示例#1
0
文件: wbclient.c 项目: runt18/samba
static bool test_wbc_authenticate_user_int(struct torture_context *tctx,
        const char *correct_password)
{
    struct wbcAuthUserParams params;
    struct wbcAuthUserInfo *info = NULL;
    struct wbcAuthErrorInfo *error = NULL;
    wbcErr ret;

    ret = wbcAuthenticateUser(cli_credentials_get_username(cmdline_credentials), correct_password);
    torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
                             "wbcAuthenticateUser of %s failed",
                             cli_credentials_get_username(cmdline_credentials));

    ZERO_STRUCT(params);
    params.account_name		= cli_credentials_get_username(cmdline_credentials);
    params.level			= WBC_AUTH_USER_LEVEL_PLAIN;
    params.password.plaintext	= correct_password;

    ret = wbcAuthenticateUserEx(&params, &info, &error);
    torture_assert_wbc_equal(tctx, ret, WBC_ERR_SUCCESS,
                             "wbcAuthenticateUserEx of %s failed", params.account_name);
    wbcFreeMemory(info);
    info = NULL;

    wbcFreeMemory(error);
    error = NULL;

    params.password.plaintext       = "wrong";
    ret = wbcAuthenticateUserEx(&params, &info, &error);
    torture_assert_wbc_equal(tctx, ret, WBC_ERR_AUTH_ERROR,
                             "wbcAuthenticateUserEx for %s succeeded where it "
                             "should have failed", params.account_name);
    wbcFreeMemory(info);
    info = NULL;

    wbcFreeMemory(error);
    error = NULL;

    return true;
}
示例#2
0
文件: wbc_pam.c 项目: hef/samba
/* Authenticate a username/password pair */
wbcErr wbcAuthenticateUser(const char *username,
			   const char *password)
{
	wbcErr wbc_status = WBC_ERR_SUCCESS;
	struct wbcAuthUserParams params;

	ZERO_STRUCT(params);

	params.account_name		= username;
	params.level			= WBC_AUTH_USER_LEVEL_PLAIN;
	params.password.plaintext	= password;

	wbc_status = wbcAuthenticateUserEx(&params, NULL, NULL);
	BAIL_ON_WBC_ERROR(wbc_status);

done:
	return wbc_status;
}
示例#3
0
static bool wbinfo_auth_crap(char *username, const char *pass)
{
	wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
	struct wbcAuthUserParams params;
	struct wbcAuthUserInfo *info = NULL;
	struct wbcAuthErrorInfo *err = NULL;
	DATA_BLOB lm = data_blob_null;
	DATA_BLOB nt = data_blob_null;
	fstring name_user;
	fstring name_domain;

	parse_wbinfo_domain_user(username, name_domain, name_user);

	params.account_name	= name_user;
	params.domain_name	= name_domain;
	params.workstation_name	= NULL;

	params.flags		= 0;
	params.parameter_control= WBC_MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT |
				  WBC_MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT;

	params.level		= WBC_AUTH_USER_LEVEL_RESPONSE;

	generate_random_buffer(params.password.response.challenge, 8);

	if (lp_client_ntlmv2_auth()) {
		DATA_BLOB server_chal;
		DATA_BLOB names_blob;

		server_chal = data_blob(params.password.response.challenge, 8);

		/* Pretend this is a login to 'us', for blob purposes */
		names_blob = NTLMv2_generate_names_blob(global_myname(), lp_workgroup());

		if (!SMBNTLMv2encrypt(name_user, name_domain, pass, &server_chal,
				      &names_blob,
				      &lm, &nt, NULL)) {
			data_blob_free(&names_blob);
			data_blob_free(&server_chal);
			return false;
		}
		data_blob_free(&names_blob);
		data_blob_free(&server_chal);

	} else {
		if (lp_client_lanman_auth()) {
			bool ok;
			lm = data_blob(NULL, 24);
			ok = SMBencrypt(pass, params.password.response.challenge,
					lm.data);
			if (!ok) {
				data_blob_free(&lm);
			}
		}
		nt = data_blob(NULL, 24);
		SMBNTencrypt(pass, params.password.response.challenge,
			     nt.data);
	}

	params.password.response.nt_length	= nt.length;
	params.password.response.nt_data	= nt.data;
	params.password.response.lm_length	= lm.length;
	params.password.response.lm_data	= lm.data;

	wbc_status = wbcAuthenticateUserEx(&params, &info, &err);

	/* Display response */

	d_printf("challenge/response password authentication %s\n",
		 WBC_ERROR_IS_OK(wbc_status) ? "succeeded" : "failed");

	if (wbc_status == WBC_ERR_AUTH_ERROR) {
		d_fprintf(stderr, "error code was %s (0x%x)\nerror messsage was: %s\n", 
			 err->nt_string,
			 err->nt_status,
			 err->display_string);
		wbcFreeMemory(err);
	} else if (WBC_ERROR_IS_OK(wbc_status)) {
		wbcFreeMemory(info);
	}

	data_blob_free(&nt);
	data_blob_free(&lm);

	return WBC_ERROR_IS_OK(wbc_status);
}
示例#4
0
文件: auth_wbc.c 项目: endisd/samba
static NTSTATUS check_wbc_security(const struct auth_context *auth_context,
				       void *my_private_data,
				       TALLOC_CTX *mem_ctx,
				       const struct auth_usersupplied_info *user_info,
				       struct auth_serversupplied_info **server_info)
{
	NTSTATUS nt_status;
	wbcErr wbc_status;
	struct wbcAuthUserParams params;
	struct wbcAuthUserInfo *info = NULL;
	struct wbcAuthErrorInfo *err = NULL;

	if (!user_info || !auth_context || !server_info) {
		return NT_STATUS_INVALID_PARAMETER;
	}
	/* Send off request */

	params.account_name	= user_info->smb_name;
	params.domain_name	= user_info->domain;
	params.workstation_name	= user_info->wksta_name;

	params.flags		= 0;
	params.parameter_control= user_info->logon_parameters;

	/* Handle plaintext */
	if (!user_info->encrypted) {
		DEBUG(3,("Checking plaintext password for %s.\n",
			 user_info->internal_username));
		params.level = WBC_AUTH_USER_LEVEL_PLAIN;

		params.password.plaintext = (char *)user_info->plaintext_password.data;
	} else {
		DEBUG(3,("Checking encrypted password for %s.\n",
			 user_info->internal_username));
		params.level = WBC_AUTH_USER_LEVEL_RESPONSE;

		memcpy(params.password.response.challenge,
		    auth_context->challenge.data,
		    sizeof(params.password.response.challenge));

		params.password.response.nt_length = user_info->nt_resp.length;
		params.password.response.nt_data = user_info->nt_resp.data;
		params.password.response.lm_length = user_info->lm_resp.length;
		params.password.response.lm_data = user_info->lm_resp.data;

	}

	/* we are contacting the privileged pipe */
	become_root();
	wbc_status = wbcAuthenticateUserEx(&params, &info, &err);
	unbecome_root();

	if (!WBC_ERROR_IS_OK(wbc_status)) {
		DEBUG(10,("wbcAuthenticateUserEx failed (%d): %s\n",
			wbc_status, wbcErrorString(wbc_status)));
	}

	if (wbc_status == WBC_ERR_NO_MEMORY) {
		return NT_STATUS_NO_MEMORY;
	}

	if (wbc_status == WBC_ERR_AUTH_ERROR) {
		nt_status = NT_STATUS(err->nt_status);
		wbcFreeMemory(err);
		return nt_status;
	}

	if (!WBC_ERROR_IS_OK(wbc_status)) {
		return NT_STATUS_LOGON_FAILURE;
	}

	DEBUG(10,("wbcAuthenticateUserEx succeeded\n"));

	nt_status = make_server_info_wbcAuthUserInfo(mem_ctx,
						     user_info->smb_name,
						     user_info->domain,
						     info, server_info);
	wbcFreeMemory(info);
	if (!NT_STATUS_IS_OK(nt_status)) {
		return nt_status;
	}

	(*server_info)->nss_token |= user_info->was_mapped;

        return nt_status;
}
示例#5
0
static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
                                       void *my_private_data,
                                       TALLOC_CTX *mem_ctx,
                                       const struct auth_usersupplied_info *user_info,
                                       struct auth_serversupplied_info **server_info)
{
    NTSTATUS nt_status;
    wbcErr wbc_status;
    struct wbcAuthUserParams params;
    struct wbcAuthUserInfo *info = NULL;
    struct wbcAuthErrorInfo *err = NULL;

    ZERO_STRUCT(params);

    if (!user_info) {
        return NT_STATUS_INVALID_PARAMETER;
    }

    DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));

    if (!auth_context) {
        DEBUG(3,("Password for user %s cannot be checked because we have no auth_info to get the challenge from.\n",
                 user_info->mapped.account_name));
        return NT_STATUS_INVALID_PARAMETER;
    }

    if (strequal(user_info->mapped.domain_name, get_global_sam_name())) {
        DEBUG(3,("check_winbind_security: Not using winbind, requested domain [%s] was for this SAM.\n",
                 user_info->mapped.domain_name));
        return NT_STATUS_NOT_IMPLEMENTED;
    }

    /* Send off request */
    params.account_name	= user_info->client.account_name;
    /*
     * We need to send the domain name from the client to the DC. With
     * NTLMv2 the domain name is part of the hashed second challenge,
     * if we change the domain name, the DC will fail to verify the
     * challenge cause we changed the domain name, this is like a
     * man in the middle attack.
     */
    params.domain_name	= user_info->client.domain_name;
    params.workstation_name	= user_info->workstation_name;

    params.flags		= 0;
    params.parameter_control= user_info->logon_parameters;

    params.level		= WBC_AUTH_USER_LEVEL_RESPONSE;

    memcpy(params.password.response.challenge,
           auth_context->challenge.data,
           sizeof(params.password.response.challenge));

    if (user_info->password.response.nt.length != 0) {
        params.password.response.nt_length =
            user_info->password.response.nt.length;
        params.password.response.nt_data =
            user_info->password.response.nt.data;
    }
    if (user_info->password.response.lanman.length != 0) {
        params.password.response.lm_length =
            user_info->password.response.lanman.length;
        params.password.response.lm_data =
            user_info->password.response.lanman.data;
    }

    /* we are contacting the privileged pipe */
    become_root();
    wbc_status = wbcAuthenticateUserEx(&params, &info, &err);
    unbecome_root();

    if (!WBC_ERROR_IS_OK(wbc_status)) {
        DEBUG(10,("check_winbind_security: wbcAuthenticateUserEx failed: %s\n",
                  wbcErrorString(wbc_status)));
    }

    if (wbc_status == WBC_ERR_NO_MEMORY) {
        return NT_STATUS_NO_MEMORY;
    }

    if (wbc_status == WBC_ERR_WINBIND_NOT_AVAILABLE) {
        struct auth_methods *auth_method =
            (struct auth_methods *)my_private_data;

        if ( auth_method )
            return auth_method->auth(auth_context, auth_method->private_data,
                                     mem_ctx, user_info, server_info);
        return NT_STATUS_LOGON_FAILURE;
    }

    if (wbc_status == WBC_ERR_AUTH_ERROR) {
        nt_status = NT_STATUS(err->nt_status);
        wbcFreeMemory(err);
        return nt_status;
    }

    if (!WBC_ERROR_IS_OK(wbc_status)) {
        return NT_STATUS_LOGON_FAILURE;
    }

    nt_status = make_server_info_wbcAuthUserInfo(mem_ctx,
                user_info->client.account_name,
                user_info->mapped.domain_name,
                info, server_info);
    wbcFreeMemory(info);
    if (!NT_STATUS_IS_OK(nt_status)) {
        return nt_status;
    }

    (*server_info)->nss_token |= user_info->was_mapped;

    return nt_status;
}
示例#6
0
/**
 * @brief Convert a principal (as returned by @c gss_display_name) to a UID
 *
 * @param[in]     name The principal of the user
 * @param[out]    uid The resulting UID
 *
 * @return true if successful, false otherwise
 */
bool principal2uid(char *principal, uid_t *uid, gid_t *gid)
#endif
{
#ifdef USE_NFSIDMAP
	uid_t gss_uid = ANON_UID;
	gid_t gss_gid = ANON_GID;
	const gid_t *gss_gidres = NULL;
	int rc;
	bool success;
	struct gsh_buffdesc princbuff = {
		.addr = principal,
		.len = strlen(principal)
	};
#endif

	if (nfs_param.nfsv4_param.use_getpwnam)
		return false;

#ifdef USE_NFSIDMAP
	PTHREAD_RWLOCK_rdlock(&idmapper_user_lock);
	success =
	    idmapper_lookup_by_uname(&princbuff, &gss_uid, &gss_gidres, true);
	if (success && gss_gidres)
		gss_gid = *gss_gidres;
	PTHREAD_RWLOCK_unlock(&idmapper_user_lock);
	if (unlikely(!success)) {
		if ((princbuff.len >= 4)
		    && (!memcmp(princbuff.addr, "nfs/", 4)
			|| !memcmp(princbuff.addr, "root/", 5)
			|| !memcmp(princbuff.addr, "host/", 5))) {
			/* NFSv4 specific features: RPCSEC_GSS will
			 * provide user like
			 *
			 * nfs/<host>
			 * root/<host>
			 * host/<host>
			 * choice is made to map them to root */
			/* This is a "root" request made from the
			   hostbased nfs principal, use root */
			*uid = 0;
			return true;
		}
		/* nfs4_gss_princ_to_ids required to extract uid/gid
		   from gss creds */
		rc = nfs4_gss_princ_to_ids("krb5", principal, &gss_uid,
					   &gss_gid);
		if (rc) {
#ifdef _MSPAC_SUPPORT
			bool found_uid = false;
			bool found_gid = false;

			if (gd->flags & SVC_RPC_GSS_FLAG_MSPAC) {
				struct wbcAuthUserParams params;
				wbcErr wbc_err;
				struct wbcAuthUserInfo *info;
				struct wbcAuthErrorInfo *error = NULL;

				memset(&params, 0, sizeof(params));
				params.level = WBC_AUTH_USER_LEVEL_PAC;
				params.password.pac.data =
				    (uint8_t *) gd->pac.ms_pac.value;
				params.password.pac.length =
				    gd->pac.ms_pac.length;

				wbc_err =
				    wbcAuthenticateUserEx(&params, &info,
							  &error);
				if (!WBC_ERROR_IS_OK(wbc_err)) {
					LogCrit(COMPONENT_IDMAPPER,
						"wbcAuthenticateUserEx returned %s",
						wbcErrorString(wbc_err));
					return false;
				}

				if (error) {
					LogCrit(COMPONENT_IDMAPPER,
						"nt_status: %s, display_string %s",
						error->nt_string,
						error->display_string);
					wbcFreeMemory(error);
					return false;
				}

				/* 1st SID is account sid, see wbclient.h */
				wbc_err =
				    wbcSidToUid(&info->sids[0].sid, &gss_uid);
				if (!WBC_ERROR_IS_OK(wbc_err)) {
					LogCrit(COMPONENT_IDMAPPER,
						"wbcSidToUid for uid returned %s",
						wbcErrorString(wbc_err));
					wbcFreeMemory(info);
					return false;
				}

				/* 2nd SID is primary_group sid, see
				   wbclient.h */
				wbc_err =
				    wbcSidToGid(&info->sids[1].sid, &gss_gid);
				if (!WBC_ERROR_IS_OK(wbc_err)) {
					LogCrit(COMPONENT_IDMAPPER,
						"wbcSidToUid for gid returned %s\n",
						wbcErrorString(wbc_err));
					wbcFreeMemory(info);
					return false;
				}
				wbcFreeMemory(info);
				found_uid = true;
				found_gid = true;
			}
#endif				/* _MSPAC_SUPPORT */
#ifdef _MSPAC_SUPPORT
			if ((found_uid == true) && (found_gid == true))
				goto principal_found;
#endif

			return false;
		}
#ifdef _MSPAC_SUPPORT
 principal_found:
#endif

		PTHREAD_RWLOCK_wrlock(&idmapper_user_lock);
		success =
		    idmapper_add_user(&princbuff, gss_uid, &gss_gid, true);
		PTHREAD_RWLOCK_unlock(&idmapper_user_lock);

		if (!success) {
			LogMajor(COMPONENT_IDMAPPER,
				 "idmapper_add_user(%s, %d, %d) failed",
				 principal, gss_uid, gss_gid);
		}
	}

	*uid = gss_uid;
	*gid = gss_gid;

	return true;
#else				/* !USE_NFSIDMAP */
	assert(!"prohibited by configuration");
	return false;
#endif
}
示例#7
0
static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
				       void *my_private_data, 
				       TALLOC_CTX *mem_ctx,
				       const auth_usersupplied_info *user_info, 
				       auth_serversupplied_info **server_info)
{
	NTSTATUS nt_status;
	wbcErr wbc_status;
	struct wbcAuthUserParams params;
	struct wbcAuthUserInfo *info = NULL;
	struct wbcAuthErrorInfo *err = NULL;

	if (!user_info) {
		return NT_STATUS_INVALID_PARAMETER;
	}

	if (!auth_context) {
		DEBUG(3,("Password for user %s cannot be checked because we have no auth_info to get the challenge from.\n", 
			 user_info->internal_username));
		return NT_STATUS_INVALID_PARAMETER;
	}		

	if (strequal(user_info->domain, get_global_sam_name())) {
		DEBUG(3,("check_winbind_security: Not using winbind, requested domain [%s] was for this SAM.\n",
			user_info->domain));
		return NT_STATUS_NOT_IMPLEMENTED;
	}

	/* Send off request */

	params.account_name	= user_info->smb_name;
	params.domain_name	= user_info->domain;
	params.workstation_name	= user_info->wksta_name;

	params.flags		= 0;
	params.parameter_control= user_info->logon_parameters;

	params.level		= WBC_AUTH_USER_LEVEL_RESPONSE;

	memcpy(params.password.response.challenge,
	       auth_context->challenge.data,
	       sizeof(params.password.response.challenge));

	params.password.response.nt_length	= user_info->nt_resp.length;
	params.password.response.nt_data	= user_info->nt_resp.data;
	params.password.response.lm_length	= user_info->lm_resp.length;
	params.password.response.lm_data	= user_info->lm_resp.data;

	/* we are contacting the privileged pipe */
	become_root();
	wbc_status = wbcAuthenticateUserEx(&params, &info, &err);
	unbecome_root();

	if (!WBC_ERROR_IS_OK(wbc_status)) {
		DEBUG(10,("check_winbind_security: wbcAuthenticateUserEx failed: %s\n",
			wbcErrorString(wbc_status)));
	}

	if (wbc_status == WBC_ERR_NO_MEMORY) {
		return NT_STATUS_NO_MEMORY;
	}

	if (wbc_status == WBC_ERR_WINBIND_NOT_AVAILABLE) {
		struct auth_methods *auth_method =
			(struct auth_methods *)my_private_data;

		if ( auth_method )
			return auth_method->auth(auth_context, auth_method->private_data, 
				mem_ctx, user_info, server_info);
		else
			/* log an error since this should not happen */
			DEBUG(0,("check_winbind_security: ERROR!  my_private_data == NULL!\n"));
	}

	if (wbc_status == WBC_ERR_AUTH_ERROR) {
		nt_status = NT_STATUS(err->nt_status);
		wbcFreeMemory(err);
		return nt_status;
	}

	if (!WBC_ERROR_IS_OK(wbc_status)) {
		return NT_STATUS_LOGON_FAILURE;
	}

	nt_status = make_server_info_wbcAuthUserInfo(mem_ctx,
						     user_info->smb_name,
						     user_info->domain,
						     info, server_info);
	wbcFreeMemory(info);
	if (!NT_STATUS_IS_OK(nt_status)) {
		return nt_status;
	}

	(*server_info)->nss_token |= user_info->was_mapped;

        return nt_status;
}