r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation
[tprouty/samba.git] / source / nsswitch / winbindd_pam.c
1 /*
2    Unix SMB/CIFS implementation.
3
4    Winbind daemon - pam auth funcions
5
6    Copyright (C) Andrew Tridgell 2000
7    Copyright (C) Tim Potter 2001
8    Copyright (C) Andrew Bartlett 2001-2002
9    
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 2 of the License, or
13    (at your option) any later version.
14    
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19    
20    You should have received a copy of the GNU General Public License
21    along with this program; if not, write to the Free Software
22    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 */
24
25 #include "includes.h"
26 #include "winbindd.h"
27 #undef DBGC_CLASS
28 #define DBGC_CLASS DBGC_WINBIND
29
30
31 static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx, 
32                                     struct winbindd_cli_state *state, 
33                                     NET_USER_INFO_3 *info3) 
34 {
35         prs_struct ps;
36         uint32 size;
37         if (!prs_init(&ps, 256 /* Random, non-zero number */, mem_ctx, MARSHALL)) {
38                 return NT_STATUS_NO_MEMORY;
39         }
40         if (!net_io_user_info3("", info3, &ps, 1, 3)) {
41                 prs_mem_free(&ps);
42                 return NT_STATUS_UNSUCCESSFUL;
43         }
44
45         size = prs_data_size(&ps);
46         state->response.extra_data = SMB_MALLOC(size);
47         if (!state->response.extra_data) {
48                 prs_mem_free(&ps);
49                 return NT_STATUS_NO_MEMORY;
50         }
51         memset( state->response.extra_data, '\0', size );
52         prs_copy_all_data_out(state->response.extra_data, &ps);
53         state->response.length += size;
54         prs_mem_free(&ps);
55         return NT_STATUS_OK;
56 }
57
58 static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx, 
59                                      NET_USER_INFO_3 *info3,
60                                      const char *group_sid) 
61 {
62         DOM_SID require_membership_of_sid;
63         DOM_SID *all_sids;
64         size_t num_all_sids = (2 + info3->num_groups2 + info3->num_other_sids);
65         size_t i, j = 0;
66
67         /* Parse the 'required group' SID */
68         
69         if (!group_sid || !group_sid[0]) {
70                 /* NO sid supplied, all users may access */
71                 return NT_STATUS_OK;
72         }
73         
74         if (!string_to_sid(&require_membership_of_sid, group_sid)) {
75                 DEBUG(0, ("check_info3_in_group: could not parse %s as a SID!", 
76                           group_sid));
77
78                 return NT_STATUS_INVALID_PARAMETER;
79         }
80
81         all_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, num_all_sids);
82         if (!all_sids)
83                 return NT_STATUS_NO_MEMORY;
84
85         /* and create (by appending rids) the 'domain' sids */
86         
87         sid_copy(&all_sids[0], &(info3->dom_sid.sid));
88         
89         if (!sid_append_rid(&all_sids[0], info3->user_rid)) {
90                 DEBUG(3,("could not append user's primary RID 0x%x\n",
91                          info3->user_rid));                     
92                 
93                 return NT_STATUS_INVALID_PARAMETER;
94         }
95         j++;
96
97         sid_copy(&all_sids[1], &(info3->dom_sid.sid));
98                 
99         if (!sid_append_rid(&all_sids[1], info3->group_rid)) {
100                 DEBUG(3,("could not append additional group rid 0x%x\n",
101                          info3->group_rid));                    
102                 
103                 return NT_STATUS_INVALID_PARAMETER;
104         }
105         j++;    
106
107         for (i = 0; i < info3->num_groups2; i++) {
108         
109                 sid_copy(&all_sids[j], &(info3->dom_sid.sid));
110                 
111                 if (!sid_append_rid(&all_sids[j], info3->gids[i].g_rid)) {
112                         DEBUG(3,("could not append additional group rid 0x%x\n",
113                                 info3->gids[i].g_rid));                 
114                                 
115                         return NT_STATUS_INVALID_PARAMETER;
116                 }
117                 j++;
118         }
119
120         /* Copy 'other' sids.  We need to do sid filtering here to
121            prevent possible elevation of privileges.  See:
122
123            http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
124          */
125
126         for (i = 0; i < info3->num_other_sids; i++) {
127                 sid_copy(&all_sids[info3->num_groups2 + i + 2],
128                          &info3->other_sids[i].sid);
129                 j++;
130         }
131
132         for (i = 0; i < j; i++) {
133                 fstring sid1, sid2;
134                 DEBUG(10, ("User has SID: %s\n", 
135                            sid_to_string(sid1, &all_sids[i])));
136                 if (sid_equal(&require_membership_of_sid, &all_sids[i])) {
137                         DEBUG(10, ("SID %s matches %s - user permitted to authenticate!\n", 
138                                    sid_to_string(sid1, &require_membership_of_sid), sid_to_string(sid2, &all_sids[i])));
139                         return NT_STATUS_OK;
140                 }
141         }
142         
143         /* Do not distinguish this error from a wrong username/pw */
144
145         return NT_STATUS_LOGON_FAILURE;
146 }
147
148 /**********************************************************************
149  Authenticate a user with a clear text password
150 **********************************************************************/
151
152 enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) 
153 {
154         NTSTATUS result;
155         fstring name_domain, name_user;
156         unsigned char trust_passwd[16];
157         time_t last_change_time;
158         uint32 sec_channel_type;
159         NET_USER_INFO_3 info3;
160         struct cli_state *cli = NULL;
161         uchar chal[8];
162         TALLOC_CTX *mem_ctx = NULL;
163         DATA_BLOB lm_resp;
164         DATA_BLOB nt_resp;
165         DOM_CRED ret_creds;
166         int attempts = 0;
167         unsigned char local_lm_response[24];
168         unsigned char local_nt_response[24];
169         struct winbindd_domain *contact_domain;
170         BOOL retry;
171
172         /* Ensure null termination */
173         state->request.data.auth.user[sizeof(state->request.data.auth.user)-1]='\0';
174
175         /* Ensure null termination */
176         state->request.data.auth.pass[sizeof(state->request.data.auth.pass)-1]='\0';
177
178         DEBUG(3, ("[%5lu]: pam auth %s\n", (unsigned long)state->pid,
179                   state->request.data.auth.user));
180
181         if (!(mem_ctx = talloc_init("winbind pam auth for %s", state->request.data.auth.user))) {
182                 DEBUG(0, ("winbindd_pam_auth: could not talloc_init()!\n"));
183                 result = NT_STATUS_NO_MEMORY;
184                 goto done;
185         }
186
187         /* Parse domain and username */
188         
189         parse_domain_user(state->request.data.auth.user, name_domain, name_user);
190
191         /* do password magic */
192         
193
194         generate_random_buffer(chal, 8);
195         if (lp_client_ntlmv2_auth()) {
196                 DATA_BLOB server_chal;
197                 DATA_BLOB names_blob;
198                 DATA_BLOB nt_response;
199                 DATA_BLOB lm_response;
200                 server_chal = data_blob_talloc(mem_ctx, chal, 8); 
201                 
202                 /* note that the 'workgroup' here is a best guess - we don't know
203                    the server's domain at this point.  The 'server name' is also
204                    dodgy... 
205                 */
206                 names_blob = NTLMv2_generate_names_blob(global_myname(), lp_workgroup());
207                 
208                 if (!SMBNTLMv2encrypt(name_user, name_domain, 
209                                       state->request.data.auth.pass, 
210                                       &server_chal, 
211                                       &names_blob,
212                                       &lm_response, &nt_response, NULL)) {
213                         data_blob_free(&names_blob);
214                         data_blob_free(&server_chal);
215                         DEBUG(0, ("winbindd_pam_auth: SMBNTLMv2encrypt() failed!\n"));
216                         result = NT_STATUS_NO_MEMORY;
217                         goto done;
218                 }
219                 data_blob_free(&names_blob);
220                 data_blob_free(&server_chal);
221                 lm_resp = data_blob_talloc(mem_ctx, lm_response.data, lm_response.length);
222                 nt_resp = data_blob_talloc(mem_ctx, nt_response.data, nt_response.length);
223                 data_blob_free(&lm_response);
224                 data_blob_free(&nt_response);
225
226         } else {
227                 if (lp_client_lanman_auth() 
228                     && SMBencrypt(state->request.data.auth.pass, 
229                                   chal, 
230                                   local_lm_response)) {
231                         lm_resp = data_blob_talloc(mem_ctx, 
232                                                    local_lm_response, 
233                                                    sizeof(local_lm_response));
234                 } else {
235                         lm_resp = data_blob(NULL, 0);
236                 }
237                 SMBNTencrypt(state->request.data.auth.pass, 
238                              chal,
239                              local_nt_response);
240
241                 nt_resp = data_blob_talloc(mem_ctx, 
242                                            local_nt_response, 
243                                            sizeof(local_nt_response));
244         }
245
246         
247         /* what domain should we contact? */
248         
249         if ( IS_DC ) {
250                 if (!(contact_domain = find_domain_from_name(name_domain))) {
251                         DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n", 
252                                   state->request.data.auth.user, name_domain, name_user, name_domain)); 
253                         result = NT_STATUS_NO_SUCH_USER;
254                         goto done;
255                 }
256                 
257         } else {
258                 if (is_myname(name_domain)) {
259                         DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
260                         result =  NT_STATUS_NO_SUCH_USER;
261                         goto done;
262                 }
263
264                 if (!(contact_domain = find_our_domain())) {
265                         DEBUG(1, ("Authentication for [%s] -> [%s]\\[%s] in our domain failed - we can't find our domain!\n", 
266                                   state->request.data.auth.user, name_domain, name_user)); 
267                         result = NT_STATUS_NO_SUCH_USER;
268                         goto done;
269                 }
270         }
271
272         if ( !get_trust_pw(contact_domain->name, trust_passwd, &last_change_time, &sec_channel_type) ) {
273                 result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
274                 goto done;
275         }
276
277         /* check authentication loop */
278
279         do {
280                 ZERO_STRUCT(info3);
281                 ZERO_STRUCT(ret_creds);
282                 retry = False;
283         
284                 /* Don't shut this down - it belongs to the connection cache code */
285                 result = cm_get_netlogon_cli(contact_domain, trust_passwd, 
286                                              sec_channel_type, False, &cli);
287
288                 if (!NT_STATUS_IS_OK(result)) {
289                         DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
290                         goto done;
291                 }
292
293                 result = cli_netlogon_sam_network_logon(cli, mem_ctx,
294                                                         &ret_creds,
295                                                         name_user, name_domain, 
296                                                         global_myname(), chal, 
297                                                         lm_resp, nt_resp,
298                                                         &info3);
299                 attempts += 1;
300                 
301                 /* We have to try a second time as cm_get_netlogon_cli
302                    might not yet have noticed that the DC has killed
303                    our connection. */
304
305                 if ( cli->fd == -1 ) {
306                         retry = True;
307                         continue;
308                 } 
309                 
310                 /* if we get access denied, a possible cuase was that we had and open
311                    connection to the DC, but someone changed our machine account password
312                    out from underneath us using 'net rpc changetrustpw' */
313                    
314                 if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) ) {
315                         DEBUG(3,("winbindd_pam_auth: sam_logon returned ACCESS_DENIED.  Maybe the trust account "
316                                 "password was changed and we didn't know it.  Killing connections to domain %s\n",
317                                 name_domain));
318                         winbindd_cm_flush();
319                         retry = True;
320                         cli = NULL;
321                 } 
322                 
323         } while ( (attempts < 2) && retry );
324
325         if (cli != NULL) {
326                 /* We might have come out of the loop above with cli == NULL,
327                    so don't dereference that. */
328                 clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &ret_creds);
329         }
330         
331         if (NT_STATUS_IS_OK(result)) {
332                 netsamlogon_cache_store( cli->mem_ctx, name_user, &info3 );
333                 wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3);
334
335                 /* Check if the user is in the right group */
336
337                 if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth.require_membership_of_sid))) {
338                         DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
339                                   state->request.data.auth.user, 
340                                   state->request.data.auth.require_membership_of_sid));
341                 }
342         }
343
344 done:
345         /* give us a more useful (more correct?) error code */
346         if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) || (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
347                 result = NT_STATUS_NO_LOGON_SERVERS;
348         }
349         
350         state->response.data.auth.nt_status = NT_STATUS_V(result);
351         fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
352
353         /* we might have given a more useful error above */
354         if (!*state->response.data.auth.error_string) 
355                 fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
356         state->response.data.auth.pam_error = nt_status_to_pam(result);
357
358         DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n", 
359               state->request.data.auth.user, 
360               state->response.data.auth.nt_status_string,
361               state->response.data.auth.pam_error));          
362
363         if ( NT_STATUS_IS_OK(result) &&
364              (state->request.flags & WBFLAG_PAM_AFS_TOKEN) ) {
365
366                 char *afsname = SMB_STRDUP(lp_afs_username_map());
367                 char *cell;
368
369                 if (afsname == NULL) goto no_token;
370
371                 afsname = realloc_string_sub(afsname, "%D", name_domain);
372                 afsname = realloc_string_sub(afsname, "%u", name_user);
373                 afsname = realloc_string_sub(afsname, "%U", name_user);
374
375                 if (afsname == NULL) goto no_token;
376
377                 strlower_m(afsname);
378
379                 cell = strchr(afsname, '@');
380
381                 if (cell == NULL) goto no_token;
382
383                 *cell = '\0';
384                 cell += 1;
385
386                 /* Append an AFS token string */
387                 state->response.extra_data =
388                         afs_createtoken_str(afsname, cell);
389
390                 if (state->response.extra_data != NULL)
391                         state->response.length +=
392                                 strlen(state->response.extra_data)+1;
393
394         no_token:
395                 SAFE_FREE(afsname);
396         }
397                 
398         if (mem_ctx) 
399                 talloc_destroy(mem_ctx);
400         
401         return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
402 }
403
404 /**********************************************************************
405  Challenge Response Authentication Protocol 
406 **********************************************************************/
407
408 enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) 
409 {
410         NTSTATUS result;
411         unsigned char trust_passwd[16];
412         time_t last_change_time;
413         uint32 sec_channel_type;
414         NET_USER_INFO_3 info3;
415         struct cli_state *cli = NULL;
416         TALLOC_CTX *mem_ctx = NULL;
417         const char *name_user = NULL;
418         const char *name_domain = NULL;
419         const char *workstation;
420         struct winbindd_domain *contact_domain;
421         DOM_CRED ret_creds;
422         int attempts = 0;
423         BOOL retry;
424
425         DATA_BLOB lm_resp, nt_resp;
426
427         if (!state->privileged) {
428                 char *error_string = NULL;
429                 DEBUG(2, ("winbindd_pam_auth_crap: non-privileged access denied.  !\n"));
430                 DEBUGADD(2, ("winbindd_pam_auth_crap: Ensure permissions on %s are set correctly.\n", 
431                              get_winbind_priv_pipe_dir()));
432                 /* send a better message than ACCESS_DENIED */
433                 asprintf(&error_string, "winbind client not authorized to use winbindd_pam_auth_crap.  Ensure permissions on %s are set correctly.",
434                          get_winbind_priv_pipe_dir());
435                 fstrcpy(state->response.data.auth.error_string, error_string);
436                 SAFE_FREE(error_string);
437                 result =  NT_STATUS_ACCESS_DENIED;
438                 goto done;
439         }
440
441         /* Ensure null termination */
442         state->request.data.auth_crap.user[sizeof(state->request.data.auth_crap.user)-1]=0;
443         state->request.data.auth_crap.domain[sizeof(state->request.data.auth_crap.domain)-1]=0;
444
445         if (!(mem_ctx = talloc_init("winbind pam auth crap for %s", state->request.data.auth_crap.user))) {
446                 DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n"));
447                 result = NT_STATUS_NO_MEMORY;
448                 goto done;
449         }
450
451         name_user = state->request.data.auth_crap.user;
452
453         if (*state->request.data.auth_crap.domain) {
454                 name_domain = state->request.data.auth_crap.domain;
455         } else if (lp_winbind_use_default_domain()) {
456                 name_domain = lp_workgroup();
457         } else {
458                 DEBUG(5,("no domain specified with username (%s) - failing auth\n", 
459                          name_user));
460                 result = NT_STATUS_NO_SUCH_USER;
461                 goto done;
462         }
463
464         DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
465                   name_domain, name_user));
466            
467         if (*state->request.data.auth_crap.workstation) {
468                 workstation = state->request.data.auth_crap.workstation;
469         } else {
470                 workstation = global_myname();
471         }
472
473         if (state->request.data.auth_crap.lm_resp_len > sizeof(state->request.data.auth_crap.lm_resp)
474                 || state->request.data.auth_crap.nt_resp_len > sizeof(state->request.data.auth_crap.nt_resp)) {
475                 DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n", 
476                           state->request.data.auth_crap.lm_resp_len, 
477                           state->request.data.auth_crap.nt_resp_len));
478                 result = NT_STATUS_INVALID_PARAMETER;
479                 goto done;
480         }
481
482         lm_resp = data_blob_talloc(mem_ctx, state->request.data.auth_crap.lm_resp, state->request.data.auth_crap.lm_resp_len);
483         nt_resp = data_blob_talloc(mem_ctx, state->request.data.auth_crap.nt_resp, state->request.data.auth_crap.nt_resp_len);
484         
485
486         /* what domain should we contact? */
487         
488         if ( IS_DC ) {
489                 if (!(contact_domain = find_domain_from_name(name_domain))) {
490                         DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n", 
491                                   state->request.data.auth_crap.user, name_domain, name_user, name_domain)); 
492                         result = NT_STATUS_NO_SUCH_USER;
493                         goto done;
494                 }
495                 
496         } else {
497                 if (is_myname(name_domain)) {
498                         DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain));
499                         result =  NT_STATUS_NO_SUCH_USER;
500                         goto done;
501                 }
502
503                 if (!(contact_domain = find_our_domain())) {
504                         DEBUG(1, ("Authenticatoin for [%s] -> [%s]\\[%s] in our domain failed - we can't find our domain!\n", 
505                                   state->request.data.auth_crap.user, name_domain, name_user)); 
506                         result = NT_STATUS_NO_SUCH_USER;
507                         goto done;
508                 }
509         }
510                 
511         if ( !get_trust_pw(contact_domain->name, trust_passwd, &last_change_time, &sec_channel_type) ) {
512                 result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
513                 goto done;
514         }
515
516         do {
517                 ZERO_STRUCT(info3);
518                 ZERO_STRUCT(ret_creds);
519                 retry = False;
520
521                 /* Don't shut this down - it belongs to the connection cache code */
522                 result = cm_get_netlogon_cli(contact_domain, trust_passwd, sec_channel_type, False, &cli);
523
524                 if (!NT_STATUS_IS_OK(result)) {
525                         DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n",
526                                   nt_errstr(result)));
527                         goto done;
528                 }
529
530                 result = cli_netlogon_sam_network_logon(cli, mem_ctx,
531                                                         &ret_creds,
532                                                         name_user, name_domain,
533                                                         workstation,
534                                                         state->request.data.auth_crap.chal, 
535                                                         lm_resp, nt_resp, 
536                                                         &info3);
537
538                 attempts += 1;
539
540                 /* We have to try a second time as cm_get_netlogon_cli
541                    might not yet have noticed that the DC has killed
542                    our connection. */
543
544                 if ( cli->fd == -1 ) {
545                         retry = True;
546                         continue;
547                 } 
548
549                 /* if we get access denied, a possible cause was that we had and open
550                    connection to the DC, but someone changed our machine account password
551                    out from underneath us using 'net rpc changetrustpw' */
552                    
553                 if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) ) {
554                         DEBUG(3,("winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED.  Maybe the trust account "
555                                 "password was changed and we didn't know it.  Killing connections to domain %s\n",
556                                 contact_domain->name));
557                         winbindd_cm_flush();
558                         retry = True;
559                         cli = NULL;
560                 } 
561                 
562         } while ( (attempts < 2) && retry );
563
564         if (cli != NULL) {
565                 /* We might have come out of the loop above with cli == NULL,
566                    so don't dereference that. */
567                 clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &ret_creds);
568         }
569
570         if (NT_STATUS_IS_OK(result)) {
571                 netsamlogon_cache_store( cli->mem_ctx, name_user, &info3 );
572                 wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3);
573                 
574                 if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth_crap.require_membership_of_sid))) {
575                         DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
576                                   state->request.data.auth_crap.user, 
577                                   state->request.data.auth_crap.require_membership_of_sid));
578                         goto done;
579                 }
580
581                 if (state->request.flags & WBFLAG_PAM_INFO3_NDR) {
582                         result = append_info3_as_ndr(mem_ctx, state, &info3);
583                 } else if (state->request.flags & WBFLAG_PAM_UNIX_NAME) {
584                         /* ntlm_auth should return the unix username, per 
585                            'winbind use default domain' settings and the like */
586                         
587                         fstring username_out;
588                         const char *nt_username, *nt_domain;
589                         if (!(nt_username = unistr2_tdup(mem_ctx, &(info3.uni_user_name)))) {
590                                 /* If the server didn't give us one, just use the one we sent them */
591                                 nt_username = name_user;
592                         }
593                         
594                         if (!(nt_domain = unistr2_tdup(mem_ctx, &(info3.uni_logon_dom)))) {
595                                 /* If the server didn't give us one, just use the one we sent them */
596                                 nt_domain = name_domain;
597                         }
598
599                         fill_domain_username(username_out, nt_domain, nt_username);
600
601                         DEBUG(5, ("Setting unix username to [%s]\n", username_out));
602
603                         state->response.extra_data = SMB_STRDUP(username_out);
604                         if (!state->response.extra_data) {
605                                 result = NT_STATUS_NO_MEMORY;
606                                 goto done;
607                         }
608                         state->response.length +=  strlen(state->response.extra_data)+1;
609                 }
610                 
611                 if (state->request.flags & WBFLAG_PAM_USER_SESSION_KEY) {
612                         memcpy(state->response.data.auth.user_session_key, info3.user_sess_key, sizeof(state->response.data.auth.user_session_key) /* 16 */);
613                 }
614                 if (state->request.flags & WBFLAG_PAM_LMKEY) {
615                         memcpy(state->response.data.auth.first_8_lm_hash, info3.padding, sizeof(state->response.data.auth.first_8_lm_hash) /* 8 */);
616                 }
617         }
618
619 done:
620         /* give us a more useful (more correct?) error code */
621         if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) || (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
622                 result = NT_STATUS_NO_LOGON_SERVERS;
623         }
624
625         if (state->request.flags & WBFLAG_PAM_NT_STATUS_SQUASH) {
626                 result = nt_status_squash(result);
627         }
628         
629         state->response.data.auth.nt_status = NT_STATUS_V(result);
630         fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
631         
632         /* we might have given a more useful error above */
633         if (!*state->response.data.auth.error_string) 
634                 fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
635         state->response.data.auth.pam_error = nt_status_to_pam(result);
636
637         DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, 
638               ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n", 
639                name_domain,
640                name_user,
641                state->response.data.auth.nt_status_string,
642                state->response.data.auth.pam_error));         
643
644         if (mem_ctx) 
645                 talloc_destroy(mem_ctx);
646         
647         return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
648 }
649
650 /* Change a user password */
651
652 enum winbindd_result winbindd_pam_chauthtok(struct winbindd_cli_state *state)
653 {
654         NTSTATUS result;
655         char *oldpass, *newpass;
656         fstring domain, user;
657         CLI_POLICY_HND *hnd;
658         TALLOC_CTX *mem_ctx;
659         struct winbindd_domain *contact_domain;
660
661         DEBUG(3, ("[%5lu]: pam chauthtok %s\n", (unsigned long)state->pid,
662                 state->request.data.chauthtok.user));
663
664         if (!(mem_ctx = talloc_init("winbind password change for %s", 
665                                     state->request.data.chauthtok.user))) {
666                 DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n"));
667                 result = NT_STATUS_NO_MEMORY;
668                 goto done;
669         }
670
671         /* Setup crap */
672
673         if (state == NULL)
674                 return WINBINDD_ERROR;
675
676         parse_domain_user(state->request.data.chauthtok.user, domain, user);
677
678         if (!(contact_domain = find_domain_from_name(domain))) {
679                 DEBUG(3, ("Cannot change password for [%s] -> [%s]\\[%s] as %s is not a trusted domain\n", 
680                           state->request.data.chauthtok.user, domain, user, domain)); 
681                 result = NT_STATUS_NO_SUCH_USER;
682                 goto done;
683         }
684
685         /* Change password */
686
687         oldpass = state->request.data.chauthtok.oldpass;
688         newpass = state->request.data.chauthtok.newpass;
689
690         /* Get sam handle */
691
692         if (!NT_STATUS_IS_OK(result = cm_get_sam_handle(contact_domain, &hnd)) ) {
693                 DEBUG(1, ("could not get SAM handle on DC for %s\n", domain));
694                 goto done;
695         }
696
697         result = cli_samr_chgpasswd_user(hnd->cli, mem_ctx, user, newpass, oldpass);
698
699 done:    
700         state->response.data.auth.nt_status = NT_STATUS_V(result);
701         fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
702         fstrcpy(state->response.data.auth.error_string, nt_errstr(result));
703         state->response.data.auth.pam_error = nt_status_to_pam(result);
704
705         DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, 
706               ("Password change for user [%s]\\[%s] returned %s (PAM: %d)\n", 
707                domain,
708                user,
709                state->response.data.auth.nt_status_string,
710                state->response.data.auth.pam_error));         
711
712         if (mem_ctx)
713                 talloc_destroy(mem_ctx);
714
715         return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
716 }