authorAndrew Bartlett <abartlet@samba.org>2001-08-12 11:19:57 +0000
committerAndrew Bartlett <abartlet@samba.org>2001-08-12 11:19:57 +0000
commit6ad80352dd2523c310258de3211a2af0f1763d2a (patch)
tree7058ea9d3faf2c4f72a9b7edcca6d4ac856108b9 /source3/auth/auth.c
parent9644bf74bd90ef5b9c016434408be1acaa311978 (diff)
This patch does a number of things, mostly smaller than they look :-)
In particular, it moves the domain_client_validate stuff out of auth_domain.c to somewhere where (I hope) it can be shared with winbind better. (This may need some work.) The main purpose of this patch was, however, to improve some of the internal documentation and to correctly place become_root()/unbecome_root() calls within the code. Finally, this patch moves some more of auth.c into other files, auth_unix.c in this case. Andrew Bartlett (This used to be commit ea1c547ac880def29f150de2172c95213509350e)
Diffstat (limited to 'source3/auth/auth.c')
-rw-r--r--source3/auth/auth.c83
1 files changed, 23 insertions, 60 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 94008e4d00..bbcf34e8ca 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -27,46 +27,6 @@ extern int DEBUGLEVEL;
extern pstring global_myname;
-
-/****************************************************************************
-update the encrypted smbpasswd file from the plaintext username and password
-
-this ugly hack needs to die, but not quite yet...
-*****************************************************************************/
-static BOOL update_smbpassword_file(char *user, char *password)
-{
- SAM_ACCOUNT *sampass = NULL;
- BOOL ret;
-
- pdb_init_sam(&sampass);
-
- become_root();
- ret = pdb_getsampwnam(sampass, user);
- unbecome_root();
-
- if(ret == False) {
- DEBUG(0,("update_smbpassword_file: pdb_getsampwnam failed to locate %s\n", user));
- pdb_free_sam(sampass);
- return False;
- }
-
- /*
- * Remove the account disabled flag - we are updating the
- * users password from a login.
- */
- pdb_set_acct_ctrl(sampass, pdb_get_acct_ctrl(sampass) & ~ACB_DISABLED);
-
- /* Here, the flag is one, because we want to ignore the
- XXXXXXX'd out password */
- ret = change_oem_password( sampass, password, True);
- if (ret == False) {
- DEBUG(3,("change_oem_password returned False\n"));
- }
-
- pdb_free_sam(sampass);
- return ret;
-}
-
/****************************************************************************
Check user is in correct domain if required
****************************************************************************/
@@ -88,21 +48,29 @@ static BOOL check_domain_match(char *user, char *domain)
}
}
+/****************************************************************************
+ Check a users password, as given in the user-info struct and return various
+ interesting details in the server_info struct.
+
+ This functions does NOT need to be in a become_root()/unbecome_root() pair
+ as it makes the calls itself when needed.
+****************************************************************************/
uint32 check_password(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info)
{
uint32 nt_status = NT_STATUS_LOGON_FAILURE;
-
+ BOOL done_pam = False;
+
DEBUG(3, ("check_password: Checking password for user %s with the new password interface\n", user_info->smb_username.str));
- if (check_hosts_equiv(user_info->smb_username.str)) {
- nt_status = NT_STATUS_NOPROBLEMO;
- }
-
if (!check_domain_match(user_info->smb_username.str, user_info->domain.str)) {
return NT_STATUS_LOGON_FAILURE;
}
+ if (nt_status != NT_STATUS_NOPROBLEMO) {
+ nt_status = check_rhosts_security(user_info, server_info);
+ }
+
if ((lp_security() == SEC_DOMAIN) && (nt_status != NT_STATUS_NOPROBLEMO)) {
nt_status = check_domain_security(user_info, server_info);
}
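Review bot: The guard `if (nt_status != NT_STATUS_NOPROBLEMO)` around the new `check_rhosts_security()` call is always true at that point, because `nt_status` is initialised to `NT_STATUS_LOGON_FAILURE` and nothing assigns it before the call. It reads as if an earlier backend could already have succeeded, so either call `check_rhosts_security()` unconditionally or say in a comment that the test is kept only for symmetry with the later stages. An rhosts success makes every password backend below it a no-op, and the new header comment should state that, e.g. `/* a success from check_rhosts_security() skips all password checks below; only the PAM account check still runs */`. The same header has the typo "This functions". The body of `check_password()` continues past this hunk.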
@@ -115,28 +83,23 @@ uint32 check_password(const auth_usersupplied_info *user_info, auth_serversuppli
smb_user_control(user_info->smb_username.str, nt_status);
}
- if ((nt_status != NT_STATUS_NOPROBLEMO)
- && (user_info->plaintext_password.len > 0)
- && (!lp_plaintext_to_smbpasswd())) {
- return (pass_check(user_info->smb_username.str,
- user_info->plaintext_password.str,
- user_info->plaintext_password.len,
- lp_update_encrypted() ?
- update_smbpassword_file : NULL)
- ? NT_STATUS_NOPROBLEMO : NT_STATUS_LOGON_FAILURE);
- }
-
if (nt_status != NT_STATUS_NOPROBLEMO) {
- nt_status = check_smbpasswd_security(user_info, server_info);
+ if ((user_info->plaintext_password.len > 0)
+ && (!lp_plaintext_to_smbpasswd())) {
+ nt_status = check_unix_security(user_info, server_info);
+ done_pam = True;
+ } else {
+ nt_status = check_smbpasswd_security(user_info, server_info);
+ }
}
-
- if (nt_status == NT_STATUS_NOPROBLEMO) {
+
+ if ((nt_status == NT_STATUS_NOPROBLEMO) && !done_pam) {
/* We might not be root if we are an RPC call */
become_root();
nt_status = smb_pam_accountcheck(user_info->smb_username.str);
unbecome_root();
}
-
+
if (nt_status == NT_STATUS_NOPROBLEMO) {
DEBUG(5, ("check_password: Password for user %s suceeded\n", user_info->smb_username.str));
} else {
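Review bot: `done_pam = True` is set as soon as `check_unix_security()` is called, and the later `smb_pam_accountcheck()` is then skipped on the plaintext path on the assumption that the callee already ran the account stage. That callee lives in auth_unix.c and is not visible here; if it can accept a password without going through PAM account management (for example a non-PAM crypt fallback), expired or locked accounts would no longer be rejected on this path. Please document the invariant where the flag is set, e.g. `/* check_unix_security() performs the PAM account check itself, so do not repeat it below */`, or have `check_unix_security()` report whether the account stage actually ran and set `done_pam` from that. The function starts and ends outside this hunk.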