search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-scripts: Move connection tracking to 10.interface
[samba4-gss.git] / source4 / auth / ntlm / auth_sam.c
blobe3eef793cd135a0b043fde1a38dd93d795e55037
1 /*
2 Unix SMB/CIFS implementation.
3 Password and authentication handling
4 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2009
5 Copyright (C) Gerald Carter 2003
6 Copyright (C) Stefan Metzmacher 2005-2010
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "system/time.h"
24 #include <ldb.h>
25 #include "libcli/ldap/ldap_ndr.h"
26 #include "libcli/security/security.h"
27 #include "auth/auth.h"
28 #include "../libcli/auth/ntlm_check.h"
29 #include "auth/ntlm/auth_proto.h"
30 #include "auth/auth_sam.h"
31 #include "dsdb/gmsa/util.h"
32 #include "dsdb/samdb/samdb.h"
33 #include "dsdb/samdb/ldb_modules/util.h"
34 #include "dsdb/common/util.h"
35 #include "param/param.h"
36 #include "librpc/gen_ndr/ndr_irpc_c.h"
37 #include "librpc/gen_ndr/ndr_winbind_c.h"
38 #include "lib/crypto/gkdi.h"
39 #include "lib/messaging/irpc.h"
40 #include "libcli/auth/libcli_auth.h"
41 #include "libds/common/roles.h"
42 #include "lib/util/tevent_ntstatus.h"
43 #include "system/kerberos.h"
44 #include "auth/kerberos/kerberos.h"
45 #include "kdc/authn_policy_util.h"
46 #include "kdc/db-glue.h"
47
48 #undef DBGC_CLASS
49 #define DBGC_CLASS DBGC_AUTH
50
51 NTSTATUS auth_sam_init(void);
52
53 extern const char *user_attrs[];
54 extern const char *domain_ref_attrs[];
55
56 /****************************************************************************
57 Do a specific test for an smb password being correct, given a smb_password and
58 the lanman and NT responses.
59 ****************************************************************************/
60 static NTSTATUS authsam_password_ok(struct auth4_context *auth_context,
61 TALLOC_CTX *mem_ctx,
62 const struct samr_Password *nt_pwd,
63 struct smb_krb5_context *smb_krb5_context,
64 const DATA_BLOB *stored_aes_256_key,
65 const krb5_data *salt,
66 const struct auth_usersupplied_info *user_info,
67 DATA_BLOB *user_sess_key,
68 DATA_BLOB *lm_sess_key)
69 {
70 NTSTATUS status;
71
72 switch (user_info->password_state) {
73 case AUTH_PASSWORD_PLAIN:
74 {
75 const struct auth_usersupplied_info *user_info_temp;
76
77 if (nt_pwd == NULL && stored_aes_256_key != NULL && user_info->password.plaintext != NULL) {
78 bool pw_equal;
79 int krb5_ret;
80 DATA_BLOB supplied_aes_256_key;
81 krb5_keyblock key;
82 krb5_data cleartext_data = {
83 .data = user_info->password.plaintext,
84 .length = strlen(user_info->password.plaintext)
85 };
86
87 *lm_sess_key = data_blob_null;
88 *user_sess_key = data_blob_null;
89
90 krb5_ret = smb_krb5_create_key_from_string(smb_krb5_context->krb5_context,
91 NULL,
92 salt,
93 &cleartext_data,
94 ENCTYPE_AES256_CTS_HMAC_SHA1_96,
95 &key);
96 if (krb5_ret) {
97 DBG_ERR("generation of a aes256-cts-hmac-sha1-96 key for password comparison failed: %s\n",
98 smb_get_krb5_error_message(smb_krb5_context->krb5_context,
99 krb5_ret, mem_ctx));
100 return NT_STATUS_INTERNAL_ERROR;
101 }
102
103 supplied_aes_256_key = data_blob_const(KRB5_KEY_DATA(&key),
104 KRB5_KEY_LENGTH(&key));
105
106 pw_equal = data_blob_equal_const_time(&supplied_aes_256_key,
107 stored_aes_256_key);
108
109 krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &key);
110 if (!pw_equal) {
111 return NT_STATUS_WRONG_PASSWORD;
112 }
113 return NT_STATUS_OK;
114 }
115
116 status = encrypt_user_info(mem_ctx, auth_context,
117 AUTH_PASSWORD_HASH,
118 user_info, &user_info_temp);
119 if (!NT_STATUS_IS_OK(status)) {
120 DEBUG(1, ("Failed to convert plaintext password to password HASH: %s\n", nt_errstr(status)));
121 return status;
122 }
123 user_info = user_info_temp;
124
125 FALL_THROUGH;
126 }
127 case AUTH_PASSWORD_HASH:
128 *lm_sess_key = data_blob(NULL, 0);
129 *user_sess_key = data_blob(NULL, 0);
130 status = hash_password_check(mem_ctx,
131 false,
132 lpcfg_ntlm_auth(auth_context->lp_ctx),
133 NULL,
134 user_info->password.hash.nt,
135 user_info->mapped.account_name,
136 NULL, nt_pwd);
137 NT_STATUS_NOT_OK_RETURN(status);
138 break;
139
140 case AUTH_PASSWORD_RESPONSE:
141 status = ntlm_password_check(mem_ctx,
142 false,
143 lpcfg_ntlm_auth(auth_context->lp_ctx),
144 user_info->logon_parameters,
145 &auth_context->challenge.data,
146 &user_info->password.response.lanman,
147 &user_info->password.response.nt,
148 user_info->mapped.account_name,
149 user_info->client.account_name,
150 user_info->client.domain_name,
151 NULL, nt_pwd,
152 user_sess_key, lm_sess_key);
153 NT_STATUS_NOT_OK_RETURN(status);
154 break;
155 }
156
157 return NT_STATUS_OK;
158 }
159
160 static void auth_sam_trigger_zero_password(TALLOC_CTX *mem_ctx,
161 struct imessaging_context *msg_ctx,
162 struct tevent_context *event_ctx,
163 struct netr_SendToSamBase *send_to_sam)
164 {
165 struct dcerpc_binding_handle *irpc_handle;
166 struct winbind_SendToSam r;
167 struct tevent_req *req;
168 TALLOC_CTX *tmp_ctx;
169
170 tmp_ctx = talloc_new(mem_ctx);
171 if (tmp_ctx == NULL) {
172 return;
173 }
174
175 irpc_handle = irpc_binding_handle_by_name(tmp_ctx, msg_ctx,
176 "winbind_server",
177 &ndr_table_winbind);
178 if (irpc_handle == NULL) {
179 DEBUG(1,(__location__ ": Unable to get binding handle for winbind\n"));
180 TALLOC_FREE(tmp_ctx);
181 return;
182 }
183
184 r.in.message = *send_to_sam;
185
186 /*
187 * This seem to rely on the current IRPC implementation,
188 * which delivers the message in the _send function.
189 *
190 * TODO: we need a ONE_WAY IRPC handle and register
191 * a callback and wait for it to be triggered!
192 */
193 req = dcerpc_winbind_SendToSam_r_send(tmp_ctx,
194 event_ctx,
195 irpc_handle,
196 &r);
197
198 /* we aren't interested in a reply */
199 talloc_free(req);
200 TALLOC_FREE(tmp_ctx);
201
202 }
203
204 /*
205 send a message to the drepl server telling it to initiate a
206 REPL_SECRET getncchanges extended op to fetch the users secrets
207 */
208 static void auth_sam_trigger_repl_secret(TALLOC_CTX *mem_ctx,
209 struct imessaging_context *msg_ctx,
210 struct tevent_context *event_ctx,
211 struct ldb_dn *user_dn)
212 {
213 struct dcerpc_binding_handle *irpc_handle;
214 struct drepl_trigger_repl_secret r;
215 struct tevent_req *req;
216 TALLOC_CTX *tmp_ctx;
217
218 tmp_ctx = talloc_new(mem_ctx);
219 if (tmp_ctx == NULL) {
220 return;
221 }
222
223 irpc_handle = irpc_binding_handle_by_name(tmp_ctx, msg_ctx,
224 "dreplsrv",
225 &ndr_table_irpc);
226 if (irpc_handle == NULL) {
227 DEBUG(1,(__location__ ": Unable to get binding handle for dreplsrv\n"));
228 TALLOC_FREE(tmp_ctx);
229 return;
230 }
231
232 r.in.user_dn = ldb_dn_get_linearized(user_dn);
233
234 /*
235 * This seem to rely on the current IRPC implementation,
236 * which delivers the message in the _send function.
237 *
238 * TODO: we need a ONE_WAY IRPC handle and register
239 * a callback and wait for it to be triggered!
240 */
241 req = dcerpc_drepl_trigger_repl_secret_r_send(tmp_ctx,
242 event_ctx,
243 irpc_handle,
244 &r);
245
246 /* we aren't interested in a reply */
247 talloc_free(req);
248 TALLOC_FREE(tmp_ctx);
249 }
250
251 static const struct samr_Password *hide_invalid_nthash(const struct samr_Password *in)
252 {
253 /*
254 * This is the result of:
255 *
256 * E_md4hash("", zero_string_hash.hash);
257 */
258 static const struct samr_Password zero_string_hash = {
259 .hash = {
260 0x31, 0xd6, 0xcf, 0xe0, 0xd1, 0x6a, 0xe9, 0x31,
261 0xb7, 0x3c, 0x59, 0xd7, 0xe0, 0xc0, 0x89, 0xc0,
262 }
263 };
264
265 if (in == NULL) {
266 return NULL;
267 }
268
269 /*
270 * Skip over any all-zero hashes in the history. No known software
271 * stores these but just to be sure
272 */
273 if (all_zero(in->hash, sizeof(in->hash))) {
274 return NULL;
275 }
276
277 /*
278 * This looks odd, but the password_hash module in the past has written
279 * this in the rare situation where (somehow) we didn't have an old NT
280 * hash (one of the old LM-only set paths)
281 *
282 * mem_equal_const_time() is used to avoid a timing attack
283 * when comparing secret data in the server with this constant
284 * value.
285 */
286 if (mem_equal_const_time(in->hash, zero_string_hash.hash, 16)) {
287 in = NULL;
288 }
289
290 return in;
291 }
292
293 /*
294 * Check that a password is OK, and update badPwdCount if required.
295 */
296
297 static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_context,
298 TALLOC_CTX *mem_ctx,
299 struct ldb_dn *domain_dn,
300 struct ldb_message *msg,
301 const struct auth_usersupplied_info *user_info,
302 DATA_BLOB *user_sess_key,
303 DATA_BLOB *lm_sess_key,
304 bool *authoritative)
305 {
306 NTSTATUS nt_status;
307 NTSTATUS auth_status;
308 TALLOC_CTX *tmp_ctx;
309 int i, ret;
310 int history_len = 0;
311 struct ldb_context *sam_ctx = auth_context->sam_ctx;
312 const char * const attrs[] = { "pwdHistoryLength", NULL };
313 struct ldb_message *dom_msg;
314 struct samr_Password *nt_pwd;
315 DATA_BLOB _aes_256_key = data_blob_null;
316 DATA_BLOB *aes_256_key = NULL;
317 krb5_data _salt = { .data = NULL, .length = 0 };
318 krb5_data *salt = NULL;
319 DATA_BLOB salt_data = data_blob_null;
320 struct smb_krb5_context *smb_krb5_context = NULL;
321 const struct ldb_val *sc_val;
322 uint32_t userAccountControl = 0;
323 uint32_t current_kvno = 0;
324 bool am_rodc;
325 NTTIME now;
326 bool time_ok;
327
328 time_ok = dsdb_gmsa_current_time(sam_ctx, &now);
329 if (!time_ok) {
330 return NT_STATUS_INTERNAL_ERROR;
331 }
332
333 tmp_ctx = talloc_new(mem_ctx);
334 if (tmp_ctx == NULL) {
335 return NT_STATUS_NO_MEMORY;
336 }
337
338 /*
339 * This call does more than what it appears to do, it also
340 * checks for the account lockout.
341 *
342 * It is done here so that all parts of Samba that read the
343 * password refuse to even operate on it if the account is
344 * locked out, to avoid mistakes like CVE-2013-4496.
345 */
346 nt_status = samdb_result_passwords(tmp_ctx, auth_context->lp_ctx,
347 msg, &nt_pwd);
348 if (!NT_STATUS_IS_OK(nt_status)) {
349 TALLOC_FREE(tmp_ctx);
350 return nt_status;
351 }
352
353 userAccountControl = ldb_msg_find_attr_as_uint(msg,
354 "userAccountControl",
355 0);
356
357 sc_val = ldb_msg_find_ldb_val(msg, "supplementalCredentials");
358
359 if (nt_pwd == NULL && sc_val == NULL) {
360 if (samdb_rodc(auth_context->sam_ctx, &am_rodc) == LDB_SUCCESS && am_rodc) {
361 /*
362 * we don't have passwords for this
363 * account. We are an RODC, and this account
364 * may be one for which we either are denied
365 * REPL_SECRET replication or we haven't yet
366 * done the replication. We return
367 * NT_STATUS_NOT_IMPLEMENTED which tells the
368 * auth code to try the next authentication
369 * mechanism. We also send a message to our
370 * drepl server to tell it to try and
371 * replicate the secrets for this account.
372 *
373 * TODO: Should we only trigger this is detected
374 * there's a chance that the password might be
375 * replicated, we should be able to detect this
376 * based on msDS-NeverRevealGroup.
377 */
378 auth_sam_trigger_repl_secret(auth_context,
379 auth_context->msg_ctx,
380 auth_context->event_ctx,
381 msg->dn);
382 TALLOC_FREE(tmp_ctx);
383 return NT_STATUS_NOT_IMPLEMENTED;
384 }
385 }
386
387 /*
388 * If we don't have an NT password, pull a kerberos key
389 * instead for plaintext.
390 */
391 if (nt_pwd == NULL &&
392 sc_val != NULL &&
393 user_info->password_state == AUTH_PASSWORD_PLAIN)
394 {
395 krb5_error_code krb5_ret;
396
397 krb5_ret = smb_krb5_init_context(tmp_ctx,
398 auth_context->lp_ctx,
399 &smb_krb5_context);
400 if (krb5_ret != 0) {
401 DBG_ERR("Failed to setup krb5_context: %s!\n",
402 error_message(krb5_ret));
403 return NT_STATUS_INTERNAL_ERROR;
404 }
405
406 /*
407 * Get the current salt from the record
408 */
409
410 krb5_ret = dsdb_extract_aes_256_key(smb_krb5_context->krb5_context,
411 tmp_ctx,
412 sam_ctx,
413 msg,
414 userAccountControl,
415 NULL, /* kvno */
416 &current_kvno, /* kvno_out */
417 &_aes_256_key,
418 &salt_data);
419 if (krb5_ret == 0) {
420 aes_256_key = &_aes_256_key;
421
422 _salt.data = (char *)salt_data.data;
423 _salt.length = salt_data.length;
424 salt = &_salt;
425 }
426 }
427
428 auth_status = authsam_password_ok(auth_context,
429 tmp_ctx,
430 nt_pwd,
431 smb_krb5_context,
432 aes_256_key,
433 salt,
434 user_info,
435 user_sess_key, lm_sess_key);
436
437 if (NT_STATUS_IS_OK(auth_status)) {
438 if (user_sess_key->data) {
439 talloc_steal(mem_ctx, user_sess_key->data);
440 }
441 if (lm_sess_key->data) {
442 talloc_steal(mem_ctx, lm_sess_key->data);
443 }
444 TALLOC_FREE(tmp_ctx);
445 return NT_STATUS_OK;
446 }
447 *user_sess_key = data_blob_null;
448 *lm_sess_key = data_blob_null;
449
450 if (!NT_STATUS_EQUAL(auth_status, NT_STATUS_WRONG_PASSWORD)) {
451 TALLOC_FREE(tmp_ctx);
452 return auth_status;
453 }
454
455 /*
456 * We only continue if this was a wrong password and we'll
457 * return NT_STATUS_WRONG_PASSWORD in most cases, except for a
458 * (default) 60 min grace period for previous NTLM password
459 */
460
461 /* pull the domain password property attributes */
462 ret = dsdb_search_one(sam_ctx, tmp_ctx, &dom_msg, domain_dn, LDB_SCOPE_BASE,
463 attrs, 0, "objectClass=domain");
464 if (ret == LDB_SUCCESS) {
465 history_len = ldb_msg_find_attr_as_uint(dom_msg, "pwdHistoryLength", 0);
466 } else if (ret == LDB_ERR_NO_SUCH_OBJECT) {
467 DEBUG(3,("Couldn't find domain %s: %s!\n",
468 ldb_dn_get_linearized(domain_dn),
469 ldb_errstring(sam_ctx)));
470 } else {
471 DEBUG(3,("error finding domain %s: %s!\n",
472 ldb_dn_get_linearized(domain_dn),
473 ldb_errstring(sam_ctx)));
474 }
475
476 for (i = 1; i < MIN(history_len, 3); i++) {
477 const struct samr_Password *nt_history_pwd = NULL;
478 NTTIME pwdLastSet;
479 int allowed_period_mins;
480 NTTIME allowed_period;
481 bool is_gmsa;
482
483 /* Reset these variables back to starting as empty */
484 aes_256_key = NULL;
485 salt = NULL;
486
487 /*
488 * Obtain the i'th old password from the NT password
489 * history for this user.
490 *
491 * We avoid issues with salts (which are not
492 * recorded for historical AES256 keys) by using the
493 * ntPwdHistory in preference.
494 */
495 nt_status = samdb_result_passwords_from_history(tmp_ctx,
496 auth_context->lp_ctx,
497 msg, i,
498 NULL,
499 &nt_history_pwd);
500
501 /*
502 * Belts and braces: note that
503 * samdb_result_passwords_from_history() currently
504 * does not fail for missing attributes, it only sets
505 * nt_history_pwd = NULL, so "break" and fall down to
506 * the bad password count update if this happens
507 */
508 if (!NT_STATUS_IS_OK(nt_status)) {
509 break;
510 }
511
512 nt_history_pwd = hide_invalid_nthash(nt_history_pwd);
513
514 /*
515 * We don't have an NT hash from the
516 * ntPwdHistory, but we can still perform the
517 * password check with the AES256
518 * key.
519 *
520 * However, this is the second preference as
521 * it will fail if the account was renamed
522 * prior to a password change (as we won't
523 * have the correct salt available to
524 * calculate the AES256 key).
525 */
526
527 if (nt_history_pwd == NULL && sc_val != NULL &&
528 user_info->password_state == AUTH_PASSWORD_PLAIN &&
529 current_kvno >= i)
530 {
531 krb5_error_code krb5_ret;
532 const uint32_t request_kvno = current_kvno - i;
533
534 /*
535 * Confirm we have a krb5_context set up
536 */
537 if (smb_krb5_context == NULL) {
538 /*
539 * We get here if we had a unicodePwd
540 * for the current password, no
541 * ntPwdHistory, a valid previous
542 * Kerberos history AND are processing
543 * a simple bind.
544 *
545 * This really is a corner case so
546 * favour cleaner code over trying to
547 * allow for an old password. It is
548 * more likely this is just a new
549 * account.
550 *
551 * "break" out of the loop and fall down
552 * to the bad password update
553 */
554 break;
555 }
556
557 /*
558 * Get the current salt from the record
559 */
560
561 krb5_ret = dsdb_extract_aes_256_key(smb_krb5_context->krb5_context,
562 tmp_ctx,
563 sam_ctx,
564 msg,
565 userAccountControl,
566 &request_kvno, /* kvno */
567 NULL, /* kvno_out */
568 &_aes_256_key,
569 &salt_data);
570 if (krb5_ret != 0) {
571 break;
572 }
573
574 aes_256_key = &_aes_256_key;
575
576 _salt.data = (char *)salt_data.data;
577 _salt.length = salt_data.length;
578 salt = &_salt;
579
580 } else if (nt_history_pwd == NULL) {
581 /*
582 * If we don't find element 'i' in the
583 * ntPwdHistory and can not fall back to the
584 * kerberos hash, we won't find 'i+1' ...
585 */
586 break;
587 }
588
589 auth_status = authsam_password_ok(auth_context, tmp_ctx,
590 nt_history_pwd,
591 smb_krb5_context,
592 aes_256_key,
593 salt,
594 user_info,
595 user_sess_key,
596 lm_sess_key);
597
598 if (!NT_STATUS_IS_OK(auth_status)) {
599 /*
600 * If this was not a correct password, try the next
601 * one from the history
602 */
603 *user_sess_key = data_blob_null;
604 *lm_sess_key = data_blob_null;
605 continue;
606 }
607
608 if (i != 1) {
609 /*
610 * The authentication was OK, but not against
611 * the previous password, which is stored at index 1.
612 *
613 * We just return the original wrong password.
614 * This skips the update of the bad pwd count,
615 * because this is almost certainly user error
616 * (or automatic login on a computer using a cached
617 * password from before the password change),
618 * not an attack.
619 */
620 TALLOC_FREE(tmp_ctx);
621 return NT_STATUS_WRONG_PASSWORD;
622 }
623
624 if (user_info->flags & USER_INFO_INTERACTIVE_LOGON) {
625 /*
626 * The authentication was OK against the previous password,
627 * but it's not a NTLM network authentication,
628 * LDAP simple bind or something similar.
629 *
630 * We just return the original wrong password.
631 * This skips the update of the bad pwd count,
632 * because this is almost certainly user error
633 * (or automatic login on a computer using a cached
634 * password from before the password change),
635 * not an attack.
636 */
637 TALLOC_FREE(tmp_ctx);
638 return NT_STATUS_WRONG_PASSWORD;
639 }
640
641 /*
642 * If the password was OK, it's a NTLM network authentication
643 * and it was the previous password.
644 *
645 * Now we see if it is within the grace period,
646 * so that we don't break cached sessions on other computers
647 * before the user can lock and unlock their other screens
648 * (resetting their cached password).
649 *
650 */
651
652 /* Is the account a Group Managed Service Account? */
653 is_gmsa = dsdb_account_is_gmsa(sam_ctx, msg);
654 if (is_gmsa) {
655 /*
656 * For Group Managed Service Accounts, the previous
657 * password is allowed for five minutes after a password
658 * change.
659 */
660 allowed_period_mins = gkdi_max_clock_skew_mins;
661 } else {
662 /*
663 * See http://support.microsoft.com/kb/906305
664 * OldPasswordAllowedPeriod ("old password allowed
665 * period") is specified in minutes. The default is 60.
666 */
667 allowed_period_mins = lpcfg_old_password_allowed_period(
668 auth_context->lp_ctx);
669 }
670 /*
671 * NTTIME uses 100ns units
672 */
673 allowed_period = (NTTIME) allowed_period_mins *
674 60 * 1000*1000*10;
675 pwdLastSet = samdb_result_nttime(msg, "pwdLastSet", 0);
676
677 if (now < pwdLastSet) {
678 /*
679 * time jump?
680 *
681 * We just return the original wrong password.
682 * This skips the update of the bad pwd count,
683 * because this is almost certainly user error
684 * (or automatic login on a computer using a cached
685 * password from before the password change),
686 * not an attack.
687 */
688 TALLOC_FREE(tmp_ctx);
689 return NT_STATUS_WRONG_PASSWORD;
690 }
691
692 if ((now - pwdLastSet) >= allowed_period) {
693 /*
694 * The allowed period is over.
695 *
696 * We just return the original wrong password.
697 * This skips the update of the bad pwd count,
698 * because this is almost certainly user error
699 * (or automatic login on a computer using a cached
700 * password from before the password change),
701 * not an attack.
702 */
703 TALLOC_FREE(tmp_ctx);
704 return NT_STATUS_WRONG_PASSWORD;
705 }
706
707 /*
708 * We finally allow the authentication with the
709 * previous password within the allowed period.
710 */
711 if (user_sess_key->data) {
712 talloc_steal(mem_ctx, user_sess_key->data);
713 }
714 if (lm_sess_key->data) {
715 talloc_steal(mem_ctx, lm_sess_key->data);
716 }
717
718 TALLOC_FREE(tmp_ctx);
719 return auth_status;
720 }
721
722 /*
723 * If we are not in the allowed period or match an old password,
724 * we didn't return early. Now update the badPwdCount et al.
725 */
726 nt_status = authsam_update_bad_pwd_count(auth_context->sam_ctx,
727 msg, domain_dn);
728 if (!NT_STATUS_IS_OK(nt_status)) {
729 /*
730 * We need to return the original
731 * NT_STATUS_WRONG_PASSWORD error, so there isn't
732 * anything more we can do than write something into
733 * the log
734 */
735 DEBUG(0, ("Failed to note bad password for user [%s]: %s\n",
736 user_info->mapped.account_name,
737 nt_errstr(nt_status)));
738 }
739
740 if (samdb_rodc(auth_context->sam_ctx, &am_rodc) == LDB_SUCCESS && am_rodc) {
741 *authoritative = false;
742 }
743
744 TALLOC_FREE(tmp_ctx);
745
746 if (NT_STATUS_IS_OK(nt_status)) {
747 nt_status = NT_STATUS_WRONG_PASSWORD;
748 }
749 return nt_status;
750 }
751
752 static NTSTATUS authsam_check_netlogon_trust(TALLOC_CTX *mem_ctx,
753 struct ldb_context *sam_ctx,
754 struct loadparm_context *lp_ctx,
755 const struct auth_usersupplied_info *user_info,
756 const struct auth_user_info_dc *user_info_dc,
757 struct authn_audit_info **server_audit_info_out)
758 {
759 TALLOC_CTX *tmp_ctx = NULL;
760
761 static const char *authn_policy_silo_attrs[] = {
762 "msDS-AssignedAuthNPolicy",
763 "msDS-AssignedAuthNPolicySilo",
764 "objectClass", /* used to determine which set of policy
765 * attributes apply. */
766 NULL,
767 };
768
769 const struct authn_server_policy *authn_server_policy = NULL;
770
771 struct dom_sid_buf netlogon_trust_sid_buf;
772 const char *netlogon_trust_sid_str = NULL;
773 struct ldb_dn *netlogon_trust_dn = NULL;
774 struct ldb_message *netlogon_trust_msg = NULL;
775
776 int ret;
777
778 /* Have we established a secure channel? */
779 if (user_info->netlogon_trust_account.secure_channel_type == SEC_CHAN_NULL) {
780 return NT_STATUS_OK;
781 }
782
783 if (!authn_policy_silos_and_policies_in_effect(sam_ctx)) {
784 return NT_STATUS_OK;
785 }
786
787 /*
788 * We have established a secure channel, and we should have the machine
789 * account’s SID.
790 */
791 SMB_ASSERT(user_info->netlogon_trust_account.sid != NULL);
792
793 tmp_ctx = talloc_new(mem_ctx);
794 if (tmp_ctx == NULL) {
795 return NT_STATUS_NO_MEMORY;
796 }
797
798 netlogon_trust_sid_str = dom_sid_str_buf(user_info->netlogon_trust_account.sid,
799 &netlogon_trust_sid_buf);
800
801 netlogon_trust_dn = ldb_dn_new_fmt(tmp_ctx, sam_ctx,
802 "<SID=%s>",
803 netlogon_trust_sid_str);
804 if (netlogon_trust_dn == NULL) {
805 talloc_free(tmp_ctx);
806 return NT_STATUS_NO_MEMORY;
807 }
808
809 /*
810 * Look up the machine account to see if it has an applicable
811 * authentication policy.
812 */
813 ret = dsdb_search_one(sam_ctx,
814 tmp_ctx,
815 &netlogon_trust_msg,
816 netlogon_trust_dn,
817 LDB_SCOPE_BASE,
818 authn_policy_silo_attrs,
819 0,
820 NULL);
821 if (ret) {
822 talloc_free(tmp_ctx);
823 return dsdb_ldb_err_to_ntstatus(ret);
824 }
825
826 ret = authn_policy_server(sam_ctx,
827 tmp_ctx,
828 netlogon_trust_msg,
829 &authn_server_policy);
830 if (ret) {
831 talloc_free(tmp_ctx);
832 return NT_STATUS_INTERNAL_ERROR;
833 }
834
835 if (authn_server_policy != NULL) {
836 struct authn_audit_info *server_audit_info = NULL;
837 NTSTATUS status;
838
839 /*
840 * An authentication policy applies to the machine
841 * account. Carry out the access check.
842 */
843 status = authn_policy_authenticate_to_service(tmp_ctx,
844 sam_ctx,
845 lp_ctx,
846 AUTHN_POLICY_AUTH_TYPE_NTLM,
847 user_info_dc,
848 NULL /* device_info */,
849 /*
850 * It seems that claims go ignored for
851 * SamLogon (see SamLogonTests —
852 * test_samlogon_allowed_to_computer_silo).
853 */
854 (struct auth_claims) {},
855 authn_server_policy,
856 (struct authn_policy_flags) {},
857 &server_audit_info);
858 if (server_audit_info != NULL) {
859 *server_audit_info_out = talloc_move(mem_ctx, &server_audit_info);
860 }
861 if (!NT_STATUS_IS_OK(status)) {
862 talloc_free(tmp_ctx);
863 return status;
864 }
865 }
866
867 return NT_STATUS_OK;
868 }
869
870 static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
871 TALLOC_CTX *mem_ctx,
872 struct ldb_dn *domain_dn,
873 struct ldb_message *msg,
874 const struct auth_usersupplied_info *user_info,
875 const struct auth_user_info_dc *user_info_dc,
876 DATA_BLOB *user_sess_key, DATA_BLOB *lm_sess_key,
877 struct authn_audit_info **client_audit_info_out,
878 struct authn_audit_info **server_audit_info_out,
879 bool *authoritative)
880 {
881 NTSTATUS nt_status;
882 int ret;
883 bool interactive = (user_info->password_state == AUTH_PASSWORD_HASH);
884 uint32_t acct_flags = samdb_result_acct_flags(msg, NULL);
885 struct netr_SendToSamBase *send_to_sam = NULL;
886 const struct authn_ntlm_client_policy *authn_client_policy = NULL;
887 struct ldb_context *sam_ctx = auth_context->sam_ctx;
888 TALLOC_CTX *tmp_ctx = NULL;
889 NTTIME now;
890 bool time_ok;
891
892 time_ok = dsdb_gmsa_current_time(sam_ctx, &now);
893 if (!time_ok) {
894 return NT_STATUS_INTERNAL_ERROR;
895 }
896
897 tmp_ctx = talloc_new(mem_ctx);
898 if (!tmp_ctx) {
899 return NT_STATUS_NO_MEMORY;
900 }
901
902 /* You can only do an interactive login to normal accounts */
903 if (user_info->flags & USER_INFO_INTERACTIVE_LOGON) {
904 if (!(acct_flags & ACB_NORMAL)) {
905 TALLOC_FREE(tmp_ctx);
906 return NT_STATUS_NO_SUCH_USER;
907 }
908 if (acct_flags & ACB_SMARTCARD_REQUIRED) {
909 if (acct_flags & ACB_DISABLED) {
910 DEBUG(2,("authsam_authenticate: Account for user '%s' "
911 "was disabled.\n",
912 user_info->mapped.account_name));
913 TALLOC_FREE(tmp_ctx);
914 return NT_STATUS_ACCOUNT_DISABLED;
915 }
916 DEBUG(2,("authsam_authenticate: Account for user '%s' "
917 "requires interactive smartcard logon.\n",
918 user_info->mapped.account_name));
919 TALLOC_FREE(tmp_ctx);
920 return NT_STATUS_SMARTCARD_LOGON_REQUIRED;
921 }
922 }
923
924 /* See whether an authentication policy applies to the client. */
925 ret = authn_policy_ntlm_client(auth_context->sam_ctx,
926 tmp_ctx,
927 msg,
928 &authn_client_policy);
929 if (ret) {
930 TALLOC_FREE(tmp_ctx);
931 return NT_STATUS_INTERNAL_ERROR;
932 }
933
934 nt_status = authn_policy_ntlm_apply_device_restriction(mem_ctx,
935 authn_client_policy,
936 client_audit_info_out);
937 if (!NT_STATUS_IS_OK(nt_status)) {
938 /*
939 * As we didn’t get far enough to check the server policy, only
940 * the client policy will be referenced in the authentication
941 * log message.
942 */
943 TALLOC_FREE(tmp_ctx);
944 return nt_status;
945 }
946
947 nt_status = authsam_password_check_and_record(auth_context, tmp_ctx,
948 domain_dn, msg,
949 user_info,
950 user_sess_key, lm_sess_key,
951 authoritative);
952 if (!NT_STATUS_IS_OK(nt_status)) {
953 TALLOC_FREE(tmp_ctx);
954 return nt_status;
955 }
956
957 nt_status = authsam_check_netlogon_trust(mem_ctx,
958 auth_context->sam_ctx,
959 auth_context->lp_ctx,
960 user_info,
961 user_info_dc,
962 server_audit_info_out);
963 if (!NT_STATUS_IS_OK(nt_status)) {
964 TALLOC_FREE(tmp_ctx);
965 return nt_status;
966 }
967
968 nt_status = authsam_account_ok(tmp_ctx, auth_context->sam_ctx,
969 now,
970 user_info->logon_parameters,
971 domain_dn,
972 msg,
973 user_info->workstation_name,
974 user_info->mapped.account_name,
975 false, false);
976 if (!NT_STATUS_IS_OK(nt_status)) {
977 TALLOC_FREE(tmp_ctx);
978 return nt_status;
979 }
980
981 nt_status = authsam_logon_success_accounting(auth_context->sam_ctx,
982 msg, domain_dn,
983 interactive,
984 tmp_ctx,
985 &send_to_sam);
986
987 if (send_to_sam != NULL) {
988 auth_sam_trigger_zero_password(tmp_ctx,
989 auth_context->msg_ctx,
990 auth_context->event_ctx,
991 send_to_sam);
992 }
993
994 if (!NT_STATUS_IS_OK(nt_status)) {
995 TALLOC_FREE(tmp_ctx);
996 return nt_status;
997 }
998
999 if (user_sess_key && user_sess_key->data) {
1000 talloc_steal(mem_ctx, user_sess_key->data);
1001 }
1002 if (lm_sess_key && lm_sess_key->data) {
1003 talloc_steal(mem_ctx, lm_sess_key->data);
1004 }
1005
1006 TALLOC_FREE(tmp_ctx);
1007 return nt_status;
1008 }
1009
1010
1011
1012 static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx,
1013 TALLOC_CTX *mem_ctx,
1014 const struct auth_usersupplied_info *user_info,
1015 struct auth_user_info_dc **user_info_dc,
1016 struct authn_audit_info **client_audit_info_out,
1017 struct authn_audit_info **server_audit_info_out,
1018 bool *authoritative)
1019 {
1020 NTSTATUS nt_status;
1021 int result;
1022 const char *account_name = user_info->mapped.account_name;
1023 struct ldb_message *msg;
1024 struct ldb_dn *domain_dn;
1025 DATA_BLOB user_sess_key, lm_sess_key;
1026 TALLOC_CTX *tmp_ctx;
1027 const char *p = NULL;
1028 struct auth_user_info_dc *reparented = NULL;
1029 struct authn_audit_info *client_audit_info = NULL;
1030 struct authn_audit_info *server_audit_info = NULL;
1031
1032 if (ctx->auth_ctx->sam_ctx == NULL) {
1033 DEBUG(0, ("No SAM available, cannot log in users\n"));
1034 return NT_STATUS_INVALID_SYSTEM_SERVICE;
1035 }
1036
1037 if (!account_name || !*account_name) {
1038 /* 'not for me' */
1039 return NT_STATUS_NOT_IMPLEMENTED;
1040 }
1041
1042 tmp_ctx = talloc_new(mem_ctx);
1043 if (!tmp_ctx) {
1044 return NT_STATUS_NO_MEMORY;
1045 }
1046
1047 domain_dn = ldb_get_default_basedn(ctx->auth_ctx->sam_ctx);
1048 if (domain_dn == NULL) {
1049 talloc_free(tmp_ctx);
1050 return NT_STATUS_NO_SUCH_DOMAIN;
1051 }
1052
1053 /*
1054 * If we have not already mapped this user, then now is a good
1055 * time to do so, before we look it up. We used to do this
1056 * earlier, but in a multi-forest environment we want to do
1057 * this mapping at the final domain.
1058 *
1059 * However, on the flip side we may have already mapped the
1060 * user if this was an LDAP simple bind, in which case we
1061 * really, really want to get back to exactly the same account
1062 * we got the DN for.
1063 */
1064 if (!user_info->cracknames_called) {
1065 p = strchr_m(account_name, '@');
1066 } else {
1067 /*
1068 * This is slightly nicer than double-indenting the
1069 * block below
1070 */
1071 p = NULL;
1072 }
1073
1074 if (p != NULL) {
1075 const char *nt4_domain = NULL;
1076 const char *nt4_account = NULL;
1077 bool is_my_domain = false;
1078
1079 nt_status = crack_name_to_nt4_name(mem_ctx,
1080 ctx->auth_ctx->sam_ctx,
1081 /*
1082 * DRSUAPI_DS_NAME_FORMAT_UPN_FOR_LOGON ?
1083 */
1084 DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL,
1085 account_name,
1086 &nt4_domain, &nt4_account);
1087 if (!NT_STATUS_IS_OK(nt_status)) {
1088 talloc_free(tmp_ctx);
1089 return NT_STATUS_NO_SUCH_USER;
1090 }
1091
1092 is_my_domain = lpcfg_is_mydomain(ctx->auth_ctx->lp_ctx, nt4_domain);
1093 if (!is_my_domain) {
1094 /*
1095 * This is a user within our forest,
1096 * but in a different domain,
1097 * we're not authoritative
1098 */
1099 talloc_free(tmp_ctx);
1100 return NT_STATUS_NOT_IMPLEMENTED;
1101 }
1102
1103 /*
1104 * Let's use the NT4 account name for the lookup.
1105 */
1106 account_name = nt4_account;
1107 }
1108
1109 nt_status = authsam_search_account(tmp_ctx, ctx->auth_ctx->sam_ctx, account_name, domain_dn, &msg);
1110 if (!NT_STATUS_IS_OK(nt_status)) {
1111 talloc_free(tmp_ctx);
1112 return nt_status;
1113 }
1114
1115 nt_status = authsam_make_user_info_dc(tmp_ctx, ctx->auth_ctx->sam_ctx,
1116 lpcfg_netbios_name(ctx->auth_ctx->lp_ctx),
1117 lpcfg_sam_name(ctx->auth_ctx->lp_ctx),
1118 lpcfg_sam_dnsname(ctx->auth_ctx->lp_ctx),
1119 domain_dn,
1120 msg,
1121 data_blob_null, data_blob_null,
1122 user_info_dc);
1123 if (!NT_STATUS_IS_OK(nt_status)) {
1124 talloc_free(tmp_ctx);
1125 return nt_status;
1126 }
1127
1128 result = dsdb_is_protected_user(ctx->auth_ctx->sam_ctx,
1129 (*user_info_dc)->sids,
1130 (*user_info_dc)->num_sids);
1131 /*
1132 * We also consider an error result (a negative value) as denying the
1133 * authentication.
1134 */
1135 if (result != 0) {
1136 talloc_free(tmp_ctx);
1137 return NT_STATUS_ACCOUNT_RESTRICTION;
1138 }
1139
1140 nt_status = authsam_authenticate(ctx->auth_ctx,
1141 tmp_ctx,
1142 domain_dn,
1143 msg,
1144 user_info,
1145 *user_info_dc,
1146 &user_sess_key,
1147 &lm_sess_key,
1148 &client_audit_info,
1149 &server_audit_info,
1150 authoritative);
1151 if (client_audit_info != NULL) {
1152 *client_audit_info_out = talloc_move(mem_ctx, &client_audit_info);
1153 }
1154 if (server_audit_info != NULL) {
1155 *server_audit_info_out = talloc_move(mem_ctx, &server_audit_info);
1156 }
1157 if (!NT_STATUS_IS_OK(nt_status)) {
1158 talloc_free(tmp_ctx);
1159 return nt_status;
1160 }
1161
1162 (*user_info_dc)->user_session_key = data_blob_talloc(*user_info_dc,
1163 user_sess_key.data,
1164 user_sess_key.length);
1165 if (user_sess_key.data) {
1166 if ((*user_info_dc)->user_session_key.data == NULL) {
1167 TALLOC_FREE(tmp_ctx);
1168 return NT_STATUS_NO_MEMORY;
1169 }
1170 }
1171
1172 (*user_info_dc)->lm_session_key = data_blob_talloc(*user_info_dc,
1173 lm_sess_key.data,
1174 lm_sess_key.length);
1175 if (lm_sess_key.data) {
1176 if ((*user_info_dc)->lm_session_key.data == NULL) {
1177 TALLOC_FREE(tmp_ctx);
1178 return NT_STATUS_NO_MEMORY;
1179 }
1180 }
1181
1182 /*
1183 * Release our handle to *user_info_dc. {client,server}_audit_info_out,
1184 * if non-NULL, becomes the new parent.
1185 */
1186 reparented = talloc_reparent(tmp_ctx, mem_ctx, *user_info_dc);
1187 if (reparented == NULL) {
1188 talloc_free(tmp_ctx);
1189 return NT_STATUS_INTERNAL_ERROR;
1190 }
1191
1192 talloc_free(tmp_ctx);
1193
1194 return NT_STATUS_OK;
1195 }
1196
1197 struct authsam_check_password_state {
1198 struct auth_user_info_dc *user_info_dc;
1199 struct authn_audit_info *client_audit_info;
1200 struct authn_audit_info *server_audit_info;
1201 bool authoritative;
1202 };
1203
1204 static struct tevent_req *authsam_check_password_send(
1205 TALLOC_CTX *mem_ctx,
1206 struct tevent_context *ev,
1207 struct auth_method_context *ctx,
1208 const struct auth_usersupplied_info *user_info)
1209 {
1210 struct tevent_req *req = NULL;
1211 struct authsam_check_password_state *state = NULL;
1212 NTSTATUS status;
1213
1214 req = tevent_req_create(
1215 mem_ctx, &state, struct authsam_check_password_state);
1216 if (req == NULL) {
1217 return NULL;
1218 }
1219 /*
1220 * authsam_check_password_internals() sets this to false in
1221 * the rodc case, otherwise it leaves it untouched. Default to
1222 * "we're authoritative".
1223 */
1224 state->authoritative = true;
1225
1226 status = authsam_check_password_internals(
1227 ctx,
1228 state,
1229 user_info,
1230 &state->user_info_dc,
1231 &state->client_audit_info,
1232 &state->server_audit_info,
1233 &state->authoritative);
1234 if (tevent_req_nterror(req, status)) {
1235 return tevent_req_post(req, ev);
1236 }
1237
1238 tevent_req_done(req);
1239 return tevent_req_post(req, ev);
1240 }
1241
1242 static NTSTATUS authsam_check_password_recv(
1243 struct tevent_req *req,
1244 TALLOC_CTX *mem_ctx,
1245 struct auth_user_info_dc **interim_info,
1246 const struct authn_audit_info **client_audit_info,
1247 const struct authn_audit_info **server_audit_info,
1248 bool *authoritative)
1249 {
1250 struct authsam_check_password_state *state = tevent_req_data(
1251 req, struct authsam_check_password_state);
1252 NTSTATUS status;
1253
1254 *authoritative = state->authoritative;
1255
1256 *client_audit_info = talloc_reparent(state, mem_ctx, state->client_audit_info);
1257 state->client_audit_info = NULL;
1258
1259 *server_audit_info = talloc_reparent(state, mem_ctx, state->server_audit_info);
1260 state->server_audit_info = NULL;
1261
1262 if (tevent_req_is_nterror(req, &status)) {
1263 tevent_req_received(req);
1264 return status;
1265 }
1266 /*
1267 * Release our handle to state->user_info_dc.
1268 * {client,server}_audit_info, if non-NULL, becomes the new parent.
1269 */
1270 *interim_info = talloc_reparent(state, mem_ctx, state->user_info_dc);
1271 state->user_info_dc = NULL;
1272
1273 tevent_req_received(req);
1274 return NT_STATUS_OK;
1275 }
1276
1277 static NTSTATUS authsam_ignoredomain_want_check(struct auth_method_context *ctx,
1278 TALLOC_CTX *mem_ctx,
1279 const struct auth_usersupplied_info *user_info)
1280 {
1281 if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
1282 return NT_STATUS_NOT_IMPLEMENTED;
1283 }
1284
1285 return NT_STATUS_OK;
1286 }
1287
1288 /****************************************************************************
1289 Check SAM security (above) but with a few extra checks.
1290 ****************************************************************************/
1291 static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
1292 TALLOC_CTX *mem_ctx,
1293 const struct auth_usersupplied_info *user_info)
1294 {
1295 const char *effective_domain = user_info->mapped.domain_name;
1296 bool is_local_name = false;
1297 bool is_my_domain = false;
1298 const char *p = NULL;
1299 struct dsdb_trust_routing_table *trt = NULL;
1300 const struct lsa_TrustDomainInfoInfoEx *tdo = NULL;
1301 NTSTATUS status;
1302
1303 if (!user_info->mapped.account_name || !*user_info->mapped.account_name) {
1304 return NT_STATUS_NOT_IMPLEMENTED;
1305 }
1306
1307 if (effective_domain == NULL) {
1308 effective_domain = "";
1309 }
1310
1311 is_local_name = lpcfg_is_myname(ctx->auth_ctx->lp_ctx,
1312 effective_domain);
1313
1314 /* check whether or not we service this domain/workgroup name */
1315 switch (lpcfg_server_role(ctx->auth_ctx->lp_ctx)) {
1316 case ROLE_STANDALONE:
1317 return NT_STATUS_OK;
1318
1319 case ROLE_DOMAIN_MEMBER:
1320 if (is_local_name) {
1321 return NT_STATUS_OK;
1322 }
1323
1324 DBG_DEBUG("%s is not one of my local names (DOMAIN_MEMBER)\n",
1325 effective_domain);
1326 return NT_STATUS_NOT_IMPLEMENTED;
1327
1328 case ROLE_ACTIVE_DIRECTORY_DC:
1329 /* handled later */
1330 break;
1331
1332 default:
1333 DBG_ERR("lpcfg_server_role() has an undefined value\n");
1334 return NT_STATUS_INVALID_SERVER_STATE;
1335 }
1336
1337 /*
1338 * Now we handle the AD DC case...
1339 */
1340
1341 is_my_domain = lpcfg_is_my_domain_or_realm(ctx->auth_ctx->lp_ctx,
1342 effective_domain);
1343 if (is_my_domain) {
1344 return NT_STATUS_OK;
1345 }
1346
1347 if (user_info->cracknames_called) {
1348 /*
1349 * The caller already did a cracknames call.
1350 */
1351 DBG_DEBUG("%s is not own domain name (DC)\n",
1352 effective_domain);
1353 return NT_STATUS_NOT_IMPLEMENTED;
1354 }
1355
1356 if (!strequal(effective_domain, "")) {
1357 DBG_DEBUG("%s is not own domain name (DC)\n",
1358 effective_domain);
1359 return NT_STATUS_NOT_IMPLEMENTED;
1360 }
1361
1362 p = strchr_m(user_info->mapped.account_name, '@');
1363 if (p == NULL) {
1364 /*
1365 * An empty to domain name should be handled
1366 * as the local domain name.
1367 */
1368 return NT_STATUS_OK;
1369 }
1370
1371 effective_domain = p + 1;
1372 is_my_domain = lpcfg_is_my_domain_or_realm(ctx->auth_ctx->lp_ctx,
1373 effective_domain);
1374 if (is_my_domain) {
1375 return NT_STATUS_OK;
1376 }
1377
1378 if (strequal(effective_domain, "")) {
1379 DBG_DEBUG("authsam_check_password: upn without realm (DC)\n");
1380 return NT_STATUS_NOT_IMPLEMENTED;
1381 }
1382
1383 /*
1384 * as last option we check the routing table if the
1385 * domain is within our forest.
1386 */
1387 status = dsdb_trust_routing_table_load(ctx->auth_ctx->sam_ctx,
1388 mem_ctx, &trt);
1389 if (!NT_STATUS_IS_OK(status)) {
1390 DBG_ERR("authsam_check_password: dsdb_trust_routing_table_load() %s\n",
1391 nt_errstr(status));
1392 return status;
1393 }
1394
1395 tdo = dsdb_trust_routing_by_name(trt, effective_domain);
1396 if (tdo == NULL) {
1397 DBG_DEBUG("%s is not a known TLN (DC)\n",
1398 effective_domain);
1399 TALLOC_FREE(trt);
1400 return NT_STATUS_NOT_IMPLEMENTED;
1401 }
1402
1403 if (!(tdo->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST)) {
1404 DBG_DEBUG("%s is not a TLN in our forest (DC)\n",
1405 effective_domain);
1406 TALLOC_FREE(trt);
1407 return NT_STATUS_NOT_IMPLEMENTED;
1408 }
1409
1410 /*
1411 * This principal is within our forest.
1412 * we'll later do a crack_name_to_nt4_name()
1413 * to check if it's in our domain.
1414 */
1415 TALLOC_FREE(trt);
1416 return NT_STATUS_OK;
1417 }
1418
1419 static const struct auth_operations sam_ignoredomain_ops = {
1420 .name = "sam_ignoredomain",
1421 .want_check = authsam_ignoredomain_want_check,
1422 .check_password_send = authsam_check_password_send,
1423 .check_password_recv = authsam_check_password_recv,
1424 };
1425
1426 static const struct auth_operations sam_ops = {
1427 .name = "sam",
1428 .want_check = authsam_want_check,
1429 .check_password_send = authsam_check_password_send,
1430 .check_password_recv = authsam_check_password_recv,
1431 };
1432
1433 _PUBLIC_ NTSTATUS auth4_sam_init(TALLOC_CTX *);
1434 _PUBLIC_ NTSTATUS auth4_sam_init(TALLOC_CTX *ctx)
1435 {
1436 NTSTATUS ret;
1437
1438 ret = auth_register(ctx, &sam_ops);
1439 if (!NT_STATUS_IS_OK(ret)) {
1440 DEBUG(0,("Failed to register 'sam' auth backend!\n"));
1441 return ret;
1442 }
1443
1444 ret = auth_register(ctx, &sam_ignoredomain_ops);
1445 if (!NT_STATUS_IS_OK(ret)) {
1446 DEBUG(0,("Failed to register 'sam_ignoredomain' auth backend!\n"));
1447 return ret;
1448 }
1449
1450 return ret;
1451 }
GSS-enabled samba4