NTSTATUS samba_kdc_get_pac_blob(TALLOC_CTX *mem_ctx,
struct hdb_entry_ex *client,
DATA_BLOB **_pac_blob)
{
struct samba_kdc_entry *p = talloc_get_type(client->ctx, struct samba_kdc_entry);
struct auth_user_info_dc *user_info_dc;
DATA_BLOB *pac_blob;
NTSTATUS nt_status;
/* The user account may be set not to want the PAC */
if ( ! samba_princ_needs_pac(client)) {
*_pac_blob = NULL;
return NT_STATUS_OK;
}
pac_blob = talloc_zero(mem_ctx, DATA_BLOB);
if (!pac_blob) {
return NT_STATUS_NO_MEMORY;
}
nt_status = authsam_make_user_info_dc(mem_ctx, p->kdc_db_ctx->samdb,
lpcfg_netbios_name(p->kdc_db_ctx->lp_ctx),
lpcfg_sam_name(p->kdc_db_ctx->lp_ctx),
p->realm_dn,
p->msg,
data_blob(NULL, 0),
data_blob(NULL, 0),
&user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0, ("Getting user info for PAC failed: %s\n",
nt_errstr(nt_status)));
return nt_status;
}
nt_status = samba_get_logon_info_pac_blob(mem_ctx, user_info_dc, pac_blob);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0, ("Building PAC failed: %s\n",
nt_errstr(nt_status)));
return nt_status;
}
*_pac_blob = pac_blob;
return NT_STATUS_OK;
}
int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
char *pwd,
krb5_db_entry *db_entry)
{
NTSTATUS status;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
TALLOC_CTX *tmp_ctx;
DATA_BLOB password;
enum samPwdChangeReason reject_reason;
struct samr_DomInfo1 *dominfo;
const char *error_string = NULL;
struct auth_user_info_dc *user_info_dc;
struct samba_kdc_entry *p;
krb5_error_code code = 0;
#ifdef DEBUG_PASSWORD
DEBUG(1,("mit_samba_kpasswd_change_password called with: %s\n", pwd));
#endif
tmp_ctx = talloc_named(ctx, 0, "mit_samba_kpasswd_change_password");
if (tmp_ctx == NULL) {
return ENOMEM;
}
p = (struct samba_kdc_entry *)db_entry->e_data;
status = authsam_make_user_info_dc(tmp_ctx,
ctx->db_ctx->samdb,
lpcfg_netbios_name(ctx->db_ctx->lp_ctx),
lpcfg_sam_name(ctx->db_ctx->lp_ctx),
p->realm_dn,
p->msg,
data_blob(NULL, 0),
data_blob(NULL, 0),
&user_info_dc);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1,("authsam_make_user_info_dc failed: %s\n",
nt_errstr(status)));
talloc_free(tmp_ctx);
return EINVAL;
}
status = auth_generate_session_info(tmp_ctx,
ctx->db_ctx->lp_ctx,
ctx->db_ctx->samdb,
user_info_dc,
0, /* session_info_flags */
&ctx->session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1,("auth_generate_session_info failed: %s\n",
nt_errstr(status)));
talloc_free(tmp_ctx);
return EINVAL;
}
/* password is expected as UTF16 */
if (!convert_string_talloc(tmp_ctx, CH_UTF8, CH_UTF16,
pwd, strlen(pwd),
&password.data, &password.length)) {
DEBUG(1,("convert_string_talloc failed\n"));
talloc_free(tmp_ctx);
return EINVAL;
}
status = samdb_kpasswd_change_password(tmp_ctx,
ctx->db_ctx->lp_ctx,
ctx->db_ctx->ev_ctx,
ctx->db_ctx->samdb,
ctx->session_info,
&password,
&reject_reason,
&dominfo,
&error_string,
&result);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1,("samdb_kpasswd_change_password failed: %s\n",
nt_errstr(status)));
code = KADM5_PASS_Q_GENERIC;
krb5_set_error_message(ctx->context, code, "%s", error_string);
goto out;
}
if (!NT_STATUS_IS_OK(result)) {
code = mit_samba_change_pwd_error(ctx->context,
result,
reject_reason,
dominfo);
}
out:
talloc_free(tmp_ctx);
return code;
}
static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
struct auth_user_info_dc **user_info_dc)
{
NTSTATUS nt_status;
const char *account_name = user_info->mapped.account_name;
struct ldb_message *msg;
struct ldb_dn *domain_dn;
DATA_BLOB user_sess_key, lm_sess_key;
TALLOC_CTX *tmp_ctx;
if (ctx->auth_ctx->sam_ctx == NULL) {
DEBUG(0, ("No SAM available, cannot log in users\n"));
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
if (!account_name || !*account_name) {
/* 'not for me' */
return NT_STATUS_NOT_IMPLEMENTED;
}
tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) {
return NT_STATUS_NO_MEMORY;
}
domain_dn = ldb_get_default_basedn(ctx->auth_ctx->sam_ctx);
if (domain_dn == NULL) {
talloc_free(tmp_ctx);
return NT_STATUS_NO_SUCH_DOMAIN;
}
nt_status = authsam_search_account(tmp_ctx, ctx->auth_ctx->sam_ctx, account_name, domain_dn, &msg);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return nt_status;
}
nt_status = authsam_authenticate(ctx->auth_ctx, tmp_ctx, ctx->auth_ctx->sam_ctx, domain_dn, msg, user_info,
&user_sess_key, &lm_sess_key);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return nt_status;
}
nt_status = authsam_make_user_info_dc(tmp_ctx, ctx->auth_ctx->sam_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx),
lpcfg_sam_name(ctx->auth_ctx->lp_ctx),
domain_dn,
msg,
user_sess_key, lm_sess_key,
user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return nt_status;
}
talloc_steal(mem_ctx, *user_info_dc);
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
struct auth_user_info_dc **user_info_dc,
bool *authoritative)
{
NTSTATUS nt_status;
const char *account_name = user_info->mapped.account_name;
struct ldb_message *msg;
struct ldb_dn *domain_dn;
DATA_BLOB user_sess_key, lm_sess_key;
TALLOC_CTX *tmp_ctx;
const char *p = NULL;
if (ctx->auth_ctx->sam_ctx == NULL) {
DEBUG(0, ("No SAM available, cannot log in users\n"));
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
if (!account_name || !*account_name) {
/* 'not for me' */
return NT_STATUS_NOT_IMPLEMENTED;
}
tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) {
return NT_STATUS_NO_MEMORY;
}
domain_dn = ldb_get_default_basedn(ctx->auth_ctx->sam_ctx);
if (domain_dn == NULL) {
talloc_free(tmp_ctx);
return NT_STATUS_NO_SUCH_DOMAIN;
}
p = strchr_m(account_name, '@');
if (p != NULL) {
const char *nt4_domain = NULL;
const char *nt4_account = NULL;
bool is_my_domain = false;
nt_status = crack_name_to_nt4_name(mem_ctx,
ctx->auth_ctx->sam_ctx,
/*
* DRSUAPI_DS_NAME_FORMAT_UPN_FOR_LOGON ?
*/
DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL,
account_name,
&nt4_domain, &nt4_account);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return NT_STATUS_NO_SUCH_USER;
}
is_my_domain = lpcfg_is_mydomain(ctx->auth_ctx->lp_ctx, nt4_domain);
if (!is_my_domain) {
/*
* This is a user within our forest,
* but in a different domain,
* we're not authoritative
*/
talloc_free(tmp_ctx);
return NT_STATUS_NOT_IMPLEMENTED;
}
/*
* Let's use the NT4 account name for the lookup.
*/
account_name = nt4_account;
}
nt_status = authsam_search_account(tmp_ctx, ctx->auth_ctx->sam_ctx, account_name, domain_dn, &msg);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return nt_status;
}
nt_status = authsam_authenticate(ctx->auth_ctx, tmp_ctx, ctx->auth_ctx->sam_ctx, domain_dn, msg, user_info,
&user_sess_key, &lm_sess_key, authoritative);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return nt_status;
}
nt_status = authsam_make_user_info_dc(tmp_ctx, ctx->auth_ctx->sam_ctx,
lpcfg_netbios_name(ctx->auth_ctx->lp_ctx),
lpcfg_sam_name(ctx->auth_ctx->lp_ctx),
lpcfg_sam_dnsname(ctx->auth_ctx->lp_ctx),
domain_dn,
msg,
user_sess_key, lm_sess_key,
user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return nt_status;
}
talloc_steal(mem_ctx, *user_info_dc);
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
