s3-talloc Change TALLOC_ZERO_P() to talloc_zero()
[nivanova/samba-autobuild/.git] / source3 / auth / auth_winbind.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    Winbind authentication mechnism
5
6    Copyright (C) Tim Potter 2000
7    Copyright (C) Andrew Bartlett 2001 - 2002
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "auth.h"
25 #include "nsswitch/libwbclient/wbclient.h"
26
27 #undef DBGC_CLASS
28 #define DBGC_CLASS DBGC_AUTH
29
30 /* Authenticate a user with a challenge/response */
31
32 static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
33                                        void *my_private_data, 
34                                        TALLOC_CTX *mem_ctx,
35                                        const struct auth_usersupplied_info *user_info,
36                                        struct auth_serversupplied_info **server_info)
37 {
38         NTSTATUS nt_status;
39         wbcErr wbc_status;
40         struct wbcAuthUserParams params;
41         struct wbcAuthUserInfo *info = NULL;
42         struct wbcAuthErrorInfo *err = NULL;
43
44         ZERO_STRUCT(params);
45
46         if (!user_info) {
47                 return NT_STATUS_INVALID_PARAMETER;
48         }
49
50         DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));
51
52         if (!auth_context) {
53                 DEBUG(3,("Password for user %s cannot be checked because we have no auth_info to get the challenge from.\n", 
54                          user_info->mapped.account_name));
55                 return NT_STATUS_INVALID_PARAMETER;
56         }               
57
58         if (strequal(user_info->mapped.domain_name, get_global_sam_name())) {
59                 DEBUG(3,("check_winbind_security: Not using winbind, requested domain [%s] was for this SAM.\n",
60                         user_info->mapped.domain_name));
61                 return NT_STATUS_NOT_IMPLEMENTED;
62         }
63
64         /* Send off request */
65
66         params.account_name     = user_info->client.account_name;
67         params.domain_name      = user_info->mapped.domain_name;
68         params.workstation_name = user_info->workstation_name;
69
70         params.flags            = 0;
71         params.parameter_control= user_info->logon_parameters;
72
73         params.level            = WBC_AUTH_USER_LEVEL_RESPONSE;
74
75         memcpy(params.password.response.challenge,
76                auth_context->challenge.data,
77                sizeof(params.password.response.challenge));
78
79         if (user_info->password.response.nt.length != 0) {
80                 params.password.response.nt_length =
81                         user_info->password.response.nt.length;
82                 params.password.response.nt_data =
83                         user_info->password.response.nt.data;
84         }
85         if (user_info->password.response.lanman.length != 0) {
86                 params.password.response.lm_length =
87                         user_info->password.response.lanman.length;
88                 params.password.response.lm_data =
89                         user_info->password.response.lanman.data;
90         }
91
92         /* we are contacting the privileged pipe */
93         become_root();
94         wbc_status = wbcAuthenticateUserEx(&params, &info, &err);
95         unbecome_root();
96
97         if (!WBC_ERROR_IS_OK(wbc_status)) {
98                 DEBUG(10,("check_winbind_security: wbcAuthenticateUserEx failed: %s\n",
99                         wbcErrorString(wbc_status)));
100         }
101
102         if (wbc_status == WBC_ERR_NO_MEMORY) {
103                 return NT_STATUS_NO_MEMORY;
104         }
105
106         if (wbc_status == WBC_ERR_WINBIND_NOT_AVAILABLE) {
107                 struct auth_methods *auth_method =
108                         (struct auth_methods *)my_private_data;
109
110                 if ( auth_method )
111                         return auth_method->auth(auth_context, auth_method->private_data, 
112                                 mem_ctx, user_info, server_info);
113                 return NT_STATUS_LOGON_FAILURE;
114         }
115
116         if (wbc_status == WBC_ERR_AUTH_ERROR) {
117                 nt_status = NT_STATUS(err->nt_status);
118                 wbcFreeMemory(err);
119                 return nt_status;
120         }
121
122         if (!WBC_ERROR_IS_OK(wbc_status)) {
123                 return NT_STATUS_LOGON_FAILURE;
124         }
125
126         nt_status = make_server_info_wbcAuthUserInfo(mem_ctx,
127                                                      user_info->client.account_name,
128                                                      user_info->mapped.domain_name,
129                                                      info, server_info);
130         wbcFreeMemory(info);
131         if (!NT_STATUS_IS_OK(nt_status)) {
132                 return nt_status;
133         }
134
135         (*server_info)->nss_token |= user_info->was_mapped;
136
137         return nt_status;
138 }
139
140 /* module initialisation */
141 static NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char *param, auth_methods **auth_method) 
142 {
143         struct auth_methods *result;
144
145         result = talloc_zero(auth_context, struct auth_methods);
146         if (result == NULL) {
147                 return NT_STATUS_NO_MEMORY;
148         }
149         result->name = "winbind";
150         result->auth = check_winbind_security;
151
152         if (param && *param) {
153                 /* we load the 'fallback' module - if winbind isn't here, call this
154                    module */
155                 auth_methods *priv;
156                 if (!load_auth_module(auth_context, param, &priv)) {
157                         return NT_STATUS_UNSUCCESSFUL;
158                 }
159                 result->private_data = (void *)priv;
160         }
161
162         *auth_method = result;
163         return NT_STATUS_OK;
164 }
165
166 NTSTATUS auth_winbind_init(void)
167 {
168         return smb_register_auth(AUTH_INTERFACE_VERSION, "winbind", auth_init_winbind);
169 }