author | Jeremy Allison <jra@samba.org> | 2003-09-08 20:42:33 +0000 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2003-09-08 20:42:33 +0000 |
commit | 07c90e499e5e02db94d4ca3f3d303b2b1952ace9 (patch) | |
tree | ef421200bd6fa88cea4eff8d32518dfbb4459720 | |
parent | 5daacc87b514ec4fe2e50f159a6a422a85a77324 (diff) | |
Tidy up some formatting. Get ready for allowing bad password lockout (based
on a patch posted by Richard Renard <rrenard@idealx.com>).
Jeremy.
(This used to be commit abf54b58e95a949cb883d4485853dc560489c03f)
-rw-r--r-- | source3/auth/auth_sam.c | 87 | ||||
-rw-r--r-- | source3/locking/locking.c | 32 |
2 files changed, 56 insertions, 63 deletions
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index fb66d53cd4..ce97bd7df2 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -27,8 +27,9 @@ #define DBGC_CLASS DBGC_AUTH /**************************************************************************** -core of smb password checking routine. + Core of smb password checking routine. ****************************************************************************/ + static BOOL smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response, const uchar *part_passwd, const DATA_BLOB *sec_blob, @@ -54,8 +55,7 @@ static BOOL smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response, } SMBOWFencrypt(part_passwd, sec_blob->data, p24); - if (user_sess_key != NULL) - { + if (user_sess_key != NULL) { SMBsesskeygen_ntv1(part_passwd, NULL, user_sess_key); } @@ -74,12 +74,11 @@ static BOOL smb_pwd_check_ntlmv1(const DATA_BLOB *nt_response, return (memcmp(p24, nt_response->data, 24) == 0); } - /**************************************************************************** -core of smb password checking routine. (NTLMv2, LMv2) - -Note: The same code works with both NTLMv2 and LMv2. + Core of smb password checking routine. (NTLMv2, LMv2) + Note: The same code works with both NTLMv2 and LMv2. ****************************************************************************/ + static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response, const uchar *part_passwd, const DATA_BLOB *sec_blob, @@ -92,8 +91,7 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response, uchar client_response[16]; DATA_BLOB client_key_data; - if (part_passwd == NULL) - { + if (part_passwd == NULL) { DEBUG(10,("No password set - DISALLOWING access\n")); /* No password set - always False */ return False; 
@@ -121,8 +119,7 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response, } SMBOWFencrypt_ntv2(kr, sec_blob, &client_key_data, value_from_encryption); - if (user_sess_key != NULL) - { + if (user_sess_key != NULL) { SMBsesskeygen_ntv2(kr, value_from_encryption, user_sess_key); } @@ -142,11 +139,11 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB *ntv2_response, return (memcmp(value_from_encryption, client_response, 16) == 0); } - /**************************************************************************** Do a specific test for an smb password being correct, given a smb_password and the lanman and NT responses. ****************************************************************************/ + static NTSTATUS sam_password_ok(const struct auth_context *auth_context, TALLOC_CTX *mem_ctx, SAM_ACCOUNT *sampass, @@ -158,15 +155,11 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, uint32 auth_flags; acct_ctrl = pdb_get_acct_ctrl(sampass); - if (acct_ctrl & ACB_PWNOTREQ) - { - if (lp_null_passwords()) - { + if (acct_ctrl & ACB_PWNOTREQ) { + if (lp_null_passwords()) { DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", pdb_get_username(sampass))); return(NT_STATUS_OK); - } - else - { + } else { DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", pdb_get_username(sampass))); return(NT_STATUS_LOGON_FAILURE); } @@ -191,8 +184,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, nt_pw, &auth_context->challenge, user_info->smb_name.str, user_info->client_domain.str, - user_sess_key)) - { + user_sess_key)) { return NT_STATUS_OK; } @@ -201,9 +193,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, nt_pw, &auth_context->challenge, user_info->smb_name.str, "", - user_sess_key)) - - { + user_sess_key)) { return NT_STATUS_OK; } else { DEBUG(3,("sam_password_ok: NTLMv2 password check failed\n")); 
@@ -218,8 +208,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, DEBUG(4,("sam_password_ok: Checking NT MD4 password\n")); if (smb_pwd_check_ntlmv1(&user_info->nt_resp, nt_pw, &auth_context->challenge, - user_sess_key)) - { + user_sess_key)) { return NT_STATUS_OK; } else { DEBUG(3,("sam_password_ok: NT MD4 password check failed for user %s\n",pdb_get_username(sampass))); @@ -247,8 +236,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, DEBUG(4,("sam_password_ok: Checking LM password\n")); if (smb_pwd_check_ntlmv1(&user_info->lm_resp, lm_pw, &auth_context->challenge, - user_sess_key)) - { + user_sess_key)) { return NT_STATUS_OK; } } @@ -268,8 +256,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, nt_pw, &auth_context->challenge, user_info->smb_name.str, user_info->client_domain.str, - user_sess_key)) - { + user_sess_key)) { return NT_STATUS_OK; } @@ -278,8 +265,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, nt_pw, &auth_context->challenge, user_info->smb_name.str, "", - user_sess_key)) - { + user_sess_key)) { return NT_STATUS_OK; } @@ -287,12 +273,10 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, - I think this is related to Win9X pass-though authentication */ DEBUG(4,("sam_password_ok: Checking NT MD4 password in LM field\n")); - if (lp_ntlm_auth()) - { + if (lp_ntlm_auth()) { if (smb_pwd_check_ntlmv1(&user_info->lm_resp, nt_pw, &auth_context->challenge, - user_sess_key)) - { + user_sess_key)) { return NT_STATUS_OK; } DEBUG(3,("sam_password_ok: LM password, NT MD4 password in LM field and LMv2 failed for user %s\n",pdb_get_username(sampass))); 
@@ -313,6 +297,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, Do a specific test for a SAM_ACCOUNT being vaild for this connection (ie not disabled, expired and the like). ****************************************************************************/ + static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info) @@ -325,16 +310,22 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, /* Quit if the account was disabled. */ if (acct_ctrl & ACB_DISABLED) { - DEBUG(1,("Account for user '%s' was disabled.\n", pdb_get_username(sampass))); + DEBUG(1,("sam_account_ok: Account for user '%s' was disabled.\n", pdb_get_username(sampass))); return NT_STATUS_ACCOUNT_DISABLED; } + /* Quit if the account was locked out. */ + if (acct_ctrl & ACB_AUTOLOCK) { + DEBUG(1,("sam_account_ok: Account for user %s was locked out.\n", pdb_get_username(sampass))); + return NT_STATUS_ACCOUNT_LOCKED_OUT; + } + /* Test account expire time */ kickoff_time = pdb_get_kickoff_time(sampass); if (kickoff_time != 0 && time(NULL) > kickoff_time) { - DEBUG(1,("Account for user '%s' has expired.\n", pdb_get_username(sampass))); - DEBUG(3,("Account expired at '%ld' unix time.\n", (long)kickoff_time)); + DEBUG(1,("sam_account_ok: Account for user '%s' has expired.\n", pdb_get_username(sampass))); + DEBUG(3,("sam_account_ok: Account expired at '%ld' unix time.\n", (long)kickoff_time)); return NT_STATUS_ACCOUNT_EXPIRED; } 
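Review bot: In the second hunk on this line (`@@ -325,16 +310,22 @@`, `sam_account_ok`), the new `ACB_AUTOLOCK` test returns `NT_STATUS_ACCOUNT_LOCKED_OUT`, a status distinct from what the password check returns, and nothing in the hunk records when that status may be disclosed. The call order in `check_sam_security` is not visible here; if `sam_password_ok` runs before `sam_account_ok`, a locked account would still answer a wrong password with a logon failure and a right one with "locked out", so the lockout would not stop password guessing. I would state the intended order in a comment above the check, e.g. `/* Lockout must be enforced before the password comparison result can reach the client. */`, and confirm it against the caller. The new message also drops the quotes its siblings use; `Account for user '%s' was locked out.` keeps the log format uniform. The body of `sam_account_ok` starts and ends outside this hunk.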
@@ -344,14 +335,14 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, /* check for immediate expiry "must change at next logon" */ if (must_change_time == 0 && last_set_time != 0) { - DEBUG(1,("Account for user '%s' password must change!.\n", pdb_get_username(sampass))); + DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", pdb_get_username(sampass))); return NT_STATUS_PASSWORD_MUST_CHANGE; } /* check for expired password */ if (must_change_time < time(NULL) && must_change_time != 0) { - DEBUG(1,("Account for user '%s' password expired!.\n", pdb_get_username(sampass))); - DEBUG(1,("Password expired at '%s' (%ld) unix time.\n", http_timestring(must_change_time), (long)must_change_time)); + DEBUG(1,("sam_account_ok: Account for user '%s' password expired!.\n", pdb_get_username(sampass))); + DEBUG(1,("sam_account_ok: Password expired at '%s' (%ld) unix time.\n", http_timestring(must_change_time), (long)must_change_time)); return NT_STATUS_PASSWORD_EXPIRED; } } @@ -359,8 +350,8 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, /* Test workstation. Workstation list is comma separated. */ workstation_list = talloc_strdup(mem_ctx, pdb_get_workstations(sampass)); - - if (!workstation_list) return NT_STATUS_NO_MEMORY; + if (!workstation_list) + return NT_STATUS_NO_MEMORY; if (*workstation_list) { BOOL invalid_ws = True; @@ -369,7 +360,7 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, fstring tok; while (next_token(&s, tok, ",", sizeof(tok))) { - DEBUG(10,("checking for workstation match %s and %s (len=%d)\n", + DEBUG(10,("sam_account_ok: checking for workstation match %s and %s (len=%d)\n", tok, user_info->wksta_name.str, user_info->wksta_name.len)); if(strequal(tok, user_info->wksta_name.str)) { invalid_ws = False; 
@@ -399,7 +390,6 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } - /**************************************************************************** check if a username/password is OK assuming the password is a 24 byte SMB hash supplied in the user_info structure @@ -434,9 +424,8 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, ret = pdb_getsampwnam(sampass, user_info->internal_username.str); unbecome_root(); - if (ret == False) - { - DEBUG(3,("Couldn't find user '%s' in passdb file.\n", user_info->internal_username.str)); + if (ret == False) { + DEBUG(3,("check_sam_security: Couldn't find user '%s' in passdb file.\n", user_info->internal_username.str)); pdb_free_sam(&sampass); return NT_STATUS_NO_SUCH_USER; } diff --git a/source3/locking/locking.c b/source3/locking/locking.c index 4475f1446f..91bc20af90 100644 --- a/source3/locking/locking.c +++ b/source3/locking/locking.c @@ -419,10 +419,10 @@ int get_share_modes(connection_struct *conn, struct locking_data *data; int num_share_modes; share_mode_entry *shares = NULL; - + TDB_DATA key = locking_key(dev, inode); *pp_shares = NULL; - dbuf = tdb_fetch(tdb, locking_key(dev, inode)); + dbuf = tdb_fetch(tdb, key); if (!dbuf.dptr) return 0; @@ -469,7 +469,7 @@ int get_share_modes(connection_struct *conn, /* The record has shrunk a bit */ dbuf.dsize -= del_count * sizeof(share_mode_entry); - if (tdb_store(tdb, locking_key(dev, inode), dbuf, TDB_REPLACE) == -1) { + if (tdb_store(tdb, key, dbuf, TDB_REPLACE) == -1) { SAFE_FREE(shares); SAFE_FREE(dbuf.dptr); return 0; @@ -544,12 +544,13 @@ ssize_t del_share_entry( SMB_DEV_T dev, SMB_INO_T inode, int i, del_count=0; share_mode_entry *shares; ssize_t count = 0; + TDB_DATA key = locking_key(dev, inode); if (ppse) *ppse = NULL; /* read in the existing share modes */ - dbuf = tdb_fetch(tdb, locking_key(dev, inode)); + dbuf = tdb_fetch(tdb, key); if (!dbuf.dptr) return -1; 
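Review bot: In the `get_share_modes` hunk (`@@ -419,10 +419,10 @@`), the cached `TDB_DATA key = locking_key(dev, inode);` is reused for the later `tdb_store`, which is safe only if `key.dptr` stays valid and unchanged across the code in between; `locking_key()` is not shown on this page, so that lifetime needs confirming. If it hands back a pointer into static storage, any later `locking_key()` or `locking_key_fsp()` call on the path would silently retarget the cached key to another file's record before the store or delete, whereas the old code recomputed the key at each use. The same pattern is added in `del_share_entry`, `set_share_mode`, `mod_share_mode` and `modify_delete_flag` in the hunks that follow. A comment at each declaration such as `/* key.dptr belongs to locking_key(); valid only until its next call */` would record the constraint. All of these function bodies extend beyond their hunks.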
@@ -590,10 +591,10 @@ ssize_t del_share_entry( SMB_DEV_T dev, SMB_INO_T inode, /* store it back in the database */ if (data->u.num_share_mode_entries == 0) { - if (tdb_delete(tdb, locking_key(dev, inode)) == -1) + if (tdb_delete(tdb, key) == -1) count = -1; } else { - if (tdb_store(tdb, locking_key(dev, inode), dbuf, TDB_REPLACE) == -1) + if (tdb_store(tdb, key, dbuf, TDB_REPLACE) == -1) count = -1; } } @@ -630,10 +631,11 @@ BOOL set_share_mode(files_struct *fsp, uint16 port, uint16 op_type) struct locking_data *data; char *p=NULL; int size; + TDB_DATA key = locking_key_fsp(fsp); BOOL ret = True; /* read in the existing share modes if any */ - dbuf = tdb_fetch(tdb, locking_key_fsp(fsp)); + dbuf = tdb_fetch(tdb, key); if (!dbuf.dptr) { size_t offset; /* we'll need to create a new record */ @@ -658,7 +660,7 @@ BOOL set_share_mode(files_struct *fsp, uint16 port, uint16 op_type) fill_share_mode(p + sizeof(*data), fsp, port, op_type); dbuf.dptr = p; dbuf.dsize = size; - if (tdb_store(tdb, locking_key_fsp(fsp), dbuf, TDB_REPLACE) == -1) + if (tdb_store(tdb, key, dbuf, TDB_REPLACE) == -1) ret = False; print_share_mode_table((struct locking_data *)p); @@ -688,7 +690,7 @@ BOOL set_share_mode(files_struct *fsp, uint16 port, uint16 op_type) SAFE_FREE(dbuf.dptr); dbuf.dptr = p; dbuf.dsize = size; - if (tdb_store(tdb, locking_key_fsp(fsp), dbuf, TDB_REPLACE) == -1) + if (tdb_store(tdb, key, dbuf, TDB_REPLACE) == -1) ret = False; print_share_mode_table((struct locking_data *)p); SAFE_FREE(p); @@ -709,9 +711,10 @@ static BOOL mod_share_mode( SMB_DEV_T dev, SMB_INO_T inode, share_mode_entry *en share_mode_entry *shares; BOOL need_store=False; BOOL ret = True; + TDB_DATA key = locking_key(dev, inode); /* read in the existing share modes */ - dbuf = tdb_fetch(tdb, locking_key(dev, inode)); + dbuf = tdb_fetch(tdb, key); if (!dbuf.dptr) return False; 
@@ -729,10 +732,10 @@ static BOOL mod_share_mode( SMB_DEV_T dev, SMB_INO_T inode, share_mode_entry *en /* if the mod fn was called then store it back */ if (need_store) { if (data->u.num_share_mode_entries == 0) { - if (tdb_delete(tdb, locking_key(dev, inode)) == -1) + if (tdb_delete(tdb, key) == -1) ret = False; } else { - if (tdb_store(tdb, locking_key(dev, inode), dbuf, TDB_REPLACE) == -1) + if (tdb_store(tdb, key, dbuf, TDB_REPLACE) == -1) ret = False; } } @@ -808,9 +811,10 @@ BOOL modify_delete_flag( SMB_DEV_T dev, SMB_INO_T inode, BOOL delete_on_close) struct locking_data *data; int i; share_mode_entry *shares; + TDB_DATA key = locking_key(dev, inode); /* read in the existing share modes */ - dbuf = tdb_fetch(tdb, locking_key(dev, inode)); + dbuf = tdb_fetch(tdb, key); if (!dbuf.dptr) return False; @@ -826,7 +830,7 @@ BOOL modify_delete_flag( SMB_DEV_T dev, SMB_INO_T inode, BOOL delete_on_close) /* store it back */ if (data->u.num_share_mode_entries) { - if (tdb_store(tdb, locking_key(dev,inode), dbuf, TDB_REPLACE)==-1) { + if (tdb_store(tdb, key, dbuf, TDB_REPLACE)==-1) { SAFE_FREE(dbuf.dptr); return False; } |