search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-tests: nfs_iterate_test() marks RPC service down
[samba4-gss.git] / nsswitch / libwbclient / wbc_pam.c
blob909f3fae6b4516427e6495cb302335c3c8c5be4a
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind client API
5
6 Copyright (C) Gerald (Jerry) Carter 2007
7 Copyright (C) Guenther Deschner 2008
8 Copyright (C) Volker Lendecke 2009
9
10 This library is free software; you can redistribute it and/or
11 modify it under the terms of the GNU Lesser General Public
12 License as published by the Free Software Foundation; either
13 version 3 of the License, or (at your option) any later version.
14
15 This library is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 Library General Public License for more details.
19
20 You should have received a copy of the GNU Lesser General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 /* Required Headers */
25
26 #include "replace.h"
27 #include "libwbclient.h"
28 #include "../winbind_client.h"
29
30 /* Authenticate a username/password pair */
31 _PUBLIC_
32 wbcErr wbcCtxAuthenticateUser(struct wbcContext *ctx,
33 const char *username, const char *password)
34 {
35 wbcErr wbc_status = WBC_ERR_SUCCESS;
36 struct wbcAuthUserParams params;
37
38 ZERO_STRUCT(params);
39
40 params.account_name = username;
41 params.level = WBC_AUTH_USER_LEVEL_PLAIN;
42 params.password.plaintext = password;
43
44 wbc_status = wbcCtxAuthenticateUserEx(ctx, &params, NULL, NULL);
45 BAIL_ON_WBC_ERROR(wbc_status);
46
47 done:
48 return wbc_status;
49 }
50
51 _PUBLIC_
52 wbcErr wbcAuthenticateUser(const char *username, const char *password)
53 {
54 return wbcCtxAuthenticateUser(NULL, username, password);
55 }
56
57 static bool sid_attr_compose(struct wbcSidWithAttr *s,
58 const struct wbcDomainSid *d,
59 uint32_t rid, uint32_t attr)
60 {
61 if (d->num_auths >= WBC_MAXSUBAUTHS) {
62 return false;
63 }
64 s->sid = *d;
65 s->sid.sub_auths[s->sid.num_auths++] = rid;
66 s->attributes = attr;
67 return true;
68 }
69
70 static void wbcAuthUserInfoDestructor(void *ptr)
71 {
72 struct wbcAuthUserInfo *i = (struct wbcAuthUserInfo *)ptr;
73 free(i->account_name);
74 free(i->user_principal);
75 free(i->full_name);
76 free(i->domain_name);
77 free(i->dns_domain_name);
78 free(i->logon_server);
79 free(i->logon_script);
80 free(i->profile_path);
81 free(i->home_directory);
82 free(i->home_drive);
83 free(i->sids);
84 }
85
86 static wbcErr wbc_create_auth_info(const struct winbindd_response *resp,
87 struct wbcAuthUserInfo **_i)
88 {
89 wbcErr wbc_status = WBC_ERR_SUCCESS;
90 struct wbcAuthUserInfo *i;
91 struct wbcDomainSid domain_sid;
92 char *p;
93 uint32_t sn = 0;
94 uint32_t j;
95
96 i = (struct wbcAuthUserInfo *)wbcAllocateMemory(
97 1, sizeof(struct wbcAuthUserInfo),
98 wbcAuthUserInfoDestructor);
99 BAIL_ON_PTR_ERROR(i, wbc_status);
100
101 i->user_flags = resp->data.auth.info3.user_flgs;
102
103 i->account_name = strdup(resp->data.auth.info3.user_name);
104 BAIL_ON_PTR_ERROR(i->account_name, wbc_status);
105 if (resp->data.auth.validation_level == 6) {
106 i->user_principal = strdup(resp->data.auth.info6.principal_name);
107 BAIL_ON_PTR_ERROR(i->user_principal, wbc_status);
108 } else {
109 i->user_principal = NULL;
110 }
111 i->full_name = strdup(resp->data.auth.info3.full_name);
112 BAIL_ON_PTR_ERROR(i->full_name, wbc_status);
113 i->domain_name = strdup(resp->data.auth.info3.logon_dom);
114 BAIL_ON_PTR_ERROR(i->domain_name, wbc_status);
115 if (resp->data.auth.validation_level == 6) {
116 i->dns_domain_name = strdup(resp->data.auth.info6.dns_domainname);
117 BAIL_ON_PTR_ERROR(i->dns_domain_name, wbc_status);
118 } else {
119 i->dns_domain_name = NULL;
120 }
121
122 i->acct_flags = resp->data.auth.info3.acct_flags;
123 memcpy(i->user_session_key,
124 resp->data.auth.user_session_key,
125 sizeof(i->user_session_key));
126 memcpy(i->lm_session_key,
127 resp->data.auth.first_8_lm_hash,
128 sizeof(i->lm_session_key));
129
130 i->logon_count = resp->data.auth.info3.logon_count;
131 i->bad_password_count = resp->data.auth.info3.bad_pw_count;
132
133 i->logon_time = resp->data.auth.info3.logon_time;
134 i->logoff_time = resp->data.auth.info3.logoff_time;
135 i->kickoff_time = resp->data.auth.info3.kickoff_time;
136 i->pass_last_set_time = resp->data.auth.info3.pass_last_set_time;
137 i->pass_can_change_time = resp->data.auth.info3.pass_can_change_time;
138 i->pass_must_change_time= resp->data.auth.info3.pass_must_change_time;
139
140 i->logon_server = strdup(resp->data.auth.info3.logon_srv);
141 BAIL_ON_PTR_ERROR(i->logon_server, wbc_status);
142 i->logon_script = strdup(resp->data.auth.info3.logon_script);
143 BAIL_ON_PTR_ERROR(i->logon_script, wbc_status);
144 i->profile_path = strdup(resp->data.auth.info3.profile_path);
145 BAIL_ON_PTR_ERROR(i->profile_path, wbc_status);
146 i->home_directory= strdup(resp->data.auth.info3.home_dir);
147 BAIL_ON_PTR_ERROR(i->home_directory, wbc_status);
148 i->home_drive = strdup(resp->data.auth.info3.dir_drive);
149 BAIL_ON_PTR_ERROR(i->home_drive, wbc_status);
150
151 i->num_sids = 2;
152 i->num_sids += resp->data.auth.info3.num_groups;
153 i->num_sids += resp->data.auth.info3.num_other_sids;
154
155 i->sids = (struct wbcSidWithAttr *)calloc(
156 sizeof(struct wbcSidWithAttr), i->num_sids);
157 BAIL_ON_PTR_ERROR(i->sids, wbc_status);
158
159 wbc_status = wbcStringToSid(resp->data.auth.info3.dom_sid,
160 &domain_sid);
161 BAIL_ON_WBC_ERROR(wbc_status);
162
163 sn = 0;
164 if (!sid_attr_compose(&i->sids[sn], &domain_sid,
165 resp->data.auth.info3.user_rid, 0)) {
166 wbc_status = WBC_ERR_INVALID_SID;
167 goto done;
168 }
169 sn++;
170 if (!sid_attr_compose(&i->sids[sn], &domain_sid,
171 resp->data.auth.info3.group_rid, 0)) {
172 wbc_status = WBC_ERR_INVALID_SID;
173 goto done;
174 }
175 sn++;
176
177 p = (char *)resp->extra_data.data;
178 if (!p) {
179 wbc_status = WBC_ERR_INVALID_RESPONSE;
180 BAIL_ON_WBC_ERROR(wbc_status);
181 }
182
183 for (j=0; j < resp->data.auth.info3.num_groups; j++) {
184 uint32_t rid;
185 uint32_t attrs;
186 int ret;
187 char *s = p;
188 char *e = strchr(p, '\n');
189 if (!e) {
190 wbc_status = WBC_ERR_INVALID_RESPONSE;
191 BAIL_ON_WBC_ERROR(wbc_status);
192 }
193 e[0] = '\0';
194 p = &e[1];
195
196 ret = sscanf(s, "0x%08X:0x%08X", &rid, &attrs);
197 if (ret != 2) {
198 wbc_status = WBC_ERR_INVALID_RESPONSE;
199 BAIL_ON_WBC_ERROR(wbc_status);
200 }
201
202 if (!sid_attr_compose(&i->sids[sn], &domain_sid,
203 rid, attrs)) {
204 wbc_status = WBC_ERR_INVALID_SID;
205 goto done;
206 }
207 sn++;
208 }
209
210 for (j=0; j < resp->data.auth.info3.num_other_sids; j++) {
211 uint32_t attrs;
212 int ret;
213 char *s = p;
214 char *a;
215 char *e = strchr(p, '\n');
216 if (!e) {
217 wbc_status = WBC_ERR_INVALID_RESPONSE;
218 BAIL_ON_WBC_ERROR(wbc_status);
219 }
220 e[0] = '\0';
221 p = &e[1];
222
223 e = strchr(s, ':');
224 if (!e) {
225 wbc_status = WBC_ERR_INVALID_RESPONSE;
226 BAIL_ON_WBC_ERROR(wbc_status);
227 }
228 e[0] = '\0';
229 a = &e[1];
230
231 ret = sscanf(a, "0x%08X",
232 &attrs);
233 if (ret != 1) {
234 wbc_status = WBC_ERR_INVALID_RESPONSE;
235 BAIL_ON_WBC_ERROR(wbc_status);
236 }
237
238 wbc_status = wbcStringToSid(s, &i->sids[sn].sid);
239 BAIL_ON_WBC_ERROR(wbc_status);
240
241 i->sids[sn].attributes = attrs;
242 sn++;
243 }
244
245 i->num_sids = sn;
246
247 *_i = i;
248 i = NULL;
249 done:
250 wbcFreeMemory(i);
251 return wbc_status;
252 }
253
254 static void wbcAuthErrorInfoDestructor(void *ptr)
255 {
256 struct wbcAuthErrorInfo *e = (struct wbcAuthErrorInfo *)ptr;
257 free(e->nt_string);
258 free(e->display_string);
259 }
260
261 static wbcErr wbc_create_error_info(const struct winbindd_response *resp,
262 struct wbcAuthErrorInfo **_e)
263 {
264 wbcErr wbc_status = WBC_ERR_SUCCESS;
265 struct wbcAuthErrorInfo *e;
266
267 e = (struct wbcAuthErrorInfo *)wbcAllocateMemory(
268 1, sizeof(struct wbcAuthErrorInfo),
269 wbcAuthErrorInfoDestructor);
270 BAIL_ON_PTR_ERROR(e, wbc_status);
271
272 e->nt_status = resp->data.auth.nt_status;
273 e->pam_error = resp->data.auth.pam_error;
274 e->authoritative = resp->data.auth.authoritative;
275 e->nt_string = strdup(resp->data.auth.nt_status_string);
276 BAIL_ON_PTR_ERROR(e->nt_string, wbc_status);
277
278 e->display_string = strdup(resp->data.auth.error_string);
279 BAIL_ON_PTR_ERROR(e->display_string, wbc_status);
280
281 *_e = e;
282 e = NULL;
283
284 done:
285 wbcFreeMemory(e);
286 return wbc_status;
287 }
288
289 static wbcErr wbc_create_password_policy_info(const struct winbindd_response *resp,
290 struct wbcUserPasswordPolicyInfo **_i)
291 {
292 wbcErr wbc_status = WBC_ERR_SUCCESS;
293 struct wbcUserPasswordPolicyInfo *i;
294
295 i = (struct wbcUserPasswordPolicyInfo *)wbcAllocateMemory(
296 1, sizeof(struct wbcUserPasswordPolicyInfo), NULL);
297 BAIL_ON_PTR_ERROR(i, wbc_status);
298
299 i->min_passwordage = resp->data.auth.policy.min_passwordage;
300 i->min_length_password = resp->data.auth.policy.min_length_password;
301 i->password_history = resp->data.auth.policy.password_history;
302 i->password_properties = resp->data.auth.policy.password_properties;
303 i->expire = resp->data.auth.policy.expire;
304
305 *_i = i;
306 i = NULL;
307
308 done:
309 wbcFreeMemory(i);
310 return wbc_status;
311 }
312
313 static void wbcLogonUserInfoDestructor(void *ptr)
314 {
315 struct wbcLogonUserInfo *i = (struct wbcLogonUserInfo *)ptr;
316 wbcFreeMemory(i->info);
317 wbcFreeMemory(i->blobs);
318 }
319
320 static wbcErr wbc_create_logon_info(struct winbindd_response *resp,
321 struct wbcLogonUserInfo **_i)
322 {
323 wbcErr wbc_status = WBC_ERR_SUCCESS;
324 struct wbcLogonUserInfo *i;
325
326 i = (struct wbcLogonUserInfo *)wbcAllocateMemory(
327 1, sizeof(struct wbcLogonUserInfo),
328 wbcLogonUserInfoDestructor);
329 BAIL_ON_PTR_ERROR(i, wbc_status);
330
331 wbc_status = wbc_create_auth_info(resp, &i->info);
332 BAIL_ON_WBC_ERROR(wbc_status);
333
334 if (resp->data.auth.krb5ccname[0] != '\0') {
335 wbc_status = wbcAddNamedBlob(&i->num_blobs,
336 &i->blobs,
337 "krb5ccname",
338 0,
339 (uint8_t *)resp->data.auth.krb5ccname,
340 strlen(resp->data.auth.krb5ccname)+1);
341 BAIL_ON_WBC_ERROR(wbc_status);
342 }
343
344 if (resp->data.auth.unix_username[0] != '\0') {
345 wbc_status = wbcAddNamedBlob(&i->num_blobs,
346 &i->blobs,
347 "unix_username",
348 0,
349 (uint8_t *)resp->data.auth.unix_username,
350 strlen(resp->data.auth.unix_username)+1);
351 BAIL_ON_WBC_ERROR(wbc_status);
352 }
353
354 *_i = i;
355 i = NULL;
356 done:
357 wbcFreeMemory(i);
358 return wbc_status;
359 }
360
361
362 /* Authenticate with more detailed information */
363 _PUBLIC_
364 wbcErr wbcCtxAuthenticateUserEx(struct wbcContext *ctx,
365 const struct wbcAuthUserParams *params,
366 struct wbcAuthUserInfo **info,
367 struct wbcAuthErrorInfo **error)
368 {
369 wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
370 int cmd = 0;
371 struct winbindd_request request;
372 struct winbindd_response response;
373
374 ZERO_STRUCT(request);
375 ZERO_STRUCT(response);
376
377 if (error) {
378 *error = NULL;
379 }
380
381 if (!params) {
382 wbc_status = WBC_ERR_INVALID_PARAM;
383 BAIL_ON_WBC_ERROR(wbc_status);
384 }
385
386 if (params->level != WBC_AUTH_USER_LEVEL_PAC && !params->account_name) {
387 wbc_status = WBC_ERR_INVALID_PARAM;
388 BAIL_ON_WBC_ERROR(wbc_status);
389 }
390
391 /* Initialize request */
392
393 switch (params->level) {
394 case WBC_AUTH_USER_LEVEL_PLAIN:
395 cmd = WINBINDD_PAM_AUTH;
396 request.flags = WBFLAG_PAM_INFO3_TEXT |
397 WBFLAG_PAM_USER_SESSION_KEY |
398 WBFLAG_PAM_LMKEY;
399
400 if (!params->password.plaintext) {
401 wbc_status = WBC_ERR_INVALID_PARAM;
402 BAIL_ON_WBC_ERROR(wbc_status);
403 }
404
405 if (params->domain_name && params->domain_name[0]) {
406 /* We need to get the winbind separator :-( */
407 struct winbindd_response sep_response;
408
409 ZERO_STRUCT(sep_response);
410
411 wbc_status = wbcRequestResponse(ctx, WINBINDD_INFO,
412 NULL, &sep_response);
413 BAIL_ON_WBC_ERROR(wbc_status);
414
415 snprintf(request.data.auth.user,
416 sizeof(request.data.auth.user)-1,
417 "%s%c%s",
418 params->domain_name,
419 sep_response.data.info.winbind_separator,
420 params->account_name);
421 winbindd_free_response(&sep_response);
422 } else {
423 strncpy(request.data.auth.user,
424 params->account_name,
425 sizeof(request.data.auth.user)-1);
426 }
427
428 strncpy(request.data.auth.pass,
429 params->password.plaintext,
430 sizeof(request.data.auth.pass)-1);
431 break;
432
433 case WBC_AUTH_USER_LEVEL_HASH:
434 wbc_status = WBC_ERR_NOT_IMPLEMENTED;
435 BAIL_ON_WBC_ERROR(wbc_status);
436 break;
437
438 case WBC_AUTH_USER_LEVEL_RESPONSE:
439 cmd = WINBINDD_PAM_AUTH_CRAP;
440 request.flags = WBFLAG_PAM_INFO3_TEXT |
441 WBFLAG_PAM_USER_SESSION_KEY |
442 WBFLAG_PAM_LMKEY;
443
444 if (params->password.response.lm_length &&
445 !params->password.response.lm_data) {
446 wbc_status = WBC_ERR_INVALID_PARAM;
447 BAIL_ON_WBC_ERROR(wbc_status);
448 }
449 if (params->password.response.lm_length == 0 &&
450 params->password.response.lm_data) {
451 wbc_status = WBC_ERR_INVALID_PARAM;
452 BAIL_ON_WBC_ERROR(wbc_status);
453 }
454
455 if (params->password.response.nt_length &&
456 !params->password.response.nt_data) {
457 wbc_status = WBC_ERR_INVALID_PARAM;
458 BAIL_ON_WBC_ERROR(wbc_status);
459 }
460 if (params->password.response.nt_length == 0&&
461 params->password.response.nt_data) {
462 wbc_status = WBC_ERR_INVALID_PARAM;
463 BAIL_ON_WBC_ERROR(wbc_status);
464 }
465
466 strncpy(request.data.auth_crap.user,
467 params->account_name,
468 sizeof(request.data.auth_crap.user)-1);
469 if (params->domain_name) {
470 strncpy(request.data.auth_crap.domain,
471 params->domain_name,
472 sizeof(request.data.auth_crap.domain)-1);
473 }
474 if (params->workstation_name) {
475 strncpy(request.data.auth_crap.workstation,
476 params->workstation_name,
477 sizeof(request.data.auth_crap.workstation)-1);
478 }
479
480 request.data.auth_crap.logon_parameters =
481 params->parameter_control;
482
483 memcpy(request.data.auth_crap.chal,
484 params->password.response.challenge,
485 sizeof(request.data.auth_crap.chal));
486
487 request.data.auth_crap.lm_resp_len =
488 MIN(params->password.response.lm_length,
489 sizeof(request.data.auth_crap.lm_resp));
490 if (params->password.response.lm_data) {
491 memcpy(request.data.auth_crap.lm_resp,
492 params->password.response.lm_data,
493 request.data.auth_crap.lm_resp_len);
494 }
495 request.data.auth_crap.nt_resp_len = params->password.response.nt_length;
496 if (params->password.response.nt_length > sizeof(request.data.auth_crap.nt_resp)) {
497 request.flags |= WBFLAG_BIG_NTLMV2_BLOB;
498 request.extra_len = params->password.response.nt_length;
499 request.extra_data.data = (char *)malloc(
500 request.extra_len);
501 if (request.extra_data.data == NULL) {
502 wbc_status = WBC_ERR_NO_MEMORY;
503 BAIL_ON_WBC_ERROR(wbc_status);
504 }
505 memcpy(request.extra_data.data,
506 params->password.response.nt_data,
507 request.data.auth_crap.nt_resp_len);
508 } else if (params->password.response.nt_data) {
509 memcpy(request.data.auth_crap.nt_resp,
510 params->password.response.nt_data,
511 request.data.auth_crap.nt_resp_len);
512 }
513 break;
514
515 case WBC_AUTH_USER_LEVEL_PAC:
516 cmd = WINBINDD_PAM_AUTH_CRAP;
517 request.flags = WBFLAG_PAM_AUTH_PAC | WBFLAG_PAM_INFO3_TEXT;
518 request.extra_data.data = malloc(params->password.pac.length);
519 if (request.extra_data.data == NULL) {
520 wbc_status = WBC_ERR_NO_MEMORY;
521 BAIL_ON_WBC_ERROR(wbc_status);
522 }
523 memcpy(request.extra_data.data, params->password.pac.data,
524 params->password.pac.length);
525 request.extra_len = params->password.pac.length;
526 break;
527
528 default:
529 break;
530 }
531
532 if (cmd == 0) {
533 wbc_status = WBC_ERR_INVALID_PARAM;
534 BAIL_ON_WBC_ERROR(wbc_status);
535 }
536
537 if (params->flags) {
538 request.flags |= params->flags;
539 }
540
541 if (cmd == WINBINDD_PAM_AUTH_CRAP) {
542 wbc_status = wbcRequestResponsePriv(ctx, cmd,
543 &request, &response);
544 } else {
545 wbc_status = wbcRequestResponse(ctx, cmd,
546 &request, &response);
547 }
548 if (response.data.auth.nt_status != 0) {
549 if (error) {
550 wbc_status = wbc_create_error_info(&response,
551 error);
552 BAIL_ON_WBC_ERROR(wbc_status);
553 }
554
555 wbc_status = WBC_ERR_AUTH_ERROR;
556 BAIL_ON_WBC_ERROR(wbc_status);
557 }
558 BAIL_ON_WBC_ERROR(wbc_status);
559
560 if (info) {
561 wbc_status = wbc_create_auth_info(&response, info);
562 BAIL_ON_WBC_ERROR(wbc_status);
563 }
564
565 done:
566 winbindd_free_response(&response);
567
568 free(request.extra_data.data);
569
570 return wbc_status;
571 }
572
573 _PUBLIC_
574 wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params,
575 struct wbcAuthUserInfo **info,
576 struct wbcAuthErrorInfo **error)
577 {
578 return wbcCtxAuthenticateUserEx(NULL, params, info, error);
579 }
580
581 /* Trigger a verification of the trust credentials of a specific domain */
582 _PUBLIC_
583 wbcErr wbcCtxCheckTrustCredentials(struct wbcContext *ctx, const char *domain,
584 struct wbcAuthErrorInfo **error)
585 {
586 struct winbindd_request request;
587 struct winbindd_response response;
588 wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
589
590 ZERO_STRUCT(request);
591 ZERO_STRUCT(response);
592
593 if (domain) {
594 strncpy(request.domain_name, domain,
595 sizeof(request.domain_name)-1);
596 }
597
598 /* Send request */
599
600 wbc_status = wbcRequestResponsePriv(ctx, WINBINDD_CHECK_MACHACC,
601 &request, &response);
602 if (response.data.auth.nt_status != 0) {
603 if (error) {
604 wbc_status = wbc_create_error_info(&response,
605 error);
606 BAIL_ON_WBC_ERROR(wbc_status);
607 }
608
609 wbc_status = WBC_ERR_AUTH_ERROR;
610 BAIL_ON_WBC_ERROR(wbc_status);
611 }
612 BAIL_ON_WBC_ERROR(wbc_status);
613
614 done:
615 return wbc_status;
616 }
617
618 _PUBLIC_
619 wbcErr wbcCheckTrustCredentials(const char *domain,
620 struct wbcAuthErrorInfo **error)
621 {
622 return wbcCtxCheckTrustCredentials(NULL, domain, error);
623 }
624
625 /* Trigger a change of the trust credentials for a specific domain */
626 _PUBLIC_
627 wbcErr wbcCtxChangeTrustCredentialsAt(struct wbcContext *ctx,
628 const char *domain,
629 const char *dcname,
630 struct wbcAuthErrorInfo **error)
631 {
632 struct winbindd_request request;
633 struct winbindd_response response;
634 wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
635
636 ZERO_STRUCT(request);
637 ZERO_STRUCT(response);
638
639 if (domain) {
640 strncpy(request.domain_name, domain,
641 sizeof(request.domain_name)-1);
642 }
643
644 if (dcname != NULL) {
645 strncpy(request.data.init_conn.dcname, dcname,
646 sizeof(request.data.init_conn.dcname)-1);
647 }
648
649 /* Send request */
650
651 wbc_status = wbcRequestResponsePriv(ctx, WINBINDD_CHANGE_MACHACC,
652 &request, &response);
653 if (response.data.auth.nt_status != 0) {
654 if (error) {
655 wbc_status = wbc_create_error_info(&response,
656 error);
657 BAIL_ON_WBC_ERROR(wbc_status);
658 }
659
660 wbc_status = WBC_ERR_AUTH_ERROR;
661 BAIL_ON_WBC_ERROR(wbc_status);
662 }
663 BAIL_ON_WBC_ERROR(wbc_status);
664
665 done:
666 return wbc_status;
667 }
668
669 _PUBLIC_
670 wbcErr wbcChangeTrustCredentialsAt(const char *domain,
671 const char *dcname,
672 struct wbcAuthErrorInfo **error)
673 {
674 return wbcCtxChangeTrustCredentialsAt(NULL, domain, dcname, error);
675 }
676
677 _PUBLIC_
678 wbcErr wbcCtxChangeTrustCredentials(struct wbcContext *ctx,
679 const char *domain,
680 struct wbcAuthErrorInfo **error)
681 {
682 return wbcCtxChangeTrustCredentialsAt(ctx, domain, NULL, error);
683 }
684
685 _PUBLIC_
686 wbcErr wbcChangeTrustCredentials(const char *domain,
687 struct wbcAuthErrorInfo **error)
688 {
689 return wbcCtxChangeTrustCredentials(NULL, domain, error);
690 }
691
692 /*
693 * Trigger a no-op NETLOGON call. Lightweight version of
694 * wbcCheckTrustCredentials
695 */
696 _PUBLIC_
697 wbcErr wbcCtxPingDc(struct wbcContext *ctx, const char *domain,
698 struct wbcAuthErrorInfo **error)
699 {
700 return wbcCtxPingDc2(ctx, domain, error, NULL);
701 }
702
703 _PUBLIC_
704 wbcErr wbcPingDc(const char *domain, struct wbcAuthErrorInfo **error)
705 {
706 return wbcPingDc2(domain, error, NULL);
707 }
708
709 /*
710 * Trigger a no-op NETLOGON call. Lightweight version of
711 * wbcCheckTrustCredentials, optionally return attempted DC
712 */
713 _PUBLIC_
714 wbcErr wbcCtxPingDc2(struct wbcContext *ctx, const char *domain,
715 struct wbcAuthErrorInfo **error, char **dcname)
716 {
717 struct winbindd_request request;
718 struct winbindd_response response;
719 wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
720
721 ZERO_STRUCT(request);
722 ZERO_STRUCT(response);
723
724 if (domain) {
725 strncpy(request.domain_name, domain,
726 sizeof(request.domain_name)-1);
727 }
728
729 /* Send request */
730
731 wbc_status = wbcRequestResponse(ctx, WINBINDD_PING_DC,
732 &request,
733 &response);
734
735 if (dcname && response.extra_data.data) {
736 size_t len;
737
738 len = response.length - sizeof(struct winbindd_response);
739 *dcname = wbcAllocateMemory(1, len, NULL);
740 BAIL_ON_PTR_ERROR(*dcname, wbc_status);
741
742 strlcpy(*dcname, response.extra_data.data, len);
743 }
744
745 if (response.data.auth.nt_status != 0) {
746 if (error) {
747 wbc_status = wbc_create_error_info(&response,
748 error);
749 BAIL_ON_WBC_ERROR(wbc_status);
750 }
751
752 wbc_status = WBC_ERR_AUTH_ERROR;
753 BAIL_ON_WBC_ERROR(wbc_status);
754 }
755 BAIL_ON_WBC_ERROR(wbc_status);
756
757 done:
758 winbindd_free_response(&response);
759 return wbc_status;
760 }
761
762 _PUBLIC_
763 wbcErr wbcPingDc2(const char *domain, struct wbcAuthErrorInfo **error,
764 char **dcname)
765 {
766 return wbcCtxPingDc2(NULL, domain, error, dcname);
767 }
768
769 /* Trigger an extended logoff notification to Winbind for a specific user */
770 _PUBLIC_
771 wbcErr wbcCtxLogoffUserEx(struct wbcContext *ctx,
772 const struct wbcLogoffUserParams *params,
773 struct wbcAuthErrorInfo **error)
774 {
775 struct winbindd_request request;
776 struct winbindd_response response;
777 wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
778 size_t i;
779
780 /* validate input */
781
782 if (!params || !params->username) {
783 wbc_status = WBC_ERR_INVALID_PARAM;
784 BAIL_ON_WBC_ERROR(wbc_status);
785 }
786
787 if ((params->num_blobs > 0) && (params->blobs == NULL)) {
788 wbc_status = WBC_ERR_INVALID_PARAM;
789 BAIL_ON_WBC_ERROR(wbc_status);
790 }
791 if ((params->num_blobs == 0) && (params->blobs != NULL)) {
792 wbc_status = WBC_ERR_INVALID_PARAM;
793 BAIL_ON_WBC_ERROR(wbc_status);
794 }
795
796 ZERO_STRUCT(request);
797 ZERO_STRUCT(response);
798
799 strncpy(request.data.logoff.user, params->username,
800 sizeof(request.data.logoff.user)-1);
801
802 for (i=0; i<params->num_blobs; i++) {
803
804 if (strcasecmp(params->blobs[i].name, "ccfilename") == 0) {
805 if (params->blobs[i].blob.data) {
806 strncpy(request.data.logoff.krb5ccname,
807 (const char *)params->blobs[i].blob.data,
808 sizeof(request.data.logoff.krb5ccname) - 1);
809 }
810 continue;
811 }
812
813 if (strcasecmp(params->blobs[i].name, "user_uid") == 0) {
814 if (params->blobs[i].blob.data) {
815 memcpy(&request.data.logoff.uid,
816 params->blobs[i].blob.data,
817 MIN(params->blobs[i].blob.length,
818 sizeof(request.data.logoff.uid)));
819 }
820 continue;
821 }
822
823 if (strcasecmp(params->blobs[i].name, "flags") == 0) {
824 if (params->blobs[i].blob.data) {
825 memcpy(&request.flags,
826 params->blobs[i].blob.data,
827 MIN(params->blobs[i].blob.length,
828 sizeof(request.flags)));
829 }
830 continue;
831 }
832 }
833
834 /* Send request */
835
836 wbc_status = wbcRequestResponse(ctx, WINBINDD_PAM_LOGOFF,
837 &request,
838 &response);
839
840 /* Take the response above and return it to the caller */
841 if (response.data.auth.nt_status != 0) {
842 if (error) {
843 wbc_status = wbc_create_error_info(&response,
844 error);
845 BAIL_ON_WBC_ERROR(wbc_status);
846 }
847
848 wbc_status = WBC_ERR_AUTH_ERROR;
849 BAIL_ON_WBC_ERROR(wbc_status);
850 }
851 BAIL_ON_WBC_ERROR(wbc_status);
852
853 done:
854 return wbc_status;
855 }
856
857 _PUBLIC_
858 wbcErr wbcLogoffUserEx(const struct wbcLogoffUserParams *params,
859 struct wbcAuthErrorInfo **error)
860 {
861 return wbcCtxLogoffUserEx(NULL, params, error);
862 }
863
864 /* Trigger a logoff notification to Winbind for a specific user */
865 _PUBLIC_
866 wbcErr wbcCtxLogoffUser(struct wbcContext *ctx,
867 const char *username, uid_t uid,
868 const char *ccfilename)
869 {
870 struct winbindd_request request;
871 struct winbindd_response response;
872 wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
873
874 /* validate input */
875
876 if (!username) {
877 wbc_status = WBC_ERR_INVALID_PARAM;
878 BAIL_ON_WBC_ERROR(wbc_status);
879 }
880
881 ZERO_STRUCT(request);
882 ZERO_STRUCT(response);
883
884 strncpy(request.data.logoff.user, username,
885 sizeof(request.data.logoff.user)-1);
886 request.data.logoff.uid = uid;
887
888 if (ccfilename) {
889 strncpy(request.data.logoff.krb5ccname, ccfilename,
890 sizeof(request.data.logoff.krb5ccname)-1);
891 }
892
893 /* Send request */
894
895 wbc_status = wbcRequestResponse(ctx, WINBINDD_PAM_LOGOFF,
896 &request,
897 &response);
898
899 /* Take the response above and return it to the caller */
900
901 done:
902 return wbc_status;
903 }
904
905 _PUBLIC_
906 wbcErr wbcLogoffUser(const char *username,
907 uid_t uid,
908 const char *ccfilename)
909 {
910 return wbcCtxLogoffUser(NULL, username, uid, ccfilename);
911 }
912
913 /* Change a password for a user with more detailed information upon failure */
914 _PUBLIC_
915 wbcErr wbcCtxChangeUserPasswordEx(struct wbcContext *ctx,
916 const struct wbcChangePasswordParams *params,
917 struct wbcAuthErrorInfo **error,
918 enum wbcPasswordChangeRejectReason *reject_reason,
919 struct wbcUserPasswordPolicyInfo **policy)
920 {
921 struct winbindd_request request;
922 struct winbindd_response response;
923 wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
924 int cmd = 0;
925
926 /* validate input */
927
928 if (!params->account_name) {
929 wbc_status = WBC_ERR_INVALID_PARAM;
930 goto done;
931 }
932
933 if (error) {
934 *error = NULL;
935 }
936
937 if (policy) {
938 *policy = NULL;
939 }
940
941 if (reject_reason) {
942 *reject_reason = -1;
943 }
944
945 ZERO_STRUCT(request);
946 ZERO_STRUCT(response);
947
948 switch (params->level) {
949 case WBC_CHANGE_PASSWORD_LEVEL_PLAIN:
950 cmd = WINBINDD_PAM_CHAUTHTOK;
951
952 if (!params->account_name) {
953 wbc_status = WBC_ERR_INVALID_PARAM;
954 goto done;
955 }
956
957 strncpy(request.data.chauthtok.user, params->account_name,
958 sizeof(request.data.chauthtok.user) - 1);
959
960 if (params->old_password.plaintext) {
961 strncpy(request.data.chauthtok.oldpass,
962 params->old_password.plaintext,
963 sizeof(request.data.chauthtok.oldpass) - 1);
964 }
965
966 if (params->new_password.plaintext) {
967 strncpy(request.data.chauthtok.newpass,
968 params->new_password.plaintext,
969 sizeof(request.data.chauthtok.newpass) - 1);
970 }
971 break;
972
973 case WBC_CHANGE_PASSWORD_LEVEL_RESPONSE:
974 cmd = WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP;
975
976 if (!params->account_name || !params->domain_name) {
977 wbc_status = WBC_ERR_INVALID_PARAM;
978 goto done;
979 }
980
981 if (params->old_password.response.old_lm_hash_enc_length &&
982 !params->old_password.response.old_lm_hash_enc_data) {
983 wbc_status = WBC_ERR_INVALID_PARAM;
984 goto done;
985 }
986
987 if (params->old_password.response.old_lm_hash_enc_length == 0 &&
988 params->old_password.response.old_lm_hash_enc_data) {
989 wbc_status = WBC_ERR_INVALID_PARAM;
990 goto done;
991 }
992
993 if (params->old_password.response.old_nt_hash_enc_length &&
994 !params->old_password.response.old_nt_hash_enc_data) {
995 wbc_status = WBC_ERR_INVALID_PARAM;
996 goto done;
997 }
998
999 if (params->old_password.response.old_nt_hash_enc_length == 0 &&
1000 params->old_password.response.old_nt_hash_enc_data) {
1001 wbc_status = WBC_ERR_INVALID_PARAM;
1002 goto done;
1003 }
1004
1005 if (params->new_password.response.lm_length &&
1006 !params->new_password.response.lm_data) {
1007 wbc_status = WBC_ERR_INVALID_PARAM;
1008 goto done;
1009 }
1010
1011 if (params->new_password.response.lm_length == 0 &&
1012 params->new_password.response.lm_data) {
1013 wbc_status = WBC_ERR_INVALID_PARAM;
1014 goto done;
1015 }
1016
1017 if (params->new_password.response.nt_length &&
1018 !params->new_password.response.nt_data) {
1019 wbc_status = WBC_ERR_INVALID_PARAM;
1020 goto done;
1021 }
1022
1023 if (params->new_password.response.nt_length == 0 &&
1024 params->new_password.response.nt_data) {
1025 wbc_status = WBC_ERR_INVALID_PARAM;
1026 goto done;
1027 }
1028
1029 strncpy(request.data.chng_pswd_auth_crap.user,
1030 params->account_name,
1031 sizeof(request.data.chng_pswd_auth_crap.user) - 1);
1032
1033 strncpy(request.data.chng_pswd_auth_crap.domain,
1034 params->domain_name,
1035 sizeof(request.data.chng_pswd_auth_crap.domain) - 1);
1036
1037 if (params->new_password.response.nt_data) {
1038 request.data.chng_pswd_auth_crap.new_nt_pswd_len =
1039 params->new_password.response.nt_length;
1040 memcpy(request.data.chng_pswd_auth_crap.new_nt_pswd,
1041 params->new_password.response.nt_data,
1042 request.data.chng_pswd_auth_crap.new_nt_pswd_len);
1043 }
1044
1045 if (params->new_password.response.lm_data) {
1046 request.data.chng_pswd_auth_crap.new_lm_pswd_len =
1047 params->new_password.response.lm_length;
1048 memcpy(request.data.chng_pswd_auth_crap.new_lm_pswd,
1049 params->new_password.response.lm_data,
1050 request.data.chng_pswd_auth_crap.new_lm_pswd_len);
1051 }
1052
1053 if (params->old_password.response.old_nt_hash_enc_data) {
1054 request.data.chng_pswd_auth_crap.old_nt_hash_enc_len =
1055 params->old_password.response.old_nt_hash_enc_length;
1056 memcpy(request.data.chng_pswd_auth_crap.old_nt_hash_enc,
1057 params->old_password.response.old_nt_hash_enc_data,
1058 request.data.chng_pswd_auth_crap.old_nt_hash_enc_len);
1059 }
1060
1061 if (params->old_password.response.old_lm_hash_enc_data) {
1062 request.data.chng_pswd_auth_crap.old_lm_hash_enc_len =
1063 params->old_password.response.old_lm_hash_enc_length;
1064 memcpy(request.data.chng_pswd_auth_crap.old_lm_hash_enc,
1065 params->old_password.response.old_lm_hash_enc_data,
1066 request.data.chng_pswd_auth_crap.old_lm_hash_enc_len);
1067 }
1068
1069 break;
1070 default:
1071 wbc_status = WBC_ERR_INVALID_PARAM;
1072 goto done;
1073 break;
1074 }
1075
1076 /* Send request */
1077
1078 wbc_status = wbcRequestResponse(ctx, cmd,
1079 &request,
1080 &response);
1081 if (WBC_ERROR_IS_OK(wbc_status)) {
1082 goto done;
1083 }
1084
1085 /* Take the response above and return it to the caller */
1086
1087 if (response.data.auth.nt_status != 0) {
1088 if (error) {
1089 wbc_status = wbc_create_error_info(&response,
1090 error);
1091 BAIL_ON_WBC_ERROR(wbc_status);
1092 }
1093
1094 }
1095
1096 if (policy) {
1097 wbc_status = wbc_create_password_policy_info(&response,
1098 policy);
1099 BAIL_ON_WBC_ERROR(wbc_status);
1100 }
1101
1102 if (reject_reason) {
1103 *reject_reason = response.data.auth.reject_reason;
1104 }
1105
1106 wbc_status = WBC_ERR_PWD_CHANGE_FAILED;
1107 BAIL_ON_WBC_ERROR(wbc_status);
1108
1109 done:
1110 return wbc_status;
1111 }
1112
1113 _PUBLIC_
1114 wbcErr wbcChangeUserPasswordEx(const struct wbcChangePasswordParams *params,
1115 struct wbcAuthErrorInfo **error,
1116 enum wbcPasswordChangeRejectReason *reject_reason,
1117 struct wbcUserPasswordPolicyInfo **policy)
1118 {
1119 return wbcCtxChangeUserPasswordEx(NULL, params, error,
1120 reject_reason, policy);
1121 }
1122
1123 /* Change a password for a user */
1124 _PUBLIC_
1125 wbcErr wbcCtxChangeUserPassword(struct wbcContext *ctx,
1126 const char *username,
1127 const char *old_password,
1128 const char *new_password)
1129 {
1130 wbcErr wbc_status = WBC_ERR_SUCCESS;
1131 struct wbcChangePasswordParams params;
1132
1133 ZERO_STRUCT(params);
1134
1135 params.account_name = username;
1136 params.level = WBC_CHANGE_PASSWORD_LEVEL_PLAIN;
1137 params.old_password.plaintext = old_password;
1138 params.new_password.plaintext = new_password;
1139
1140 wbc_status = wbcCtxChangeUserPasswordEx(ctx, &params,
1141 NULL,
1142 NULL,
1143 NULL);
1144 BAIL_ON_WBC_ERROR(wbc_status);
1145
1146 done:
1147 return wbc_status;
1148 }
1149
1150 _PUBLIC_
1151 wbcErr wbcChangeUserPassword(const char *username,
1152 const char *old_password,
1153 const char *new_password)
1154 {
1155 return wbcCtxChangeUserPassword(NULL, username,
1156 old_password, new_password);
1157 }
1158
1159 /* Logon a User */
1160 _PUBLIC_
1161 wbcErr wbcCtxLogonUser(struct wbcContext *ctx,
1162 const struct wbcLogonUserParams *params,
1163 struct wbcLogonUserInfo **info,
1164 struct wbcAuthErrorInfo **error,
1165 struct wbcUserPasswordPolicyInfo **policy)
1166 {
1167 wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
1168 struct winbindd_request request;
1169 struct winbindd_response response;
1170 uint32_t i;
1171
1172 ZERO_STRUCT(request);
1173 ZERO_STRUCT(response);
1174
1175 if (info) {
1176 *info = NULL;
1177 }
1178 if (error) {
1179 *error = NULL;
1180 }
1181 if (policy) {
1182 *policy = NULL;
1183 }
1184
1185 if (!params) {
1186 wbc_status = WBC_ERR_INVALID_PARAM;
1187 BAIL_ON_WBC_ERROR(wbc_status);
1188 }
1189
1190 if (!params->username) {
1191 wbc_status = WBC_ERR_INVALID_PARAM;
1192 BAIL_ON_WBC_ERROR(wbc_status);
1193 }
1194
1195 if ((params->num_blobs > 0) && (params->blobs == NULL)) {
1196 wbc_status = WBC_ERR_INVALID_PARAM;
1197 BAIL_ON_WBC_ERROR(wbc_status);
1198 }
1199 if ((params->num_blobs == 0) && (params->blobs != NULL)) {
1200 wbc_status = WBC_ERR_INVALID_PARAM;
1201 BAIL_ON_WBC_ERROR(wbc_status);
1202 }
1203
1204 /* Initialize request */
1205
1206 request.flags = WBFLAG_PAM_INFO3_TEXT |
1207 WBFLAG_PAM_USER_SESSION_KEY |
1208 WBFLAG_PAM_LMKEY;
1209
1210 if (!params->password) {
1211 wbc_status = WBC_ERR_INVALID_PARAM;
1212 BAIL_ON_WBC_ERROR(wbc_status);
1213 }
1214
1215 strncpy(request.data.auth.user,
1216 params->username,
1217 sizeof(request.data.auth.user)-1);
1218
1219 strncpy(request.data.auth.pass,
1220 params->password,
1221 sizeof(request.data.auth.pass)-1);
1222
1223 for (i=0; i<params->num_blobs; i++) {
1224
1225 if (strcasecmp(params->blobs[i].name, "krb5_cc_type") == 0) {
1226 if (params->blobs[i].blob.data) {
1227 strncpy(request.data.auth.krb5_cc_type,
1228 (const char *)params->blobs[i].blob.data,
1229 sizeof(request.data.auth.krb5_cc_type) - 1);
1230 }
1231 continue;
1232 }
1233
1234 if (strcasecmp(params->blobs[i].name, "user_uid") == 0) {
1235 if (params->blobs[i].blob.data) {
1236 memcpy(&request.data.auth.uid,
1237 params->blobs[i].blob.data,
1238 MIN(sizeof(request.data.auth.uid),
1239 params->blobs[i].blob.length));
1240 }
1241 continue;
1242 }
1243
1244 if (strcasecmp(params->blobs[i].name, "flags") == 0) {
1245 if (params->blobs[i].blob.data) {
1246 uint32_t flags;
1247 memcpy(&flags,
1248 params->blobs[i].blob.data,
1249 MIN(sizeof(flags),
1250 params->blobs[i].blob.length));
1251 request.flags |= flags;
1252 }
1253 continue;
1254 }
1255
1256 if (strcasecmp(params->blobs[i].name, "membership_of") == 0) {
1257 if (params->blobs[i].blob.data &&
1258 params->blobs[i].blob.data[0] > 0) {
1259 strncpy(request.data.auth.require_membership_of_sid,
1260 (const char *)params->blobs[i].blob.data,
1261 sizeof(request.data.auth.require_membership_of_sid) - 1);
1262 }
1263 continue;
1264 }
1265 }
1266
1267 wbc_status = wbcRequestResponse(ctx, WINBINDD_PAM_AUTH,
1268 &request,
1269 &response);
1270
1271 if (response.data.auth.nt_status != 0) {
1272 if (error) {
1273 wbc_status = wbc_create_error_info(&response,
1274 error);
1275 BAIL_ON_WBC_ERROR(wbc_status);
1276 }
1277
1278 wbc_status = WBC_ERR_AUTH_ERROR;
1279 BAIL_ON_WBC_ERROR(wbc_status);
1280 }
1281 BAIL_ON_WBC_ERROR(wbc_status);
1282
1283 if (info) {
1284 wbc_status = wbc_create_logon_info(&response,
1285 info);
1286 BAIL_ON_WBC_ERROR(wbc_status);
1287 }
1288
1289 if (policy) {
1290 wbc_status = wbc_create_password_policy_info(&response,
1291 policy);
1292 BAIL_ON_WBC_ERROR(wbc_status);
1293 }
1294
1295 done:
1296 winbindd_free_response(&response);
1297
1298 return wbc_status;
1299 }
1300
1301 _PUBLIC_
1302 wbcErr wbcLogonUser(const struct wbcLogonUserParams *params,
1303 struct wbcLogonUserInfo **info,
1304 struct wbcAuthErrorInfo **error,
1305 struct wbcUserPasswordPolicyInfo **policy)
1306 {
1307 return wbcCtxLogonUser(NULL, params, info, error, policy);
1308 }
1309
1310 static void wbcCredentialCacheInfoDestructor(void *ptr)
1311 {
1312 struct wbcCredentialCacheInfo *i =
1313 (struct wbcCredentialCacheInfo *)ptr;
1314 wbcFreeMemory(i->blobs);
1315 }
1316
1317 /* Authenticate a user with cached credentials */
1318 _PUBLIC_
1319 wbcErr wbcCtxCredentialCache(struct wbcContext *ctx,
1320 struct wbcCredentialCacheParams *params,
1321 struct wbcCredentialCacheInfo **info,
1322 struct wbcAuthErrorInfo **error)
1323 {
1324 wbcErr status = WBC_ERR_UNKNOWN_FAILURE;
1325 struct wbcCredentialCacheInfo *result = NULL;
1326 struct winbindd_request request;
1327 struct winbindd_response response;
1328 struct wbcNamedBlob *initial_blob = NULL;
1329 struct wbcNamedBlob *challenge_blob = NULL;
1330 size_t i;
1331
1332 ZERO_STRUCT(request);
1333 ZERO_STRUCT(response);
1334
1335 *info = NULL;
1336
1337 if (error != NULL) {
1338 *error = NULL;
1339 }
1340 if ((params == NULL)
1341 || (params->account_name == NULL)
1342 || (params->level != WBC_CREDENTIAL_CACHE_LEVEL_NTLMSSP)) {
1343 status = WBC_ERR_INVALID_PARAM;
1344 goto fail;
1345 }
1346
1347 for (i=0; i<params->num_blobs; i++) {
1348 /*
1349 * Older callers used to provide the NEGOTIATE request
1350 * as "initial_blob", but it was completely ignored by winbindd.
1351 *
1352 * So we keep ignoring it.
1353 *
1354 * A new callers that is capable to support "new_spnego",
1355 * will provide the NEGOTIATE request as "negotiate_blob"
1356 * instead.
1357 */
1358 if (strcasecmp(params->blobs[i].name, "negotiate_blob") == 0) {
1359 if (initial_blob != NULL) {
1360 status = WBC_ERR_INVALID_PARAM;
1361 goto fail;
1362 }
1363 initial_blob = &params->blobs[i];
1364 continue;
1365 }
1366 if (strcasecmp(params->blobs[i].name, "challenge_blob") == 0) {
1367 if (challenge_blob != NULL) {
1368 status = WBC_ERR_INVALID_PARAM;
1369 goto fail;
1370 }
1371 challenge_blob = &params->blobs[i];
1372 continue;
1373 }
1374 }
1375
1376 if (params->domain_name != NULL) {
1377 status = wbcRequestResponse(ctx, WINBINDD_INFO,
1378 NULL, &response);
1379 if (!WBC_ERROR_IS_OK(status)) {
1380 goto fail;
1381 }
1382 snprintf(request.data.ccache_ntlm_auth.user,
1383 sizeof(request.data.ccache_ntlm_auth.user)-1,
1384 "%s%c%s", params->domain_name,
1385 response.data.info.winbind_separator,
1386 params->account_name);
1387 } else {
1388 strncpy(request.data.ccache_ntlm_auth.user,
1389 params->account_name,
1390 sizeof(request.data.ccache_ntlm_auth.user)-1);
1391 }
1392 request.data.ccache_ntlm_auth.uid = getuid();
1393
1394 request.data.ccache_ntlm_auth.initial_blob_len = 0;
1395 request.data.ccache_ntlm_auth.challenge_blob_len = 0;
1396 request.extra_len = 0;
1397
1398 if (initial_blob != NULL) {
1399 request.data.ccache_ntlm_auth.initial_blob_len =
1400 initial_blob->blob.length;
1401 request.extra_len += initial_blob->blob.length;
1402 }
1403 if (challenge_blob != NULL) {
1404 request.data.ccache_ntlm_auth.challenge_blob_len =
1405 challenge_blob->blob.length;
1406 request.extra_len += challenge_blob->blob.length;
1407 }
1408
1409 if (request.extra_len != 0) {
1410 request.extra_data.data = (char *)malloc(request.extra_len);
1411 if (request.extra_data.data == NULL) {
1412 status = WBC_ERR_NO_MEMORY;
1413 goto fail;
1414 }
1415 }
1416 if (initial_blob != NULL) {
1417 memcpy(request.extra_data.data,
1418 initial_blob->blob.data, initial_blob->blob.length);
1419 }
1420 if (challenge_blob != NULL) {
1421 memcpy(request.extra_data.data
1422 + request.data.ccache_ntlm_auth.initial_blob_len,
1423 challenge_blob->blob.data,
1424 challenge_blob->blob.length);
1425 }
1426
1427 status = wbcRequestResponse(ctx, WINBINDD_CCACHE_NTLMAUTH,
1428 &request, &response);
1429 if (!WBC_ERROR_IS_OK(status)) {
1430 goto fail;
1431 }
1432
1433 result = (struct wbcCredentialCacheInfo *)wbcAllocateMemory(
1434 1, sizeof(struct wbcCredentialCacheInfo),
1435 wbcCredentialCacheInfoDestructor);
1436 if (result == NULL) {
1437 status = WBC_ERR_NO_MEMORY;
1438 goto fail;
1439 }
1440 result->num_blobs = 0;
1441 result->blobs = NULL;
1442 status = wbcAddNamedBlob(&result->num_blobs, &result->blobs,
1443 "auth_blob", 0,
1444 (uint8_t *)response.extra_data.data,
1445 response.data.ccache_ntlm_auth.auth_blob_len);
1446 if (!WBC_ERROR_IS_OK(status)) {
1447 goto fail;
1448 }
1449 status = wbcAddNamedBlob(
1450 &result->num_blobs, &result->blobs, "session_key", 0,
1451 response.data.ccache_ntlm_auth.session_key,
1452 sizeof(response.data.ccache_ntlm_auth.session_key));
1453 if (!WBC_ERROR_IS_OK(status)) {
1454 goto fail;
1455 }
1456 if (response.data.ccache_ntlm_auth.new_spnego) {
1457 status = wbcAddNamedBlob(
1458 &result->num_blobs, &result->blobs, "new_spnego", 0,
1459 &response.data.ccache_ntlm_auth.new_spnego,
1460 sizeof(response.data.ccache_ntlm_auth.new_spnego));
1461 if (!WBC_ERROR_IS_OK(status)) {
1462 goto fail;
1463 }
1464 }
1465
1466 *info = result;
1467 result = NULL;
1468 status = WBC_ERR_SUCCESS;
1469 fail:
1470 free(request.extra_data.data);
1471 winbindd_free_response(&response);
1472 wbcFreeMemory(result);
1473 return status;
1474 }
1475
1476 _PUBLIC_
1477 wbcErr wbcCredentialCache(struct wbcCredentialCacheParams *params,
1478 struct wbcCredentialCacheInfo **info,
1479 struct wbcAuthErrorInfo **error)
1480 {
1481 return wbcCtxCredentialCache(NULL, params, info, error);
1482 }
1483
1484 /* Authenticate a user with cached credentials */
1485 _PUBLIC_
1486 wbcErr wbcCtxCredentialSave(struct wbcContext *ctx,
1487 const char *user, const char *password)
1488 {
1489 struct winbindd_request request;
1490 struct winbindd_response response;
1491
1492 ZERO_STRUCT(request);
1493 ZERO_STRUCT(response);
1494
1495 strncpy(request.data.ccache_save.user, user,
1496 sizeof(request.data.ccache_save.user)-1);
1497 strncpy(request.data.ccache_save.pass, password,
1498 sizeof(request.data.ccache_save.pass)-1);
1499 request.data.ccache_save.uid = getuid();
1500
1501 return wbcRequestResponse(ctx, WINBINDD_CCACHE_SAVE, &request, &response);
1502 }
1503
1504 _PUBLIC_
1505 wbcErr wbcCredentialSave(const char *user, const char *password)
1506 {
1507 return wbcCtxCredentialSave(NULL, user, password);
1508 }
GSS-enabled samba4