authorJeremy Allison <jra@samba.org>2005-11-08 06:19:34 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:05:20 -0500
commitfcceedd67c29bae6941949a16ebef37e95dab601 (patch)
tree17233b5fb3522134c86ed4a3dd05e1f79a8f3a9f /source3/auth
parentc3d673e5712b254ea6e3eef10041f3a30b70a983 (diff)
r11573: Adding Andrew Bartlett's patch to make machine account
logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes the auth module interface to 2 (from 1). The effect of this is that clients can access resources as a machine account if they set these flags. This is the same as Windows (think of a VPN where the vpn client authenticates itself to a VPN server using machine account credentials - the vpn server checks that the machine password was valid by performing a machine account check with the PDC in the same way as it would a user account check). I may add in a restriction (parameter) to allow this behaviour to be turned off (as it was previously). That may be on by default. Andrew Bartlett please review this change carefully. Jeremy. (This used to be commit d1caef866326346fb191f8129d13d98379f18cd8)
Diffstat (limited to 'source3/auth')
-rw-r--r--source3/auth/auth_domain.c19
-rw-r--r--source3/auth/auth_ntlmssp.c2
-rw-r--r--source3/auth/auth_sam.c15
-rw-r--r--source3/auth/auth_util.c15
-rw-r--r--source3/auth/auth_winbind.c2
5 files changed, 36 insertions, 17 deletions
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index 8d29367835..94b138e55b 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -218,15 +218,16 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
*/
nt_status = rpccli_netlogon_sam_network_logon(netlogon_pipe,
- mem_ctx,
- dc_name, /* server name */
- user_info->smb_name.str, /* user name logging on. */
- user_info->domain.str, /* domain name */
- user_info->wksta_name.str, /* workstation name */
- chal, /* 8 byte challenge. */
- user_info->lm_resp, /* lanman 24 byte response */
- user_info->nt_resp, /* nt 24 byte response */
- &info3); /* info3 out */
+ mem_ctx,
+ user_info->logon_parameters,/* flags such as 'allow workstation logon' */
+ dc_name, /* server name */
+ user_info->smb_name.str, /* user name logging on. */
+ user_info->domain.str, /* domain name */
+ user_info->wksta_name.str, /* workstation name */
+ chal, /* 8 byte challenge. */
+ user_info->lm_resp, /* lanman 24 byte response */
+ user_info->nt_resp, /* nt 24 byte response */
+ &info3); /* info3 out */
/* Let go as soon as possible so we avoid any potential deadlocks
with winbind lookup up users or groups. */
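Review bot: The comment on the new second argument of the call, `/* flags such as 'allow workstation logon' */`, does not say where the value comes from; it is whatever the NetLogon or NTLMSSP front end stored in `user_info->logon_parameters` (client-supplied MSV1_0_* bits, per the other hunks) and it is handed to the DC unmasked. A comment such as `/* client's MSV1_0_* logon_parameters, forwarded to the DC unmodified */` makes that trust boundary visible to the next reader and marks the place where the opt-out parameter the commit message mentions would apply. domain_client_validate() starts and ends outside this hunk.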
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index 738af73f49..2fef8f1e9b 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -101,6 +101,8 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
NULL, NULL, NULL,
True);
+ user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
+
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
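Review bot: The new store to `user_info->logon_parameters` runs before `nt_status` from the preceding make-user-info call is checked, so on failure it writes through `user_info` whose state the visible lines do not guarantee; if that call leaves `user_info` unset on error this is a null or wild write. Move the assignment below the check: `if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; }` followed by `user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;`. Unlike the netlogon paths in auth_util.c, where the flags are taken from the caller, every NTLMSSP logon here unconditionally permits both trust-account types, so a one-line comment stating that this is intended (the commit message says an opt-out is still to come) would help. auth_ntlmssp_check_password() starts and ends outside this hunk.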
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index bb4df707ef..c92cecdde5 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -208,15 +208,18 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx,
}
if (acct_ctrl & ACB_SVRTRUST) {
- DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", pdb_get_username(sampass)));
- return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
+ if (!(user_info->logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) {
+ DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", pdb_get_username(sampass)));
+ return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
+ }
}
-
+
if (acct_ctrl & ACB_WSTRUST) {
- DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", pdb_get_username(sampass)));
- return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
+ if (!(user_info->logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) {
+ DEBUG(2,("sam_account_ok: Wksta trust account %s denied by server\n", pdb_get_username(sampass)));
+ return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
+ }
}
-
return NT_STATUS_OK;
}
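Review bot: When the client sets the allow bit, the trust-account logon now passes sam_account_ok() silently, while the two denial paths still log at level 2; an allowed machine-account logon is the more useful event for an operator reconstructing who accessed what, so it should be logged as well. Add an `else` to each new inner `if`, e.g. `DEBUG(3,("sam_account_ok: Server trust account %s allowed by client logon_parameters\n", pdb_get_username(sampass)));` and the matching `Wksta trust account` line. The workstation denial also moves from DEBUG level 4 to 2 (old line versus new), which is consistent with the server-trust case but is not mentioned in the commit message. sam_account_ok() starts outside this hunk.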
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 49122bd441..6a92c8782e 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -164,6 +164,8 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info,
(*user_info)->encrypted = encrypted;
+ (*user_info)->logon_parameters = 0;
+
DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name));
return NT_STATUS_OK;
@@ -223,6 +225,7 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info,
const char *smb_name,
const char *client_domain,
const char *wksta_name,
+ uint32 logon_parameters,
const uchar *lm_network_pwd, int lm_pwd_len,
const uchar *nt_network_pwd, int nt_pwd_len)
{
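Review bot: The new `uint32 logon_parameters` parameter is undocumented here and in the make_user_info_netlogon_interactive() hunk below; since its bits (MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT and MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT, as tested in auth_sam.c) relax the trust-account refusal, its origin and effect belong at the declaration. Suggested: `uint32 logon_parameters, /* MSV1_0_* flags from the NetLogon request; may permit machine-account logons (see sam_account_ok) */`, and the same on the interactive variant. Both functions start before their hunks, so the header comments above them, if any, are not visible here.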
@@ -238,9 +241,12 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info,
nt_pwd_len ? &nt_blob : NULL,
NULL, NULL, NULL,
True);
-
+
+ if (NT_STATUS_IS_OK(nt_status)) {
+ (*user_info)->logon_parameters = logon_parameters;
+ }
ret = NT_STATUS_IS_OK(nt_status) ? True : False;
-
+
data_blob_free(&lm_blob);
data_blob_free(&nt_blob);
return ret;
@@ -255,6 +261,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
const char *smb_name,
const char *client_domain,
const char *wksta_name,
+ uint32 logon_parameters,
const uchar chal[8],
const uchar lm_interactive_pwd[16],
const uchar nt_interactive_pwd[16],
@@ -337,6 +344,10 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
NULL,
True);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ (*user_info)->logon_parameters = logon_parameters;
+ }
+
ret = NT_STATUS_IS_OK(nt_status) ? True : False;
data_blob_free(&local_lm_blob);
data_blob_free(&local_nt_blob);
diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c
index 0c263b6ab3..ad72bd9a1f 100644
--- a/source3/auth/auth_winbind.c
+++ b/source3/auth/auth_winbind.c
@@ -88,6 +88,8 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
request.flags = WBFLAG_PAM_INFO3_NDR;
+ request.data.auth_crap.logon_parameters = user_info->logon_parameters;
+
fstrcpy(request.data.auth_crap.user,
user_info->smb_name.str);
fstrcpy(request.data.auth_crap.domain,