authorAndreas Schneider <asn@samba.org>2011-06-08 18:55:37 +0200
committerAndrew Bartlett <abartlet@samba.org>2011-07-04 18:28:02 +1000
commit7e46a84bb769c2e781e2650b4227b05ee3cb9635 (patch)
tree43e3d5397c37d018d116dec3a96146a2788eb903
parent45f70db01070cfb0cdfb6ae0e8ee64da2bf42fc0 (diff)
s3-auth: Pass the remote_address down to user_info.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--source3/auth/auth.c16
-rw-r--r--source3/auth/auth_compat.c45
-rw-r--r--source3/auth/auth_ntlmssp.c4
-rw-r--r--source3/auth/auth_util.c19
-rw-r--r--source3/auth/proto.h16
-rw-r--r--source3/auth/user_info.c5
-rw-r--r--source3/rpc_server/netlogon/srv_netlog_nt.c2
-rw-r--r--source3/smbd/password.c16
-rw-r--r--source3/smbd/sesssetup.c12
-rw-r--r--source3/winbindd/winbindd_pam.c15
10 files changed, 121 insertions, 29 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index dbe337faa8..0f661a953f 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -19,7 +19,7 @@
#include "includes.h"
#include "auth.h"
-#include "smbd/globals.h"
+#include "../lib/tsocket/tsocket.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
@@ -284,11 +284,19 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
if (NT_STATUS_IS_OK(nt_status)) {
unix_username = (*server_info)->unix_name;
if (!(*server_info)->guest) {
+ char *rhost;
+ int rc;
+
+ rhost = tsocket_address_inet_addr_string(user_info->remote_host,
+ talloc_tos());
+ if (rhost == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
/* We might not be root if we are an RPC call */
become_root();
- nt_status = smb_pam_accountcheck(
- unix_username,
- smbd_server_conn->client_id.name);
+ nt_status = smb_pam_accountcheck(unix_username,
+ rhost);
unbecome_root();
if (NT_STATUS_IS_OK(nt_status)) {
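Review bot: `tsocket_address_inet_addr_string()` returns NULL not only on allocation failure but also, with errno set to EINVAL, when the address is not an inet address, so the `rhost == NULL` branch reports NT_STATUS_NO_MEMORY for a non-IP `user_info->remote_host` and fails an otherwise successful non-guest logon. Consider mapping the errno, e.g. `return map_nt_error_from_unix(errno);`, or deciding explicitly what rhost PAM should see for a non-inet peer. The early return also leaves `*server_info` set while returning an error; the rest of check_ntlm_password is outside the hunk, so whether callers free it cannot be confirmed here. `int rc;` is declared but unused in the visible lines and can be dropped. PAM also now receives an IP string where it previously got `client_id.name`, which matters for host-name based PAM access rules and should be stated in the commit message.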
diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c
index 0ae712a517..e7225a2756 100644
--- a/source3/auth/auth_compat.c
+++ b/source3/auth/auth_compat.c
@@ -19,6 +19,7 @@
#include "includes.h"
#include "auth.h"
+#include "../lib/tsocket/tsocket.h"
extern struct auth_context *negprot_global_auth_context;
extern bool global_encrypted_passwords_negotiated;
@@ -36,6 +37,7 @@ return True if the password is correct, False otherwise
****************************************************************************/
NTSTATUS check_plaintext_password(const char *smb_name,
+ const struct tsocket_address *remote_address,
DATA_BLOB plaintext_blob,
struct auth_serversupplied_info **server_info)
{
@@ -54,7 +56,9 @@ NTSTATUS check_plaintext_password(const char *smb_name,
chal);
if (!make_user_info_for_reply(&user_info,
- smb_name, lp_workgroup(), chal,
+ smb_name, lp_workgroup(),
+ remote_address,
+ chal,
plaintext_blob)) {
return NT_STATUS_NO_MEMORY;
}
@@ -70,6 +74,7 @@ NTSTATUS check_plaintext_password(const char *smb_name,
static NTSTATUS pass_check_smb(struct auth_context *actx,
const char *smb_name,
const char *domain,
+ const struct tsocket_address *remote_address,
DATA_BLOB lm_pwd,
DATA_BLOB nt_pwd)
@@ -82,6 +87,7 @@ static NTSTATUS pass_check_smb(struct auth_context *actx,
}
make_user_info_for_reply_enc(&user_info, smb_name,
domain,
+ remote_address,
lm_pwd,
nt_pwd);
nt_status = actx->check_ntlm_password(actx, user_info, &server_info);
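Review bot: The return value of `make_user_info_for_reply_enc()` is discarded in pass_check_smb, and `user_info` is handed straight to `actx->check_ntlm_password()`. This commit adds another failure path underneath that call (the `tsocket_address_copy()` in make_user_info), so a failed build can reach the password check with whatever `user_info` held before. Capture and test the status first: `nt_status = make_user_info_for_reply_enc(...); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; }`. The function starts and ends outside the hunk, so the initial value of `user_info` is not visible here.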
@@ -97,7 +103,9 @@ return True if the password is correct, False otherwise
bool password_ok(struct auth_context *actx, bool global_encrypted,
const char *session_workgroup,
- const char *smb_name, DATA_BLOB password_blob)
+ const char *smb_name,
+ const struct tsocket_address *remote_address,
+ DATA_BLOB password_blob)
{
DATA_BLOB null_password = data_blob_null;
@@ -110,24 +118,47 @@ bool password_ok(struct auth_context *actx, bool global_encrypted,
* Vista sends NTLMv2 here - we need to try the client given workgroup.
*/
if (session_workgroup) {
- if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, session_workgroup, null_password, password_blob))) {
+ if (NT_STATUS_IS_OK(pass_check_smb(actx,
+ smb_name,
+ session_workgroup,
+ remote_address,
+ null_password,
+ password_blob))) {
return True;
}
- if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, session_workgroup, password_blob, null_password))) {
+ if (NT_STATUS_IS_OK(pass_check_smb(actx,
+ smb_name,
+ session_workgroup,
+ remote_address,
+ password_blob,
+ null_password))) {
return True;
}
}
- if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, lp_workgroup(), null_password, password_blob))) {
+ if (NT_STATUS_IS_OK(pass_check_smb(actx,
+ smb_name,
+ lp_workgroup(),
+ remote_address,
+ null_password,
+ password_blob))) {
return True;
}
- if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, lp_workgroup(), password_blob, null_password))) {
+ if (NT_STATUS_IS_OK(pass_check_smb(actx,
+ smb_name,
+ lp_workgroup(),
+ remote_address,
+ password_blob,
+ null_password))) {
return True;
}
} else {
struct auth_serversupplied_info *server_info = NULL;
- NTSTATUS nt_status = check_plaintext_password(smb_name, password_blob, &server_info);
+ NTSTATUS nt_status = check_plaintext_password(smb_name,
+ remote_address,
+ password_blob,
+ &server_info);
TALLOC_FREE(server_info);
if (NT_STATUS_IS_OK(nt_status)) {
return True;
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index 54f7e6d5fc..2d1aef18f0 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -25,7 +25,6 @@
#include "../libcli/auth/ntlmssp.h"
#include "ntlmssp_wrap.h"
#include "../librpc/gen_ndr/netlogon.h"
-#include "smbd/smbd.h"
#include "../lib/tsocket/tsocket.h"
NTSTATUS auth_ntlmssp_steal_session_info(TALLOC_CTX *mem_ctx,
@@ -122,10 +121,11 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
lp_load(get_dyn_CONFIGFILE(), false, false, true, true);
- nt_status = make_user_info_map(&user_info,
+ nt_status = make_user_info_map(&user_info,
auth_ntlmssp_state->ntlmssp_state->user,
auth_ntlmssp_state->ntlmssp_state->domain,
auth_ntlmssp_state->ntlmssp_state->client.netbios_name,
+ auth_ntlmssp_state->remote_address,
auth_ntlmssp_state->ntlmssp_state->lm_resp.data ? &auth_ntlmssp_state->ntlmssp_state->lm_resp : NULL,
auth_ntlmssp_state->ntlmssp_state->nt_resp.data ? &auth_ntlmssp_state->ntlmssp_state->nt_resp : NULL,
NULL, NULL, NULL,
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 64c290eb04..dd126929e9 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -89,6 +89,7 @@ NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info,
const char *smb_name,
const char *client_domain,
const char *workstation_name,
+ const struct tsocket_address *remote_address,
DATA_BLOB *lm_pwd,
DATA_BLOB *nt_pwd,
const struct samr_Password *lm_interactive_pwd,
@@ -137,7 +138,7 @@ NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info,
result = make_user_info(user_info, smb_name, internal_username,
client_domain, domain, workstation_name,
- lm_pwd, nt_pwd,
+ remote_address, lm_pwd, nt_pwd,
lm_interactive_pwd, nt_interactive_pwd,
plaintext, password_state);
if (NT_STATUS_IS_OK(result)) {
@@ -158,6 +159,7 @@ bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info,
const char *smb_name,
const char *client_domain,
const char *workstation_name,
+ const struct tsocket_address *remote_address,
uint32 logon_parameters,
const uchar *lm_network_pwd,
int lm_pwd_len,
@@ -172,6 +174,7 @@ bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info,
status = make_user_info_map(user_info,
smb_name, client_domain,
workstation_name,
+ remote_address,
lm_pwd_len ? &lm_blob : NULL,
nt_pwd_len ? &nt_blob : NULL,
NULL, NULL, NULL,
@@ -196,6 +199,7 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
const char *smb_name,
const char *client_domain,
const char *workstation_name,
+ const struct tsocket_address *remote_address,
uint32 logon_parameters,
const uchar chal[8],
const uchar lm_interactive_pwd[16],
@@ -271,6 +275,7 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
nt_status = make_user_info_map(
user_info,
smb_name, client_domain, workstation_name,
+ remote_address,
lm_interactive_pwd ? &local_lm_blob : NULL,
nt_interactive_pwd ? &local_nt_blob : NULL,
lm_interactive_pwd ? &lm_pwd : NULL,
@@ -296,6 +301,7 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
const char *smb_name,
const char *client_domain,
+ const struct tsocket_address *remote_address,
const uint8 chal[8],
DATA_BLOB plaintext_password)
{
@@ -342,6 +348,7 @@ bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
ret = make_user_info_map(
user_info, smb_name, client_domain,
get_remote_machine_name(),
+ remote_address,
local_lm_blob.data ? &local_lm_blob : NULL,
local_nt_blob.data ? &local_nt_blob : NULL,
NULL, NULL,
@@ -363,12 +370,14 @@ bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info,
const char *smb_name,
- const char *client_domain,
+ const char *client_domain,
+ const struct tsocket_address *remote_address,
DATA_BLOB lm_resp, DATA_BLOB nt_resp)
{
return make_user_info_map(user_info, smb_name,
client_domain,
- get_remote_machine_name(),
+ get_remote_machine_name(),
+ remote_address,
lm_resp.data && (lm_resp.length > 0) ? &lm_resp : NULL,
nt_resp.data && (nt_resp.length > 0) ? &nt_resp : NULL,
NULL, NULL, NULL,
@@ -379,7 +388,8 @@ NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info,
Create a guest user_info blob, for anonymous authenticaion.
****************************************************************************/
-bool make_user_info_guest(struct auth_usersupplied_info **user_info)
+bool make_user_info_guest(const struct tsocket_address *remote_address,
+ struct auth_usersupplied_info **user_info)
{
NTSTATUS nt_status;
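Review bot: `make_user_info_guest()` takes `remote_address` before the `user_info` out-parameter, while every other make_user_info_* function touched in this file keeps `user_info` first and inserts `remote_address` after the name arguments. The two pointer types differ, so a swapped call would not compile cleanly, but a consistent order reads better: `bool make_user_info_guest(struct auth_usersupplied_info **user_info, const struct tsocket_address *remote_address)`. The same ordering question applies to `check_guest_password()` in sesssetup.c and to the prototype in proto.h.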
@@ -387,6 +397,7 @@ bool make_user_info_guest(struct auth_usersupplied_info **user_info)
"","",
"","",
"",
+ remote_address,
NULL, NULL,
NULL, NULL,
NULL,
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index a4330155d1..2839793472 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -51,11 +51,14 @@ NTSTATUS auth_builtin_init(void);
/* The following definitions come from auth/auth_compat.c */
NTSTATUS check_plaintext_password(const char *smb_name,
+ const struct tsocket_address *remote_address,
DATA_BLOB plaintext_password,
struct auth_serversupplied_info **server_info);
bool password_ok(struct auth_context *actx, bool global_encrypted,
const char *session_workgroup,
- const char *smb_name, DATA_BLOB password_blob);
+ const char *smb_name,
+ const struct tsocket_address *remote_address,
+ DATA_BLOB password_blob);
/* The following definitions come from auth/auth_domain.c */
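Review bot: The prototypes of `check_plaintext_password()` and `password_ok()` here use `const struct tsocket_address *` before the forward declaration `struct tsocket_address;`, which this commit adds further down, in the auth_util.c section of the header. If a translation unit includes proto.h without tsocket.h ahead of it, the first mention declares the struct with prototype scope only, which draws a "declared inside parameter list" warning and makes these two prototypes incompatible with their definitions. Move `struct tsocket_address;` above the auth_compat.c block, or to the top of the header, so that it precedes every use.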
@@ -94,11 +97,13 @@ NTSTATUS auth_server_init(void);
NTSTATUS auth_unix_init(void);
/* The following definitions come from auth/auth_util.c */
+struct tsocket_address;
NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info,
const char *smb_name,
const char *client_domain,
const char *workstation_name,
+ const struct tsocket_address *remote_address,
DATA_BLOB *lm_pwd,
DATA_BLOB *nt_pwd,
const struct samr_Password *lm_interactive_pwd,
@@ -109,6 +114,7 @@ bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info,
const char *smb_name,
const char *client_domain,
const char *workstation_name,
+ const struct tsocket_address *remote_address,
uint32 logon_parameters,
const uchar *lm_network_pwd,
int lm_pwd_len,
@@ -118,6 +124,7 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
const char *smb_name,
const char *client_domain,
const char *workstation_name,
+ const struct tsocket_address *remote_address,
uint32 logon_parameters,
const uchar chal[8],
const uchar lm_interactive_pwd[16],
@@ -126,13 +133,17 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
const char *smb_name,
const char *client_domain,
+ const struct tsocket_address *remote_address,
const uint8 chal[8],
DATA_BLOB plaintext_password);
NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info,
const char *smb_name,
const char *client_domain,
+ const struct tsocket_address *remote_address,
DATA_BLOB lm_resp, DATA_BLOB nt_resp);
-bool make_user_info_guest(struct auth_usersupplied_info **user_info) ;
+bool make_user_info_guest(const struct tsocket_address *remote_address,
+ struct auth_usersupplied_info **user_info);
+
struct samu;
NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
struct samu *sampass);
@@ -192,6 +203,7 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **ret_user_info,
const char *client_domain,
const char *domain,
const char *workstation_name,
+ const struct tsocket_address *remote_address,
const DATA_BLOB *lm_pwd,
const DATA_BLOB *nt_pwd,
const struct samr_Password *lm_interactive_pwd,
diff --git a/source3/auth/user_info.c b/source3/auth/user_info.c
index 606381b0e3..6b9841220f 100644
--- a/source3/auth/user_info.c
+++ b/source3/auth/user_info.c
@@ -20,6 +20,7 @@
#include "includes.h"
#include "auth.h"
#include "librpc/gen_ndr/samr.h"
+#include "../lib/tsocket/tsocket.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
@@ -46,6 +47,7 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **ret_user_info,
const char *client_domain,
const char *domain,
const char *workstation_name,
+ const struct tsocket_address *remote_address,
const DATA_BLOB *lm_pwd,
const DATA_BLOB *nt_pwd,
const struct samr_Password *lm_interactive_pwd,
@@ -84,6 +86,9 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **ret_user_info,
user_info->workstation_name = talloc_strdup(user_info, workstation_name);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info->workstation_name, user_info);
+ user_info->remote_host = tsocket_address_copy(remote_address, user_info);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info->remote_host, user_info);
+
DEBUG(5,("making blobs for %s's user_info struct\n", internal_username));
if (lm_pwd && lm_pwd->data) {
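Review bot: `remote_address` is passed to `tsocket_address_copy()` without a NULL check, and that helper appears to dereference its argument, so a caller with no peer address would crash here instead of getting an error status. Several new callers pass a struct field whose initialisation is not visible in this diff (`p->remote_address`, `auth_ntlmssp_state->remote_address`, `sconn->remote_address`). Either reject it up front, `if (remote_address == NULL) { TALLOC_FREE(user_info); return NT_STATUS_INVALID_PARAMETER; }`, or document in the function comment that the argument must be non-NULL. The field is named `remote_host` while the parameter is `remote_address` everywhere else; using one name would avoid confusion. make_user_info's body continues outside the hunk.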
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index e52dd85352..cabc7088ee 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1523,6 +1523,7 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
if (!make_user_info_netlogon_network(&user_info,
nt_username, nt_domain,
wksname,
+ p->remote_address,
logon->network->identity_info.parameter_control,
logon->network->lm.data,
logon->network->lm.length,
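Review bot: `p->remote_address` is the peer of the netlogon pipe, which for a pass-through logon is presumably the calling member server and not the workstation named in `wksname`. Anything that later reads `user_info->remote_host` (the PAM rhost in check_ntlm_password, or logging) would then attribute the logon to the intermediate server. This is worth a comment at both call sites, this one and the `make_user_info_netlogon_interactive()` call in the next hunk, e.g. `/* remote_address is the netlogon caller (pipe peer), not the end-user workstation */`. _netr_LogonSamLogon_base continues outside both hunks.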
@@ -1555,6 +1556,7 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
if (!make_user_info_netlogon_interactive(&user_info,
nt_username, nt_domain,
nt_workstation,
+ p->remote_address,
logon->password->identity_info.parameter_control,
chal,
logon->password->lmpassword.hash,
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index 69b37596c5..6a3b6ddf2f 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -495,7 +495,9 @@ static char *validate_group(struct smbd_server_connection *sconn,
if (user_ok(user, snum) &&
password_ok(actx, enc,
get_session_workgroup(sconn),
- user,password)) {
+ user,
+ sconn->remote_address,
+ password)) {
endnetgrent();
return(user);
}
@@ -561,7 +563,9 @@ static char *validate_group(struct smbd_server_connection *sconn,
if (user_ok(member,snum) &&
password_ok(actx, enc,
get_session_workgroup(sconn),
- member,password)) {
+ member,
+ sconn->remote_address,
+ password)) {
char *name = talloc_strdup(talloc_tos(),
member);
SAFE_FREE(member_list);
@@ -642,7 +646,9 @@ bool authorise_login(struct smbd_server_connection *sconn,
if (password_ok(actx, enc,
get_session_workgroup(sconn),
- user2,password)) {
+ user2,
+ sconn->remote_address,
+ password)) {
ok = True;
strlcpy(user,user2,sizeof(fstring));
DEBUG(3,("authorise_login: ACCEPTED: session "
@@ -693,7 +699,9 @@ bool authorise_login(struct smbd_server_connection *sconn,
if (user_ok(user2,snum) &&
password_ok(actx, enc,
get_session_workgroup(sconn),
- user2,password)) {
+ user2,
+ sconn->remote_address,
+ password)) {
ok = True;
strlcpy(user,user2,sizeof(fstring));
DEBUG(3,("authorise_login: ACCEPTED: "
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 7d111e3219..de766308da 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -140,7 +140,8 @@ static void reply_sesssetup_blob(struct smb_request *req,
Do a 'guest' logon, getting back the
****************************************************************************/
-static NTSTATUS check_guest_password(struct auth_serversupplied_info **server_info)
+static NTSTATUS check_guest_password(const struct tsocket_address *remote_address,
+ struct auth_serversupplied_info **server_info)
{
struct auth_context *auth_context;
struct auth_usersupplied_info *user_info = NULL;
@@ -155,7 +156,7 @@ static NTSTATUS check_guest_password(struct auth_serversupplied_info **server_in
return nt_status;
}
- if (!make_user_info_guest(&user_info)) {
+ if (!make_user_info_guest(remote_address, &user_info)) {
TALLOC_FREE(auth_context);
return NT_STATUS_NO_MEMORY;
}
@@ -1577,7 +1578,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
if (!*user) {
- nt_status = check_guest_password(&server_info);
+ nt_status = check_guest_password(sconn->remote_address, &server_info);
} else if (doencrypt) {
struct auth_context *negprot_auth_context = NULL;
@@ -1592,6 +1593,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
}
nt_status = make_user_info_for_reply_enc(&user_info, user,
domain,
+ sconn->remote_address,
lm_resp, nt_resp);
if (NT_STATUS_IS_OK(nt_status)) {
nt_status = negprot_auth_context->check_ntlm_password(
@@ -1612,7 +1614,9 @@ void reply_sesssetup_and_X(struct smb_request *req)
plaintext_auth_context, chal);
if (!make_user_info_for_reply(&user_info,
- user, domain, chal,
+ user, domain,
+ sconn->remote_address,
+ chal,
plaintext_password)) {
nt_status = NT_STATUS_NO_MEMORY;
}
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 21b237a1f1..7417bf42cb 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -37,6 +37,7 @@
#include "../librpc/gen_ndr/krb5pac.h"
#include "passdb/machine_sid.h"
#include "auth.h"
+#include "../lib/tsocket/tsocket.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
@@ -1115,10 +1116,20 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
struct netr_SamInfo3 **pinfo3)
{
struct auth_usersupplied_info *user_info = NULL;
+ struct tsocket_address *local;
NTSTATUS status;
-
+ int rc;
+
+ rc = tsocket_address_inet_from_strings(mem_ctx,
+ "ip",
+ "127.0.0.1",
+ 0,
+ &local);
+ if (rc < 0) {
+ return NT_STATUS_NO_MEMORY;
+ }
status = make_user_info(&user_info, user, user, domain, domain,
- lp_netbios_name(), lm_resp, nt_resp, NULL, NULL,
+ lp_netbios_name(), local, lm_resp, nt_resp, NULL, NULL,
NULL, AUTH_PASSWORD_RESPONSE);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("make_user_info failed: %s\n", nt_errstr(status)));
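Review bot: The hard-coded `"127.0.0.1"` means every passdb authentication done through winbindd records loopback as the client address, so any consumer of `user_info->remote_host` sees localhost regardless of where the request originated. That is a reasonable placeholder when the real peer is unknown, but it should be stated in a comment, e.g. `/* winbindd has no client address here; use loopback as a placeholder */`. `local` is allocated on `mem_ctx` and then copied by make_user_info, so a `TALLOC_FREE(local);` after the call would avoid keeping the duplicate alive for the lifetime of `mem_ctx`. `rc < 0` is reported as NT_STATUS_NO_MEMORY although the helper can also fail for other reasons. The function continues outside the hunk.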