Context Navigation

source: branches/samba-3.0/source/auth/auth.c@ 223

Visit:

Last change on this file since 223 was 134, checked in by Paul Smedley, 17 years ago
Update source to 3.0.29
File size: 17.8 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	Password and authentication handling
4	Copyright (C) Andrew Bartlett 2001-2002
5
6	This program is free software; you can redistribute it and/or modify
7	it under the terms of the GNU General Public License as published by
8	the Free Software Foundation; either version 2 of the License, or
9	(at your option) any later version.
10
11	This program is distributed in the hope that it will be useful,
12	but WITHOUT ANY WARRANTY; without even the implied warranty of
13	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14	GNU General Public License for more details.
15
16	You should have received a copy of the GNU General Public License
17	along with this program; if not, write to the Free Software
18	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19	*/
20
21	#include "includes.h"
22
23	#undef DBGC_CLASS
24	#define DBGC_CLASS DBGC_AUTH
25
26	static_decl_auth;
27
28	static struct auth_init_function_entry *backends = NULL;
29
30	static struct auth_init_function_entry auth_find_backend_entry(const char name);
31
32	NTSTATUS smb_register_auth(int version, const char *name, auth_init_function init)
33	{
34	struct auth_init_function_entry *entry = backends;
35
36	if (version != AUTH_INTERFACE_VERSION) {
37	DEBUG(0,("Can't register auth_method!\n"
38	"You tried to register an auth module with AUTH_INTERFACE_VERSION %d, while this version of samba uses %d\n",
39	version,AUTH_INTERFACE_VERSION));
40	return NT_STATUS_OBJECT_TYPE_MISMATCH;
41	}
42
43	if (!name \|\| !init) {
44	return NT_STATUS_INVALID_PARAMETER;
45	}
46
47	DEBUG(5,("Attempting to register auth backend %s\n", name));
48
49	if (auth_find_backend_entry(name)) {
50	DEBUG(0,("There already is an auth method registered with the name %s!\n", name));
51	return NT_STATUS_OBJECT_NAME_COLLISION;
52	}
53
54	entry = SMB_XMALLOC_P(struct auth_init_function_entry);
55	entry->name = smb_xstrdup(name);
56	entry->init = init;
57
58	DLIST_ADD(backends, entry);
59	DEBUG(5,("Successfully added auth method '%s'\n", name));
60	return NT_STATUS_OK;
61	}
62
63	static struct auth_init_function_entry auth_find_backend_entry(const char name)
64	{
65	struct auth_init_function_entry *entry = backends;
66
67	while(entry) {
68	if (strcmp(entry->name, name)==0) return entry;
69	entry = entry->next;
70	}
71
72	return NULL;
73	}
74
75	/****************************************************************************
76	Try to get a challenge out of the various authentication modules.
77	Returns a const char of length 8 bytes.
78	****************************************************************************/
79
80	static const uint8 get_ntlm_challenge(struct auth_context auth_context)
81	{
82	DATA_BLOB challenge = data_blob(NULL, 0);
83	const char *challenge_set_by = NULL;
84	auth_methods *auth_method;
85	TALLOC_CTX *mem_ctx;
86
87	if (auth_context->challenge.length) {
88	DEBUG(5, ("get_ntlm_challenge (auth subsystem): returning previous challenge by module %s (normal)\n",
89	auth_context->challenge_set_by));
90	return auth_context->challenge.data;
91	}
92
93	auth_context->challenge_may_be_modified = False;
94
95	for (auth_method = auth_context->auth_method_list; auth_method; auth_method = auth_method->next) {
96	if (auth_method->get_chal == NULL) {
97	DEBUG(5, ("auth_get_challenge: module %s did not want to specify a challenge\n", auth_method->name));
98	continue;
99	}
100
101	DEBUG(5, ("auth_get_challenge: getting challenge from module %s\n", auth_method->name));
102	if (challenge_set_by != NULL) {
103	DEBUG(1, ("auth_get_challenge: CONFIGURATION ERROR: authentication method %s has already specified a challenge. Challenge by %s ignored.\n",
104	challenge_set_by, auth_method->name));
105	continue;
106	}
107
108	mem_ctx = talloc_init("auth_get_challenge for module %s", auth_method->name);
109	if (!mem_ctx) {
110	smb_panic("talloc_init() failed!");
111	}
112
113	challenge = auth_method->get_chal(auth_context, &auth_method->private_data, mem_ctx);
114	if (!challenge.length) {
115	DEBUG(3, ("auth_get_challenge: getting challenge from authentication method %s FAILED.\n",
116	auth_method->name));
117	} else {
118	DEBUG(5, ("auth_get_challenge: successfully got challenge from module %s\n", auth_method->name));
119	auth_context->challenge = challenge;
120	challenge_set_by = auth_method->name;
121	auth_context->challenge_set_method = auth_method;
122	}
123	talloc_destroy(mem_ctx);
124	}
125
126	if (!challenge_set_by) {
127	uchar chal[8];
128
129	generate_random_buffer(chal, sizeof(chal));
130	auth_context->challenge = data_blob_talloc(auth_context->mem_ctx,
131	chal, sizeof(chal));
132
133	challenge_set_by = "random";
134	auth_context->challenge_may_be_modified = True;
135	}
136
137	DEBUG(5, ("auth_context challenge created by %s\n", challenge_set_by));
138	DEBUG(5, ("challenge is: \n"));
139	dump_data(5, (const char *)auth_context->challenge.data, auth_context->challenge.length);
140
141	SMB_ASSERT(auth_context->challenge.length == 8);
142
143	auth_context->challenge_set_by=challenge_set_by;
144
145	return auth_context->challenge.data;
146	}
147
148
149	/**
150	* Check user is in correct domain (if required)
151	*
152	* @param user Only used to fill in the debug message
153	*
154	* @param domain The domain to be verified
155	*
156	* @return True if the user can connect with that domain,
157	* False otherwise.
158	**/
159
160	static BOOL check_domain_match(const char user, const char domain)
161	{
162	/*
163	* If we aren't serving to trusted domains, we must make sure that
164	* the validation request comes from an account in the same domain
165	* as the Samba server
166	*/
167
168	if (!lp_allow_trusted_domains() &&
169	!(strequal("", domain) \|\|
170	strequal(lp_workgroup(), domain) \|\|
171	is_myname(domain))) {
172	DEBUG(1, ("check_domain_match: Attempt to connect as user %s from domain %s denied.\n", user, domain));
173	return False;
174	} else {
175	return True;
176	}
177	}
178
179	/**
180	* Check a user's Plaintext, LM or NTLM password.
181	*
182	* Check a user's password, as given in the user_info struct and return various
183	* interesting details in the server_info struct.
184	*
185	* This function does NOT need to be in a become_root()/unbecome_root() pair
186	* as it makes the calls itself when needed.
187	*
188	* The return value takes precedence over the contents of the server_info
189	* struct. When the return is other than NT_STATUS_OK the contents
190	* of that structure is undefined.
191	*
192	* @param user_info Contains the user supplied components, including the passwords.
193	* Must be created with make_user_info() or one of its wrappers.
194	*
195	* @param auth_context Supplies the challenges and some other data.
196	* Must be created with make_auth_context(), and the challenges should be
197	* filled in, either at creation or by calling the challenge geneation
198	* function auth_get_challenge().
199	*
200	* @param server_info If successful, contains information about the authentication,
201	* including a struct samu struct describing the user.
202	*
203	* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
204	*
205	**/
206
207	static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
208	const struct auth_usersupplied_info *user_info,
209	struct auth_serversupplied_info **server_info)
210	{
211	/* if all the modules say 'not for me' this is reasonable */
212	NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
213	const char *unix_username;
214	auth_methods *auth_method;
215	TALLOC_CTX *mem_ctx;
216
217	if (!user_info \|\| !auth_context \|\| !server_info)
218	return NT_STATUS_LOGON_FAILURE;
219
220	DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
221	user_info->client_domain, user_info->smb_name, user_info->wksta_name));
222
223	DEBUG(3, ("check_ntlm_password: mapped user is: [%s]\\[%s]@[%s]\n",
224	user_info->domain, user_info->internal_username, user_info->wksta_name));
225
226	if (auth_context->challenge.length != 8) {
227	DEBUG(0, ("check_ntlm_password: Invalid challenge stored for this auth context - cannot continue\n"));
228	return NT_STATUS_LOGON_FAILURE;
229	}
230
231	if (auth_context->challenge_set_by)
232	DEBUG(10, ("check_ntlm_password: auth_context challenge created by %s\n",
233	auth_context->challenge_set_by));
234
235	DEBUG(10, ("challenge is: \n"));
236	dump_data(5, (const char *)auth_context->challenge.data, auth_context->challenge.length);
237
238	#ifdef DEBUG_PASSWORD
239	DEBUG(100, ("user_info has passwords of length %d and %d\n",
240	(int)user_info->lm_resp.length, (int)user_info->nt_resp.length));
241	DEBUG(100, ("lm:\n"));
242	dump_data(100, (const char *)user_info->lm_resp.data, user_info->lm_resp.length);
243	DEBUG(100, ("nt:\n"));
244	dump_data(100, (const char *)user_info->nt_resp.data, user_info->nt_resp.length);
245	#endif
246
247	/* This needs to be sorted: If it doesn't match, what should we do? */
248	if (!check_domain_match(user_info->smb_name, user_info->domain))
249	return NT_STATUS_LOGON_FAILURE;
250
251	for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) {
252	NTSTATUS result;
253
254	mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name,
255	user_info->domain, user_info->smb_name);
256
257	result = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info);
258
259	/* check if the module did anything */
260	if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) {
261	DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name));
262	talloc_destroy(mem_ctx);
263	continue;
264	}
265
266	nt_status = result;
267
268	if (NT_STATUS_IS_OK(nt_status)) {
269	DEBUG(3, ("check_ntlm_password: %s authentication for user [%s] succeeded\n",
270	auth_method->name, user_info->smb_name));
271	} else {
272	DEBUG(5, ("check_ntlm_password: %s authentication for user [%s] FAILED with error %s\n",
273	auth_method->name, user_info->smb_name, nt_errstr(nt_status)));
274	}
275
276	talloc_destroy(mem_ctx);
277
278	if ( NT_STATUS_IS_OK(nt_status))
279	{
280	break;
281	}
282	}
283
284	/* successful authentication */
285
286	if (NT_STATUS_IS_OK(nt_status)) {
287	unix_username = (*server_info)->unix_name;
288	if (!(*server_info)->guest) {
289	/* We might not be root if we are an RPC call */
290	become_root();
291	nt_status = smb_pam_accountcheck(unix_username);
292	unbecome_root();
293
294	if (NT_STATUS_IS_OK(nt_status)) {
295	DEBUG(5, ("check_ntlm_password: PAM Account for user [%s] succeeded\n",
296	unix_username));
297	} else {
298	DEBUG(3, ("check_ntlm_password: PAM Account for user [%s] FAILED with error %s\n",
299	unix_username, nt_errstr(nt_status)));
300	}
301	}
302
303	if (NT_STATUS_IS_OK(nt_status)) {
304	DEBUG((*server_info)->guest ? 5 : 2,
305	("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] succeeded\n",
306	(*server_info)->guest ? "guest " : "",
307	user_info->smb_name,
308	user_info->internal_username,
309	unix_username));
310	}
311
312	return nt_status;
313	}
314
315	/* failed authentication; check for guest lapping */
316
317	DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n",
318	user_info->smb_name, user_info->internal_username,
319	nt_errstr(nt_status)));
320	ZERO_STRUCTP(server_info);
321
322	return nt_status;
323	}
324
325	/***************************************************************************
326	Clear out a auth_context, and destroy the attached TALLOC_CTX
327	***************************************************************************/
328
329	static void free_auth_context(struct auth_context **auth_context)
330	{
331	auth_methods *auth_method;
332
333	if (*auth_context) {
334	/* Free private data of context's authentication methods */
335	for (auth_method = (*auth_context)->auth_method_list; auth_method; auth_method = auth_method->next) {
336	if (auth_method->free_private_data) {
337	auth_method->free_private_data (&auth_method->private_data);
338	auth_method->private_data = NULL;
339	}
340	}
341
342	talloc_destroy((*auth_context)->mem_ctx);
343	*auth_context = NULL;
344	}
345	}
346
347	/***************************************************************************
348	Make a auth_info struct
349	***************************************************************************/
350
351	static NTSTATUS make_auth_context(struct auth_context **auth_context)
352	{
353	TALLOC_CTX *mem_ctx;
354
355	mem_ctx = talloc_init("authentication context");
356
357	*auth_context = TALLOC_P(mem_ctx, struct auth_context);
358	if (!*auth_context) {
359	DEBUG(0,("make_auth_context: talloc failed!\n"));
360	talloc_destroy(mem_ctx);
361	return NT_STATUS_NO_MEMORY;
362	}
363	ZERO_STRUCTP(*auth_context);
364
365	(*auth_context)->mem_ctx = mem_ctx;
366	(*auth_context)->check_ntlm_password = check_ntlm_password;
367	(*auth_context)->get_ntlm_challenge = get_ntlm_challenge;
368	(*auth_context)->free = free_auth_context;
369
370	return NT_STATUS_OK;
371	}
372
373	BOOL load_auth_module(struct auth_context *auth_context,
374	const char module, auth_methods *ret)
375	{
376	static BOOL initialised_static_modules = False;
377
378	struct auth_init_function_entry *entry;
379	char *module_name = smb_xstrdup(module);
380	char *module_params = NULL;
381	char *p;
382	BOOL good = False;
383
384	/* Initialise static modules if not done so yet */
385	if(!initialised_static_modules) {
386	static_init_auth;
387	initialised_static_modules = True;
388	}
389
390	DEBUG(5,("load_auth_module: Attempting to find an auth method to match %s\n",
391	module));
392
393	p = strchr(module_name, ':');
394	if (p) {
395	*p = 0;
396	module_params = p+1;
397	trim_char(module_params, ' ', ' ');
398	}
399
400	trim_char(module_name, ' ', ' ');
401
402	entry = auth_find_backend_entry(module_name);
403
404	if (entry == NULL) {
405	if (NT_STATUS_IS_OK(smb_probe_module("auth", module_name))) {
406	entry = auth_find_backend_entry(module_name);
407	}
408	}
409
410	if (entry != NULL) {
411	if (!NT_STATUS_IS_OK(entry->init(auth_context, module_params, ret))) {
412	DEBUG(0,("load_auth_module: auth method %s did not correctly init\n",
413	module_name));
414	} else {
415	DEBUG(5,("load_auth_module: auth method %s has a valid init\n",
416	module_name));
417	good = True;
418	}
419	} else {
420	DEBUG(0,("load_auth_module: can't find auth method %s!\n", module_name));
421	}
422
423	SAFE_FREE(module_name);
424	return good;
425	}
426
427	/***************************************************************************
428	Make a auth_info struct for the auth subsystem
429	***************************************************************************/
430
431	static NTSTATUS make_auth_context_text_list(struct auth_context auth_context, char text_list)
432	{
433	auth_methods *list = NULL;
434	auth_methods *t = NULL;
435	NTSTATUS nt_status;
436
437	if (!text_list) {
438	DEBUG(2,("make_auth_context_text_list: No auth method list!?\n"));
439	return NT_STATUS_UNSUCCESSFUL;
440	}
441
442	if (!NT_STATUS_IS_OK(nt_status = make_auth_context(auth_context)))
443	return nt_status;
444
445	for (;*text_list; text_list++) {
446	if (load_auth_module(auth_context, text_list, &t)) {
447	DLIST_ADD_END(list, t, auth_methods *);
448	}
449	}
450
451	(*auth_context)->auth_method_list = list;
452
453	return nt_status;
454	}
455
456	/***************************************************************************
457	Make a auth_context struct for the auth subsystem
458	***************************************************************************/
459
460	NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context)
461	{
462	char **auth_method_list = NULL;
463	NTSTATUS nt_status;
464
465	if (lp_auth_methods() && !str_list_copy(&auth_method_list, lp_auth_methods())) {
466	return NT_STATUS_NO_MEMORY;
467	}
468
469	if (auth_method_list == NULL) {
470	switch (lp_security())
471	{
472	case SEC_DOMAIN:
473	DEBUG(5,("Making default auth method list for security=domain\n"));
474	auth_method_list = str_list_make("guest sam winbind:ntdomain", NULL);
475	break;
476	case SEC_SERVER:
477	DEBUG(5,("Making default auth method list for security=server\n"));
478	auth_method_list = str_list_make("guest sam smbserver", NULL);
479	break;
480	case SEC_USER:
481	if (lp_encrypted_passwords()) {
482	if ((lp_server_role() == ROLE_DOMAIN_PDC) \|\| (lp_server_role() == ROLE_DOMAIN_BDC)) {
483	DEBUG(5,("Making default auth method list for DC, security=user, encrypt passwords = yes\n"));
484	auth_method_list = str_list_make("guest sam winbind:trustdomain", NULL);
485	} else {
486	DEBUG(5,("Making default auth method list for standalone security=user, encrypt passwords = yes\n"));
487	auth_method_list = str_list_make("guest sam", NULL);
488	}
489	} else {
490	DEBUG(5,("Making default auth method list for security=user, encrypt passwords = no\n"));
491	auth_method_list = str_list_make("guest unix", NULL);
492	}
493	break;
494	case SEC_SHARE:
495	if (lp_encrypted_passwords()) {
496	DEBUG(5,("Making default auth method list for security=share, encrypt passwords = yes\n"));
497	auth_method_list = str_list_make("guest sam", NULL);
498	} else {
499	DEBUG(5,("Making default auth method list for security=share, encrypt passwords = no\n"));
500	auth_method_list = str_list_make("guest unix", NULL);
501	}
502	break;
503	case SEC_ADS:
504	DEBUG(5,("Making default auth method list for security=ADS\n"));
505	auth_method_list = str_list_make("guest sam winbind:ntdomain", NULL);
506	break;
507	default:
508	DEBUG(5,("Unknown auth method!\n"));
509	return NT_STATUS_UNSUCCESSFUL;
510	}
511	} else {
512	DEBUG(5,("Using specified auth order\n"));
513	}
514
515	if (!NT_STATUS_IS_OK(nt_status = make_auth_context_text_list(auth_context, auth_method_list))) {
516	str_list_free(&auth_method_list);
517	return nt_status;
518	}
519
520	str_list_free(&auth_method_list);
521	return nt_status;
522	}
523
524	/***************************************************************************
525	Make a auth_info struct with a fixed challenge
526	***************************************************************************/
527
528	NTSTATUS make_auth_context_fixed(struct auth_context **auth_context, uchar chal[8])
529	{
530	NTSTATUS nt_status;
531	if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(auth_context))) {
532	return nt_status;
533	}
534
535	(auth_context)->challenge = data_blob_talloc((auth_context)->mem_ctx, chal, 8);
536	(*auth_context)->challenge_set_by = "fixed";
537	return nt_status;
538	}
539
540

Note: See TracBrowser for help on using the repository browser.

Download in other formats: