summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2003-06-30 17:24:59 +0000
committerGerald Carter <jerry@samba.org>2003-06-30 17:24:59 +0000
commitf2659351017a8b2ec12548a3967cdf2767738e08 (patch)
treef552a2a0cea5192d7aa01af3daac2beb43eb9b50
parent1d8cd8faf620cb068d740d8fad7968525d45e83a (diff)
downloadsamba-f2659351017a8b2ec12548a3967cdf2767738e08.tar.gz
samba-f2659351017a8b2ec12548a3967cdf2767738e08.tar.bz2
samba-f2659351017a8b2ec12548a3967cdf2767738e08.zip
* rename samstrict auth method to sam
* rename original sam auth method to sam_ignoredomain * remove samstrict_dc auth method (now covered by 'sam') * fix wbinfo -a '...' and getent passwd bugs when running winbindd on a samba PDC (reported by Volker) (This used to be commit 52166faee793d337e045d64f7cb27ea7ac895f60)
-rw-r--r--source3/auth/auth_sam.c85
-rw-r--r--source3/auth/auth_util.c4
-rw-r--r--source3/include/smb_macros.h7
-rw-r--r--source3/nsswitch/winbindd_group.c11
-rw-r--r--source3/nsswitch/winbindd_pam.c151
-rw-r--r--source3/nsswitch/winbindd_user.c11
6 files changed, 132 insertions, 137 deletions
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index 161376616b..1690e4d5e1 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -4,6 +4,7 @@
Copyright (C) Andrew Tridgell 1992-2000
Copyright (C) Luke Kenneth Casson Leighton 1996-2000
Copyright (C) Andrew Bartlett 2001
+ Copyright (C) Gerald Carter 2003
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -470,14 +471,14 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
}
/* module initialisation */
-static NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
+static NTSTATUS auth_init_sam_ignoredomain(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
{
if (!make_auth_methods(auth_context, auth_method)) {
return NT_STATUS_NO_MEMORY;
}
(*auth_method)->auth = check_sam_security;
- (*auth_method)->name = "sam";
+ (*auth_method)->name = "sam_ignoredomain";
return NT_STATUS_OK;
}
@@ -492,83 +493,55 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context
const auth_usersupplied_info *user_info,
auth_serversupplied_info **server_info)
{
+ BOOL is_local_name, is_my_domain;
if (!user_info || !auth_context) {
return NT_STATUS_LOGON_FAILURE;
}
- /* If we are a domain member, we must not
- attempt to check the password locally,
- unless it is one of our aliases. */
+ is_local_name = is_myname(user_info->domain.str);
+ is_my_domain = strequal(user_info->domain.str, lp_workgroup());
+
+ /* check whether or not we service this domain/workgroup name */
- if (!is_myname(user_info->domain.str)) {
- DEBUG(7,("The requested user domain is not the local server name. [%s]\\[%s]\n",
- user_info->domain.str,user_info->internal_username.str));
- return NT_STATUS_NO_SUCH_USER;
+ switch ( lp_server_role() ) {
+ case ROLE_STANDALONE:
+ case ROLE_DOMAIN_MEMBER:
+ if ( !is_local_name ) {
+ DEBUG(6,("check_samstrict_security: %s is not one of my local names (%s)\n",
+ user_info->domain.str, (lp_server_role() == ROLE_DOMAIN_MEMBER
+ ? "ROLE_DOMAIN_MEMBER" : "ROLE_STANDALONE") ));
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+ case ROLE_DOMAIN_PDC:
+ case ROLE_DOMAIN_BDC:
+ if ( !is_local_name && !is_my_domain ) {
+ DEBUG(6,("check_samstrict_security: %s is not one of my local names or domain name (DC)\n",
+ user_info->domain.str));
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+ default: /* name is ok */
+ break;
}
return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, server_info);
}
/* module initialisation */
-static NTSTATUS auth_init_samstrict(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
+static NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
{
if (!make_auth_methods(auth_context, auth_method)) {
return NT_STATUS_NO_MEMORY;
}
(*auth_method)->auth = check_samstrict_security;
- (*auth_method)->name = "samstrict";
- return NT_STATUS_OK;
-}
-
-/****************************************************************************
-Check SAM security (above) but with a few extra checks if we're a DC.
-****************************************************************************/
-
-static NTSTATUS check_samstrict_dc_security(const struct auth_context *auth_context,
- void *my_private_data,
- TALLOC_CTX *mem_ctx,
- const auth_usersupplied_info *user_info,
- auth_serversupplied_info **server_info)
-{
-
- if (!user_info || !auth_context) {
- return NT_STATUS_LOGON_FAILURE;
- }
-
- /* If we are a PDC we must not check the password here
- unless it is one of our aliases, empty
- or equal to our domain name. Other names may be
- Trusted domains.
- */
-
- if ((!is_myworkgroup(user_info->domain.str))&&
- (!is_myname(user_info->domain.str))) {
- DEBUG(7,("The requested user domain is not the local server name or our domain. [%s]\\[%s]\n",
- user_info->domain.str,user_info->internal_username.str));
- return NT_STATUS_NO_SUCH_USER;
- }
-
- return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, server_info);
-}
-
-/* module initialisation */
-static NTSTATUS auth_init_samstrict_dc(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
-{
- if (!make_auth_methods(auth_context, auth_method)) {
- return NT_STATUS_NO_MEMORY;
- }
-
- (*auth_method)->auth = check_samstrict_dc_security;
- (*auth_method)->name = "samstrict_dc";
+ (*auth_method)->name = "sam";
return NT_STATUS_OK;
}
NTSTATUS auth_sam_init(void)
{
- smb_register_auth(AUTH_INTERFACE_VERSION, "samstrict_dc", auth_init_samstrict_dc);
- smb_register_auth(AUTH_INTERFACE_VERSION, "samstrict", auth_init_samstrict);
smb_register_auth(AUTH_INTERFACE_VERSION, "sam", auth_init_sam);
+ smb_register_auth(AUTH_INTERFACE_VERSION, "sam_ignoredomain", auth_init_sam_ignoredomain);
return NT_STATUS_OK;
}
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 71fdb0050b..1538fc50a1 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -216,8 +216,8 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
/* do what win2k does. Always map unknown domains to our own
and let the "passdb backend" handle unknown users */
- if ( !is_trusted_domain(domain) )
- domain = lp_workgroup();
+ if ( !is_trusted_domain(domain) )
+ domain = get_global_sam_name();
/* we know that it is a trusted domain (and we are allowing them) or it is our domain */
diff --git a/source3/include/smb_macros.h b/source3/include/smb_macros.h
index 7fcf872b60..40b114a6b9 100644
--- a/source3/include/smb_macros.h
+++ b/source3/include/smb_macros.h
@@ -248,4 +248,11 @@ copy an IP address from one buffer to another
#define dos_format(fname) string_replace(fname,'/','\\')
+/*****************************************************************************
+ Check to see if we are a DO for this domain
+*****************************************************************************/
+
+#define IS_DC_FOR_DOMAIN(x) ( (lp_server_role()==ROLE_DOMAIN_PDC || lp_server_role()==ROLE_DOMAIN_BDC) \
+ && strequal((x), lp_workgroup()) )
+
#endif /* _SMB_MACROS_H */
diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c
index 265297ca08..70c8de6ee9 100644
--- a/source3/nsswitch/winbindd_group.c
+++ b/source3/nsswitch/winbindd_group.c
@@ -5,6 +5,7 @@
Copyright (C) Tim Potter 2000
Copyright (C) Jeremy Allison 2001.
+ Copyright (C) Gerald (Jerry) Carter 2003.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -216,9 +217,7 @@ enum winbindd_result winbindd_getgrnam(struct winbindd_cli_state *state)
/* don't handle our own domain if we are a DC. This code handles cases where
the account doesn't exist anywhere and gets passed on down the NSS layer */
- if ( ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role()==ROLE_DOMAIN_BDC)) &&
- strequal(name_domain, lp_workgroup()) )
- {
+ if ( IS_DC_FOR_DOMAIN(domain->name) ) {
DEBUG(7,("winbindd_getgrnam: rejecting getpwnam() for %s\\%s since I am on the PDC for this domain\n",
name_domain, name_group));
return WINBINDD_ERROR;
@@ -370,6 +369,12 @@ enum winbindd_result winbindd_setgrent(struct winbindd_cli_state *state)
for (domain = domain_list(); domain != NULL; domain = domain->next) {
struct getent_state *domain_state;
+
+ /* don't add our domaina if we are a PDC */
+
+ if ( IS_DC_FOR_DOMAIN(domain->name) )
+ continue;
+
/* Create a state record for this domain */
if ((domain_state = (struct getent_state *)
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index a3b0849721..3099944301 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -1,4 +1,4 @@
-/*
+/*
Unix SMB/CIFS implementation.
Winbind daemon - pam auth funcions
@@ -53,7 +53,61 @@ static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
-/* Return a password structure from a username. */
+/*******************************************************************
+ wrapper around retreiving the trsut account password
+*******************************************************************/
+
+static BOOL get_trust_pw(const char *domain, uint8 ret_pwd[16],
+ time_t *pass_last_set_time, uint32 *channel)
+{
+ DOM_SID sid;
+ char *pwd;
+
+ if ( lp_server_role()==ROLE_DOMAIN_MEMBER || strequal(domain, lp_workgroup()) )
+ {
+ /*
+ * Get the machine account password for the domain to contact.
+ * This is either our own domain for a workstation, or possibly
+ * any domain for a PDC with trusted domains.
+ */
+
+ if ( !secrets_fetch_trust_account_password (domain, ret_pwd,
+ pass_last_set_time, channel) )
+ {
+ DEBUG(0, ("get_trust_pw: could not fetch trust account "
+ "password for my domain %s\n", domain));
+ return False;
+ }
+
+ return True;
+ }
+ else if ( lp_allow_trusted_domains() )
+ {
+ /* if we are not a domain member, then we must be a DC and
+ this must be a trusted domain */
+
+ if ( !secrets_fetch_trusted_domain_password(domain, &pwd, &sid,
+ pass_last_set_time) )
+ {
+ DEBUG(0, ("get_trust_pw: could not fetch trust account "
+ "password for trusted domain %s\n", domain));
+ return False;
+ }
+
+ *channel = SEC_CHAN_DOMAIN;
+ E_md4hash(pwd, ret_pwd);
+ SAFE_FREE(pwd);
+
+ return True;
+ }
+
+ /* Failure */
+ return False;
+}
+
+/**********************************************************************
+ Authenticate a user with a clear test password
+**********************************************************************/
enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
{
@@ -70,6 +124,8 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
DATA_BLOB nt_resp;
DOM_CRED ret_creds;
int attempts = 0;
+ unsigned char local_lm_response[24];
+ unsigned char local_nt_response[24];
/* Ensure null termination */
state->request.data.auth.user[sizeof(state->request.data.auth.user)-1]='\0';
@@ -95,38 +151,29 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
goto done;
}
- {
- unsigned char local_lm_response[24];
- unsigned char local_nt_response[24];
-
- generate_random_buffer(chal, 8, False);
- SMBencrypt(state->request.data.auth.pass, chal, local_lm_response);
+ /* do password magic */
+
+ generate_random_buffer(chal, 8, False);
+ SMBencrypt(state->request.data.auth.pass, chal, local_lm_response);
- SMBNTencrypt(state->request.data.auth.pass, chal, local_nt_response);
+ SMBNTencrypt(state->request.data.auth.pass, chal, local_nt_response);
- lm_resp = data_blob_talloc(mem_ctx, local_lm_response, sizeof(local_lm_response));
- nt_resp = data_blob_talloc(mem_ctx, local_nt_response, sizeof(local_nt_response));
- }
+ lm_resp = data_blob_talloc(mem_ctx, local_lm_response, sizeof(local_lm_response));
+ nt_resp = data_blob_talloc(mem_ctx, local_nt_response, sizeof(local_nt_response));
- /*
- * Get the machine account password for our primary domain
- */
-
- if (!secrets_fetch_trust_account_password(
- lp_workgroup(), trust_passwd, &last_change_time,
- &sec_channel_type)) {
- DEBUG(0, ("winbindd_pam_auth: could not fetch trust account "
- "password for domain %s\n", lp_workgroup()));
+ if ( !get_trust_pw(name_domain, trust_passwd, &last_change_time, &sec_channel_type) ) {
result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
goto done;
}
+ /* check authentication loop */
+
do {
ZERO_STRUCT(info3);
ZERO_STRUCT(ret_creds);
/* Don't shut this down - it belongs to the connection cache code */
- result = cm_get_netlogon_cli(lp_workgroup(), trust_passwd,
+ result = cm_get_netlogon_cli(name_domain, trust_passwd,
sec_channel_type, False, &cli);
if (!NT_STATUS_IS_OK(result)) {
@@ -173,8 +220,10 @@ done:
return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
}
-
-/* Challenge Response Authentication Protocol */
+
+/**********************************************************************
+ Challenge Response Authentication Protocol
+**********************************************************************/
enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
{
@@ -187,7 +236,6 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
TALLOC_CTX *mem_ctx = NULL;
char *user = NULL;
const char *domain = NULL;
- const char *contact_domain;
const char *workstation;
DOM_CRED ret_creds;
int attempts = 0;
@@ -235,52 +283,10 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
DEBUG(3, ("[%5d]: pam auth crap domain: %s user: %s\n", state->pid,
domain, user));
-
- /* check our role as a domain member first */
- if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
- if ( !lp_allow_trusted_domains() && !strequal(domain, lp_workgroup()) ) {
- DEBUG(5,("winbindd_pam_auth_crap: failing autghentication becuase of disallowed trust domains\n"));
- result = NT_STATUS_LOGON_FAILURE;
- goto done;
- }
-
- contact_domain = domain;
-
- /*
- * Get the machine account password for the domain to contact.
- * This is either our own domain for a workstation, or possibly
- * any domain for a PDC with trusted domains.
- */
-
- if (!secrets_fetch_trust_account_password (contact_domain,
- trust_passwd,
- &last_change_time,
- &sec_channel_type)) {
- DEBUG(0, ("winbindd_pam_auth_crap: could not fetch trust account "
- "password for domain %s\n", contact_domain));
- result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- goto done;
- }
- }
- else if ( lp_allow_trusted_domains() ) {
- /* if we are not a domain member, then we must be a DC. Must never
- see a logon for our domain */
- DOM_SID sid;
- char *pwd;
- contact_domain = domain;
-
- if (!secrets_fetch_trusted_domain_password (contact_domain,
- &pwd, &sid,
- &last_change_time)) {
- DEBUG(0, ("winbindd_pam_auth_crap: could not fetch trust account "
- "password for domain %s\n", contact_domain));
- result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- goto done;
- }
- sec_channel_type = SEC_CHAN_DOMAIN;
- E_md4hash(pwd, trust_passwd);
- SAFE_FREE(pwd);
-
+
+ if ( !get_trust_pw(domain, trust_passwd, &last_change_time, &sec_channel_type) ) {
+ result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ goto done;
}
if (*state->request.data.auth_crap.workstation) {
@@ -310,8 +316,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
ZERO_STRUCT(ret_creds);
/* Don't shut this down - it belongs to the connection cache code */
- result = cm_get_netlogon_cli(contact_domain, trust_passwd,
- sec_channel_type, False, &cli);
+ result = cm_get_netlogon_cli(domain, trust_passwd, sec_channel_type, False, &cli);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n",
diff --git a/source3/nsswitch/winbindd_user.c b/source3/nsswitch/winbindd_user.c
index 518f335f27..9d9360a6fa 100644
--- a/source3/nsswitch/winbindd_user.c
+++ b/source3/nsswitch/winbindd_user.c
@@ -5,6 +5,7 @@
Copyright (C) Tim Potter 2000
Copyright (C) Jeremy Allison 2001.
+ Copyright (C) Gerald (Jerry) Carter 2003.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -118,9 +119,7 @@ enum winbindd_result winbindd_getpwnam(struct winbindd_cli_state *state)
/* don't handle our own domain if we are a DC. This code handles cases where
the account doesn't exist anywhere and gets passed on down the NSS layer */
- if ( ((lp_server_role() == ROLE_DOMAIN_PDC) || (lp_server_role()==ROLE_DOMAIN_BDC)) &&
- strequal(name_domain, lp_workgroup()) )
- {
+ if ( IS_DC_FOR_DOMAIN(domain->name) ) {
DEBUG(7,("winbindd_getpwnam: rejecting getpwnam() for %s\\%s since I am on the PDC for this domain\n",
name_domain, name_user));
return WINBINDD_ERROR;
@@ -296,6 +295,12 @@ enum winbindd_result winbindd_setpwent(struct winbindd_cli_state *state)
for(domain = domain_list(); domain != NULL; domain = domain->next) {
struct getent_state *domain_state;
+
+ /* don't add our domaina if we are a PDC */
+
+ if ( IS_DC_FOR_DOMAIN( domain->name ) )
+ continue;
+
/* Create a state record for this domain */
if ((domain_state = (struct getent_state *)