/* Trigger a change of the trust credentials for a specific domain */
wbcErr wbcCtxChangeTrustCredentials(struct wbcContext *ctx, const char *domain,
struct wbcAuthErrorInfo **error)
{
struct winbindd_request request;
struct winbindd_response response;
wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
ZERO_STRUCT(request);
ZERO_STRUCT(response);
if (domain) {
strncpy(request.domain_name, domain,
sizeof(request.domain_name)-1);
}
/* Send request */
wbc_status = wbcRequestResponsePriv(ctx, WINBINDD_CHANGE_MACHACC,
&request, &response);
if (response.data.auth.nt_status != 0) {
if (error) {
wbc_status = wbc_create_error_info(&response,
error);
BAIL_ON_WBC_ERROR(wbc_status);
}
wbc_status = WBC_ERR_AUTH_ERROR;
BAIL_ON_WBC_ERROR(wbc_status);
}
BAIL_ON_WBC_ERROR(wbc_status);
done:
return wbc_status;
}
/*
* Trigger a no-op NETLOGON call. Lightweight version of
* wbcCheckTrustCredentials, optionally return attempted DC
*/
wbcErr wbcPingDc2(const char *domain, struct wbcAuthErrorInfo **error,
char **dcname)
{
struct winbindd_request request;
struct winbindd_response response;
wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
if (domain) {
/*
* the current protocol doesn't support
* specifying a domain
*/
wbc_status = WBC_ERR_NOT_IMPLEMENTED;
BAIL_ON_WBC_ERROR(wbc_status);
}
ZERO_STRUCT(request);
ZERO_STRUCT(response);
/* Send request */
wbc_status = wbcRequestResponse(WINBINDD_PING_DC,
&request,
&response);
if (dcname && response.extra_data.data) {
size_t len;
len = response.length - sizeof(struct winbindd_response);
*dcname = wbcAllocateMemory(1, len, NULL);
BAIL_ON_PTR_ERROR(*dcname, wbc_status);
strlcpy(*dcname, response.extra_data.data, len);
}
if (response.data.auth.nt_status != 0) {
if (error) {
wbc_status = wbc_create_error_info(&response,
error);
BAIL_ON_WBC_ERROR(wbc_status);
}
wbc_status = WBC_ERR_AUTH_ERROR;
BAIL_ON_WBC_ERROR(wbc_status);
}
BAIL_ON_WBC_ERROR(wbc_status);
done:
return wbc_status;
}
/*
* Trigger a no-op NETLOGON call. Lightweight version of
* wbcCheckTrustCredentials, optionally return attempted DC
*/
wbcErr wbcCtxPingDc2(struct wbcContext *ctx, const char *domain,
struct wbcAuthErrorInfo **error, char **dcname)
{
struct winbindd_request request;
struct winbindd_response response;
wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
ZERO_STRUCT(request);
ZERO_STRUCT(response);
if (domain) {
strncpy(request.domain_name, domain,
sizeof(request.domain_name)-1);
}
/* Send request */
wbc_status = wbcRequestResponse(ctx, WINBINDD_PING_DC,
&request,
&response);
if (dcname && response.extra_data.data) {
size_t len;
len = response.length - sizeof(struct winbindd_response);
*dcname = wbcAllocateMemory(1, len, NULL);
BAIL_ON_PTR_ERROR(*dcname, wbc_status);
strlcpy(*dcname, response.extra_data.data, len);
}
if (response.data.auth.nt_status != 0) {
if (error) {
wbc_status = wbc_create_error_info(&response,
error);
BAIL_ON_WBC_ERROR(wbc_status);
}
wbc_status = WBC_ERR_AUTH_ERROR;
BAIL_ON_WBC_ERROR(wbc_status);
}
BAIL_ON_WBC_ERROR(wbc_status);
done:
return wbc_status;
}
/* Change a password for a user with more detailed information upon failure */
wbcErr wbcCtxChangeUserPasswordEx(struct wbcContext *ctx,
const struct wbcChangePasswordParams *params,
struct wbcAuthErrorInfo **error,
enum wbcPasswordChangeRejectReason *reject_reason,
struct wbcUserPasswordPolicyInfo **policy)
{
struct winbindd_request request;
struct winbindd_response response;
wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
int cmd = 0;
/* validate input */
if (!params->account_name) {
wbc_status = WBC_ERR_INVALID_PARAM;
goto done;
}
if (error) {
*error = NULL;
}
if (policy) {
*policy = NULL;
}
if (reject_reason) {
*reject_reason = -1;
}
ZERO_STRUCT(request);
ZERO_STRUCT(response);
switch (params->level) {
case WBC_CHANGE_PASSWORD_LEVEL_PLAIN:
cmd = WINBINDD_PAM_CHAUTHTOK;
if (!params->account_name) {
wbc_status = WBC_ERR_INVALID_PARAM;
goto done;
}
strncpy(request.data.chauthtok.user, params->account_name,
sizeof(request.data.chauthtok.user) - 1);
if (params->old_password.plaintext) {
strncpy(request.data.chauthtok.oldpass,
params->old_password.plaintext,
sizeof(request.data.chauthtok.oldpass) - 1);
}
if (params->new_password.plaintext) {
strncpy(request.data.chauthtok.newpass,
params->new_password.plaintext,
sizeof(request.data.chauthtok.newpass) - 1);
}
break;
case WBC_CHANGE_PASSWORD_LEVEL_RESPONSE:
cmd = WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP;
if (!params->account_name || !params->domain_name) {
wbc_status = WBC_ERR_INVALID_PARAM;
goto done;
}
if (params->old_password.response.old_lm_hash_enc_length &&
!params->old_password.response.old_lm_hash_enc_data) {
wbc_status = WBC_ERR_INVALID_PARAM;
goto done;
}
if (params->old_password.response.old_lm_hash_enc_length == 0 &&
params->old_password.response.old_lm_hash_enc_data) {
wbc_status = WBC_ERR_INVALID_PARAM;
goto done;
}
if (params->old_password.response.old_nt_hash_enc_length &&
!params->old_password.response.old_nt_hash_enc_data) {
wbc_status = WBC_ERR_INVALID_PARAM;
goto done;
}
if (params->old_password.response.old_nt_hash_enc_length == 0 &&
params->old_password.response.old_nt_hash_enc_data) {
wbc_status = WBC_ERR_INVALID_PARAM;
goto done;
}
if (params->new_password.response.lm_length &&
!params->new_password.response.lm_data) {
wbc_status = WBC_ERR_INVALID_PARAM;
goto done;
}
if (params->new_password.response.lm_length == 0 &&
params->new_password.response.lm_data) {
wbc_status = WBC_ERR_INVALID_PARAM;
goto done;
}
if (params->new_password.response.nt_length &&
!params->new_password.response.nt_data) {
wbc_status = WBC_ERR_INVALID_PARAM;
goto done;
}
if (params->new_password.response.nt_length == 0 &&
params->new_password.response.nt_data) {
wbc_status = WBC_ERR_INVALID_PARAM;
goto done;
}
strncpy(request.data.chng_pswd_auth_crap.user,
params->account_name,
sizeof(request.data.chng_pswd_auth_crap.user) - 1);
strncpy(request.data.chng_pswd_auth_crap.domain,
params->domain_name,
sizeof(request.data.chng_pswd_auth_crap.domain) - 1);
if (params->new_password.response.nt_data) {
request.data.chng_pswd_auth_crap.new_nt_pswd_len =
params->new_password.response.nt_length;
memcpy(request.data.chng_pswd_auth_crap.new_nt_pswd,
params->new_password.response.nt_data,
request.data.chng_pswd_auth_crap.new_nt_pswd_len);
}
if (params->new_password.response.lm_data) {
request.data.chng_pswd_auth_crap.new_lm_pswd_len =
params->new_password.response.lm_length;
memcpy(request.data.chng_pswd_auth_crap.new_lm_pswd,
params->new_password.response.lm_data,
request.data.chng_pswd_auth_crap.new_lm_pswd_len);
}
if (params->old_password.response.old_nt_hash_enc_data) {
request.data.chng_pswd_auth_crap.old_nt_hash_enc_len =
params->old_password.response.old_nt_hash_enc_length;
memcpy(request.data.chng_pswd_auth_crap.old_nt_hash_enc,
params->old_password.response.old_nt_hash_enc_data,
request.data.chng_pswd_auth_crap.old_nt_hash_enc_len);
}
if (params->old_password.response.old_lm_hash_enc_data) {
request.data.chng_pswd_auth_crap.old_lm_hash_enc_len =
params->old_password.response.old_lm_hash_enc_length;
memcpy(request.data.chng_pswd_auth_crap.old_lm_hash_enc,
params->old_password.response.old_lm_hash_enc_data,
request.data.chng_pswd_auth_crap.old_lm_hash_enc_len);
}
break;
default:
wbc_status = WBC_ERR_INVALID_PARAM;
goto done;
break;
}
/* Send request */
wbc_status = wbcRequestResponse(ctx, cmd,
&request,
&response);
if (WBC_ERROR_IS_OK(wbc_status)) {
goto done;
}
/* Take the response above and return it to the caller */
if (response.data.auth.nt_status != 0) {
if (error) {
wbc_status = wbc_create_error_info(&response,
error);
BAIL_ON_WBC_ERROR(wbc_status);
}
}
if (policy) {
wbc_status = wbc_create_password_policy_info(&response,
policy);
BAIL_ON_WBC_ERROR(wbc_status);
}
if (reject_reason) {
*reject_reason = response.data.auth.reject_reason;
}
wbc_status = WBC_ERR_PWD_CHANGE_FAILED;
BAIL_ON_WBC_ERROR(wbc_status);
done:
return wbc_status;
}
/* Trigger an extended logoff notification to Winbind for a specific user */
wbcErr wbcCtxLogoffUserEx(struct wbcContext *ctx,
const struct wbcLogoffUserParams *params,
struct wbcAuthErrorInfo **error)
{
struct winbindd_request request;
struct winbindd_response response;
wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
size_t i;
/* validate input */
if (!params || !params->username) {
wbc_status = WBC_ERR_INVALID_PARAM;
BAIL_ON_WBC_ERROR(wbc_status);
}
if ((params->num_blobs > 0) && (params->blobs == NULL)) {
wbc_status = WBC_ERR_INVALID_PARAM;
BAIL_ON_WBC_ERROR(wbc_status);
}
if ((params->num_blobs == 0) && (params->blobs != NULL)) {
wbc_status = WBC_ERR_INVALID_PARAM;
BAIL_ON_WBC_ERROR(wbc_status);
}
ZERO_STRUCT(request);
ZERO_STRUCT(response);
strncpy(request.data.logoff.user, params->username,
sizeof(request.data.logoff.user)-1);
for (i=0; i<params->num_blobs; i++) {
if (strcasecmp(params->blobs[i].name, "ccfilename") == 0) {
if (params->blobs[i].blob.data) {
strncpy(request.data.logoff.krb5ccname,
(const char *)params->blobs[i].blob.data,
sizeof(request.data.logoff.krb5ccname) - 1);
}
continue;
}
if (strcasecmp(params->blobs[i].name, "user_uid") == 0) {
if (params->blobs[i].blob.data) {
memcpy(&request.data.logoff.uid,
params->blobs[i].blob.data,
MIN(params->blobs[i].blob.length,
sizeof(request.data.logoff.uid)));
}
continue;
}
if (strcasecmp(params->blobs[i].name, "flags") == 0) {
if (params->blobs[i].blob.data) {
memcpy(&request.flags,
params->blobs[i].blob.data,
MIN(params->blobs[i].blob.length,
sizeof(request.flags)));
}
continue;
}
}
/* Send request */
wbc_status = wbcRequestResponse(ctx, WINBINDD_PAM_LOGOFF,
&request,
&response);
/* Take the response above and return it to the caller */
if (response.data.auth.nt_status != 0) {
if (error) {
wbc_status = wbc_create_error_info(&response,
error);
BAIL_ON_WBC_ERROR(wbc_status);
}
wbc_status = WBC_ERR_AUTH_ERROR;
BAIL_ON_WBC_ERROR(wbc_status);
}
BAIL_ON_WBC_ERROR(wbc_status);
done:
return wbc_status;
}
/* Authenticate with more detailed information */
wbcErr wbcCtxAuthenticateUserEx(struct wbcContext *ctx,
const struct wbcAuthUserParams *params,
struct wbcAuthUserInfo **info,
struct wbcAuthErrorInfo **error)
{
wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
int cmd = 0;
struct winbindd_request request;
struct winbindd_response response;
ZERO_STRUCT(request);
ZERO_STRUCT(response);
if (error) {
*error = NULL;
}
if (!params) {
wbc_status = WBC_ERR_INVALID_PARAM;
BAIL_ON_WBC_ERROR(wbc_status);
}
if (params->level != WBC_AUTH_USER_LEVEL_PAC && !params->account_name) {
wbc_status = WBC_ERR_INVALID_PARAM;
BAIL_ON_WBC_ERROR(wbc_status);
}
/* Initialize request */
switch (params->level) {
case WBC_AUTH_USER_LEVEL_PLAIN:
cmd = WINBINDD_PAM_AUTH;
request.flags = WBFLAG_PAM_INFO3_TEXT |
WBFLAG_PAM_USER_SESSION_KEY |
WBFLAG_PAM_LMKEY;
if (!params->password.plaintext) {
wbc_status = WBC_ERR_INVALID_PARAM;
BAIL_ON_WBC_ERROR(wbc_status);
}
if (params->domain_name && params->domain_name[0]) {
/* We need to get the winbind separator :-( */
struct winbindd_response sep_response;
ZERO_STRUCT(sep_response);
wbc_status = wbcRequestResponse(ctx, WINBINDD_INFO,
NULL, &sep_response);
BAIL_ON_WBC_ERROR(wbc_status);
snprintf(request.data.auth.user,
sizeof(request.data.auth.user)-1,
"%s%c%s",
params->domain_name,
sep_response.data.info.winbind_separator,
params->account_name);
} else {
strncpy(request.data.auth.user,
params->account_name,
sizeof(request.data.auth.user)-1);
}
strncpy(request.data.auth.pass,
params->password.plaintext,
sizeof(request.data.auth.pass)-1);
break;
case WBC_AUTH_USER_LEVEL_HASH:
wbc_status = WBC_ERR_NOT_IMPLEMENTED;
BAIL_ON_WBC_ERROR(wbc_status);
break;
case WBC_AUTH_USER_LEVEL_RESPONSE:
cmd = WINBINDD_PAM_AUTH_CRAP;
request.flags = WBFLAG_PAM_INFO3_TEXT |
WBFLAG_PAM_USER_SESSION_KEY |
WBFLAG_PAM_LMKEY;
if (params->password.response.lm_length &&
!params->password.response.lm_data) {
wbc_status = WBC_ERR_INVALID_PARAM;
BAIL_ON_WBC_ERROR(wbc_status);
}
if (params->password.response.lm_length == 0 &&
params->password.response.lm_data) {
wbc_status = WBC_ERR_INVALID_PARAM;
BAIL_ON_WBC_ERROR(wbc_status);
}
if (params->password.response.nt_length &&
!params->password.response.nt_data) {
wbc_status = WBC_ERR_INVALID_PARAM;
BAIL_ON_WBC_ERROR(wbc_status);
}
if (params->password.response.nt_length == 0&&
params->password.response.nt_data) {
wbc_status = WBC_ERR_INVALID_PARAM;
BAIL_ON_WBC_ERROR(wbc_status);
}
strncpy(request.data.auth_crap.user,
params->account_name,
sizeof(request.data.auth_crap.user)-1);
if (params->domain_name) {
strncpy(request.data.auth_crap.domain,
params->domain_name,
sizeof(request.data.auth_crap.domain)-1);
}
if (params->workstation_name) {
strncpy(request.data.auth_crap.workstation,
params->workstation_name,
sizeof(request.data.auth_crap.workstation)-1);
}
request.data.auth_crap.logon_parameters =
params->parameter_control;
memcpy(request.data.auth_crap.chal,
params->password.response.challenge,
sizeof(request.data.auth_crap.chal));
request.data.auth_crap.lm_resp_len =
MIN(params->password.response.lm_length,
sizeof(request.data.auth_crap.lm_resp));
if (params->password.response.lm_data) {
memcpy(request.data.auth_crap.lm_resp,
params->password.response.lm_data,
request.data.auth_crap.lm_resp_len);
}
request.data.auth_crap.nt_resp_len = params->password.response.nt_length;
if (params->password.response.nt_length > sizeof(request.data.auth_crap.nt_resp)) {
request.flags |= WBFLAG_BIG_NTLMV2_BLOB;
request.extra_len = params->password.response.nt_length;
request.extra_data.data = (char *)malloc(
request.extra_len);
if (request.extra_data.data == NULL) {
wbc_status = WBC_ERR_NO_MEMORY;
BAIL_ON_WBC_ERROR(wbc_status);
}
memcpy(request.extra_data.data,
params->password.response.nt_data,
request.data.auth_crap.nt_resp_len);
} else if (params->password.response.nt_data) {
memcpy(request.data.auth_crap.nt_resp,
params->password.response.nt_data,
request.data.auth_crap.nt_resp_len);
}
break;
case WBC_AUTH_USER_LEVEL_PAC:
cmd = WINBINDD_PAM_AUTH_CRAP;
request.flags = WBFLAG_PAM_AUTH_PAC | WBFLAG_PAM_INFO3_TEXT;
request.extra_data.data = malloc(params->password.pac.length);
if (request.extra_data.data == NULL) {
wbc_status = WBC_ERR_NO_MEMORY;
BAIL_ON_WBC_ERROR(wbc_status);
}
memcpy(request.extra_data.data, params->password.pac.data,
params->password.pac.length);
request.extra_len = params->password.pac.length;
break;
default:
break;
}
if (cmd == 0) {
wbc_status = WBC_ERR_INVALID_PARAM;
BAIL_ON_WBC_ERROR(wbc_status);
}
if (params->flags) {
request.flags |= params->flags;
}
if (cmd == WINBINDD_PAM_AUTH_CRAP) {
wbc_status = wbcRequestResponsePriv(ctx, cmd,
&request, &response);
} else {
wbc_status = wbcRequestResponse(ctx, cmd,
&request, &response);
}
if (response.data.auth.nt_status != 0) {
if (error) {
wbc_status = wbc_create_error_info(&response,
error);
BAIL_ON_WBC_ERROR(wbc_status);
}
wbc_status = WBC_ERR_AUTH_ERROR;
BAIL_ON_WBC_ERROR(wbc_status);
}
BAIL_ON_WBC_ERROR(wbc_status);
if (info) {
wbc_status = wbc_create_auth_info(&response, info);
BAIL_ON_WBC_ERROR(wbc_status);
}
done:
winbindd_free_response(&response);
free(request.extra_data.data);
return wbc_status;
}
/* Logon a User */
wbcErr wbcCtxLogonUser(struct wbcContext *ctx,
const struct wbcLogonUserParams *params,
struct wbcLogonUserInfo **info,
struct wbcAuthErrorInfo **error,
struct wbcUserPasswordPolicyInfo **policy)
{
wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
struct winbindd_request request;
struct winbindd_response response;
uint32_t i;
ZERO_STRUCT(request);
ZERO_STRUCT(response);
if (info) {
*info = NULL;
}
if (error) {
*error = NULL;
}
if (policy) {
*policy = NULL;
}
if (!params) {
wbc_status = WBC_ERR_INVALID_PARAM;
BAIL_ON_WBC_ERROR(wbc_status);
}
if (!params->username) {
wbc_status = WBC_ERR_INVALID_PARAM;
BAIL_ON_WBC_ERROR(wbc_status);
}
if ((params->num_blobs > 0) && (params->blobs == NULL)) {
wbc_status = WBC_ERR_INVALID_PARAM;
BAIL_ON_WBC_ERROR(wbc_status);
}
if ((params->num_blobs == 0) && (params->blobs != NULL)) {
wbc_status = WBC_ERR_INVALID_PARAM;
BAIL_ON_WBC_ERROR(wbc_status);
}
/* Initialize request */
request.flags = WBFLAG_PAM_INFO3_TEXT |
WBFLAG_PAM_USER_SESSION_KEY |
WBFLAG_PAM_LMKEY;
if (!params->password) {
wbc_status = WBC_ERR_INVALID_PARAM;
BAIL_ON_WBC_ERROR(wbc_status);
}
strncpy(request.data.auth.user,
params->username,
sizeof(request.data.auth.user)-1);
strncpy(request.data.auth.pass,
params->password,
sizeof(request.data.auth.pass)-1);
for (i=0; i<params->num_blobs; i++) {
if (strcasecmp(params->blobs[i].name, "krb5_cc_type") == 0) {
if (params->blobs[i].blob.data) {
strncpy(request.data.auth.krb5_cc_type,
(const char *)params->blobs[i].blob.data,
sizeof(request.data.auth.krb5_cc_type) - 1);
}
continue;
}
if (strcasecmp(params->blobs[i].name, "user_uid") == 0) {
if (params->blobs[i].blob.data) {
memcpy(&request.data.auth.uid,
params->blobs[i].blob.data,
MIN(sizeof(request.data.auth.uid),
params->blobs[i].blob.length));
}
continue;
}
if (strcasecmp(params->blobs[i].name, "flags") == 0) {
if (params->blobs[i].blob.data) {
uint32_t flags;
memcpy(&flags,
params->blobs[i].blob.data,
MIN(sizeof(flags),
params->blobs[i].blob.length));
request.flags |= flags;
}
continue;
}
if (strcasecmp(params->blobs[i].name, "membership_of") == 0) {
if (params->blobs[i].blob.data &&
params->blobs[i].blob.data[0] > 0) {
strncpy(request.data.auth.require_membership_of_sid,
(const char *)params->blobs[i].blob.data,
sizeof(request.data.auth.require_membership_of_sid) - 1);
}
continue;
}
}
wbc_status = wbcRequestResponse(ctx, WINBINDD_PAM_AUTH,
&request,
&response);
if (response.data.auth.nt_status != 0) {
if (error) {
wbc_status = wbc_create_error_info(&response,
error);
BAIL_ON_WBC_ERROR(wbc_status);
}
wbc_status = WBC_ERR_AUTH_ERROR;
BAIL_ON_WBC_ERROR(wbc_status);
}
BAIL_ON_WBC_ERROR(wbc_status);
if (info) {
wbc_status = wbc_create_logon_info(&response,
info);
BAIL_ON_WBC_ERROR(wbc_status);
}
if (policy) {
wbc_status = wbc_create_password_policy_info(&response,
policy);
BAIL_ON_WBC_ERROR(wbc_status);
}
done:
winbindd_free_response(&response);
return wbc_status;
}