summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>1998-04-23 18:54:57 +0000
committerJeremy Allison <jra@samba.org>1998-04-23 18:54:57 +0000
commita85f5bc268a1c13334b86ac3a44a026359c09371 (patch)
tree3b7e688003d1037600a9f12b1947fcb5e42645d3
parentda4e61efad7c7c18595bec32dbb21a2045dadd2e (diff)
downloadsamba-a85f5bc268a1c13334b86ac3a44a026359c09371.tar.gz
samba-a85f5bc268a1c13334b86ac3a44a026359c09371.tar.bz2
samba-a85f5bc268a1c13334b86ac3a44a026359c09371.zip
genrand.c: Changed SMB_PASSWD_FILE to lp_smb_passwd_file().
password.c: Started the initial code for domain_client_validate(). All bracketed with #ifdef DOMAIN_CLIENT for now. reply.c: Call to domain_client_validate(). All bracketed with #ifdef DOMAIN_CLIENT for now. smbpass.c: New code to get/set machine passwords. Tidied up nesting of lock calls. Jeremy. (This used to be commit 89fe059a6816f32d2cc5c4c04c4089b60590e7e6)
-rw-r--r--source3/include/proto.h10
-rw-r--r--source3/lib/genrand.c2
-rw-r--r--source3/passdb/smbpass.c255
-rw-r--r--source3/smbd/password.c73
-rw-r--r--source3/smbd/reply.c109
5 files changed, 359 insertions, 90 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index da1293fa69..9bba68df48 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1525,6 +1525,9 @@ struct cli_state *server_cryptkey(void);
BOOL server_validate(char *user, char *domain,
char *pass, int passlen,
char *ntpass, int ntpasslen);
+BOOL domain_client_validate( char *user, char *domain,
+ char *smb_apasswd, int smb_apasslen,
+ char *smb_ntpasswd, int smb_ntpasslen);
/*The following definitions come from pcap.c */
@@ -1713,8 +1716,6 @@ char *smb_errstr(char *inbuf);
/*The following definitions come from smbpass.c */
-int pw_file_lock(int fd, int type, int secs);
-int pw_file_unlock(int fd);
void *startsmbpwent(BOOL update);
void endsmbpwent(void *vp);
struct smb_passwd *getsmbpwent(void *vp);
@@ -1725,6 +1726,11 @@ struct smb_passwd *getsmbpwuid(unsigned int uid);
char *encode_acct_ctrl(uint16 acct_ctrl);
BOOL add_smbpwd_entry(struct smb_passwd *newpwd);
BOOL mod_smbpwd_entry(struct smb_passwd* pwd);
+void *machine_password_lock( char *doman, char *name, BOOL update);
+BOOL machine_password_unlock( void *token );
+BOOL get_machine_account_password( void *mach_tok, unsigned char *ret_pwd,
+ time_t *last_change_time);
+BOOL set_machine_account_password( void *mach_tok, unsigned char *md4_new_pwd);
/*The following definitions come from status.c */
diff --git a/source3/lib/genrand.c b/source3/lib/genrand.c
index e20f054504..3eae47486f 100644
--- a/source3/lib/genrand.c
+++ b/source3/lib/genrand.c
@@ -143,7 +143,7 @@ static uint32 do_reseed(unsigned char *md4_outbuf)
/* possibly add in some secret file contents */
do_filehash("/etc/shadow", &md4_inbuf[0]);
- do_filehash(SMB_PASSWD_FILE, &md4_inbuf[16]);
+ do_filehash(lp_smb_passwd_file(), &md4_inbuf[16]);
/* add in the root encrypted password. On any system where security is taken
seriously this will be secret */
diff --git a/source3/passdb/smbpass.c b/source3/passdb/smbpass.c
index f247cc100e..f3b38c43e7 100644
--- a/source3/passdb/smbpass.c
+++ b/source3/passdb/smbpass.c
@@ -38,7 +38,7 @@ static void gotalarm_sig(void)
seconds.
****************************************************************/
-static int do_pw_lock(int fd, int waitsecs, int type)
+static BOOL do_pw_lock(int fd, int waitsecs, int type)
{
struct flock lock;
int ret;
@@ -60,9 +60,10 @@ static int do_pw_lock(int fd, int waitsecs, int type)
if (gotalarm) {
DEBUG(0, ("do_pw_lock: failed to %s SMB passwd file.\n",
type == F_UNLCK ? "unlock" : "lock"));
- return -1;
+ return False;
}
- return ret;
+
+ return ((ret == 0) ? True : False);
}
static int pw_file_lock_depth;
@@ -71,35 +72,41 @@ static int pw_file_lock_depth;
Lock an fd. Abandon after waitsecs seconds.
****************************************************************/
-int pw_file_lock(int fd, int type, int secs)
+static BOOL pw_file_lock(int fd, int type, int secs, int *plock_depth)
{
if (fd < 0)
- return (-1);
+ return False;
+
+ (*plock_depth)++;
+
if(pw_file_lock_depth == 0) {
if (do_pw_lock(fd, secs, type)) {
- return -1;
+ DEBUG(10,("pw_file_lock: locking file failed, error = %s.\n",
+ strerror(errno)));
+ return False;
}
}
- pw_file_lock_depth++;
-
- return fd;
+ return True;
}
/***************************************************************
Unlock an fd. Abandon after waitsecs seconds.
****************************************************************/
-int pw_file_unlock(int fd)
+static BOOL pw_file_unlock(int fd, int *plock_depth)
{
- int ret = 0;
+ BOOL ret;
- if(pw_file_lock_depth == 1)
- ret = do_pw_lock(fd, 5, F_UNLCK);
+ if(*plock_depth == 1)
+ ret = do_pw_lock(fd, 5, F_UNLCK);
- pw_file_lock_depth--;
+ (*plock_depth)--;
- return ret;
+ if(ret == False)
+ DEBUG(10,("pw_file_unlock: unlocking file failed, error = %s.\n",
+ strerror(errno)));
+ return ret;
}
/***************************************************************
@@ -128,7 +135,7 @@ void *startsmbpwent(BOOL update)
/* Set a 16k buffer to do more efficient reads */
setvbuf(fp, s_readbuf, _IOFBF, sizeof(s_readbuf));
- if ((pw_file_lock(fileno(fp), F_RDLCK | (update ? F_WRLCK : 0), 5)) < 0) {
+ if ((pw_file_lock(fileno(fp), F_RDLCK | (update ? F_WRLCK : 0), 5, &pw_file_lock_depth)) == False) {
DEBUG(0, ("startsmbpwent: unable to lock file %s\n", pfile));
fclose(fp);
return NULL;
@@ -149,7 +156,7 @@ void endsmbpwent(void *vp)
{
FILE *fp = (FILE *)vp;
- pw_file_unlock(fileno(fp));
+ pw_file_unlock(fileno(fp), &pw_file_lock_depth);
fclose(fp);
DEBUG(7, ("endsmbpwent: closed password file.\n"));
}
@@ -764,7 +771,9 @@ BOOL mod_smbpwd_entry(struct smb_passwd* pwd)
/* Set a 16k buffer to do more efficient reads */
setvbuf(fp, readbuf, _IOFBF, sizeof(readbuf));
- if ((lockfd = pw_file_lock(fileno(fp), F_RDLCK | F_WRLCK, 5)) < 0) {
+ lockfd = fileno(fp);
+
+ if (pw_file_lock(lockfd, F_RDLCK | F_WRLCK, 5, &pw_file_lock_depth) == False) {
DEBUG(0, ("mod_smbpwd_entry: unable to lock file %s\n", pfile));
fclose(fp);
return False;
@@ -782,10 +791,10 @@ BOOL mod_smbpwd_entry(struct smb_passwd* pwd)
linebuf[0] = '\0';
- fgets(linebuf, 256, fp);
+ fgets(linebuf, sizeof(linebuf), fp);
if (ferror(fp)) {
+ pw_file_unlock(lockfd, &pw_file_lock_depth);
fclose(fp);
- pw_file_unlock(lockfd);
return False;
}
@@ -861,8 +870,8 @@ BOOL mod_smbpwd_entry(struct smb_passwd* pwd)
if (!isdigit(*p)) {
DEBUG(0, ("mod_smbpwd_entry: malformed password entry (uid not number)\n"));
+ pw_file_unlock(lockfd, &pw_file_lock_depth);
fclose(fp);
- pw_file_unlock(lockfd);
return False;
}
@@ -870,8 +879,8 @@ BOOL mod_smbpwd_entry(struct smb_passwd* pwd)
p++;
if (*p != ':') {
DEBUG(0, ("mod_smbpwd_entry: malformed password entry (no : after uid)\n"));
+ pw_file_unlock(lockfd, &pw_file_lock_depth);
fclose(fp);
- pw_file_unlock(lockfd);
return False;
}
@@ -888,28 +897,28 @@ BOOL mod_smbpwd_entry(struct smb_passwd* pwd)
if (*p == '*' || *p == 'X') {
/* Password deliberately invalid - end here. */
DEBUG(10, ("get_smbpwd_entry: entry invalidated for user %s\n", user_name));
+ pw_file_unlock(lockfd, &pw_file_lock_depth);
fclose(fp);
- pw_file_unlock(lockfd);
return False;
}
if (linebuf_len < (PTR_DIFF(p, linebuf) + 33)) {
DEBUG(0, ("mod_smbpwd_entry: malformed password entry (passwd too short)\n"));
+ pw_file_unlock(lockfd,&pw_file_lock_depth);
fclose(fp);
- pw_file_unlock(lockfd);
return (False);
}
if (p[32] != ':') {
DEBUG(0, ("mod_smbpwd_entry: malformed password entry (no terminating :)\n"));
+ pw_file_unlock(lockfd,&pw_file_lock_depth);
fclose(fp);
- pw_file_unlock(lockfd);
return False;
}
if (*p == '*' || *p == 'X') {
+ pw_file_unlock(lockfd,&pw_file_lock_depth);
fclose(fp);
- pw_file_unlock(lockfd);
return False;
}
@@ -919,15 +928,15 @@ BOOL mod_smbpwd_entry(struct smb_passwd* pwd)
the lanman password. */
if (linebuf_len < (PTR_DIFF(p, linebuf) + 33)) {
DEBUG(0, ("mod_smbpwd_entry: malformed password entry (passwd too short)\n"));
+ pw_file_unlock(lockfd,&pw_file_lock_depth);
fclose(fp);
- pw_file_unlock(lockfd);
return (False);
}
if (p[32] != ':') {
DEBUG(0, ("mod_smbpwd_entry: malformed password entry (no terminating :)\n"));
+ pw_file_unlock(lockfd,&pw_file_lock_depth);
fclose(fp);
- pw_file_unlock(lockfd);
return False;
}
@@ -989,23 +998,23 @@ BOOL mod_smbpwd_entry(struct smb_passwd* pwd)
if (lseek(fd, pwd_seekpos - 1, SEEK_SET) != pwd_seekpos - 1) {
DEBUG(0, ("mod_smbpwd_entry: seek fail on file %s.\n", pfile));
+ pw_file_unlock(lockfd,&pw_file_lock_depth);
fclose(fp);
- pw_file_unlock(lockfd);
return False;
}
/* Sanity check - ensure the character is a ':' */
if (read(fd, &c, 1) != 1) {
DEBUG(0, ("mod_smbpwd_entry: read fail on file %s.\n", pfile));
+ pw_file_unlock(lockfd,&pw_file_lock_depth);
fclose(fp);
- pw_file_unlock(lockfd);
return False;
}
if (c != ':') {
DEBUG(0, ("mod_smbpwd_entry: check on passwd file %s failed.\n", pfile));
+ pw_file_unlock(lockfd,&pw_file_lock_depth);
fclose(fp);
- pw_file_unlock(lockfd);
return False;
}
@@ -1053,12 +1062,192 @@ BOOL mod_smbpwd_entry(struct smb_passwd* pwd)
if (write(fd, ascii_p16, wr_len) != wr_len) {
DEBUG(0, ("mod_smbpwd_entry: write failed in passwd file %s\n", pfile));
+ pw_file_unlock(lockfd,&pw_file_lock_depth);
fclose(fp);
- pw_file_unlock(lockfd);
return False;
}
+ pw_file_unlock(lockfd,&pw_file_lock_depth);
fclose(fp);
- pw_file_unlock(lockfd);
return True;
}
+
+#ifdef DOMAIN_CLIENT
+
+static int mach_passwd_lock_depth;
+
+/************************************************************************
+ Routine to lock the machine account password file for a domain.
+************************************************************************/
+
+void *machine_password_lock( char *domain, char *name, BOOL update)
+{
+ FILE *fp;
+ pstring mac_file;
+ unsigned int mac_file_len;
+ char *p;
+
+ if(mach_passwd_lock_depth == 0) {
+ pstrcpy(mac_file, lp_smb_passwd_file());
+ p = strrchr(mac_file, '/');
+ if(p != NULL)
+ *++p = '\0';
+ mac_file_len = strlen(mac_file);
+ if(sizeof(pstring) - mac_file_len - strlen(domain) - strlen(name) - 6) {
+ DEBUG(0,("machine_password_lock: path %s too long to add machine details.\n",
+ mac_file));
+ return NULL;
+ }
+
+ strcat(mac_file, domain);
+ strcat(mac_file, ".");
+ strcat(mac_file, name);
+ strcat(mac_file, ".mac");
+
+ if((fp = fopen(mac_file, "r+b")) == 0) {
+ DEBUG(0,("machine_password_lock: cannot open file %s. Error was %s.\n",
+ mac_file, strerror(errno) ));
+ return NULL;
+ }
+
+ chmod(mac_file, 0600);
+ }
+
+ if(pw_file_lock(fileno(fp), F_RDLCK | (update ? F_WRLCK : 0),
+ 60, &mach_passwd_lock_depth) == False) {
+ DEBUG(0,("machine_password_lock: cannot lock file %s.\n", mac_file));
+ fclose(fp);
+ return NULL;
+ }
+
+ return (void *)fp;
+}
+
+/************************************************************************
+ Routine to unlock the machine account password file for a domain.
+************************************************************************/
+
+BOOL machine_password_unlock( void *token )
+{
+ FILE *fp = (FILE *)token;
+ BOOL ret = pw_file_unlock(fileno(fp), &mach_passwd_lock_depth);
+ if(mach_passwd_lock_depth == 0)
+ fclose(fp);
+ return ret;
+}
+
+/************************************************************************
+ Routine to get the machine account password for a domain.
+ The user of this function must have locked the machine password file.
+************************************************************************/
+
+BOOL get_machine_account_password( void *mach_tok, unsigned char *ret_pwd,
+ time_t *last_change_time)
+{
+ FILE *fp = (FILE *)mach_tok;
+ char linebuf[256];
+ char *p;
+ int i;
+
+ linebuf[0] = '\0';
+
+ *last_change_time = (time_t)0;
+ memset(ret_pwd, '\0', 16);
+
+ if(fseek( fp, 0L, SEEK_SET) == -1) {
+ DEBUG(0,("get_machine_account_password: Failed to seek to start of file. Error was %s.\n",
+ strerror(errno) ));
+ return False;
+ }
+
+ fgets(linebuf, sizeof(linebuf), fp);
+ if(ferror(fp)) {
+ DEBUG(0,("get_machine_account_password: Failed to read password. Error was %s.\n",
+ strerror(errno) ));
+ return False;
+ }
+
+ /*
+ * The length of the line read
+ * must be 45 bytes ( <---XXXX 32 bytes-->:TLC-12345678
+ */
+
+ if(strlen(linebuf) != 45) {
+ DEBUG(0,("get_machine_account_password: Malformed machine password file (wrong length).\n"));
+#ifdef DEBUG_PASSWORD
+ DEBUG(100,("get_machine_account_password: line = |%s|\n", linebuf));
+#endif
+ return False;
+ }
+
+ /*
+ * Get the hex password.
+ */
+
+ if (!gethexpwd((char *)linebuf, (char *)ret_pwd) || linebuf[32] != ':' ||
+ strncmp(&linebuf[33], "TLC-", 4)) {
+ DEBUG(0,("get_machine_account_password: Malformed machine password file (incorrect format).\n"));
+#ifdef DEBUG_PASSWORD
+ DEBUG(100,("get_machine_account_password: line = |%s|\n", linebuf));
+#endif
+ return False;
+ }
+
+ /*
+ * Get the last changed time.
+ */
+ p = &linebuf[37];
+
+ for(i = 0; i < 8; i++) {
+ if(p[i] == '\0' || !isxdigit(p[i])) {
+ DEBUG(0,("get_machine_account_password: Malformed machine password file (no timestamp).\n"));
+#ifdef DEBUG_PASSWORD
+ DEBUG(100,("get_machine_account_password: line = |%s|\n", linebuf));
+#endif
+ return False;
+ }
+ }
+
+ /*
+ * p points at 8 characters of hex digits -
+ * read into a time_t as the seconds since
+ * 1970 that the password was last changed.
+ */
+
+ *last_change_time = (time_t)strtol(p, NULL, 16);
+
+ return True;
+}
+
+/************************************************************************
+ Routine to get the machine account password for a domain.
+ The user of this function must have locked the machine password file.
+************************************************************************/
+
+BOOL set_machine_account_password( void *mach_tok, unsigned char *md4_new_pwd)
+{
+ char linebuf[64];
+ int i;
+ FILE *fp = (FILE *)mach_tok;
+
+ if(fseek( fp, 0L, SEEK_SET) == -1) {
+ DEBUG(0,("set_machine_account_password: Failed to seek to start of file. Error was %s.\n",
+ strerror(errno) ));
+ return False;
+ }
+
+ for (i = 0; i < 16; i++)
+ sprintf(&linebuf[(i*2)], "%02X", md4_new_pwd[i]);
+
+ sprintf(&linebuf[32], ":TLC-%08X\n", (unsigned)time(NULL));
+
+ if(fwrite( linebuf, 1, 45, fp)!= 45) {
+ DEBUG(0,("set_machine_account_password: Failed to write file. Warning - the machine \
+machine account is now invalid. Please recreate. Error was %s.\n", strerror(errno) ));
+ return False;
+ }
+
+ fflush(fp);
+ return True;
+}
+#endif /* DOMAIN_CLIENT */
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index c347f2de0d..04a1795e7f 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -31,6 +31,8 @@ extern int Protocol;
/* users from session setup */
static pstring session_users="";
+extern pstring myname;
+
/* these are kept here to keep the string_combinations function simple */
static char this_user[100]="";
static char this_salt[100]="";
@@ -1860,3 +1862,74 @@ use this machine as the password server.\n"));
return(True);
}
+
+#ifdef DOMAIN_CLIENT
+BOOL domain_client_validate( char *user, char *domain,
+ char *smb_apasswd, int smb_apasslen,
+ char *smb_ntpasswd, int smb_ntpasslen)
+{
+ unsigned char local_lm_hash[21];
+ unsigned char local_nt_hash[21];
+ unsigned char local_challenge[8];
+ unsigned char local_lm_response[24];
+ unsigned char local_nt_reponse[24];
+ BOOL encrypted = True;
+
+ /*
+ * Check that the requested domain is not our own machine name.
+ * If it is, we should never check the PDC here, we use our own local
+ * password file.
+ */
+
+ if(strequal( domain, myname)) {
+ DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n"));
+ return False;
+ }
+
+ /*
+ * Next, check that the passwords given were encrypted.
+ */
+
+ if(smb_apasslen != 24 || smb_ntpasslen != 24) {
+
+ /*
+ * Not encrypted - do so.
+ */
+
+ DEBUG(3,("domain_client_validate: User passwords not in encrypted format.\n"));
+ encrypted = False;
+ memset(local_lm_hash, '\0', sizeof(local_lm_hash));
+ E_P16((uchar *) smb_apasswd, local_lm_hash);
+ memset(local_nt_hash, '\0', sizeof(local_nt_hash));
+ E_md4hash((uchar *) smb_ntpasswd, local_nt_hash);
+ generate_random_buffer( local_challenge, 8, False);
+ E_P24(local_lm_hash, local_challenge, local_lm_response);
+ E_P24(local_nt_hash, local_challenge, local_nt_reponse);
+ smb_apasslen = 24;
+ smb_ntpasslen = 24;
+ smb_apasswd = (char *)local_lm_response;
+ smb_ntpasswd = (char *)local_nt_reponse;
+ } else {
+
+ /*
+ * Encrypted - get the challenge we sent for these
+ * responses.
+ */
+
+ if (!last_challenge(local_challenge)) {
+ DEBUG(0,("domain_client_validate: no challenge done - password failed\n"));
+ return False;
+ }
+ }
+
+ /*
+ * At this point, smb_apasswd points to the lanman response to
+ * the challenge in local_challenge, and smb_ntpasswd points to
+ * the NT response to the challenge in local_challenge. Ship
+ * these over the secure channel to a domain controller and
+ * see if they were valid.
+ */
+
+ return False;
+}
+#endif /* DOMAIN_CLIENT */
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 2f3b3660fc..4472aa16e6 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -377,65 +377,66 @@ static int session_trust_account(char *inbuf, char *outbuf, char *user,
char *smb_passwd, int smb_passlen,
char *smb_nt_passwd, int smb_nt_passlen)
{
- struct smb_passwd *smb_trust_acct = NULL; /* check if trust account exists */
- if (lp_security() == SEC_USER)
- {
- smb_trust_acct = getsmbpwnam(user);
- }
- else
- {
- DEBUG(3,("Trust account %s only supported with security = user\n", user));
- SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
- return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE));
- }
+ struct smb_passwd *smb_trust_acct = NULL; /* check if trust account exists */
+ if (lp_security() == SEC_USER)
+ {
+ smb_trust_acct = getsmbpwnam(user);
+ }
+ else
+ {
+ DEBUG(0,("session_trust_account: Trust account %s only supported with security = user\n", user));
+ SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
+ return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE));
+ }
- if (smb_trust_acct == NULL)
- {
- /* lkclXXXX: workstation entry doesn't exist */
- DEBUG(4,("Trust account %s user doesn't exist\n",user));
- SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
- return(ERROR(0, 0xc0000000|NT_STATUS_NO_SUCH_USER));
- }
- else
- {
- if ((smb_passlen != 24) || (smb_nt_passlen != 24))
- {
- DEBUG(4,("Trust account %s - password length wrong.\n", user));
- SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
- return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE));
- }
+ if (smb_trust_acct == NULL)
+ {
+ /* lkclXXXX: workstation entry doesn't exist */
+ DEBUG(0,("session_trust_account: Trust account %s user doesn't exist\n",user));
+ SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
+ return(ERROR(0, 0xc0000000|NT_STATUS_NO_SUCH_USER));
+ }
+ else
+ {
+ if ((smb_passlen != 24) || (smb_nt_passlen != 24))
+ {
+ DEBUG(0,("session_trust_account: Trust account %s - password length wrong.\n", user));
+ SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
+ return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE));
+ }
- if (!smb_password_ok(smb_trust_acct, smb_passwd, smb_nt_passwd))
- {
- DEBUG(4,("Trust Account %s - password failed\n", user));
- SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
- return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE));
- }
+ if (!smb_password_ok(smb_trust_acct, smb_passwd, smb_nt_passwd))
+ {
+ DEBUG(0,("session_trust_account: Trust Account %s - password failed\n", user));
+ SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
+ return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE));
+ }
- if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_DOMTRUST))
- {
- DEBUG(4,("Domain trust account %s denied by server\n",user));
- SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
- return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT));
- }
+ if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_DOMTRUST))
+ {
+ DEBUG(0,("session_trust_account: Domain trust account %s denied by server\n",user));
+ SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
+ return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT));
+ }
- if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_SVRTRUST))
- {
- DEBUG(4,("Server trust account %s denied by server\n",user));
- SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
- return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT));
- }
- if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_WSTRUST))
- {
- DEBUG(4,("Wksta trust account %s denied by server\n", user));
- SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
- return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT));
- }
- }
+ if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_SVRTRUST))
+ {
+ DEBUG(0,("session_trust_account: Server trust account %s denied by server\n",user));
+ SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
+ return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT));
+ }
+
+ if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_WSTRUST))
+ {
+ DEBUG(4,("session_trust_account: Wksta trust account %s denied by server\n", user));
+ SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
+ return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT));
+ }
+ }
- /* don't know what to do: indicate logon failure */
- SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
- return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE));
+ /* don't know what to do: indicate logon failure */
+ SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
+ return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE));
}