This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
-/** List of various built-in authentication modules */
-
-static const struct auth_init_function_entry builtin_auth_init_functions[] = {
- { "guest", auth_init_guest },
- { "rhosts", auth_init_rhosts },
- { "hostsequiv", auth_init_hostsequiv },
- { "sam", auth_init_sam },
- { "samstrict", auth_init_samstrict },
- { "unix", auth_init_unix },
- { "smbserver", auth_init_smbserver },
- { "ntdomain", auth_init_ntdomain },
- { "trustdomain", auth_init_trustdomain },
- { "winbind", auth_init_winbind },
-#ifdef DEVELOPER
- { "name_to_ntstatus", auth_init_name_to_ntstatus },
- { "fixed_challenge", auth_init_fixed_challenge },
-#endif
- { "plugin", auth_init_plugin },
- { NULL, NULL}
-};
+static_decl_auth;
+
+static struct auth_init_function_entry *backends = NULL;
+
+static struct auth_init_function_entry *auth_find_backend_entry(const char *name);
+
+NTSTATUS smb_register_auth(int version, const char *name, auth_init_function init)
+{
+ struct auth_init_function_entry *entry = backends;
+
+ if (version != AUTH_INTERFACE_VERSION) {
+ DEBUG(0,("Can't register auth_method!\n"
+ "You tried to register an auth module with AUTH_INTERFACE_VERSION %d, while this version of samba uses %d\n",
+ version,AUTH_INTERFACE_VERSION));
+ return NT_STATUS_OBJECT_TYPE_MISMATCH;
+ }
+
+ if (!name || !init) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ DEBUG(5,("Attempting to register auth backend %s\n", name));
+
+ if (auth_find_backend_entry(name)) {
+ DEBUG(0,("There already is an auth method registered with the name %s!\n", name));
+ return NT_STATUS_OBJECT_NAME_COLLISION;
+ }
+
+ entry = SMB_XMALLOC_P(struct auth_init_function_entry);
+ entry->name = smb_xstrdup(name);
+ entry->init = init;
+
+ DLIST_ADD(backends, entry);
+ DEBUG(5,("Successfully added auth method '%s'\n", name));
+ return NT_STATUS_OK;
+}
+
+static struct auth_init_function_entry *auth_find_backend_entry(const char *name)
+{
+ struct auth_init_function_entry *entry = backends;
+
+ while(entry) {
+ if (strcmp(entry->name, name)==0) return entry;
+ entry = entry->next;
+ }
+
+ return NULL;
+}
/****************************************************************************
Try to get a challenge out of the various authentication modules.
static const uint8 *get_ntlm_challenge(struct auth_context *auth_context)
{
- DATA_BLOB challenge = data_blob(NULL, 0);
+ DATA_BLOB challenge = data_blob_null;
const char *challenge_set_by = NULL;
auth_methods *auth_method;
TALLOC_CTX *mem_ctx;
return auth_context->challenge.data;
}
+ auth_context->challenge_may_be_modified = False;
+
for (auth_method = auth_context->auth_method_list; auth_method; auth_method = auth_method->next) {
if (auth_method->get_chal == NULL) {
DEBUG(5, ("auth_get_challenge: module %s did not want to specify a challenge\n", auth_method->name));
DEBUG(3, ("auth_get_challenge: getting challenge from authentication method %s FAILED.\n",
auth_method->name));
} else {
- DEBUG(5, ("auth_get_challenge: sucessfully got challenge from module %s\n", auth_method->name));
+ DEBUG(5, ("auth_get_challenge: successfully got challenge from module %s\n", auth_method->name));
auth_context->challenge = challenge;
challenge_set_by = auth_method->name;
auth_context->challenge_set_method = auth_method;
if (!challenge_set_by) {
uchar chal[8];
- generate_random_buffer(chal, sizeof(chal), False);
+ generate_random_buffer(chal, sizeof(chal));
auth_context->challenge = data_blob_talloc(auth_context->mem_ctx,
chal, sizeof(chal));
challenge_set_by = "random";
+ auth_context->challenge_may_be_modified = True;
}
DEBUG(5, ("auth_context challenge created by %s\n", challenge_set_by));
* False otherwise.
**/
-static BOOL check_domain_match(const char *user, const char *domain)
+static bool check_domain_match(const char *user, const char *domain)
{
/*
* If we aren't serving to trusted domains, we must make sure that
* function auth_get_challenge().
*
* @param server_info If successful, contains information about the authentication,
- * including a SAM_ACCOUNT struct describing the user.
+ * including a struct samu struct describing the user.
*
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
*
const struct auth_usersupplied_info *user_info,
struct auth_serversupplied_info **server_info)
{
-
- NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
- const char *pdb_username;
+ /* if all the modules say 'not for me' this is reasonable */
+ NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
+ const char *unix_username;
auth_methods *auth_method;
TALLOC_CTX *mem_ctx;
return NT_STATUS_LOGON_FAILURE;
DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
- user_info->client_domain.str, user_info->smb_name.str, user_info->wksta_name.str));
+ user_info->client_domain, user_info->smb_name, user_info->wksta_name));
DEBUG(3, ("check_ntlm_password: mapped user is: [%s]\\[%s]@[%s]\n",
- user_info->domain.str, user_info->internal_username.str, user_info->wksta_name.str));
+ user_info->domain, user_info->internal_username, user_info->wksta_name));
if (auth_context->challenge.length != 8) {
DEBUG(0, ("check_ntlm_password: Invalid challenge stored for this auth context - cannot continue\n"));
#ifdef DEBUG_PASSWORD
DEBUG(100, ("user_info has passwords of length %d and %d\n",
- user_info->lm_resp.length, user_info->nt_resp.length));
+ (int)user_info->lm_resp.length, (int)user_info->nt_resp.length));
DEBUG(100, ("lm:\n"));
dump_data(100, user_info->lm_resp.data, user_info->lm_resp.length);
DEBUG(100, ("nt:\n"));
#endif
/* This needs to be sorted: If it doesn't match, what should we do? */
- if (!check_domain_match(user_info->smb_name.str, user_info->domain.str))
+ if (!check_domain_match(user_info->smb_name, user_info->domain))
return NT_STATUS_LOGON_FAILURE;
for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) {
+ NTSTATUS result;
+
mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name,
- user_info->domain.str, user_info->smb_name.str);
+ user_info->domain, user_info->smb_name);
+
+ result = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info);
+
+ /* check if the module did anything */
+ if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) {
+ DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name));
+ talloc_destroy(mem_ctx);
+ continue;
+ }
+
+ nt_status = result;
- nt_status = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info);
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(3, ("check_ntlm_password: %s authentication for user [%s] suceeded\n",
- auth_method->name, user_info->smb_name.str));
+ DEBUG(3, ("check_ntlm_password: %s authentication for user [%s] succeeded\n",
+ auth_method->name, user_info->smb_name));
} else {
DEBUG(5, ("check_ntlm_password: %s authentication for user [%s] FAILED with error %s\n",
- auth_method->name, user_info->smb_name.str, nt_errstr(nt_status)));
+ auth_method->name, user_info->smb_name, nt_errstr(nt_status)));
}
talloc_destroy(mem_ctx);
- if (NT_STATUS_IS_OK(nt_status))
- break;
+ if ( NT_STATUS_IS_OK(nt_status))
+ {
+ break;
+ }
}
- /* This is one of the few places the *relies* (rather than just sets defaults
- on the value of lp_security(). This needs to change. A new paramater
- perhaps? */
- if (lp_security() >= SEC_SERVER)
- smb_user_control(user_info, *server_info, nt_status);
-
+ /* successful authentication */
+
if (NT_STATUS_IS_OK(nt_status)) {
- pdb_username = pdb_get_username((*server_info)->sam_account);
+ unix_username = (*server_info)->unix_name;
if (!(*server_info)->guest) {
/* We might not be root if we are an RPC call */
become_root();
- nt_status = smb_pam_accountcheck(pdb_username);
+ nt_status = smb_pam_accountcheck(unix_username);
unbecome_root();
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(5, ("check_ntlm_password: PAM Account for user [%s] suceeded\n",
- pdb_username));
+ DEBUG(5, ("check_ntlm_password: PAM Account for user [%s] succeeded\n",
+ unix_username));
} else {
DEBUG(3, ("check_ntlm_password: PAM Account for user [%s] FAILED with error %s\n",
- pdb_username, nt_errstr(nt_status)));
+ unix_username, nt_errstr(nt_status)));
}
}
if (NT_STATUS_IS_OK(nt_status)) {
DEBUG((*server_info)->guest ? 5 : 2,
- ("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] suceeded\n",
+ ("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] succeeded\n",
(*server_info)->guest ? "guest " : "",
- user_info->smb_name.str,
- user_info->internal_username.str,
- pdb_username));
+ user_info->smb_name,
+ user_info->internal_username,
+ unix_username));
}
+
+ return nt_status;
}
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n",
- user_info->smb_name.str, user_info->internal_username.str,
- nt_errstr(nt_status)));
- ZERO_STRUCTP(server_info);
- }
+
+ /* failed authentication; check for guest lapping */
+
+ DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n",
+ user_info->smb_name, user_info->internal_username,
+ nt_errstr(nt_status)));
+ ZERO_STRUCTP(server_info);
+
return nt_status;
}
static void free_auth_context(struct auth_context **auth_context)
{
- if (*auth_context != NULL)
+ auth_methods *auth_method;
+
+ if (*auth_context) {
+ /* Free private data of context's authentication methods */
+ for (auth_method = (*auth_context)->auth_method_list; auth_method; auth_method = auth_method->next) {
+ TALLOC_FREE(auth_method->private_data);
+ }
+
talloc_destroy((*auth_context)->mem_ctx);
- *auth_context = NULL;
+ *auth_context = NULL;
+ }
}
/***************************************************************************
mem_ctx = talloc_init("authentication context");
- *auth_context = talloc(mem_ctx, sizeof(**auth_context));
+ *auth_context = TALLOC_P(mem_ctx, struct auth_context);
if (!*auth_context) {
DEBUG(0,("make_auth_context: talloc failed!\n"));
talloc_destroy(mem_ctx);
return NT_STATUS_OK;
}
+bool load_auth_module(struct auth_context *auth_context,
+ const char *module, auth_methods **ret)
+{
+ static bool initialised_static_modules = False;
+
+ struct auth_init_function_entry *entry;
+ char *module_name = smb_xstrdup(module);
+ char *module_params = NULL;
+ char *p;
+ bool good = False;
+
+ /* Initialise static modules if not done so yet */
+ if(!initialised_static_modules) {
+ static_init_auth;
+ initialised_static_modules = True;
+ }
+
+ DEBUG(5,("load_auth_module: Attempting to find an auth method to match %s\n",
+ module));
+
+ p = strchr(module_name, ':');
+ if (p) {
+ *p = 0;
+ module_params = p+1;
+ trim_char(module_params, ' ', ' ');
+ }
+
+ trim_char(module_name, ' ', ' ');
+
+ entry = auth_find_backend_entry(module_name);
+
+ if (entry == NULL) {
+ if (NT_STATUS_IS_OK(smb_probe_module("auth", module_name))) {
+ entry = auth_find_backend_entry(module_name);
+ }
+ }
+
+ if (entry != NULL) {
+ if (!NT_STATUS_IS_OK(entry->init(auth_context, module_params, ret))) {
+ DEBUG(0,("load_auth_module: auth method %s did not correctly init\n",
+ module_name));
+ } else {
+ DEBUG(5,("load_auth_module: auth method %s has a valid init\n",
+ module_name));
+ good = True;
+ }
+ } else {
+ DEBUG(0,("load_auth_module: can't find auth method %s!\n", module_name));
+ }
+
+ SAFE_FREE(module_name);
+ return good;
+}
+
/***************************************************************************
Make a auth_info struct for the auth subsystem
***************************************************************************/
{
auth_methods *list = NULL;
auth_methods *t = NULL;
- auth_methods *tmp;
- int i;
NTSTATUS nt_status;
if (!text_list) {
if (!NT_STATUS_IS_OK(nt_status = make_auth_context(auth_context)))
return nt_status;
-
- for (;*text_list; text_list++) {
- DEBUG(5,("make_auth_context_text_list: Attempting to find an auth method to match %s\n",
- *text_list));
- for (i = 0; builtin_auth_init_functions[i].name; i++) {
- char *module_name = smb_xstrdup(*text_list);
- char *module_params = NULL;
- char *p;
-
- p = strchr(module_name, ':');
- if (p) {
- *p = 0;
- module_params = p+1;
- trim_string(module_params, " ", " ");
- }
- trim_string(module_name, " ", " ");
-
- if (strequal(builtin_auth_init_functions[i].name, module_name)) {
- DEBUG(5,("make_auth_context_text_list: Found auth method %s (at pos %d)\n", *text_list, i));
- if (NT_STATUS_IS_OK(builtin_auth_init_functions[i].init(*auth_context, module_params, &t))) {
- DEBUG(5,("make_auth_context_text_list: auth method %s has a valid init\n",
- *text_list));
- DLIST_ADD_END(list, t, tmp);
- } else {
- DEBUG(0,("make_auth_context_text_list: auth method %s did not correctly init\n",
- *text_list));
- }
- break;
- }
- SAFE_FREE(module_name);
+ for (;*text_list; text_list++) {
+ if (load_auth_module(*auth_context, *text_list, &t)) {
+ DLIST_ADD_END(list, t, auth_methods *);
}
}
char **auth_method_list = NULL;
NTSTATUS nt_status;
- if (lp_auth_methods() && !str_list_copy(&auth_method_list, lp_auth_methods())) {
+ if (lp_auth_methods()
+ && !str_list_copy(talloc_tos(), &auth_method_list,
+ lp_auth_methods())) {
return NT_STATUS_NO_MEMORY;
}
{
case SEC_DOMAIN:
DEBUG(5,("Making default auth method list for security=domain\n"));
- auth_method_list = str_list_make("guest sam winbind ntdomain", NULL);
+ auth_method_list = str_list_make(
+ talloc_tos(), "guest sam winbind:ntdomain",
+ NULL);
break;
case SEC_SERVER:
DEBUG(5,("Making default auth method list for security=server\n"));
- auth_method_list = str_list_make("guest sam smbserver", NULL);
+ auth_method_list = str_list_make(
+ talloc_tos(), "guest sam smbserver",
+ NULL);
break;
case SEC_USER:
if (lp_encrypted_passwords()) {
- DEBUG(5,("Making default auth method list for security=user, encrypt passwords = yes\n"));
- auth_method_list = str_list_make("guest sam", NULL);
+ if ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role() == ROLE_DOMAIN_BDC)) {
+ DEBUG(5,("Making default auth method list for DC, security=user, encrypt passwords = yes\n"));
+ auth_method_list = str_list_make(
+ talloc_tos(),
+ "guest sam winbind:trustdomain",
+ NULL);
+ } else {
+ DEBUG(5,("Making default auth method list for standalone security=user, encrypt passwords = yes\n"));
+ auth_method_list = str_list_make(
+ talloc_tos(), "guest sam",
+ NULL);
+ }
} else {
DEBUG(5,("Making default auth method list for security=user, encrypt passwords = no\n"));
- auth_method_list = str_list_make("guest unix", NULL);
+ auth_method_list = str_list_make(
+ talloc_tos(), "guest unix", NULL);
}
break;
case SEC_SHARE:
if (lp_encrypted_passwords()) {
DEBUG(5,("Making default auth method list for security=share, encrypt passwords = yes\n"));
- auth_method_list = str_list_make("guest sam", NULL);
+ auth_method_list = str_list_make(
+ talloc_tos(), "guest sam", NULL);
} else {
DEBUG(5,("Making default auth method list for security=share, encrypt passwords = no\n"));
- auth_method_list = str_list_make("guest unix", NULL);
+ auth_method_list = str_list_make(
+ talloc_tos(), "guest unix", NULL);
}
break;
case SEC_ADS:
DEBUG(5,("Making default auth method list for security=ADS\n"));
- auth_method_list = str_list_make("guest sam ads winbind ntdomain", NULL);
+ auth_method_list = str_list_make(
+ talloc_tos(), "guest sam winbind:ntdomain",
+ NULL);
break;
default:
DEBUG(5,("Unknown auth method!\n"));
DEBUG(5,("Using specified auth order\n"));
}
- if (!NT_STATUS_IS_OK(nt_status = make_auth_context_text_list(auth_context, auth_method_list))) {
- str_list_free(&auth_method_list);
- return nt_status;
- }
-
- str_list_free(&auth_method_list);
+ nt_status = make_auth_context_text_list(auth_context,
+ auth_method_list);
+
+ TALLOC_FREE(auth_method_list);
return nt_status;
}
return nt_status;
}
- (*auth_context)->challenge = data_blob(chal, 8);
+ (*auth_context)->challenge = data_blob_talloc((*auth_context)->mem_ctx, chal, 8);
(*auth_context)->challenge_set_by = "fixed";
return nt_status;
}
git.samba.org / kai / samba.git / blobdiff