summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTim Potter <tpot@samba.org>2001-11-05 00:21:17 +0000
committerTim Potter <tpot@samba.org>2001-11-05 00:21:17 +0000
commit93fb9f76e2a78d131901c4f11c4a6ed30a4afa9d (patch)
tree84e7078658e78cd76c168d6b541290e7a53d8727
parentc87c3526992212096d4ecdf200a5346e05bfb328 (diff)
downloadsamba-93fb9f76e2a78d131901c4f11c4a6ed30a4afa9d.tar.gz
samba-93fb9f76e2a78d131901c4f11c4a6ed30a4afa9d.tar.bz2
samba-93fb9f76e2a78d131901c4f11c4a6ed30a4afa9d.zip
Use cli_nt_login_network() instead of domain_client_validate() to perform
pam authentication. This allows us to link in less other crap. Authenticating with a challenge/response doesn't seem to work though - we always get back NT_STATUS_WRONG_PASSWORD. (This used to be commit d85aa1ce83327dda6aa3dcd9bbab9cf6979dda1e)
-rw-r--r--source3/Makefile.in4
-rw-r--r--source3/nsswitch/winbindd_cm.c30
-rw-r--r--source3/nsswitch/winbindd_pam.c96
-rw-r--r--source3/nsswitch/winbindd_proto.h1
4 files changed, 88 insertions, 43 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 4bced02721..615887389c 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -398,8 +398,8 @@ WINBINDD_OBJ1 = \
nsswitch/winbindd_cm.o
NECESSARY_BECAUSE_SAMBA_DEPENDENCIES_ARE_SO_BROKEN_OBJ = \
- libsmb/domain_client_validate.o smbd/auth_util.o \
- rpc_client/cli_netlogon.o rpc_client/cli_login.o
+ rpc_client/cli_netlogon.o rpc_client/cli_login.o \
+ smbd/auth_util.o
WINBINDD_OBJ = \
$(WINBINDD_OBJ1) $(NOPROTO_OBJ) $(PASSDB_OBJ) \
diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c
index 4f0974fe06..c41ed5ac62 100644
--- a/source3/nsswitch/winbindd_cm.c
+++ b/source3/nsswitch/winbindd_cm.c
@@ -513,3 +513,33 @@ CLI_POLICY_HND *cm_get_sam_group_handle(char *domain, DOM_SID *domain_sid,
return &hnd;
}
+
+/* Get a handle on a netlogon pipe */
+
+struct cli_state *cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd)
+{
+ struct winbindd_cm_conn conn;
+ NTSTATUS result;
+
+ /* Open an initial conection */
+
+ ZERO_STRUCT(conn);
+
+ if (!cm_open_connection(domain, PIPE_NETLOGON, &conn)) {
+ DEBUG(3, ("Could not open a connection to %s\n", domain));
+ return NULL;
+ }
+
+ result = cli_nt_setup_creds(conn.cli, trust_passwd);
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(0, ("error connecting to domain password server: %s\n",
+ get_nt_error_msg(result)));
+ cli_shutdown(conn.cli);
+ return NULL;
+ }
+
+ /* We only want the client handle from this structure */
+
+ return conn.cli;
+}
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 22f102269d..aa248aadaf 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -53,13 +53,15 @@ static void parse_domain_user(char *domuser, fstring domain, fstring user)
enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
{
NTSTATUS result;
- fstring name_domain, name_user, auth_dc;
+ fstring name_domain, name_user;
int passlen;
unsigned char trust_passwd[16];
time_t last_change_time;
-
auth_usersupplied_info *user_info;
- auth_serversupplied_info *server_info;
+ uint32 smb_uid_low;
+ NET_USER_INFO_3 info3;
+ NET_ID_INFO_CTR ctr;
+ struct cli_state *cli;
DEBUG(3, ("[%5d]: pam auth %s\n", state->pid,
state->request.data.auth.user));
@@ -76,39 +78,41 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
passlen = strlen(state->request.data.auth.pass);
- if (state->request.data.auth.pass[0]) {
- make_user_info_for_winbind(&user_info,
- name_user, name_domain,
- state->request.data.auth.pass);
- } else {
+ if (state->request.data.auth.pass[0])
+ make_user_info_winbind(&user_info,
+ name_user, name_domain,
+ state->request.data.auth.pass);
+ else
return WINBINDD_ERROR;
- }
/*
* Get the machine account password for our primary domain
*/
- if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, &last_change_time))
- {
- DEBUG(0, ("winbindd_pam_auth: could not fetch trust account password for domain %s\n", lp_workgroup()));
+ if (!secrets_fetch_trust_account_password(
+ lp_workgroup(), trust_passwd, &last_change_time)) {
+ DEBUG(0, ("winbindd_pam_auth: could not fetch trust account "
+ "password for domain %s\n", lp_workgroup()));
return WINBINDD_ERROR;
}
- if (!cm_get_dc_name(lp_workgroup(), auth_dc)) {
- DEBUG(3, ("Could not find dc for workgroup %s\n",
- lp_workgroup()));
+ /* We really don't care what LUID we give the user. */
+
+ generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False);
+
+ ZERO_STRUCT(info3);
+
+ if (!(cli = cm_get_netlogon_cli(lp_workgroup(), trust_passwd))) {
+ DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
return WINBINDD_ERROR;
}
- /* So domain_client_validate() actually opens a new connection
- for each authentication performed. This can theoretically
- be optimised to use an already open IPC$ connection. */
+ result = cli_nt_login_network(cli, user_info, smb_uid_low,
+ &ctr, &info3);
- result = domain_client_validate(user_info, &server_info,
- auth_dc, trust_passwd,
- last_change_time);
+ free_user_info(&user_info);
- free_server_info(&server_info); /* No info needed */
+ cli_shutdown(cli);
return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
}
@@ -118,11 +122,15 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
{
NTSTATUS result;
- fstring name_domain, name_user, auth_dc;
+ fstring name_domain, name_user;
unsigned char trust_passwd[16];
time_t last_change_time;
+
auth_usersupplied_info *user_info;
- auth_serversupplied_info *server_info;
+ uint32 smb_uid_low;
+ NET_USER_INFO_3 info3;
+ NET_ID_INFO_CTR ctr;
+ struct cli_state *cli;
DEBUG(3, ("[%5d]: pam auth crap %s\n", state->pid,
state->request.data.auth_crap.user));
@@ -132,36 +140,42 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
parse_domain_user(state->request.data.auth_crap.user, name_domain,
name_user);
- make_user_info_winbind_crap(&user_info, name_user,
- name_domain, state->request.data.auth_crap.chal,
- (uchar *)state->request.data.auth_crap.lm_resp, 24,
- (uchar *)state->request.data.auth_crap.nt_resp, 24);
+ make_user_info_winbind_crap(
+ &user_info, name_user,
+ name_domain, state->request.data.auth_crap.chal,
+ (uchar *)state->request.data.auth_crap.lm_resp,
+ state->request.data.auth_crap.lm_resp_len,
+ (uchar *)state->request.data.auth_crap.nt_resp,
+ state->request.data.auth_crap.nt_resp_len);
/*
* Get the machine account password for our primary domain
*/
- if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, &last_change_time))
- {
- DEBUG(0, ("winbindd_pam_auth: could not fetch trust account password for domain %s\n", lp_workgroup()));
+ if (!secrets_fetch_trust_account_password(
+ lp_workgroup(), trust_passwd, &last_change_time)) {
+ DEBUG(0, ("winbindd_pam_auth: could not fetch trust account "
+ "password for domain %s\n", lp_workgroup()));
return WINBINDD_ERROR;
}
- if (!cm_get_dc_name(lp_workgroup(), auth_dc)) {
- DEBUG(3, ("Could not find dc for workgroup %s\n",
- lp_workgroup()));
+ /* We really don't care what LUID we give the user. */
+
+ generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False);
+
+ ZERO_STRUCT(info3);
+
+ if (!(cli = cm_get_netlogon_cli(lp_workgroup(), trust_passwd))) {
+ DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
return WINBINDD_ERROR;
}
- /* So domain_client_validate() actually opens a new connection
- for each authentication performed. This can theoretically
- be optimised to use an already open IPC$ connection. */
+ result = cli_nt_login_network(cli, user_info, smb_uid_low,
+ &ctr, &info3);
- result = domain_client_validate(user_info, &server_info,
- auth_dc, trust_passwd,
- last_change_time);
+ free_user_info(&user_info);
- free_server_info(&server_info); /* No info needed */
+ cli_shutdown(cli);
return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
}
diff --git a/source3/nsswitch/winbindd_proto.h b/source3/nsswitch/winbindd_proto.h
index 8e80b1da71..682bf81a54 100644
--- a/source3/nsswitch/winbindd_proto.h
+++ b/source3/nsswitch/winbindd_proto.h
@@ -55,6 +55,7 @@ CLI_POLICY_HND *cm_get_sam_user_handle(char *domain, DOM_SID *domain_sid,
uint32 user_rid);
CLI_POLICY_HND *cm_get_sam_group_handle(char *domain, DOM_SID *domain_sid,
uint32 group_rid);
+struct cli_state *cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd);
/* The following definitions come from nsswitch/winbindd_group.c */