enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) { NTSTATUS result; unsigned char trust_passwd[16]; time_t last_change_time; uint32 sec_channel_type; NET_USER_INFO_3 info3; struct cli_state *cli = NULL; TALLOC_CTX *mem_ctx = NULL; char *name_user = NULL; const char *name_domain = NULL; const char *workstation; struct winbindd_domain *contact_domain; DOM_CRED ret_creds; int attempts = 0; BOOL retry; DATA_BLOB lm_resp, nt_resp; if (!state->privileged) { char *error_string = NULL; DEBUG(2, ("winbindd_pam_auth_crap: non-privileged access denied. !\n")); DEBUGADD(2, ("winbindd_pam_auth_crap: Ensure permissions on %s are set correctly.\n", get_winbind_priv_pipe_dir())); /* send a better message than ACCESS_DENIED */ asprintf(&error_string, "winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on %s are set correctly.", get_winbind_priv_pipe_dir()); push_utf8_fstring(state->response.data.auth.error_string, error_string); SAFE_FREE(error_string); result = NT_STATUS_ACCESS_DENIED; goto done; } /* Ensure null termination */ state->request.data.auth_crap.user[sizeof(state->request.data.auth_crap.user)-1]=0; state->request.data.auth_crap.domain[sizeof(state->request.data.auth_crap.domain)-1]=0; if (!(mem_ctx = talloc_init("winbind pam auth crap for (utf8) %s", state->request.data.auth_crap.user))) { DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n")); result = NT_STATUS_NO_MEMORY; goto done; } if (pull_utf8_talloc(mem_ctx, &name_user, state->request.data.auth_crap.user) == (size_t)-1) { DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n")); result = NT_STATUS_UNSUCCESSFUL; goto done; } if (*state->request.data.auth_crap.domain) { char *dom = NULL; if (pull_utf8_talloc(mem_ctx, &dom, state->request.data.auth_crap.domain) == (size_t)-1) { DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n")); result = NT_STATUS_UNSUCCESSFUL; goto done; } name_domain = dom; } else if (lp_winbind_use_default_domain()) { name_domain = lp_workgroup(); } else { DEBUG(5,("no domain specified with username (%s) - failing auth\n", name_user)); result = NT_STATUS_NO_SUCH_USER; goto done; } DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid, name_domain, name_user)); if (*state->request.data.auth_crap.workstation) { char *wrk = NULL; if (pull_utf8_talloc(mem_ctx, &wrk, state->request.data.auth_crap.workstation) == (size_t)-1) { DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n")); result = NT_STATUS_UNSUCCESSFUL; goto done; } workstation = wrk; } else { workstation = global_myname(); } if (state->request.data.auth_crap.lm_resp_len > sizeof(state->request.data.auth_crap.lm_resp) || state->request.data.auth_crap.nt_resp_len > sizeof(state->request.data.auth_crap.nt_resp)) { DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n", state->request.data.auth_crap.lm_resp_len, state->request.data.auth_crap.nt_resp_len)); result = NT_STATUS_INVALID_PARAMETER; goto done; } lm_resp = data_blob_talloc(mem_ctx, state->request.data.auth_crap.lm_resp, state->request.data.auth_crap.lm_resp_len); nt_resp = data_blob_talloc(mem_ctx, state->request.data.auth_crap.nt_resp, state->request.data.auth_crap.nt_resp_len); /* what domain should we contact? */ if ( IS_DC ) { if (!(contact_domain = find_domain_from_name(name_domain))) { DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n", state->request.data.auth_crap.user, name_domain, name_user, name_domain)); result = NT_STATUS_NO_SUCH_USER; goto done; } } else { if (is_myname(name_domain)) { DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain)); result = NT_STATUS_NO_SUCH_USER; goto done; } if (!(contact_domain = find_our_domain())) { DEBUG(1, ("Authenticatoin for [%s] -> [%s]\\[%s] in our domain failed - we can't find our domain!\n", state->request.data.auth_crap.user, name_domain, name_user)); result = NT_STATUS_NO_SUCH_USER; goto done; } } if ( !get_trust_pw(contact_domain->name, trust_passwd, &last_change_time, &sec_channel_type) ) { result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO; goto done; } do { ZERO_STRUCT(info3); ZERO_STRUCT(ret_creds); retry = False; /* Don't shut this down - it belongs to the connection cache code */ result = cm_get_netlogon_cli(contact_domain, trust_passwd, sec_channel_type, False, &cli); if (!NT_STATUS_IS_OK(result)) { DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n", nt_errstr(result))); goto done; } result = cli_netlogon_sam_network_logon(cli, mem_ctx, &ret_creds, name_user, name_domain, workstation, state->request.data.auth_crap.chal, lm_resp, nt_resp, &info3); attempts += 1; /* We have to try a second time as cm_get_netlogon_cli might not yet have noticed that the DC has killed our connection. */ if ( cli->fd == -1 ) { retry = True; continue; } /* if we get access denied, a possible cause was that we had and open connection to the DC, but someone changed our machine account password out from underneath us using 'net rpc changetrustpw' */ if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) ) { DEBUG(3,("winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED. Maybe the trust account " "password was changed and we didn't know it. Killing connections to domain %s\n", contact_domain->name)); winbindd_cm_flush(); retry = True; cli = NULL; } } while ( (attempts < 2) && retry ); if (cli != NULL) { /* We might have come out of the loop above with cli == NULL, so don't dereference that. */ clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &ret_creds); } if (NT_STATUS_IS_OK(result)) { netsamlogon_cache_store( cli->mem_ctx, &info3 ); wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3); if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth_crap.required_membership_sid))) { DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n", state->request.data.auth_crap.user, state->request.data.auth_crap.required_membership_sid)); goto done; } if (state->request.flags & WBFLAG_PAM_INFO3_NDR) { result = append_info3_as_ndr(mem_ctx, state, &info3); } else if (state->request.flags & WBFLAG_PAM_UNIX_NAME) { /* ntlm_auth should return the unix username, per 'winbind use default domain' settings and the like */ fstring username_out; const char *nt_username, *nt_domain; if (!(nt_username = unistr2_tdup(mem_ctx, &(info3.uni_user_name)))) { /* If the server didn't give us one, just use the one we sent them */ nt_username = name_user; } if (!(nt_domain = unistr2_tdup(mem_ctx, &(info3.uni_logon_dom)))) { /* If the server didn't give us one, just use the one we sent them */ nt_domain = name_domain; } fill_domain_username(username_out, nt_domain, nt_username); DEBUG(5, ("Setting unix username to [%s]\n", username_out)); /* this interface is in UTF8 */ if (push_utf8_allocate((char **)&state->response.extra_data, username_out) == -1) { result = NT_STATUS_NO_MEMORY; goto done; } state->response.length += strlen(state->response.extra_data)+1; } if (state->request.flags & WBFLAG_PAM_USER_SESSION_KEY) { memcpy(state->response.data.auth.user_session_key, info3.user_sess_key, sizeof(state->response.data.auth.user_session_key) /* 16 */); } if (state->request.flags & WBFLAG_PAM_LMKEY) { memcpy(state->response.data.auth.first_8_lm_hash, info3.padding, sizeof(state->response.data.auth.first_8_lm_hash) /* 8 */); } } done: /* give us a more useful (more correct?) error code */ if ((NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) || (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) { result = NT_STATUS_NO_LOGON_SERVERS; } if (state->request.flags & WBFLAG_PAM_NT_STATUS_SQUASH) { result = nt_status_squash(result); } state->response.data.auth.nt_status = NT_STATUS_V(result); push_utf8_fstring(state->response.data.auth.nt_status_string, nt_errstr(result)); /* we might have given a more useful error above */ if (!*state->response.data.auth.error_string) push_utf8_fstring(state->response.data.auth.error_string, get_friendly_nt_error_msg(result)); state->response.data.auth.pam_error = nt_status_to_pam(result); DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("NTLM CRAP authentication for user [%s]\\[%s] returned %s (PAM: %d)\n", name_domain, name_user, state->response.data.auth.nt_status_string, state->response.data.auth.pam_error)); if (mem_ctx) talloc_destroy(mem_ctx); return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; }
WERROR cli_srvsvc_net_share_enum(struct cli_state *cli, TALLOC_CTX *mem_ctx, uint32 info_level, SRV_SHARE_INFO_CTR *ctr, int preferred_len, ENUM_HND *hnd) { prs_struct qbuf, rbuf; SRV_Q_NET_SHARE_ENUM q; SRV_R_NET_SHARE_ENUM r; WERROR result = W_ERROR(ERRgeneral); int i; ZERO_STRUCT(q); ZERO_STRUCT(r); /* Initialise parse structures */ prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL); prs_init(&rbuf, 0, mem_ctx, UNMARSHALL); /* Initialise input parameters */ init_srv_q_net_share_enum( &q, cli->srv_name_slash, info_level, preferred_len, hnd); /* Marshall data and send request */ if (!srv_io_q_net_share_enum("", &q, &qbuf, 0) || !rpc_api_pipe_req(cli, SRV_NET_SHARE_ENUM_ALL, &qbuf, &rbuf)) goto done; /* Unmarshall response */ if (!srv_io_r_net_share_enum("", &r, &rbuf, 0)) goto done; result = r.status; if (!W_ERROR_IS_OK(result)) goto done; /* Oh yuck yuck yuck - we have to copy all the info out of the SRV_SHARE_INFO_CTR in the SRV_R_NET_SHARE_ENUM as when we do a prs_mem_free() it will all be invalidated. The various share info structures suck badly too. This really is gross. */ ZERO_STRUCTP(ctr); if (!r.ctr.num_entries) goto done; ctr->info_level = info_level; ctr->num_entries = r.ctr.num_entries; switch(info_level) { case 1: ctr->share.info1 = (SRV_SHARE_INFO_1 *)talloc( mem_ctx, sizeof(SRV_SHARE_INFO_1) * ctr->num_entries); memset(ctr->share.info1, 0, sizeof(SRV_SHARE_INFO_1)); for (i = 0; i < ctr->num_entries; i++) { SRV_SHARE_INFO_1 *info1 = &ctr->share.info1[i]; char *s; /* Copy pointer crap */ memcpy(&info1->info_1, &r.ctr.share.info1[i].info_1, sizeof(SH_INFO_1)); /* Duplicate strings */ s = unistr2_tdup(mem_ctx, &r.ctr.share.info1[i].info_1_str.uni_netname); if (s) init_unistr2(&info1->info_1_str.uni_netname, s, UNI_STR_TERMINATE); s = unistr2_tdup(mem_ctx, &r.ctr.share.info1[i].info_1_str.uni_remark); if (s) init_unistr2(&info1->info_1_str.uni_remark, s, UNI_STR_TERMINATE); } break; case 2: ctr->share.info2 = (SRV_SHARE_INFO_2 *)talloc( mem_ctx, sizeof(SRV_SHARE_INFO_2) * ctr->num_entries); memset(ctr->share.info2, 0, sizeof(SRV_SHARE_INFO_2)); for (i = 0; i < ctr->num_entries; i++) { SRV_SHARE_INFO_2 *info2 = &ctr->share.info2[i]; char *s; /* Copy pointer crap */ memcpy(&info2->info_2, &r.ctr.share.info2[i].info_2, sizeof(SH_INFO_2)); /* Duplicate strings */ s = unistr2_tdup(mem_ctx, &r.ctr.share.info2[i].info_2_str.uni_netname); if (s) init_unistr2(&info2->info_2_str.uni_netname, s, UNI_STR_TERMINATE); s = unistr2_tdup(mem_ctx, &r.ctr.share.info2[i].info_2_str.uni_remark); if (s) init_unistr2(&info2->info_2_str.uni_remark, s, UNI_STR_TERMINATE); s = unistr2_tdup(mem_ctx, &r.ctr.share.info2[i].info_2_str.uni_path); if (s) init_unistr2(&info2->info_2_str.uni_path, s, UNI_STR_TERMINATE); s = unistr2_tdup(mem_ctx, &r.ctr.share.info2[i].info_2_str.uni_passwd); if (s) init_unistr2(&info2->info_2_str.uni_passwd, s, UNI_STR_TERMINATE); } break; } done: prs_mem_free(&qbuf); prs_mem_free(&rbuf); return result; }
/* Lookup user information from a rid or username. */ static NTSTATUS query_user(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, const DOM_SID *user_sid, WINBIND_USERINFO *user_info) { CLI_POLICY_HND *hnd = NULL; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; POLICY_HND dom_pol, user_pol; BOOL got_dom_pol = False, got_user_pol = False; SAM_USERINFO_CTR *ctr; int retry; fstring sid_string; uint32 user_rid; NET_USER_INFO_3 *user; DEBUG(3,("rpc: query_user rid=%s\n", sid_to_string(sid_string, user_sid))); if (!sid_peek_check_rid(&domain->sid, user_sid, &user_rid)) { goto done; } /* try netsamlogon cache first */ if ( (user = netsamlogon_cache_get( mem_ctx, user_sid )) != NULL ) { DEBUG(5,("query_user: Cache lookup succeeded for %s\n", sid_string_static(user_sid))); user_info->user_sid = rid_to_talloced_sid( domain, mem_ctx, user_rid ); user_info->group_sid = rid_to_talloced_sid( domain, mem_ctx, user->group_rid ); user_info->acct_name = unistr2_tdup(mem_ctx, &user->uni_user_name); user_info->full_name = unistr2_tdup(mem_ctx, &user->uni_full_name); SAFE_FREE(user); return NT_STATUS_OK; } /* no cache; hit the wire */ retry = 0; do { /* Get sam handle; if we fail here there is no hope */ if (!NT_STATUS_IS_OK(result = cm_get_sam_handle(domain, &hnd))) goto done; /* Get domain handle */ result = cli_samr_open_domain(hnd->cli, mem_ctx, &hnd->pol, SEC_RIGHTS_MAXIMUM_ALLOWED, &domain->sid, &dom_pol); } while (!NT_STATUS_IS_OK(result) && (retry++ < 1) && hnd && hnd->cli && hnd->cli->fd == -1); if (!NT_STATUS_IS_OK(result)) goto done; got_dom_pol = True; /* Get user handle */ result = cli_samr_open_user(hnd->cli, mem_ctx, &dom_pol, SEC_RIGHTS_MAXIMUM_ALLOWED, user_rid, &user_pol); if (!NT_STATUS_IS_OK(result)) goto done; got_user_pol = True; /* Get user info */ result = cli_samr_query_userinfo(hnd->cli, mem_ctx, &user_pol, 0x15, &ctr); if (!NT_STATUS_IS_OK(result)) goto done; cli_samr_close(hnd->cli, mem_ctx, &user_pol); got_user_pol = False; user_info->user_sid = rid_to_talloced_sid(domain, mem_ctx, user_rid); user_info->group_sid = rid_to_talloced_sid(domain, mem_ctx, ctr->info.id21->group_rid); user_info->acct_name = unistr2_tdup(mem_ctx, &ctr->info.id21->uni_user_name); user_info->full_name = unistr2_tdup(mem_ctx, &ctr->info.id21->uni_full_name); done: /* Clean up policy handles */ if (got_user_pol) cli_samr_close(hnd->cli, mem_ctx, &user_pol); if (got_dom_pol) cli_samr_close(hnd->cli, mem_ctx, &dom_pol); return result; }
WERROR cli_srvsvc_net_file_enum(struct cli_state *cli, TALLOC_CTX *mem_ctx, uint32 file_level, const char *user_name, SRV_FILE_INFO_CTR *ctr, int preferred_len, ENUM_HND *hnd) { prs_struct qbuf, rbuf; SRV_Q_NET_FILE_ENUM q; SRV_R_NET_FILE_ENUM r; WERROR result = W_ERROR(ERRgeneral); int i; ZERO_STRUCT(q); ZERO_STRUCT(r); /* Initialise parse structures */ prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL); prs_init(&rbuf, 0, mem_ctx, UNMARSHALL); /* Initialise input parameters */ init_srv_q_net_file_enum(&q, cli->srv_name_slash, NULL, user_name, file_level, ctr, preferred_len, hnd); /* Marshall data and send request */ if (!srv_io_q_net_file_enum("", &q, &qbuf, 0) || !rpc_api_pipe_req(cli, SRV_NET_FILE_ENUM, &qbuf, &rbuf)) goto done; /* Unmarshall response */ if (!srv_io_r_net_file_enum("", &r, &rbuf, 0)) goto done; result = r.status; if (!W_ERROR_IS_OK(result)) goto done; /* copy the data over to the ctr */ ZERO_STRUCTP(ctr); ctr->switch_value = file_level; ctr->num_entries = ctr->num_entries2 = r.ctr.num_entries; switch(file_level) { case 3: ctr->file.info3 = (SRV_FILE_INFO_3 *)talloc( mem_ctx, sizeof(SRV_FILE_INFO_3) * ctr->num_entries); memset(ctr->file.info3, 0, sizeof(SRV_FILE_INFO_3) * ctr->num_entries); for (i = 0; i < r.ctr.num_entries; i++) { SRV_FILE_INFO_3 *info3 = &ctr->file.info3[i]; char *s; /* Copy pointer crap */ memcpy(&info3->info_3, &r.ctr.file.info3[i].info_3, sizeof(FILE_INFO_3)); /* Duplicate strings */ s = unistr2_tdup(mem_ctx, &r.ctr.file.info3[i].info_3_str.uni_path_name); if (s) init_unistr2(&info3->info_3_str.uni_path_name, s, UNI_STR_TERMINATE); s = unistr2_tdup(mem_ctx, &r.ctr.file.info3[i].info_3_str.uni_user_name); if (s) init_unistr2(&info3->info_3_str.uni_user_name, s, UNI_STR_TERMINATE); } break; } done: prs_mem_free(&qbuf); prs_mem_free(&rbuf); return result; }