source/auth/auth_sam.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Password and authentication handling
   4    Copyright (C) Andrew Tridgell              1992-2000
   5    Copyright (C) Luke Kenneth Casson Leighton 1996-2000
   6    Copyright (C) Andrew Bartlett              2001-2003
   7    Copyright (C) Gerald Carter                2003
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 2 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program; if not, write to the Free Software
  21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22 */
  23
  24 #include "includes.h"
  25
  26 #undef DBGC_CLASS
  27 #define DBGC_CLASS DBGC_AUTH
  28
  29 /****************************************************************************
  30  Do a specific test for an smb password being correct, given a smb_password and
  31  the lanman and NT responses.
  32 ****************************************************************************/
  33
  34 static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
  35                                 TALLOC_CTX *mem_ctx,
  36                                 SAM_ACCOUNT *sampass,
  37                                 const auth_usersupplied_info *user_info,
  38                                 DATA_BLOB *user_sess_key,
  39                                 DATA_BLOB *lm_sess_key)
  40 {
  41         uint16 acct_ctrl;
  42         const uint8 *lm_pw, *nt_pw;
  43         const char *username = pdb_get_username(sampass);
  44
  45         acct_ctrl = pdb_get_acct_ctrl(sampass);
  46         if (acct_ctrl & ACB_PWNOTREQ) {
  47                 if (lp_null_passwords()) {
  48                         DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", username));
  49                         return NT_STATUS_OK;
  50                 } else {
  51                         DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", username));
  52                         return NT_STATUS_LOGON_FAILURE;
  53                 }
  54         }
  55
  56         lm_pw = pdb_get_lanman_passwd(sampass);
  57         nt_pw = pdb_get_nt_passwd(sampass);
  58
  59         return ntlm_password_check(mem_ctx, &auth_context->challenge,
  60                                    &user_info->lm_resp, &user_info->nt_resp,
  61                                    username,
  62                                    user_info->smb_name.str,
  63                                    user_info->client_domain.str,
  64                                    lm_pw, nt_pw, user_sess_key, lm_sess_key);
  65 }
  66
  67
  68 /****************************************************************************
  69  Do a specific test for a SAM_ACCOUNT being vaild for this connection
  70  (ie not disabled, expired and the like).
  71 ****************************************************************************/
  72
  73 static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx,
  74                                SAM_ACCOUNT *sampass,
  75                                const auth_usersupplied_info *user_info)
  76 {
  77         uint16  acct_ctrl = pdb_get_acct_ctrl(sampass);
  78         char *workstation_list;
  79         time_t kickoff_time;
  80
  81         DEBUG(4,("sam_account_ok: Checking SMB password for user %s\n",pdb_get_username(sampass)));
  82
  83         /* Quit if the account was disabled. */
  84         if (acct_ctrl & ACB_DISABLED) {
  85                 DEBUG(1,("sam_account_ok: Account for user '%s' was disabled.\n", pdb_get_username(sampass)));
  86                 return NT_STATUS_ACCOUNT_DISABLED;
  87         }
  88
  89         /* Quit if the account was locked out. */
  90         if (acct_ctrl & ACB_AUTOLOCK) {
  91                 DEBUG(1,("sam_account_ok: Account for user %s was locked out.\n", pdb_get_username(sampass)));
  92                 return NT_STATUS_ACCOUNT_LOCKED_OUT;
  93         }
  94
  95         /* Test account expire time */
  96
  97         kickoff_time = pdb_get_kickoff_time(sampass);
  98         if (kickoff_time != 0 && time(NULL) > kickoff_time) {
  99                 DEBUG(1,("sam_account_ok: Account for user '%s' has expired.\n", pdb_get_username(sampass)));
 100                 DEBUG(3,("sam_account_ok: Account expired at '%ld' unix time.\n", (long)kickoff_time));
 101                 return NT_STATUS_ACCOUNT_EXPIRED;
 102         }
 103
 104         if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOEXP)) {
 105                 time_t must_change_time = pdb_get_pass_must_change_time(sampass);
 106                 time_t last_set_time = pdb_get_pass_last_set_time(sampass);
 107
 108                 /* check for immediate expiry "must change at next logon" */
 109                 if (must_change_time == 0 && last_set_time != 0) {
 110                         DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", pdb_get_username(sampass)));
 111                         return NT_STATUS_PASSWORD_MUST_CHANGE;
 112                 }
 113
 114                 /* check for expired password */
 115                 if (must_change_time < time(NULL) && must_change_time != 0) {
 116                         DEBUG(1,("sam_account_ok: Account for user '%s' password expired!.\n", pdb_get_username(sampass)));
 117                         DEBUG(1,("sam_account_ok: Password expired at '%s' (%ld) unix time.\n", http_timestring(must_change_time), (long)must_change_time));
 118                         return NT_STATUS_PASSWORD_EXPIRED;
 119                 }
 120         }
 121
 122         /* Test workstation. Workstation list is comma separated. */
 123
 124         workstation_list = talloc_strdup(mem_ctx, pdb_get_workstations(sampass));
 125         if (!workstation_list)
 126                 return NT_STATUS_NO_MEMORY;
 127
 128         if (*workstation_list) {
 129                 BOOL invalid_ws = True;
 130                 const char *s = workstation_list;
 131
 132                 fstring tok;
 133
 134                 while (next_token(&s, tok, ",", sizeof(tok))) {
 135                         DEBUG(10,("sam_account_ok: checking for workstation match %s and %s (len=%d)\n",
 136                                   tok, user_info->wksta_name.str, user_info->wksta_name.len));
 137                         if(strequal(tok, user_info->wksta_name.str)) {
 138                                 invalid_ws = False;
 139                                 break;
 140                         }
 141                 }
 142
 143                 if (invalid_ws)
 144                         return NT_STATUS_INVALID_WORKSTATION;
 145         }
 146
 147         if (acct_ctrl & ACB_DOMTRUST) {
 148                 DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", pdb_get_username(sampass)));
 149                 return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
 150         }
 151
 152         if (acct_ctrl & ACB_SVRTRUST) {
 153                 DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", pdb_get_username(sampass)));
 154                 return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
 155         }
 156
 157         if (acct_ctrl & ACB_WSTRUST) {
 158                 DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", pdb_get_username(sampass)));
 159                 return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
 160         }
 161
 162         return NT_STATUS_OK;
 163 }
 164
 165 /****************************************************************************
 166 check if a username/password is OK assuming the password is a 24 byte
 167 SMB hash supplied in the user_info structure
 168 return an NT_STATUS constant.
 169 ****************************************************************************/
 170
 171 static NTSTATUS check_sam_security(const struct auth_context *auth_context,
 172                                    void *my_private_data,
 173                                    TALLOC_CTX *mem_ctx,
 174                                    const auth_usersupplied_info *user_info,
 175                                    auth_serversupplied_info **server_info)
 176 {
 177         SAM_ACCOUNT *sampass=NULL;
 178         BOOL ret;
 179         NTSTATUS nt_status;
 180         DATA_BLOB user_sess_key = data_blob(NULL, 0);
 181         DATA_BLOB lm_sess_key = data_blob(NULL, 0);
 182         BOOL updated_autolock = False, updated_badpw = False;
 183
 184         if (!user_info || !auth_context) {
 185                 return NT_STATUS_UNSUCCESSFUL;
 186         }
 187
 188         /* Can't use the talloc version here, because the returned struct gets
 189            kept on the server_info */
 190         if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sampass))) {
 191                 return nt_status;
 192         }
 193
 194         /* get the account information */
 195
 196         become_root();
 197         ret = pdb_getsampwnam(sampass, user_info->internal_username.str);
 198         unbecome_root();
 199
 200         if (ret == False) {
 201                 DEBUG(3,("check_sam_security: Couldn't find user '%s' in passdb file.\n", user_info->internal_username.str));
 202                 pdb_free_sam(&sampass);
 203                 return NT_STATUS_NO_SUCH_USER;
 204         }
 205
 206         /* see if autolock flag needs to be updated */
 207         if (pdb_get_acct_ctrl(sampass) & ACB_NORMAL)
 208                 pdb_update_autolock_flag(sampass, &updated_autolock);
 209         /* Quit if the account was locked out. */
 210         if (pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK) {
 211                 DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", pdb_get_username(sampass)));
 212                 return NT_STATUS_ACCOUNT_LOCKED_OUT;
 213         }
 214
 215         nt_status = sam_password_ok(auth_context, mem_ctx, sampass,
 216                                     user_info, &user_sess_key, &lm_sess_key);
 217
 218         if (!NT_STATUS_IS_OK(nt_status)) {
 219                 if (NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD) &&
 220                     pdb_get_acct_ctrl(sampass) &ACB_NORMAL) {
 221                         pdb_increment_bad_password_count(sampass);
 222                         updated_badpw = True;
 223                 } else {
 224                         pdb_update_bad_password_count(sampass,
 225                                                       &updated_badpw);
 226                 }
 227                 if (updated_autolock || updated_badpw){
 228                         become_root();
 229                         if(!pdb_update_sam_account(sampass))
 230                                 DEBUG(1, ("Failed to modify entry.\n"));
 231                         unbecome_root();
 232                 }
 233                 pdb_free_sam(&sampass);
 234                 return nt_status;
 235         }
 236
 237         if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) &&
 238             (pdb_get_bad_password_count(sampass) > 0)){
 239                 pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
 240                 pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
 241                 updated_badpw = True;
 242         }
 243
 244         if (updated_autolock || updated_badpw){
 245                 become_root();
 246                 if(!pdb_update_sam_account(sampass))
 247                         DEBUG(1, ("Failed to modify entry.\n"));
 248                 unbecome_root();
 249         }
 250
 251         nt_status = sam_account_ok(mem_ctx, sampass, user_info);
 252
 253         if (!NT_STATUS_IS_OK(nt_status)) {
 254                 pdb_free_sam(&sampass);
 255                 return nt_status;
 256         }
 257
 258         if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, sampass))) {
 259                 DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status)));
 260                 return nt_status;
 261         }
 262
 263         (*server_info)->nt_session_key = user_sess_key;
 264         (*server_info)->lm_session_key = lm_sess_key;
 265
 266         return nt_status;
 267 }
 268
 269 /* module initialisation */
 270 static NTSTATUS auth_init_sam_ignoredomain(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
 271 {
 272         if (!make_auth_methods(auth_context, auth_method)) {
 273                 return NT_STATUS_NO_MEMORY;
 274         }
 275
 276         (*auth_method)->auth = check_sam_security;
 277         (*auth_method)->name = "sam_ignoredomain";
 278         return NT_STATUS_OK;
 279 }
 280
 281
 282 /****************************************************************************
 283 Check SAM security (above) but with a few extra checks.
 284 ****************************************************************************/
 285
 286 static NTSTATUS check_samstrict_security(const struct auth_context *auth_context,
 287                                          void *my_private_data,
 288                                          TALLOC_CTX *mem_ctx,
 289                                          const auth_usersupplied_info *user_info,
 290                                          auth_serversupplied_info **server_info)
 291 {
 292         BOOL is_local_name, is_my_domain;
 293
 294         if (!user_info || !auth_context) {
 295                 return NT_STATUS_LOGON_FAILURE;
 296         }
 297
 298         is_local_name = is_myname(user_info->domain.str);
 299         is_my_domain  = strequal(user_info->domain.str, lp_workgroup());
 300
 301         /* check whether or not we service this domain/workgroup name */
 302
 303         switch ( lp_server_role() ) {
 304                 case ROLE_STANDALONE:
 305                 case ROLE_DOMAIN_MEMBER:
 306                         if ( !is_local_name ) {
 307                                 DEBUG(6,("check_samstrict_security: %s is not one of my local names (%s)\n",
 308                                         user_info->domain.str, (lp_server_role() == ROLE_DOMAIN_MEMBER
 309                                         ? "ROLE_DOMAIN_MEMBER" : "ROLE_STANDALONE") ));
 310                                 return NT_STATUS_NOT_IMPLEMENTED;
 311                         }
 312                 case ROLE_DOMAIN_PDC:
 313                 case ROLE_DOMAIN_BDC:
 314                         if ( !is_local_name && !is_my_domain ) {
 315                                 DEBUG(6,("check_samstrict_security: %s is not one of my local names or domain name (DC)\n",
 316                                         user_info->domain.str));
 317                                 return NT_STATUS_NOT_IMPLEMENTED;
 318                         }
 319                 default: /* name is ok */
 320                         break;
 321         }
 322
 323         return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, server_info);
 324 }
 325
 326 /* module initialisation */
 327 static NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
 328 {
 329         if (!make_auth_methods(auth_context, auth_method)) {
 330                 return NT_STATUS_NO_MEMORY;
 331         }
 332
 333         (*auth_method)->auth = check_samstrict_security;
 334         (*auth_method)->name = "sam";
 335         return NT_STATUS_OK;
 336 }
 337
 338 NTSTATUS auth_sam_init(void)
 339 {
 340         smb_register_auth(AUTH_INTERFACE_VERSION, "sam", auth_init_sam);
 341         smb_register_auth(AUTH_INTERFACE_VERSION, "sam_ignoredomain", auth_init_sam_ignoredomain);
 342         return NT_STATUS_OK;
 343 }