mech-winbind.c revision 08a96e22ba98b71c925310e824b1e35707dd4daf
/*
* NTLM and Negotiate authentication mechanisms,
* using Samba winbind daemon
*
* Copyright (c) 2007 Dmitry Butskoy <dmitry@butskoy.name>
*
* This software is released under the MIT license.
*/
#include "common.h"
#include "mech.h"
#include "str.h"
#include "buffer.h"
#include "base64.h"
#include "istream.h"
#include "ostream.h"
#include <stdlib.h>
#include <unistd.h>
#define DEFAULT_WINBIND_HELPER_PATH "/usr/bin/ntlm_auth"
enum helper_result {
HR_OK = 0, /* OK or continue */
HR_FAIL = -1, /* authentication failed */
HR_RESTART = -2 /* FAIL + try to restart helper */
};
struct winbind_helper {
const char *param;
struct istream *in_pipe;
struct ostream *out_pipe;
};
struct winbind_auth_request {
struct auth_request auth_request;
struct winbind_helper *winbind;
bool continued;
};
static struct winbind_helper winbind_ntlm_context = {
"--helper-protocol=squid-2.5-ntlmssp", NULL, NULL
};
static struct winbind_helper winbind_spnego_context = {
"--helper-protocol=gss-spnego", NULL, NULL
};
static void winbind_helper_disconnect(struct winbind_helper *winbind)
{
if (winbind->in_pipe != NULL)
i_stream_destroy(&winbind->in_pipe);
if (winbind->out_pipe != NULL)
o_stream_destroy(&winbind->out_pipe);
}
static void winbind_helper_connect(struct winbind_helper *winbind)
{
int infd[2], outfd[2];
pid_t pid;
if (winbind->in_pipe != NULL)
return;
if (pipe(infd) < 0) {
i_error("pipe() failed: %m");
return;
}
if (pipe(outfd) < 0) {
(void)close(infd[0]); (void)close(infd[1]);
return;
}
pid = fork();
if (pid < 0) {
i_error("fork() failed: %m");
(void)close(infd[0]); (void)close(infd[1]);
(void)close(outfd[0]); (void)close(outfd[1]);
return;
}
if (pid == 0) {
/* child */
const char *helper_path, *args[3];
(void)close(infd[0]);
(void)close(outfd[1]);
if (dup2(outfd[0], STDIN_FILENO) < 0 ||
dup2(infd[1], STDOUT_FILENO) < 0)
i_fatal("dup2() failed: %m");
helper_path = getenv("WINBIND_HELPER_PATH");
if (helper_path == NULL)
helper_path = DEFAULT_WINBIND_HELPER_PATH;
args[0] = helper_path;
args[1] = winbind->param;
args[2] = NULL;
execv(args[0], (void *)args);
i_fatal("execv(%s) failed: %m", args[0]);
}
/* parent */
(void)close(infd[1]);
(void)close(outfd[0]);
winbind->in_pipe =
i_stream_create_fd(infd[0], AUTH_CLIENT_MAX_LINE_LENGTH, TRUE);
winbind->out_pipe =
o_stream_create_fd(outfd[1], (size_t)-1, TRUE);
}
static enum helper_result
do_auth_continue(struct auth_request *auth_request,
const unsigned char *data, size_t data_size)
{
struct winbind_auth_request *request =
(struct winbind_auth_request *)auth_request;
struct istream *in_pipe = request->winbind->in_pipe;
string_t *str;
char *answer;
const char **token;
bool gss_spnego = request->winbind == &winbind_spnego_context;
if (request->winbind->in_pipe == NULL)
return HR_RESTART;
str = t_str_new(MAX_BASE64_ENCODED_SIZE(data_size + 1) + 4);
str_printfa(str, "%s ", request->continued ? "KK" : "YR");
base64_encode(data, data_size, str);
str_append_c(str, '\n');
if (o_stream_send_str(request->winbind->out_pipe, str_c(str)) < 0 ||
o_stream_flush(request->winbind->out_pipe) < 0) {
auth_request_log_error(auth_request, "winbind",
"write(out_pipe) failed: %m");
return HR_RESTART;
}
request->continued = FALSE;
while ((answer = i_stream_read_next_line(in_pipe)) == NULL) {
if (in_pipe->stream_errno != 0)
break;
}
if (answer == NULL) {
auth_request_log_error(auth_request, "winbind",
"read(in_pipe) failed: %m");
return HR_RESTART;
}
token = t_strsplit_spaces(answer, " ");
if (token[0] == NULL ||
(token[1] == NULL && strcmp(token[0], "BH") != 0) ||
(token[2] == NULL && gss_spnego)) {
auth_request_log_error(auth_request, "winbind",
"Invalid input from helper: %s", answer);
return HR_RESTART;
}
/*
* NTLM:
* The child's reply contains 2 parts:
* - The code: TT, AF or NA
* - The argument:
* For TT it's the blob to send to the client, coded in base64
* For AF it's user or DOMAIN\user
* For NA it's the NT error code
*
* GSS-SPNEGO:
* The child's reply contains 3 parts:
* - The code: TT, AF or NA
* - The blob to send to the client, coded in base64
* - The argument:
* For TT it's a dummy '*'
* For AF it's DOMAIN\user
* For NA it's the NT error code
*/
if (strcmp(token[0], "TT") == 0) {
buffer_t *buf;
buf = t_base64_decode_str(token[1]);
auth_request->callback(auth_request,
AUTH_CLIENT_RESULT_CONTINUE,
buf->data, buf->used);
request->continued = TRUE;
return HR_OK;
} else if (strcmp(token[0], "NA") == 0) {
const char *error = gss_spnego ? token[2] : token[1];
auth_request_log_info(auth_request, "winbind",
"user not authenticated: %s", error);
return HR_FAIL;
} else if (strcmp(token[0], "AF") == 0) {
const char *user, *p, *error;
user = gss_spnego ? token[2] : token[1];
p = strchr(user, '\\');
if (p != NULL) {
/* change "DOMAIN\user" to uniform style
"user@DOMAIN" */
user = t_strconcat(p+1, "@",
t_strdup_until(user, p), NULL);
}
if (!auth_request_set_username(auth_request, user, &error)) {
auth_request_log_info(auth_request, "winbind",
"%s", error);
return HR_FAIL;
}
if (gss_spnego && strcmp(token[1], "*") != 0) {
buffer_t *buf;
buf = t_base64_decode_str(token[1]);
auth_request_success(&request->auth_request,
buf->data, buf->used);
} else {
auth_request_success(&request->auth_request, NULL, 0);
}
return HR_OK;
} else if (strcmp(token[0], "BH") == 0) {
auth_request_log_info(auth_request, "winbind",
"ntlm_auth reports broken helper: %s",
token[1] != NULL ? token[1] : "");
return HR_RESTART;
} else {
auth_request_log_error(auth_request, "winbind",
"Invalid input from helper: %s", answer);
return HR_RESTART;
}
}
static void
mech_winbind_auth_continue(struct auth_request *auth_request,
const unsigned char *data, size_t data_size)
{
struct winbind_auth_request *request =
(struct winbind_auth_request *)auth_request;
enum helper_result res;
res = do_auth_continue(auth_request, data, data_size);
if (res != HR_OK) {
if (res == HR_RESTART)
winbind_helper_disconnect(request->winbind);
auth_request_fail(auth_request);
}
}
static struct auth_request *do_auth_new(struct winbind_helper *winbind)
{
struct winbind_auth_request *request;
pool_t pool;
pool = pool_alloconly_create("winbind_auth_request", 1024);
request = p_new(pool, struct winbind_auth_request, 1);
request->auth_request.pool = pool;
request->winbind = winbind;
winbind_helper_connect(request->winbind);
return &request->auth_request;
}
static struct auth_request *mech_winbind_ntlm_auth_new(void)
{
return do_auth_new(&winbind_ntlm_context);
}
static struct auth_request *mech_winbind_spnego_auth_new(void)
{
return do_auth_new(&winbind_spnego_context);
}
const struct mech_module mech_winbind_ntlm = {
"NTLM",
MEMBER(flags) MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE,
MEMBER(passdb_need_plain) FALSE,
MEMBER(passdb_need_credentials) FALSE,
MEMBER(passdb_need_set_credentials) FALSE,
mech_winbind_ntlm_auth_new,
mech_generic_auth_initial,
mech_winbind_auth_continue,
mech_generic_auth_free
};
const struct mech_module mech_winbind_spnego = {
"GSS-SPNEGO",
MEMBER(flags) 0,
MEMBER(passdb_need_plain) FALSE,
MEMBER(passdb_need_credentials) FALSE,
MEMBER(passdb_need_set_credentials) FALSE,
mech_winbind_spnego_auth_new,
mech_generic_auth_initial,
mech_winbind_auth_continue,
mech_generic_auth_free
};