diff options
author | Andrew Bartlett <abartlet@samba.org> | 2006-01-10 09:15:57 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:50:00 -0500 |
commit | 1d95bcf3f884072e3d719aa719d46a8ad688d34c (patch) | |
tree | 9ac77d5af47db8f78cc1d83afbdbbc7569271c37 | |
parent | 7d6c9bf2b2c9eae5e04ab469324f26eb9c67d397 (diff) | |
download | samba-1d95bcf3f884072e3d719aa719d46a8ad688d34c.tar.gz samba-1d95bcf3f884072e3d719aa719d46a8ad688d34c.tar.bz2 samba-1d95bcf3f884072e3d719aa719d46a8ad688d34c.zip |
r12816: Ugly hacks to the auth_unix code to make a SYSTEM token for root. If
we are going to try and have a 'real' NT token for these users, it is
going to get messy fast. I want to go down the idmap road, but we
don't have the infrustucure for that yet.
Andrew Bartlett
(This used to be commit c90d5e82ff4836765f328b2acf20fd09ec91189b)
-rw-r--r-- | source4/auth/auth_unix.c | 150 | ||||
-rw-r--r-- | source4/auth/auth_util.c | 2 |
2 files changed, 90 insertions, 62 deletions
diff --git a/source4/auth/auth_unix.c b/source4/auth/auth_unix.c index 26f2ed464f..f673beb43d 100644 --- a/source4/auth/auth_unix.c +++ b/source4/auth/auth_unix.c @@ -23,37 +23,53 @@ #include "includes.h" #include "auth/auth.h" #include "system/passwd.h" /* needed by some systems for struct passwd */ +#include "lib/socket/socket.h" /* TODO: look at how to best fill in parms retrieveing a struct passwd info * except in case USER_INFO_DONT_CHECK_UNIX_ACCOUNT is set */ static NTSTATUS authunix_make_server_info(TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, + struct passwd *pwd, struct auth_serversupplied_info **_server_info) { struct auth_serversupplied_info *server_info; + NTSTATUS status; - server_info = talloc(mem_ctx, struct auth_serversupplied_info); - NT_STATUS_HAVE_NO_MEMORY(server_info); - - server_info->authenticated = True; - - server_info->account_name = talloc_strdup(server_info, talloc_strdup(mem_ctx, user_info->mapped.account_name)); - NT_STATUS_HAVE_NO_MEMORY(server_info->account_name); - - server_info->domain_name = talloc_strdup(server_info, talloc_strdup(mem_ctx, "unix")); - NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name); - + /* This is a real, real hack */ + if (pwd->pw_uid == 0) { + status = auth_system_server_info(mem_ctx, &server_info); + if (!NT_STATUS_IS_OK(status)) { + return status; + } - /* is this correct? */ - server_info->account_sid = NULL; - server_info->primary_group_sid = NULL; - server_info->n_domain_groups = 0; - server_info->domain_groups = NULL; + server_info->account_name = talloc_steal(server_info, pwd->pw_name); + NT_STATUS_HAVE_NO_MEMORY(server_info->account_name); + + server_info->domain_name = talloc_strdup(server_info, "unix"); + NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name); + } else { + server_info = talloc(mem_ctx, struct auth_serversupplied_info); + NT_STATUS_HAVE_NO_MEMORY(server_info); + + server_info->authenticated = True; + + server_info->account_name = talloc_steal(server_info, pwd->pw_name); + NT_STATUS_HAVE_NO_MEMORY(server_info->account_name); + + server_info->domain_name = talloc_strdup(server_info, "unix"); + NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name); + + /* This isn't in any way correct.. */ + server_info->account_sid = NULL; + server_info->primary_group_sid = NULL; + server_info->n_domain_groups = 0; + server_info->domain_groups = NULL; + } server_info->user_session_key = data_blob(NULL,0); server_info->lm_session_key = data_blob(NULL,0); - server_info->full_name = talloc_strdup(server_info, ""); + server_info->full_name = talloc_steal(server_info, pwd->pw_gecos); NT_STATUS_HAVE_NO_MEMORY(server_info->full_name); server_info->logon_script = talloc_strdup(server_info, ""); NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script); @@ -79,6 +95,44 @@ static NTSTATUS authunix_make_server_info(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } +static NTSTATUS talloc_getpwnam(TALLOC_CTX *ctx, const char *username, struct passwd **pws) +{ + struct passwd *ret; + struct passwd *from; + + *pws = NULL; + + ret = talloc(ctx, struct passwd); + NT_STATUS_HAVE_NO_MEMORY(ret); + + from = getpwnam(username); + if (!from) { + return NT_STATUS_NO_SUCH_USER; + } + + ret->pw_name = talloc_strdup(ctx, from->pw_name); + NT_STATUS_HAVE_NO_MEMORY(ret->pw_name); + + ret->pw_passwd = talloc_strdup(ctx, from->pw_passwd); + NT_STATUS_HAVE_NO_MEMORY(ret->pw_passwd); + + ret->pw_uid = from->pw_uid; + ret->pw_gid = from->pw_gid; + ret->pw_gecos = talloc_strdup(ctx, from->pw_gecos); + NT_STATUS_HAVE_NO_MEMORY(ret->pw_gecos); + + ret->pw_dir = talloc_strdup(ctx, from->pw_dir); + NT_STATUS_HAVE_NO_MEMORY(ret->pw_dir); + + ret->pw_shell = talloc_strdup(ctx, from->pw_shell); + NT_STATUS_HAVE_NO_MEMORY(ret->pw_shell); + + *pws = ret; + + return NT_STATUS_OK; +} + + #ifdef HAVE_SECURITY_PAM_APPL_H #include <security/pam_appl.h> @@ -367,7 +421,7 @@ static NTSTATUS smb_pam_setcred(pam_handle_t *pamh, const char * user) return pam_to_nt_status(pam_error); } -static NTSTATUS check_unix_password(TALLOC_CTX *ctx, const struct auth_usersupplied_info *user_info) +static NTSTATUS check_unix_password(TALLOC_CTX *ctx, const struct auth_usersupplied_info *user_info, struct passwd **pws) { struct smb_pam_user_info *info; struct pam_conv *pamconv; @@ -395,9 +449,8 @@ static NTSTATUS check_unix_password(TALLOC_CTX *ctx, const struct auth_usersuppl * if true set up a crack name routine. */ - nt_status = smb_pam_start(&pamh, user_info->mapped.account_name, user_info->remote_host, pamconv); + nt_status = smb_pam_start(&pamh, user_info->mapped.account_name, user_info->remote_host ? user_info->remote_host->addr : NULL, pamconv); if (!NT_STATUS_IS_OK(nt_status)) { - smb_pam_end(pamh); return nt_status; } @@ -423,48 +476,16 @@ static NTSTATUS check_unix_password(TALLOC_CTX *ctx, const struct auth_usersuppl } smb_pam_end(pamh); - return NT_STATUS_OK; -} - -#else - -static NTSTATUS talloc_getpwnam(TALLOC_CTX *ctx, char *username, struct passwd **pws) -{ - struct passwd *ret; - struct passwd *from; - - *pws = NULL; - - ret = talloc(ctx, struct passwd); - NT_STATUS_HAVE_NO_MEMORY(ret); - from = getpwnam(username); - if (!from) { - return NT_STATUS_NO_SUCH_USER; + nt_status = talloc_getpwnam(ctx, user_info->mapped.account_name, pws); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; } - ret->pw_name = talloc_strdup(ctx, from->pw_name); - NT_STATUS_HAVE_NO_MEMORY(ret->pw_name); - - ret->pw_passwd = talloc_strdup(ctx, from->pw_passwd); - NT_STATUS_HAVE_NO_MEMORY(ret->pw_passwd); - - ret->pw_uid = from->pw_uid; - ret->pw_gid = from->pw_gid; - ret->pw_gecos = talloc_strdup(ctx, from->pw_gecos); - NT_STATUS_HAVE_NO_MEMORY(ret->pw_gecos); - - ret->pw_dir = talloc_strdup(ctx, from->pw_dir); - NT_STATUS_HAVE_NO_MEMORY(ret->pw_dir); - - ret->pw_shell = talloc_strdup(ctx, from->pw_shell); - NT_STATUS_HAVE_NO_MEMORY(ret->pw_shell); - - *pws = ret; - - return NT_STATUS_OK; + return NT_STATUS_OK; } +#else /**************************************************************************** core of password checking routine @@ -563,7 +584,7 @@ static NTSTATUS password_check(const char *username, const char *password, #endif /* HAVE_BIGCRYPT && HAVE_CRYPT && USE_BOTH_CRYPT_CALLS */ } -static NTSTATUS check_unix_password(TALLOC_CTX *ctx, const struct auth_usersupplied_info *user_info) +static NTSTATUS check_unix_password(TALLOC_CTX *ctx, const struct auth_usersupplied_info *user_info, struct passwd **ret_passwd) { char *username; char *password; @@ -574,6 +595,8 @@ static NTSTATUS check_unix_password(TALLOC_CTX *ctx, const struct auth_usersuppl NTSTATUS nt_status; int level = lp_passwordlevel(); + *ret_passwd = NULL; + username = talloc_strdup(ctx, user_info->mapped.account_name); password = talloc_strdup(ctx, user_info->password.plaintext); @@ -679,13 +702,15 @@ static NTSTATUS check_unix_password(TALLOC_CTX *ctx, const struct auth_usersuppl } if (password == NULL) { DEBUG(3, ("Allowing access to %s with null password\n", username)); + *ret_passwd = pwd; return NT_STATUS_OK; } } /* try it as it came to us */ nt_status = password_check(username, password, crypted, salt); - if NT_STATUS_IS_OK(nt_status) { + if (NT_STATUS_IS_OK(nt_status)) { + *ret_passwd = pwd; return nt_status; } else if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) { @@ -714,6 +739,7 @@ static NTSTATUS check_unix_password(TALLOC_CTX *ctx, const struct auth_usersuppl strlower(pwcopy); nt_status = password_check(username, pwcopy, crypted, salt); if NT_STATUS_IS_OK(nt_status) { + *ret_passwd = pwd; return nt_status; } } @@ -728,6 +754,7 @@ static NTSTATUS check_unix_password(TALLOC_CTX *ctx, const struct auth_usersuppl #if 0 if (NT_STATUS_IS_OK(nt_status = string_combinations(pwcopy, password_check, level))) { + *ret_passwd = pwd; return nt_status; } #endif @@ -747,6 +774,7 @@ static NTSTATUS authunix_check_password(struct auth_method_context *ctx, { TALLOC_CTX *check_ctx; NTSTATUS nt_status; + struct passwd *pwd; if (! user_info->mapped.account_name || ! *user_info->mapped.account_name) { /* 'not for me' */ @@ -762,13 +790,13 @@ static NTSTATUS authunix_check_password(struct auth_method_context *ctx, return NT_STATUS_NO_MEMORY; } - nt_status = check_unix_password(check_ctx, user_info); + nt_status = check_unix_password(check_ctx, user_info, &pwd); if ( ! NT_STATUS_IS_OK(nt_status)) { talloc_free(check_ctx); return nt_status; } - nt_status = authunix_make_server_info(mem_ctx, user_info, server_info); + nt_status = authunix_make_server_info(mem_ctx, user_info, pwd, server_info); if ( ! NT_STATUS_IS_OK(nt_status)) { talloc_free(check_ctx); return nt_status; diff --git a/source4/auth/auth_util.c b/source4/auth/auth_util.c index 5660787ee8..d068f56775 100644 --- a/source4/auth/auth_util.c +++ b/source4/auth/auth_util.c @@ -491,7 +491,7 @@ NTSTATUS auth_system_server_info(TALLOC_CTX *mem_ctx, struct auth_serversupplied server_info->acct_flags = ACB_NORMAL; - server_info->authenticated = False; + server_info->authenticated = True; *_server_info = server_info; |