import HEAD into svn+ssh://svn.samba.org/home/svn/samba/trunk
[metze/old/v3-2-winbind-ndr.git] / source / nsswitch / winbindd_pam.c
1 /*
2    Unix SMB/CIFS implementation.
3
4    Winbind daemon - pam auth funcions
5
6    Copyright (C) Andrew Tridgell 2000
7    Copyright (C) Tim Potter 2001
8    Copyright (C) Andrew Bartlett 2001-2002
9    
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 2 of the License, or
13    (at your option) any later version.
14    
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19    
20    You should have received a copy of the GNU General Public License
21    along with this program; if not, write to the Free Software
22    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 */
24
25 #include "includes.h"
26 #include "winbindd.h"
27 #undef DBGC_CLASS
28 #define DBGC_CLASS DBGC_WINBIND
29
30
31 static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx, 
32                                     struct winbindd_cli_state *state, 
33                                     NET_USER_INFO_3 *info3) 
34 {
35         prs_struct ps;
36         uint32 size;
37         if (!prs_init(&ps, 256 /* Random, non-zero number */, mem_ctx, MARSHALL)) {
38                 return NT_STATUS_NO_MEMORY;
39         }
40         if (!net_io_user_info3("", info3, &ps, 1, 3)) {
41                 prs_mem_free(&ps);
42                 return NT_STATUS_UNSUCCESSFUL;
43         }
44
45         size = prs_data_size(&ps);
46         state->response.extra_data = malloc(size);
47         if (!state->response.extra_data) {
48                 prs_mem_free(&ps);
49                 return NT_STATUS_NO_MEMORY;
50         }
51         prs_copy_all_data_out(state->response.extra_data, &ps);
52         state->response.length += size;
53         prs_mem_free(&ps);
54         return NT_STATUS_OK;
55 }
56
57 /**********************************************************************
58  Authenticate a user with a clear test password
59 **********************************************************************/
60
61 enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) 
62 {
63         NTSTATUS result;
64         fstring name_domain, name_user;
65         unsigned char trust_passwd[16];
66         time_t last_change_time;
67         uint32 sec_channel_type;
68         NET_USER_INFO_3 info3;
69         struct cli_state *cli = NULL;
70         uchar chal[8];
71         TALLOC_CTX *mem_ctx = NULL;
72         DATA_BLOB lm_resp;
73         DATA_BLOB nt_resp;
74         DOM_CRED ret_creds;
75         int attempts = 0;
76         unsigned char local_lm_response[24];
77         unsigned char local_nt_response[24];
78         struct winbindd_domain *contact_domain;
79         BOOL retry;
80
81         /* Ensure null termination */
82         state->request.data.auth.user[sizeof(state->request.data.auth.user)-1]='\0';
83
84         /* Ensure null termination */
85         state->request.data.auth.pass[sizeof(state->request.data.auth.pass)-1]='\0';
86
87         DEBUG(3, ("[%5lu]: pam auth %s\n", (unsigned long)state->pid,
88                   state->request.data.auth.user));
89
90         if (!(mem_ctx = talloc_init("winbind pam auth for %s", state->request.data.auth.user))) {
91                 DEBUG(0, ("winbindd_pam_auth: could not talloc_init()!\n"));
92                 result = NT_STATUS_NO_MEMORY;
93                 goto done;
94         }
95
96         /* Parse domain and username */
97         
98         parse_domain_user(state->request.data.auth.user, name_domain, name_user);
99
100         /* do password magic */
101         
102         generate_random_buffer(chal, 8, False);
103         SMBencrypt(state->request.data.auth.pass, chal, local_lm_response);
104                 
105         SMBNTencrypt(state->request.data.auth.pass, chal, local_nt_response);
106
107         lm_resp = data_blob_talloc(mem_ctx, local_lm_response, sizeof(local_lm_response));
108         nt_resp = data_blob_talloc(mem_ctx, local_nt_response, sizeof(local_nt_response));
109         
110         /* what domain should we contact? */
111         
112         if ( IS_DC ) {
113                 if (!(contact_domain = find_domain_from_name(name_domain))) {
114                         DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n", 
115                                   state->request.data.auth.user, name_domain, name_user, name_domain)); 
116                         result = NT_STATUS_NO_SUCH_USER;
117                         goto done;
118                 }
119                 
120         } else {
121                 if (is_myname(name_domain)) {
122                         DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
123                         result =  NT_STATUS_NO_SUCH_USER;
124                         goto done;
125                 }
126
127                 if (!(contact_domain = find_our_domain())) {
128                         DEBUG(1, ("Authenticatoin for [%s] -> [%s]\\[%s] in our domain failed - we can't find our domain!\n", 
129                                   state->request.data.auth.user, name_domain, name_user)); 
130                         result = NT_STATUS_NO_SUCH_USER;
131                         goto done;
132                 }
133         }
134
135         if ( !get_trust_pw(contact_domain->name, trust_passwd, &last_change_time, &sec_channel_type) ) {
136                 result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
137                 goto done;
138         }
139
140         /* check authentication loop */
141
142         do {
143                 ZERO_STRUCT(info3);
144                 ZERO_STRUCT(ret_creds);
145                 retry = False;
146         
147                 /* Don't shut this down - it belongs to the connection cache code */
148                 result = cm_get_netlogon_cli(contact_domain, trust_passwd, 
149                                              sec_channel_type, False, &cli);
150
151                 if (!NT_STATUS_IS_OK(result)) {
152                         DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
153                         goto done;
154                 }
155
156                 result = cli_netlogon_sam_network_logon(cli, mem_ctx,
157                                                         &ret_creds,
158                                                         name_user, name_domain, 
159                                                         global_myname(), chal, 
160                                                         lm_resp, nt_resp,
161                                                         &info3);
162                 attempts += 1;
163                 
164                 /* We have to try a second time as cm_get_netlogon_cli
165                    might not yet have noticed that the DC has killed
166                    our connection. */
167
168                 if ( cli->fd == -1 ) {
169                         retry = True;
170                         continue;
171                 } 
172                 
173                 /* if we get access denied, a possible cuase was that we had and open
174                    connection to the DC, but someone changed our machine account password
175                    out from underneath us using 'net rpc changetrustpw' */
176                    
177                 if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) ) {
178                         DEBUG(3,("winbindd_pam_auth: sam_logon returned ACCESS_DENIED.  Maybe the trust account "
179                                 "password was changed and we didn't know it.  Killing connections to domain %s\n",
180                                 name_domain));
181                         winbindd_cm_flush();
182                         retry = True;
183                         cli = NULL;
184                 } 
185                 
186         } while ( (attempts < 2) && retry );
187         
188         clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &ret_creds);
189         
190         if (NT_STATUS_IS_OK(result)) {
191                 netsamlogon_cache_store( cli->mem_ctx, &info3 );
192                 wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3);
193         }
194    
195 done:
196         /* give us a more useful (more correct?) error code */
197         if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) || (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
198                 result = NT_STATUS_NO_LOGON_SERVERS;
199         }
200         
201         state->response.data.auth.nt_status = NT_STATUS_V(result);
202         fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
203
204         /* we might have given a more useful error above */
205         if (!*state->response.data.auth.error_string) 
206                 fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
207         state->response.data.auth.pam_error = nt_status_to_pam(result);
208
209         DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n", 
210               state->request.data.auth.user, 
211               state->response.data.auth.nt_status_string,
212               state->response.data.auth.pam_error));          
213
214         if ( NT_STATUS_IS_OK(result) &&
215              (state->request.flags & WBFLAG_PAM_AFS_TOKEN) ) {
216
217                 char *afsname = strdup(lp_afs_username_map());
218                 char *cell;
219
220                 if (afsname == NULL) goto no_token;
221
222                 afsname = realloc_string_sub(afsname, "%D", name_domain);
223                 afsname = realloc_string_sub(afsname, "%u", name_user);
224                 afsname = realloc_string_sub(afsname, "%U", name_user);
225
226                 if (afsname == NULL) goto no_token;
227
228                 strlower_m(afsname);
229
230                 cell = strchr(afsname, '@');
231
232                 if (cell == NULL) goto no_token;
233
234                 *cell = '\0';
235                 cell += 1;
236
237                 /* Append an AFS token string */
238                 state->response.extra_data =
239                         afs_createtoken_str(afsname, cell);
240
241                 if (state->response.extra_data != NULL)
242                         state->response.length +=
243                                 strlen(state->response.extra_data)+1;
244
245         no_token:
246                 SAFE_FREE(afsname);
247         }
248                 
249         if (mem_ctx) 
250                 talloc_destroy(mem_ctx);
251         
252         return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
253 }
254
255 /**********************************************************************
256  Challenge Response Authentication Protocol 
257 **********************************************************************/
258
259 enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) 
260 {
261         NTSTATUS result;
262         unsigned char trust_passwd[16];
263         time_t last_change_time;
264         uint32 sec_channel_type;
265         NET_USER_INFO_3 info3;
266         struct cli_state *cli = NULL;
267         TALLOC_CTX *mem_ctx = NULL;
268         char *name_user = NULL;
269         const char *name_domain = NULL;
270         const char *workstation;
271         struct winbindd_domain *contact_domain;
272         DOM_CRED ret_creds;
273         int attempts = 0;
274         BOOL retry;
275
276         DATA_BLOB lm_resp, nt_resp;
277
278         if (!state->privileged) {
279                 char *error_string = NULL;
280                 DEBUG(2, ("winbindd_pam_auth_crap: non-privileged access denied.  !\n"));
281                 DEBUGADD(2, ("winbindd_pam_auth_crap: Ensure permissions on %s are set correctly.\n", 
282                              get_winbind_priv_pipe_dir()));
283                 /* send a better message than ACCESS_DENIED */
284                 asprintf(&error_string, "winbind client not authorized to use winbindd_pam_auth_crap.  Ensure permissions on %s are set correctly.",
285                          get_winbind_priv_pipe_dir());
286                 push_utf8_fstring(state->response.data.auth.error_string, error_string);
287                 SAFE_FREE(error_string);
288                 result =  NT_STATUS_ACCESS_DENIED;
289                 goto done;
290         }
291
292         /* Ensure null termination */
293         state->request.data.auth_crap.user[sizeof(state->request.data.auth_crap.user)-1]=0;
294         state->request.data.auth_crap.domain[sizeof(state->request.data.auth_crap.domain)-1]=0;
295
296         if (!(mem_ctx = talloc_init("winbind pam auth crap for (utf8) %s", state->request.data.auth_crap.user))) {
297                 DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n"));
298                 result = NT_STATUS_NO_MEMORY;
299                 goto done;
300         }
301
302         if (pull_utf8_talloc(mem_ctx, &name_user, state->request.data.auth_crap.user) == (size_t)-1) {
303                 DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
304                 result = NT_STATUS_UNSUCCESSFUL;
305                 goto done;
306         }
307
308         if (*state->request.data.auth_crap.domain) {
309                 char *dom = NULL;
310                 if (pull_utf8_talloc(mem_ctx, &dom, state->request.data.auth_crap.domain) == (size_t)-1) {
311                         DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
312                         result = NT_STATUS_UNSUCCESSFUL;
313                         goto done;
314                 }
315                 name_domain = dom;
316         } else if (lp_winbind_use_default_domain()) {
317                 name_domain = lp_workgroup();
318         } else {
319                 DEBUG(5,("no domain specified with username (%s) - failing auth\n", 
320                          name_user));
321                 result = NT_STATUS_NO_SUCH_USER;
322                 goto done;
323         }
324
325         DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
326                   name_domain, name_user));
327            
328         if (*state->request.data.auth_crap.workstation) {
329                 char *wrk = NULL;
330                 if (pull_utf8_talloc(mem_ctx, &wrk, state->request.data.auth_crap.workstation) == (size_t)-1) {
331                         DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
332                         result = NT_STATUS_UNSUCCESSFUL;
333                         goto done;
334                 }
335                 workstation = wrk;
336         } else {
337                 workstation = global_myname();
338         }
339
340         if (state->request.data.auth_crap.lm_resp_len > sizeof(state->request.data.auth_crap.lm_resp)
341                 || state->request.data.auth_crap.nt_resp_len > sizeof(state->request.data.auth_crap.nt_resp)) {
342                 DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n", 
343                           state->request.data.auth_crap.lm_resp_len, 
344                           state->request.data.auth_crap.nt_resp_len));
345                 result = NT_STATUS_INVALID_PARAMETER;
346                 goto done;
347         }
348
349         lm_resp = data_blob_talloc(mem_ctx, state->request.data.auth_crap.lm_resp, state->request.data.auth_crap.lm_resp_len);
350         nt_resp = data_blob_talloc(mem_ctx, state->request.data.auth_crap.nt_resp, state->request.data.auth_crap.nt_resp_len);
351         
352
353         /* what domain should we contact? */
354         
355         if ( IS_DC ) {
356                 if (!(contact_domain = find_domain_from_name(name_domain))) {
357                         DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n", 
358                                   state->request.data.auth.user, name_domain, name_user, name_domain)); 
359                         result = NT_STATUS_NO_SUCH_USER;
360                         goto done;
361                 }
362                 
363         } else {
364                 if (is_myname(name_domain)) {
365                         DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
366                         result =  NT_STATUS_NO_SUCH_USER;
367                         goto done;
368                 }
369
370                 if (!(contact_domain = find_our_domain())) {
371                         DEBUG(1, ("Authenticatoin for [%s] -> [%s]\\[%s] in our domain failed - we can't find our domain!\n", 
372                                   state->request.data.auth.user, name_domain, name_user)); 
373                         result = NT_STATUS_NO_SUCH_USER;
374                         goto done;
375                 }
376         }
377                 
378         if ( !get_trust_pw(contact_domain->name, trust_passwd, &last_change_time, &sec_channel_type) ) {
379                 result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
380                 goto done;
381         }
382
383         do {
384                 ZERO_STRUCT(info3);
385                 ZERO_STRUCT(ret_creds);
386                 retry = False;
387
388                 /* Don't shut this down - it belongs to the connection cache code */
389                 result = cm_get_netlogon_cli(contact_domain, trust_passwd, sec_channel_type, False, &cli);
390
391                 if (!NT_STATUS_IS_OK(result)) {
392                         DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n",
393                                   nt_errstr(result)));
394                         goto done;
395                 }
396
397                 result = cli_netlogon_sam_network_logon(cli, mem_ctx,
398                                                         &ret_creds,
399                                                         name_user, name_domain,
400                                                         workstation,
401                                                         state->request.data.auth_crap.chal, 
402                                                         lm_resp, nt_resp, 
403                                                         &info3);
404
405                 attempts += 1;
406
407                 /* We have to try a second time as cm_get_netlogon_cli
408                    might not yet have noticed that the DC has killed
409                    our connection. */
410
411                 if ( cli->fd == -1 ) {
412                         retry = True;
413                         continue;
414                 } 
415
416                 /* if we get access denied, a possible cause was that we had and open
417                    connection to the DC, but someone changed our machine account password
418                    out from underneath us using 'net rpc changetrustpw' */
419                    
420                 if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) ) {
421                         DEBUG(3,("winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED.  Maybe the trust account "
422                                 "password was changed and we didn't know it.  Killing connections to domain %s\n",
423                                 contact_domain->name));
424                         winbindd_cm_flush();
425                         retry = True;
426                         cli = NULL;
427                 } 
428                 
429         } while ( (attempts < 2) && retry );
430
431         clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &ret_creds);
432         
433         if (NT_STATUS_IS_OK(result)) {
434                 netsamlogon_cache_store( cli->mem_ctx, &info3 );
435                 wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3);
436                 
437                 if (state->request.flags & WBFLAG_PAM_INFO3_NDR) {
438                         result = append_info3_as_ndr(mem_ctx, state, &info3);
439                 } else if (state->request.flags & WBFLAG_PAM_UNIX_NAME) {
440                         /* ntlm_auth should return the unix username, per 
441                            'winbind use default domain' settings and the like */
442                         
443                         fstring username_out;
444                         const char *nt_username, *nt_domain;
445                         if (!(nt_username = unistr2_tdup(mem_ctx, &(info3.uni_user_name)))) {
446                                 /* If the server didn't give us one, just use the one we sent them */
447                                 nt_username = name_user;
448                         }
449                         
450                         if (!(nt_domain = unistr2_tdup(mem_ctx, &(info3.uni_logon_dom)))) {
451                                 /* If the server didn't give us one, just use the one we sent them */
452                                 nt_domain = name_domain;
453                         }
454
455                         fill_domain_username(username_out, nt_domain, nt_username);
456
457                         DEBUG(5, ("Setting unix username to [%s]\n", username_out));
458
459                         /* this interface is in UTF8 */
460                         if (push_utf8_allocate((char **)&state->response.extra_data, username_out) == -1) {
461                                 result = NT_STATUS_NO_MEMORY;
462                                 goto done;
463                         }
464                         state->response.length +=  strlen(state->response.extra_data)+1;
465                 }
466                 
467                 if (state->request.flags & WBFLAG_PAM_NTKEY) {
468                         memcpy(state->response.data.auth.nt_session_key, info3.user_sess_key, sizeof(state->response.data.auth.nt_session_key) /* 16 */);
469                 }
470                 if (state->request.flags & WBFLAG_PAM_LMKEY) {
471                         memcpy(state->response.data.auth.first_8_lm_hash, info3.padding, sizeof(state->response.data.auth.first_8_lm_hash) /* 8 */);
472                 }
473         }
474
475 done:
476         /* give us a more useful (more correct?) error code */
477         if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) || (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
478                 result = NT_STATUS_NO_LOGON_SERVERS;
479         }
480         
481         state->response.data.auth.nt_status = NT_STATUS_V(result);
482         push_utf8_fstring(state->response.data.auth.nt_status_string, nt_errstr(result));
483         
484         /* we might have given a more useful error above */
485         if (!*state->response.data.auth.error_string) 
486                 push_utf8_fstring(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
487         state->response.data.auth.pam_error = nt_status_to_pam(result);
488
489         DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, 
490               ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n", 
491                name_domain,
492                name_user,
493                state->response.data.auth.nt_status_string,
494                state->response.data.auth.pam_error));         
495
496         if (mem_ctx) 
497                 talloc_destroy(mem_ctx);
498         
499         return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
500 }
501
502 /* Change a user password */
503
504 enum winbindd_result winbindd_pam_chauthtok(struct winbindd_cli_state *state)
505 {
506         NTSTATUS result;
507         char *oldpass, *newpass;
508         fstring domain, user;
509         CLI_POLICY_HND *hnd;
510         TALLOC_CTX *mem_ctx;
511         struct winbindd_domain *contact_domain;
512
513         DEBUG(3, ("[%5lu]: pam chauthtok %s\n", (unsigned long)state->pid,
514                 state->request.data.chauthtok.user));
515
516         if (!(mem_ctx = talloc_init("winbind password change for (utf8) %s", 
517                                     state->request.data.chauthtok.user))) {
518                 DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n"));
519                 result = NT_STATUS_NO_MEMORY;
520                 goto done;
521         }
522
523         /* Setup crap */
524
525         if (state == NULL)
526                 return WINBINDD_ERROR;
527
528         parse_domain_user(state->request.data.chauthtok.user, domain, user);
529
530         if (!(contact_domain = find_domain_from_name(domain))) {
531                 DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n", 
532                           state->request.data.chauthtok.user, domain, user, domain)); 
533                 result = NT_STATUS_NO_SUCH_USER;
534                 goto done;
535         }
536
537         /* Change password */
538
539         oldpass = state->request.data.chauthtok.oldpass;
540         newpass = state->request.data.chauthtok.newpass;
541
542         /* Get sam handle */
543
544         if (!NT_STATUS_IS_OK(result = cm_get_sam_handle(contact_domain, &hnd)) ) {
545                 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
546                 goto done;
547         }
548
549         result = cli_samr_chgpasswd_user(hnd->cli, mem_ctx, user, newpass, oldpass);
550
551 done:    
552         state->response.data.auth.nt_status = NT_STATUS_V(result);
553         fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
554         fstrcpy(state->response.data.auth.error_string, nt_errstr(result));
555         state->response.data.auth.pam_error = nt_status_to_pam(result);
556
557         DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, 
558               ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n", 
559                domain,
560                user,
561                state->response.data.auth.nt_status_string,
562                state->response.data.auth.pam_error));         
563
564         if (mem_ctx)
565                 talloc_destroy(mem_ctx);
566
567         return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
568 }