1 /*
2 Unix SMB/CIFS implementation.
3 async implementation of WINBINDD_PAM_AUTH_CRAP
4 Copyright (C) Volker Lendecke 2010
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "winbindd.h"
22 #include "rpc_client/util_netlogon.h"
23 #include "libcli/security/dom_sid.h"
24
25 struct winbindd_pam_auth_crap_state {
26 struct winbindd_response *response;
27 uint32_t flags;
28 };
29
30 static void winbindd_pam_auth_crap_done(struct tevent_req *subreq);
31
winbindd_pam_auth_crap_send(TALLOC_CTX * mem_ctx,struct tevent_context * ev,struct winbindd_cli_state * cli,struct winbindd_request * request)32 struct tevent_req *winbindd_pam_auth_crap_send(
33 TALLOC_CTX *mem_ctx,
34 struct tevent_context *ev,
35 struct winbindd_cli_state *cli,
36 struct winbindd_request *request)
37 {
38 struct tevent_req *req, *subreq;
39 struct winbindd_pam_auth_crap_state *state;
40 struct winbindd_domain *domain;
41 const char *auth_domain = NULL;
42
43 req = tevent_req_create(mem_ctx, &state,
44 struct winbindd_pam_auth_crap_state);
45 if (req == NULL) {
46 return NULL;
47 }
48
49 state->flags = request->flags;
50
51 if (state->flags & WBFLAG_PAM_AUTH_PAC) {
52 bool is_trusted = false;
53 uint16_t validation_level;
54 union netr_Validation *validation = NULL;
55 NTSTATUS status;
56
57 status = winbindd_pam_auth_pac_verify(cli,
58 &is_trusted,
59 &validation_level,
60 &validation);
61 if (tevent_req_nterror(req, status)) {
62 return tevent_req_post(req, ev);
63 }
64
65 state->response = talloc_zero(state,
66 struct winbindd_response);
67 if (tevent_req_nomem(state->response, req)) {
68 return tevent_req_post(req, ev);
69 }
70 state->response->result = WINBINDD_PENDING;
71 state->response->length = sizeof(struct winbindd_response);
72
73 status = append_auth_data(state->response,
74 state->response,
75 state->flags,
76 validation_level,
77 validation,
78 NULL, NULL);
79 TALLOC_FREE(validation);
80 if (tevent_req_nterror(req, status)) {
81 return tevent_req_post(req, ev);
82 }
83
84 if (is_trusted && (state->flags & WBFLAG_PAM_INFO3_TEXT)) {
85 bool ok;
86
87 ok = add_trusted_domain_from_auth(
88 state->response->data.auth.validation_level,
89 &state->response->data.auth.info3,
90 &state->response->data.auth.info6);
91 if (!ok) {
92 DBG_ERR("add_trusted_domain_from_auth failed\n");
93 tevent_req_nterror(req, NT_STATUS_LOGON_FAILURE);
94 return tevent_req_post(req, ev);
95 }
96 }
97
98 tevent_req_done(req);
99 return tevent_req_post(req, ev);
100 }
101
102 /* Ensure null termination */
103 request->data.auth_crap.user[
104 sizeof(request->data.auth_crap.user)-1] = '\0';
105 request->data.auth_crap.domain[
106 sizeof(request->data.auth_crap.domain)-1] = '\0';
107 request->data.auth_crap.workstation[
108 sizeof(request->data.auth_crap.workstation)-1] = '\0';
109
110 DEBUG(3, ("[%5lu]: pam auth crap domain: [%s] user: %s\n",
111 (unsigned long)cli->pid,
112 request->data.auth_crap.domain,
113 request->data.auth_crap.user));
114
115 if (!check_request_flags(request->flags)) {
116 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
117 return tevent_req_post(req, ev);
118 }
119
120 auth_domain = request->data.auth_crap.domain;
121 if (auth_domain[0] == '\0') {
122 auth_domain = lp_workgroup();
123 }
124
125 domain = find_auth_domain(request->flags, auth_domain);
126 if (domain == NULL) {
127 tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
128 return tevent_req_post(req, ev);
129 }
130
131 if (request->data.auth_crap.workstation[0] == '\0') {
132 fstrcpy(request->data.auth_crap.workstation, lp_netbios_name());
133 }
134
135 subreq = wb_domain_request_send(state, global_event_context(), domain,
136 request);
137 if (tevent_req_nomem(subreq, req)) {
138 return tevent_req_post(req, ev);
139 }
140 tevent_req_set_callback(subreq, winbindd_pam_auth_crap_done, req);
141 return req;
142 }
143
winbindd_pam_auth_crap_done(struct tevent_req * subreq)144 static void winbindd_pam_auth_crap_done(struct tevent_req *subreq)
145 {
146 struct tevent_req *req = tevent_req_callback_data(
147 subreq, struct tevent_req);
148 struct winbindd_pam_auth_crap_state *state = tevent_req_data(
149 req, struct winbindd_pam_auth_crap_state);
150 int res, err;
151
152 res = wb_domain_request_recv(subreq, state, &state->response, &err);
153 TALLOC_FREE(subreq);
154 if (res == -1) {
155 tevent_req_nterror(req, map_nt_error_from_unix(err));
156 return;
157 }
158
159 if (NT_STATUS_IS_OK(NT_STATUS(state->response->data.auth.nt_status)) &&
160 (state->flags & WBFLAG_PAM_INFO3_TEXT))
161 {
162 bool ok;
163
164 ok = add_trusted_domain_from_auth(
165 state->response->data.auth.validation_level,
166 &state->response->data.auth.info3,
167 &state->response->data.auth.info6);
168 if (!ok) {
169 DBG_ERR("add_trusted_domain_from_auth failed\n");
170 tevent_req_nterror(req, NT_STATUS_LOGON_FAILURE);
171 return;
172 }
173 }
174
175 tevent_req_done(req);
176 }
177
winbindd_pam_auth_crap_recv(struct tevent_req * req,struct winbindd_response * response)178 NTSTATUS winbindd_pam_auth_crap_recv(struct tevent_req *req,
179 struct winbindd_response *response)
180 {
181 struct winbindd_pam_auth_crap_state *state = tevent_req_data(
182 req, struct winbindd_pam_auth_crap_state);
183 NTSTATUS status;
184
185 if (tevent_req_is_nterror(req, &status)) {
186 set_auth_errors(response, status);
187 return status;
188 }
189
190 *response = *state->response;
191 response->result = WINBINDD_PENDING;
192 state->response = talloc_move(response, &state->response);
193 return NT_STATUS(response->data.auth.nt_status);
194 }
195