NTSTATUS samba_kdc_get_pac_blob(TALLOC_CTX *mem_ctx, struct hdb_entry_ex *client, DATA_BLOB **_pac_blob) { struct samba_kdc_entry *p = talloc_get_type(client->ctx, struct samba_kdc_entry); struct auth_user_info_dc *user_info_dc; DATA_BLOB *pac_blob; NTSTATUS nt_status; /* The user account may be set not to want the PAC */ if ( ! samba_princ_needs_pac(client)) { *_pac_blob = NULL; return NT_STATUS_OK; } pac_blob = talloc_zero(mem_ctx, DATA_BLOB); if (!pac_blob) { return NT_STATUS_NO_MEMORY; } nt_status = authsam_make_user_info_dc(mem_ctx, p->kdc_db_ctx->samdb, lpcfg_netbios_name(p->kdc_db_ctx->lp_ctx), lpcfg_sam_name(p->kdc_db_ctx->lp_ctx), p->realm_dn, p->msg, data_blob(NULL, 0), data_blob(NULL, 0), &user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("Getting user info for PAC failed: %s\n", nt_errstr(nt_status))); return nt_status; } nt_status = samba_get_logon_info_pac_blob(mem_ctx, user_info_dc, pac_blob); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("Building PAC failed: %s\n", nt_errstr(nt_status))); return nt_status; } *_pac_blob = pac_blob; return NT_STATUS_OK; }
int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx, char *pwd, krb5_db_entry *db_entry) { NTSTATUS status; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; TALLOC_CTX *tmp_ctx; DATA_BLOB password; enum samPwdChangeReason reject_reason; struct samr_DomInfo1 *dominfo; const char *error_string = NULL; struct auth_user_info_dc *user_info_dc; struct samba_kdc_entry *p; krb5_error_code code = 0; #ifdef DEBUG_PASSWORD DEBUG(1,("mit_samba_kpasswd_change_password called with: %s\n", pwd)); #endif tmp_ctx = talloc_named(ctx, 0, "mit_samba_kpasswd_change_password"); if (tmp_ctx == NULL) { return ENOMEM; } p = (struct samba_kdc_entry *)db_entry->e_data; status = authsam_make_user_info_dc(tmp_ctx, ctx->db_ctx->samdb, lpcfg_netbios_name(ctx->db_ctx->lp_ctx), lpcfg_sam_name(ctx->db_ctx->lp_ctx), p->realm_dn, p->msg, data_blob(NULL, 0), data_blob(NULL, 0), &user_info_dc); if (!NT_STATUS_IS_OK(status)) { DEBUG(1,("authsam_make_user_info_dc failed: %s\n", nt_errstr(status))); talloc_free(tmp_ctx); return EINVAL; } status = auth_generate_session_info(tmp_ctx, ctx->db_ctx->lp_ctx, ctx->db_ctx->samdb, user_info_dc, 0, /* session_info_flags */ &ctx->session_info); if (!NT_STATUS_IS_OK(status)) { DEBUG(1,("auth_generate_session_info failed: %s\n", nt_errstr(status))); talloc_free(tmp_ctx); return EINVAL; } /* password is expected as UTF16 */ if (!convert_string_talloc(tmp_ctx, CH_UTF8, CH_UTF16, pwd, strlen(pwd), &password.data, &password.length)) { DEBUG(1,("convert_string_talloc failed\n")); talloc_free(tmp_ctx); return EINVAL; } status = samdb_kpasswd_change_password(tmp_ctx, ctx->db_ctx->lp_ctx, ctx->db_ctx->ev_ctx, ctx->db_ctx->samdb, ctx->session_info, &password, &reject_reason, &dominfo, &error_string, &result); if (!NT_STATUS_IS_OK(status)) { DEBUG(1,("samdb_kpasswd_change_password failed: %s\n", nt_errstr(status))); code = KADM5_PASS_Q_GENERIC; krb5_set_error_message(ctx->context, code, "%s", error_string); goto out; } if (!NT_STATUS_IS_OK(result)) { code = mit_samba_change_pwd_error(ctx->context, result, reject_reason, dominfo); } out: talloc_free(tmp_ctx); return code; }
static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, struct auth_user_info_dc **user_info_dc) { NTSTATUS nt_status; const char *account_name = user_info->mapped.account_name; struct ldb_message *msg; struct ldb_dn *domain_dn; DATA_BLOB user_sess_key, lm_sess_key; TALLOC_CTX *tmp_ctx; if (ctx->auth_ctx->sam_ctx == NULL) { DEBUG(0, ("No SAM available, cannot log in users\n")); return NT_STATUS_INVALID_SYSTEM_SERVICE; } if (!account_name || !*account_name) { /* 'not for me' */ return NT_STATUS_NOT_IMPLEMENTED; } tmp_ctx = talloc_new(mem_ctx); if (!tmp_ctx) { return NT_STATUS_NO_MEMORY; } domain_dn = ldb_get_default_basedn(ctx->auth_ctx->sam_ctx); if (domain_dn == NULL) { talloc_free(tmp_ctx); return NT_STATUS_NO_SUCH_DOMAIN; } nt_status = authsam_search_account(tmp_ctx, ctx->auth_ctx->sam_ctx, account_name, domain_dn, &msg); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return nt_status; } nt_status = authsam_authenticate(ctx->auth_ctx, tmp_ctx, ctx->auth_ctx->sam_ctx, domain_dn, msg, user_info, &user_sess_key, &lm_sess_key); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return nt_status; } nt_status = authsam_make_user_info_dc(tmp_ctx, ctx->auth_ctx->sam_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx), lpcfg_sam_name(ctx->auth_ctx->lp_ctx), domain_dn, msg, user_sess_key, lm_sess_key, user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return nt_status; } talloc_steal(mem_ctx, *user_info_dc); talloc_free(tmp_ctx); return NT_STATUS_OK; }
static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, struct auth_user_info_dc **user_info_dc, bool *authoritative) { NTSTATUS nt_status; const char *account_name = user_info->mapped.account_name; struct ldb_message *msg; struct ldb_dn *domain_dn; DATA_BLOB user_sess_key, lm_sess_key; TALLOC_CTX *tmp_ctx; const char *p = NULL; if (ctx->auth_ctx->sam_ctx == NULL) { DEBUG(0, ("No SAM available, cannot log in users\n")); return NT_STATUS_INVALID_SYSTEM_SERVICE; } if (!account_name || !*account_name) { /* 'not for me' */ return NT_STATUS_NOT_IMPLEMENTED; } tmp_ctx = talloc_new(mem_ctx); if (!tmp_ctx) { return NT_STATUS_NO_MEMORY; } domain_dn = ldb_get_default_basedn(ctx->auth_ctx->sam_ctx); if (domain_dn == NULL) { talloc_free(tmp_ctx); return NT_STATUS_NO_SUCH_DOMAIN; } p = strchr_m(account_name, '@'); if (p != NULL) { const char *nt4_domain = NULL; const char *nt4_account = NULL; bool is_my_domain = false; nt_status = crack_name_to_nt4_name(mem_ctx, ctx->auth_ctx->sam_ctx, /* * DRSUAPI_DS_NAME_FORMAT_UPN_FOR_LOGON ? */ DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL, account_name, &nt4_domain, &nt4_account); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return NT_STATUS_NO_SUCH_USER; } is_my_domain = lpcfg_is_mydomain(ctx->auth_ctx->lp_ctx, nt4_domain); if (!is_my_domain) { /* * This is a user within our forest, * but in a different domain, * we're not authoritative */ talloc_free(tmp_ctx); return NT_STATUS_NOT_IMPLEMENTED; } /* * Let's use the NT4 account name for the lookup. */ account_name = nt4_account; } nt_status = authsam_search_account(tmp_ctx, ctx->auth_ctx->sam_ctx, account_name, domain_dn, &msg); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return nt_status; } nt_status = authsam_authenticate(ctx->auth_ctx, tmp_ctx, ctx->auth_ctx->sam_ctx, domain_dn, msg, user_info, &user_sess_key, &lm_sess_key, authoritative); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return nt_status; } nt_status = authsam_make_user_info_dc(tmp_ctx, ctx->auth_ctx->sam_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx), lpcfg_sam_name(ctx->auth_ctx->lp_ctx), lpcfg_sam_dnsname(ctx->auth_ctx->lp_ctx), domain_dn, msg, user_sess_key, lm_sess_key, user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return nt_status; } talloc_steal(mem_ctx, *user_info_dc); talloc_free(tmp_ctx); return NT_STATUS_OK; }