diff options
Diffstat (limited to 'nsswitch/libwbclient/wbc_pam_async.c')
| -rw-r--r-- | nsswitch/libwbclient/wbc_pam_async.c | 483 |
1 files changed, 483 insertions, 0 deletions
diff --git a/nsswitch/libwbclient/wbc_pam_async.c b/nsswitch/libwbclient/wbc_pam_async.c new file mode 100644 index 0000000000..f551f7473d --- /dev/null +++ b/nsswitch/libwbclient/wbc_pam_async.c @@ -0,0 +1,483 @@ +/* + Unix SMB/CIFS implementation. + + Winbind client API + + Copyright (C) 2009 Kai Blin <kai@samba.org> + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 3 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Library General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +/* Required Headers */ + +#include "replace.h" +#include "libwbclient.h" +#include "../winbind_client.h" + +/* FIXME: Currently this is still a copy of the same function from wbc_pam.c */ +static wbcErr wbc_create_auth_info(TALLOC_CTX *mem_ctx, + const struct winbindd_response *resp, + struct wbcAuthUserInfo **_i) +{ + wbcErr wbc_status = WBC_ERR_SUCCESS; + struct wbcAuthUserInfo *i; + struct wbcDomainSid domain_sid; + char *p; + uint32_t sn = 0; + uint32_t j; + + i = talloc(mem_ctx, struct wbcAuthUserInfo); + BAIL_ON_PTR_ERROR(i, wbc_status); + + i->user_flags = resp->data.auth.info3.user_flgs; + + i->account_name = talloc_strdup(i, resp->data.auth.info3.user_name); + BAIL_ON_PTR_ERROR(i->account_name, wbc_status); + i->user_principal= NULL; + i->full_name = talloc_strdup(i, resp->data.auth.info3.full_name); + BAIL_ON_PTR_ERROR(i->full_name, wbc_status); + i->domain_name = talloc_strdup(i, resp->data.auth.info3.logon_dom); + BAIL_ON_PTR_ERROR(i->domain_name, wbc_status); + i->dns_domain_name= NULL; + + i->acct_flags = resp->data.auth.info3.acct_flags; + memcpy(i->user_session_key, + resp->data.auth.user_session_key, + sizeof(i->user_session_key)); + memcpy(i->lm_session_key, + resp->data.auth.first_8_lm_hash, + sizeof(i->lm_session_key)); + + i->logon_count = resp->data.auth.info3.logon_count; + i->bad_password_count = resp->data.auth.info3.bad_pw_count; + + i->logon_time = resp->data.auth.info3.logon_time; + i->logoff_time = resp->data.auth.info3.logoff_time; + i->kickoff_time = resp->data.auth.info3.kickoff_time; + i->pass_last_set_time = resp->data.auth.info3.pass_last_set_time; + i->pass_can_change_time = resp->data.auth.info3.pass_can_change_time; + i->pass_must_change_time= resp->data.auth.info3.pass_must_change_time; + + i->logon_server = talloc_strdup(i, resp->data.auth.info3.logon_srv); + BAIL_ON_PTR_ERROR(i->logon_server, wbc_status); + i->logon_script = talloc_strdup(i, resp->data.auth.info3.logon_script); + BAIL_ON_PTR_ERROR(i->logon_script, wbc_status); + i->profile_path = talloc_strdup(i, resp->data.auth.info3.profile_path); + BAIL_ON_PTR_ERROR(i->profile_path, wbc_status); + i->home_directory= talloc_strdup(i, resp->data.auth.info3.home_dir); + BAIL_ON_PTR_ERROR(i->home_directory, wbc_status); + i->home_drive = talloc_strdup(i, resp->data.auth.info3.dir_drive); + BAIL_ON_PTR_ERROR(i->home_drive, wbc_status); + + i->num_sids = 2; + i->num_sids += resp->data.auth.info3.num_groups; + i->num_sids += resp->data.auth.info3.num_other_sids; + + i->sids = talloc_array(i, struct wbcSidWithAttr, i->num_sids); + BAIL_ON_PTR_ERROR(i->sids, wbc_status); + + wbc_status = wbcStringToSid(resp->data.auth.info3.dom_sid, + &domain_sid); + BAIL_ON_WBC_ERROR(wbc_status); + +#define _SID_COMPOSE(s, d, r, a) { \ + (s).sid = d; \ + if ((s).sid.num_auths < WBC_MAXSUBAUTHS) { \ + (s).sid.sub_auths[(s).sid.num_auths++] = r; \ + } else { \ + wbc_status = WBC_ERR_INVALID_SID; \ + BAIL_ON_WBC_ERROR(wbc_status); \ + } \ + (s).attributes = a; \ +} while (0) + + sn = 0; + _SID_COMPOSE(i->sids[sn], domain_sid, + resp->data.auth.info3.user_rid, + 0); + sn++; + _SID_COMPOSE(i->sids[sn], domain_sid, + resp->data.auth.info3.group_rid, + 0); + sn++; + + p = (char *)resp->extra_data.data; + if (!p) { + wbc_status = WBC_ERR_INVALID_RESPONSE; + BAIL_ON_WBC_ERROR(wbc_status); + } + + for (j=0; j < resp->data.auth.info3.num_groups; j++) { + uint32_t rid; + uint32_t attrs; + int ret; + char *s = p; + char *e = strchr(p, '\n'); + if (!e) { + wbc_status = WBC_ERR_INVALID_RESPONSE; + BAIL_ON_WBC_ERROR(wbc_status); + } + e[0] = '\0'; + p = &e[1]; + + ret = sscanf(s, "0x%08X:0x%08X", &rid, &attrs); + if (ret != 2) { + wbc_status = WBC_ERR_INVALID_RESPONSE; + BAIL_ON_WBC_ERROR(wbc_status); + } + + _SID_COMPOSE(i->sids[sn], domain_sid, + rid, attrs); + sn++; + } + + for (j=0; j < resp->data.auth.info3.num_other_sids; j++) { + uint32_t attrs; + int ret; + char *s = p; + char *a; + char *e = strchr(p, '\n'); + if (!e) { + wbc_status = WBC_ERR_INVALID_RESPONSE; + BAIL_ON_WBC_ERROR(wbc_status); + } + e[0] = '\0'; + p = &e[1]; + + e = strchr(s, ':'); + if (!e) { + wbc_status = WBC_ERR_INVALID_RESPONSE; + BAIL_ON_WBC_ERROR(wbc_status); + } + e[0] = '\0'; + a = &e[1]; + + ret = sscanf(a, "0x%08X", + &attrs); + if (ret != 1) { + wbc_status = WBC_ERR_INVALID_RESPONSE; + BAIL_ON_WBC_ERROR(wbc_status); + } + + wbc_status = wbcStringToSid(s, &i->sids[sn].sid); + BAIL_ON_WBC_ERROR(wbc_status); + + i->sids[sn].attributes = attrs; + sn++; + } + + i->num_sids = sn; + + *_i = i; + i = NULL; +done: + talloc_free(i); + return wbc_status; +} + +/* FIXME: Currently this is still a copy of the same function from wbc_pam.c */ +static wbcErr wbc_create_error_info(const struct winbindd_response *resp, + struct wbcAuthErrorInfo **_e) +{ + wbcErr wbc_status = WBC_ERR_SUCCESS; + struct wbcAuthErrorInfo *e; + + e = talloc(NULL, struct wbcAuthErrorInfo); + BAIL_ON_PTR_ERROR(e, wbc_status); + + e->nt_status = resp->data.auth.nt_status; + e->pam_error = resp->data.auth.pam_error; + e->nt_string = talloc_strdup(e, resp->data.auth.nt_status_string); + BAIL_ON_PTR_ERROR(e->nt_string, wbc_status); + + e->display_string = talloc_strdup(e, resp->data.auth.error_string); + BAIL_ON_PTR_ERROR(e->display_string, wbc_status); + + *_e = e; + e = NULL; + +done: + talloc_free(e); + return wbc_status; +} + +struct wbc_authenticate_user_ex_state { + struct winbindd_request req; + struct tevent_context *ev; + struct wb_context *wb_ctx; + const struct wbcAuthUserParams *params; + struct wbcAuthUserInfo *info; + struct wbcAuthErrorInfo *error; +}; + +static void wbcAuthenticateUserEx_got_info(struct tevent_req *subreq); +static void wbcAuthenticateUserEx_done(struct tevent_req *subreq); + +struct tevent_req *wbcAuthenticateUserEx_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct wb_context *wb_ctx, + const struct wbcAuthUserParams *params) +{ + struct tevent_req *req, *subreq; + struct wbc_authenticate_user_ex_state *state; + + req = tevent_req_create(mem_ctx, &state, + struct wbc_authenticate_user_ex_state); + if (req == NULL) { + return NULL; + } + + state->ev = ev; + state->wb_ctx = wb_ctx; + state->params = params; + + if (!params) { + tevent_req_error(req, WBC_ERR_INVALID_PARAM); + return tevent_req_post(req, ev); + } + + if (!params->account_name) { + tevent_req_error(req, WBC_ERR_INVALID_PARAM); + return tevent_req_post(req, ev); + } + + ZERO_STRUCT(state->req); + + if (params->flags) { + state->req.flags = params->flags; + } + + switch (params->level) { + case WBC_AUTH_USER_LEVEL_PLAIN: + state->req.cmd = WINBINDD_PAM_AUTH; + state->req.flags |= WBFLAG_PAM_INFO3_TEXT | + WBFLAG_PAM_USER_SESSION_KEY | + WBFLAG_PAM_LMKEY; + + if (!params->password.plaintext) { + tevent_req_error(req, WBC_ERR_INVALID_PARAM); + return tevent_req_post(req, ev); + } + + strncpy(state->req.data.auth.pass, + params->password.plaintext, + sizeof(state->req.data.auth.pass)-1); + + if (params->domain_name && params->domain_name[0]) { + /* We need to get the winbind separator :-( */ + subreq = wbcInfo_send(state, ev, wb_ctx); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + + tevent_req_set_callback(subreq, + wbcAuthenticateUserEx_got_info, + req); + return req; + } else { + strncpy(state->req.data.auth.user, + params->account_name, + sizeof(state->req.data.auth.user)-1); + } + + break; + + case WBC_AUTH_USER_LEVEL_HASH: + tevent_req_error(req, WBC_ERR_NOT_IMPLEMENTED); + return tevent_req_post(req, ev); + /* Make some static code checkers happy */ + break; + + case WBC_AUTH_USER_LEVEL_RESPONSE: + state->req.cmd = WINBINDD_PAM_AUTH_CRAP; + state->req.flags |= WBFLAG_PAM_INFO3_TEXT | + WBFLAG_PAM_USER_SESSION_KEY | + WBFLAG_PAM_LMKEY; + + if (params->password.response.lm_length && + !params->password.response.lm_data) { + tevent_req_error(req, WBC_ERR_INVALID_PARAM); + return tevent_req_post(req, ev); + } + if (params->password.response.lm_length == 0 && + params->password.response.lm_data) { + tevent_req_error(req, WBC_ERR_INVALID_PARAM); + return tevent_req_post(req, ev); + } + + if (params->password.response.nt_length && + !params->password.response.nt_data) { + tevent_req_error(req, WBC_ERR_INVALID_PARAM); + return tevent_req_post(req, ev); + } + if (params->password.response.nt_length == 0&& + params->password.response.nt_data) { + tevent_req_error(req, WBC_ERR_INVALID_PARAM); + return tevent_req_post(req, ev); + } + + strncpy(state->req.data.auth_crap.user, + params->account_name, + sizeof(state->req.data.auth_crap.user)-1); + if (params->domain_name) { + strncpy(state->req.data.auth_crap.domain, + params->domain_name, + sizeof(state->req.data.auth_crap.domain)-1); + } + if (params->workstation_name) { + strncpy(state->req.data.auth_crap.workstation, + params->workstation_name, + sizeof(state->req.data.auth_crap.workstation)-1); + } + + state->req.data.auth_crap.logon_parameters = + params->parameter_control; + + memcpy(state->req.data.auth_crap.chal, + params->password.response.challenge, + sizeof(state->req.data.auth_crap.chal)); + + state->req.data.auth_crap.lm_resp_len = + MIN(params->password.response.lm_length, + sizeof(state->req.data.auth_crap.lm_resp)); + state->req.data.auth_crap.nt_resp_len = + MIN(params->password.response.nt_length, + sizeof(state->req.data.auth_crap.nt_resp)); + if (params->password.response.lm_data) { + memcpy(state->req.data.auth_crap.lm_resp, + params->password.response.lm_data, + state->req.data.auth_crap.lm_resp_len); + } + if (params->password.response.nt_data) { + memcpy(state->req.data.auth_crap.nt_resp, + params->password.response.nt_data, + state->req.data.auth_crap.nt_resp_len); + } + break; + default: + tevent_req_error(req, WBC_ERR_INVALID_PARAM); + return tevent_req_post(req, ev); + break; + } + + subreq = wb_trans_send(state, ev, wb_ctx, false, &state->req); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + + tevent_req_set_callback(subreq, wbcAuthenticateUserEx_done, req); + return req; +} + +static void wbcAuthenticateUserEx_got_info(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + struct wbc_authenticate_user_ex_state *state = tevent_req_data( + req, struct wbc_authenticate_user_ex_state); + char *version_string; + char separator; + wbcErr wbc_status; + + wbc_status = wbcInfo_recv(subreq, state, &separator, &version_string); + TALLOC_FREE(subreq); + if (!WBC_ERROR_IS_OK(wbc_status)) { + tevent_req_error(req, wbc_status); + return; + } + + snprintf(state->req.data.auth.user, + sizeof(state->req.data.auth.user)-1, + "%s%c%s", + state->params->domain_name, + separator, + state->params->account_name); + + subreq = wb_trans_send(state, state->ev, state->wb_ctx, false, + &state->req); + if (tevent_req_nomem(subreq, req)) { + return; + } + + tevent_req_set_callback(subreq, wbcAuthenticateUserEx_done, req); + return; +} + +static void wbcAuthenticateUserEx_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + struct wbc_authenticate_user_ex_state *state = tevent_req_data( + req, struct wbc_authenticate_user_ex_state); + struct winbindd_response *resp; + wbcErr wbc_status; + + ZERO_STRUCT(resp); + + wbc_status = wb_trans_recv(subreq, state, &resp); + TALLOC_FREE(subreq); + if (!WBC_ERROR_IS_OK(wbc_status)) { + tevent_req_error(req, wbc_status); + goto done; + } + + if (resp->data.auth.nt_status != 0) { + wbc_status = wbc_create_error_info(resp, &state->error); + if (!WBC_ERROR_IS_OK(wbc_status)) { + tevent_req_error(req, wbc_status); + goto done; + } + + tevent_req_error(req, WBC_ERR_AUTH_ERROR); + goto done; + } + + wbc_status = wbc_create_auth_info(state, resp, &state->info); + if (!WBC_ERROR_IS_OK(wbc_status)) { + tevent_req_error(req, wbc_status); + goto done; + } + +done: + TALLOC_FREE(resp); +} + +wbcErr wbcAuthenticateUserEx_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + struct wbcAuthUserInfo **info, + struct wbcAuthErrorInfo **error) +{ + struct wbc_authenticate_user_ex_state *state = tevent_req_data( + req, struct wbc_authenticate_user_ex_state); + wbcErr wbc_status; + + if (error) { + *error = NULL; + } + + if (tevent_req_is_wbcerr(req, &wbc_status)) { + tevent_req_received(req); + if (error) { + *error = talloc_steal(mem_ctx, state->error); + } + return wbc_status; + } + + if (info) { + *info = talloc_steal(mem_ctx, state->info); + } + + tevent_req_received(req); + return wbc_status; +} |