27RCSID(
"$Id: e5979d7068b522547de8d4fbac40e0e664e4f4b7 $")
29#include <freeradius-devel/server/base.h>
30#include <freeradius-devel/server/module_rlm.h>
31#include <freeradius-devel/unlang/call_env.h>
32#include <freeradius-devel/unlang/xlat_func.h>
33#include <freeradius-devel/util/debug.h>
34#include <freeradius-devel/unlang/xlat.h>
35#include <freeradius-devel/util/dcursor.h>
36#include <freeradius-devel/util/skip.h>
37#include <freeradius-devel/util/value.h>
104 struct wbcContext *wb_ctx;
107 gid_t *wb_groups = NULL;
109 char const *domain = NULL;
110 size_t domain_len = 0;
112 char *username_buff = NULL;
113 size_t backslash = 0;
127 domain = env->
domain.vb_strvalue;
128 domain_len = env->
domain.vb_length;
135 RWDEBUG(
"Searching group with plain username, this will probably fail");
136 RWDEBUG(
"Ensure winbind domain is correctly set");
142 wbctx = winbind_slab_reserve(t->
slab);
144 RERROR(
"Unable to get winbind context");
151 err = wbcCtxGetGroups(wb_ctx,
username, &num_groups, &wb_groups);
153 case WBC_ERR_SUCCESS:
159 RDEBUG2(
"Successfully retrieved user's groups");
162 case WBC_ERR_WINBIND_NOT_AVAILABLE:
163 RERROR(
"Failed retrieving groups: Unable to contact winbindd");
166 case WBC_ERR_DOMAIN_NOT_FOUND:
168 REDEBUG(
"Failed retrieving groups: User or Domain not found");
171 case WBC_ERR_UNKNOWN_USER:
172 REDEBUG(
"Failed retrieving groups: User cannot be found");
176 REDEBUG(
"Failed retrieving groups: %s", wbcErrorString(
err));
193 if (domain_len > 0) backslash = domain_len - 1;
195 for (i = 0; i < num_groups; i++) {
200 err = wbcCtxGetgrgid(wb_ctx, wb_groups[i], &group);
201 if (
err != WBC_ERR_SUCCESS) {
202 REDEBUG(
"Failed resolving GID %i: %s", wb_groups[i], wbcErrorString(
err));
203 if (wb_groups[i] == UINT32_MAX) {
204 REDEBUG(
"GID appears to be winbind placeholder value, idmap likely failed");
209 RDEBUG3(
"Resolved GID %i to name \"%s\"", wb_groups[i], group->gr_name);
212 if ((backslash < strlen(group->gr_name)) && (group->gr_name[backslash] ==
'\\')) {
213 group_name = group->gr_name + backslash + 1;
214 }
else if ((group_name = strchr(group->gr_name,
'\\'))) {
216 backslash = group_name - (group->gr_name - 1);
218 group_name = group->gr_name;
222 RDEBUG3(
"Checking plain group name \"%s\"", group_name);
224 RDEBUG2(
"Found matching group: %s", group_name);
227 wbcFreeMemory(group);
233 if (!rcode)
RWDEBUG2(
"No groups found that match");
236 wbcFreeMemory(wb_groups);
237 winbind_slab_release(wbctx);
267 char const *p = arg->vb_strvalue;
300 struct wbcAuthErrorInfo *err_info = NULL;
305 wbctx = winbind_slab_reserve(t->
slab);
307 RERROR(
"Ping failed - Unable to get winbind context");
315 err = wbcCtxPingDc2(wbctx->
ctx, domain ? domain->vb_strvalue : NULL, &err_info, &dc);
319 if (WBC_ERROR_IS_OK(
err)) {
320 RDEBUG2(
"Ping succeeded to DC %s after %pVms", dc,
325 char const *err_str = wbcErrorString(
err);
328 RERROR(
"Ping failed (%s) to DC %s after %pVms%s%s", err_str, dc,
330 err_info->display_string ?
" - " :
"",
331 err_info->display_string ? err_info->display_string :
"");
337 if (dc) wbcFreeMemory(dc);
338 if (err_info) wbcFreeMemory(err_info);
339 winbind_slab_release(wbctx);
351 wbcCtxFree(wbctx->
ctx);
360 wbctx->
ctx = wbcCtxCreate();
382 if (!
inst->auth_type) {
383 WARN(
"Failed to find 'authenticate %s {...}' section. Winbind authentication will likely not work",
410 REDEBUG2(
"No %s found in the request; not doing winbind authentication.",
415 if (!
inst->auth_type) {
416 WARN(
"No 'authenticate %s {...}' section or 'Auth-Type = %s' set. Cannot setup Winbind authentication",
442 REDEBUG(
"User-Password must not be empty");
452 RDEBUG2(
"Login attempt with password");
461 RDEBUG2(
"User authenticated successfully using winbind");
472 .pair.dflt =
"User-Password", .pair.dflt_quote =
T_BARE_WORD },
481 tmpl_t *parsed_tmpl = NULL;
482 struct wbcInterfaceDetails *wb_info = NULL;
488 NULL, t_rules) < 0)
return -1;
495 struct wbcContext *wb_ctx;
497 cf_log_warn(ci,
"winbind domain unspecified; trying to get it from winbind");
499 wb_ctx = wbcCtxCreate();
502 cf_log_err(ci,
"Unable to get libwbclient context, cannot get domain");
506 err = wbcCtxInterfaceDetails(wb_ctx, &wb_info);
509 if (
err != WBC_ERR_SUCCESS) {
510 cf_log_err(ci,
"libwbclient returned wbcErr code %d; unable to get domain name.",
err);
511 cf_log_err(ci,
"Is winbind running and does the winbind_privileged socket have");
516 if (!wb_info->netbios_domain) {
517 cf_log_err(ci,
"winbind returned blank domain name");
526 wbcFreeMemory(wb_info);
530 cf_log_info(ci,
"Using winbind_domain '%s'", parsed_tmpl->name);
533 wbcFreeMemory(wb_info);
536 *(
void **)
out = parsed_tmpl;
537 return parsed_tmpl ? 0 : -1;
547 .pair.dflt =
"User-Password", .pair.dflt_quote =
T_BARE_WORD },
610 ERROR(
"Connection handle pool instantiation failed");
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
int do_auth_wbclient_pap(request_t *request, winbind_auth_call_env_t *env, rlm_winbind_thread_t *t)
PAP authentication direct to winbind via Samba's libwbclient library.
#define CALL_ENV_TERMINATOR
#define FR_CALL_ENV_METHOD_OUT(_inst)
Helper macro for populating the size/type fields of a call_env_method_t from the output structure typ...
call_env_parser_t const * env
Parsing rules for call method env.
#define FR_CALL_ENV_SUBSECTION(_name, _name2, _flags, _subcs)
Specify a call_env_parser_t which defines a nested subsection.
@ CALL_ENV_FLAG_ATTRIBUTE
Tmpl MUST contain an attribute reference.
@ CALL_ENV_FLAG_PARSE_ONLY
The result of parsing will not be evaluated at runtime.
@ CALL_ENV_FLAG_SECRET
The value is a secret, and should not be logged.
@ CALL_ENV_FLAG_REQUIRED
Associated conf pair or section is required.
@ CALL_ENV_FLAG_BARE_WORD_ATTRIBUTE
bare words are treated as an attribute, but strings may be xlats.
#define FR_CALL_ENV_OFFSET(_name, _cast_type, _flags, _struct, _field)
Specify a call_env_parser_t which writes out runtime results to the specified field.
#define FR_CALL_ENV_PARSE_ONLY_OFFSET(_name, _cast_type, _flags, _struct, _parse_field)
Specify a call_env_parser_t which writes out the result of the parsing phase to the field specified.
#define CONF_PARSER_TERMINATOR
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
#define FR_CONF_POINTER(_name, _type, _flags, _res_p)
conf_parser_t which parses a single CONF_PAIR producing a single global result
#define FR_CONF_OFFSET_SUBSECTION(_name, _flags, _struct, _field, _subcs)
conf_parser_t which populates a sub-struct using a CONF_SECTION
@ CONF_FLAG_SUBSECTION
Instead of putting the information into a configuration structure, the configuration file routines MA...
Defines a CONF_PAIR to C data type mapping.
Common header for all CONF_* types.
Configuration AVP similar to a fr_pair_t.
A section grouping multiple CONF_PAIR.
fr_token_t cf_pair_value_quote(CONF_PAIR const *pair)
Return the value (rhs) quoting of a pair.
CONF_PAIR * cf_item_to_pair(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_PAIR.
char const * cf_pair_value(CONF_PAIR const *pair)
Return the value of a CONF_PAIR.
#define cf_log_err(_cf, _fmt,...)
#define cf_log_info(_cf, _fmt,...)
#define cf_log_perr(_cf, _fmt,...)
#define cf_log_warn(_cf, _fmt,...)
static int fr_dcursor_append(fr_dcursor_t *cursor, void *v)
Insert a single item at the end of the list.
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
#define DICT_AUTOLOAD_TERMINATOR
fr_dict_enum_value_t const * fr_dict_enum_by_name(fr_dict_attr_t const *da, char const *name, ssize_t len)
Specifies an attribute which must be present for the module to function.
Specifies a dictionary which must be loaded/loadable for the module to function.
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
static xlat_action_t winbind_group_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in)
Check if the user is a member of a particular winbind group.
#define REXDENT()
Exdent (unindent) R* messages by one level.
#define RDEBUG_ENABLED3
True if request debug level 1-3 messages are enabled.
#define RWDEBUG2(fmt,...)
#define REDEBUG2(fmt,...)
#define RINDENT()
Indent R* messages by one level.
@ FR_TYPE_STRING
String of printable characters.
@ FR_TYPE_UINT32
32 Bit unsigned integer.
@ FR_TYPE_BOOL
A truth value.
int strcasecmp(char *s1, char *s2)
void * env_data
Per call environment data.
module_instance_t const * mi
Instance of the module being instantiated.
void * thread
Thread specific instance data.
fr_event_list_t * el
Event list to register any IO handlers and timers against.
void * thread
Thread instance data.
module_instance_t const * mi
Instance of the module being instantiated.
module_instance_t * mi
Instance of the module being instantiated.
Temporary structure to hold arguments for module calls.
Temporary structure to hold arguments for instantiation calls.
Temporary structure to hold arguments for thread_instantiation calls.
xlat_t * module_rlm_xlat_register(TALLOC_CTX *ctx, module_inst_ctx_t const *mctx, char const *name, xlat_func_t func, fr_type_t return_type)
bool module_rlm_section_type_set(request_t *request, fr_dict_attr_t const *type_da, fr_dict_enum_value_t const *enumv)
Set the next section type if it's not already set.
module_t common
Common fields presented by all modules.
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
static const conf_parser_t config[]
#define RETURN_UNLANG_INVALID
#define RETURN_UNLANG_REJECT
#define RETURN_UNLANG_NOOP
static int domain_call_env_parse(TALLOC_CTX *ctx, void *out, tmpl_rules_t const *t_rules, CONF_ITEM *ci, UNUSED call_env_ctx_t const *cec, UNUSED call_env_parser_t const *rule)
static const call_env_method_t winbind_autz_method_env
static xlat_arg_parser_t const winbind_group_xlat_arg[]
static int winbind_ctx_alloc(winbind_ctx_t *wbctx, UNUSED void *uctx)
fr_dict_attr_autoload_t rlm_winbind_dict_attr[]
static const call_env_method_t winbind_auth_method_env
static const conf_parser_t group_config[]
static fr_dict_t const * dict_freeradius
static fr_dict_attr_t const * attr_expr_bool_enum
static int mod_bootstrap(module_inst_ctx_t const *mctx)
Bootstrap this module.
static xlat_action_t winbind_ping_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in)
Ping a specific domain.
static fr_dict_attr_t const * attr_auth_type
static unlang_action_t mod_authorize(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Authorize for libwbclient/winbind authentication.
static conf_parser_t reuse_winbind_config[]
static int _mod_ctx_free(winbind_ctx_t *wbctx)
static const call_env_method_t winbind_group_xlat_call_env
static int mod_thread_instantiate(module_thread_inst_ctx_t const *mctx)
static unlang_action_t mod_authenticate(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Authenticate the user via libwbclient and winbind.
static bool winbind_check_group(rlm_winbind_t const *inst, request_t *request, char const *name, winbind_group_xlat_call_env_t *env, rlm_winbind_thread_t *t)
Group comparison for Winbind-Group.
static const conf_parser_t module_config[]
fr_dict_autoload_t rlm_winbind_dict[]
static xlat_arg_parser_t const winbind_ping_xlat_arg[]
static int mod_thread_detach(module_thread_inst_ctx_t const *mctx)
static int mod_instantiate(module_inst_ctx_t const *mctx)
Instantiate this module.
rlm_winbind_t const * inst
Instance of rlm_winbind.
winbind_slab_list_t * slab
Slab list for winbind handles.
#define FR_SBUFF_IN(_start, _len_or_end)
#define FR_SBUFF_IN_STR(_start)
#define SECTION_NAME(_name1, _name2)
Define a section name consisting of a verb and a noun.
char const * name
Instance name e.g. user_database.
CONF_SECTION * conf
Module's instance configuration.
size_t inst_size
Size of the module's instance data.
void * data
Module's instance data.
void * boot
Data allocated during the boostrap phase.
#define MODULE_BINDING_TERMINATOR
Terminate a module binding list.
Named methods exported by a module.
ssize_t tmpl_afrom_substr(TALLOC_CTX *ctx, tmpl_t **out, fr_sbuff_t *in, fr_token_t quote, fr_sbuff_parse_rules_t const *p_rules, tmpl_rules_t const *t_rules))
Convert an arbitrary string into a tmpl_t.
static fr_dict_attr_t const * tmpl_attr_tail_da(tmpl_t const *vpt)
Return the last attribute reference da.
Optional arguments passed to vp_tmpl functions.
#define fr_skip_whitespace(_p)
Skip whitespace ('\t', '\n', '\v', '\f', '\r', ' ')
#define FR_SLAB_CONFIG_CONF_PARSER
conf_parser_t entries to populate user configurable slab values
eap_aka_sim_process_conf_t * inst
#define fr_time()
Allow us to arbitrarily manipulate time.
Stores an attribute, a value and various bits of other data.
char * talloc_typed_asprintf(TALLOC_CTX *ctx, char const *fmt,...)
Call talloc vasprintf, setting the type on the new chunk correctly.
#define talloc_get_type_abort_const
static size_t talloc_strlen(char const *s)
Returns the length of a talloc array containing a string.
#define fr_time_sub(_a, _b)
Subtract one time from another.
unsigned int required
Argument must be present, and non-empty.
#define XLAT_ARG_PARSER_TERMINATOR
@ XLAT_ACTION_FAIL
An xlat function failed.
@ XLAT_ACTION_DONE
We're done evaluating this level of nesting.
Definition for a single argument consumend by an xlat function.
#define fr_strerror_printf(_fmt,...)
Log to thread local error buffer.
int fr_value_box_strdup(TALLOC_CTX *ctx, fr_value_box_t *dst, fr_dict_attr_t const *enumv, char const *src, bool tainted)
Copy a nul terminated string to a fr_value_box_t.
#define fr_value_box_alloc(_ctx, _type, _enumv)
Allocate a value box of a specific type.
#define fr_box_time_delta_msec(_val)
static size_t char ** out
void * env_data
Expanded call env data.
module_ctx_t const * mctx
Synthesised module calling ctx.
int xlat_func_args_set(xlat_t *x, xlat_arg_parser_t const args[])
Register the arguments of an xlat.
void xlat_func_call_env_set(xlat_t *x, call_env_method_t const *env_method)
Register call environment of an xlat.
1.9.8