diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2010-06-01 21:52:01 +1000 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2010-08-14 11:58:13 +1000 |
| commit | 23994e1b53b8528007f6325ce5f286712ec021be (patch) | |
| tree | c0e69e1401576756560bf71b73c3725312b7d866 /source3/auth/auth_util.c | |
| parent | 272e49e85c47d88ef0a84bce88e6f8d984f2eae4 (diff) | |
| download | samba-23994e1b53b8528007f6325ce5f286712ec021be.tar.gz samba-23994e1b53b8528007f6325ce5f286712ec021be.tar.bz2 samba-23994e1b53b8528007f6325ce5f286712ec021be.zip | |
s3:auth Make Samba3 use the new common struct auth_usersupplied_info
This common structure will make it much easier to produce an auth
module for s3compat that calls Samba4's auth subsystem.
In order the make the link work properly (and not map twice), we mark
both that we did try and map the user, as well as if we changed the
user during the mapping.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Diffstat (limited to 'source3/auth/auth_util.c')
| -rw-r--r-- | source3/auth/auth_util.c | 79 |
1 files changed, 41 insertions, 38 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 16fa421f8b..371087e449 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -86,10 +86,10 @@ NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info, const char *workstation_name, DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd, - DATA_BLOB *lm_interactive_pwd, - DATA_BLOB *nt_interactive_pwd, - DATA_BLOB *plaintext, - bool encrypted) + const struct samr_Password *lm_interactive_pwd, + const struct samr_Password *nt_interactive_pwd, + const char *plaintext, + enum auth_password_state password_state) { const char *domain; NTSTATUS result; @@ -131,8 +131,11 @@ NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info, client_domain, domain, workstation_name, lm_pwd, nt_pwd, lm_interactive_pwd, nt_interactive_pwd, - plaintext, encrypted); + plaintext, password_state); if (NT_STATUS_IS_OK(result)) { + /* We have tried mapping */ + (*user_info)->mapped_state = True; + /* did we actually map the user to a different name? */ (*user_info)->was_mapped = was_mapped; } return result; @@ -164,7 +167,7 @@ bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info, lm_pwd_len ? &lm_blob : NULL, nt_pwd_len ? &nt_blob : NULL, NULL, NULL, NULL, - True); + AUTH_PASSWORD_RESPONSE); if (NT_STATUS_IS_OK(status)) { (*user_info)->logon_parameters = logon_parameters; @@ -191,8 +194,8 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in const uchar nt_interactive_pwd[16], const uchar *dc_sess_key) { - unsigned char lm_pwd[16]; - unsigned char nt_pwd[16]; + struct samr_Password lm_pwd; + struct samr_Password nt_pwd; unsigned char local_lm_response[24]; unsigned char local_nt_response[24]; unsigned char key[16]; @@ -200,42 +203,42 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in memcpy(key, dc_sess_key, 16); if (lm_interactive_pwd) - memcpy(lm_pwd, lm_interactive_pwd, sizeof(lm_pwd)); + memcpy(lm_pwd.hash, lm_interactive_pwd, sizeof(lm_pwd.hash)); if (nt_interactive_pwd) - memcpy(nt_pwd, nt_interactive_pwd, sizeof(nt_pwd)); + memcpy(nt_pwd.hash, nt_interactive_pwd, sizeof(nt_pwd.hash)); #ifdef DEBUG_PASSWORD DEBUG(100,("key:")); dump_data(100, key, sizeof(key)); DEBUG(100,("lm owf password:")); - dump_data(100, lm_pwd, sizeof(lm_pwd)); + dump_data(100, lm_pwd.hash, sizeof(lm_pwd.hash)); DEBUG(100,("nt owf password:")); - dump_data(100, nt_pwd, sizeof(nt_pwd)); + dump_data(100, nt_pwd.hash, sizeof(nt_pwd.hash)); #endif if (lm_interactive_pwd) - arcfour_crypt(lm_pwd, key, sizeof(lm_pwd)); + arcfour_crypt(lm_pwd.hash, key, sizeof(lm_pwd.hash)); if (nt_interactive_pwd) - arcfour_crypt(nt_pwd, key, sizeof(nt_pwd)); + arcfour_crypt(nt_pwd.hash, key, sizeof(nt_pwd.hash)); #ifdef DEBUG_PASSWORD DEBUG(100,("decrypt of lm owf password:")); - dump_data(100, lm_pwd, sizeof(lm_pwd)); + dump_data(100, lm_pwd.hash, sizeof(lm_pwd)); DEBUG(100,("decrypt of nt owf password:")); - dump_data(100, nt_pwd, sizeof(nt_pwd)); + dump_data(100, nt_pwd.hash, sizeof(nt_pwd)); #endif if (lm_interactive_pwd) - SMBOWFencrypt(lm_pwd, chal, + SMBOWFencrypt(lm_pwd.hash, chal, local_lm_response); if (nt_interactive_pwd) - SMBOWFencrypt(nt_pwd, chal, + SMBOWFencrypt(nt_pwd.hash, chal, local_nt_response); /* Password info paranoia */ @@ -247,23 +250,14 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in DATA_BLOB local_lm_blob; DATA_BLOB local_nt_blob; - DATA_BLOB lm_interactive_blob; - DATA_BLOB nt_interactive_blob; - if (lm_interactive_pwd) { local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response)); - lm_interactive_blob = data_blob(lm_pwd, - sizeof(lm_pwd)); - ZERO_STRUCT(lm_pwd); } if (nt_interactive_pwd) { local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response)); - nt_interactive_blob = data_blob(nt_pwd, - sizeof(nt_pwd)); - ZERO_STRUCT(nt_pwd); } nt_status = make_user_info_map( @@ -271,9 +265,9 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in smb_name, client_domain, workstation_name, lm_interactive_pwd ? &local_lm_blob : NULL, nt_interactive_pwd ? &local_nt_blob : NULL, - lm_interactive_pwd ? &lm_interactive_blob : NULL, - nt_interactive_pwd ? &nt_interactive_blob : NULL, - NULL, True); + lm_interactive_pwd ? &lm_pwd : NULL, + nt_interactive_pwd ? &nt_pwd : NULL, + NULL, AUTH_PASSWORD_HASH); if (NT_STATUS_IS_OK(nt_status)) { (*user_info)->logon_parameters = logon_parameters; @@ -282,8 +276,6 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in ret = NT_STATUS_IS_OK(nt_status) ? True : False; data_blob_free(&local_lm_blob); data_blob_free(&local_nt_blob); - data_blob_free(&lm_interactive_blob); - data_blob_free(&nt_interactive_blob); return ret; } } @@ -303,14 +295,13 @@ bool make_user_info_for_reply(struct auth_usersupplied_info **user_info, DATA_BLOB local_lm_blob; DATA_BLOB local_nt_blob; NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; - + char *plaintext_password_string; /* * Not encrypted - do so. */ DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted " "format.\n")); - if (plaintext_password.data && plaintext_password.length) { unsigned char local_lm_response[24]; @@ -333,14 +324,26 @@ bool make_user_info_for_reply(struct auth_usersupplied_info **user_info, local_nt_blob = data_blob_null; } + plaintext_password_string = talloc_strndup(talloc_tos(), + (const char *)plaintext_password.data, + plaintext_password.length); + if (!plaintext_password_string) { + return False; + } + ret = make_user_info_map( user_info, smb_name, client_domain, get_remote_machine_name(), local_lm_blob.data ? &local_lm_blob : NULL, local_nt_blob.data ? &local_nt_blob : NULL, NULL, NULL, - plaintext_password.data && plaintext_password.length ? &plaintext_password : NULL, - False); + plaintext_password_string, + AUTH_PASSWORD_PLAIN); + + if (plaintext_password_string) { + memset(plaintext_password_string, '\0', strlen(plaintext_password_string)); + talloc_free(plaintext_password_string); + } data_blob_free(&local_lm_blob); return NT_STATUS_IS_OK(ret) ? True : False; @@ -361,7 +364,7 @@ NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info, lm_resp.data && (lm_resp.length > 0) ? &lm_resp : NULL, nt_resp.data && (nt_resp.length > 0) ? &nt_resp : NULL, NULL, NULL, NULL, - True); + AUTH_PASSWORD_RESPONSE); } /**************************************************************************** @@ -379,7 +382,7 @@ bool make_user_info_guest(struct auth_usersupplied_info **user_info) NULL, NULL, NULL, NULL, NULL, - True); + AUTH_PASSWORD_RESPONSE); return NT_STATUS_IS_OK(nt_status) ? True : False; } |