED;
873                 }
874
875                 if (my_info3->base.acct_flags & ACB_WSTRUST) {
876                         return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
877                 }
878
879                 if (my_info3->base.acct_flags & ACB_SVRTRUST) {
880                         return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
881                 }
882
883                 if (my_info3->base.acct_flags & ACB_DOMTRUST) {
884                         return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
885                 }
886
887                 if (!(my_info3->base.acct_flags & ACB_NORMAL)) {
888                         DEBUG(0,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
889                                 my_info3->base.acct_flags));
890                         return NT_STATUS_LOGON_FAILURE;
891                 }
892
893                 kickoff_time = nt_time_to_unix(my_info3->base.acct_expiry);
894                 if (kickoff_time != 0 && time(NULL) > kickoff_time) {
895                         return NT_STATUS_ACCOUNT_EXPIRED;
896                 }
897
898                 must_change_time = nt_time_to_unix(my_info3->base.force_password_change);
899                 if (must_change_time != 0 && must_change_time < time(NULL)) {
900                         /* we allow grace logons when the password has expired */
901                         my_info3->base.user_flags |= NETLOGON_GRACE_LOGON;
902                         /* return NT_STATUS_PASSWORD_EXPIRED; */
903                         goto success;
904                 }
905
906 #ifdef HAVE_KRB5
907                 if ((state->request->flags & WBFLAG_PAM_KRB5) &&
908                     ((tdc_domain = wcache_tdc_fetch_domain(state->mem_ctx, name_domain)) != NULL) &&
909                     ((tdc_domain->trust_type & NETR_TRUST_TYPE_UPLEVEL) ||
910                     /* used to cope with the case winbindd starting without network. */
911                     !strequal(tdc_domain->domain_name, tdc_domain->dns_name))) {
912
913                         uid_t uid = -1;
914                         const char *cc = NULL;
915                         char *realm = NULL;
916                         const char *principal_s = NULL;
917                         const char *service = NULL;
918                         const char *user_ccache_file;
919
920                         uid = get_uid_from_state(state);
921                         if (uid == -1) {
922                                 DEBUG(0,("winbindd_dual_pam_auth_cached: invalid uid\n"));
923                                 return NT_STATUS_INVALID_PARAMETER;
924                         }
925
926                         cc = generate_krb5_ccache(state->mem_ctx,
927                                                 state->request->data.auth.krb5_cc_type,
928                                                 state->request->data.auth.uid,
929                                                 &user_ccache_file);
930                         if (cc == NULL) {
931                                 return NT_STATUS_NO_MEMORY;
932                         }
933
934                         realm = domain->alt_name;
935                         strupper_m(realm);
936
937                         principal_s = talloc_asprintf(state->mem_ctx, "%s@%s", name_user, realm);
938                         if (principal_s == NULL) {
939                                 return NT_STATUS_NO_MEMORY;
940                         }
941
942                         service = talloc_asprintf(state->mem_ctx, "%s/%s@%s", KRB5_TGS_NAME, realm, realm);
943                         if (service == NULL) {
944                                 return NT_STATUS_NO_MEMORY;
945                         }
946
947                         if (user_ccache_file != NULL) {
948
949                                 fstrcpy(state->response->data.auth.krb5ccname,
950                                         user_ccache_file);
951
952                                 result = add_ccache_to_list(principal_s,
953                                                             cc,
954                                                             service,
955                                                             state->request->data.auth.user,
956                                                             domain->alt_name,
957                                                             uid,
958                                                             time(NULL),
959                                                             time(NULL) + lp_winbind_cache_time(),
960                                                             time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
961                                                             true);
962
963                                 if (!NT_STATUS_IS_OK(result)) {
964                                         DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
965                                                 "to add ccache to list: %s\n",
966                                                 nt_errstr(result)));
967                                 }
968                         }
969                 }
970 #endif /* HAVE_KRB5 */
971  success:
972                 /* FIXME: we possibly should handle logon hours as well (does xp when
973                  * offline?) see auth/auth_sam.c:sam_account_ok for details */
974
975                 unix_to_nt_time(&my_info3->base.last_logon, time(NULL));
976                 my_info3->base.bad_password_count = 0;
977
978                 result = winbindd_update_creds_by_info3(domain,
979                                                         state->request->data.auth.user,
980                                                         state->request->data.auth.pass,
981                                                         my_info3);
982                 if (!NT_STATUS_IS_OK(result)) {
983                         DEBUG(1,("winbindd_dual_pam_auth_cached: failed to update creds: %s\n",
984                                 nt_errstr(result)));
985                         return result;
986                 }
987
988                 return NT_STATUS_OK;
989
990         }
991
992         /* User does *NOT* know the correct password, modify info3 accordingly */
993
994         /* failure of this is not critical */
995         result = get_max_bad_attempts_from_lockout_policy(domain, state->mem_ctx, &max_allowed_bad_attempts);
996         if (!NT_STATUS_IS_OK(result)) {
997                 DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get max_allowed_bad_attempts. "
998                           "Won't be able to honour account lockout policies\n"));
999         }
1000
1001         /* increase counter */
1002         my_info3->base.bad_password_count++;
1003
1004         if (max_allowed_bad_attempts == 0) {
1005                 goto failed;
1006         }
1007
1008         /* lockout user */
1009         if (my_info3->base.bad_password_count >= max_allowed_bad_attempts) {
1010
1011                 uint32 password_properties;
1012
1013                 result = get_pwd_properties(domain, state->mem_ctx, &password_properties);
1014                 if (!NT_STATUS_IS_OK(result)) {
1015                         DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
1016                 }
1017
1018                 if ((my_info3->base.rid != DOMAIN_RID_ADMINISTRATOR) ||
1019                     (password_properties & DOMAIN_PASSWORD_LOCKOUT_ADMINS)) {
1020                         my_info3->base.acct_flags |= ACB_AUTOLOCK;
1021                 }
1022         }
1023
1024 failed:
1025         result = winbindd_update_creds_by_info3(domain,
1026                                                 state->request->data.auth.user,
1027                                                 NULL,
1028                                                 my_info3);
1029
1030         if (!NT_STATUS_IS_OK(result)) {
1031                 DEBUG(0,("winbindd_dual_pam_auth_cached: failed to update creds %s\n",
1032                         nt_errstr(result)));
1033         }
1034
1035         return NT_STATUS_LOGON_FAILURE;
1036 }
1037
1038 static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
1039                                                 struct winbindd_cli_state *state,
1040                                                 struct netr_SamInfo3 **info3)
1041 {
1042         struct winbindd_domain *contact_domain;
1043         fstring name_domain, name_user;
1044         NTSTATUS result;
1045
1046         DEBUG(10,("winbindd_dual_pam_auth_kerberos\n"));
1047
1048         /* Parse domain and username */
1049
1050         parse_domain_user(state->request->data.auth.user, name_domain, name_user);
1051
1052         /* what domain should we contact? */
1053
1054         if ( IS_DC ) {
1055                 if (!(contact_domain = find_domain_from_name(name_domain))) {
1056                         DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1057                                   state->request->data.auth.user, name_domain, name_user, name_domain));
1058                         result = NT_STATUS_NO_SUCH_USER;
1059                         goto done;
1060                 }
1061
1062         } else {
1063                 if (is_myname(name_domain)) {
1064                         DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
1065                         result =  NT_STATUS_NO_SUCH_USER;
1066                         goto done;
1067                 }
1068
1069                 contact_domain = find_domain_from_name(name_domain);
1070                 if (contact_domain == NULL) {
1071                         DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
1072                                   state->request->data.auth.user, name_domain, name_user, name_domain));
1073
1074                         contact_domain = find_our_domain();
1075                 }
1076         }
1077
1078         if (contact_domain->initialized &&
1079             contact_domain->active_directory) {
1080                 goto try_login;
1081         }
1082
1083         if (!contact_domain->initialized) {
1084                 init_dc_connection(contact_domain);
1085         }
1086
1087         if (!contact_domain->active_directory) {
1088                 DEBUG(3,("krb5 auth requested but domain is not Active Directory\n"));
1089                 return NT_STATUS_INVALID_LOGON_TYPE;
1090         }
1091 try_login:
1092         result = winbindd_raw_kerberos_login(contact_domain, state, info3);
1093 done:
1094         return result;
1095 }
1096
1097 static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
1098                                           const char *domain, const char *user,
1099                                           const DATA_BLOB *challenge,
1100                                           const DATA_BLOB *lm_resp,
1101                                           const DATA_BLOB *nt_resp,
1102                                           struct netr_SamInfo3 **pinfo3)
1103 {
1104         struct auth_usersupplied_info *user_info = NULL;
1105         NTSTATUS status;
1106
1107         status = make_user_info(&user_info, user, user, domain, domain,
1108                                 global_myname(), lm_resp, nt_resp, NULL, NULL,
1109                                 NULL, AUTH_PASSWORD_RESPONSE);
1110         if (!NT_STATUS_IS_OK(status)) {
1111                 DEBUG(10, ("make_user_info failed: %s\n", nt_errstr(status)));
1112                 return status;
1113         }
1114
1115         /* We don't want any more mapping of the username */
1116         user_info->mapped_state = True;
1117
1118         status = check_sam_security_info3(challenge, talloc_tos(), user_info,
1119                                           pinfo3);
1120         free_user_info(&user_info);
1121         DEBUG(10, ("Authenticaticating user %s\\%s returned %s\n", domain,
1122                    user, nt_errstr(status)));
1123         return status;
1124 }
1125
1126 typedef NTSTATUS (*netlogon_fn_t)(struct rpc_pipe_client *cli,
1127                                   TALLOC_CTX *mem_ctx,
1128                                   uint32 logon_parameters,
1129                                   const char *server,
1130                                   const char *username,
1131                                   const char *domain,
1132                                   const char *workstation,
1133                                   const uint8 chal[8],
1134                                   DATA_BLOB lm_response,
1135                                   DATA_BLOB nt_response,
1136                                   struct netr_SamInfo3 **info3);
1137
1138 static NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
1139                                                 struct winbindd_cli_state *state,
1140                                                 struct netr_SamInfo3 **info3)
1141 {
1142
1143         struct rpc_pipe_client *netlogon_pipe;
1144         uchar chal[8];
1145         DATA_BLOB lm_resp;
1146         DATA_BLOB nt_resp;
1147         int attempts = 0;
1148         unsigned char local_lm_response[24];
1149         unsigned char local_nt_response[24];
1150         fstring name_domain, name_user;
1151         bool retry;
1152         NTSTATUS result;
1153         struct netr_SamInfo3 *my_info3 = NULL;
1154
1155         *info3 = NULL;
1156
1157         DEBUG(10,("winbindd_dual_pam_auth_samlogon\n"));
1158
1159         /* Parse domain and username */
1160
1161         parse_domain_user(state->request->data.auth.user, name_domain, name_user);
1162
1163         /* do password magic */
1164
1165         generate_random_buffer(chal, sizeof(chal));
1166
1167         if (lp_client_ntlmv2_auth()) {
1168                 DATA_BLOB server_chal;
1169                 DATA_BLOB names_blob;
1170                 DATA_BLOB nt_response;
1171                 DATA_BLOB lm_response;
1172                 server_chal = data_blob_talloc(state->mem_ctx, chal, 8);
1173
1174                 /* note that the 'workgroup' here is a best guess - we don't know
1175                    the server's domain at this point.  The 'server name' is also
1176                    dodgy...
1177                 */
1178                 names_blob = NTLMv2_generate_names_blob(state->mem_ctx, global_myname(), lp_workgroup());
1179
1180                 if (!SMBNTLMv2encrypt(NULL, name_user, name_domain,
1181                                       state->request->data.auth.pass,
1182                                       &server_chal,
1183                                       &names_blob,
1184                                       &lm_response, &nt_response, NULL, NULL)) {
1185                         data_blob_free(&names_blob);
1186                         data_blob_free(&server_chal);
1187                         DEBUG(0, ("winbindd_pam_auth: SMBNTLMv2encrypt() failed!\n"));
1188                         result = NT_STATUS_NO_MEMORY;
1189                         goto done;
1190                 }
1191                 data_blob_free(&names_blob);
1192                 data_blob_free(&server_chal);
1193                 lm_resp = data_blob_talloc(state->mem_ctx, lm_response.data,
1194                                            lm_response.length);
1195                 nt_resp = data_blob_talloc(state->mem_ctx, nt_response.data,
1196                                            nt_response.length);
1197                 data_blob_free(&lm_response);
1198                 data_blob_free(&nt_response);
1199
1200         } else {
1201                 if (lp_client_lanman_auth()
1202                     && SMBencrypt(state->request->data.auth.pass,
1203                                   chal,
1204                                   local_lm_response)) {
1205                         lm_resp = data_blob_talloc(state->mem_ctx,
1206                                                    local_lm_response,
1207                                                    sizeof(local_lm_response));
1208                 } else {
1209                         lm_resp = data_blob_null;
1210                 }
1211                 SMBNTencrypt(state->request->data.auth.pass,
1212                              chal,
1213                              local_nt_response);
1214
1215                 nt_resp = data_blob_talloc(state->mem_ctx,
1216                                            local_nt_response,
1217                                            sizeof(local_nt_response));
1218         }
1219
1220         if (strequal(name_domain, get_global_sam_name())) {
1221                 DATA_BLOB chal_blob = data_blob_const(chal, sizeof(chal));
1222
1223                 result = winbindd_dual_auth_passdb(
1224                         state->mem_ctx, name_domain, name_user,
1225                         &chal_blob, &lm_resp, &nt_resp, info3);
1226                 goto done;
1227         }
1228
1229         /* check authentication loop */
1230
1231         do {
1232                 netlogon_fn_t logon_fn;
1233
1234                 ZERO_STRUCTP(my_info3);
1235                 retry = false;
1236
1237                 result = cm_connect_netlogon(domain, &netlogon_pipe);
1238
1239                 if (!NT_STATUS_IS_OK(result)) {
1240                         DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
1241                         goto done;
1242                 }
1243
1244                 /* It is really important to try SamLogonEx here,
1245                  * because in a clustered environment, we want to use
1246                  * one machine account from multiple physical
1247                  * computers.
1248                  *
1249                  * With a normal SamLogon call, we must keep the
1250                  * credentials chain updated and intact between all
1251                  * users of the machine account (which would imply
1252                  * cross-node communication for every NTLM logon).
1253                  *
1254                  * (The credentials chain is not per NETLOGON pipe
1255                  * connection, but globally on the server/client pair
1256                  * by machine name).
1257                  *
1258                  * When using SamLogonEx, the credentials are not
1259                  * supplied, but the session key is implied by the
1260                  * wrapping SamLogon context.
1261                  *
1262                  *  -- abartlet 21 April 2008
1263                  */
1264
1265                 logon_fn = domain->can_do_samlogon_ex
1266                         ? rpccli_netlogon_sam_network_logon_ex
1267                         : rpccli_netlogon_sam_network_logon;
1268
1269                 result = logon_fn(netlogon_pipe,
1270                                   state->mem_ctx,
1271                                   0,
1272                                   domain->dcname,         /* server name */
1273                                   name_user,              /* user name */
1274                                   name_domain,            /* target domain */
1275                                   global_myname(),        /* workstation */
1276                                   chal,
1277                                   lm_resp,
1278                                   nt_resp,
1279                                   &my_info3);
1280                 attempts += 1;
1281
1282                 if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR)
1283                     && domain->can_do_samlogon_ex) {
1284                         DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
1285                                   "retrying with NetSamLogon\n"));
1286                         domain->can_do_samlogon_ex = false;
1287                         continue;
1288                 }
1289
1290                 /* We have to try a second time as cm_connect_netlogon
1291                    might not yet have noticed that the DC has killed
1292                    our connection. */
1293
1294                 if (!rpccli_is_connected(netlogon_pipe)) {
1295                         continue;
1296                 }
1297
1298                 /* if we get access denied, a possible cause was that we had
1299                    and open connection to the DC, but someone changed our
1300                    machine account password out from underneath us using 'net
1301                    rpc changetrustpw' */
1302
1303                 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1304                         DEBUG(3,("winbindd_pam_auth: sam_logon returned "
1305                                  "ACCESS_DENIED.  Maybe the trust account "
1306                                 "password was changed and we didn't know it. "
1307                                  "Killing connections to domain %s\n",
1308                                 name_domain));
1309                         invalidate_cm_connection(&domain->conn);
1310                         retry = true;
1311                 }
1312
1313         } while ( (attempts < 2) && retry );
1314
1315         /* handle the case where a NT4 DC does not fill in the acct_flags in
1316          * the samlogon reply info3. When accurate info3 is required by the
1317          * caller, we look up the account flags ourselve - gd */
1318
1319         if ((state->request->flags & WBFLAG_PAM_INFO3_TEXT) &&
1320             NT_STATUS_IS_OK(result) && (my_info3->base.acct_flags == 0)) {
1321
1322                 struct rpc_pipe_client *samr_pipe;
1323                 struct policy_handle samr_domain_handle, user_pol;
1324                 union samr_UserInfo *info = NULL;
1325                 NTSTATUS status_tmp;
1326                 uint32 acct_flags;
1327
1328                 status_tmp = cm_connect_sam(domain, state->mem_ctx,
1329                                             &samr_pipe, &samr_domain_handle);
1330
1331                 if (!NT_STATUS_IS_OK(status_tmp)) {
1332                         DEBUG(3, ("could not open handle to SAMR pipe: %s\n",
1333                                 nt_errstr(status_tmp)));
1334                         goto done;
1335                 }
1336
1337                 status_tmp = rpccli_samr_OpenUser(samr_pipe, state->mem_ctx,
1338                                                   &samr_domain_handle,
1339                                                   MAXIMUM_ALLOWED_ACCESS,
1340                                                   my_info3->base.rid,
1341                                                   &user_pol);
1342
1343                 if (!NT_STATUS_IS_OK(status_tmp)) {
1344                         DEBUG(3, ("could not open user handle on SAMR pipe: %s\n",
1345                                 nt_errstr(status_tmp)));
1346                         goto done;
1347                 }
1348
1349                 status_tmp = rpccli_samr_QueryUserInfo(samr_pipe, state->mem_ctx,
1350                                                        &user_pol,
1351                                                        16,
1352                                                        &info);
1353
1354                 if (!NT_STATUS_IS_OK(status_tmp)) {
1355                         DEBUG(3, ("could not query user info on SAMR pipe: %s\n",
1356                                 nt_errstr(status_tmp)));
1357                         rpccli_samr_Close(samr_pipe, state->mem_ctx, &user_pol);
1358                         goto done;
1359                 }
1360
1361                 acct_flags = info->info16.acct_flags;
1362
1363                 if (acct_flags == 0) {
1364                         rpccli_samr_Close(samr_pipe, state->mem_ctx, &user_pol);
1365                         goto done;
1366                 }
1367
1368                 my_info3->base.acct_flags = acct_flags;
1369
1370                 DEBUG(10,("successfully retrieved acct_flags 0x%x\n", acct_flags));
1371
1372                 rpccli_samr_Close(samr_pipe, state->mem_ctx, &user_pol);
1373         }
1374
1375         *info3 = my_info3;
1376 done:
1377         return result;
1378 }
1379
1380 enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
1381                                             struct winbindd_cli_state *state)
1382 {
1383         NTSTATUS result = NT_STATUS_LOGON_FAILURE;
1384         NTSTATUS krb5_result = NT_STATUS_OK;
1385         fstring name_domain, name_user;
1386         char *mapped_user;
1387         fstring domain_user;
1388         struct netr_SamInfo3 *info3 = NULL;
1389         NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
1390
1391         /* Ensure null termination */
1392         state->request->data.auth.user[sizeof(state->request->data.auth.user)-1]='\0';
1393
1394         /* Ensure null termination */
1395         state->request->data.auth.pass[sizeof(state->request->data.auth.pass)-1]='\0';
1396
1397         DEBUG(3, ("[%5lu]: dual pam auth %s\n", (unsigned long)state->pid,
1398                   state->request->data.auth.user));
1399
1400         /* Parse domain and username */
1401
1402         name_map_status = normalize_name_unmap(state->mem_ctx,
1403                                                state->request->data.auth.user,
1404                                                &mapped_user);
1405
1406         /* If the name normalization didnt' actually do anything,
1407            just use the original name */
1408
1409         if (!NT_STATUS_IS_OK(name_map_status) &&
1410             !NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
1411         {
1412                 mapped_user = state->request->data.auth.user;
1413         }
1414
1415         parse_domain_user(mapped_user, name_domain, name_user);
1416
1417         if ( mapped_user != state->request->data.auth.user ) {
1418                 fstr_sprintf( domain_user, "%s%c%s", name_domain,
1419                         *lp_winbind_separator(),
1420                         name_user );
1421                 safe_strcpy( state->request->data.auth.user, domain_user,
1422                              sizeof(state->request->data.auth.user)-1 );
1423         }
1424
1425         if (!domain->online) {
1426                 result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
1427                 if (domain->startup) {
1428                         /* Logons are very important to users. If we're offline and
1429                            we get a request within the first 30 seconds of startup,
1430                            try very hard to find a DC and go online. */
1431
1432                         DEBUG(10,("winbindd_dual_pam_auth: domain: %s offline and auth "
1433                                 "request in startup mode.\n", domain->name ));
1434
1435                         winbindd_flush_negative_conn_cache(domain);
1436                         result = init_dc_connection(domain);
1437                 }
1438         }
1439
1440         DEBUG(10,("winbindd_dual_pam_auth: domain: %s last was %s\n", domain->name, domain->online ? "online":"offline"));
1441
1442         /* Check for Kerberos authentication */
1443         if (domain->online && (state->request->flags & WBFLAG_PAM_KRB5)) {
1444
1445                 result = winbindd_dual_pam_auth_kerberos(domain, state, &info3);
1446                 /* save for later */
1447                 krb5_result = result;
1448
1449
1450                 if (NT_STATUS_IS_OK(result)) {
1451                         DEBUG(10,("winbindd_dual_pam_auth_kerberos succeeded\n"));
1452                         goto process_result;
1453                 } else {
1454                         DEBUG(10,("winbindd_dual_pam_auth_kerberos failed: %s\n", nt_errstr(result)));
1455                 }
1456
1457                 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
1458                     NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
1459                     NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1460                         DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
1461                         set_domain_offline( domain );
1462                         goto cached_logon;
1463                 }
1464
1465                 /* there are quite some NT_STATUS errors where there is no
1466                  * point in retrying with a samlogon, we explictly have to take
1467                  * care not to increase the bad logon counter on the DC */
1468
1469                 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_DISABLED) ||
1470                     NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_EXPIRED) ||
1471                     NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_LOCKED_OUT) ||
1472                     NT_STATUS_EQUAL(result, NT_STATUS_INVALID_LOGON_HOURS) ||
1473                     NT_STATUS_EQUAL(result, NT_STATUS_INVALID_WORKSTATION) ||
1474                     NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE) ||
1475                     NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER) ||
1476                     NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_EXPIRED) ||
1477                     NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE) ||
1478                     NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD)) {
1479                         goto done;
1480                 }
1481
1482                 if (state->request->flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
1483                         DEBUG(3,("falling back to samlogon\n"));
1484                         goto sam_logon;
1485                 } else {
1486                         goto cached_logon;
1487                 }
1488         }
1489
1490 sam_logon:
1491         /* Check for Samlogon authentication */
1492         if (domain->online) {
1493                 result = winbindd_dual_pam_auth_samlogon(domain, state, &info3);
1494
1495                 if (NT_STATUS_IS_OK(result)) {
1496                         DEBUG(10,("winbindd_dual_pam_auth_samlogon succeeded\n"));
1497                         /* add the Krb5 err if we have one */
1498                         if ( NT_STATUS_EQUAL(krb5_result, NT_STATUS_TIME_DIFFERENCE_AT_DC ) ) {
1499                                 info3->base.user_flags |= LOGON_KRB5_FAIL_CLOCK_SKEW;
1500                         }
1501                         goto process_result;
1502                 }
1503
1504                 DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n",
1505                           nt_errstr(result)));
1506
1507                 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
1508                     NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
1509                     NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND))
1510                 {
1511                         DEBUG(10,("winbindd_dual_pam_auth_samlogon setting domain to offline\n"));
1512                         set_domain_offline( domain );
1513                         goto cached_logon;
1514                 }
1515
1516                         if (domain->online) {
1517                                 /* We're still online - fail. */
1518                                 goto done;
1519                         }
1520         }
1521
1522 cached_logon:
1523         /* Check for Cached logons */
1524         if (!domain->online && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN) &&
1525             lp_winbind_offline_logon()) {
1526
1527                 result = winbindd_dual_pam_auth_cached(domain, state, &info3);
1528
1529                 if (NT_STATUS_IS_OK(result)) {
1530                         DEBUG(10,("winbindd_dual_pam_auth_cached succeeded\n"));
1531                         goto process_result;
1532                 } else {
1533                         DEBUG(10,("winbindd_dual_pam_auth_cached failed: %s\n", nt_errstr(result)));
1534                         goto done;
1535                 }
1536         }
1537
1538 process_result:
1539
1540         if (NT_STATUS_IS_OK(result)) {
1541
1542                 struct dom_sid user_sid;
1543
1544                 /* In all codepaths where result == NT_STATUS_OK info3 must have
1545                    been initialized. */
1546                 if (!info3) {
1547                         result = NT_STATUS_INTERNAL_ERROR;
1548                         goto done;
1549                 }
1550
1551                 wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
1552                 netsamlogon_cache_store(name_user, info3);
1553
1554                 /* save name_to_sid info as early as possible (only if
1555                    this is our primary domain so we don't invalidate
1556                    the cache entry by storing the seq_num for the wrong
1557                    domain). */
1558                 if ( domain->primary ) {
1559                         sid_compose(&user_sid, info3->base.domain_sid,
1560                                     info3->base.rid);
1561                         cache_name2sid(domain, name_domain, name_user,
1562                                        SID_NAME_USER, &user_sid);
1563                 }
1564
1565                 /* Check if the user is in the right group */
1566
1567                 result = check_info3_in_group(
1568                         info3,
1569                         state->request->data.auth.require_membership_of_sid);
1570                 if (!NT_STATUS_IS_OK(result)) {
1571                         DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
1572                                   state->request->data.auth.user,
1573                                   state->request->data.auth.require_membership_of_sid));
1574                         goto done;
1575                 }
1576
1577                 result = append_auth_data(state->mem_ctx, state->response,
1578                                           state->request->flags, info3,
1579                                           name_domain, name_user);
1580                 if (!NT_STATUS_IS_OK(result)) {
1581                         goto done;
1582                 }
1583
1584                 if ((state->request->flags & WBFLAG_PAM_CACHED_LOGIN)
1585                     && lp_winbind_offline_logon()) {
1586
1587                         result = winbindd_store_creds(domain,
1588                                                       state->request->data.auth.user,
1589                                                       state->request->data.auth.pass,
1590                                                       info3);
1591                 }
1592
1593                 if (state->request->flags & WBFLAG_PAM_GET_PWD_POLICY) {
1594                         struct winbindd_domain *our_domain = find_our_domain();
1595
1596                         /* This is not entirely correct I believe, but it is
1597                            consistent.  Only apply the password policy settings
1598                            too warn users for our own domain.  Cannot obtain these
1599                            from trusted DCs all the  time so don't do it at all.
1600                            -- jerry */
1601
1602                         result = NT_STATUS_NOT_SUPPORTED;
1603                         if (our_domain == domain ) {
1604                                 result = fillup_password_policy(our_domain, state);
1605                         }
1606
1607                         if (!NT_STATUS_IS_OK(result)
1608                             && !NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) )
1609                         {
1610                                 DEBUG(10,("Failed to get password policies for domain %s: %s\n",
1611                                           domain->name, nt_errstr(result)));
1612                                 goto done;
1613                         }
1614                 }
1615
1616                 result = NT_STATUS_OK;
1617         }
1618
1619 done:
1620         /* give us a more useful (more correct?) error code */
1621         if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
1622             (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
1623                 result = NT_STATUS_NO_LOGON_SERVERS;
1624         }
1625
1626         set_auth_errors(state->response, result);
1627
1628         DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n",
1629               state->request->data.auth.user,
1630               state->response->data.auth.nt_status_string,
1631               state->response->data.auth.pam_error));
1632
1633         return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1634 }
1635
1636 enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
1637                                                  struct winbindd_cli_state *state)
1638 {
1639         NTSTATUS result;
1640         struct netr_SamInfo3 *info3 = NULL;
1641         struct rpc_pipe_client *netlogon_pipe;
1642         const char *name_user = NULL;
1643         const char *name_domain = NULL;
1644         const char *workstation;
1645         int attempts = 0;
1646         bool retry;
1647
1648         DATA_BLOB lm_resp, nt_resp;
1649
1650         /* This is child-only, so no check for privileged access is needed
1651            anymore */
1652
1653         /* Ensure null termination */
1654         state->request->data.auth_crap.user[sizeof(state->request->data.auth_crap.user)-1]=0;
1655         state->request->data.auth_crap.domain[sizeof(state->request->data.auth_crap.domain)-1]=0;
1656
1657         name_user = state->request->data.auth_crap.user;
1658         name_domain = state->request->data.auth_crap.domain;
1659         workstation = state->request->data.auth_crap.workstation;
1660
1661         DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
1662                   name_domain, name_user));
1663
1664         if (state->request->data.auth_crap.lm_resp_len > sizeof(state->request->data.auth_crap.lm_resp)
1665                 || state->request->data.auth_crap.nt_resp_len > sizeof(state->request->data.auth_crap.nt_resp)) {
1666                 if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
1667                      state->request->extra_len != state->request->data.auth_crap.nt_resp_len) {
1668                         DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
1669                                   state->request->data.auth_crap.lm_resp_len,
1670                                   state->request->data.auth_crap.nt_resp_len));
1671                         result = NT_STATUS_INVALID_PARAMETER;
1672                         goto done;
1673                 }
1674         }
1675
1676         lm_resp = data_blob_talloc(state->mem_ctx, state->request->data.auth_crap.lm_resp,
1677                                         state->request->data.auth_crap.lm_resp_len);
1678
1679         if (state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) {
1680                 nt_resp = data_blob_talloc(state->mem_ctx,
1681                                            state->request->extra_data.data,
1682                                            state->request->data.auth_crap.nt_resp_len);
1683         } else {
1684                 nt_resp = data_blob_talloc(state->mem_ctx,
1685                                            state->request->data.auth_crap.nt_resp,
1686                                            state->request->data.auth_crap.nt_resp_len);
1687         }
1688
1689         if (strequal(name_domain, get_global_sam_name())) {
1690                 DATA_BLOB chal_blob = data_blob_const(
1691                         state->request->data.auth_crap.chal,
1692                         sizeof(state->request->data.auth_crap.chal));
1693
1694                 result = winbindd_dual_auth_passdb(
1695                         state->mem_ctx, name_domain, name_user,
1696                         &chal_blob, &lm_resp, &nt_resp, &info3);
1697                 goto process_result;
1698         }
1699
1700         do {
1701                 netlogon_fn_t logon_fn;
1702
1703                 retry = false;
1704
1705                 netlogon_pipe = NULL;
1706                 result = cm_connect_netlogon(domain, &netlogon_pipe);
1707
1708                 if (!NT_STATUS_IS_OK(result)) {
1709                         DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n",
1710                                   nt_errstr(result)));
1711                         goto done;
1712                 }
1713
1714                 logon_fn = domain->can_do_samlogon_ex
1715                         ? rpccli_netlogon_sam_network_logon_ex
1716                         : rpccli_netlogon_sam_network_logon;
1717
1718                 result = logon_fn(netlogon_pipe,
1719                                   state->mem_ctx,
1720                                   state->request->data.auth_crap.logon_parameters,
1721                                   domain->dcname,
1722                                   name_user,
1723                                   name_domain,
1724                                   /* Bug #3248 - found by Stefan Burkei. */
1725                                   workstation, /* We carefully set this above so use it... */
1726                                   state->request->data.auth_crap.chal,
1727                                   lm_resp,
1728                                   nt_resp,
1729                                   &info3);
1730
1731                 if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR)
1732                     && domain->can_do_samlogon_ex) {
1733                         DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
1734                                   "retrying with NetSamLogon\n"));
1735                         domain->can_do_samlogon_ex = false;
1736                         continue;
1737                 }
1738
1739                 attempts += 1;
1740
1741                 /* We have to try a second time as cm_connect_netlogon
1742                    might not yet have noticed that the DC has killed
1743                    our connection. */
1744
1745                 if (!rpccli_is_connected(netlogon_pipe)) {
1746                         continue;
1747                 }
1748
1749                 /* if we get access denied, a possible cause was that we had and open
1750                    connection to the DC, but someone changed our machine account password
1751                    out from underneath us using 'net rpc changetrustpw' */
1752
1753                 if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
1754                         DEBUG(3,("winbindd_pam_auth: sam_logon returned "
1755                                  "ACCESS_DENIED.  Maybe the trust account "
1756                                 "password was changed and we didn't know it. "
1757                                  "Killing connections to domain %s\n",
1758                                 name_domain));
1759                         invalidate_cm_connection(&domain->conn);
1760                         retry = true;
1761                 }
1762
1763         } while ( (attempts < 2) && retry );
1764
1765 process_result:
1766
1767         if (NT_STATUS_IS_OK(result)) {
1768
1769                 wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
1770                 netsamlogon_cache_store(name_user, info3);
1771
1772                 /* Check if the user is in the right group */
1773
1774                 result = check_info3_in_group(
1775                         info3,
1776                         state->request->data.auth_crap.require_membership_of_sid);
1777                 if (!NT_STATUS_IS_OK(result)) {
1778                         DEBUG(3, ("User %s is not in the required group (%s), so "
1779                                   "crap authentication is rejected\n",
1780                                   state->request->data.auth_crap.user,
1781                                   state->request->data.auth_crap.require_membership_of_sid));
1782                         goto done;
1783                 }
1784
1785                 result = append_auth_data(state->mem_ctx, state->response,
1786                                           state->request->flags, info3,
1787                                           name_domain, name_user);
1788                 if (!NT_STATUS_IS_OK(result)) {
1789                         goto done;
1790                 }
1791         }
1792
1793 done:
1794
1795         /* give us a more useful (more correct?) error code */
1796         if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
1797             (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
1798                 result = NT_STATUS_NO_LOGON_SERVERS;
1799         }
1800
1801         if (state->request->flags & WBFLAG_PAM_NT_STATUS_SQUASH) {
1802                 result = nt_status_squash(result);
1803         }
1804
1805         set_auth_errors(state->response, result);
1806
1807         DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
1808               ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n",
1809                name_domain,
1810                name_user,
1811                state->response->data.auth.nt_status_string,
1812                state->response->data.auth.pam_error));
1813
1814         return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1815 }
1816
1817 enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact_domain,
1818                                                  struct winbindd_cli_state *state)
1819 {
1820         char *oldpass;
1821         char *newpass = NULL;
1822         struct policy_handle dom_pol;
1823         struct rpc_pipe_client *cli = NULL;
1824         bool got_info = false;
1825         struct samr_DomInfo1 *info = NULL;
1826         struct userPwdChangeFailureInformation *reject = NULL;
1827         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1828         fstring domain, user;
1829
1830         ZERO_STRUCT(dom_pol);
1831
1832         DEBUG(3, ("[%5lu]: dual pam chauthtok %s\n", (unsigned long)state->pid,
1833                   state->request->data.auth.user));
1834
1835         if (!parse_domain_user(state->request->data.chauthtok.user, domain, user)) {
1836                 goto done;
1837         }
1838
1839         /* Change password */
1840
1841         oldpass = state->request->data.chauthtok.oldpass;
1842         newpass = state->request->data.chauthtok.newpass;
1843
1844         /* Initialize reject reason */
1845         state->response->data.auth.reject_reason = Undefined;
1846
1847         /* Get sam handle */
1848
1849         result = cm_connect_sam(contact_domain, state->mem_ctx, &cli,
1850                                 &dom_pol);
1851         if (!NT_STATUS_IS_OK(result)) {
1852                 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
1853                 goto done;
1854         }
1855
1856         result = rpccli_samr_chgpasswd_user3(cli, state->mem_ctx,
1857                                              user,
1858                                              newpass,
1859                                              oldpass,
1860                                              &info,
1861                                              &reject);
1862
1863         /* Windows 2003 returns NT_STATUS_PASSWORD_RESTRICTION */
1864
1865         if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) ) {
1866
1867                 fill_in_password_policy(state->response, info);
1868
1869                 state->response->data.auth.reject_reason =
1870                         reject->extendedFailureReason;
1871
1872                 got_info = true;
1873         }
1874
1875         /* atm the pidl generated rpccli_samr_ChangePasswordUser3 function will
1876          * return with NT_STATUS_BUFFER_TOO_SMALL for w2k dcs as w2k just
1877          * returns with 4byte error code (NT_STATUS_NOT_SUPPORTED) which is too
1878          * short to comply with the samr_ChangePasswordUser3 idl - gd */
1879
1880         /* only fallback when the chgpasswd_user3 call is not supported */
1881         if ((NT_STATUS_EQUAL(result, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR))) ||
1882                    (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) ||
1883                    (NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL)) ||
1884                    (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED))) {
1885
1886                 DEBUG(10,("Password change with chgpasswd_user3 failed with: %s, retrying chgpasswd_user2\n",
1887                         nt_errstr(result)));
1888
1889                 result = rpccli_samr_chgpasswd_user2(cli, state->mem_ctx, user, newpass, oldpass);
1890
1891                 /* Windows 2000 returns NT_STATUS_ACCOUNT_RESTRICTION.
1892                    Map to the same status code as Windows 2003. */
1893
1894                 if ( NT_STATUS_EQUAL(NT_STATUS_ACCOUNT_RESTRICTION, result ) ) {
1895                         result = NT_STATUS_PASSWORD_RESTRICTION;
1896                 }
1897         }
1898
1899 done:
1900
1901         if (NT_STATUS_IS_OK(result)
1902             && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN)
1903             && lp_winbind_offline_logon()) {
1904                 result = winbindd_update_creds_by_name(contact_domain, user,
1905                                                        newpass);
1906                 /* Again, this happens when we login from gdm or xdm
1907                  * and the password expires, *BUT* cached crendentials
1908                  * doesn't exist. winbindd_update_creds_by_name()
1909                  * returns NT_STATUS_NO_SUCH_USER.
1910                  * This is not a failure.
1911                  * --- BoYang
1912                  * */
1913                 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
1914                         result = NT_STATUS_OK;
1915                 }
1916
1917                 if (!NT_STATUS_IS_OK(result)) {
1918                         DEBUG(10, ("Failed to store creds: %s\n",
1919                                    nt_errstr(result)));
1920                         goto process_result;
1921                 }
1922         }
1923
1924         if (!NT_STATUS_IS_OK(result) && !got_info && contact_domain) {
1925
1926                 NTSTATUS policy_ret;
1927
1928                 policy_ret = fillup_password_policy(contact_domain, state);
1929
1930                 /* failure of this is non critical, it will just provide no
1931                  * additional information to the client why the change has
1932                  * failed - Guenther */
1933
1934                 if (!NT_STATUS_IS_OK(policy_ret)) {
1935                         DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(policy_ret)));
1936                         goto process_result;
1937                 }
1938         }
1939
1940 process_result:
1941
1942         if (strequal(contact_domain->name, get_global_sam_name())) {
1943                 /* FIXME: internal rpc pipe does not cache handles yet */
1944                 if (cli) {
1945                         if (is_valid_policy_hnd(&dom_pol)) {
1946                                 rpccli_samr_Close(cli, state->mem_ctx, &dom_pol);
1947                         }
1948                         TALLOC_FREE(cli);
1949                 }
1950         }
1951
1952         set_auth_errors(state->response, result);
1953
1954         DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
1955               ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
1956                domain,
1957                user,
1958                state->response->data.auth.nt_status_string,
1959                state->response->data.auth.pam_error));
1960
1961         return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
1962 }
1963
1964 enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
1965                                               struct winbindd_cli_state *state)
1966 {
1967         NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
1968
1969         DEBUG(3, ("[%5lu]: pam dual logoff %s\n", (unsigned long)state->pid,
1970                 state->request->data.logoff.user));
1971
1972         if (!(state->request->flags & WBFLAG_PAM_KRB5)) {
1973                 result = NT_STATUS_OK;
1974                 goto process_result;
1975         }
1976
1977         if (state->request->data.logoff.krb5ccname[0] == '\0') {
1978                 result = NT_STATUS_OK;
1979                 goto process_result;
1980         }
1981
1982 #ifdef HAVE_KRB5
1983
1984         if (state->request->data.logoff.uid < 0) {
1985                 DEBUG(0,("winbindd_pam_logoff: invalid uid\n"));
1986                 goto process_result;
1987         }
1988
1989         /* what we need here is to find the corresponding krb5 ccache name *we*
1990          * created for a given username and destroy it */
1991
1992         if (!ccache_entry_exists(state->request->data.logoff.user)) {
1993                 result = NT_STATUS_OK;
1994                 DEBUG(10,("winbindd_pam_logoff: no entry found.\n"));
1995                 goto process_result;
1996         }
1997
1998         if (!ccache_entry_identical(state->request->data.logoff.user,
1999                                         state->request->data.logoff.uid,
2000                                         state->request->data.logoff.krb5ccname)) {
2001                 DEBUG(0,("winbindd_pam_logoff: cached entry differs.\n"));
2002                 goto process_result;
2003         }
2004
2005         result = remove_ccache(state->request->data.logoff.user);
2006         if (!NT_STATUS_IS_OK(result)) {
2007                 DEBUG(0,("winbindd_pam_logoff: failed to remove ccache: %s\n",
2008                         nt_errstr(result)));
2009                 goto process_result;
2010         }
2011
2012 #else
2013         result = NT_STATUS_NOT_SUPPORTED;
2014 #endif
2015
2016 process_result:
2017
2018
2019         set_auth_errors(state->response, result);
2020
2021         return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2022 }
2023
2024 /* Change user password with auth crap*/
2025
2026 enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domain *domainSt, struct winbindd_cli_state *state)
2027 {
2028         NTSTATUS result;
2029         DATA_BLOB new_nt_password;
2030         DATA_BLOB old_nt_hash_enc;
2031         DATA_BLOB new_lm_password;
2032         DATA_BLOB old_lm_hash_enc;
2033         fstring  domain,user;
2034         struct policy_handle dom_pol;
2035         struct winbindd_domain *contact_domain = domainSt;
2036         struct rpc_pipe_client *cli = NULL;
2037
2038         ZERO_STRUCT(dom_pol);
2039
2040         /* Ensure null termination */
2041         state->request->data.chng_pswd_auth_crap.user[
2042                 sizeof(state->request->data.chng_pswd_auth_crap.user)-1]=0;
2043         state->request->data.chng_pswd_auth_crap.domain[
2044                 sizeof(state->request->data.chng_pswd_auth_crap.domain)-1]=0;
2045         *domain = 0;
2046         *user = 0;
2047
2048         DEBUG(3, ("[%5lu]: pam change pswd auth crap domain: %s user: %s\n",
2049                   (unsigned long)state->pid,
2050                   state->request->data.chng_pswd_auth_crap.domain,
2051                   state->request->data.chng_pswd_auth_crap.user));
2052
2053         if (lp_winbind_offline_logon()) {
2054                 DEBUG(0,("Refusing password change as winbind offline logons are enabled. "));
2055                 DEBUGADD(0,("Changing passwords here would risk inconsistent logons\n"));
2056                 result = NT_STATUS_ACCESS_DENIED;
2057                 goto done;
2058         }
2059
2060         if (*state->request->data.chng_pswd_auth_crap.domain) {
2061                 fstrcpy(domain,state->request->data.chng_pswd_auth_crap.domain);
2062         } else {
2063                 parse_domain_user(state->request->data.chng_pswd_auth_crap.user,
2064                                   domain, user);
2065
2066                 if(!*domain) {
2067                         DEBUG(3,("no domain specified with username (%s) - "
2068                                  "failing auth\n",
2069                                  state->request->data.chng_pswd_auth_crap.user));
2070                         result = NT_STATUS_NO_SUCH_USER;
2071                         goto done;
2072                 }
2073         }
2074
2075         if (!*domain && lp_winbind_use_default_domain()) {
2076                 fstrcpy(domain,(char *)lp_workgroup());
2077         }
2078
2079         if(!*user) {
2080                 fstrcpy(user, state->request->data.chng_pswd_auth_crap.user);
2081         }
2082
2083         DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n",
2084                   (unsigned long)state->pid, domain, user));
2085
2086         /* Change password */
2087         new_nt_password = data_blob_const(
2088                 state->request->data.chng_pswd_auth_crap.new_nt_pswd,
2089                 state->request->data.chng_pswd_auth_crap.new_nt_pswd_len);
2090
2091         old_nt_hash_enc = data_blob_const(
2092                 state->request->data.chng_pswd_auth_crap.old_nt_hash_enc,
2093                 state->request->data.chng_pswd_auth_crap.old_nt_hash_enc_len);
2094
2095         if(state->request->data.chng_pswd_auth_crap.new_lm_pswd_len > 0)        {
2096                 new_lm_password = data_blob_const(
2097                         state->request->data.chng_pswd_auth_crap.new_lm_pswd,
2098                         state->request->data.chng_pswd_auth_crap.new_lm_pswd_len);
2099
2100                 old_lm_hash_enc = data_blob_const(
2101                         state->request->data.chng_pswd_auth_crap.old_lm_hash_enc,
2102                         state->request->data.chng_pswd_auth_crap.old_lm_hash_enc_len);
2103         } else {
2104                 new_lm_password.length = 0;
2105                 old_lm_hash_enc.length = 0;
2106         }
2107
2108         /* Get sam handle */
2109
2110         result = cm_connect_sam(contact_domain, state->mem_ctx, &cli, &dom_pol);
2111         if (!NT_STATUS_IS_OK(result)) {
2112                 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
2113                 goto done;
2114         }
2115
2116         result = rpccli_samr_chng_pswd_auth_crap(
2117                 cli, state->mem_ctx, user, new_nt_password, old_nt_hash_enc,
2118                 new_lm_password, old_lm_hash_enc);
2119
2120  done:
2121
2122         if (strequal(contact_domain->name, get_global_sam_name())) {
2123                 /* FIXME: internal rpc pipe does not cache handles yet */
2124                 if (cli) {
2125                         if (is_valid_policy_hnd(&dom_pol)) {
2126                                 rpccli_samr_Close(cli, state->mem_ctx, &dom_pol);
2127                         }
2128                         TALLOC_FREE(cli);
2129                 }
2130         }
2131
2132         set_auth_errors(state->response, result);
2133
2134         DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
2135               ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n",
2136                domain, user,
2137                state->response->data.auth.nt_status_string,
2138                state->response->data.auth.pam_error));
2139
2140         return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
2141 }