static NTSTATUS check_winbind_security(const struct auth_context *auth_context, void *my_private_data, TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, auth_serversupplied_info **server_info) { struct winbindd_request request; struct winbindd_response response; NSS_STATUS result; NTSTATUS nt_status; NET_USER_INFO_3 info3; if (!user_info) { return NT_STATUS_INVALID_PARAMETER; } if (!auth_context) { DEBUG(3,("Password for user %s cannot be checked because we have no auth_info to get the challenge from.\n", user_info->internal_username.str)); return NT_STATUS_INVALID_PARAMETER; } if (strequal(user_info->domain.str, get_global_sam_name())) { DEBUG(3,("check_winbind_security: Not using winbind, requested domain [%s] was for this SAM.\n", user_info->domain.str)); return NT_STATUS_NOT_IMPLEMENTED; } /* Send off request */ ZERO_STRUCT(request); ZERO_STRUCT(response); request.flags = WBFLAG_PAM_INFO3_NDR; fstrcpy(request.data.auth_crap.user, user_info->smb_name.str); fstrcpy(request.data.auth_crap.domain, user_info->domain.str); fstrcpy(request.data.auth_crap.workstation, user_info->wksta_name.str); memcpy(request.data.auth_crap.chal, auth_context->challenge.data, sizeof(request.data.auth_crap.chal)); request.data.auth_crap.lm_resp_len = MIN(user_info->lm_resp.length, sizeof(request.data.auth_crap.lm_resp)); request.data.auth_crap.nt_resp_len = MIN(user_info->nt_resp.length, sizeof(request.data.auth_crap.nt_resp)); memcpy(request.data.auth_crap.lm_resp, user_info->lm_resp.data, request.data.auth_crap.lm_resp_len); memcpy(request.data.auth_crap.nt_resp, user_info->nt_resp.data, request.data.auth_crap.nt_resp_len); /* we are contacting the privileged pipe */ become_root(); result = winbindd_request(WINBINDD_PAM_AUTH_CRAP, &request, &response); unbecome_root(); if ( result == NSS_STATUS_UNAVAIL ) { struct auth_methods *auth_method = my_private_data; if ( auth_method ) return auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info); else /* log an error since this should not happen */ DEBUG(0,("check_winbind_security: ERROR! my_private_data == NULL!\n")); } nt_status = NT_STATUS(response.data.auth.nt_status); if (result == NSS_STATUS_SUCCESS && response.extra_data) { if (NT_STATUS_IS_OK(nt_status)) { if (NT_STATUS_IS_OK(nt_status = get_info3_from_ndr(mem_ctx, &response, &info3))) { nt_status = make_server_info_info3(mem_ctx, user_info->internal_username.str, user_info->smb_name.str, user_info->domain.str, server_info, &info3); } } } else if (NT_STATUS_IS_OK(nt_status)) { nt_status = NT_STATUS_NO_LOGON_SERVERS; } SAFE_FREE(response.extra_data); return nt_status; }
/* Authenticate a user with a challenge/response using the samba3 winbind protocol */ static NTSTATUS winbind_check_password_samba3(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, struct auth_serversupplied_info **server_info) { struct winbindd_request request; struct winbindd_response response; NSS_STATUS result; NTSTATUS nt_status; struct netr_SamInfo3 info3; /* Send off request */ const struct auth_usersupplied_info *user_info_temp; nt_status = encrypt_user_info(mem_ctx, ctx->auth_ctx, AUTH_PASSWORD_RESPONSE, user_info, &user_info_temp); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } user_info = user_info_temp; ZERO_STRUCT(request); ZERO_STRUCT(response); request.flags = WBFLAG_PAM_INFO3_NDR; request.data.auth_crap.logon_parameters = user_info->logon_parameters; safe_strcpy(request.data.auth_crap.user, user_info->client.account_name, sizeof(fstring)); safe_strcpy(request.data.auth_crap.domain, user_info->client.domain_name, sizeof(fstring)); safe_strcpy(request.data.auth_crap.workstation, user_info->workstation_name, sizeof(fstring)); memcpy(request.data.auth_crap.chal, ctx->auth_ctx->challenge.data.data, sizeof(request.data.auth_crap.chal)); request.data.auth_crap.lm_resp_len = MIN(user_info->password.response.lanman.length, sizeof(request.data.auth_crap.lm_resp)); request.data.auth_crap.nt_resp_len = MIN(user_info->password.response.nt.length, sizeof(request.data.auth_crap.nt_resp)); memcpy(request.data.auth_crap.lm_resp, user_info->password.response.lanman.data, request.data.auth_crap.lm_resp_len); memcpy(request.data.auth_crap.nt_resp, user_info->password.response.nt.data, request.data.auth_crap.nt_resp_len); result = winbindd_request_response(WINBINDD_PAM_AUTH_CRAP, &request, &response); nt_status = NT_STATUS(response.data.auth.nt_status); NT_STATUS_NOT_OK_RETURN(nt_status); if (result == NSS_STATUS_SUCCESS && response.extra_data.data) { union netr_Validation validation; nt_status = get_info3_from_ndr(mem_ctx, lp_iconv_convenience(ctx->auth_ctx->lp_ctx), &response, &info3); SAFE_FREE(response.extra_data.data); NT_STATUS_NOT_OK_RETURN(nt_status); validation.sam3 = &info3; nt_status = make_server_info_netlogon_validation(mem_ctx, user_info->client.account_name, 3, &validation, server_info); return nt_status; } else if (result == NSS_STATUS_SUCCESS && !response.extra_data.data) { DEBUG(0, ("Winbindd authenticated the user [%s]\\[%s], " "but did not include the required info3 reply!\n", user_info->client.domain_name, user_info->client.account_name)); return NT_STATUS_INSUFFICIENT_LOGON_INFO; } else if (NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("Winbindd authentication for [%s]\\[%s] failed, " "but no error code is available!\n", user_info->client.domain_name, user_info->client.account_name)); return NT_STATUS_NO_LOGON_SERVERS; } return nt_status; }