diff options
author | Luke Leighton <lkcl@samba.org> | 1999-11-20 20:54:29 +0000 |
---|---|---|
committer | Luke Leighton <lkcl@samba.org> | 1999-11-20 20:54:29 +0000 |
commit | 24a069eac302069559c6347b24276e7f1a04cc91 (patch) | |
tree | d49a94cde47a03b2b8d2c988f418f3cf1de01876 | |
parent | a56bea383b4813f77478f9859dc33c90a564f540 (diff) | |
download | samba-24a069eac302069559c6347b24276e7f1a04cc91.tar.gz samba-24a069eac302069559c6347b24276e7f1a04cc91.tar.bz2 samba-24a069eac302069559c6347b24276e7f1a04cc91.zip |
modified domain_client_validate to take trust account name / type. this
is to pass DOMAIN_NAME$ and SEC_CHAN_DOMAIN instead of WKSTA_NAME$ and
SEC_CHAN_WKSTA.
modified check_domain_security to determine if domain name is own domain,
and to use wksta trust account if so, otherwise check "trusting domains"
parameter and use inter-domain trust account if so, otherwise return
False.
(This used to be commit 97ec74e1fa99d773812d2df402251fafb76b181c)
-rw-r--r-- | source3/include/proto.h | 4 | ||||
-rw-r--r-- | source3/lib/sids.c | 3 | ||||
-rw-r--r-- | source3/lib/util_pwdb.c | 3 | ||||
-rw-r--r-- | source3/lib/util_str.c | 34 | ||||
-rw-r--r-- | source3/smbd/chgpasswd.c | 3 | ||||
-rw-r--r-- | source3/smbd/password.c | 15 | ||||
-rw-r--r-- | source3/smbd/reply.c | 61 |
7 files changed, 108 insertions, 15 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h index e56cfbee48..f83485d455 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -624,6 +624,7 @@ void string_free(char **s); BOOL string_set(char **dest,const char *src); void string_sub(char *s,const char *pattern,const char *insert); void all_string_sub(char *s,const char *pattern,const char *insert); +void split_at_first_component(char *path, char *front, char sep, char *back); void split_at_last_component(char *path, char *front, char sep, char *back); char *bit_field_to_str(uint32 type, struct field_info *bs); char *enum_field_to_str(uint32 type, struct field_info *bs, BOOL first_default); @@ -4027,7 +4028,8 @@ struct cli_state *server_cryptkey(void); BOOL server_validate(char *user, char *domain, char *pass, int passlen, char *ntpass, int ntpasslen); -BOOL domain_client_validate( char *user, char *domain, +BOOL domain_client_validate( char *user, char *domain, char *server_list, + char *acct_name, uint16 acct_type, char *smb_apasswd, int smb_apasslen, char *smb_ntpasswd, int smb_ntpasslen); diff --git a/source3/lib/sids.c b/source3/lib/sids.c index 052c05cb01..c18734c705 100644 --- a/source3/lib/sids.c +++ b/source3/lib/sids.c @@ -139,7 +139,8 @@ BOOL get_member_domain_sid(void) } } - return get_domain_sids(NULL, &global_member_sid, lp_passwordserver()); + return get_domain_sids(global_myname, NULL, + &global_member_sid, lp_passwordserver()); } diff --git a/source3/lib/util_pwdb.c b/source3/lib/util_pwdb.c index f27cce8fba..d80ec5f689 100644 --- a/source3/lib/util_pwdb.c +++ b/source3/lib/util_pwdb.c @@ -634,7 +634,8 @@ BOOL pwdb_initialise(BOOL is_server) { srvs = lp_passwordserver(); } - if (!get_domain_sids(&global_member_sid, &global_sam_sid, srvs)) + if (!get_domain_sids(global_myname, &global_member_sid, + &global_sam_sid, srvs)) { return False; } diff --git a/source3/lib/util_str.c b/source3/lib/util_str.c index 43e3224df4..a25043df78 100644 --- a/source3/lib/util_str.c +++ b/source3/lib/util_str.c @@ -1066,6 +1066,38 @@ void all_string_sub(char *s,const char *pattern,const char *insert) /**************************************************************************** splits out the front and back at a separator. ****************************************************************************/ +void split_at_first_component(char *path, char *front, char sep, char *back) +{ + char *p = strchr(path, sep); + + if (p != NULL) + { + *p = 0; + } + if (front != NULL) + { + pstrcpy(front, path); + } + if (p != NULL) + { + if (back != NULL) + { + pstrcpy(back, p+1); + } + *p = sep; + } + else + { + if (back != NULL) + { + back[0] = 0; + } + } +} + +/**************************************************************************** + splits out the front and back at a separator. +****************************************************************************/ void split_at_last_component(char *path, char *front, char sep, char *back) { char *p = strrchr(path, sep); @@ -1084,7 +1116,7 @@ void split_at_last_component(char *path, char *front, char sep, char *back) { pstrcpy(back, p+1); } - *p = '\\'; + *p = sep; } else { diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c index a21b598238..3d31db7fb5 100644 --- a/source3/smbd/chgpasswd.c +++ b/source3/smbd/chgpasswd.c @@ -626,6 +626,7 @@ BOOL check_oem_password(char *user, uchar new_p16[16]; uchar unenc_old_pw[16]; char no_pw[2]; + uint32 len; BOOL nt_pass_set = (ntdata != NULL && nthash != NULL); @@ -682,7 +683,7 @@ BOOL check_oem_password(char *user, */ SamOEMhash( (uchar *)lmdata, (uchar *)smbpw->smb_passwd, True); - if (!decode_pw_buffer(lmdata, new_passwd, new_passwd_size, nt_pass_set)) + if (!decode_pw_buffer(lmdata, new_passwd, new_passwd_size, &len)) { return False; } diff --git a/source3/smbd/password.c b/source3/smbd/password.c index 1612b8264f..f74cc49eca 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -1095,7 +1095,8 @@ use this machine as the password server.\n")); key from the workstation trust account password. ************************************************************************/ -BOOL domain_client_validate( char *user, char *domain, +BOOL domain_client_validate( char *user, char *domain, char *server_list, + char *acct_name, uint16 acct_type, char *smb_apasswd, int smb_apasslen, char *smb_ntpasswd, int smb_ntpasslen) { @@ -1108,6 +1109,10 @@ BOOL domain_client_validate( char *user, char *domain, NET_USER_INFO_3 info3; struct cli_state cli; uint32 smb_uid_low; + fstring trust_acct; + + fstrcpy(trust_acct, acct_name); + fstrcat(trust_acct, "$"); /* * Check that the requested domain is not our own machine name. @@ -1126,7 +1131,7 @@ BOOL domain_client_validate( char *user, char *domain, */ if(((smb_apasslen != 24) && (smb_apasslen != 0)) || - ((smb_ntpasslen != 24) && (smb_ntpasslen != 0))) + ((smb_ntpasslen <= 24) && (smb_ntpasslen != 0))) { /* * Not encrypted - do so. @@ -1158,7 +1163,7 @@ BOOL domain_client_validate( char *user, char *domain, /* * Get the workstation trust account password. */ - if (!trust_get_passwd( trust_passwd, global_myworkgroup, global_myname)) + if (!trust_get_passwd( trust_passwd, domain, acct_name)) { return False; } @@ -1171,7 +1176,7 @@ BOOL domain_client_validate( char *user, char *domain, * see if they were valid. */ - if (!cli_connect_serverlist(&cli, lp_passwordserver())) + if (!cli_connect_serverlist(&cli, server_list)) { DEBUG(0,("domain_client_validate: Domain password server not available.\n")); return False; @@ -1192,7 +1197,7 @@ BOOL domain_client_validate( char *user, char *domain, } if(cli_nt_setup_creds(&cli, nt_pipe_fnum, - cli.mach_acct, global_myname, trust_passwd, SEC_CHAN_WKSTA) != 0x0) + trust_acct, global_myname, trust_passwd, acct_type) != 0x0) { DEBUG(0,("domain_client_validate: unable to setup the PDC credentials to machine \ %s. Error was : %s.\n", cli.desthost, cli_errstr(&cli))); diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 0c4fb2003c..79b24a986c 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -39,6 +39,7 @@ extern BOOL case_preserve; extern BOOL short_case_preserve; extern pstring sesssetup_user; extern fstring global_myworkgroup; +extern fstring global_myname; extern int Client; extern int global_oplock_break; uint32 global_client_caps = 0; @@ -501,12 +502,62 @@ static BOOL check_domain_security(char *orig_user, char *domain, char *smb_apasswd, int smb_apasslen, char *smb_ntpasswd, int smb_ntpasslen) { - if(lp_security() != SEC_DOMAIN) - return False; + fstring acct_name; + uint16 acct_type = 0; + + char *server_list = NULL; + pstring srv_list; + char *trusted_list = lp_trusted_domains(); + + if (lp_security() == SEC_SHARE || lp_security() == SEC_SERVER) + { + return False; + } + + if (lp_security() == SEC_DOMAIN) + { + fstrcpy(acct_name, global_myname); + acct_type = SEC_CHAN_WKSTA; + if (strequal(lp_workgroup(), domain)) + { + DEBUG(10,("local domain server list: %s\n", server_list)); + pstrcpy(srv_list, lp_passwordserver()); + server_list = srv_list; + } + } + + if (server_list == NULL) + { + pstring tmp; + if (next_token(&trusted_list, tmp, NULL, sizeof(tmp))) + { + do + { + fstring trust_dom; + split_at_first_component(tmp, trust_dom, '=', srv_list); + + if (strequal(domain, trust_dom)) + { + DEBUG(10,("trusted domain server list: %s\n", server_list)); + fstrcpy(acct_name, global_myworkgroup); + acct_type = SEC_CHAN_DOMAIN; + server_list = srv_list; + break; + } + + } while (next_token(NULL, tmp, NULL, sizeof(tmp))); + } + } + + if (server_list == NULL) + { + return False; + } - return domain_client_validate(orig_user, domain, - smb_apasswd, smb_apasslen, - smb_ntpasswd, smb_ntpasslen); + return domain_client_validate(orig_user, domain, server_list, + acct_name, acct_type, + smb_apasswd, smb_apasslen, + smb_ntpasswd, smb_ntpasslen); } /**************************************************************************** |