summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
Diffstat (limited to 'source4')
-rw-r--r--source4/include/structs.h1
-rw-r--r--source4/winbind/config.mk1
-rw-r--r--source4/winbind/wb_pam_auth.c265
-rw-r--r--source4/winbind/wb_samba3_cmd.c78
4 files changed, 326 insertions, 19 deletions
diff --git a/source4/include/structs.h b/source4/include/structs.h
index 142d28990e..e67eca5c5c 100644
--- a/source4/include/structs.h
+++ b/source4/include/structs.h
@@ -107,6 +107,7 @@ struct netr_Authenticator;
union netr_Validation;
struct netr_SamBaseInfo;
struct netr_SamInfo3;
+struct netr_UserSessionKey;
struct iface_struct;
diff --git a/source4/winbind/config.mk b/source4/winbind/config.mk
index f949f87106..a33a886bcc 100644
--- a/source4/winbind/config.mk
+++ b/source4/winbind/config.mk
@@ -11,6 +11,7 @@ INIT_OBJ_FILES = \
winbind/wb_samba3_cmd.o \
winbind/wb_init_domain.o \
winbind/wb_connect_lsa.o \
+ winbind/wb_pam_auth.o \
winbind/wb_async_helpers.o
REQUIRED_SUBSYSTEMS = RPC_NDR_LSA
# End MODULE server_service_winbind
diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c
new file mode 100644
index 0000000000..2a3873ce6e
--- /dev/null
+++ b/source4/winbind/wb_pam_auth.c
@@ -0,0 +1,265 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Authenticate a user
+
+ Copyright (C) Volker Lendecke 2005
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include "libcli/composite/composite.h"
+#include "winbind/wb_async_helpers.h"
+#include "winbind/wb_server.h"
+#include "smbd/service_stream.h"
+#include "libcli/auth/credentials.h"
+
+struct pam_auth_crap_state {
+ struct composite_context *ctx;
+ struct wbsrv_domain *domain;
+ const char *domain_name;
+ const char *user_name;
+ const char *workstation;
+ DATA_BLOB chal, nt_resp, lm_resp;
+
+ struct creds_CredentialState *creds_state;
+ struct netr_Authenticator auth, auth2;
+ struct netr_NetworkInfo ninfo;
+ struct netr_LogonSamLogon r;
+
+ struct netr_UserSessionKey user_session_key;
+ struct netr_LMSessionKey lm_key;
+ DATA_BLOB info3;
+};
+
+static struct rpc_request *send_samlogon(struct pam_auth_crap_state *state);
+static void pam_auth_crap_recv_init(struct composite_context *ctx);
+static void pam_auth_crap_recv_samlogon(struct rpc_request *req);
+
+struct composite_context *wb_pam_auth_crap_send(struct wbsrv_call *call,
+ const char *domain,
+ const char *user,
+ const char *workstation,
+ DATA_BLOB chal,
+ DATA_BLOB nt_resp,
+ DATA_BLOB lm_resp)
+{
+ struct composite_context *result, *ctx;
+ struct pam_auth_crap_state *state;
+ struct wbsrv_service *service = call->wbconn->listen_socket->service;
+
+ result = talloc(NULL, struct composite_context);
+ if (result == NULL) goto failed;
+ result->state = COMPOSITE_STATE_IN_PROGRESS;
+ result->event_ctx = call->event_ctx;
+ result->async.fn = NULL;
+
+ state = talloc(result, struct pam_auth_crap_state);
+ if (state == NULL) goto failed;
+ state->ctx = result;
+ result->private_data = state;
+
+ state->domain = service->domains;
+
+ state->domain_name = talloc_strdup(state, domain);
+ if (state->domain_name == NULL) goto failed;
+
+ state->user_name = talloc_strdup(state, user);
+ if (state->user_name == NULL) goto failed;
+
+ state->workstation = talloc_strdup(state, workstation);
+ if (state->workstation == NULL) goto failed;
+
+ state->chal = data_blob_talloc(state, chal.data, chal.length);
+ if ((chal.data != NULL) && (state->chal.data == NULL)) goto failed;
+
+ state->nt_resp = data_blob_talloc(state, nt_resp.data, nt_resp.length);
+ if ((nt_resp.data != NULL) &&
+ (state->nt_resp.data == NULL)) goto failed;
+
+ state->lm_resp = data_blob_talloc(state, lm_resp.data, lm_resp.length);
+ if ((lm_resp.data != NULL) &&
+ (state->lm_resp.data == NULL)) goto failed;
+
+ if (state->domain->initialized) {
+ struct rpc_request *req = send_samlogon(state);
+ if (req == NULL) goto failed;
+ req->async.callback = pam_auth_crap_recv_samlogon;
+ req->async.private = state;
+ return result;
+ }
+
+ ctx = wb_init_domain_send(state->domain, result->event_ctx,
+ call->wbconn->conn->msg_ctx);
+ if (ctx == NULL) goto failed;
+ ctx->async.fn = pam_auth_crap_recv_init;
+ ctx->async.private_data = state;
+ return result;
+
+ failed:
+ talloc_free(result);
+ return NULL;
+}
+
+static void pam_auth_crap_recv_init(struct composite_context *ctx)
+{
+ struct pam_auth_crap_state *state =
+ talloc_get_type(ctx->async.private_data,
+ struct pam_auth_crap_state);
+ struct rpc_request *req;
+
+ state->ctx->status = wb_init_domain_recv(ctx);
+ if (!composite_is_ok(state->ctx)) return;
+
+ req = send_samlogon(state);
+ composite_continue_rpc(state->ctx, req,
+ pam_auth_crap_recv_samlogon, state);
+}
+
+struct rpc_request *send_samlogon(struct pam_auth_crap_state *state)
+{
+ state->creds_state = cli_credentials_get_netlogon_creds(
+ state->domain->schannel_creds);
+ creds_client_authenticator(state->creds_state, &state->auth);
+
+ state->ninfo.identity_info.account_name.string = state->user_name;
+ state->ninfo.identity_info.domain_name.string = state->domain_name;
+ state->ninfo.identity_info.parameter_control = 0;
+ state->ninfo.identity_info.logon_id_low = 0;
+ state->ninfo.identity_info.logon_id_high = 0;
+ state->ninfo.identity_info.workstation.string = state->workstation;
+
+ SMB_ASSERT(state->chal.length == sizeof(state->ninfo.challenge));
+ memcpy(state->ninfo.challenge, state->chal.data,
+ sizeof(state->ninfo.challenge));
+
+ state->ninfo.nt.length = state->nt_resp.length;
+ state->ninfo.nt.data = state->nt_resp.data;
+ state->ninfo.lm.length = state->lm_resp.length;
+ state->ninfo.lm.data = state->lm_resp.data;
+
+ state->r.in.server_name = talloc_asprintf(
+ state, "\\\\%s",
+ dcerpc_server_name(state->domain->netlogon_pipe));
+ if (state->r.in.server_name == NULL) return NULL;
+
+ state->r.in.workstation = cli_credentials_get_workstation(
+ state->domain->schannel_creds);
+ state->r.in.credential = &state->auth;
+ state->r.in.return_authenticator = &state->auth2;
+ state->r.in.logon_level = 2;
+ state->r.in.validation_level = 3;
+ state->r.in.logon.network = &state->ninfo;
+ state->r.out.return_authenticator = NULL;
+
+ return dcerpc_netr_LogonSamLogon_send(state->domain->netlogon_pipe,
+ state, &state->r);
+}
+
+static void pam_auth_crap_recv_samlogon(struct rpc_request *req)
+{
+ struct pam_auth_crap_state *state =
+ talloc_get_type(req->async.private,
+ struct pam_auth_crap_state);
+ struct netr_SamBaseInfo *base;
+ DATA_BLOB tmp_blob;
+
+ state->ctx->status = dcerpc_ndr_request_recv(req);
+ if (!composite_is_ok(state->ctx)) return;
+ state->ctx->status = state->r.out.result;
+ if (!composite_is_ok(state->ctx)) return;
+
+ if ((state->r.out.return_authenticator == NULL) ||
+ (!creds_client_check(state->creds_state,
+ &state->r.out.return_authenticator->cred))) {
+ DEBUG(0, ("Credentials check failed!\n"));
+ composite_error(state->ctx, NT_STATUS_ACCESS_DENIED);
+ return;
+ }
+
+ creds_decrypt_samlogon(state->creds_state,
+ state->r.in.validation_level,
+ &state->r.out.validation);
+
+ state->ctx->status = ndr_push_struct_blob(
+ &tmp_blob, state, state->r.out.validation.sam3,
+ (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3);
+ if (!composite_is_ok(state->ctx)) return;
+
+ state->info3 = data_blob_talloc(state, NULL, tmp_blob.length+4);
+ if (composite_nomem(state->info3.data, state->ctx)) return;
+
+ SIVAL(state->info3.data, 0, 1);
+ memcpy(state->info3.data+4, tmp_blob.data, tmp_blob.length);
+
+ base = NULL;
+ switch(state->r.in.validation_level) {
+ case 2:
+ base = &state->r.out.validation.sam2->base;
+ break;
+ case 3:
+ base = &state->r.out.validation.sam3->base;
+ break;
+ case 6:
+ base = &state->r.out.validation.sam6->base;
+ break;
+ }
+ if (base == NULL) {
+ composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR);
+ return;
+ }
+
+ state->user_session_key = base->key;
+ state->lm_key = base->LMSessKey;
+
+ composite_done(state->ctx);
+}
+
+NTSTATUS wb_pam_auth_crap_recv(struct composite_context *c,
+ TALLOC_CTX *mem_ctx,
+ DATA_BLOB *info3,
+ struct netr_UserSessionKey *user_session_key,
+ struct netr_LMSessionKey *lm_key)
+{
+ NTSTATUS status = composite_wait(c);
+ if (NT_STATUS_IS_OK(status)) {
+ struct pam_auth_crap_state *state =
+ talloc_get_type(c->private_data,
+ struct pam_auth_crap_state);
+ info3->length = state->info3.length;
+ info3->data = talloc_steal(mem_ctx, state->info3.data);
+ *user_session_key = state->user_session_key;
+ *lm_key = state->lm_key;
+ }
+ talloc_free(c);
+ return status;
+}
+
+NTSTATUS wb_pam_auth_crap(struct wbsrv_call *call,
+ const char *domain, const char *user,
+ const char *workstation,
+ DATA_BLOB chal, DATA_BLOB nt_resp,
+ DATA_BLOB lm_resp, TALLOC_CTX *mem_ctx,
+ DATA_BLOB *info3,
+ struct netr_UserSessionKey *user_session_key,
+ struct netr_LMSessionKey *lm_key)
+{
+ struct composite_context *c =
+ wb_pam_auth_crap_send(call, domain, user, workstation,
+ chal, nt_resp, lm_resp);
+ return wb_pam_auth_crap_recv(c, mem_ctx, info3, user_session_key,
+ lm_key);
+}
diff --git a/source4/winbind/wb_samba3_cmd.c b/source4/winbind/wb_samba3_cmd.c
index 64d75016bb..37415e4993 100644
--- a/source4/winbind/wb_samba3_cmd.c
+++ b/source4/winbind/wb_samba3_cmd.c
@@ -179,38 +179,47 @@ static void lookupname_recv_sid(struct composite_context *ctx)
NTSTATUS wbsrv_samba3_pam_auth(struct wbsrv_samba3_call *s3call)
{
- struct wbsrv_service *service =
- s3call->call->wbconn->listen_socket->service;
-
s3call->response.result = WINBINDD_ERROR;
return NT_STATUS_OK;
}
NTSTATUS wbsrv_samba3_pam_auth_crap(struct wbsrv_samba3_call *s3call)
{
+#if 0
struct wbsrv_service *service =
s3call->call->wbconn->listen_socket->service;
+ struct wbsrv_domain *domain;
struct creds_CredentialState *creds_state;
struct netr_Authenticator auth, auth2;
struct netr_NetworkInfo ninfo;
struct netr_LogonSamLogon r;
NTSTATUS status;
- TALLOC_CTX *mem_ctx = talloc_new(s3call);
+ TALLOC_CTX *mem_ctx;
+
+ DEBUG(5, ("wbsrv_samba3_pam_auth_crap called\n"));
+
+ mem_ctx = talloc_new(s3call);
if (!mem_ctx) {
return NT_STATUS_NO_MEMORY;
}
+ domain = service->domains;
+
ZERO_STRUCT(auth2);
- creds_state = cli_credentials_get_netlogon_creds(service->domains->schannel_creds);
+ creds_state =
+ cli_credentials_get_netlogon_creds(domain->schannel_creds);
creds_client_authenticator(creds_state, &auth);
- ninfo.identity_info.account_name.string = s3call->request.data.auth_crap.user;
- ninfo.identity_info.domain_name.string = s3call->request.data.auth_crap.domain;
+ ninfo.identity_info.account_name.string =
+ s3call->request.data.auth_crap.user;
+ ninfo.identity_info.domain_name.string =
+ s3call->request.data.auth_crap.domain;
ninfo.identity_info.parameter_control = 0;
ninfo.identity_info.logon_id_low = 0;
ninfo.identity_info.logon_id_high = 0;
- ninfo.identity_info.workstation.string = s3call->request.data.auth_crap.workstation;
+ ninfo.identity_info.workstation.string =
+ s3call->request.data.auth_crap.workstation;
memcpy(ninfo.challenge, s3call->request.data.auth_crap.chal,
sizeof(ninfo.challenge));
ninfo.nt.length = s3call->request.data.auth_crap.nt_resp_len;
@@ -218,8 +227,11 @@ NTSTATUS wbsrv_samba3_pam_auth_crap(struct wbsrv_samba3_call *s3call)
ninfo.lm.length = s3call->request.data.auth_crap.lm_resp_len;
ninfo.lm.data = s3call->request.data.auth_crap.lm_resp;
- r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(service->domains->netlogon_pipe));
- r.in.workstation = cli_credentials_get_workstation(service->domains->schannel_creds);
+ r.in.server_name =
+ talloc_asprintf(mem_ctx, "\\\\%s",
+ dcerpc_server_name(domain->netlogon_pipe));
+ r.in.workstation =
+ cli_credentials_get_workstation(domain->schannel_creds);
r.in.credential = &auth;
r.in.return_authenticator = &auth2;
r.in.logon_level = 2;
@@ -227,14 +239,15 @@ NTSTATUS wbsrv_samba3_pam_auth_crap(struct wbsrv_samba3_call *s3call)
r.in.logon.network = &ninfo;
r.out.return_authenticator = NULL;
- status = dcerpc_netr_LogonSamLogon(service->domains->netlogon_pipe, mem_ctx, &r);
+ status = dcerpc_netr_LogonSamLogon(domain->netlogon_pipe, mem_ctx, &r);
if (!r.out.return_authenticator ||
- !creds_client_check(creds_state, &r.out.return_authenticator->cred)) {
+ !creds_client_check(creds_state,
+ &r.out.return_authenticator->cred)) {
DEBUG(0, ("Credentials check failed!\n"));
status = NT_STATUS_ACCESS_DENIED;
}
if (NT_STATUS_IS_OK(status)) {
- struct netr_SamBaseInfo *base;
+ struct netr_SamBaseInfo *base = NULL;
switch (r.in.validation_level) {
case 2:
base = &r.out.validation.sam2->base;
@@ -254,10 +267,12 @@ NTSTATUS wbsrv_samba3_pam_auth_crap(struct wbsrv_samba3_call *s3call)
if ((s3call->request.flags & WBFLAG_PAM_INFO3_NDR)
&& (r.in.validation_level == 3)) {
DATA_BLOB tmp_blob, tmp_blob2;
- status = ndr_push_struct_blob(&tmp_blob, mem_ctx, r.out.validation.sam3,
- (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3);
+ status = ndr_push_struct_blob(
+ &tmp_blob, mem_ctx, r.out.validation.sam3,
+ (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3);
if (NT_STATUS_IS_OK(status)) {
- tmp_blob2 = data_blob_talloc(mem_ctx, NULL, tmp_blob.length + 4);
+ tmp_blob2 = data_blob_talloc(
+ mem_ctx, NULL, tmp_blob.length + 4);
if (!tmp_blob2.data) {
status = NT_STATUS_NO_MEMORY;
}
@@ -265,9 +280,11 @@ NTSTATUS wbsrv_samba3_pam_auth_crap(struct wbsrv_samba3_call *s3call)
/* Ugly Samba3 winbind pipe compatability */
if (NT_STATUS_IS_OK(status)) {
SIVAL(tmp_blob2.data, 0, 1);
- memcpy(tmp_blob2.data + 4, tmp_blob.data, tmp_blob.length);
+ memcpy(tmp_blob2.data + 4, tmp_blob.data,
+ tmp_blob.length);
}
- s3call->response.extra_data = talloc_steal(s3call, tmp_blob2.data);
+ s3call->response.extra_data =
+ talloc_steal(s3call, tmp_blob2.data);
s3call->response.length += tmp_blob2.length;
}
if (s3call->request.flags & WBFLAG_PAM_USER_SESSION_KEY) {
@@ -276,7 +293,8 @@ NTSTATUS wbsrv_samba3_pam_auth_crap(struct wbsrv_samba3_call *s3call)
}
if (s3call->request.flags & WBFLAG_PAM_LMKEY) {
memcpy(s3call->response.data.auth.first_8_lm_hash,
- base->LMSessKey.key, sizeof(s3call->response.data.auth.first_8_lm_hash) /* 8 */);
+ base->LMSessKey.key,
+ sizeof(s3call->response.data.auth.first_8_lm_hash) /* 8 */);
}
}
@@ -294,4 +312,26 @@ NTSTATUS wbsrv_samba3_pam_auth_crap(struct wbsrv_samba3_call *s3call)
nt_errstr(status));
s3call->response.data.auth.pam_error = nt_status_to_pam(status);
return NT_STATUS_OK;
+#else
+ DATA_BLOB chal, nt_resp, lm_resp;
+ DATA_BLOB info3;
+ struct netr_UserSessionKey user_session_key;
+ struct netr_LMSessionKey lm_key;
+
+ DEBUG(5, ("wbsrv_samba3_pam_auth_crap called\n"));
+
+ chal.data = s3call->request.data.auth_crap.chal;
+ chal.length = sizeof(s3call->request.data.auth_crap.chal);
+ nt_resp.data = s3call->request.data.auth_crap.nt_resp;
+ nt_resp.length = s3call->request.data.auth_crap.nt_resp_len;
+ lm_resp.data = s3call->request.data.auth_crap.lm_resp;
+ lm_resp.length = s3call->request.data.auth_crap.lm_resp_len;
+
+ return wb_pam_auth_crap(s3call->call,
+ s3call->request.data.auth_crap.user,
+ s3call->request.data.auth_crap.domain,
+ s3call->request.data.auth_crap.workstation,
+ chal, nt_resp, lm_resp,
+ s3call, &info3, &user_session_key, &lm_key);
+#endif
}