source3/auth/auth.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Password and authentication handling
   4    Copyright (C) Andrew Bartlett         2001-2002
   5
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 3 of the License, or
   9    (at your option) any later version.
  10
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15
  16    You should have received a copy of the GNU General Public License
  17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19
  20 #include "includes.h"
  21 #include "auth.h"
  22 #include "../lib/tsocket/tsocket.h"
  23
  24 #undef DBGC_CLASS
  25 #define DBGC_CLASS DBGC_AUTH
  26
  27 static_decl_auth;
  28
  29 static struct auth_init_function_entry *auth_backends = NULL;
  30
  31 static struct auth_init_function_entry *auth_find_backend_entry(const char *name);
  32
  33 NTSTATUS smb_register_auth(int version, const char *name, auth_init_function init)
  34 {
  35         struct auth_init_function_entry *entry = auth_backends;
  36
  37         if (version != AUTH_INTERFACE_VERSION) {
  38                 DEBUG(0,("Can't register auth_method!\n"
  39                          "You tried to register an auth module with AUTH_INTERFACE_VERSION %d, while this version of samba uses %d\n",
  40                          version,AUTH_INTERFACE_VERSION));
  41                 return NT_STATUS_OBJECT_TYPE_MISMATCH;
  42         }
  43
  44         if (!name || !init) {
  45                 return NT_STATUS_INVALID_PARAMETER;
  46         }
  47
  48         DEBUG(5,("Attempting to register auth backend %s\n", name));
  49
  50         if (auth_find_backend_entry(name)) {
  51                 DEBUG(0,("There already is an auth method registered with the name %s!\n", name));
  52                 return NT_STATUS_OBJECT_NAME_COLLISION;
  53         }
  54
  55         entry = SMB_XMALLOC_P(struct auth_init_function_entry);
  56         entry->name = smb_xstrdup(name);
  57         entry->init = init;
  58
  59         DLIST_ADD(auth_backends, entry);
  60         DEBUG(5,("Successfully added auth method '%s'\n", name));
  61         return NT_STATUS_OK;
  62 }
  63
  64 static struct auth_init_function_entry *auth_find_backend_entry(const char *name)
  65 {
  66         struct auth_init_function_entry *entry = auth_backends;
  67
  68         while(entry) {
  69                 if (strcmp(entry->name, name)==0) return entry;
  70                 entry = entry->next;
  71         }
  72
  73         return NULL;
  74 }
  75
  76 /****************************************************************************
  77  Try to get a challenge out of the various authentication modules.
  78  Returns a const char of length 8 bytes.
  79 ****************************************************************************/
  80
  81 NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context,
  82                                  uint8_t chal[8])
  83 {
  84         uchar tmp[8];
  85
  86
  87         if (auth_context->challenge.length) {
  88                 DEBUG(5, ("get_ntlm_challenge (auth subsystem): returning previous challenge by module %s (normal)\n",
  89                           auth_context->challenge_set_by));
  90                 memcpy(chal, auth_context->challenge.data, 8);
  91                 return NT_STATUS_OK;
  92         }
  93
  94         generate_random_buffer(tmp, sizeof(tmp));
  95         auth_context->challenge = data_blob_talloc(auth_context,
  96                                                    tmp, sizeof(tmp));
  97
  98         auth_context->challenge_set_by = "random";
  99
 100         memcpy(chal, auth_context->challenge.data, 8);
 101         return NT_STATUS_OK;
 102 }
 103
 104
 105 /**
 106  * Check user is in correct domain (if required)
 107  *
 108  * @param user Only used to fill in the debug message
 109  *
 110  * @param domain The domain to be verified
 111  *
 112  * @return True if the user can connect with that domain,
 113  *         False otherwise.
 114 **/
 115
 116 static bool check_domain_match(const char *user, const char *domain)
 117 {
 118         /*
 119          * If we aren't serving to trusted domains, we must make sure that
 120          * the validation request comes from an account in the same domain
 121          * as the Samba server
 122          */
 123
 124         if (!lp_allow_trusted_domains() &&
 125             !(strequal("", domain) ||
 126               strequal(lp_workgroup(), domain) ||
 127               is_myname(domain))) {
 128                 DEBUG(1, ("check_domain_match: Attempt to connect as user %s from domain %s denied.\n", user, domain));
 129                 return False;
 130         } else {
 131                 return True;
 132         }
 133 }
 134
 135 /**
 136  * Check a user's Plaintext, LM or NTLM password.
 137  *
 138  * Check a user's password, as given in the user_info struct and return various
 139  * interesting details in the server_info struct.
 140  *
 141  * This function does NOT need to be in a become_root()/unbecome_root() pair
 142  * as it makes the calls itself when needed.
 143  *
 144  * The return value takes precedence over the contents of the server_info
 145  * struct.  When the return is other than NT_STATUS_OK the contents
 146  * of that structure is undefined.
 147  *
 148  * @param user_info Contains the user supplied components, including the passwords.
 149  *                  Must be created with make_user_info() or one of its wrappers.
 150  *
 151  * @param auth_context Supplies the challenges and some other data.
 152  *                  Must be created with make_auth_context(), and the challenges should be
 153  *                  filled in, either at creation or by calling the challenge geneation
 154  *                  function auth_get_challenge().
 155  *
 156  * @param server_info If successful, contains information about the authentication,
 157  *                    including a struct samu struct describing the user.
 158  *
 159  * @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
 160  *
 161  **/
 162
 163 NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context,
 164                                   const struct auth_usersupplied_info *user_info,
 165                                   struct auth_serversupplied_info **server_info)
 166 {
 167         /* if all the modules say 'not for me' this is reasonable */
 168         NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
 169         const char *unix_username;
 170         auth_methods *auth_method;
 171         TALLOC_CTX *mem_ctx;
 172
 173         if (!user_info || !auth_context || !server_info)
 174                 return NT_STATUS_LOGON_FAILURE;
 175
 176         DEBUG(3, ("check_ntlm_password:  Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
 177                   user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
 178
 179         DEBUG(3, ("check_ntlm_password:  mapped user is: [%s]\\[%s]@[%s]\n",
 180                   user_info->mapped.domain_name, user_info->mapped.account_name, user_info->workstation_name));
 181
 182         if (auth_context->challenge.length != 8) {
 183                 DEBUG(0, ("check_ntlm_password:  Invalid challenge stored for this auth context - cannot continue\n"));
 184                 return NT_STATUS_LOGON_FAILURE;
 185         }
 186
 187         if (auth_context->challenge_set_by)
 188                 DEBUG(10, ("check_ntlm_password: auth_context challenge created by %s\n",
 189                                         auth_context->challenge_set_by));
 190
 191         DEBUG(10, ("challenge is: \n"));
 192         dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
 193
 194 #ifdef DEBUG_PASSWORD
 195         DEBUG(100, ("user_info has passwords of length %d and %d\n",
 196                     (int)user_info->password.response.lanman.length, (int)user_info->password.response.nt.length));
 197         DEBUG(100, ("lm:\n"));
 198         dump_data(100, user_info->password.response.lanman.data, user_info->password.response.lanman.length);
 199         DEBUG(100, ("nt:\n"));
 200         dump_data(100, user_info->password.response.nt.data, user_info->password.response.nt.length);
 201 #endif
 202
 203         /* This needs to be sorted:  If it doesn't match, what should we do? */
 204         if (!check_domain_match(user_info->client.account_name, user_info->mapped.domain_name))
 205                 return NT_STATUS_LOGON_FAILURE;
 206
 207         for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) {
 208                 NTSTATUS result;
 209
 210                 mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name,
 211                                       user_info->mapped.domain_name, user_info->client.account_name);
 212
 213                 result = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info);
 214
 215                 /* check if the module did anything */
 216                 if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) {
 217                         DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name));
 218                         talloc_destroy(mem_ctx);
 219                         continue;
 220                 }
 221
 222                 nt_status = result;
 223
 224                 if (NT_STATUS_IS_OK(nt_status)) {
 225                         DEBUG(3, ("check_ntlm_password: %s authentication for user [%s] succeeded\n",
 226                                   auth_method->name, user_info->client.account_name));
 227                 } else {
 228                         DEBUG(5, ("check_ntlm_password: %s authentication for user [%s] FAILED with error %s\n",
 229                                   auth_method->name, user_info->client.account_name, nt_errstr(nt_status)));
 230                 }
 231
 232                 talloc_destroy(mem_ctx);
 233
 234                 if ( NT_STATUS_IS_OK(nt_status))
 235                 {
 236                                 break;
 237                 }
 238         }
 239
 240         /* successful authentication */
 241
 242         if (NT_STATUS_IS_OK(nt_status)) {
 243                 unix_username = (*server_info)->unix_name;
 244                 if (!(*server_info)->guest) {
 245                         const char *rhost;
 246
 247                         if (tsocket_address_is_inet(user_info->remote_host, "ip")) {
 248                                 rhost = tsocket_address_inet_addr_string(user_info->remote_host,
 249                                                                          talloc_tos());
 250                                 if (rhost == NULL) {
 251                                         return NT_STATUS_NO_MEMORY;
 252                                 }
 253                         } else {
 254                                 rhost = "127.0.0.1";
 255                         }
 256
 257                         /* We might not be root if we are an RPC call */
 258                         become_root();
 259                         nt_status = smb_pam_accountcheck(unix_username,
 260                                                          rhost);
 261                         unbecome_root();
 262
 263                         if (NT_STATUS_IS_OK(nt_status)) {
 264                                 DEBUG(5, ("check_ntlm_password:  PAM Account for user [%s] succeeded\n",
 265                                           unix_username));
 266                         } else {
 267                                 DEBUG(3, ("check_ntlm_password:  PAM Account for user [%s] FAILED with error %s\n",
 268                                           unix_username, nt_errstr(nt_status)));
 269                         }
 270                 }
 271
 272                 if (NT_STATUS_IS_OK(nt_status)) {
 273                         DEBUG((*server_info)->guest ? 5 : 2,
 274                               ("check_ntlm_password:  %sauthentication for user [%s] -> [%s] -> [%s] succeeded\n",
 275                                (*server_info)->guest ? "guest " : "",
 276                                user_info->client.account_name,
 277                                user_info->mapped.account_name,
 278                                unix_username));
 279                 }
 280
 281                 return nt_status;
 282         }
 283
 284         /* failed authentication; check for guest lapping */
 285
 286         DEBUG(2, ("check_ntlm_password:  Authentication for user [%s] -> [%s] FAILED with error %s\n",
 287                   user_info->client.account_name, user_info->mapped.account_name,
 288                   nt_errstr(nt_status)));
 289         ZERO_STRUCTP(server_info);
 290
 291         return nt_status;
 292 }
 293
 294 /***************************************************************************
 295  Clear out a auth_context, and destroy the attached TALLOC_CTX
 296 ***************************************************************************/
 297
 298 static int auth_context_destructor(void *ptr)
 299 {
 300         struct auth_context *ctx = talloc_get_type(ptr, struct auth_context);
 301         struct auth_methods *am;
 302
 303
 304         /* Free private data of context's authentication methods */
 305         for (am = ctx->auth_method_list; am; am = am->next) {
 306                 TALLOC_FREE(am->private_data);
 307         }
 308
 309         return 0;
 310 }
 311
 312 /***************************************************************************
 313  Make a auth_info struct
 314 ***************************************************************************/
 315
 316 static NTSTATUS make_auth_context(TALLOC_CTX *mem_ctx,
 317                                   struct auth_context **auth_context)
 318 {
 319         struct auth_context *ctx;
 320
 321         ctx = talloc_zero(mem_ctx, struct auth_context);
 322         if (!ctx) {
 323                 DEBUG(0,("make_auth_context: talloc failed!\n"));
 324                 return NT_STATUS_NO_MEMORY;
 325         }
 326
 327         talloc_set_destructor((TALLOC_CTX *)ctx, auth_context_destructor);
 328
 329         *auth_context = ctx;
 330         return NT_STATUS_OK;
 331 }
 332
 333 bool load_auth_module(struct auth_context *auth_context,
 334                       const char *module, auth_methods **ret)
 335 {
 336         static bool initialised_static_modules = False;
 337
 338         struct auth_init_function_entry *entry;
 339         char *module_name = smb_xstrdup(module);
 340         char *module_params = NULL;
 341         char *p;
 342         bool good = False;
 343
 344         /* Initialise static modules if not done so yet */
 345         if(!initialised_static_modules) {
 346                 static_init_auth;
 347                 initialised_static_modules = True;
 348         }
 349
 350         DEBUG(5,("load_auth_module: Attempting to find an auth method to match %s\n",
 351                  module));
 352
 353         p = strchr(module_name, ':');
 354         if (p) {
 355                 *p = 0;
 356                 module_params = p+1;
 357                 trim_char(module_params, ' ', ' ');
 358         }
 359
 360         trim_char(module_name, ' ', ' ');
 361
 362         entry = auth_find_backend_entry(module_name);
 363
 364         if (entry == NULL) {
 365                 if (NT_STATUS_IS_OK(smb_probe_module("auth", module_name))) {
 366                         entry = auth_find_backend_entry(module_name);
 367                 }
 368         }
 369
 370         if (entry != NULL) {
 371                 if (!NT_STATUS_IS_OK(entry->init(auth_context, module_params, ret))) {
 372                         DEBUG(0,("load_auth_module: auth method %s did not correctly init\n",
 373                                  module_name));
 374                 } else {
 375                         DEBUG(5,("load_auth_module: auth method %s has a valid init\n",
 376                                  module_name));
 377                         good = True;
 378                 }
 379         } else {
 380                 DEBUG(0,("load_auth_module: can't find auth method %s!\n", module_name));
 381         }
 382
 383         SAFE_FREE(module_name);
 384         return good;
 385 }
 386
 387 /***************************************************************************
 388  Make a auth_info struct for the auth subsystem
 389 ***************************************************************************/
 390
 391 static NTSTATUS make_auth_context_text_list(TALLOC_CTX *mem_ctx,
 392                                             struct auth_context **auth_context,
 393                                             char **text_list)
 394 {
 395         auth_methods *list = NULL;
 396         auth_methods *t, *method = NULL;
 397         NTSTATUS nt_status;
 398
 399         if (!text_list) {
 400                 DEBUG(2,("make_auth_context_text_list: No auth method list!?\n"));
 401                 return NT_STATUS_UNSUCCESSFUL;
 402         }
 403
 404         nt_status = make_auth_context(mem_ctx, auth_context);
 405
 406         if (!NT_STATUS_IS_OK(nt_status)) {
 407                 return nt_status;
 408         }
 409
 410         for (;*text_list; text_list++) {
 411                 if (load_auth_module(*auth_context, *text_list, &t)) {
 412                     DLIST_ADD_END(list, t, auth_methods *);
 413                 }
 414         }
 415
 416         (*auth_context)->auth_method_list = list;
 417
 418         /* Look for the first module to provide a prepare_gensec and
 419          * make_auth4_context hook, and set that if provided */
 420         for (method = (*auth_context)->auth_method_list; method; method = method->next) {
 421                 if (method->prepare_gensec && method->make_auth4_context) {
 422                         (*auth_context)->prepare_gensec = method->prepare_gensec;
 423                         (*auth_context)->make_auth4_context = method->make_auth4_context;
 424                         break;
 425                 }
 426         }
 427         return NT_STATUS_OK;
 428 }
 429
 430 /***************************************************************************
 431  Make a auth_context struct for the auth subsystem
 432 ***************************************************************************/
 433
 434 NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
 435                                      struct auth_context **auth_context)
 436 {
 437         char **auth_method_list = NULL;
 438         NTSTATUS nt_status;
 439
 440         if (lp_auth_methods()
 441             && !(auth_method_list = str_list_copy(talloc_tos(),
 442                               lp_auth_methods()))) {
 443                 return NT_STATUS_NO_MEMORY;
 444         }
 445
 446         if (auth_method_list == NULL) {
 447                 switch (lp_server_role())
 448                 {
 449                 case ROLE_DOMAIN_MEMBER:
 450                         DEBUG(5,("Making default auth method list for server role = 'domain member'\n"));
 451                         auth_method_list = str_list_make_v3(
 452                                 talloc_tos(), "guest sam winbind:ntdomain",
 453                                 NULL);
 454                         break;
 455                 case ROLE_DOMAIN_BDC:
 456                 case ROLE_DOMAIN_PDC:
 457                         DEBUG(5,("Making default auth method list for DC\n"));
 458                         auth_method_list = str_list_make_v3(
 459                                 talloc_tos(),
 460                                 "guest sam winbind:trustdomain",
 461                                 NULL);
 462                         break;
 463                 case ROLE_STANDALONE:
 464                         DEBUG(5,("Making default auth method list for server role = 'standalone server', encrypt passwords = yes\n"));
 465                         if (lp_encrypt_passwords()) {
 466                                 auth_method_list = str_list_make_v3(
 467                                                 talloc_tos(), "guest sam",
 468                                                 NULL);
 469                         } else {
 470                                 DEBUG(5,("Making default auth method list for server role = 'standalone server', encrypt passwords = no\n"));
 471                                 auth_method_list = str_list_make_v3(
 472                                         talloc_tos(), "guest unix", NULL);
 473                         }
 474                         break;
 475                 case ROLE_ACTIVE_DIRECTORY_DC:
 476                         DEBUG(5,("Making default auth method list for server role = 'active directory domain controller'\n"));
 477                         auth_method_list = str_list_make_v3(
 478                                 talloc_tos(),
 479                                 "samba4",
 480                                 NULL);
 481                         break;
 482                 default:
 483                         DEBUG(5,("Unknown auth method!\n"));
 484                         return NT_STATUS_UNSUCCESSFUL;
 485                 }
 486         } else {
 487                 DEBUG(5,("Using specified auth order\n"));
 488         }
 489
 490         nt_status = make_auth_context_text_list(mem_ctx, auth_context,
 491                                                 auth_method_list);
 492
 493         TALLOC_FREE(auth_method_list);
 494         return nt_status;
 495 }
 496
 497 /***************************************************************************
 498  Make a auth_info struct with a fixed challenge
 499 ***************************************************************************/
 500
 501 NTSTATUS make_auth_context_fixed(TALLOC_CTX *mem_ctx,
 502                                  struct auth_context **auth_context,
 503                                  uchar chal[8])
 504 {
 505         NTSTATUS nt_status;
 506         nt_status = make_auth_context_subsystem(mem_ctx, auth_context);
 507         if (!NT_STATUS_IS_OK(nt_status)) {
 508                 return nt_status;
 509         }
 510
 511         (*auth_context)->challenge = data_blob_talloc(*auth_context, chal, 8);
 512         (*auth_context)->challenge_set_by = "fixed";
 513         return nt_status;
 514 }
 515
 516