summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2006-01-10 09:15:57 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:50:00 -0500
commit1d95bcf3f884072e3d719aa719d46a8ad688d34c (patch)
tree9ac77d5af47db8f78cc1d83afbdbbc7569271c37
parent7d6c9bf2b2c9eae5e04ab469324f26eb9c67d397 (diff)
downloadsamba-1d95bcf3f884072e3d719aa719d46a8ad688d34c.tar.gz
samba-1d95bcf3f884072e3d719aa719d46a8ad688d34c.tar.bz2
samba-1d95bcf3f884072e3d719aa719d46a8ad688d34c.zip
r12816: Ugly hacks to the auth_unix code to make a SYSTEM token for root. If
we are going to try and have a 'real' NT token for these users, it is going to get messy fast. I want to go down the idmap road, but we don't have the infrustucure for that yet. Andrew Bartlett (This used to be commit c90d5e82ff4836765f328b2acf20fd09ec91189b)
-rw-r--r--source4/auth/auth_unix.c150
-rw-r--r--source4/auth/auth_util.c2
2 files changed, 90 insertions, 62 deletions
diff --git a/source4/auth/auth_unix.c b/source4/auth/auth_unix.c
index 26f2ed464f..f673beb43d 100644
--- a/source4/auth/auth_unix.c
+++ b/source4/auth/auth_unix.c
@@ -23,37 +23,53 @@
#include "includes.h"
#include "auth/auth.h"
#include "system/passwd.h" /* needed by some systems for struct passwd */
+#include "lib/socket/socket.h"
/* TODO: look at how to best fill in parms retrieveing a struct passwd info
* except in case USER_INFO_DONT_CHECK_UNIX_ACCOUNT is set
*/
static NTSTATUS authunix_make_server_info(TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
+ struct passwd *pwd,
struct auth_serversupplied_info **_server_info)
{
struct auth_serversupplied_info *server_info;
+ NTSTATUS status;
- server_info = talloc(mem_ctx, struct auth_serversupplied_info);
- NT_STATUS_HAVE_NO_MEMORY(server_info);
-
- server_info->authenticated = True;
-
- server_info->account_name = talloc_strdup(server_info, talloc_strdup(mem_ctx, user_info->mapped.account_name));
- NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
-
- server_info->domain_name = talloc_strdup(server_info, talloc_strdup(mem_ctx, "unix"));
- NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
-
+ /* This is a real, real hack */
+ if (pwd->pw_uid == 0) {
+ status = auth_system_server_info(mem_ctx, &server_info);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
- /* is this correct? */
- server_info->account_sid = NULL;
- server_info->primary_group_sid = NULL;
- server_info->n_domain_groups = 0;
- server_info->domain_groups = NULL;
+ server_info->account_name = talloc_steal(server_info, pwd->pw_name);
+ NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
+
+ server_info->domain_name = talloc_strdup(server_info, "unix");
+ NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
+ } else {
+ server_info = talloc(mem_ctx, struct auth_serversupplied_info);
+ NT_STATUS_HAVE_NO_MEMORY(server_info);
+
+ server_info->authenticated = True;
+
+ server_info->account_name = talloc_steal(server_info, pwd->pw_name);
+ NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
+
+ server_info->domain_name = talloc_strdup(server_info, "unix");
+ NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
+
+ /* This isn't in any way correct.. */
+ server_info->account_sid = NULL;
+ server_info->primary_group_sid = NULL;
+ server_info->n_domain_groups = 0;
+ server_info->domain_groups = NULL;
+ }
server_info->user_session_key = data_blob(NULL,0);
server_info->lm_session_key = data_blob(NULL,0);
- server_info->full_name = talloc_strdup(server_info, "");
+ server_info->full_name = talloc_steal(server_info, pwd->pw_gecos);
NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
server_info->logon_script = talloc_strdup(server_info, "");
NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
@@ -79,6 +95,44 @@ static NTSTATUS authunix_make_server_info(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
+static NTSTATUS talloc_getpwnam(TALLOC_CTX *ctx, const char *username, struct passwd **pws)
+{
+ struct passwd *ret;
+ struct passwd *from;
+
+ *pws = NULL;
+
+ ret = talloc(ctx, struct passwd);
+ NT_STATUS_HAVE_NO_MEMORY(ret);
+
+ from = getpwnam(username);
+ if (!from) {
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ ret->pw_name = talloc_strdup(ctx, from->pw_name);
+ NT_STATUS_HAVE_NO_MEMORY(ret->pw_name);
+
+ ret->pw_passwd = talloc_strdup(ctx, from->pw_passwd);
+ NT_STATUS_HAVE_NO_MEMORY(ret->pw_passwd);
+
+ ret->pw_uid = from->pw_uid;
+ ret->pw_gid = from->pw_gid;
+ ret->pw_gecos = talloc_strdup(ctx, from->pw_gecos);
+ NT_STATUS_HAVE_NO_MEMORY(ret->pw_gecos);
+
+ ret->pw_dir = talloc_strdup(ctx, from->pw_dir);
+ NT_STATUS_HAVE_NO_MEMORY(ret->pw_dir);
+
+ ret->pw_shell = talloc_strdup(ctx, from->pw_shell);
+ NT_STATUS_HAVE_NO_MEMORY(ret->pw_shell);
+
+ *pws = ret;
+
+ return NT_STATUS_OK;
+}
+
+
#ifdef HAVE_SECURITY_PAM_APPL_H
#include <security/pam_appl.h>
@@ -367,7 +421,7 @@ static NTSTATUS smb_pam_setcred(pam_handle_t *pamh, const char * user)
return pam_to_nt_status(pam_error);
}
-static NTSTATUS check_unix_password(TALLOC_CTX *ctx, const struct auth_usersupplied_info *user_info)
+static NTSTATUS check_unix_password(TALLOC_CTX *ctx, const struct auth_usersupplied_info *user_info, struct passwd **pws)
{
struct smb_pam_user_info *info;
struct pam_conv *pamconv;
@@ -395,9 +449,8 @@ static NTSTATUS check_unix_password(TALLOC_CTX *ctx, const struct auth_usersuppl
* if true set up a crack name routine.
*/
- nt_status = smb_pam_start(&pamh, user_info->mapped.account_name, user_info->remote_host, pamconv);
+ nt_status = smb_pam_start(&pamh, user_info->mapped.account_name, user_info->remote_host ? user_info->remote_host->addr : NULL, pamconv);
if (!NT_STATUS_IS_OK(nt_status)) {
- smb_pam_end(pamh);
return nt_status;
}
@@ -423,48 +476,16 @@ static NTSTATUS check_unix_password(TALLOC_CTX *ctx, const struct auth_usersuppl
}
smb_pam_end(pamh);
- return NT_STATUS_OK;
-}
-
-#else
-
-static NTSTATUS talloc_getpwnam(TALLOC_CTX *ctx, char *username, struct passwd **pws)
-{
- struct passwd *ret;
- struct passwd *from;
-
- *pws = NULL;
-
- ret = talloc(ctx, struct passwd);
- NT_STATUS_HAVE_NO_MEMORY(ret);
- from = getpwnam(username);
- if (!from) {
- return NT_STATUS_NO_SUCH_USER;
+ nt_status = talloc_getpwnam(ctx, user_info->mapped.account_name, pws);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
}
- ret->pw_name = talloc_strdup(ctx, from->pw_name);
- NT_STATUS_HAVE_NO_MEMORY(ret->pw_name);
-
- ret->pw_passwd = talloc_strdup(ctx, from->pw_passwd);
- NT_STATUS_HAVE_NO_MEMORY(ret->pw_passwd);
-
- ret->pw_uid = from->pw_uid;
- ret->pw_gid = from->pw_gid;
- ret->pw_gecos = talloc_strdup(ctx, from->pw_gecos);
- NT_STATUS_HAVE_NO_MEMORY(ret->pw_gecos);
-
- ret->pw_dir = talloc_strdup(ctx, from->pw_dir);
- NT_STATUS_HAVE_NO_MEMORY(ret->pw_dir);
-
- ret->pw_shell = talloc_strdup(ctx, from->pw_shell);
- NT_STATUS_HAVE_NO_MEMORY(ret->pw_shell);
-
- *pws = ret;
-
- return NT_STATUS_OK;
+ return NT_STATUS_OK;
}
+#else
/****************************************************************************
core of password checking routine
@@ -563,7 +584,7 @@ static NTSTATUS password_check(const char *username, const char *password,
#endif /* HAVE_BIGCRYPT && HAVE_CRYPT && USE_BOTH_CRYPT_CALLS */
}
-static NTSTATUS check_unix_password(TALLOC_CTX *ctx, const struct auth_usersupplied_info *user_info)
+static NTSTATUS check_unix_password(TALLOC_CTX *ctx, const struct auth_usersupplied_info *user_info, struct passwd **ret_passwd)
{
char *username;
char *password;
@@ -574,6 +595,8 @@ static NTSTATUS check_unix_password(TALLOC_CTX *ctx, const struct auth_usersuppl
NTSTATUS nt_status;
int level = lp_passwordlevel();
+ *ret_passwd = NULL;
+
username = talloc_strdup(ctx, user_info->mapped.account_name);
password = talloc_strdup(ctx, user_info->password.plaintext);
@@ -679,13 +702,15 @@ static NTSTATUS check_unix_password(TALLOC_CTX *ctx, const struct auth_usersuppl
}
if (password == NULL) {
DEBUG(3, ("Allowing access to %s with null password\n", username));
+ *ret_passwd = pwd;
return NT_STATUS_OK;
}
}
/* try it as it came to us */
nt_status = password_check(username, password, crypted, salt);
- if NT_STATUS_IS_OK(nt_status) {
+ if (NT_STATUS_IS_OK(nt_status)) {
+ *ret_passwd = pwd;
return nt_status;
}
else if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) {
@@ -714,6 +739,7 @@ static NTSTATUS check_unix_password(TALLOC_CTX *ctx, const struct auth_usersuppl
strlower(pwcopy);
nt_status = password_check(username, pwcopy, crypted, salt);
if NT_STATUS_IS_OK(nt_status) {
+ *ret_passwd = pwd;
return nt_status;
}
}
@@ -728,6 +754,7 @@ static NTSTATUS check_unix_password(TALLOC_CTX *ctx, const struct auth_usersuppl
#if 0
if (NT_STATUS_IS_OK(nt_status = string_combinations(pwcopy, password_check, level))) {
+ *ret_passwd = pwd;
return nt_status;
}
#endif
@@ -747,6 +774,7 @@ static NTSTATUS authunix_check_password(struct auth_method_context *ctx,
{
TALLOC_CTX *check_ctx;
NTSTATUS nt_status;
+ struct passwd *pwd;
if (! user_info->mapped.account_name || ! *user_info->mapped.account_name) {
/* 'not for me' */
@@ -762,13 +790,13 @@ static NTSTATUS authunix_check_password(struct auth_method_context *ctx,
return NT_STATUS_NO_MEMORY;
}
- nt_status = check_unix_password(check_ctx, user_info);
+ nt_status = check_unix_password(check_ctx, user_info, &pwd);
if ( ! NT_STATUS_IS_OK(nt_status)) {
talloc_free(check_ctx);
return nt_status;
}
- nt_status = authunix_make_server_info(mem_ctx, user_info, server_info);
+ nt_status = authunix_make_server_info(mem_ctx, user_info, pwd, server_info);
if ( ! NT_STATUS_IS_OK(nt_status)) {
talloc_free(check_ctx);
return nt_status;
diff --git a/source4/auth/auth_util.c b/source4/auth/auth_util.c
index 5660787ee8..d068f56775 100644
--- a/source4/auth/auth_util.c
+++ b/source4/auth/auth_util.c
@@ -491,7 +491,7 @@ NTSTATUS auth_system_server_info(TALLOC_CTX *mem_ctx, struct auth_serversupplied
server_info->acct_flags = ACB_NORMAL;
- server_info->authenticated = False;
+ server_info->authenticated = True;
*_server_info = server_info;