summaryrefslogtreecommitdiff
path: root/source3/auth
diff options
context:
space:
mode:
authorSimo Sorce <idra@samba.org>2010-08-26 17:57:26 -0400
committerGünther Deschner <gd@samba.org>2010-08-30 14:17:06 +0200
commitb9772a4886fa5137574a1ba0734fa1e30343283b (patch)
tree974e03dde0693ed74e380e9bb6f14c8cae0a5ad7 /source3/auth
parentfc79f358eb6a1dd7ed2e5f5b1e31fb664a182595 (diff)
downloadsamba-b9772a4886fa5137574a1ba0734fa1e30343283b.tar.gz
samba-b9772a4886fa5137574a1ba0734fa1e30343283b.tar.bz2
samba-b9772a4886fa5137574a1ba0734fa1e30343283b.zip
s3-auth: Add helper function to retrieve the unix user from a kerberos ticket
Signed-off-by: Günther Deschner <gd@samba.org>
Diffstat (limited to 'source3/auth')
-rw-r--r--source3/auth/user_krb5.c172
1 files changed, 172 insertions, 0 deletions
diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
new file mode 100644
index 0000000000..2cdcdcc1c3
--- /dev/null
+++ b/source3/auth/user_krb5.c
@@ -0,0 +1,172 @@
+/*
+ Unix SMB/CIFS implementation.
+ Authentication utility functions
+ Copyright (C) Simo Sorce 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
+#ifdef HAVE_KRB5
+NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
+ const char *cli_name,
+ const char *princ_name,
+ struct PAC_LOGON_INFO *logon_info,
+ bool *is_mapped,
+ bool *mapped_to_guest,
+ char **ntuser,
+ char **ntdomain,
+ char **username,
+ struct passwd **_pw)
+{
+ NTSTATUS status;
+ char *domain = NULL;
+ char *realm = NULL;
+ char *user = NULL;
+ char *p;
+ fstring fuser;
+ fstring unixuser;
+ struct passwd *pw = NULL;
+
+ DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
+
+ p = strchr_m(princ_name, '@');
+ if (!p) {
+ DEBUG(3, ("[%s] Doesn't look like a valid principal\n",
+ princ_name));
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
+ user = talloc_strndup(mem_ctx, princ_name, p - princ_name);
+ if (!user) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ realm = talloc_strdup(talloc_tos(), p + 1);
+ if (!realm) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!strequal(realm, lp_realm())) {
+ DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm));
+ if (!lp_allow_trusted_domains()) {
+ return NT_STATUS_LOGON_FAILURE;
+ }
+ }
+
+ if (logon_info && logon_info->info3.base.domain.string) {
+ domain = talloc_strdup(mem_ctx,
+ logon_info->info3.base.domain.string);
+ if (!domain) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ DEBUG(10, ("Domain is [%s] (using PAC)\n", domain));
+ } else {
+
+ /* If we have winbind running, we can (and must) shorten the
+ username by using the short netbios name. Otherwise we will
+ have inconsistent user names. With Kerberos, we get the
+ fully qualified realm, with ntlmssp we get the short
+ name. And even w2k3 does use ntlmssp if you for example
+ connect to an ip address. */
+
+ wbcErr wbc_status;
+ struct wbcDomainInfo *info = NULL;
+
+ DEBUG(10, ("Mapping [%s] to short name using winbindd\n",
+ realm));
+
+ wbc_status = wbcDomainInfo(realm, &info);
+
+ if (WBC_ERROR_IS_OK(wbc_status)) {
+ domain = talloc_strdup(mem_ctx,
+ info->short_name);
+ wbcFreeMemory(info);
+ } else {
+ DEBUG(3, ("Could not find short name: %s\n",
+ wbcErrorString(wbc_status)));
+ domain = talloc_strdup(mem_ctx, realm);
+ }
+ if (!domain) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain));
+ }
+
+ /* We have to use fstring for this - map_username requires it. */
+ fstr_sprintf(fuser, "%s%c%s", domain, *lp_winbind_separator(), user);
+
+ *is_mapped = map_username(fuser);
+
+ pw = smb_getpwnam(mem_ctx, fuser, unixuser, true);
+ if (pw) {
+ /* if a real user check pam account restrictions */
+ /* only really perfomed if "obey pam restriction" is true */
+ /* do this before an eventual mapping to guest occurs */
+ status = smb_pam_accountcheck(pw->pw_name, cli_name);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("PAM account restrictions prevent user "
+ "[%s] login\n", unixuser));
+ return status;
+ }
+ }
+ if (!pw) {
+
+ /* this was originally the behavior of Samba 2.2, if a user
+ did not have a local uid but has been authenticated, then
+ map them to a guest account */
+
+ if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID) {
+ *mapped_to_guest = true;
+ fstrcpy(fuser, lp_guestaccount());
+ pw = smb_getpwnam(mem_ctx, fuser, unixuser, true);
+ }
+
+ /* extra sanity check that the guest account is valid */
+ if (!pw) {
+ DEBUG(1, ("Username %s is invalid on this system\n",
+ fuser));
+ return NT_STATUS_LOGON_FAILURE;
+ }
+ }
+
+ *username = talloc_strdup(mem_ctx, unixuser);
+ if (!*username) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ *ntuser = user;
+ *ntdomain = domain;
+ *_pw = pw;
+
+ return NT_STATUS_OK;
+}
+#else /* HAVE_KRB5 */
+NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
+ const char *cli_name,
+ const char *princ_name,
+ struct PAC_LOGON_INFO *logon_info,
+ bool *is_mapped,
+ bool *mapped_to_guest,
+ char **ntuser,
+ char **ntdomain,
+ char **username,
+ struct passwd **_pw)
+{
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+#endif /* HAVE_KRB5 */