54cc64375954139515069513afe7a7df6be06a64
[sfrench/samba-autobuild/.git] / source4 / auth / ntlm / auth_sam.c
1 /* 
2    Unix SMB/CIFS implementation.
3    Password and authentication handling
4    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2009
5    Copyright (C) Gerald Carter                             2003
6    Copyright (C) Stefan Metzmacher                         2005
7    
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "system/time.h"
24 #include <ldb.h>
25 #include "libcli/ldap/ldap_ndr.h"
26 #include "libcli/security/security.h"
27 #include "auth/auth.h"
28 #include "../libcli/auth/ntlm_check.h"
29 #include "auth/ntlm/auth_proto.h"
30 #include "auth/auth_sam.h"
31 #include "dsdb/samdb/samdb.h"
32 #include "dsdb/common/util.h"
33 #include "param/param.h"
34 #include "librpc/gen_ndr/ndr_irpc_c.h"
35 #include "lib/messaging/irpc.h"
36 #include "libcli/auth/libcli_auth.h"
37 #include "libds/common/roles.h"
38
39 NTSTATUS auth_sam_init(void);
40
41 extern const char *user_attrs[];
42 extern const char *domain_ref_attrs[];
43
44 /****************************************************************************
45  Look for the specified user in the sam, return ldb result structures
46 ****************************************************************************/
47
48 static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
49                                        const char *account_name,
50                                        struct ldb_dn *domain_dn,
51                                        struct ldb_message **ret_msg)
52 {
53         int ret;
54
55         /* pull the user attributes */
56         ret = dsdb_search_one(sam_ctx, mem_ctx, ret_msg, domain_dn, LDB_SCOPE_SUBTREE,
57                               user_attrs,
58                               DSDB_SEARCH_SHOW_EXTENDED_DN,
59                               "(&(sAMAccountName=%s)(objectclass=user))",
60                               ldb_binary_encode_string(mem_ctx, account_name));
61         if (ret == LDB_ERR_NO_SUCH_OBJECT) {
62                 DEBUG(3,("sam_search_user: Couldn't find user [%s] in samdb, under %s\n", 
63                          account_name, ldb_dn_get_linearized(domain_dn)));
64                 return NT_STATUS_NO_SUCH_USER;          
65         }
66         if (ret != LDB_SUCCESS) {
67                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
68         }
69         
70         return NT_STATUS_OK;
71 }
72
73 /****************************************************************************
74  Do a specific test for an smb password being correct, given a smb_password and
75  the lanman and NT responses.
76 ****************************************************************************/
77 static NTSTATUS authsam_password_ok(struct auth4_context *auth_context,
78                                     TALLOC_CTX *mem_ctx,
79                                     uint16_t acct_flags,
80                                     const struct samr_Password *lm_pwd, 
81                                     const struct samr_Password *nt_pwd,
82                                     const struct auth_usersupplied_info *user_info, 
83                                     DATA_BLOB *user_sess_key, 
84                                     DATA_BLOB *lm_sess_key)
85 {
86         NTSTATUS status;
87
88         switch (user_info->password_state) {
89         case AUTH_PASSWORD_PLAIN: 
90         {
91                 const struct auth_usersupplied_info *user_info_temp;    
92                 status = encrypt_user_info(mem_ctx, auth_context, 
93                                            AUTH_PASSWORD_HASH, 
94                                            user_info, &user_info_temp);
95                 if (!NT_STATUS_IS_OK(status)) {
96                         DEBUG(1, ("Failed to convert plaintext password to password HASH: %s\n", nt_errstr(status)));
97                         return status;
98                 }
99                 user_info = user_info_temp;
100
101                 /*fall through*/
102         }
103         case AUTH_PASSWORD_HASH:
104                 *lm_sess_key = data_blob(NULL, 0);
105                 *user_sess_key = data_blob(NULL, 0);
106                 status = hash_password_check(mem_ctx, 
107                                              lpcfg_lanman_auth(auth_context->lp_ctx),
108                                              user_info->password.hash.lanman,
109                                              user_info->password.hash.nt,
110                                              user_info->mapped.account_name,
111                                              lm_pwd, nt_pwd);
112                 NT_STATUS_NOT_OK_RETURN(status);
113                 break;
114                 
115         case AUTH_PASSWORD_RESPONSE:
116                 status = ntlm_password_check(mem_ctx, 
117                                              lpcfg_lanman_auth(auth_context->lp_ctx),
118                                                  lpcfg_ntlm_auth(auth_context->lp_ctx),
119                                              user_info->logon_parameters, 
120                                              &auth_context->challenge.data, 
121                                              &user_info->password.response.lanman, 
122                                              &user_info->password.response.nt,
123                                              user_info->mapped.account_name,
124                                              user_info->client.account_name, 
125                                              user_info->client.domain_name, 
126                                              lm_pwd, nt_pwd,
127                                              user_sess_key, lm_sess_key);
128                 NT_STATUS_NOT_OK_RETURN(status);
129                 break;
130         }
131
132         return NT_STATUS_OK;
133 }
134
135
136 /*
137   send a message to the drepl server telling it to initiate a
138   REPL_SECRET getncchanges extended op to fetch the users secrets
139  */
140 static void auth_sam_trigger_repl_secret(struct auth4_context *auth_context,
141                                          struct ldb_dn *user_dn)
142 {
143         struct dcerpc_binding_handle *irpc_handle;
144         struct drepl_trigger_repl_secret r;
145         struct tevent_req *req;
146         TALLOC_CTX *tmp_ctx;
147
148         tmp_ctx = talloc_new(auth_context);
149         if (tmp_ctx == NULL) {
150                 return;
151         }
152
153         irpc_handle = irpc_binding_handle_by_name(tmp_ctx, auth_context->msg_ctx,
154                                                   "dreplsrv",
155                                                   &ndr_table_irpc);
156         if (irpc_handle == NULL) {
157                 DEBUG(1,(__location__ ": Unable to get binding handle for dreplsrv\n"));
158                 TALLOC_FREE(tmp_ctx);
159                 return;
160         }
161
162         r.in.user_dn = ldb_dn_get_linearized(user_dn);
163
164         /*
165          * This seem to rely on the current IRPC implementation,
166          * which delivers the message in the _send function.
167          *
168          * TODO: we need a ONE_WAY IRPC handle and register
169          * a callback and wait for it to be triggered!
170          */
171         req = dcerpc_drepl_trigger_repl_secret_r_send(tmp_ctx,
172                                                       auth_context->event_ctx,
173                                                       irpc_handle,
174                                                       &r);
175
176         /* we aren't interested in a reply */
177         talloc_free(req);
178         TALLOC_FREE(tmp_ctx);
179 }
180
181
182 /*
183  * Check that a password is OK, and update badPwdCount if required.
184  */
185
186 static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_context,
187                                                   TALLOC_CTX *mem_ctx,
188                                                   struct ldb_dn *domain_dn,
189                                                   struct ldb_message *msg,
190                                                   uint16_t acct_flags,
191                                                   const struct auth_usersupplied_info *user_info,
192                                                   DATA_BLOB *user_sess_key,
193                                                   DATA_BLOB *lm_sess_key,
194                                                   bool *authoritative)
195 {
196         NTSTATUS nt_status;
197         NTSTATUS auth_status;
198         TALLOC_CTX *tmp_ctx;
199         int i, ret;
200         int history_len = 0;
201         struct ldb_context *sam_ctx = auth_context->sam_ctx;
202         const char * const attrs[] = { "pwdHistoryLength", NULL };
203         struct ldb_message *dom_msg;
204         struct samr_Password *lm_pwd;
205         struct samr_Password *nt_pwd;
206
207         tmp_ctx = talloc_new(mem_ctx);
208         if (tmp_ctx == NULL) {
209                 return NT_STATUS_NO_MEMORY;
210         }
211
212         /*
213          * This call does more than what it appears to do, it also
214          * checks for the account lockout.
215          *
216          * It is done here so that all parts of Samba that read the
217          * password refuse to even operate on it if the account is
218          * locked out, to avoid mistakes like CVE-2013-4496.
219          */
220         nt_status = samdb_result_passwords(tmp_ctx, auth_context->lp_ctx,
221                                            msg, &lm_pwd, &nt_pwd);
222         if (!NT_STATUS_IS_OK(nt_status)) {
223                 TALLOC_FREE(tmp_ctx);
224                 return nt_status;
225         }
226
227         if (lm_pwd == NULL && nt_pwd == NULL) {
228                 bool am_rodc;
229                 if (samdb_rodc(auth_context->sam_ctx, &am_rodc) == LDB_SUCCESS && am_rodc) {
230                         /*
231                          * we don't have passwords for this
232                          * account. We are an RODC, and this account
233                          * may be one for which we either are denied
234                          * REPL_SECRET replication or we haven't yet
235                          * done the replication. We return
236                          * NT_STATUS_NOT_IMPLEMENTED which tells the
237                          * auth code to try the next authentication
238                          * mechanism. We also send a message to our
239                          * drepl server to tell it to try and
240                          * replicate the secrets for this account.
241                          *
242                          * TODO: Should we only trigger this is detected
243                          * there's a chance that the password might be
244                          * replicated, we should be able to detect this
245                          * based on msDS-NeverRevealGroup.
246                          */
247                         auth_sam_trigger_repl_secret(auth_context, msg->dn);
248                         TALLOC_FREE(tmp_ctx);
249                         return NT_STATUS_NOT_IMPLEMENTED;
250                 }
251         }
252
253         auth_status = authsam_password_ok(auth_context, tmp_ctx,
254                                           acct_flags,
255                                           lm_pwd, nt_pwd,
256                                           user_info,
257                                           user_sess_key, lm_sess_key);
258         if (NT_STATUS_IS_OK(auth_status)) {
259                 if (user_sess_key->data) {
260                         talloc_steal(mem_ctx, user_sess_key->data);
261                 }
262                 if (lm_sess_key->data) {
263                         talloc_steal(mem_ctx, lm_sess_key->data);
264                 }
265                 TALLOC_FREE(tmp_ctx);
266                 return NT_STATUS_OK;
267         }
268         *user_sess_key = data_blob_null;
269         *lm_sess_key = data_blob_null;
270
271         if (!NT_STATUS_EQUAL(auth_status, NT_STATUS_WRONG_PASSWORD)) {
272                 TALLOC_FREE(tmp_ctx);
273                 return auth_status;
274         }
275
276         /*
277          * We only continue if this was a wrong password
278          * and we'll always return NT_STATUS_WRONG_PASSWORD
279          * no matter what error happens.
280          */
281
282         /* pull the domain password property attributes */
283         ret = dsdb_search_one(sam_ctx, tmp_ctx, &dom_msg, domain_dn, LDB_SCOPE_BASE,
284                               attrs, 0, "objectClass=domain");
285         if (ret == LDB_SUCCESS) {
286                 history_len = ldb_msg_find_attr_as_uint(dom_msg, "pwdHistoryLength", 0);
287         } else if (ret == LDB_ERR_NO_SUCH_OBJECT) {
288                 DEBUG(3,("Couldn't find domain %s: %s!\n",
289                          ldb_dn_get_linearized(domain_dn),
290                          ldb_errstring(sam_ctx)));
291         } else {
292                 DEBUG(3,("error finding domain %s: %s!\n",
293                          ldb_dn_get_linearized(domain_dn),
294                          ldb_errstring(sam_ctx)));
295         }
296
297         for (i = 1; i < MIN(history_len, 3); i++) {
298                 struct samr_Password zero_string_hash;
299                 struct samr_Password zero_string_des_hash;
300                 struct samr_Password *nt_history_pwd = NULL;
301                 struct samr_Password *lm_history_pwd = NULL;
302                 NTTIME pwdLastSet;
303                 struct timeval tv_now;
304                 NTTIME now;
305                 int allowed_period_mins;
306                 NTTIME allowed_period;
307
308                 nt_status = samdb_result_passwords_from_history(tmp_ctx,
309                                                         auth_context->lp_ctx,
310                                                         msg, i,
311                                                         &lm_history_pwd,
312                                                         &nt_history_pwd);
313                 if (!NT_STATUS_IS_OK(nt_status)) {
314                         /*
315                          * If we don't find element 'i' we won't find
316                          * 'i+1' ...
317                          */
318                         break;
319                 }
320
321                 /*
322                  * We choose to avoid any issues
323                  * around different LM and NT history
324                  * lengths by only checking the NT
325                  * history
326                  */
327                 if (nt_history_pwd == NULL) {
328                         /*
329                          * If we don't find element 'i' we won't find
330                          * 'i+1' ...
331                          */
332                         break;
333                 }
334
335                 /* Skip over all-zero hashes in the history */
336                 if (all_zero(nt_history_pwd->hash,
337                              sizeof(nt_history_pwd->hash))) {
338                         continue;
339                 }
340
341                 /*
342                  * This looks odd, but the password_hash module writes this in if
343                  * (somehow) we didn't have an old NT hash
344                  */
345
346                 E_md4hash("", zero_string_hash.hash);
347                 if (memcmp(nt_history_pwd->hash, zero_string_hash.hash, 16) == 0) {
348                         continue;
349                 }
350
351                 E_deshash("", zero_string_des_hash.hash);
352                 if (!lm_history_pwd || memcmp(lm_history_pwd->hash, zero_string_des_hash.hash, 16) == 0) {
353                         lm_history_pwd = NULL;
354                 }
355
356                 auth_status = authsam_password_ok(auth_context, tmp_ctx,
357                                                   acct_flags,
358                                                   lm_history_pwd,
359                                                   nt_history_pwd,
360                                                   user_info,
361                                                   user_sess_key,
362                                                   lm_sess_key);
363                 if (!NT_STATUS_IS_OK(auth_status)) {
364                         /*
365                          * If this was not a correct password, try the next
366                          * one from the history
367                          */
368                         *user_sess_key = data_blob_null;
369                         *lm_sess_key = data_blob_null;
370                         continue;
371                 }
372
373                 if (i != 1) {
374                         /*
375                          * The authentication was OK, but not against
376                          * the previous password, which is stored at index 1.
377                          *
378                          * We just return the original wrong password.
379                          * This skips the update of the bad pwd count,
380                          * because this is almost certainly user error
381                          * (or automatic login on a computer using a cached
382                          * password from before the password change),
383                          * not an attack.
384                          */
385                         TALLOC_FREE(tmp_ctx);
386                         return NT_STATUS_WRONG_PASSWORD;
387                 }
388
389                 if (user_info->password_state != AUTH_PASSWORD_RESPONSE) {
390                         /*
391                          * The authentication was OK against the previous password,
392                          * but it's not a NTLM network authentication.
393                          *
394                          * We just return the original wrong password.
395                          * This skips the update of the bad pwd count,
396                          * because this is almost certainly user error
397                          * (or automatic login on a computer using a cached
398                          * password from before the password change),
399                          * not an attack.
400                          */
401                         TALLOC_FREE(tmp_ctx);
402                         return NT_STATUS_WRONG_PASSWORD;
403                 }
404
405                 /*
406                  * If the password was OK, it's a NTLM network authentication
407                  * and it was the previous password.
408                  *
409                  * Now we see if it is within the grace period,
410                  * so that we don't break cached sessions on other computers
411                  * before the user can lock and unlock their other screens
412                  * (resetting their cached password).
413                  *
414                  * See http://support.microsoft.com/kb/906305
415                  * OldPasswordAllowedPeriod ("old password allowed period")
416                  * is specified in minutes. The default is 60.
417                  */
418                 allowed_period_mins = lpcfg_old_password_allowed_period(auth_context->lp_ctx);
419                 /*
420                  * NTTIME uses 100ns units
421                  */
422                 allowed_period = allowed_period_mins * 60 * 1000*1000*10;
423                 pwdLastSet = samdb_result_nttime(msg, "pwdLastSet", 0);
424                 tv_now = timeval_current();
425                 now = timeval_to_nttime(&tv_now);
426
427                 if (now < pwdLastSet) {
428                         /*
429                          * time jump?
430                          *
431                          * We just return the original wrong password.
432                          * This skips the update of the bad pwd count,
433                          * because this is almost certainly user error
434                          * (or automatic login on a computer using a cached
435                          * password from before the password change),
436                          * not an attack.
437                          */
438                         TALLOC_FREE(tmp_ctx);
439                         return NT_STATUS_WRONG_PASSWORD;
440                 }
441
442                 if ((now - pwdLastSet) >= allowed_period) {
443                         /*
444                          * The allowed period is over.
445                          *
446                          * We just return the original wrong password.
447                          * This skips the update of the bad pwd count,
448                          * because this is almost certainly user error
449                          * (or automatic login on a computer using a cached
450                          * password from before the password change),
451                          * not an attack.
452                          */
453                         TALLOC_FREE(tmp_ctx);
454                         return NT_STATUS_WRONG_PASSWORD;
455                 }
456
457                 /*
458                  * We finally allow the authentication with the
459                  * previous password within the allowed period.
460                  */
461                 if (user_sess_key->data) {
462                         talloc_steal(mem_ctx, user_sess_key->data);
463                 }
464                 if (lm_sess_key->data) {
465                         talloc_steal(mem_ctx, lm_sess_key->data);
466                 }
467
468                 TALLOC_FREE(tmp_ctx);
469                 return auth_status;
470         }
471
472         /*
473          * If we are not in the allowed period or match an old password,
474          * we didn't return early. Now update the badPwdCount et al.
475          */
476         nt_status = authsam_update_bad_pwd_count(auth_context->sam_ctx,
477                                                  msg, domain_dn);
478         if (!NT_STATUS_IS_OK(nt_status)) {
479                 /*
480                  * We need to return the original
481                  * NT_STATUS_WRONG_PASSWORD error, so there isn't
482                  * anything more we can do than write something into
483                  * the log
484                  */
485                 DEBUG(0, ("Failed to note bad password for user [%s]: %s\n",
486                           user_info->mapped.account_name,
487                           nt_errstr(nt_status)));
488         }
489
490         TALLOC_FREE(tmp_ctx);
491         return NT_STATUS_WRONG_PASSWORD;
492 }
493
494 static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
495                                      TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
496                                      struct ldb_dn *domain_dn,
497                                      struct ldb_message *msg,
498                                      const struct auth_usersupplied_info *user_info,
499                                      DATA_BLOB *user_sess_key, DATA_BLOB *lm_sess_key,
500                                      bool *authoritative)
501 {
502         NTSTATUS nt_status;
503         bool interactive = (user_info->password_state == AUTH_PASSWORD_HASH);
504         uint32_t acct_flags = samdb_result_acct_flags(msg, NULL);
505         TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
506         if (!tmp_ctx) {
507                 return NT_STATUS_NO_MEMORY;
508         }
509
510         /* You can only do an interactive login to normal accounts */
511         if (user_info->flags & USER_INFO_INTERACTIVE_LOGON) {
512                 if (!(acct_flags & ACB_NORMAL)) {
513                         TALLOC_FREE(tmp_ctx);
514                         return NT_STATUS_NO_SUCH_USER;
515                 }
516                 if (acct_flags & ACB_SMARTCARD_REQUIRED) {
517                         if (acct_flags & ACB_DISABLED) {
518                                 DEBUG(2,("authsam_authenticate: Account for user '%s' "
519                                          "was disabled.\n",
520                                          user_info->mapped.account_name));
521                                 TALLOC_FREE(tmp_ctx);
522                                 return NT_STATUS_ACCOUNT_DISABLED;
523                         }
524                         DEBUG(2,("authsam_authenticate: Account for user '%s' "
525                                  "requires interactive smartcard logon.\n",
526                                  user_info->mapped.account_name));
527                         TALLOC_FREE(tmp_ctx);
528                         return NT_STATUS_SMARTCARD_LOGON_REQUIRED;
529                 }
530         }
531
532         nt_status = authsam_password_check_and_record(auth_context, tmp_ctx,
533                                                       domain_dn, msg, acct_flags,
534                                                       user_info,
535                                                       user_sess_key, lm_sess_key,
536                                                       authoritative);
537         if (!NT_STATUS_IS_OK(nt_status)) {
538                 TALLOC_FREE(tmp_ctx);
539                 return nt_status;
540         }
541
542         nt_status = authsam_account_ok(tmp_ctx, auth_context->sam_ctx,
543                                        user_info->logon_parameters,
544                                        domain_dn,
545                                        msg,
546                                        user_info->workstation_name,
547                                        user_info->mapped.account_name,
548                                        false, false);
549         if (!NT_STATUS_IS_OK(nt_status)) {
550                 TALLOC_FREE(tmp_ctx);
551                 return nt_status;
552         }
553
554         nt_status = authsam_logon_success_accounting(auth_context->sam_ctx,
555                                                      msg, domain_dn,
556                                                      interactive);
557         if (!NT_STATUS_IS_OK(nt_status)) {
558                 TALLOC_FREE(tmp_ctx);
559                 return nt_status;
560         }
561
562         if (user_sess_key && user_sess_key->data) {
563                 talloc_steal(mem_ctx, user_sess_key->data);
564         }
565         if (lm_sess_key && lm_sess_key->data) {
566                 talloc_steal(mem_ctx, lm_sess_key->data);
567         }
568
569         TALLOC_FREE(tmp_ctx);
570         return nt_status;
571 }
572
573
574
575 static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx,
576                                                  TALLOC_CTX *mem_ctx,
577                                                  const struct auth_usersupplied_info *user_info, 
578                                                  struct auth_user_info_dc **user_info_dc,
579                                                  bool *authoritative)
580 {
581         NTSTATUS nt_status;
582         const char *account_name = user_info->mapped.account_name;
583         struct ldb_message *msg;
584         struct ldb_dn *domain_dn;
585         DATA_BLOB user_sess_key, lm_sess_key;
586         TALLOC_CTX *tmp_ctx;
587         const char *p = NULL;
588
589         if (ctx->auth_ctx->sam_ctx == NULL) {
590                 DEBUG(0, ("No SAM available, cannot log in users\n"));
591                 return NT_STATUS_INVALID_SYSTEM_SERVICE;
592         }
593
594         if (!account_name || !*account_name) {
595                 /* 'not for me' */
596                 return NT_STATUS_NOT_IMPLEMENTED;
597         }
598
599         tmp_ctx = talloc_new(mem_ctx);
600         if (!tmp_ctx) {
601                 return NT_STATUS_NO_MEMORY;
602         }
603
604         domain_dn = ldb_get_default_basedn(ctx->auth_ctx->sam_ctx);
605         if (domain_dn == NULL) {
606                 talloc_free(tmp_ctx);
607                 return NT_STATUS_NO_SUCH_DOMAIN;
608         }
609
610         p = strchr_m(account_name, '@');
611         if (p != NULL) {
612                 const char *nt4_domain = NULL;
613                 const char *nt4_account = NULL;
614                 bool is_my_domain = false;
615
616                 nt_status = crack_name_to_nt4_name(mem_ctx,
617                                                    ctx->auth_ctx->event_ctx,
618                                                    ctx->auth_ctx->lp_ctx,
619                                                    /*
620                                                     * DRSUAPI_DS_NAME_FORMAT_UPN_FOR_LOGON ?
621                                                     */
622                                                    DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL,
623                                                    account_name,
624                                                    &nt4_domain, &nt4_account);
625                 if (!NT_STATUS_IS_OK(nt_status)) {
626                         talloc_free(tmp_ctx);
627                         return NT_STATUS_NO_SUCH_USER;
628                 }
629
630                 is_my_domain = lpcfg_is_mydomain(ctx->auth_ctx->lp_ctx, nt4_domain);
631                 if (!is_my_domain) {
632                         /*
633                          * This is a user within our forest,
634                          * but in a different domain,
635                          * we're not authoritative
636                          */
637                         talloc_free(tmp_ctx);
638                         return NT_STATUS_NOT_IMPLEMENTED;
639                 }
640
641                 /*
642                  * Let's use the NT4 account name for the lookup.
643                  */
644                 account_name = nt4_account;
645         }
646
647         nt_status = authsam_search_account(tmp_ctx, ctx->auth_ctx->sam_ctx, account_name, domain_dn, &msg);
648         if (!NT_STATUS_IS_OK(nt_status)) {
649                 talloc_free(tmp_ctx);
650                 return nt_status;
651         }
652
653         nt_status = authsam_authenticate(ctx->auth_ctx, tmp_ctx, ctx->auth_ctx->sam_ctx, domain_dn, msg, user_info,
654                                          &user_sess_key, &lm_sess_key, authoritative);
655         if (!NT_STATUS_IS_OK(nt_status)) {
656                 talloc_free(tmp_ctx);
657                 return nt_status;
658         }
659
660         nt_status = authsam_make_user_info_dc(tmp_ctx, ctx->auth_ctx->sam_ctx,
661                                              lpcfg_netbios_name(ctx->auth_ctx->lp_ctx),
662                                              lpcfg_sam_name(ctx->auth_ctx->lp_ctx),
663                                              lpcfg_sam_dnsname(ctx->auth_ctx->lp_ctx),
664                                              domain_dn,
665                                              msg,
666                                              user_sess_key, lm_sess_key,
667                                              user_info_dc);
668         if (!NT_STATUS_IS_OK(nt_status)) {
669                 talloc_free(tmp_ctx);
670                 return nt_status;
671         }
672
673         talloc_steal(mem_ctx, *user_info_dc);
674         talloc_free(tmp_ctx);
675
676         return NT_STATUS_OK;
677 }
678
679 static NTSTATUS authsam_ignoredomain_want_check(struct auth_method_context *ctx,
680                                                 TALLOC_CTX *mem_ctx,
681                                                 const struct auth_usersupplied_info *user_info)
682 {
683         if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
684                 return NT_STATUS_NOT_IMPLEMENTED;
685         }
686
687         return NT_STATUS_OK;
688 }
689
690 /****************************************************************************
691 Check SAM security (above) but with a few extra checks.
692 ****************************************************************************/
693 static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
694                                    TALLOC_CTX *mem_ctx,
695                                    const struct auth_usersupplied_info *user_info)
696 {
697         const char *effective_domain = user_info->mapped.domain_name;
698         bool is_local_name = false;
699         bool is_my_domain = false;
700         const char *p = NULL;
701         struct dsdb_trust_routing_table *trt = NULL;
702         const struct lsa_TrustDomainInfoInfoEx *tdo = NULL;
703         NTSTATUS status;
704
705         if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
706                 return NT_STATUS_NOT_IMPLEMENTED;
707         }
708
709         is_local_name = lpcfg_is_myname(ctx->auth_ctx->lp_ctx,
710                                         effective_domain);
711
712         /* check whether or not we service this domain/workgroup name */
713         switch (lpcfg_server_role(ctx->auth_ctx->lp_ctx)) {
714         case ROLE_STANDALONE:
715                 return NT_STATUS_OK;
716
717         case ROLE_DOMAIN_MEMBER:
718                 if (is_local_name) {
719                         return NT_STATUS_OK;
720                 }
721
722                 DBG_DEBUG("%s is not one of my local names (DOMAIN_MEMBER)\n",
723                           effective_domain);
724                 return NT_STATUS_NOT_IMPLEMENTED;
725
726         case ROLE_ACTIVE_DIRECTORY_DC:
727                 /* handled later */
728                 break;
729
730         default:
731                 DBG_ERR("lpcfg_server_role() has an undefined value\n");
732                 return NT_STATUS_INVALID_SERVER_STATE;
733         }
734
735         /*
736          * Now we handle the AD DC case...
737          */
738
739         is_my_domain = lpcfg_is_my_domain_or_realm(ctx->auth_ctx->lp_ctx,
740                                                    effective_domain);
741         if (is_my_domain) {
742                 return NT_STATUS_OK;
743         }
744
745         if (user_info->mapped_state) {
746                 /*
747                  * The caller already did a cracknames call.
748                  */
749                 DBG_DEBUG("%s is not one domain name (DC)\n",
750                           effective_domain);
751                 return NT_STATUS_NOT_IMPLEMENTED;
752         }
753
754         if (effective_domain != NULL && !strequal(effective_domain, "")) {
755                 DBG_DEBUG("%s is not one domain name (DC)\n",
756                           effective_domain);
757                 return NT_STATUS_NOT_IMPLEMENTED;
758         }
759
760         p = strchr_m(user_info->mapped.account_name, '@');
761         if (p == NULL) {
762                 if (effective_domain == NULL) {
763                         return NT_STATUS_OK;
764                 }
765                 DEBUG(6,("authsam_check_password: '' without upn not handled (DC)\n"));
766                 return NT_STATUS_NOT_IMPLEMENTED;
767         }
768
769         effective_domain = p + 1;
770         is_my_domain = lpcfg_is_my_domain_or_realm(ctx->auth_ctx->lp_ctx,
771                                                    effective_domain);
772         if (is_my_domain) {
773                 return NT_STATUS_OK;
774         }
775
776         if (strequal(effective_domain, "")) {
777                 DBG_DEBUG("authsam_check_password: upn without realm (DC)\n");
778                 return NT_STATUS_NOT_IMPLEMENTED;
779         }
780
781         /*
782          * as last option we check the routing table if the
783          * domain is within our forest.
784          */
785         status = dsdb_trust_routing_table_load(ctx->auth_ctx->sam_ctx,
786                                                mem_ctx, &trt);
787         if (!NT_STATUS_IS_OK(status)) {
788                 DBG_ERR("authsam_check_password: dsdb_trust_routing_table_load() %s\n",
789                          nt_errstr(status));
790                 return status;
791         }
792
793         tdo = dsdb_trust_routing_by_name(trt, effective_domain);
794         if (tdo == NULL) {
795                 DBG_DEBUG("%s is not a known TLN (DC)\n",
796                           effective_domain);
797                 TALLOC_FREE(trt);
798                 return NT_STATUS_NOT_IMPLEMENTED;
799         }
800
801         if (!(tdo->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST)) {
802                 DBG_DEBUG("%s is not a TLN in our forest (DC)\n",
803                           effective_domain);
804                 TALLOC_FREE(trt);
805                 return NT_STATUS_NOT_IMPLEMENTED;
806         }
807
808         /*
809          * This principal is within our forest.
810          * we'll later do a crack_name_to_nt4_name()
811          * to check if it's in our domain.
812          */
813         TALLOC_FREE(trt);
814         return NT_STATUS_OK;
815 }
816
817 static NTSTATUS authsam_failtrusts_want_check(struct auth_method_context *ctx,
818                                               TALLOC_CTX *mem_ctx,
819                                               const struct auth_usersupplied_info *user_info)
820 {
821         const char *effective_domain = user_info->mapped.domain_name;
822         struct dsdb_trust_routing_table *trt = NULL;
823         const struct lsa_TrustDomainInfoInfoEx *tdo = NULL;
824         NTSTATUS status;
825
826         /* check whether or not we service this domain/workgroup name */
827         switch (lpcfg_server_role(ctx->auth_ctx->lp_ctx)) {
828         case ROLE_ACTIVE_DIRECTORY_DC:
829                 /* handled later */
830                 break;
831
832         default:
833                 DBG_ERR("lpcfg_server_role() has an undefined value\n");
834                 return NT_STATUS_NOT_IMPLEMENTED;
835         }
836
837         /*
838          * Now we handle the AD DC case...
839          */
840         if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
841                 return NT_STATUS_NOT_IMPLEMENTED;
842         }
843
844         if (effective_domain == NULL || strequal(effective_domain, "")) {
845                 const char *p = NULL;
846
847                 p = strchr_m(user_info->mapped.account_name, '@');
848                 if (p != NULL) {
849                         effective_domain = p + 1;
850                 }
851         }
852
853         if (effective_domain == NULL || strequal(effective_domain, "")) {
854                 DBG_DEBUG("%s is not a trusted domain\n",
855                           effective_domain);
856                 return NT_STATUS_NOT_IMPLEMENTED;
857         }
858
859         /*
860          * as last option we check the routing table if the
861          * domain is within our forest.
862          */
863         status = dsdb_trust_routing_table_load(ctx->auth_ctx->sam_ctx,
864                                                mem_ctx, &trt);
865         if (!NT_STATUS_IS_OK(status)) {
866                 DBG_ERR("authsam_check_password: dsdb_trust_routing_table_load() %s\n",
867                          nt_errstr(status));
868                 return status;
869         }
870
871         tdo = dsdb_trust_routing_by_name(trt, effective_domain);
872         if (tdo == NULL) {
873                 DBG_DEBUG("%s is not a known TLN (DC)\n",
874                           effective_domain);
875                 TALLOC_FREE(trt);
876                 return NT_STATUS_NOT_IMPLEMENTED;
877         }
878
879         /*
880          * We now about the domain...
881          */
882         TALLOC_FREE(trt);
883         return NT_STATUS_OK;
884 }
885
886 static NTSTATUS authsam_failtrusts_check_password(struct auth_method_context *ctx,
887                                                   TALLOC_CTX *mem_ctx,
888                                                   const struct auth_usersupplied_info *user_info,
889                                                   struct auth_user_info_dc **user_info_dc,
890                                                   bool *authoritative)
891 {
892         /*
893          * This should a good error for now,
894          * until this module gets removed
895          * and we have a full async path
896          * to winbind.
897          */
898         return NT_STATUS_NO_TRUST_LSA_SECRET;
899 }
900
901 /* Wrapper for the auth subsystem pointer */
902 static NTSTATUS authsam_get_user_info_dc_principal_wrapper(TALLOC_CTX *mem_ctx,
903                                                           struct auth4_context *auth_context,
904                                                           const char *principal,
905                                                           struct ldb_dn *user_dn,
906                                                           struct auth_user_info_dc **user_info_dc)
907 {
908         return authsam_get_user_info_dc_principal(mem_ctx, auth_context->lp_ctx, auth_context->sam_ctx,
909                                                  principal, user_dn, user_info_dc);
910 }
911 static const struct auth_operations sam_ignoredomain_ops = {
912         .name                      = "sam_ignoredomain",
913         .want_check                = authsam_ignoredomain_want_check,
914         .check_password            = authsam_check_password_internals,
915         .get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper,
916 };
917
918 static const struct auth_operations sam_ops = {
919         .name                      = "sam",
920         .want_check                = authsam_want_check,
921         .check_password            = authsam_check_password_internals,
922         .get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper,
923 };
924
925 static const struct auth_operations sam_failtrusts_ops = {
926         .name                      = "sam_failtrusts",
927         .want_check                = authsam_failtrusts_want_check,
928         .check_password            = authsam_failtrusts_check_password,
929 };
930
931 _PUBLIC_ NTSTATUS auth4_sam_init(TALLOC_CTX *);
932 _PUBLIC_ NTSTATUS auth4_sam_init(TALLOC_CTX *ctx)
933 {
934         NTSTATUS ret;
935
936         ret = auth_register(ctx, &sam_ops);
937         if (!NT_STATUS_IS_OK(ret)) {
938                 DEBUG(0,("Failed to register 'sam' auth backend!\n"));
939                 return ret;
940         }
941
942         ret = auth_register(ctx, &sam_ignoredomain_ops);
943         if (!NT_STATUS_IS_OK(ret)) {
944                 DEBUG(0,("Failed to register 'sam_ignoredomain' auth backend!\n"));
945                 return ret;
946         }
947
948         ret = auth_register(ctx, &sam_failtrusts_ops);
949         if (!NT_STATUS_IS_OK(ret)) {
950                 DEBUG(0,("Failed to register 'sam_failtrusts' auth backend!\n"));
951                 return ret;
952         }
953
954         return ret;
955 }