Context Navigation

source: vendor/3.6.9/source3/auth/auth_util.c

Visit:

Last change on this file was 746, checked in by Silvan Scherrer, 13 years ago
Samba Server: updated vendor to 3.6.9
File size: 40.2 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	Authentication utility functions
4	Copyright (C) Andrew Tridgell 1992-1998
5	Copyright (C) Andrew Bartlett 2001
6	Copyright (C) Jeremy Allison 2000-2001
7	Copyright (C) Rafal Szczesniak 2002
8	Copyright (C) Volker Lendecke 2006
9
10	This program is free software; you can redistribute it and/or modify
11	it under the terms of the GNU General Public License as published by
12	the Free Software Foundation; either version 3 of the License, or
13	(at your option) any later version.
14
15	This program is distributed in the hope that it will be useful,
16	but WITHOUT ANY WARRANTY; without even the implied warranty of
17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18	GNU General Public License for more details.
19
20	You should have received a copy of the GNU General Public License
21	along with this program. If not, see <http://www.gnu.org/licenses/>.
22	*/
23
24	#include "includes.h"
25	#include "auth.h"
26	#include "../libcli/auth/libcli_auth.h"
27	#include "../lib/crypto/arcfour.h"
28	#include "rpc_client/init_lsa.h"
29	#include "../libcli/security/security.h"
30	#include "../lib/util/util_pw.h"
31	#include "lib/winbind_util.h"
32	#include "passdb.h"
33
34	#undef DBGC_CLASS
35	#define DBGC_CLASS DBGC_AUTH
36
37	/****************************************************************************
38	Create a UNIX user on demand.
39	****************************************************************************/
40
41	static int _smb_create_user(const char domain, const char unix_username, const char *homedir)
42	{
43	TALLOC_CTX *ctx = talloc_tos();
44	char *add_script;
45	int ret;
46
47	add_script = talloc_strdup(ctx, lp_adduser_script());
48	if (!add_script \|\| !*add_script) {
49	return -1;
50	}
51	add_script = talloc_all_string_sub(ctx,
52	add_script,
53	"%u",
54	unix_username);
55	if (!add_script) {
56	return -1;
57	}
58	if (domain) {
59	add_script = talloc_all_string_sub(ctx,
60	add_script,
61	"%D",
62	domain);
63	if (!add_script) {
64	return -1;
65	}
66	}
67	if (homedir) {
68	add_script = talloc_all_string_sub(ctx,
69	add_script,
70	"%H",
71	homedir);
72	if (!add_script) {
73	return -1;
74	}
75	}
76	ret = smbrun(add_script,NULL);
77	flush_pwnam_cache();
78	DEBUG(ret ? 0 : 3,
79	("smb_create_user: Running the command `%s' gave %d\n",
80	add_script,ret));
81	return ret;
82	}
83
84	/****************************************************************************
85	Create an auth_usersupplied_data structure after appropriate mapping.
86	****************************************************************************/
87
88	NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info,
89	const char *smb_name,
90	const char *client_domain,
91	const char *workstation_name,
92	DATA_BLOB *lm_pwd,
93	DATA_BLOB *nt_pwd,
94	const struct samr_Password *lm_interactive_pwd,
95	const struct samr_Password *nt_interactive_pwd,
96	const char *plaintext,
97	enum auth_password_state password_state)
98	{
99	const char *domain;
100	NTSTATUS result;
101	bool was_mapped;
102	char *internal_username = NULL;
103
104	was_mapped = map_username(talloc_tos(), smb_name, &internal_username);
105	if (!internal_username) {
106	return NT_STATUS_NO_MEMORY;
107	}
108
109	DEBUG(5, ("Mapping user [%s]\\[%s] from workstation [%s]\n",
110	client_domain, smb_name, workstation_name));
111
112	domain = client_domain;
113
114	/* If you connect to a Windows domain member using a bogus domain name,
115	* the Windows box will map the BOGUS\user to SAMNAME\user. Thus, if
116	* the Windows box is a DC the name will become DOMAIN\user and be
117	* authenticated against AD, if the Windows box is a member server but
118	* not a DC the name will become WORKSTATION\user. A standalone
119	* non-domain member box will also map to WORKSTATION\user.
120	* This also deals with the client passing in a "" domain */
121
122	if (!is_trusted_domain(domain) &&
123	!strequal(domain, my_sam_name()))
124	{
125	if (lp_map_untrusted_to_domain())
126	domain = my_sam_name();
127	else
128	domain = get_global_sam_name();
129	DEBUG(5, ("Mapped domain from [%s] to [%s] for user [%s] from "
130	"workstation [%s]\n",
131	client_domain, domain, smb_name, workstation_name));
132	}
133
134	/* We know that the given domain is trusted (and we are allowing them),
135	* it is our global SAM name, or for legacy behavior it is our
136	* primary domain name */
137
138	result = make_user_info(user_info, smb_name, internal_username,
139	client_domain, domain, workstation_name,
140	lm_pwd, nt_pwd,
141	lm_interactive_pwd, nt_interactive_pwd,
142	plaintext, password_state);
143	if (NT_STATUS_IS_OK(result)) {
144	/* We have tried mapping */
145	(*user_info)->mapped_state = True;
146	/* did we actually map the user to a different name? */
147	(*user_info)->was_mapped = was_mapped;
148	}
149	return result;
150	}
151
152	/****************************************************************************
153	Create an auth_usersupplied_data, making the DATA_BLOBs here.
154	Decrypt and encrypt the passwords.
155	****************************************************************************/
156
157	bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info,
158	const char *smb_name,
159	const char *client_domain,
160	const char *workstation_name,
161	uint32 logon_parameters,
162	const uchar *lm_network_pwd,
163	int lm_pwd_len,
164	const uchar *nt_network_pwd,
165	int nt_pwd_len)
166	{
167	bool ret;
168	NTSTATUS status;
169	DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len);
170	DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
171
172	status = make_user_info_map(user_info,
173	smb_name, client_domain,
174	workstation_name,
175	lm_pwd_len ? &lm_blob : NULL,
176	nt_pwd_len ? &nt_blob : NULL,
177	NULL, NULL, NULL,
178	AUTH_PASSWORD_RESPONSE);
179
180	if (NT_STATUS_IS_OK(status)) {
181	(*user_info)->logon_parameters = logon_parameters;
182	}
183	ret = NT_STATUS_IS_OK(status) ? True : False;
184
185	data_blob_free(&lm_blob);
186	data_blob_free(&nt_blob);
187	return ret;
188	}
189
190	/****************************************************************************
191	Create an auth_usersupplied_data, making the DATA_BLOBs here.
192	Decrypt and encrypt the passwords.
193	****************************************************************************/
194
195	bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_info,
196	const char *smb_name,
197	const char *client_domain,
198	const char *workstation_name,
199	uint32 logon_parameters,
200	const uchar chal[8],
201	const uchar lm_interactive_pwd[16],
202	const uchar nt_interactive_pwd[16],
203	const uchar *dc_sess_key)
204	{
205	struct samr_Password lm_pwd;
206	struct samr_Password nt_pwd;
207	unsigned char local_lm_response[24];
208	unsigned char local_nt_response[24];
209	unsigned char key[16];
210
211	memcpy(key, dc_sess_key, 16);
212
213	if (lm_interactive_pwd)
214	memcpy(lm_pwd.hash, lm_interactive_pwd, sizeof(lm_pwd.hash));
215
216	if (nt_interactive_pwd)
217	memcpy(nt_pwd.hash, nt_interactive_pwd, sizeof(nt_pwd.hash));
218
219	#ifdef DEBUG_PASSWORD
220	DEBUG(100,("key:"));
221	dump_data(100, key, sizeof(key));
222
223	DEBUG(100,("lm owf password:"));
224	dump_data(100, lm_pwd.hash, sizeof(lm_pwd.hash));
225
226	DEBUG(100,("nt owf password:"));
227	dump_data(100, nt_pwd.hash, sizeof(nt_pwd.hash));
228	#endif
229
230	if (lm_interactive_pwd)
231	arcfour_crypt(lm_pwd.hash, key, sizeof(lm_pwd.hash));
232
233	if (nt_interactive_pwd)
234	arcfour_crypt(nt_pwd.hash, key, sizeof(nt_pwd.hash));
235
236	#ifdef DEBUG_PASSWORD
237	DEBUG(100,("decrypt of lm owf password:"));
238	dump_data(100, lm_pwd.hash, sizeof(lm_pwd));
239
240	DEBUG(100,("decrypt of nt owf password:"));
241	dump_data(100, nt_pwd.hash, sizeof(nt_pwd));
242	#endif
243
244	if (lm_interactive_pwd)
245	SMBOWFencrypt(lm_pwd.hash, chal,
246	local_lm_response);
247
248	if (nt_interactive_pwd)
249	SMBOWFencrypt(nt_pwd.hash, chal,
250	local_nt_response);
251
252	/* Password info paranoia */
253	ZERO_STRUCT(key);
254
255	{
256	bool ret;
257	NTSTATUS nt_status;
258	DATA_BLOB local_lm_blob;
259	DATA_BLOB local_nt_blob;
260
261	if (lm_interactive_pwd) {
262	local_lm_blob = data_blob(local_lm_response,
263	sizeof(local_lm_response));
264	}
265
266	if (nt_interactive_pwd) {
267	local_nt_blob = data_blob(local_nt_response,
268	sizeof(local_nt_response));
269	}
270
271	nt_status = make_user_info_map(
272	user_info,
273	smb_name, client_domain, workstation_name,
274	lm_interactive_pwd ? &local_lm_blob : NULL,
275	nt_interactive_pwd ? &local_nt_blob : NULL,
276	lm_interactive_pwd ? &lm_pwd : NULL,
277	nt_interactive_pwd ? &nt_pwd : NULL,
278	NULL, AUTH_PASSWORD_HASH);
279
280	if (NT_STATUS_IS_OK(nt_status)) {
281	(*user_info)->logon_parameters = logon_parameters;
282	}
283
284	ret = NT_STATUS_IS_OK(nt_status) ? True : False;
285	data_blob_free(&local_lm_blob);
286	data_blob_free(&local_nt_blob);
287	return ret;
288	}
289	}
290
291
292	/****************************************************************************
293	Create an auth_usersupplied_data structure
294	****************************************************************************/
295
296	bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
297	const char *smb_name,
298	const char *client_domain,
299	const uint8 chal[8],
300	DATA_BLOB plaintext_password)
301	{
302
303	DATA_BLOB local_lm_blob;
304	DATA_BLOB local_nt_blob;
305	NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
306	char *plaintext_password_string;
307	/*
308	* Not encrypted - do so.
309	*/
310
311	DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted "
312	"format.\n"));
313	if (plaintext_password.data && plaintext_password.length) {
314	unsigned char local_lm_response[24];
315
316	#ifdef DEBUG_PASSWORD
317	DEBUG(10,("Unencrypted password (len %d):\n",
318	(int)plaintext_password.length));
319	dump_data(100, plaintext_password.data,
320	plaintext_password.length);
321	#endif
322
323	SMBencrypt( (const char *)plaintext_password.data,
324	(const uchar*)chal, local_lm_response);
325	local_lm_blob = data_blob(local_lm_response, 24);
326
327	/* We can't do an NT hash here, as the password needs to be
328	case insensitive */
329	local_nt_blob = data_blob_null;
330	} else {
331	local_lm_blob = data_blob_null;
332	local_nt_blob = data_blob_null;
333	}
334
335	plaintext_password_string = talloc_strndup(talloc_tos(),
336	(const char *)plaintext_password.data,
337	plaintext_password.length);
338	if (!plaintext_password_string) {
339	return False;
340	}
341
342	ret = make_user_info_map(
343	user_info, smb_name, client_domain,
344	get_remote_machine_name(),
345	local_lm_blob.data ? &local_lm_blob : NULL,
346	local_nt_blob.data ? &local_nt_blob : NULL,
347	NULL, NULL,
348	plaintext_password_string,
349	AUTH_PASSWORD_PLAIN);
350
351	if (plaintext_password_string) {
352	memset(plaintext_password_string, '\0', strlen(plaintext_password_string));
353	talloc_free(plaintext_password_string);
354	}
355
356	data_blob_free(&local_lm_blob);
357	return NT_STATUS_IS_OK(ret) ? True : False;
358	}
359
360	/****************************************************************************
361	Create an auth_usersupplied_data structure
362	****************************************************************************/
363
364	NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info,
365	const char *smb_name,
366	const char *client_domain,
367	DATA_BLOB lm_resp, DATA_BLOB nt_resp)
368	{
369	return make_user_info_map(user_info, smb_name,
370	client_domain,
371	get_remote_machine_name(),
372	lm_resp.data && (lm_resp.length > 0) ? &lm_resp : NULL,
373	nt_resp.data && (nt_resp.length > 0) ? &nt_resp : NULL,
374	NULL, NULL, NULL,
375	AUTH_PASSWORD_RESPONSE);
376	}
377
378	/****************************************************************************
379	Create a guest user_info blob, for anonymous authenticaion.
380	****************************************************************************/
381
382	bool make_user_info_guest(struct auth_usersupplied_info **user_info)
383	{
384	NTSTATUS nt_status;
385
386	nt_status = make_user_info(user_info,
387	"","",
388	"","",
389	"",
390	NULL, NULL,
391	NULL, NULL,
392	NULL,
393	AUTH_PASSWORD_RESPONSE);
394
395	return NT_STATUS_IS_OK(nt_status) ? True : False;
396	}
397
398	static NTSTATUS log_nt_token(struct security_token *token)
399	{
400	TALLOC_CTX *frame = talloc_stackframe();
401	char *command;
402	char *group_sidstr;
403	size_t i;
404
405	if ((lp_log_nt_token_command() == NULL) \|\|
406	(strlen(lp_log_nt_token_command()) == 0)) {
407	TALLOC_FREE(frame);
408	return NT_STATUS_OK;
409	}
410
411	group_sidstr = talloc_strdup(frame, "");
412	for (i=1; i<token->num_sids; i++) {
413	group_sidstr = talloc_asprintf(
414	frame, "%s %s", group_sidstr,
415	sid_string_talloc(frame, &token->sids[i]));
416	}
417
418	command = talloc_string_sub(
419	frame, lp_log_nt_token_command(),
420	"%s", sid_string_talloc(frame, &token->sids[0]));
421	command = talloc_string_sub(frame, command, "%t", group_sidstr);
422
423	if (command == NULL) {
424	TALLOC_FREE(frame);
425	return NT_STATUS_NO_MEMORY;
426	}
427
428	DEBUG(8, ("running command: [%s]\n", command));
429	if (smbrun(command, NULL) != 0) {
430	DEBUG(0, ("Could not log NT token\n"));
431	TALLOC_FREE(frame);
432	return NT_STATUS_ACCESS_DENIED;
433	}
434
435	TALLOC_FREE(frame);
436	return NT_STATUS_OK;
437	}
438
439	/*
440	* Create the token to use from server_info->info3 and
441	* server_info->sids (the info3/sam groups). Find the unix gids.
442	*/
443
444	NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
445	{
446	struct security_token *t;
447	NTSTATUS status;
448	size_t i;
449	struct dom_sid tmp_sid;
450	struct wbcUnixId *ids;
451
452	/*
453	* If winbind is not around, we can not make much use of the SIDs the
454	* domain controller provided us with. Likewise if the user name was
455	* mapped to some local unix user.
456	*/
457
458	if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) \|\|
459	(server_info->nss_token)) {
460	status = create_token_from_username(server_info,
461	server_info->unix_name,
462	server_info->guest,
463	&server_info->utok.uid,
464	&server_info->utok.gid,
465	&server_info->unix_name,
466	&server_info->security_token);
467
468	} else {
469	status = create_local_nt_token_from_info3(server_info,
470	server_info->guest,
471	server_info->info3,
472	&server_info->extra,
473	&server_info->security_token);
474	}
475
476	if (!NT_STATUS_IS_OK(status)) {
477	return status;
478	}
479
480	/* Convert the SIDs to gids. */
481
482	server_info->utok.ngroups = 0;
483	server_info->utok.groups = NULL;
484
485	t = server_info->security_token;
486
487	ids = TALLOC_ARRAY(talloc_tos(), struct wbcUnixId,
488	t->num_sids);
489	if (ids == NULL) {
490	return NT_STATUS_NO_MEMORY;
491	}
492
493	if (!sids_to_unix_ids(t->sids, t->num_sids, ids)) {
494	TALLOC_FREE(ids);
495	return NT_STATUS_NO_MEMORY;
496	}
497
498	/* Start at index 1, where the groups start. */
499
500	for (i=1; i<t->num_sids; i++) {
501
502	if (ids[i].type != WBC_ID_TYPE_GID) {
503	DEBUG(10, ("Could not convert SID %s to gid, "
504	"ignoring it\n",
505	sid_string_dbg(&t->sids[i])));
506	continue;
507	}
508	if (!add_gid_to_array_unique(server_info, ids[i].id.gid,
509	&server_info->utok.groups,
510	&server_info->utok.ngroups)) {
511	return NT_STATUS_NO_MEMORY;
512	}
513	}
514
515	/*
516	* Add the "Unix Group" SID for each gid to catch mapped groups
517	* and their Unix equivalent. This is to solve the backwards
518	* compatibility problem of 'valid users = +ntadmin' where
519	* ntadmin has been paired with "Domain Admins" in the group
520	* mapping table. Otherwise smb.conf would need to be changed
521	* to 'valid user = "Domain Admins"'. --jerry
522	*
523	* For consistency we also add the "Unix User" SID,
524	* so that the complete unix token is represented within
525	* the nt token.
526	*/
527
528	uid_to_unix_users_sid(server_info->utok.uid, &tmp_sid);
529
530	add_sid_to_array_unique(server_info->security_token, &tmp_sid,
531	&server_info->security_token->sids,
532	&server_info->security_token->num_sids);
533
534	for ( i=0; i<server_info->utok.ngroups; i++ ) {
535	gid_to_unix_groups_sid(server_info->utok.groups[i], &tmp_sid);
536	add_sid_to_array_unique(server_info->security_token, &tmp_sid,
537	&server_info->security_token->sids,
538	&server_info->security_token->num_sids);
539	}
540
541	security_token_debug(DBGC_AUTH, 10, server_info->security_token);
542	debug_unix_user_token(DBGC_AUTH, 10,
543	server_info->utok.uid,
544	server_info->utok.gid,
545	server_info->utok.ngroups,
546	server_info->utok.groups);
547
548	status = log_nt_token(server_info->security_token);
549	return status;
550	}
551
552	/***************************************************************************
553	Make (and fill) a server_info struct from a 'struct passwd' by conversion
554	to a struct samu
555	***************************************************************************/
556
557	NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
558	char *unix_username,
559	struct passwd *pwd)
560	{
561	NTSTATUS status;
562	struct samu *sampass = NULL;
563	char *qualified_name = NULL;
564	TALLOC_CTX *mem_ctx = NULL;
565	struct dom_sid u_sid;
566	enum lsa_SidType type;
567	struct auth_serversupplied_info *result;
568
569	/*
570	* The SID returned in server_info->sam_account is based
571	* on our SAM sid even though for a pure UNIX account this should
572	* not be the case as it doesn't really exist in the SAM db.
573	* This causes lookups on "[in]valid users" to fail as they
574	* will lookup this name as a "Unix User" SID to check against
575	* the user token. Fix this by adding the "Unix User"\unix_username
576	* SID to the sid array. The correct fix should probably be
577	* changing the server_info->sam_account user SID to be a
578	* S-1-22 Unix SID, but this might break old configs where
579	* plaintext passwords were used with no SAM backend.
580	*/
581
582	mem_ctx = talloc_init("make_server_info_pw_tmp");
583	if (!mem_ctx) {
584	return NT_STATUS_NO_MEMORY;
585	}
586
587	qualified_name = talloc_asprintf(mem_ctx, "%s\\%s",
588	unix_users_domain_name(),
589	unix_username );
590	if (!qualified_name) {
591	TALLOC_FREE(mem_ctx);
592	return NT_STATUS_NO_MEMORY;
593	}
594
595	if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL,
596	NULL, NULL,
597	&u_sid, &type)) {
598	TALLOC_FREE(mem_ctx);
599	return NT_STATUS_NO_SUCH_USER;
600	}
601
602	TALLOC_FREE(mem_ctx);
603
604	if (type != SID_NAME_USER) {
605	return NT_STATUS_NO_SUCH_USER;
606	}
607
608	if ( !(sampass = samu_new( NULL )) ) {
609	return NT_STATUS_NO_MEMORY;
610	}
611
612	status = samu_set_unix( sampass, pwd );
613	if (!NT_STATUS_IS_OK(status)) {
614	return status;
615	}
616
617	/* In pathological cases the above call can set the account
618	* name to the DOMAIN\username form. Reset the account name
619	* using unix_username */
620	pdb_set_username(sampass, unix_username, PDB_SET);
621
622	/* set the user sid to be the calculated u_sid */
623	pdb_set_user_sid(sampass, &u_sid, PDB_SET);
624
625	result = make_server_info(NULL);
626	if (result == NULL) {
627	TALLOC_FREE(sampass);
628	return NT_STATUS_NO_MEMORY;
629	}
630
631	status = samu_to_SamInfo3(result, sampass, global_myname(),
632	&result->info3, &result->extra);
633	TALLOC_FREE(sampass);
634	if (!NT_STATUS_IS_OK(status)) {
635	DEBUG(10, ("Failed to convert samu to info3: %s\n",
636	nt_errstr(status)));
637	TALLOC_FREE(result);
638	return status;
639	}
640
641	result->unix_name = talloc_strdup(result, unix_username);
642	result->sanitized_username = sanitize_username(result, unix_username);
643
644	if ((result->unix_name == NULL)
645	\|\| (result->sanitized_username == NULL)) {
646	TALLOC_FREE(result);
647	return NT_STATUS_NO_MEMORY;
648	}
649
650	result->utok.uid = pwd->pw_uid;
651	result->utok.gid = pwd->pw_gid;
652
653	*server_info = result;
654
655	return NT_STATUS_OK;
656	}
657
658	static NTSTATUS get_system_info3(TALLOC_CTX *mem_ctx,
659	struct passwd *pwd,
660	struct netr_SamInfo3 *info3)
661	{
662	struct dom_sid domain_sid;
663	const char *tmp;
664
665	/* Set account name */
666	tmp = talloc_strdup(mem_ctx, pwd->pw_name);
667	if (tmp == NULL) {
668	return NT_STATUS_NO_MEMORY;
669	}
670	init_lsa_String(&info3->base.account_name, tmp);
671
672	/* Set domain name */
673	tmp = talloc_strdup(mem_ctx, get_global_sam_name());
674	if (tmp == NULL) {
675	return NT_STATUS_NO_MEMORY;
676	}
677	init_lsa_StringLarge(&info3->base.domain, tmp);
678
679	/* Domain sid */
680	sid_copy(&domain_sid, get_global_sam_sid());
681
682	info3->base.domain_sid = dom_sid_dup(mem_ctx, &domain_sid);
683	if (info3->base.domain_sid == NULL) {
684	return NT_STATUS_NO_MEMORY;
685	}
686
687	/* Admin rid */
688	info3->base.rid = DOMAIN_RID_ADMINISTRATOR;
689
690	/* Primary gid */
691	info3->base.primary_gid = BUILTIN_RID_ADMINISTRATORS;
692
693	return NT_STATUS_OK;
694	}
695
696	static NTSTATUS get_guest_info3(TALLOC_CTX *mem_ctx,
697	struct netr_SamInfo3 *info3)
698	{
699	const char *guest_account = lp_guestaccount();
700	struct dom_sid domain_sid;
701	struct passwd *pwd;
702	const char *tmp;
703
704	pwd = Get_Pwnam_alloc(mem_ctx, guest_account);
705	if (pwd == NULL) {
706	DEBUG(0,("SamInfo3_for_guest: Unable to locate guest "
707	"account [%s]!\n", guest_account));
708	return NT_STATUS_NO_SUCH_USER;
709	}
710
711	/* Set acount name */
712	tmp = talloc_strdup(mem_ctx, pwd->pw_name);
713	if (tmp == NULL) {
714	return NT_STATUS_NO_MEMORY;
715	}
716	init_lsa_String(&info3->base.account_name, tmp);
717
718	/* Set domain name */
719	tmp = talloc_strdup(mem_ctx, get_global_sam_name());
720	if (tmp == NULL) {
721	return NT_STATUS_NO_MEMORY;
722	}
723	init_lsa_StringLarge(&info3->base.domain, tmp);
724
725	/* Domain sid */
726	sid_copy(&domain_sid, get_global_sam_sid());
727
728	info3->base.domain_sid = dom_sid_dup(mem_ctx, &domain_sid);
729	if (info3->base.domain_sid == NULL) {
730	return NT_STATUS_NO_MEMORY;
731	}
732
733	/* Guest rid */
734	info3->base.rid = DOMAIN_RID_GUEST;
735
736	/* Primary gid */
737	info3->base.primary_gid = DOMAIN_RID_GUESTS;
738
739	TALLOC_FREE(pwd);
740	return NT_STATUS_OK;
741	}
742
743	/***************************************************************************
744	Make (and fill) a user_info struct for a guest login.
745	This must succeed for smbd to start. If there is no mapping entry for
746	the guest gid, then create one.
747	***************************************************************************/
748
749	static NTSTATUS make_new_server_info_guest(struct auth_serversupplied_info **server_info)
750	{
751	static const char zeros[16] = {0};
752	const char *guest_account = lp_guestaccount();
753	const char *domain = global_myname();
754	struct netr_SamInfo3 info3;
755	TALLOC_CTX *tmp_ctx;
756	NTSTATUS status;
757	fstring tmp;
758
759	tmp_ctx = talloc_stackframe();
760	if (tmp_ctx == NULL) {
761	return NT_STATUS_NO_MEMORY;
762	}
763
764	ZERO_STRUCT(info3);
765
766	status = get_guest_info3(tmp_ctx, &info3);
767	if (!NT_STATUS_IS_OK(status)) {
768	goto done;
769	}
770
771	status = make_server_info_info3(tmp_ctx,
772	guest_account,
773	domain,
774	server_info,
775	&info3);
776	if (!NT_STATUS_IS_OK(status)) {
777	goto done;
778	}
779
780	(*server_info)->guest = True;
781
782	status = create_local_token(*server_info);
783	if (!NT_STATUS_IS_OK(status)) {
784	DEBUG(10, ("create_local_token failed: %s\n",
785	nt_errstr(status)));
786	goto done;
787	}
788
789	/* annoying, but the Guest really does have a session key, and it is
790	all zeros! */
791	(*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));
792	(*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
793
794	alpha_strcpy(tmp, (*server_info)->info3->base.account_name.string,
795	". _-$", sizeof(tmp));
796	(server_info)->sanitized_username = talloc_strdup(server_info, tmp);
797
798	status = NT_STATUS_OK;
799	done:
800	TALLOC_FREE(tmp_ctx);
801	return status;
802	}
803
804	/****************************************************************************
805	Fake a auth_session_info just from a username (as a
806	session_info structure, with create_local_token() already called on
807	it.
808	****************************************************************************/
809
810	static NTSTATUS make_system_session_info_from_pw(TALLOC_CTX *mem_ctx,
811	struct passwd *pwd,
812	struct auth_serversupplied_info **server_info)
813	{
814	const char *domain = global_myname();
815	struct netr_SamInfo3 info3;
816	TALLOC_CTX *tmp_ctx;
817	NTSTATUS status;
818
819	tmp_ctx = talloc_stackframe();
820	if (tmp_ctx == NULL) {
821	return NT_STATUS_NO_MEMORY;
822	}
823
824	ZERO_STRUCT(info3);
825
826	status = get_system_info3(tmp_ctx, pwd, &info3);
827	if (!NT_STATUS_IS_OK(status)) {
828	DEBUG(0, ("Failed creating system info3 with %s\n",
829	nt_errstr(status)));
830	goto done;
831	}
832
833	status = make_server_info_info3(mem_ctx,
834	pwd->pw_name,
835	domain,
836	server_info,
837	&info3);
838	if (!NT_STATUS_IS_OK(status)) {
839	DEBUG(0, ("make_server_info_info3 failed with %s\n",
840	nt_errstr(status)));
841	goto done;
842	}
843
844	(*server_info)->nss_token = true;
845
846	/* Now turn the server_info into a session_info with the full token etc */
847	status = create_local_token(*server_info);
848	if (!NT_STATUS_IS_OK(status)) {
849	DEBUG(0, ("create_local_token failed: %s\n",
850	nt_errstr(status)));
851	goto done;
852	}
853
854	status = NT_STATUS_OK;
855	done:
856	TALLOC_FREE(tmp_ctx);
857	return status;
858	}
859
860	/***************************************************************************
861	Make (and fill) a auth_session_info struct for a system user login.
862	This must succeed for smbd to start.
863	***************************************************************************/
864
865	static NTSTATUS make_new_session_info_system(TALLOC_CTX *mem_ctx,
866	struct auth_serversupplied_info **session_info)
867	{
868	struct passwd *pwd;
869	NTSTATUS status;
870
871	pwd = getpwuid_alloc(mem_ctx, sec_initial_uid());
872	if (pwd == NULL) {
873	return NT_STATUS_NO_SUCH_USER;
874	}
875
876	status = make_system_session_info_from_pw(mem_ctx,
877	pwd,
878	session_info);
879	TALLOC_FREE(pwd);
880	if (!NT_STATUS_IS_OK(status)) {
881	return status;
882	}
883
884	(*session_info)->system = true;
885
886	status = add_sid_to_array_unique((*session_info)->security_token->sids,
887	&global_sid_System,
888	&(*session_info)->security_token->sids,
889	&(*session_info)->security_token->num_sids);
890	if (!NT_STATUS_IS_OK(status)) {
891	TALLOC_FREE((*session_info));
892	return status;
893	}
894
895	return NT_STATUS_OK;
896	}
897
898	/****************************************************************************
899	Fake a auth_serversupplied_info just from a username
900	****************************************************************************/
901
902	NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx,
903	const char *username,
904	bool is_guest,
905	struct auth_serversupplied_info **presult)
906	{
907	struct auth_serversupplied_info *result;
908	struct passwd *pwd;
909	NTSTATUS status;
910
911	pwd = Get_Pwnam_alloc(talloc_tos(), username);
912	if (pwd == NULL) {
913	return NT_STATUS_NO_SUCH_USER;
914	}
915
916	status = make_server_info_pw(&result, pwd->pw_name, pwd);
917
918	TALLOC_FREE(pwd);
919
920	if (!NT_STATUS_IS_OK(status)) {
921	return status;
922	}
923
924	result->nss_token = true;
925	result->guest = is_guest;
926
927	status = create_local_token(result);
928
929	if (!NT_STATUS_IS_OK(status)) {
930	TALLOC_FREE(result);
931	return status;
932	}
933
934	*presult = talloc_steal(mem_ctx, result);
935	return NT_STATUS_OK;
936	}
937
938
939	struct auth_serversupplied_info copy_serverinfo(TALLOC_CTX mem_ctx,
940	const struct auth_serversupplied_info *src)
941	{
942	struct auth_serversupplied_info *dst;
943
944	dst = make_server_info(mem_ctx);
945	if (dst == NULL) {
946	return NULL;
947	}
948
949	dst->guest = src->guest;
950	dst->system = src->system;
951	dst->utok.uid = src->utok.uid;
952	dst->utok.gid = src->utok.gid;
953	dst->utok.ngroups = src->utok.ngroups;
954	if (src->utok.ngroups != 0) {
955	dst->utok.groups = (gid_t *)TALLOC_MEMDUP(
956	dst, src->utok.groups,
957	sizeof(gid_t)*dst->utok.ngroups);
958	} else {
959	dst->utok.groups = NULL;
960	}
961
962	if (src->security_token) {
963	dst->security_token = dup_nt_token(dst, src->security_token);
964	if (!dst->security_token) {
965	TALLOC_FREE(dst);
966	return NULL;
967	}
968	}
969
970	dst->user_session_key = data_blob_talloc( dst, src->user_session_key.data,
971	src->user_session_key.length);
972
973	dst->lm_session_key = data_blob_talloc(dst, src->lm_session_key.data,
974	src->lm_session_key.length);
975
976	dst->info3 = copy_netr_SamInfo3(dst, src->info3);
977	if (!dst->info3) {
978	TALLOC_FREE(dst);
979	return NULL;
980	}
981	dst->extra = src->extra;
982
983	dst->unix_name = talloc_strdup(dst, src->unix_name);
984	if (!dst->unix_name) {
985	TALLOC_FREE(dst);
986	return NULL;
987	}
988
989	dst->sanitized_username = talloc_strdup(dst, src->sanitized_username);
990	if (!dst->sanitized_username) {
991	TALLOC_FREE(dst);
992	return NULL;
993	}
994
995	return dst;
996	}
997
998	/*
999	* Set a new session key. Used in the rpc server where we have to override the
1000	* SMB level session key with SystemLibraryDTC
1001	*/
1002
1003	bool session_info_set_session_key(struct auth_serversupplied_info *info,
1004	DATA_BLOB session_key)
1005	{
1006	TALLOC_FREE(info->user_session_key.data);
1007
1008	info->user_session_key = data_blob_talloc(
1009	info, session_key.data, session_key.length);
1010
1011	return (info->user_session_key.data != NULL);
1012	}
1013
1014	static struct auth_serversupplied_info *guest_info = NULL;
1015
1016	bool init_guest_info(void)
1017	{
1018	if (guest_info != NULL)
1019	return True;
1020
1021	return NT_STATUS_IS_OK(make_new_server_info_guest(&guest_info));
1022	}
1023
1024	NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx,
1025	struct auth_serversupplied_info **server_info)
1026	{
1027	*server_info = copy_serverinfo(mem_ctx, guest_info);
1028	return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1029	}
1030
1031	static struct auth_serversupplied_info *system_info = NULL;
1032
1033	NTSTATUS init_system_info(void)
1034	{
1035	if (system_info != NULL)
1036	return NT_STATUS_OK;
1037
1038	return make_new_session_info_system(NULL, &system_info);
1039	}
1040
1041	NTSTATUS make_session_info_system(TALLOC_CTX *mem_ctx,
1042	struct auth_serversupplied_info **session_info)
1043	{
1044	if (system_info == NULL) return NT_STATUS_UNSUCCESSFUL;
1045	*session_info = copy_serverinfo(mem_ctx, system_info);
1046	return (*session_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
1047	}
1048
1049	const struct auth_serversupplied_info *get_session_info_system(void)
1050	{
1051	return system_info;
1052	}
1053
1054	bool copy_current_user(struct current_user dst, struct current_user src)
1055	{
1056	gid_t *groups;
1057	struct security_token *nt_token;
1058
1059	groups = (gid_t *)memdup(src->ut.groups,
1060	sizeof(gid_t) * src->ut.ngroups);
1061	if ((src->ut.ngroups != 0) && (groups == NULL)) {
1062	return False;
1063	}
1064
1065	nt_token = dup_nt_token(NULL, src->nt_user_token);
1066	if (nt_token == NULL) {
1067	SAFE_FREE(groups);
1068	return False;
1069	}
1070
1071	dst->conn = src->conn;
1072	dst->vuid = src->vuid;
1073	dst->ut.uid = src->ut.uid;
1074	dst->ut.gid = src->ut.gid;
1075	dst->ut.ngroups = src->ut.ngroups;
1076	dst->ut.groups = groups;
1077	dst->nt_user_token = nt_token;
1078	return True;
1079	}
1080
1081	/***************************************************************************
1082	Purely internal function for make_server_info_info3
1083	***************************************************************************/
1084
1085	static NTSTATUS check_account(TALLOC_CTX mem_ctx, const char domain,
1086	const char username, char *found_username,
1087	struct passwd **pwd,
1088	bool *username_was_mapped)
1089	{
1090	char *orig_dom_user = NULL;
1091	char *dom_user = NULL;
1092	char *lower_username = NULL;
1093	char *real_username = NULL;
1094	struct passwd *passwd;
1095
1096	lower_username = talloc_strdup(mem_ctx, username);
1097	if (!lower_username) {
1098	return NT_STATUS_NO_MEMORY;
1099	}
1100	strlower_m( lower_username );
1101
1102	orig_dom_user = talloc_asprintf(mem_ctx,
1103	"%s%c%s",
1104	domain,
1105	*lp_winbind_separator(),
1106	lower_username);
1107	if (!orig_dom_user) {
1108	return NT_STATUS_NO_MEMORY;
1109	}
1110
1111	/* Get the passwd struct. Try to create the account if necessary. */
1112
1113	*username_was_mapped = map_username(mem_ctx, orig_dom_user, &dom_user);
1114	if (!dom_user) {
1115	return NT_STATUS_NO_MEMORY;
1116	}
1117
1118	passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, True );
1119	if (!passwd) {
1120	DEBUG(3, ("Failed to find authenticated user %s via "
1121	"getpwnam(), denying access.\n", dom_user));
1122	return NT_STATUS_NO_SUCH_USER;
1123	}
1124
1125	if (!real_username) {
1126	return NT_STATUS_NO_MEMORY;
1127	}
1128
1129	*pwd = passwd;
1130
1131	/* This is pointless -- there is no suport for differing
1132	unix and windows names. Make sure to always store the
1133	one we actually looked up and succeeded. Have I mentioned
1134	why I hate the 'winbind use default domain' parameter?
1135	--jerry */
1136
1137	*found_username = talloc_strdup( mem_ctx, real_username );
1138
1139	return NT_STATUS_OK;
1140	}
1141
1142	/****************************************************************************
1143	Wrapper to allow the getpwnam() call to strip the domain name and
1144	try again in case a local UNIX user is already there. Also run through
1145	the username if we fallback to the username only.
1146	****************************************************************************/
1147
1148	struct passwd smb_getpwnam( TALLOC_CTX mem_ctx, const char *domuser,
1149	char **p_save_username, bool create )
1150	{
1151	struct passwd *pw = NULL;
1152	char *p = NULL;
1153	char *username = NULL;
1154
1155	/* we only save a copy of the username it has been mangled
1156	by winbindd use default domain */
1157	*p_save_username = NULL;
1158
1159	/* don't call map_username() here since it has to be done higher
1160	up the stack so we don't call it multiple times */
1161
1162	username = talloc_strdup(mem_ctx, domuser);
1163	if (!username) {
1164	return NULL;
1165	}
1166
1167	p = strchr_m( username, *lp_winbind_separator() );
1168
1169	/* code for a DOMAIN\user string */
1170
1171	if ( p ) {
1172	pw = Get_Pwnam_alloc( mem_ctx, domuser );
1173	if ( pw ) {
1174	/* make sure we get the case of the username correct */
1175	/* work around 'winbind use default domain = yes' */
1176
1177	if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
1178	char *domain;
1179
1180	/* split the domain and username into 2 strings */
1181	*p = '\0';
1182	domain = username;
1183
1184	*p_save_username = talloc_asprintf(mem_ctx,
1185	"%s%c%s",
1186	domain,
1187	*lp_winbind_separator(),
1188	pw->pw_name);
1189	if (!*p_save_username) {
1190	TALLOC_FREE(pw);
1191	return NULL;
1192	}
1193	} else {
1194	*p_save_username = talloc_strdup(mem_ctx, pw->pw_name);
1195	}
1196
1197	/* whew -- done! */
1198	return pw;
1199	}
1200
1201	/* setup for lookup of just the username */
1202	/* remember that p and username are overlapping memory */
1203
1204	p++;
1205	username = talloc_strdup(mem_ctx, p);
1206	if (!username) {
1207	return NULL;
1208	}
1209	}
1210
1211	/* just lookup a plain username */
1212
1213	pw = Get_Pwnam_alloc(mem_ctx, username);
1214
1215	/* Create local user if requested but only if winbindd
1216	is not running. We need to protect against cases
1217	where winbindd is failing and then prematurely
1218	creating users in /etc/passwd */
1219
1220	if ( !pw && create && !winbind_ping() ) {
1221	/* Don't add a machine account. */
1222	if (username[strlen(username)-1] == '$')
1223	return NULL;
1224
1225	_smb_create_user(NULL, username, NULL);
1226	pw = Get_Pwnam_alloc(mem_ctx, username);
1227	}
1228
1229	/* one last check for a valid passwd struct */
1230
1231	if (pw) {
1232	*p_save_username = talloc_strdup(mem_ctx, pw->pw_name);
1233	}
1234	return pw;
1235	}
1236
1237	/***************************************************************************
1238	Make a server_info struct from the info3 returned by a domain logon
1239	***************************************************************************/
1240
1241	NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
1242	const char *sent_nt_username,
1243	const char *domain,
1244	struct auth_serversupplied_info **server_info,
1245	struct netr_SamInfo3 *info3)
1246	{
1247	static const char zeros[16] = {0, };
1248
1249	NTSTATUS nt_status = NT_STATUS_OK;
1250	char *found_username = NULL;
1251	const char *nt_domain;
1252	const char *nt_username;
1253	struct dom_sid user_sid;
1254	struct dom_sid group_sid;
1255	bool username_was_mapped;
1256	struct passwd *pwd;
1257	struct auth_serversupplied_info *result;
1258
1259	/*
1260	Here is where we should check the list of
1261	trusted domains, and verify that the SID
1262	matches.
1263	*/
1264
1265	if (!sid_compose(&user_sid, info3->base.domain_sid, info3->base.rid)) {
1266	return NT_STATUS_INVALID_PARAMETER;
1267	}
1268
1269	if (!sid_compose(&group_sid, info3->base.domain_sid,
1270	info3->base.primary_gid)) {
1271	return NT_STATUS_INVALID_PARAMETER;
1272	}
1273
1274	nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
1275	if (!nt_username) {
1276	/* If the server didn't give us one, just use the one we sent
1277	* them */
1278	nt_username = sent_nt_username;
1279	}
1280
1281	nt_domain = talloc_strdup(mem_ctx, info3->base.domain.string);
1282	if (!nt_domain) {
1283	/* If the server didn't give us one, just use the one we sent
1284	* them */
1285	nt_domain = domain;
1286	}
1287
1288	/* If getpwnam() fails try the add user script (2.2.x behavior).
1289
1290	We use the _unmapped_ username here in an attempt to provide
1291	consistent username mapping behavior between kerberos and NTLM[SSP]
1292	authentication in domain mode security. I.E. Username mapping
1293	should be applied to the fully qualified username
1294	(e.g. DOMAIN\user) and not just the login name. Yes this means we
1295	called map_username() unnecessarily in make_user_info_map() but
1296	that is how the current code is designed. Making the change here
1297	is the least disruptive place. -- jerry */
1298
1299	/* this call will try to create the user if necessary */
1300
1301	nt_status = check_account(mem_ctx, nt_domain, sent_nt_username,
1302	&found_username, &pwd,
1303	&username_was_mapped);
1304
1305	if (!NT_STATUS_IS_OK(nt_status)) {
1306	return nt_status;
1307	}
1308
1309	result = make_server_info(NULL);
1310	if (result == NULL) {
1311	DEBUG(4, ("make_server_info failed!\n"));
1312	return NT_STATUS_NO_MEMORY;
1313	}
1314
1315	result->unix_name = talloc_strdup(result, found_username);
1316
1317	result->sanitized_username = sanitize_username(result,
1318	result->unix_name);
1319	if (result->sanitized_username == NULL) {
1320	TALLOC_FREE(result);
1321	return NT_STATUS_NO_MEMORY;
1322	}
1323
1324	/* copy in the info3 */
1325	result->info3 = copy_netr_SamInfo3(result, info3);
1326	if (result->info3 == NULL) {
1327	TALLOC_FREE(result);
1328	return NT_STATUS_NO_MEMORY;
1329	}
1330
1331	/* Fill in the unix info we found on the way */
1332
1333	result->utok.uid = pwd->pw_uid;
1334	result->utok.gid = pwd->pw_gid;
1335
1336	/* ensure we are never given NULL session keys */
1337
1338	if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) {
1339	result->user_session_key = data_blob_null;
1340	} else {
1341	result->user_session_key = data_blob_talloc(
1342	result, info3->base.key.key,
1343	sizeof(info3->base.key.key));
1344	}
1345
1346	if (memcmp(info3->base.LMSessKey.key, zeros, 8) == 0) {
1347	result->lm_session_key = data_blob_null;
1348	} else {
1349	result->lm_session_key = data_blob_talloc(
1350	result, info3->base.LMSessKey.key,
1351	sizeof(info3->base.LMSessKey.key));
1352	}
1353
1354	result->nss_token \|= username_was_mapped;
1355
1356	*server_info = result;
1357
1358	return NT_STATUS_OK;
1359	}
1360
1361	/*****************************************************************************
1362	Make a server_info struct from the wbcAuthUserInfo returned by a domain logon
1363	******************************************************************************/
1364
1365	NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
1366	const char *sent_nt_username,
1367	const char *domain,
1368	const struct wbcAuthUserInfo *info,
1369	struct auth_serversupplied_info **server_info)
1370	{
1371	struct netr_SamInfo3 *info3;
1372
1373	info3 = wbcAuthUserInfo_to_netr_SamInfo3(mem_ctx, info);
1374	if (!info3) {
1375	return NT_STATUS_NO_MEMORY;
1376	}
1377
1378	return make_server_info_info3(mem_ctx,
1379	sent_nt_username, domain,
1380	server_info, info3);
1381	}
1382
1383	/**
1384	* Verify whether or not given domain is trusted.
1385	*
1386	* @param domain_name name of the domain to be verified
1387	* @return true if domain is one of the trusted ones or
1388	* false if otherwise
1389	**/
1390
1391	bool is_trusted_domain(const char* dom_name)
1392	{
1393	struct dom_sid trustdom_sid;
1394	bool ret;
1395
1396	/* no trusted domains for a standalone server */
1397
1398	if ( lp_server_role() == ROLE_STANDALONE )
1399	return False;
1400
1401	if (dom_name == NULL \|\| dom_name[0] == '\0') {
1402	return false;
1403	}
1404
1405	if (strequal(dom_name, get_global_sam_name())) {
1406	return false;
1407	}
1408
1409	/* if we are a DC, then check for a direct trust relationships */
1410
1411	if ( IS_DC ) {
1412	become_root();
1413	DEBUG (5,("is_trusted_domain: Checking for domain trust with "
1414	"[%s]\n", dom_name ));
1415	ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL);
1416	unbecome_root();
1417	if (ret)
1418	return True;
1419	}
1420	else {
1421	wbcErr result;
1422
1423	/* If winbind is around, ask it */
1424
1425	result = wb_is_trusted_domain(dom_name);
1426
1427	if (result == WBC_ERR_SUCCESS) {
1428	return True;
1429	}
1430
1431	if (result == WBC_ERR_DOMAIN_NOT_FOUND) {
1432	/* winbind could not find the domain */
1433	return False;
1434	}
1435
1436	/* The only other possible result is that winbind is not up
1437	and running. We need to update the trustdom_cache
1438	ourselves */
1439
1440	update_trustdom_cache();
1441	}
1442
1443	/* now the trustdom cache should be available a DC could still
1444	* have a transitive trust so fall back to the cache of trusted
1445	* domains (like a domain member would use */
1446
1447	if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) {
1448	return True;
1449	}
1450
1451	return False;
1452	}
1453

Note: See TracBrowser for help on using the repository browser.

Download in other formats: