dovecot: Added support for Samba's ntlm_auth helper. It's used f...
dovecot at dovecot.org
dovecot at dovecot.org
Mon Aug 6 21:12:55 EEST 2007
details: http://hg.dovecot.org/dovecot/rev/18f663e23c28
changeset: 6181:18f663e23c28
user: Timo Sirainen <tss at iki.fi>
date: Mon Aug 06 21:12:51 2007 +0300
description:
Added support for Samba's ntlm_auth helper. It's used for GSS-SPNEGO
mechanism. If auth_ntlm_use_winbind=yes it's also used for NTLM mechanism.
Patch by Dmitry Butskoy.
diffstat:
7 files changed, 334 insertions(+), 2 deletions(-)
dovecot-example.conf | 8 +
src/auth/Makefile.am | 1
src/auth/mech-winbind.c | 304 ++++++++++++++++++++++++++++++++++++++++++
src/auth/mech.c | 14 +
src/master/auth-process.c | 3
src/master/master-settings.c | 4
src/master/master-settings.h | 2
diffs (truncated from 447 to 300 lines):
diff -r 6b0fe0f93896 -r 18f663e23c28 dovecot-example.conf
--- a/dovecot-example.conf Mon Aug 06 20:49:06 2007 +0300
+++ b/dovecot-example.conf Mon Aug 06 21:12:51 2007 +0300
@@ -788,9 +788,17 @@ protocol lda {
# default (usually /etc/krb5.keytab) if not specified.
#auth_krb5_keytab =
+# Do NTLM authentication using Samba's winbind daemon and ntlm_auth helper.
+# <doc/wiki/Authentication/Mechanisms/Winbind.txt>
+#auth_ntlm_use_winbind = no
+
+# Path for Samba's ntlm_auth helper binary.
+#auth_winbind_helper = /usr/bin/ntlm_auth
+
auth default {
# Space separated list of wanted authentication mechanisms:
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
+ # gss-spnego
# NOTE: See also disable_plaintext_auth setting.
mechanisms = plain
diff -r 6b0fe0f93896 -r 18f663e23c28 src/auth/Makefile.am
--- a/src/auth/Makefile.am Mon Aug 06 20:49:06 2007 +0300
+++ b/src/auth/Makefile.am Mon Aug 06 21:12:51 2007 +0300
@@ -62,6 +62,7 @@ dovecot_auth_SOURCES = \
mech-gssapi.c \
mech-rpa.c \
mech-apop.c \
+ mech-winbind.c \
otp-skey-common.c \
plain-common.c \
passdb.c \
diff -r 6b0fe0f93896 -r 18f663e23c28 src/auth/mech-winbind.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/auth/mech-winbind.c Mon Aug 06 21:12:51 2007 +0300
@@ -0,0 +1,304 @@
+/*
+ * NTLM and Negotiate authentication mechanisms,
+ * using Samba winbind daemon
+ *
+ * Copyright (c) 2007 Dmitry Butskoy <dmitry at butskoy.name>
+ *
+ * This software is released under the MIT license.
+ */
+
+#include "common.h"
+#include "mech.h"
+#include "str.h"
+#include "buffer.h"
+#include "safe-memset.h"
+#include "base64.h"
+#include "istream.h"
+#include "ostream.h"
+
+#include <stdlib.h>
+#include <unistd.h>
+
+#define DEFAULT_WINBIND_HELPER "/usr/bin/ntlm_auth"
+
+enum helper_result {
+ HR_OK = 0, /* OK or continue */
+ HR_FAIL = -1, /* authentication failed */
+ HR_RESTART = -2 /* FAIL + try to restart helper */
+};
+
+struct winbind_helper {
+ const char *param;
+ struct istream *in_pipe;
+ struct ostream *out_pipe;
+};
+
+struct winbind_auth_request {
+ struct auth_request auth_request;
+
+ struct winbind_helper *winbind;
+ bool continued;
+};
+
+static struct winbind_helper winbind_ntlm_context = {
+ "--helper-protocol=squid-2.5-ntlmssp", NULL, NULL
+};
+static struct winbind_helper winbind_spnego_context = {
+ "--helper-protocol=gss-spnego", NULL, NULL
+};
+
+static void winbind_helper_disconnect(struct winbind_helper *winbind)
+{
+ if (winbind->in_pipe != NULL)
+ i_stream_destroy(&winbind->in_pipe);
+ if (winbind->out_pipe != NULL)
+ o_stream_destroy(&winbind->out_pipe);
+}
+
+static void winbind_helper_connect(struct winbind_helper *winbind)
+{
+ int infd[2], outfd[2];
+ pid_t pid;
+
+ i_assert(winbind->in_pipe == NULL);
+
+ if (pipe(infd) < 0) {
+ i_error("pipe() failed: %m");
+ return;
+ }
+ if (pipe(outfd) < 0) {
+ (void)close(infd[0]); (void)close(infd[1]);
+ return;
+ }
+
+ pid = fork();
+ if (pid < 0) {
+ i_error("fork() failed: %m");
+ (void)close(infd[0]); (void)close(infd[1]);
+ (void)close(outfd[0]); (void)close(outfd[1]);
+ return;
+ }
+
+ if (pid == 0) {
+ /* child */
+ const char *helper_path, *args[3];
+
+ (void)close(infd[0]);
+ (void)close(outfd[1]);
+
+ if (dup2(outfd[0], STDIN_FILENO) < 0 ||
+ dup2(infd[1], STDOUT_FILENO) < 0)
+ i_fatal("dup2() failed: %m");
+
+ helper_path = getenv("WINBIND_HELPER");
+ if (helper_path == NULL)
+ helper_path = DEFAULT_WINBIND_HELPER;
+
+ args[0] = helper_path;
+ args[1] = winbind->param;
+ args[2] = NULL;
+ execv(args[0], (void *)args);
+ i_fatal("execv(%s) failed: %m", args[0]);
+ }
+
+ /* parent */
+ (void)close(infd[1]);
+ (void)close(outfd[0]);
+
+ winbind->in_pipe =
+ i_stream_create_fd(infd[0], AUTH_CLIENT_MAX_LINE_LENGTH, TRUE);
+ winbind->out_pipe =
+ o_stream_create_fd(outfd[1], (size_t)-1, TRUE);
+}
+
+static enum helper_result
+do_auth_continue(struct auth_request *auth_request,
+ const unsigned char *data, size_t data_size)
+{
+ struct winbind_auth_request *request =
+ (struct winbind_auth_request *)auth_request;
+ struct istream *in_pipe = request->winbind->in_pipe;
+ string_t *str;
+ char *answer;
+ const char **token;
+ bool gss_spnego = request->winbind == &winbind_spnego_context;
+
+ if (request->winbind->in_pipe == NULL)
+ return HR_RESTART;
+
+ str = t_str_new(MAX_BASE64_ENCODED_SIZE(data_size + 1) + 4);
+ str_printfa(str, "%s ", request->continued ? "KK" : "YR");
+ base64_encode(data, data_size, str);
+ str_append_c(str, '\n');
+
+ if (o_stream_send_str(request->winbind->out_pipe, str_c(str)) < 0 ||
+ o_stream_flush(request->winbind->out_pipe) < 0) {
+ auth_request_log_error(auth_request, "winbind",
+ "write(out_pipe) failed: %m");
+ return HR_RESTART;
+ }
+ request->continued = FALSE;
+
+ while ((answer = i_stream_read_next_line(in_pipe)) == NULL) {
+ if (in_pipe->stream_errno != 0)
+ break;
+ }
+ if (answer == NULL) {
+ auth_request_log_error(auth_request, "winbind",
+ "read(in_pipe) failed: %m");
+ return HR_RESTART;
+ }
+
+ token = t_strsplit_spaces(answer, " ");
+ if (token[0] == NULL ||
+ (token[1] == NULL && strcmp(token[0], "BH") != 0) ||
+ (token[2] == NULL && gss_spnego)) {
+ auth_request_log_error(auth_request, "winbind",
+ "Invalid input from helper: %s", answer);
+ return HR_RESTART;
+ }
+
+ /*
+ * NTLM:
+ * The child's reply contains 2 parts:
+ * - The code: TT, AF or NA
+ * - The argument:
+ * For TT it's the blob to send to the client, coded in base64
+ * For AF it's user or DOMAIN\user
+ * For NA it's the NT error code
+ *
+ * GSS-SPNEGO:
+ * The child's reply contains 3 parts:
+ * - The code: TT, AF or NA
+ * - The blob to send to the client, coded in base64
+ * - The argument:
+ * For TT it's a dummy '*'
+ * For AF it's DOMAIN\user
+ * For NA it's the NT error code
+ */
+
+ if (strcmp(token[0], "TT") == 0) {
+ buffer_t *buf;
+
+ buf = t_base64_decode_str(token[1]);
+ auth_request->callback(auth_request,
+ AUTH_CLIENT_RESULT_CONTINUE,
+ buf->data, buf->used);
+ request->continued = TRUE;
+ return HR_OK;
+ } else if (strcmp(token[0], "NA") == 0) {
+ const char *error = gss_spnego ? token[2] : token[1];
+
+ auth_request_log_info(auth_request, "winbind",
+ "user not authenticated: %s", error);
+ return HR_FAIL;
+ } else if (strcmp(token[0], "AF") == 0) {
+ const char *user, *p, *error;
+
+ user = gss_spnego ? token[2] : token[1];
+
+ p = strchr(user, '\\');
+ if (p != NULL) {
+ /* change "DOMAIN\user" to uniform style
+ "user at DOMAIN" */
+ user = t_strconcat(p+1, "@",
+ t_strdup_until(user, p), NULL);
+ }
+
+ if (!auth_request_set_username(auth_request, user, &error)) {
+ auth_request_log_info(auth_request, "winbind",
+ "%s", error);
+ return HR_FAIL;
+ }
+
+ if (gss_spnego && strcmp(token[1], "*") != 0) {
+ buffer_t *buf;
+
+ buf = t_base64_decode_str(token[1]);
+ auth_request_success(&request->auth_request,
+ buf->data, buf->used);
+ } else {
+ auth_request_success(&request->auth_request, NULL, 0);
+ }
+ return HR_OK;
+ } else if (strcmp(token[0], "BH") == 0) {
+ auth_request_log_info(auth_request, "winbind",
+ "ntlm_auth reports broken helper: %s",
+ token[1] != NULL ? token[1] : "");
+ return HR_RESTART;
+ } else {
+ auth_request_log_error(auth_request, "winbind",
+ "Invalid input from helper: %s", answer);
+ return HR_RESTART;
+ }
+}
+
+static void
+mech_winbind_auth_continue(struct auth_request *auth_request,
+ const unsigned char *data, size_t data_size)
+{
+ struct winbind_auth_request *request =
+ (struct winbind_auth_request *)auth_request;
+ enum helper_result res;
+
+ res = do_auth_continue(auth_request, data, data_size);
+ if (res != HR_OK) {
+ if (res == HR_RESTART)
+ winbind_helper_disconnect(request->winbind);
+ auth_request_fail(auth_request);
+ }
+}
+
+static struct auth_request *do_auth_new(struct winbind_helper *winbind)
+{
+ struct winbind_auth_request *request;
+ pool_t pool;
+
+ pool = pool_alloconly_create("winbind_auth_request", 1024);
+ request = p_new(pool, struct winbind_auth_request, 1);
+ request->auth_request.pool = pool;
+
+ request->winbind = winbind;
+ winbind_helper_connect(request->winbind);
+ return &request->auth_request;
+}
More information about the dovecot-cvs
mailing list