Context Navigation

source: vendor/3.6.0/source3/auth/auth_util.c

Visit:

Last change on this file was 740, checked in by Silvan Scherrer, 13 years ago
Samba Server: update vendor to 3.6.0
File size: 38.7 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	Authentication utility functions
4	Copyright (C) Andrew Tridgell 1992-1998
5	Copyright (C) Andrew Bartlett 2001
6	Copyright (C) Jeremy Allison 2000-2001
7	Copyright (C) Rafal Szczesniak 2002
8	Copyright (C) Volker Lendecke 2006
9
10	This program is free software; you can redistribute it and/or modify
11	it under the terms of the GNU General Public License as published by
12	the Free Software Foundation; either version 3 of the License, or
13	(at your option) any later version.
14
15	This program is distributed in the hope that it will be useful,
16	but WITHOUT ANY WARRANTY; without even the implied warranty of
17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18	GNU General Public License for more details.
19
20	You should have received a copy of the GNU General Public License
21	along with this program. If not, see <http://www.gnu.org/licenses/>.
22	*/
23
24	#include "includes.h"
25	#include "auth.h"
26	#include "../libcli/auth/libcli_auth.h"
27	#include "../lib/crypto/arcfour.h"
28	#include "rpc_client/init_lsa.h"
29	#include "../libcli/security/security.h"
30	#include "../lib/util/util_pw.h"
31	#include "lib/winbind_util.h"
32	#include "passdb.h"
33
34	#undef DBGC_CLASS
35	#define DBGC_CLASS DBGC_AUTH
36
37	/****************************************************************************
38	Create a UNIX user on demand.
39	****************************************************************************/
40
41	static int _smb_create_user(const char domain, const char unix_username, const char *homedir)
42	{
43	TALLOC_CTX *ctx = talloc_tos();
44	char *add_script;
45	int ret;
46
47	add_script = talloc_strdup(ctx, lp_adduser_script());
48	if (!add_script \|\| !*add_script) {
49	return -1;
50	}
51	add_script = talloc_all_string_sub(ctx,
52	add_script,
53	"%u",
54	unix_username);
55	if (!add_script) {
56	return -1;
57	}
58	if (domain) {
59	add_script = talloc_all_string_sub(ctx,
60	add_script,
61	"%D",
62	domain);
63	if (!add_script) {
64	return -1;
65	}
66	}
67	if (homedir) {
68	add_script = talloc_all_string_sub(ctx,
69	add_script,
70	"%H",
71	homedir);
72	if (!add_script) {
73	return -1;
74	}
75	}
76	ret = smbrun(add_script,NULL);
77	flush_pwnam_cache();
78	DEBUG(ret ? 0 : 3,
79	("smb_create_user: Running the command `%s' gave %d\n",
80	add_script,ret));
81	return ret;
82	}
83
84	/****************************************************************************
85	Create an auth_usersupplied_data structure after appropriate mapping.
86	****************************************************************************/
87
88	NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info,
89	const char *smb_name,
90	const char *client_domain,
91	const char *workstation_name,
92	DATA_BLOB *lm_pwd,
93	DATA_BLOB *nt_pwd,
94	const struct samr_Password *lm_interactive_pwd,
95	const struct samr_Password *nt_interactive_pwd,
96	const char *plaintext,
97	enum auth_password_state password_state)
98	{
99	const char *domain;
100	NTSTATUS result;
101	bool was_mapped;
102	char *internal_username = NULL;
103
104	was_mapped = map_username(talloc_tos(), smb_name, &internal_username);
105	if (!internal_username) {
106	return NT_STATUS_NO_MEMORY;
107	}
108
109	DEBUG(5, ("Mapping user [%s]\\[%s] from workstation [%s]\n",
110	client_domain, smb_name, workstation_name));
111
112	domain = client_domain;
113
114	/* If you connect to a Windows domain member using a bogus domain name,
115	* the Windows box will map the BOGUS\user to SAMNAME\user. Thus, if
116	* the Windows box is a DC the name will become DOMAIN\user and be
117	* authenticated against AD, if the Windows box is a member server but
118	* not a DC the name will become WORKSTATION\user. A standalone
119	* non-domain member box will also map to WORKSTATION\user.
120	* This also deals with the client passing in a "" domain */
121
122	if (!is_trusted_domain(domain) &&
123	!strequal(domain, my_sam_name()))
124	{
125	if (lp_map_untrusted_to_domain())
126	domain = my_sam_name();
127	else
128	domain = get_global_sam_name();
129	DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] from "
130	"workstation [%s]\n",
131	client_domain, domain, smb_name, workstation_name));
132	}
133
134	/* We know that the given domain is trusted (and we are allowing them),
135	* it is our global SAM name, or for legacy behavior it is our
136	* primary domain name */
137
138	result = make_user_info(user_info, smb_name, internal_username,
139	client_domain, domain, workstation_name,
140	lm_pwd, nt_pwd,
141	lm_interactive_pwd, nt_interactive_pwd,
142	plaintext, password_state);
143	if (NT_STATUS_IS_OK(result)) {
144	/* We have tried mapping */
145	(*user_info)->mapped_state = True;
146	/* did we actually map the user to a different name? */
147	(*user_info)->was_mapped = was_mapped;
148	}
149	return result;
150	}
151
152	/****************************************************************************
153	Create an auth_usersupplied_data, making the DATA_BLOBs here.
154	Decrypt and encrypt the passwords.
155	****************************************************************************/
156
157	bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info,
158	const char *smb_name,
159	const char *client_domain,
160	const char *workstation_name,
161	uint32 logon_parameters,
162	const uchar *lm_network_pwd,
163	int lm_pwd_len,
164	const uchar *nt_network_pwd,
165	int nt_pwd_len)
166	{
167	bool ret;
168	NTSTATUS status;
169	DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len);
170	DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
171
172	status = make_user_info_map(user_info,
173	smb_name, client_domain,
174	workstation_name,
175	lm_pwd_len ? &lm_blob : NULL,
176	nt_pwd_len ? &nt_blob : NULL,
177	NULL, NULL, NULL,
178	AUTH_PASSWORD_RESPONSE);
179
180	if (NT_STATUS_IS_OK(status)) {
181	(*user_info)->logon_parameters = logon_parameters;
182	}
183	ret = NT_STATUS_IS_OK(status) ? True : False;
184
185	data_blob_free(&lm_blob);
186	data_blob_free(&nt_blob);
187	return ret;
188	}
189
190	/****************************************************************************
191	Create an auth_usersupplied_data, making the DATA_BLOBs here.
192	Decrypt and encrypt the passwords.
193	****************************************************************************/
194
195	bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_info,
196	const char *smb_name,
197	const char *client_domain,
198	const char *workstation_name,
199	uint32 logon_parameters,
200	const uchar chal[8],
201	const uchar lm_interactive_pwd[16],
202	const uchar nt_interactive_pwd[16],
203	const uchar *dc_sess_key)
204	{
205	struct samr_Password lm_pwd;
206	struct samr_Password nt_pwd;
207	unsigned char local_lm_response[24];
208	unsigned char local_nt_response[24];
209	unsigned char key[16];
210
211	memcpy(key, dc_sess_key, 16);
212
213	if (lm_interactive_pwd)
214	memcpy(lm_pwd.hash, lm_interactive_pwd, sizeof(lm_pwd.hash));
215
216	if (nt_interactive_pwd)
217	memcpy(nt_pwd.hash, nt_interactive_pwd, sizeof(nt_pwd.hash));
218
219	#ifdef DEBUG_PASSWORD
220	DEBUG(100,("key:"));
221	dump_data(100, key, sizeof(key));
222
223	DEBUG(100,("lm owf password:"));
224	dump_data(100, lm_pwd.hash, sizeof(lm_pwd.hash));
225
226	DEBUG(100,("nt owf password:"));
227	dump_data(100, nt_pwd.hash, sizeof(nt_pwd.hash));
228	#endif
229
230	if (lm_interactive_pwd)
231	arcfour_crypt(lm_pwd.hash, key, sizeof(lm_pwd.hash));
232
233	if (nt_interactive_pwd)
234	arcfour_crypt(nt_pwd.hash, key, sizeof(nt_pwd.hash));
235
236	#ifdef DEBUG_PASSWORD
237	DEBUG(100,("decrypt of lm owf password:"));
238	dump_data(100, lm_pwd.hash, sizeof(lm_pwd));
239
240	DEBUG(100,("decrypt of nt owf password:"));
241	dump_data(100, nt_pwd.hash, sizeof(nt_pwd));
242	#endif
243
244	if (lm_interactive_pwd)
245	SMBOWFencrypt(lm_pwd.hash, chal,
246	local_lm_response);
247
248	if (nt_interactive_pwd)
249	SMBOWFencrypt(nt_pwd.hash, chal,
250	local_nt_response);
251
252	/* Password info paranoia */
253	ZERO_STRUCT(key);
254
255	{
256	bool ret;
257	NTSTATUS nt_status;
258	DATA_BLOB local_lm_blob;
259	DATA_BLOB local_nt_blob;
260
261	if (lm_interactive_pwd) {
262	local_lm_blob = data_blob(local_lm_response,
263	sizeof(local_lm_response));
264	}
265
266	if (nt_interactive_pwd) {
267	local_nt_blob = data_blob(local_nt_response,
268	sizeof(local_nt_response));
269	}
270
271	nt_status = make_user_info_map(
272	user_info,
273	smb_name, client_domain, workstation_name,
274	lm_interactive_pwd ? &local_lm_blob : NULL,
275	nt_interactive_pwd ? &local_nt_blob : NULL,
276	lm_interactive_pwd ? &lm_pwd : NULL,
277	nt_interactive_pwd ? &nt_pwd : NULL,
278	NULL, AUTH_PASSWORD_HASH);
279
280	if (NT_STATUS_IS_OK(nt_status)) {
281	(*user_info)->logon_parameters = logon_parameters;
282	}
283
284	ret = NT_STATUS_IS_OK(nt_status) ? True : False;
285	data_blob_free(&local_lm_blob);
286	data_blob_free(&local_nt_blob);
287	return ret;
288	}
289	}
290
291
292	/****************************************************************************
293	Create an auth_usersupplied_data structure
294	****************************************************************************/
295
296	bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
297	const char *smb_name,
298	const char *client_domain,
299	const uint8 chal[8],
300	DATA_BLOB plaintext_password)
301	{
302
303	DATA_BLOB local_lm_blob;
304	DATA_BLOB local_nt_blob;
305	NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
306	char *plaintext_password_string;
307	/*
308	* Not encrypted - do so.
309	*/
310
311	DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted "
312	"format.\n"));
313	if (plaintext_password.data && plaintext_password.length) {
314	unsigned char local_lm_response[24];
315
316	#ifdef DEBUG_PASSWORD
317	DEBUG(10,("Unencrypted password (len %d):\n",
318	(int)plaintext_password.length));
319	dump_data(100, plaintext_password.data,
320	plaintext_password.length);
321	#endif
322
323	SMBencrypt( (const char *)plaintext_password.data,
324	(const uchar*)chal, local_lm_response);
325	local_lm_blob = data_blob(local_lm_response, 24);
326
327	/* We can't do an NT hash here, as the password needs to be
328	case insensitive */
329	local_nt_blob = data_blob_null;
330	} else {
331	local_lm_blob = data_blob_null;
332	local_nt_blob = data_blob_null;
333	}
334
335	plaintext_password_string = talloc_strndup(talloc_tos(),
336	(const char *)plaintext_password.data,
337	plaintext_password.length);
338	if (!plaintext_password_string) {
339	return False;
340	}
341
342	ret = make_user_info_map(
343	user_info, smb_name, client_domain,
344	get_remote_machine_name(),
345	local_lm_blob.data ? &local_lm_blob : NULL,
346	local_nt_blob.data ? &local_nt_blob : NULL,
347	NULL, NULL,
348	plaintext_password_string,
349	AUTH_PASSWORD_PLAIN);
350
351	if (plaintext_password_string) {
352	memset(plaintext_password_string, '\0', strlen(plaintext_password_string));
353	talloc_free(plaintext_password_string);
354	}
355
356	data_blob_free(&local_lm_blob);
357	return NT_STATUS_IS_OK(ret) ? True : False;
358	}
359
360	/****************************************************************************
361	Create an auth_usersupplied_data structure
362	****************************************************************************/
363
364	NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info,
365	const char *smb_name,
366	const char *client_domain,
367	DATA_BLOB lm_resp, DATA_BLOB nt_resp)
368	{
369	return make_user_info_map(user_info, smb_name,
370	client_domain,
371	get_remote_machine_name(),
372	lm_resp.data && (lm_resp.length > 0) ? &lm_resp : NULL,
373	nt_resp.data && (nt_resp.length > 0) ? &nt_resp : NULL,
374	NULL, NULL, NULL,
375	AUTH_PASSWORD_RESPONSE);
376	}
377
378	/****************************************************************************
379	Create a guest user_info blob, for anonymous authenticaion.
380	****************************************************************************/
381
382	bool make_user_info_guest(struct auth_usersupplied_info **user_info)
383	{
384	NTSTATUS nt_status;
385
386	nt_status = make_user_info(user_info,
387	"","",
388	"","",
389	"",
390	NULL, NULL,
391	NULL, NULL,
392	NULL,
393	AUTH_PASSWORD_RESPONSE);
394
395	return NT_STATUS_IS_OK(nt_status) ? True : False;
396	}
397
398	static NTSTATUS log_nt_token(struct security_token *token)
399	{
400	TALLOC_CTX *frame = talloc_stackframe();
401	char *command;
402	char *group_sidstr;
403	size_t i;
404
405	if ((lp_log_nt_token_command() == NULL) \|\|
406	(strlen(lp_log_nt_token_command()) == 0)) {
407	TALLOC_FREE(frame);
408	return NT_STATUS_OK;
409	}
410
411	group_sidstr = talloc_strdup(frame, "");
412	for (i=1; i<token->num_sids; i++) {
413	group_sidstr = talloc_asprintf(
414	frame, "%s %s", group_sidstr,
415	sid_string_talloc(frame, &token->sids[i]));
416	}
417
418	command = talloc_string_sub(
419	frame, lp_log_nt_token_command(),
420	"%s", sid_string_talloc(frame, &token->sids[0]));
421	command = talloc_string_sub(frame, command, "%t", group_sidstr);
422
423	if (command == NULL) {
424	TALLOC_FREE(frame);
425	return NT_STATUS_NO_MEMORY;
426	}
427
428	DEBUG(8, ("running command: [%s]\n", command));
429	if (smbrun(command, NULL) != 0) {
430	DEBUG(0, ("Could not log NT token\n"));
431	TALLOC_FREE(frame);
432	return NT_STATUS_ACCESS_DENIED;
433	}
434
435	TALLOC_FREE(frame);
436	return NT_STATUS_OK;
437	}
438
439	/*
440	* Create the token to use from server_info->info3 and
441	* server_info->sids (the info3/sam groups). Find the unix gids.
442	*/
443
444	NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
445	{
446	struct security_token *t;
447	NTSTATUS status;
448	size_t i;
449	struct dom_sid tmp_sid;
450	struct wbcUnixId *ids;
451
452	/*
453	* If winbind is not around, we can not make much use of the SIDs the
454	* domain controller provided us with. Likewise if the user name was
455	* mapped to some local unix user.
456	*/
457
458	if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) \|\|
459	(server_info->nss_token)) {
460	status = create_token_from_username(server_info,
461	server_info->unix_name,
462	server_info->guest,
463	&server_info->utok.uid,
464	&server_info->utok.gid,
465	&server_info->unix_name,
466	&server_info->security_token);
467
468	} else {
469	status = create_local_nt_token_from_info3(server_info,
470	server_info->guest,
471	server_info->info3,
472	&server_info->extra,
473	&server_info->security_token);
474	}
475
476	if (!NT_STATUS_IS_OK(status)) {
477	return status;
478	}
479
480	/* Convert the SIDs to gids. */
481
482	server_info->utok.ngroups = 0;
483	server_info->utok.groups = NULL;
484
485	t = server_info->security_token;
486
487	ids = TALLOC_ARRAY(talloc_tos(), struct wbcUnixId,
488	t->num_sids);
489	if (ids == NULL) {
490	return NT_STATUS_NO_MEMORY;
491	}
492
493	if (!sids_to_unix_ids(t->sids, t->num_sids, ids)) {
494	TALLOC_FREE(ids);
495	return NT_STATUS_NO_MEMORY;
496	}
497
498	/* Start at index 1, where the groups start. */
499
500	for (i=1; i<t->num_sids; i++) {
501
502	if (ids[i].type != WBC_ID_TYPE_GID) {
503	DEBUG(10, ("Could not convert SID %s to gid, "
504	"ignoring it\n",
505	sid_string_dbg(&t->sids[i])));
506	continue;
507	}
508	if (!add_gid_to_array_unique(server_info, ids[i].id.gid,
509	&server_info->utok.groups,
510	&server_info->utok.ngroups)) {
511	return NT_STATUS_NO_MEMORY;
512	}
513	}
514
515	/*
516	* Add the "Unix Group" SID for each gid to catch mapped groups
517	* and their Unix equivalent. This is to solve the backwards
518	* compatibility problem of 'valid users = +ntadmin' where
519	* ntadmin has been paired with "Domain Admins" in the group
520	* mapping table. Otherwise smb.conf would need to be changed
521	* to 'valid user = "Domain Admins"'. --jerry
522	*
523	* For consistency we also add the "Unix User" SID,
524	* so that the complete unix token is represented within
525	* the nt token.
526	*/
527
528	uid_to_unix_users_sid(server_info->utok.uid, &tmp_sid);
529
530	add_sid_to_array_unique(server_info->security_token, &tmp_sid,
531	&server_info->security_token->sids,
532	&server_info->security_token->num_sids);
533
534	for ( i=0; i<server_info->utok.ngroups; i++ ) {
535	gid_to_unix_groups_sid(server_info->utok.groups[i], &tmp_sid);
536	add_sid_to_array_unique(server_info->security_token, &tmp_sid,
537	&server_info->security_token->sids,
538	&server_info->security_token->num_sids);
539	}
540
541	security_token_debug(DBGC_AUTH, 10, server_info->security_token);
542	debug_unix_user_token(DBGC_AUTH, 10,
543	server_info->utok.uid,
544	server_info->utok.gid,
545	server_info->utok.ngroups,
546	server_info->utok.groups);
547
548	status = log_nt_token(server_info->security_token);
549	return status;
550	}
551
552	/***************************************************************************
553	Make (and fill) a server_info struct from a 'struct passwd' by conversion
554	to a struct samu
555	***************************************************************************/
556
557	NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
558	char *unix_username,
559	struct passwd *pwd)
560	{
561	NTSTATUS status;
562	struct samu *sampass = NULL;
563	char *qualified_name = NULL;
564	TALLOC_CTX *mem_ctx = NULL;
565	struct dom_sid u_sid;
566	enum lsa_SidType type;
567	struct auth_serversupplied_info *result;
568
569	/*
570	* The SID returned in server_info->sam_account is based
571	* on our SAM sid even though for a pure UNIX account this should
572	* not be the case as it doesn't really exist in the SAM db.
573	* This causes lookups on "[in]valid users" to fail as they
574	* will lookup this name as a "Unix User" SID to check against
575	* the user token. Fix this by adding the "Unix User"\unix_username
576	* SID to the sid array. The correct fix should probably be
577	* changing the server_info->sam_account user SID to be a
578	* S-1-22 Unix SID, but this might break old configs where
579	* plaintext passwords were used with no SAM backend.
580	*/
581
582	mem_ctx = talloc_init("make_server_info_pw_tmp");
583	if (!mem_ctx) {
584	return NT_STATUS_NO_MEMORY;
585	}
586
587	qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
588	unix_users_domain_name(),
589	unix_username );
590	if (!qualified_name) {
591	TALLOC_FREE(mem_ctx);
592	return NT_STATUS_NO_MEMORY;
593	}
594
595	if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
596	NULL, NULL,
597	&u_sid, &type)) {
598	TALLOC_FREE(mem_ctx);
599	return NT_STATUS_NO_SUCH_USER;
600	}
601
602	TALLOC_FREE(mem_ctx);
603
604	if (type != SID_NAME_USER) {
605	return NT_STATUS_NO_SUCH_USER;
606	}
607
608	if ( !(sampass = samu_new( NULL )) ) {
609	return NT_STATUS_NO_MEMORY;
610	}
611
612	status = samu_set_unix( sampass, pwd );
613	if (!NT_STATUS_IS_OK(status)) {
614	return status;
615	}
616
617	/* In pathological cases the above call can set the account
618	* name to the DOMAIN\username form. Reset the account name
619	* using unix_username */
620	pdb_set_username(sampass, unix_username, PDB_SET);
621
622	/* set the user sid to be the calculated u_sid */
623	pdb_set_user_sid(sampass, &u_sid, PDB_SET);
624
625	result = make_server_info(NULL);
626	if (result == NULL) {
627	TALLOC_FREE(sampass);
628	return NT_STATUS_NO_MEMORY;
629	}
630
631	status = samu_to_SamInfo3(result, sampass, global_myname(),
632	&result->info3, &result->extra);
633	TALLOC_FREE(sampass);
634	if (!NT_STATUS_IS_OK(status)) {
635	DEBUG(10, ("Failed to convert samu to info3: %s\n",
636	nt_errstr(status)));
637	TALLOC_FREE(result);
638	return status;
639	}
640
641	result->unix_name = talloc_strdup(result, unix_username);
642	result->sanitized_username = sanitize_username(result, unix_username);
643
644	if ((result->unix_name == NULL)
645	\|\| (result->sanitized_username == NULL)) {
646	TALLOC_FREE(result);
647	return NT_STATUS_NO_MEMORY;
648	}
649
650	result->utok.uid = pwd->pw_uid;
651	result->utok.gid = pwd->pw_gid;
652
653	*server_info = result;
654
655	return NT_STATUS_OK;
656	}
657
658	static NTSTATUS get_guest_info3(TALLOC_CTX *mem_ctx,
659	struct netr_SamInfo3 *info3)
660	{
661	const char *guest_account = lp_guestaccount();
662	struct dom_sid domain_sid;
663	struct passwd *pwd;
664	const char *tmp;
665
666	pwd = Get_Pwnam_alloc(mem_ctx, guest_account);
667	if (pwd == NULL) {
668	DEBUG(0,("SamInfo3_for_guest: Unable to locate guest "
669	"account [%s]!\n", guest_account));
670	return NT_STATUS_NO_SUCH_USER;
671	}
672
673	/* Set acount name */
674	tmp = talloc_strdup(mem_ctx, pwd->pw_name);
675	if (tmp == NULL) {
676	return NT_STATUS_NO_MEMORY;
677	}
678	init_lsa_String(&info3->base.account_name, tmp);
679
680	/* Set domain name */
681	tmp = talloc_strdup(mem_ctx, get_global_sam_name());
682	if (tmp == NULL) {
683	return NT_STATUS_NO_MEMORY;
684	}
685	init_lsa_StringLarge(&info3->base.domain, tmp);
686
687	/* Domain sid */
688	sid_copy(&domain_sid, get_global_sam_sid());
689
690	info3->base.domain_sid = dom_sid_dup(mem_ctx, &domain_sid);
691	if (info3->base.domain_sid == NULL) {
692	return NT_STATUS_NO_MEMORY;
693	}
694
695	/* Guest rid */
696	info3->base.rid = DOMAIN_RID_GUEST;
697
698	/* Primary gid */
699	info3->base.primary_gid = BUILTIN_RID_GUESTS;
700
701	TALLOC_FREE(pwd);
702	return NT_STATUS_OK;
703	}
704
705	/***************************************************************************
706	Make (and fill) a user_info struct for a guest login.
707	This must succeed for smbd to start. If there is no mapping entry for
708	the guest gid, then create one.
709	***************************************************************************/
710
711	static NTSTATUS make_new_server_info_guest(struct auth_serversupplied_info **server_info)
712	{
713	static const char zeros[16] = {0};
714	const char *guest_account = lp_guestaccount();
715	const char *domain = global_myname();
716	struct netr_SamInfo3 info3;
717	TALLOC_CTX *tmp_ctx;
718	NTSTATUS status;
719	fstring tmp;
720
721	tmp_ctx = talloc_stackframe();
722	if (tmp_ctx == NULL) {
723	return NT_STATUS_NO_MEMORY;
724	}
725
726	ZERO_STRUCT(info3);
727
728	status = get_guest_info3(tmp_ctx, &info3);
729	if (!NT_STATUS_IS_OK(status)) {
730	goto done;
731	}
732
733	status = make_server_info_info3(tmp_ctx,
734	guest_account,
735	domain,
736	server_info,
737	&info3);
738	if (!NT_STATUS_IS_OK(status)) {
739	goto done;
740	}
741
742	(*server_info)->guest = True;
743
744	status = create_local_token(*server_info);
745	if (!NT_STATUS_IS_OK(status)) {
746	DEBUG(10, ("create_local_token failed: %s\n",
747	nt_errstr(status)));
748	goto done;
749	}
750
751	/* annoying, but the Guest really does have a session key, and it is
752	all zeros! */
753	(*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));
754	(*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
755
756	alpha_strcpy(tmp, (*server_info)->info3->base.account_name.string,
757	". _-$", sizeof(tmp));
758	(server_info)->sanitized_username = talloc_strdup(server_info, tmp);
759
760	status = NT_STATUS_OK;
761	done:
762	TALLOC_FREE(tmp_ctx);
763	return NT_STATUS_OK;
764	}
765
766	/***************************************************************************
767	Make (and fill) a auth_session_info struct for a system user login.
768	This must succeed for smbd to start.
769	***************************************************************************/
770
771	static NTSTATUS make_new_session_info_system(TALLOC_CTX *mem_ctx,
772	struct auth_serversupplied_info **session_info)
773	{
774	struct passwd *pwd;
775	NTSTATUS status;
776
777	pwd = getpwuid_alloc(mem_ctx, sec_initial_uid());
778	if (pwd == NULL) {
779	return NT_STATUS_NO_SUCH_USER;
780	}
781
782	status = make_serverinfo_from_username(mem_ctx,
783	pwd->pw_name,
784	false,
785	session_info);
786	TALLOC_FREE(pwd);
787	if (!NT_STATUS_IS_OK(status)) {
788	return status;
789	}
790
791	(*session_info)->system = true;
792
793	status = add_sid_to_array_unique((*session_info)->security_token->sids,
794	&global_sid_System,
795	&(*session_info)->security_token->sids,
796	&(*session_info)->security_token->num_sids);
797	if (!NT_STATUS_IS_OK(status)) {
798	TALLOC_FREE((*session_info));
799	return status;
800	}
801
802	return NT_STATUS_OK;
803	}
804
805	/****************************************************************************
806	Fake a auth_serversupplied_info just from a username
807	****************************************************************************/
808
809	NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx,
810	const char *username,
811	bool is_guest,
812	struct auth_serversupplied_info **presult)
813	{
814	struct auth_serversupplied_info *result;
815	struct passwd *pwd;
816	NTSTATUS status;
817
818	pwd = Get_Pwnam_alloc(talloc_tos(), username);
819	if (pwd == NULL) {
820	return NT_STATUS_NO_SUCH_USER;
821	}
822
823	status = make_server_info_pw(&result, pwd->pw_name, pwd);
824
825	TALLOC_FREE(pwd);
826
827	if (!NT_STATUS_IS_OK(status)) {
828	return status;
829	}
830
831	result->nss_token = true;
832	result->guest = is_guest;
833
834	status = create_local_token(result);
835
836	if (!NT_STATUS_IS_OK(status)) {
837	TALLOC_FREE(result);
838	return status;
839	}
840
841	*presult = talloc_steal(mem_ctx, result);
842	return NT_STATUS_OK;
843	}
844
845
846	struct auth_serversupplied_info copy_serverinfo(TALLOC_CTX mem_ctx,
847	const struct auth_serversupplied_info *src)
848	{
849	struct auth_serversupplied_info *dst;
850
851	dst = make_server_info(mem_ctx);
852	if (dst == NULL) {
853	return NULL;
854	}
855
856	dst->guest = src->guest;
857	dst->system = src->system;
858	dst->utok.uid = src->utok.uid;
859	dst->utok.gid = src->utok.gid;
860	dst->utok.ngroups = src->utok.ngroups;
861	if (src->utok.ngroups != 0) {
862	dst->utok.groups = (gid_t *)TALLOC_MEMDUP(
863	dst, src->utok.groups,
864	sizeof(gid_t)*dst->utok.ngroups);
865	} else {
866	dst->utok.groups = NULL;
867	}
868
869	if (src->security_token) {
870	dst->security_token = dup_nt_token(dst, src->security_token);
871	if (!dst->security_token) {
872	TALLOC_FREE(dst);
873	return NULL;
874	}
875	}
876
877	dst->user_session_key = data_blob_talloc( dst, src->user_session_key.data,
878	src->user_session_key.length);
879
880	dst->lm_session_key = data_blob_talloc(dst, src->lm_session_key.data,
881	src->lm_session_key.length);
882
883	dst->info3 = copy_netr_SamInfo3(dst, src->info3);
884	if (!dst->info3) {
885	TALLOC_FREE(dst);
886	return NULL;
887	}
888	dst->extra = src->extra;
889
890	dst->unix_name = talloc_strdup(dst, src->unix_name);
891	if (!dst->unix_name) {
892	TALLOC_FREE(dst);
893	return NULL;
894	}
895
896	dst->sanitized_username = talloc_strdup(dst, src->sanitized_username);
897	if (!dst->sanitized_username) {
898	TALLOC_FREE(dst);
899	return NULL;
900	}
901
902	return dst;
903	}
904
905	/*
906	* Set a new session key. Used in the rpc server where we have to override the
907	* SMB level session key with SystemLibraryDTC
908	*/
909
910	bool session_info_set_session_key(struct auth_serversupplied_info *info,
911	DATA_BLOB session_key)
912	{
913	TALLOC_FREE(info->user_session_key.data);
914
915	info->user_session_key = data_blob_talloc(
916	info, session_key.data, session_key.length);
917
918	return (info->user_session_key.data != NULL);
919	}
920
921	static struct auth_serversupplied_info *guest_info = NULL;
922
923	bool init_guest_info(void)
924	{
925	if (guest_info != NULL)
926	return True;
927
928	return NT_STATUS_IS_OK(make_new_server_info_guest(&guest_info));
929	}
930
931	NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx,
932	struct auth_serversupplied_info **server_info)
933	{
934	*server_info = copy_serverinfo(mem_ctx, guest_info);
935	return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
936	}
937
938	static struct auth_serversupplied_info *system_info = NULL;
939
940	NTSTATUS init_system_info(void)
941	{
942	if (system_info != NULL)
943	return NT_STATUS_OK;
944
945	return make_new_session_info_system(NULL, &system_info);
946	}
947
948	NTSTATUS make_session_info_system(TALLOC_CTX *mem_ctx,
949	struct auth_serversupplied_info **session_info)
950	{
951	if (system_info == NULL) return NT_STATUS_UNSUCCESSFUL;
952	*session_info = copy_serverinfo(mem_ctx, system_info);
953	return (*session_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
954	}
955
956	const struct auth_serversupplied_info *get_session_info_system(void)
957	{
958	return system_info;
959	}
960
961	bool copy_current_user(struct current_user dst, struct current_user src)
962	{
963	gid_t *groups;
964	struct security_token *nt_token;
965
966	groups = (gid_t *)memdup(src->ut.groups,
967	sizeof(gid_t) * src->ut.ngroups);
968	if ((src->ut.ngroups != 0) && (groups == NULL)) {
969	return False;
970	}
971
972	nt_token = dup_nt_token(NULL, src->nt_user_token);
973	if (nt_token == NULL) {
974	SAFE_FREE(groups);
975	return False;
976	}
977
978	dst->conn = src->conn;
979	dst->vuid = src->vuid;
980	dst->ut.uid = src->ut.uid;
981	dst->ut.gid = src->ut.gid;
982	dst->ut.ngroups = src->ut.ngroups;
983	dst->ut.groups = groups;
984	dst->nt_user_token = nt_token;
985	return True;
986	}
987
988	/***************************************************************************
989	Purely internal function for make_server_info_info3
990	***************************************************************************/
991
992	static NTSTATUS check_account(TALLOC_CTX mem_ctx, const char domain,
993	const char username, char *found_username,
994	struct passwd **pwd,
995	bool *username_was_mapped)
996	{
997	char *orig_dom_user = NULL;
998	char *dom_user = NULL;
999	char *lower_username = NULL;
1000	char *real_username = NULL;
1001	struct passwd *passwd;
1002
1003	lower_username = talloc_strdup(mem_ctx, username);
1004	if (!lower_username) {
1005	return NT_STATUS_NO_MEMORY;
1006	}
1007	strlower_m( lower_username );
1008
1009	orig_dom_user = talloc_asprintf(mem_ctx,
1010	"%s%c%s",
1011	domain,
1012	*lp_winbind_separator(),
1013	lower_username);
1014	if (!orig_dom_user) {
1015	return NT_STATUS_NO_MEMORY;
1016	}
1017
1018	/* Get the passwd struct. Try to create the account if necessary. */
1019
1020	*username_was_mapped = map_username(mem_ctx, orig_dom_user, &dom_user);
1021	if (!dom_user) {
1022	return NT_STATUS_NO_MEMORY;
1023	}
1024
1025	passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, True );
1026	if (!passwd) {
1027	DEBUG(3, ("Failed to find authenticated user %s via "
1028	"getpwnam(), denying access.\n", dom_user));
1029	return NT_STATUS_NO_SUCH_USER;
1030	}
1031
1032	if (!real_username) {
1033	return NT_STATUS_NO_MEMORY;
1034	}
1035
1036	*pwd = passwd;
1037
1038	/* This is pointless -- there is no suport for differing
1039	unix and windows names. Make sure to always store the
1040	one we actually looked up and succeeded. Have I mentioned
1041	why I hate the 'winbind use default domain' parameter?
1042	--jerry */
1043
1044	*found_username = talloc_strdup( mem_ctx, real_username );
1045
1046	return NT_STATUS_OK;
1047	}
1048
1049	/****************************************************************************
1050	Wrapper to allow the getpwnam() call to strip the domain name and
1051	try again in case a local UNIX user is already there. Also run through
1052	the username if we fallback to the username only.
1053	****************************************************************************/
1054
1055	struct passwd smb_getpwnam( TALLOC_CTX mem_ctx, const char *domuser,
1056	char **p_save_username, bool create )
1057	{
1058	struct passwd *pw = NULL;
1059	char *p = NULL;
1060	char *username = NULL;
1061
1062	/* we only save a copy of the username it has been mangled
1063	by winbindd use default domain */
1064	*p_save_username = NULL;
1065
1066	/* don't call map_username() here since it has to be done higher
1067	up the stack so we don't call it multiple times */
1068
1069	username = talloc_strdup(mem_ctx, domuser);
1070	if (!username) {
1071	return NULL;
1072	}
1073
1074	p = strchr_m( username, *lp_winbind_separator() );
1075
1076	/* code for a DOMAIN\user string */
1077
1078	if ( p ) {
1079	pw = Get_Pwnam_alloc( mem_ctx, domuser );
1080	if ( pw ) {
1081	/* make sure we get the case of the username correct */
1082	/* work around 'winbind use default domain = yes' */
1083
1084	if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
1085	char *domain;
1086
1087	/* split the domain and username into 2 strings */
1088	*p = '\0';
1089	domain = username;
1090
1091	*p_save_username = talloc_asprintf(mem_ctx,
1092	"%s%c%s",
1093	domain,
1094	*lp_winbind_separator(),
1095	pw->pw_name);
1096	if (!*p_save_username) {
1097	TALLOC_FREE(pw);
1098	return NULL;
1099	}
1100	} else {
1101	*p_save_username = talloc_strdup(mem_ctx, pw->pw_name);
1102	}
1103
1104	/* whew -- done! */
1105	return pw;
1106	}
1107
1108	/* setup for lookup of just the username */
1109	/* remember that p and username are overlapping memory */
1110
1111	p++;
1112	username = talloc_strdup(mem_ctx, p);
1113	if (!username) {
1114	return NULL;
1115	}
1116	}
1117
1118	/* just lookup a plain username */
1119
1120	pw = Get_Pwnam_alloc(mem_ctx, username);
1121
1122	/* Create local user if requested but only if winbindd
1123	is not running. We need to protect against cases
1124	where winbindd is failing and then prematurely
1125	creating users in /etc/passwd */
1126
1127	if ( !pw && create && !winbind_ping() ) {
1128	/* Don't add a machine account. */
1129	if (username[strlen(username)-1] == '$')
1130	return NULL;
1131
1132	_smb_create_user(NULL, username, NULL);
1133	pw = Get_Pwnam_alloc(mem_ctx, username);
1134	}
1135
1136	/* one last check for a valid passwd struct */
1137
1138	if (pw) {
1139	*p_save_username = talloc_strdup(mem_ctx, pw->pw_name);
1140	}
1141	return pw;
1142	}
1143
1144	/***************************************************************************
1145	Make a server_info struct from the info3 returned by a domain logon
1146	***************************************************************************/
1147
1148	NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
1149	const char *sent_nt_username,
1150	const char *domain,
1151	struct auth_serversupplied_info **server_info,
1152	struct netr_SamInfo3 *info3)
1153	{
1154	static const char zeros[16] = {0, };
1155
1156	NTSTATUS nt_status = NT_STATUS_OK;
1157	char *found_username = NULL;
1158	const char *nt_domain;
1159	const char *nt_username;
1160	bool username_was_mapped;
1161	struct passwd *pwd;
1162	struct auth_serversupplied_info *result;
1163	struct dom_sid *group_sid;
1164	struct netr_SamInfo3 *i3;
1165
1166	/*
1167	Here is where we should check the list of
1168	trusted domains, and verify that the SID
1169	matches.
1170	*/
1171
1172	nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
1173	if (!nt_username) {
1174	/* If the server didn't give us one, just use the one we sent
1175	* them */
1176	nt_username = sent_nt_username;
1177	}
1178
1179	nt_domain = talloc_strdup(mem_ctx, info3->base.domain.string);
1180	if (!nt_domain) {
1181	/* If the server didn't give us one, just use the one we sent
1182	* them */
1183	nt_domain = domain;
1184	}
1185
1186	/* If getpwnam() fails try the add user script (2.2.x behavior).
1187
1188	We use the _unmapped_ username here in an attempt to provide
1189	consistent username mapping behavior between kerberos and NTLM[SSP]
1190	authentication in domain mode security. I.E. Username mapping
1191	should be applied to the fully qualified username
1192	(e.g. DOMAIN\user) and not just the login name. Yes this means we
1193	called map_username() unnecessarily in make_user_info_map() but
1194	that is how the current code is designed. Making the change here
1195	is the least disruptive place. -- jerry */
1196
1197	/* this call will try to create the user if necessary */
1198
1199	nt_status = check_account(mem_ctx, nt_domain, sent_nt_username,
1200	&found_username, &pwd,
1201	&username_was_mapped);
1202
1203	if (!NT_STATUS_IS_OK(nt_status)) {
1204	return nt_status;
1205	}
1206
1207	result = make_server_info(NULL);
1208	if (result == NULL) {
1209	DEBUG(4, ("make_server_info failed!\n"));
1210	return NT_STATUS_NO_MEMORY;
1211	}
1212
1213	result->unix_name = talloc_strdup(result, found_username);
1214
1215	result->sanitized_username = sanitize_username(result,
1216	result->unix_name);
1217	if (result->sanitized_username == NULL) {
1218	TALLOC_FREE(result);
1219	return NT_STATUS_NO_MEMORY;
1220	}
1221
1222	/* copy in the info3 */
1223	result->info3 = i3 = copy_netr_SamInfo3(result, info3);
1224	if (result->info3 == NULL) {
1225	TALLOC_FREE(result);
1226	return NT_STATUS_NO_MEMORY;
1227	}
1228
1229	/* Fill in the unix info we found on the way */
1230	result->utok.uid = pwd->pw_uid;
1231	result->utok.gid = pwd->pw_gid;
1232
1233	/* We can't just trust that the primary group sid sent us is something
1234	* we can really use. Obtain the useable sid, and store the original
1235	* one as an additional group if it had to be replaced */
1236	nt_status = get_primary_group_sid(mem_ctx, found_username,
1237	&pwd, &group_sid);
1238	if (!NT_STATUS_IS_OK(nt_status)) {
1239	TALLOC_FREE(result);
1240	return nt_status;
1241	}
1242
1243	/* store and check if it is the same we got originally */
1244	sid_peek_rid(group_sid, &i3->base.primary_gid);
1245	if (i3->base.primary_gid != info3->base.primary_gid) {
1246	uint32_t n = i3->base.groups.count;
1247	/* not the same, store the original as an additional group */
1248	i3->base.groups.rids =
1249	talloc_realloc(i3, i3->base.groups.rids,
1250	struct samr_RidWithAttribute, n + 1);
1251	if (i3->base.groups.rids == NULL) {
1252	TALLOC_FREE(result);
1253	return NT_STATUS_NO_MEMORY;
1254	}
1255	i3->base.groups.rids[n].rid = info3->base.primary_gid;
1256	i3->base.groups.rids[n].attributes = SE_GROUP_ENABLED;
1257	i3->base.groups.count = n + 1;
1258	}
1259
1260	/* ensure we are never given NULL session keys */
1261
1262	if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) {
1263	result->user_session_key = data_blob_null;
1264	} else {
1265	result->user_session_key = data_blob_talloc(
1266	result, info3->base.key.key,
1267	sizeof(info3->base.key.key));
1268	}
1269
1270	if (memcmp(info3->base.LMSessKey.key, zeros, 8) == 0) {
1271	result->lm_session_key = data_blob_null;
1272	} else {
1273	result->lm_session_key = data_blob_talloc(
1274	result, info3->base.LMSessKey.key,
1275	sizeof(info3->base.LMSessKey.key));
1276	}
1277
1278	result->nss_token \|= username_was_mapped;
1279
1280	*server_info = result;
1281
1282	return NT_STATUS_OK;
1283	}
1284
1285	/*****************************************************************************
1286	Make a server_info struct from the wbcAuthUserInfo returned by a domain logon
1287	******************************************************************************/
1288
1289	NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
1290	const char *sent_nt_username,
1291	const char *domain,
1292	const struct wbcAuthUserInfo *info,
1293	struct auth_serversupplied_info **server_info)
1294	{
1295	struct netr_SamInfo3 *info3;
1296
1297	info3 = wbcAuthUserInfo_to_netr_SamInfo3(mem_ctx, info);
1298	if (!info3) {
1299	return NT_STATUS_NO_MEMORY;
1300	}
1301
1302	return make_server_info_info3(mem_ctx,
1303	sent_nt_username, domain,
1304	server_info, info3);
1305	}
1306
1307	/**
1308	* Verify whether or not given domain is trusted.
1309	*
1310	* @param domain_name name of the domain to be verified
1311	* @return true if domain is one of the trusted ones or
1312	* false if otherwise
1313	**/
1314
1315	bool is_trusted_domain(const char* dom_name)
1316	{
1317	struct dom_sid trustdom_sid;
1318	bool ret;
1319
1320	/* no trusted domains for a standalone server */
1321
1322	if ( lp_server_role() == ROLE_STANDALONE )
1323	return False;
1324
1325	if (dom_name == NULL \|\| dom_name[0] == '\0') {
1326	return false;
1327	}
1328
1329	if (strequal(dom_name, get_global_sam_name())) {
1330	return false;
1331	}
1332
1333	/* if we are a DC, then check for a direct trust relationships */
1334
1335	if ( IS_DC ) {
1336	become_root();
1337	DEBUG (5,("is_trusted_domain: Checking for domain trust with "
1338	"[%s]\n", dom_name ));
1339	ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
1340	unbecome_root();
1341	if (ret)
1342	return True;
1343	}
1344	else {
1345	wbcErr result;
1346
1347	/* If winbind is around, ask it */
1348
1349	result = wb_is_trusted_domain(dom_name);
1350
1351	if (result == WBC_ERR_SUCCESS) {
1352	return True;
1353	}
1354
1355	if (result == WBC_ERR_DOMAIN_NOT_FOUND) {
1356	/* winbind could not find the domain */
1357	return False;
1358	}
1359
1360	/* The only other possible result is that winbind is not up
1361	and running. We need to update the trustdom_cache
1362	ourselves */
1363
1364	update_trustdom_cache();
1365	}
1366
1367	/* now the trustdom cache should be available a DC could still
1368	* have a transitive trust so fall back to the cache of trusted
1369	* domains (like a domain member would use */
1370
1371	if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) {
1372	return True;
1373	}
1374
1375	return False;
1376	}
1377

Note: See TracBrowser for help on using the repository browser.

Download in other formats: