summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>1998-11-07 05:32:37 +0000
committerJeremy Allison <jra@samba.org>1998-11-07 05:32:37 +0000
commit548b417d404a2653ebb5918b0c169ccdfafe856f (patch)
tree9e76b99787bc8ac79d60ab770b86b8b84906ee89
parentf7580666de5fdd830178f97971d6fe3fa1238b34 (diff)
downloadsamba-548b417d404a2653ebb5918b0c169ccdfafe856f.tar.gz
samba-548b417d404a2653ebb5918b0c169ccdfafe856f.tar.bz2
samba-548b417d404a2653ebb5918b0c169ccdfafe856f.zip
codepages/codepage_def.936: Updated comment.
param/loadparm.c: Removed "networkstation user login", "domain controller", and "domain sid" parameters. passdb/passdb.c: Removed "networkstation user login" code and changed bug test code to only check once for a bad password server. This will stop the complaints of many "bad login" audit records in NT PDC logs. utils/smbpasswd.c: Removed check for "domain controller". Jeremy. (This used to be commit d6e6e936b5dd90dd8fc38d9404efbe5c546c15e5)
-rw-r--r--source3/codepages/codepage_def.9362
-rw-r--r--source3/param/loadparm.c11
-rw-r--r--source3/passdb/passdb.c8
-rw-r--r--source3/smbd/password.c162
-rw-r--r--source3/utils/smbpasswd.c6
5 files changed, 80 insertions, 109 deletions
diff --git a/source3/codepages/codepage_def.936 b/source3/codepages/codepage_def.936
index 25a317ffea..400b60a633 100644
--- a/source3/codepages/codepage_def.936
+++ b/source3/codepages/codepage_def.936
@@ -14,7 +14,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
-# Codepage definition file for IBM Code Page 949 - MS-DOS Simplified Chinese.
+# Codepage definition file for IBM Code Page 936 - MS-DOS Simplified Chinese.
# defines lower->upper mapping.
# Written by Jeremy Allison <jallison@whistle.com>
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 37e53f437e..fcdc2ae68d 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -145,7 +145,6 @@ typedef struct
char *szNISHomeMapName;
char *szAnnounceVersion; /* This is initialised in init_globals */
char *szNetbiosAliases;
- char *szDomainSID;
char *szDomainOtherSIDs;
char *szDomainGroups;
char *szDriverFile;
@@ -207,7 +206,6 @@ typedef struct
BOOL bWINSproxy;
BOOL bLocalMaster;
BOOL bPreferredMaster;
- BOOL bDomainController;
BOOL bDomainMaster;
BOOL bDomainLogons;
BOOL bEncryptPasswords;
@@ -226,7 +224,6 @@ typedef struct
BOOL bNISHomeMap;
BOOL bTimeServer;
BOOL bBindInterfacesOnly;
- BOOL bNetWkstaUserLogon;
BOOL bUnixPasswdSync;
BOOL bPasswdChatDebug;
BOOL bOleLockingCompat;
@@ -577,7 +574,6 @@ static struct parm_struct parm_table[] =
{"read bmpx", P_BOOL, P_GLOBAL, &Globals.bReadbmpx, NULL, NULL, 0},
{"read raw", P_BOOL, P_GLOBAL, &Globals.bReadRaw, NULL, NULL, 0},
{"write raw", P_BOOL, P_GLOBAL, &Globals.bWriteRaw, NULL, NULL, 0},
- {"networkstation user login", P_BOOL,P_GLOBAL, &Globals.bNetWkstaUserLogon,NULL, NULL, 0},
{"nt smb support", P_BOOL, P_GLOBAL, &Globals.bNTSmbSupport, NULL, NULL, 0},
{"nt pipe support", P_BOOL, P_GLOBAL, &Globals.bNTPipeSupport, NULL, NULL, 0},
{"announce version", P_STRING, P_GLOBAL, &Globals.szAnnounceVersion, NULL, NULL, 0},
@@ -659,9 +655,7 @@ static struct parm_struct parm_table[] =
{"stat cache", P_BOOL, P_GLOBAL, &Globals.bStatCache, NULL, NULL, 0},
{"Domain Options", P_SEP, P_SEPARATOR},
- {"domain sid", P_USTRING, P_GLOBAL, &Globals.szDomainSID, NULL, NULL, 0},
{"domain groups", P_STRING, P_GLOBAL, &Globals.szDomainGroups, NULL, NULL, 0},
- {"domain controller",P_BOOL , P_GLOBAL, &Globals.bDomainController,NULL, NULL, 0},
{"domain admin group",P_STRING, P_GLOBAL, &Globals.szDomainAdminGroup, NULL, NULL, 0},
{"domain guest group",P_STRING, P_GLOBAL, &Globals.szDomainGuestGroup, NULL, NULL, 0},
{"domain admin users",P_STRING, P_GLOBAL, &Globals.szDomainAdminUsers, NULL, NULL, 0},
@@ -866,8 +860,6 @@ static void init_globals(void)
Globals.client_code_page = DEFAULT_CLIENT_CODE_PAGE;
Globals.bTimeServer = False;
Globals.bBindInterfacesOnly = False;
- Globals.bNetWkstaUserLogon = False; /* This is now set to false by default as
- the code in password.c protects us from this bug. */
Globals.bUnixPasswdSync = False;
Globals.bPasswdChatDebug = False;
Globals.bOleLockingCompat = True;
@@ -1105,7 +1097,6 @@ FN_GLOBAL_STRING(lp_netbios_aliases,&Globals.szNetbiosAliases)
FN_GLOBAL_STRING(lp_driverfile,&Globals.szDriverFile)
FN_GLOBAL_STRING(lp_panic_action,&Globals.szPanicAction)
-FN_GLOBAL_STRING(lp_domain_sid,&Globals.szDomainSID)
FN_GLOBAL_STRING(lp_domain_groups,&Globals.szDomainGroups)
FN_GLOBAL_STRING(lp_domain_admin_group,&Globals.szDomainAdminGroup)
FN_GLOBAL_STRING(lp_domain_guest_group,&Globals.szDomainGuestGroup)
@@ -1142,7 +1133,6 @@ FN_GLOBAL_BOOL(lp_wins_support,&Globals.bWINSsupport)
FN_GLOBAL_BOOL(lp_we_are_a_wins_server,&Globals.bWINSsupport)
FN_GLOBAL_BOOL(lp_wins_proxy,&Globals.bWINSproxy)
FN_GLOBAL_BOOL(lp_local_master,&Globals.bLocalMaster)
-FN_GLOBAL_BOOL(lp_domain_controller,&Globals.bDomainController)
FN_GLOBAL_BOOL(lp_domain_master,&Globals.bDomainMaster)
FN_GLOBAL_BOOL(lp_domain_logons,&Globals.bDomainLogons)
FN_GLOBAL_BOOL(lp_preferred_master,&Globals.bPreferredMaster)
@@ -1163,7 +1153,6 @@ FN_GLOBAL_BOOL(lp_unix_realname,&Globals.bUnixRealname)
FN_GLOBAL_BOOL(lp_nis_home_map,&Globals.bNISHomeMap)
static FN_GLOBAL_BOOL(lp_time_server,&Globals.bTimeServer)
FN_GLOBAL_BOOL(lp_bind_interfaces_only,&Globals.bBindInterfacesOnly)
-FN_GLOBAL_BOOL(lp_net_wksta_user_logon,&Globals.bNetWkstaUserLogon)
FN_GLOBAL_BOOL(lp_unix_password_sync,&Globals.bUnixPasswdSync)
FN_GLOBAL_BOOL(lp_passwd_chat_debug,&Globals.bPasswdChatDebug)
FN_GLOBAL_BOOL(lp_ole_locking_compat,&Globals.bOleLockingCompat)
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index aae59b32f6..f29a9ff570 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -875,13 +875,11 @@ BOOL pdb_generate_sam_sid(void)
}
/*
- * The file contains no data - we may need to generate our
- * own sid. Try the lp_domain_sid() first.
+ * The file contains no data - we need to generate our
+ * own sid.
*/
- if(*lp_domain_sid())
- fstrcpy( sid_string, lp_domain_sid());
- else {
+ {
/*
* Generate the new sid data & turn it into a string.
*/
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index 95560df66b..d49ea7c562 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -1036,114 +1036,98 @@ BOOL server_validate(char *user, char *domain,
char *pass, int passlen,
char *ntpass, int ntpasslen)
{
- struct cli_state *cli;
- extern fstring local_machine;
- static unsigned char badpass[24];
- cli = server_client();
+ struct cli_state *cli;
+ extern fstring local_machine;
+ static unsigned char badpass[24];
+ static BOOL tested_password_server = False;
+ static BOOL bad_password_server = False;
- if (!cli->initialised) {
- DEBUG(1,("password server %s is not connected\n", cli->desthost));
- return(False);
- }
+ cli = server_client();
- if(badpass[0] == 0) {
- memset(badpass, 0x1f, sizeof(badpass));
- }
+ if (!cli->initialised) {
+ DEBUG(1,("password server %s is not connected\n", cli->desthost));
+ return(False);
+ }
- if((passlen == sizeof(badpass)) && !memcmp(badpass, pass, passlen)) {
- /* Very unlikely, our random bad password is the same as the users
- password. */
- memset(badpass, badpass[0]+1, sizeof(badpass));
- }
+ if(badpass[0] == 0)
+ memset(badpass, 0x1f, sizeof(badpass));
- /*
- * Attempt a session setup with a totally incorrect password.
- * If this succeeds with the guest bit *NOT* set then the password
- * server is broken and is not correctly setting the guest bit. We
- * need to detect this as some versions of NT4.x are broken. JRA.
- */
+ if((passlen == sizeof(badpass)) && !memcmp(badpass, pass, passlen)) {
+ /*
+ * Very unlikely, our random bad password is the same as the users
+ * password. */
+ memset(badpass, badpass[0]+1, sizeof(badpass));
+ }
- if (cli_session_setup(cli, user, (char *)badpass, sizeof(badpass),
- (char *)badpass, sizeof(badpass), domain)) {
- if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) {
- DEBUG(0,("server_validate: password server %s allows users as non-guest \
-with a bad password.\n", cli->desthost));
- DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
-use this machine as the password server.\n"));
- cli_ulogoff(cli);
- return False;
- }
- cli_ulogoff(cli);
- }
+ /*
+ * Attempt a session setup with a totally incorrect password.
+ * If this succeeds with the guest bit *NOT* set then the password
+ * server is broken and is not correctly setting the guest bit. We
+ * need to detect this as some versions of NT4.x are broken. JRA.
+ */
- /*
- * Now we know the password server will correctly set the guest bit, or is
- * not guest enabled, we can try with the real password.
- */
+ if(!tested_password_server) {
+ if (cli_session_setup(cli, user, (char *)badpass, sizeof(badpass),
+ (char *)badpass, sizeof(badpass), domain)) {
- if (!cli_session_setup(cli, user, pass, passlen, ntpass, ntpasslen, domain)) {
- DEBUG(1,("password server %s rejected the password\n", cli->desthost));
- return False;
- }
+ /*
+ * We connected to the password server so we
+ * can say we've tested it.
+ */
+ tested_password_server = True;
- /* if logged in as guest then reject */
- if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) {
- DEBUG(1,("password server %s gave us guest only\n", cli->desthost));
- cli_ulogoff(cli);
- return(False);
- }
+ if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) {
+ DEBUG(0,("server_validate: password server %s allows users as non-guest \
+with a bad password.\n", cli->desthost));
+ DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \
+use this machine as the password server.\n"));
+ cli_ulogoff(cli);
/*
- * This patch from Rob Nielsen <ran@adc.com> makes doing
- * the NetWksaUserLogon a dynamic, rather than compile-time
- * parameter, defaulting to on. This is somewhat dangerous
- * as it allows people to turn off this neccessary check,
- * but so many people have had problems with this that I
- * think it is a neccessary change. JRA.
+ * Password server has the bug.
*/
+ bad_password_server = True;
+ return False;
+ }
+ cli_ulogoff(cli);
+ }
+ } else {
- if (lp_net_wksta_user_logon()) {
- DEBUG(3,("trying NetWkstaUserLogon with password server %s\n", cli->desthost));
+ /*
+ * We have already tested the password server.
+ * Fail immediately if it has the bug.
+ */
- if (!cli_send_tconX(cli, "IPC$", "IPC", "", 1)) {
- DEBUG(0,("password server %s refused IPC$ connect\n", cli->desthost));
- cli_ulogoff(cli);
- return False;
- }
+ if(bad_password_server) {
+ DEBUG(0,("server_validate: [1] password server %s allows users as non-guest \
+with a bad password.\n", cli->desthost));
+ DEBUG(0,("server_validate: [1] This is broken (and insecure) behaviour. Please do not \
+use this machine as the password server.\n"));
+ return False;
+ }
+ }
- if (!cli_NetWkstaUserLogon(cli,user,local_machine)) {
- DEBUG(0,("password server %s failed NetWkstaUserLogon\n", cli->desthost));
- cli_tdis(cli);
- cli_ulogoff(cli);
- return False;
- }
+ /*
+ * Now we know the password server will correctly set the guest bit, or is
+ * not guest enabled, we can try with the real password.
+ */
- if (cli->privilages == 0) {
- DEBUG(0,("password server %s gave guest privilages\n", cli->desthost));
- cli_tdis(cli);
- cli_ulogoff(cli);
- return False;
- }
+ if (!cli_session_setup(cli, user, pass, passlen, ntpass, ntpasslen, domain)) {
+ DEBUG(1,("password server %s rejected the password\n", cli->desthost));
+ return False;
+ }
- if (!strequal(cli->eff_name, user)) {
- DEBUG(0,("password server %s gave different username %s\n",
- cli->desthost,
- cli->eff_name));
- cli_tdis(cli);
- cli_ulogoff(cli);
- return False;
- }
- cli_tdis(cli);
- }
- else {
- DEBUG(3,("skipping NetWkstaUserLogon with password server %s\n", cli->desthost));
- }
+ /* if logged in as guest then reject */
+ if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) {
+ DEBUG(1,("password server %s gave us guest only\n", cli->desthost));
+ cli_ulogoff(cli);
+ return(False);
+ }
- DEBUG(3,("password server %s accepted the password\n", cli->desthost));
- cli_ulogoff(cli);
+ cli_ulogoff(cli);
- return(True);
+ return(True);
}
/***********************************************************************
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
index 147e3492af..b27bbbbd3b 100644
--- a/source3/utils/smbpasswd.c
+++ b/source3/utils/smbpasswd.c
@@ -60,9 +60,9 @@ static int join_domain( char *domain, char *remote)
domain if we are locally set up as a domain
controller. */
- if(lp_domain_controller() && strequal(lp_workgroup(), domain)) {
- fprintf(stderr, "%s: Cannot join domain %s as we already configured as \
-domain controller for that domain.\n", prog_name, domain);
+ if(strequal(remote, global_myname)) {
+ fprintf(stderr, "%s: Cannot join domain %s as the domain controller name is our own. \
+We cannot be a domain controller for a domain and also be a domain member.\n", prog_name, domain);
return 1;
}