authorTim Potter <tpot@samba.org>2001-09-12 06:39:50 +0000
committerTim Potter <tpot@samba.org>2001-09-12 06:39:50 +0000
commitb800a36b1c81fb37ca963acdc49978ff065fb0d7 (patch)
tree4fe3edd68f6bbf7db66c75aa8c5c29b79d4dd01a
parent39d7983a470cc3470dd7126de35697d965817cb6 (diff)
Some patches to authentication:
- the usersupplied_info now contains a smb_username (as it comes across on the wire) and a unix_username (after being passed through mapping functions) - when doing security={server,domain} use the smb_username, otherwise use the unix_username (This used to be commit d34fd8ec0716127c7a68eeb8e77d1ae8cc07b547)
-rw-r--r--source3/auth/auth.c33
-rw-r--r--source3/auth/auth_rhosts.c2
-rw-r--r--source3/auth/auth_sam.c2
-rw-r--r--source3/auth/auth_unix.c6
-rw-r--r--source3/include/auth.h4
-rw-r--r--source3/libsmb/domain_client_validate.c1
-rw-r--r--source3/nsswitch/winbindd_pam.c8
-rw-r--r--source3/rpc_server/srv_netlog_nt.c2
-rw-r--r--source3/rpc_server/srv_pipe.c2
-rw-r--r--source3/smbd/auth.c33
-rw-r--r--source3/smbd/auth_rhosts.c2
-rw-r--r--source3/smbd/auth_smbpasswd.c2
-rw-r--r--source3/smbd/auth_unix.c6
-rw-r--r--source3/smbd/reply.c5
14 files changed, 63 insertions, 45 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index b707c38c62..0101aa65a2 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -63,7 +63,7 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
BOOL done_pam = False;
- DEBUG(3, ("check_password: Checking password for user %s with the new password interface\n", user_info->smb_username.str));
+ DEBUG(3, ("check_password: Checking password for smb user %s with the new password interface\n", user_info->smb_username.str));
if (!check_domain_match(user_info->smb_username.str, user_info->domain.str)) {
return NT_STATUS_LOGON_FAILURE;
}
@@ -81,7 +81,7 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
}
if (lp_security() >= SEC_SERVER) {
- smb_user_control(user_info->smb_username.str, nt_status);
+ smb_user_control(user_info->unix_username.str, nt_status);
}
if (!NT_STATUS_IS_OK(nt_status)) {
@@ -97,14 +97,14 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
if (NT_STATUS_IS_OK(nt_status) && !done_pam) {
/* We might not be root if we are an RPC call */
become_root();
- nt_status = smb_pam_accountcheck(user_info->smb_username.str);
+ nt_status = smb_pam_accountcheck(user_info->unix_username.str);
unbecome_root();
}
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(5, ("check_password: Password for user %s suceeded\n", user_info->smb_username.str));
+ DEBUG(5, ("check_password: Password for smb user %s suceeded\n", user_info->smb_username.str));
} else {
- DEBUG(3, ("check_password: Password for user %s FAILED with error %s\n", user_info->smb_username.str, get_nt_error_msg(nt_status)));
+ DEBUG(3, ("check_password: Password for smb user %s FAILED with error %s\n", user_info->smb_username.str, get_nt_error_msg(nt_status)));
}
return nt_status;
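Review bot: The two result DEBUG lines at the end of this hunk still name only `smb_username`, although the `smb_pam_accountcheck()` call above them (and `smb_user_control()` in the previous hunk) now act on `unix_username`. When the two names differ, a failure from the account check is logged against a name that was never checked, which makes the log harder to use for auditing. Consider logging both, e.g. `DEBUG(3, ("check_password: Password for smb user %s (unix user %s) FAILED with error %s\n", user_info->smb_username.str, user_info->unix_username.str, get_nt_error_msg(nt_status)));`. The same applies to the identical hunk in source3/smbd/auth.c; check_password's body starts and ends outside the hunk.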
@@ -121,14 +121,16 @@ SMB hash
return True if the password is correct, False otherwise
****************************************************************************/
-NTSTATUS pass_check_smb_with_chal(char *user, char *domain, uchar chal[8],
+NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
+ char *domain, uchar chal[8],
uchar *lm_pwd, int lm_pwd_len,
uchar *nt_pwd, int nt_pwd_len)
{
auth_usersupplied_info user_info;
auth_serversupplied_info server_info;
- AUTH_STR ourdomain, theirdomain, smb_username, wksta_name;
+ AUTH_STR ourdomain, theirdomain, unix_username, smb_username,
+ wksta_name;
ZERO_STRUCT(user_info);
ZERO_STRUCT(ourdomain);
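Review bot: The header comment above `pass_check_smb_with_chal()`, whose tail is visible as context, still says "return True if the password is correct, False otherwise", but the function returns NTSTATUS and now takes two user names. The comment should say which name is which and that `unix_user` may be NULL, for example `smb_user is the name as sent by the client, unix_user the name after mapping (NULL means use smb_user)`. Both parameters are plain `char *`, so swapped arguments compile silently and the documented order is all that callers such as `pass_check_smb()` and `reply_sesssetup_and_X()` have to go on. The comment block starts outside the hunk and the function body continues past it; the same hunk is repeated in source3/smbd/auth.c.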
@@ -145,10 +147,15 @@ NTSTATUS pass_check_smb_with_chal(char *user, char *domain, uchar chal[8],
user_info.requested_domain = theirdomain;
user_info.domain = ourdomain;
- smb_username.str = user;
+ smb_username.str = smb_user;
smb_username.len = strlen(smb_username.str);
- user_info.requested_username = smb_username; /* For the time-being */
+ /* If unix user is NULL, use smb user */
+
+ unix_username.str = unix_user ? unix_user : smb_user;
+ unix_username.len = strlen(unix_username.str);
+
+ user_info.unix_username = unix_username;
user_info.smb_username = smb_username;
user_info.wksta_name.str = client_name();
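Review bot: The new fallback `unix_user ? unix_user : smb_user` guards only `unix_user`; `smb_user` itself reaches `strlen()` in this hunk with no NULL check, directly and again through the fallback. Whether any caller can pass NULL is not visible in this diff, but if one does, that is undefined behaviour on the authentication path. A guard before `smb_username.str = smb_user;`, such as `if (!smb_user) return NT_STATUS_LOGON_FAILURE;`, would make the fallback safe. The function starts and ends outside the hunk, and the identical hunk in source3/smbd/auth.c needs the same treatment.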
@@ -197,7 +204,7 @@ NTSTATUS pass_check_smb_with_chal(char *user, char *domain, uchar chal[8],
return check_password(&user_info, &server_info);
}
-NTSTATUS pass_check_smb(char *user, char *domain,
+NTSTATUS pass_check_smb(char *smb_user, char *unix_user, char *domain,
uchar *lm_pwd, int lm_pwd_len,
uchar *nt_pwd, int nt_pwd_len)
{
@@ -207,7 +214,7 @@ NTSTATUS pass_check_smb(char *user, char *domain,
generate_random_buffer( chal, 8, False);
}
- return pass_check_smb_with_chal(user, domain, chal,
+ return pass_check_smb_with_chal(smb_user, unix_user, domain, chal,
lm_pwd, lm_pwd_len,
nt_pwd, nt_pwd_len);
@@ -233,11 +240,11 @@ BOOL password_ok(char *user, char *password, int pwlen)
/* The password could be either NTLM or plain LM. Try NTLM first, but fall-through as
required. */
- if (NT_STATUS_IS_OK(pass_check_smb(user, lp_workgroup(), NULL, 0, (unsigned char *)password, pwlen))) {
+ if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, lp_workgroup(), NULL, 0, (unsigned char *)password, pwlen))) {
return True;
}
- if (NT_STATUS_IS_OK(pass_check_smb(user, lp_workgroup(), (unsigned char *)password, pwlen, NULL, 0))) {
+ if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, lp_workgroup(), (unsigned char *)password, pwlen, NULL, 0))) {
return True;
}
diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c
index b447bed5d1..2492a2a68b 100644
--- a/source3/auth/auth_rhosts.c
+++ b/source3/auth/auth_rhosts.c
@@ -174,7 +174,7 @@ NTSTATUS check_rhosts_security(const auth_usersupplied_info *user_info,
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
become_root();
- if (check_hosts_equiv(user_info->smb_username.str)) {
+ if (check_hosts_equiv(user_info->unix_username.str)) {
nt_status = NT_STATUS_OK;
}
unbecome_root();
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index 33b0623643..111a35e068 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -152,7 +152,7 @@ NTSTATUS smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *use
if (smb_pwd_check_ntlmv2( user_info->nt_resp.buffer,
user_info->nt_resp.len,
nt_pw,
- user_info->chal, user_info->requested_username.str,
+ user_info->chal, user_info->smb_username.str,
user_info->requested_domain.str,
(char *)server_info->session_key))
{
diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c
index 1708320961..ea32a65457 100644
--- a/source3/auth/auth_unix.c
+++ b/source3/auth/auth_unix.c
@@ -73,9 +73,11 @@ NTSTATUS check_unix_security(const auth_usersupplied_info *user_info, auth_serve
NTSTATUS nt_status;
become_root();
- nt_status = (pass_check(user_info->smb_username.str, user_info->plaintext_password.str,
+ nt_status = (pass_check(user_info->unix_username.str,
+ user_info->plaintext_password.str,
user_info->plaintext_password.len,
- lp_update_encrypted() ? update_smbpassword_file : NULL)
+ lp_update_encrypted() ?
+ update_smbpassword_file : NULL)
? NT_STATUS_OK : NT_STATUS_LOGON_FAILURE);
unbecome_root();
diff --git a/source3/include/auth.h b/source3/include/auth.h
index 028f8303da..91230e4b6e 100644
--- a/source3/include/auth.h
+++ b/source3/include/auth.h
@@ -71,8 +71,8 @@ typedef struct usersupplied_info
AUTH_STR requested_domain; /* domain name string */
AUTH_STR domain; /* domain name after mapping */
- AUTH_STR requested_username;
- AUTH_STR smb_username; /* user name string (after mapping) */
+ AUTH_STR unix_username; /* username after mapping */
+ AUTH_STR smb_username; /* username before mapping */
AUTH_STR wksta_name; /* workstation name (netbios calling name) unicode string */
} auth_usersupplied_info;
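Review bot: The new comment `/* username after mapping */` on `unix_username` promises more than the callers in this commit deliver. winbindd_pam.c assigns `name_user` to both fields, and srv_netlog_nt.c and reply.c (session_trust_account) copy `smb_username` into it "for the time-being". After this commit `check_hosts_equiv()`, `pass_check()`, `smb_pam_accountcheck()` and `smb_user_control()` all take this field as the name to act on, so the contract is worth writing down, e.g. `/* username after mapping; callers that do no mapping store the wire name here; must be set by every caller */`. The struct definition begins outside the hunk.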
diff --git a/source3/libsmb/domain_client_validate.c b/source3/libsmb/domain_client_validate.c
index a6890f1027..b23ab01c1d 100644
--- a/source3/libsmb/domain_client_validate.c
+++ b/source3/libsmb/domain_client_validate.c
@@ -362,4 +362,3 @@ NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info,
cli_shutdown(&cli);
return status;
}
-
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 0408c3a2fb..262a9d7a33 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -96,8 +96,8 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
user_info.smb_username.str = name_user;
user_info.smb_username.len = strlen(name_user);
- user_info.requested_username.str = name_user;
- user_info.requested_username.len = strlen(name_user);
+ user_info.unix_username.str = name_user;
+ user_info.unix_username.len = strlen(name_user);
user_info.wksta_name.str = global_myname;
user_info.wksta_name.len = strlen(user_info.wksta_name.str);
@@ -172,8 +172,8 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
user_info.smb_username.str = name_user;
user_info.smb_username.len = strlen(name_user);
- user_info.requested_username.str = name_user;
- user_info.requested_username.len = strlen(name_user);
+ user_info.unix_username.str = name_user;
+ user_info.unix_username.len = strlen(name_user);
user_info.wksta_name.str = global_myname;
user_info.wksta_name.len = strlen(user_info.wksta_name.str);
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index fd137e6038..26da5ac061 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -505,7 +505,7 @@ static NTSTATUS _net_logon_any(NET_ID_INFO_CTR *ctr, char *user, char *domain, c
smb_username.str = user;
smb_username.len = strlen(smb_username.str);
- user_info.requested_username = smb_username; /* For the time-being */
+ user_info.unix_username = smb_username; /* For the time-being */
user_info.smb_username = smb_username;
#if 0
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 3570969efc..4a09410e81 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -368,7 +368,7 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm
become_root();
p->ntlmssp_auth_validated =
- NT_STATUS_IS_OK(pass_check_smb_with_chal(pipe_user_name, domain,
+ NT_STATUS_IS_OK(pass_check_smb_with_chal(pipe_user_name, NULL, domain,
(uchar*)p->challenge,
lm_owf, lm_pw_len,
nt_owf, nt_pw_len));
diff --git a/source3/smbd/auth.c b/source3/smbd/auth.c
index b707c38c62..0101aa65a2 100644
--- a/source3/smbd/auth.c
+++ b/source3/smbd/auth.c
@@ -63,7 +63,7 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
BOOL done_pam = False;
- DEBUG(3, ("check_password: Checking password for user %s with the new password interface\n", user_info->smb_username.str));
+ DEBUG(3, ("check_password: Checking password for smb user %s with the new password interface\n", user_info->smb_username.str));
if (!check_domain_match(user_info->smb_username.str, user_info->domain.str)) {
return NT_STATUS_LOGON_FAILURE;
}
@@ -81,7 +81,7 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
}
if (lp_security() >= SEC_SERVER) {
- smb_user_control(user_info->smb_username.str, nt_status);
+ smb_user_control(user_info->unix_username.str, nt_status);
}
if (!NT_STATUS_IS_OK(nt_status)) {
@@ -97,14 +97,14 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
if (NT_STATUS_IS_OK(nt_status) && !done_pam) {
/* We might not be root if we are an RPC call */
become_root();
- nt_status = smb_pam_accountcheck(user_info->smb_username.str);
+ nt_status = smb_pam_accountcheck(user_info->unix_username.str);
unbecome_root();
}
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(5, ("check_password: Password for user %s suceeded\n", user_info->smb_username.str));
+ DEBUG(5, ("check_password: Password for smb user %s suceeded\n", user_info->smb_username.str));
} else {
- DEBUG(3, ("check_password: Password for user %s FAILED with error %s\n", user_info->smb_username.str, get_nt_error_msg(nt_status)));
+ DEBUG(3, ("check_password: Password for smb user %s FAILED with error %s\n", user_info->smb_username.str, get_nt_error_msg(nt_status)));
}
return nt_status;
@@ -121,14 +121,16 @@ SMB hash
return True if the password is correct, False otherwise
****************************************************************************/
-NTSTATUS pass_check_smb_with_chal(char *user, char *domain, uchar chal[8],
+NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
+ char *domain, uchar chal[8],
uchar *lm_pwd, int lm_pwd_len,
uchar *nt_pwd, int nt_pwd_len)
{
auth_usersupplied_info user_info;
auth_serversupplied_info server_info;
- AUTH_STR ourdomain, theirdomain, smb_username, wksta_name;
+ AUTH_STR ourdomain, theirdomain, unix_username, smb_username,
+ wksta_name;
ZERO_STRUCT(user_info);
ZERO_STRUCT(ourdomain);
@@ -145,10 +147,15 @@ NTSTATUS pass_check_smb_with_chal(char *user, char *domain, uchar chal[8],
user_info.requested_domain = theirdomain;
user_info.domain = ourdomain;
- smb_username.str = user;
+ smb_username.str = smb_user;
smb_username.len = strlen(smb_username.str);
- user_info.requested_username = smb_username; /* For the time-being */
+ /* If unix user is NULL, use smb user */
+
+ unix_username.str = unix_user ? unix_user : smb_user;
+ unix_username.len = strlen(unix_username.str);
+
+ user_info.unix_username = unix_username;
user_info.smb_username = smb_username;
user_info.wksta_name.str = client_name();
@@ -197,7 +204,7 @@ NTSTATUS pass_check_smb_with_chal(char *user, char *domain, uchar chal[8],
return check_password(&user_info, &server_info);
}
-NTSTATUS pass_check_smb(char *user, char *domain,
+NTSTATUS pass_check_smb(char *smb_user, char *unix_user, char *domain,
uchar *lm_pwd, int lm_pwd_len,
uchar *nt_pwd, int nt_pwd_len)
{
@@ -207,7 +214,7 @@ NTSTATUS pass_check_smb(char *user, char *domain,
generate_random_buffer( chal, 8, False);
}
- return pass_check_smb_with_chal(user, domain, chal,
+ return pass_check_smb_with_chal(smb_user, unix_user, domain, chal,
lm_pwd, lm_pwd_len,
nt_pwd, nt_pwd_len);
@@ -233,11 +240,11 @@ BOOL password_ok(char *user, char *password, int pwlen)
/* The password could be either NTLM or plain LM. Try NTLM first, but fall-through as
required. */
- if (NT_STATUS_IS_OK(pass_check_smb(user, lp_workgroup(), NULL, 0, (unsigned char *)password, pwlen))) {
+ if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, lp_workgroup(), NULL, 0, (unsigned char *)password, pwlen))) {
return True;
}
- if (NT_STATUS_IS_OK(pass_check_smb(user, lp_workgroup(), (unsigned char *)password, pwlen, NULL, 0))) {
+ if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, lp_workgroup(), (unsigned char *)password, pwlen, NULL, 0))) {
return True;
}
diff --git a/source3/smbd/auth_rhosts.c b/source3/smbd/auth_rhosts.c
index b447bed5d1..2492a2a68b 100644
--- a/source3/smbd/auth_rhosts.c
+++ b/source3/smbd/auth_rhosts.c
@@ -174,7 +174,7 @@ NTSTATUS check_rhosts_security(const auth_usersupplied_info *user_info,
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
become_root();
- if (check_hosts_equiv(user_info->smb_username.str)) {
+ if (check_hosts_equiv(user_info->unix_username.str)) {
nt_status = NT_STATUS_OK;
}
unbecome_root();
diff --git a/source3/smbd/auth_smbpasswd.c b/source3/smbd/auth_smbpasswd.c
index 33b0623643..111a35e068 100644
--- a/source3/smbd/auth_smbpasswd.c
+++ b/source3/smbd/auth_smbpasswd.c
@@ -152,7 +152,7 @@ NTSTATUS smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *use
if (smb_pwd_check_ntlmv2( user_info->nt_resp.buffer,
user_info->nt_resp.len,
nt_pw,
- user_info->chal, user_info->requested_username.str,
+ user_info->chal, user_info->smb_username.str,
user_info->requested_domain.str,
(char *)server_info->session_key))
{
diff --git a/source3/smbd/auth_unix.c b/source3/smbd/auth_unix.c
index 1708320961..ea32a65457 100644
--- a/source3/smbd/auth_unix.c
+++ b/source3/smbd/auth_unix.c
@@ -73,9 +73,11 @@ NTSTATUS check_unix_security(const auth_usersupplied_info *user_info, auth_serve
NTSTATUS nt_status;
become_root();
- nt_status = (pass_check(user_info->smb_username.str, user_info->plaintext_password.str,
+ nt_status = (pass_check(user_info->unix_username.str,
+ user_info->plaintext_password.str,
user_info->plaintext_password.len,
- lp_update_encrypted() ? update_smbpassword_file : NULL)
+ lp_update_encrypted() ?
+ update_smbpassword_file : NULL)
? NT_STATUS_OK : NT_STATUS_LOGON_FAILURE);
unbecome_root();
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index c2d38a1076..9e88f58fa6 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -462,7 +462,7 @@ static int session_trust_account(connection_struct *conn, char *inbuf, char *out
smb_username.str = user;
smb_username.len = strlen(smb_username.str);
- user_info.requested_username = smb_username; /* For the time-being */
+ user_info.unix_username = smb_username; /* For the time-being */
user_info.smb_username = smb_username;
user_info.wksta_name = wksta_name;
@@ -776,7 +776,8 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,int
add_session_user(user);
if (!guest) {
- valid_password = NT_STATUS_IS_OK(pass_check_smb(user, domain,
+ valid_password = NT_STATUS_IS_OK(pass_check_smb(orig_user, user,
+ domain,
(unsigned char *)smb_apasswd,
smb_apasslen,
(unsigned char *)smb_ntpasswd,