Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Blame
Revision Log

source: branches/samba-3.3.x/source/auth/auth.c@ 317

Visit:

Last change on this file since 317 was 206, checked in by Herwig Bauernfeind, 16 years ago
Import Samba 3.3 branch at 3.0.0 level (psmedley's port)
File size: 17.2 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	Password and authentication handling
4	Copyright (C) Andrew Bartlett 2001-2002
5
6	This program is free software; you can redistribute it and/or modify
7	it under the terms of the GNU General Public License as published by
8	the Free Software Foundation; either version 3 of the License, or
9	(at your option) any later version.
10
11	This program is distributed in the hope that it will be useful,
12	but WITHOUT ANY WARRANTY; without even the implied warranty of
13	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14	GNU General Public License for more details.
15
16	You should have received a copy of the GNU General Public License
17	along with this program. If not, see <http://www.gnu.org/licenses/>.
18	*/
19
20	#include "includes.h"
21
22	#undef DBGC_CLASS
23	#define DBGC_CLASS DBGC_AUTH
24
25	static_decl_auth;
26
27	static struct auth_init_function_entry *backends = NULL;
28
29	static struct auth_init_function_entry auth_find_backend_entry(const char name);
30
31	NTSTATUS smb_register_auth(int version, const char *name, auth_init_function init)
32	{
33	struct auth_init_function_entry *entry = backends;
34
35	if (version != AUTH_INTERFACE_VERSION) {
36	DEBUG(0,("Can't register auth_method!\n"
37	"You tried to register an auth module with AUTH_INTERFACE_VERSION %d, while this version of samba uses %d\n",
38	version,AUTH_INTERFACE_VERSION));
39	return NT_STATUS_OBJECT_TYPE_MISMATCH;
40	}
41
42	if (!name \|\| !init) {
43	return NT_STATUS_INVALID_PARAMETER;
44	}
45
46	DEBUG(5,("Attempting to register auth backend %s\n", name));
47
48	if (auth_find_backend_entry(name)) {
49	DEBUG(0,("There already is an auth method registered with the name %s!\n", name));
50	return NT_STATUS_OBJECT_NAME_COLLISION;
51	}
52
53	entry = SMB_XMALLOC_P(struct auth_init_function_entry);
54	entry->name = smb_xstrdup(name);
55	entry->init = init;
56
57	DLIST_ADD(backends, entry);
58	DEBUG(5,("Successfully added auth method '%s'\n", name));
59	return NT_STATUS_OK;
60	}
61
62	static struct auth_init_function_entry auth_find_backend_entry(const char name)
63	{
64	struct auth_init_function_entry *entry = backends;
65
66	while(entry) {
67	if (strcmp(entry->name, name)==0) return entry;
68	entry = entry->next;
69	}
70
71	return NULL;
72	}
73
74	/****************************************************************************
75	Try to get a challenge out of the various authentication modules.
76	Returns a const char of length 8 bytes.
77	****************************************************************************/
78
79	static const uint8 get_ntlm_challenge(struct auth_context auth_context)
80	{
81	DATA_BLOB challenge = data_blob_null;
82	const char *challenge_set_by = NULL;
83	auth_methods *auth_method;
84	TALLOC_CTX *mem_ctx;
85
86	if (auth_context->challenge.length) {
87	DEBUG(5, ("get_ntlm_challenge (auth subsystem): returning previous challenge by module %s (normal)\n",
88	auth_context->challenge_set_by));
89	return auth_context->challenge.data;
90	}
91
92	auth_context->challenge_may_be_modified = False;
93
94	for (auth_method = auth_context->auth_method_list; auth_method; auth_method = auth_method->next) {
95	if (auth_method->get_chal == NULL) {
96	DEBUG(5, ("auth_get_challenge: module %s did not want to specify a challenge\n", auth_method->name));
97	continue;
98	}
99
100	DEBUG(5, ("auth_get_challenge: getting challenge from module %s\n", auth_method->name));
101	if (challenge_set_by != NULL) {
102	DEBUG(1, ("auth_get_challenge: CONFIGURATION ERROR: authentication method %s has already specified a challenge. Challenge by %s ignored.\n",
103	challenge_set_by, auth_method->name));
104	continue;
105	}
106
107	mem_ctx = talloc_init("auth_get_challenge for module %s", auth_method->name);
108	if (!mem_ctx) {
109	smb_panic("talloc_init() failed!");
110	}
111
112	challenge = auth_method->get_chal(auth_context, &auth_method->private_data, mem_ctx);
113	if (!challenge.length) {
114	DEBUG(3, ("auth_get_challenge: getting challenge from authentication method %s FAILED.\n",
115	auth_method->name));
116	} else {
117	DEBUG(5, ("auth_get_challenge: successfully got challenge from module %s\n", auth_method->name));
118	auth_context->challenge = challenge;
119	challenge_set_by = auth_method->name;
120	auth_context->challenge_set_method = auth_method;
121	}
122	talloc_destroy(mem_ctx);
123	}
124
125	if (!challenge_set_by) {
126	uchar chal[8];
127
128	generate_random_buffer(chal, sizeof(chal));
129	auth_context->challenge = data_blob_talloc(auth_context->mem_ctx,
130	chal, sizeof(chal));
131
132	challenge_set_by = "random";
133	auth_context->challenge_may_be_modified = True;
134	}
135
136	DEBUG(5, ("auth_context challenge created by %s\n", challenge_set_by));
137	DEBUG(5, ("challenge is: \n"));
138	dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
139
140	SMB_ASSERT(auth_context->challenge.length == 8);
141
142	auth_context->challenge_set_by=challenge_set_by;
143
144	return auth_context->challenge.data;
145	}
146
147
148	/**
149	* Check user is in correct domain (if required)
150	*
151	* @param user Only used to fill in the debug message
152	*
153	* @param domain The domain to be verified
154	*
155	* @return True if the user can connect with that domain,
156	* False otherwise.
157	**/
158
159	static bool check_domain_match(const char user, const char domain)
160	{
161	/*
162	* If we aren't serving to trusted domains, we must make sure that
163	* the validation request comes from an account in the same domain
164	* as the Samba server
165	*/
166
167	if (!lp_allow_trusted_domains() &&
168	!(strequal("", domain) \|\|
169	strequal(lp_workgroup(), domain) \|\|
170	is_myname(domain))) {
171	DEBUG(1, ("check_domain_match: Attempt to connect as user %s from domain %s denied.\n", user, domain));
172	return False;
173	} else {
174	return True;
175	}
176	}
177
178	/**
179	* Check a user's Plaintext, LM or NTLM password.
180	*
181	* Check a user's password, as given in the user_info struct and return various
182	* interesting details in the server_info struct.
183	*
184	* This function does NOT need to be in a become_root()/unbecome_root() pair
185	* as it makes the calls itself when needed.
186	*
187	* The return value takes precedence over the contents of the server_info
188	* struct. When the return is other than NT_STATUS_OK the contents
189	* of that structure is undefined.
190	*
191	* @param user_info Contains the user supplied components, including the passwords.
192	* Must be created with make_user_info() or one of its wrappers.
193	*
194	* @param auth_context Supplies the challenges and some other data.
195	* Must be created with make_auth_context(), and the challenges should be
196	* filled in, either at creation or by calling the challenge geneation
197	* function auth_get_challenge().
198	*
199	* @param server_info If successful, contains information about the authentication,
200	* including a struct samu struct describing the user.
201	*
202	* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
203	*
204	**/
205
206	static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
207	const struct auth_usersupplied_info *user_info,
208	struct auth_serversupplied_info **server_info)
209	{
210	/* if all the modules say 'not for me' this is reasonable */
211	NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
212	const char *unix_username;
213	auth_methods *auth_method;
214	TALLOC_CTX *mem_ctx;
215
216	if (!user_info \|\| !auth_context \|\| !server_info)
217	return NT_STATUS_LOGON_FAILURE;
218
219	DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
220	user_info->client_domain, user_info->smb_name, user_info->wksta_name));
221
222	DEBUG(3, ("check_ntlm_password: mapped user is: [%s]\\[%s]@[%s]\n",
223	user_info->domain, user_info->internal_username, user_info->wksta_name));
224
225	if (auth_context->challenge.length != 8) {
226	DEBUG(0, ("check_ntlm_password: Invalid challenge stored for this auth context - cannot continue\n"));
227	return NT_STATUS_LOGON_FAILURE;
228	}
229
230	if (auth_context->challenge_set_by)
231	DEBUG(10, ("check_ntlm_password: auth_context challenge created by %s\n",
232	auth_context->challenge_set_by));
233
234	DEBUG(10, ("challenge is: \n"));
235	dump_data(5, auth_context->challenge.data, auth_context->challenge.length);
236
237	#ifdef DEBUG_PASSWORD
238	DEBUG(100, ("user_info has passwords of length %d and %d\n",
239	(int)user_info->lm_resp.length, (int)user_info->nt_resp.length));
240	DEBUG(100, ("lm:\n"));
241	dump_data(100, user_info->lm_resp.data, user_info->lm_resp.length);
242	DEBUG(100, ("nt:\n"));
243	dump_data(100, user_info->nt_resp.data, user_info->nt_resp.length);
244	#endif
245
246	/* This needs to be sorted: If it doesn't match, what should we do? */
247	if (!check_domain_match(user_info->smb_name, user_info->domain))
248	return NT_STATUS_LOGON_FAILURE;
249
250	for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) {
251	NTSTATUS result;
252
253	mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name,
254	user_info->domain, user_info->smb_name);
255
256	result = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info);
257
258	/* check if the module did anything */
259	if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) {
260	DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name));
261	talloc_destroy(mem_ctx);
262	continue;
263	}
264
265	nt_status = result;
266
267	if (NT_STATUS_IS_OK(nt_status)) {
268	DEBUG(3, ("check_ntlm_password: %s authentication for user [%s] succeeded\n",
269	auth_method->name, user_info->smb_name));
270	} else {
271	DEBUG(5, ("check_ntlm_password: %s authentication for user [%s] FAILED with error %s\n",
272	auth_method->name, user_info->smb_name, nt_errstr(nt_status)));
273	}
274
275	talloc_destroy(mem_ctx);
276
277	if ( NT_STATUS_IS_OK(nt_status))
278	{
279	break;
280	}
281	}
282
283	/* successful authentication */
284
285	if (NT_STATUS_IS_OK(nt_status)) {
286	unix_username = (*server_info)->unix_name;
287	if (!(*server_info)->guest) {
288	/* We might not be root if we are an RPC call */
289	become_root();
290	nt_status = smb_pam_accountcheck(unix_username);
291	unbecome_root();
292
293	if (NT_STATUS_IS_OK(nt_status)) {
294	DEBUG(5, ("check_ntlm_password: PAM Account for user [%s] succeeded\n",
295	unix_username));
296	} else {
297	DEBUG(3, ("check_ntlm_password: PAM Account for user [%s] FAILED with error %s\n",
298	unix_username, nt_errstr(nt_status)));
299	}
300	}
301
302	if (NT_STATUS_IS_OK(nt_status)) {
303	DEBUG((*server_info)->guest ? 5 : 2,
304	("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] succeeded\n",
305	(*server_info)->guest ? "guest " : "",
306	user_info->smb_name,
307	user_info->internal_username,
308	unix_username));
309	}
310
311	return nt_status;
312	}
313
314	/* failed authentication; check for guest lapping */
315
316	DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n",
317	user_info->smb_name, user_info->internal_username,
318	nt_errstr(nt_status)));
319	ZERO_STRUCTP(server_info);
320
321	return nt_status;
322	}
323
324	/***************************************************************************
325	Clear out a auth_context, and destroy the attached TALLOC_CTX
326	***************************************************************************/
327
328	static void free_auth_context(struct auth_context **auth_context)
329	{
330	auth_methods *auth_method;
331
332	if (*auth_context) {
333	/* Free private data of context's authentication methods */
334	for (auth_method = (*auth_context)->auth_method_list; auth_method; auth_method = auth_method->next) {
335	TALLOC_FREE(auth_method->private_data);
336	}
337
338	talloc_destroy((*auth_context)->mem_ctx);
339	*auth_context = NULL;
340	}
341	}
342
343	/***************************************************************************
344	Make a auth_info struct
345	***************************************************************************/
346
347	static NTSTATUS make_auth_context(struct auth_context **auth_context)
348	{
349	TALLOC_CTX *mem_ctx;
350
351	mem_ctx = talloc_init("authentication context");
352
353	*auth_context = TALLOC_P(mem_ctx, struct auth_context);
354	if (!*auth_context) {
355	DEBUG(0,("make_auth_context: talloc failed!\n"));
356	talloc_destroy(mem_ctx);
357	return NT_STATUS_NO_MEMORY;
358	}
359	ZERO_STRUCTP(*auth_context);
360
361	(*auth_context)->mem_ctx = mem_ctx;
362	(*auth_context)->check_ntlm_password = check_ntlm_password;
363	(*auth_context)->get_ntlm_challenge = get_ntlm_challenge;
364	(*auth_context)->free = free_auth_context;
365
366	return NT_STATUS_OK;
367	}
368
369	bool load_auth_module(struct auth_context *auth_context,
370	const char module, auth_methods *ret)
371	{
372	static bool initialised_static_modules = False;
373
374	struct auth_init_function_entry *entry;
375	char *module_name = smb_xstrdup(module);
376	char *module_params = NULL;
377	char *p;
378	bool good = False;
379
380	/* Initialise static modules if not done so yet */
381	if(!initialised_static_modules) {
382	static_init_auth;
383	initialised_static_modules = True;
384	}
385
386	DEBUG(5,("load_auth_module: Attempting to find an auth method to match %s\n",
387	module));
388
389	p = strchr(module_name, ':');
390	if (p) {
391	*p = 0;
392	module_params = p+1;
393	trim_char(module_params, ' ', ' ');
394	}
395
396	trim_char(module_name, ' ', ' ');
397
398	entry = auth_find_backend_entry(module_name);
399
400	if (entry == NULL) {
401	if (NT_STATUS_IS_OK(smb_probe_module("auth", module_name))) {
402	entry = auth_find_backend_entry(module_name);
403	}
404	}
405
406	if (entry != NULL) {
407	if (!NT_STATUS_IS_OK(entry->init(auth_context, module_params, ret))) {
408	DEBUG(0,("load_auth_module: auth method %s did not correctly init\n",
409	module_name));
410	} else {
411	DEBUG(5,("load_auth_module: auth method %s has a valid init\n",
412	module_name));
413	good = True;
414	}
415	} else {
416	DEBUG(0,("load_auth_module: can't find auth method %s!\n", module_name));
417	}
418
419	SAFE_FREE(module_name);
420	return good;
421	}
422
423	/***************************************************************************
424	Make a auth_info struct for the auth subsystem
425	***************************************************************************/
426
427	static NTSTATUS make_auth_context_text_list(struct auth_context auth_context, char text_list)
428	{
429	auth_methods *list = NULL;
430	auth_methods *t = NULL;
431	NTSTATUS nt_status;
432
433	if (!text_list) {
434	DEBUG(2,("make_auth_context_text_list: No auth method list!?\n"));
435	return NT_STATUS_UNSUCCESSFUL;
436	}
437
438	if (!NT_STATUS_IS_OK(nt_status = make_auth_context(auth_context)))
439	return nt_status;
440
441	for (;*text_list; text_list++) {
442	if (load_auth_module(auth_context, text_list, &t)) {
443	DLIST_ADD_END(list, t, auth_methods *);
444	}
445	}
446
447	(*auth_context)->auth_method_list = list;
448
449	return nt_status;
450	}
451
452	/***************************************************************************
453	Make a auth_context struct for the auth subsystem
454	***************************************************************************/
455
456	NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context)
457	{
458	char **auth_method_list = NULL;
459	NTSTATUS nt_status;
460
461	if (lp_auth_methods()
462	&& !str_list_copy(talloc_tos(), &auth_method_list,
463	lp_auth_methods())) {
464	return NT_STATUS_NO_MEMORY;
465	}
466
467	if (auth_method_list == NULL) {
468	switch (lp_security())
469	{
470	case SEC_DOMAIN:
471	DEBUG(5,("Making default auth method list for security=domain\n"));
472	auth_method_list = str_list_make(
473	talloc_tos(), "guest sam winbind:ntdomain",
474	NULL);
475	break;
476	case SEC_SERVER:
477	DEBUG(5,("Making default auth method list for security=server\n"));
478	auth_method_list = str_list_make(
479	talloc_tos(), "guest sam smbserver",
480	NULL);
481	break;
482	case SEC_USER:
483	if (lp_encrypted_passwords()) {
484	if ((lp_server_role() == ROLE_DOMAIN_PDC) \|\| (lp_server_role() == ROLE_DOMAIN_BDC)) {
485	DEBUG(5,("Making default auth method list for DC, security=user, encrypt passwords = yes\n"));
486	auth_method_list = str_list_make(
487	talloc_tos(),
488	"guest sam winbind:trustdomain",
489	NULL);
490	} else {
491	DEBUG(5,("Making default auth method list for standalone security=user, encrypt passwords = yes\n"));
492	auth_method_list = str_list_make(
493	talloc_tos(), "guest sam",
494	NULL);
495	}
496	} else {
497	DEBUG(5,("Making default auth method list for security=user, encrypt passwords = no\n"));
498	auth_method_list = str_list_make(
499	talloc_tos(), "guest unix", NULL);
500	}
501	break;
502	case SEC_SHARE:
503	if (lp_encrypted_passwords()) {
504	DEBUG(5,("Making default auth method list for security=share, encrypt passwords = yes\n"));
505	auth_method_list = str_list_make(
506	talloc_tos(), "guest sam", NULL);
507	} else {
508	DEBUG(5,("Making default auth method list for security=share, encrypt passwords = no\n"));
509	auth_method_list = str_list_make(
510	talloc_tos(), "guest unix", NULL);
511	}
512	break;
513	case SEC_ADS:
514	DEBUG(5,("Making default auth method list for security=ADS\n"));
515	auth_method_list = str_list_make(
516	talloc_tos(), "guest sam winbind:ntdomain",
517	NULL);
518	break;
519	default:
520	DEBUG(5,("Unknown auth method!\n"));
521	return NT_STATUS_UNSUCCESSFUL;
522	}
523	} else {
524	DEBUG(5,("Using specified auth order\n"));
525	}
526
527	nt_status = make_auth_context_text_list(auth_context,
528	auth_method_list);
529
530	TALLOC_FREE(auth_method_list);
531	return nt_status;
532	}
533
534	/***************************************************************************
535	Make a auth_info struct with a fixed challenge
536	***************************************************************************/
537
538	NTSTATUS make_auth_context_fixed(struct auth_context **auth_context, uchar chal[8])
539	{
540	NTSTATUS nt_status;
541	if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(auth_context))) {
542	return nt_status;
543	}
544
545	(auth_context)->challenge = data_blob_talloc((auth_context)->mem_ctx, chal, 8);
546	(*auth_context)->challenge_set_by = "fixed";
547	return nt_status;
548	}
549
550

Note: See TracBrowser for help on using the repository browser.

Download in other formats: