Fix up workstaion and kickoff time checks, moved to auth_smbpasswd.c where

they can have general effect.

Fixed up workstaion support in the rest of samba, so that we can do these
checks.

Pass through the workstation for cli_net_logon(), if supplied.
(This used to be commit 7f04a139b2ee34b4c282590509cdf21395815a7a)

2 files changed, 55 insertions, 13 deletions

diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 0101aa65a2..5b6b2d4c42 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -25,8 +25,6 @@
 
 extern int DEBUGLEVEL;
 
-extern pstring global_myname;
-
 /****************************************************************************
  Check user is in correct domain if required
 ****************************************************************************/
@@ -63,7 +61,8 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
 	NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
 	BOOL done_pam = False;
 	
-	DEBUG(3, ("check_password:  Checking password for smb user %s with the new password interface\n", user_info->smb_username.str));
+	DEBUG(3, ("check_password:  Checking password for smb user %s\\%s@%s with the new password interface\n", 
+		  user_info->smb_username.str, user_info->requested_domain.str, user_info->wksta_name.str));
   	if (!check_domain_match(user_info->smb_username.str, user_info->domain.str)) {
 		return NT_STATUS_LOGON_FAILURE;
 	}
@@ -122,7 +121,8 @@ return True if the password is correct, False otherwise
 ****************************************************************************/
 
 NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user, 
-                                  char *domain, uchar chal[8], 
+                                  char *domain, char* workstation, 
+				  uchar chal[8], 
 				  uchar *lm_pwd, int lm_pwd_len,
 				  uchar *nt_pwd, int nt_pwd_len)
 {
@@ -158,8 +158,8 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
 	user_info.unix_username = unix_username;
 	user_info.smb_username = smb_username;
 
-	user_info.wksta_name.str = client_name();
-	user_info.wksta_name.len = strlen(client_name());
+	wksta_name.str = workstation;
+	wksta_name.len = strlen(workstation);
 
 	user_info.wksta_name = wksta_name;
 
@@ -204,7 +204,8 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
 	return check_password(&user_info, &server_info);
 }
 
-NTSTATUS pass_check_smb(char *smb_user, char *unix_user, char *domain,
+NTSTATUS pass_check_smb(char *smb_user, char *unix_user, 
+			char *domain, char *workstation,
 			uchar *lm_pwd, int lm_pwd_len,
 			uchar *nt_pwd, int nt_pwd_len)
 {
@@ -214,7 +215,8 @@ NTSTATUS pass_check_smb(char *smb_user, char *unix_user, char *domain,
 		generate_random_buffer( chal, 8, False);
 	}
 
-	return pass_check_smb_with_chal(smb_user, unix_user, domain, chal, 
+	return pass_check_smb_with_chal(smb_user, unix_user, 
+					domain, workstation, chal, 
 					lm_pwd, lm_pwd_len,
 					nt_pwd, nt_pwd_len);
 
@@ -227,6 +229,7 @@ return True if the password is correct, False otherwise
 ****************************************************************************/
 BOOL password_ok(char *user, char *password, int pwlen)
 {
+	extern fstring remote_machine;
 
 	/* 
 	 *  This hack must die!  But until I rewrite the rest of samba
@@ -240,11 +243,11 @@ BOOL password_ok(char *user, char *password, int pwlen)
 	
 	/* The password could be either NTLM or plain LM.  Try NTLM first, but fall-through as
 	   required. */
-	if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, lp_workgroup(), NULL, 0, (unsigned char *)password, pwlen))) {
+	if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, remote_machine, lp_workgroup(), NULL, 0, (unsigned char *)password, pwlen))) {
 		return True;
 	}
 
-	if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, lp_workgroup(), (unsigned char *)password, pwlen, NULL, 0))) {
+	if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, remote_machine, lp_workgroup(), (unsigned char *)password, pwlen, NULL, 0))) {
 		return True;
 	}
 
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index 111a35e068..b61fde4206 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -112,9 +112,9 @@ static BOOL smb_pwd_check_ntlmv2(const uchar *password, size_t pwd_len,
 NTSTATUS smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info)
 {
 	uint8 *nt_pw, *lm_pw;
-	uint16	acct_ctrl;
-
-	acct_ctrl = pdb_get_acct_ctrl(sampass);
+	uint16	acct_ctrl = pdb_get_acct_ctrl(sampass);
+	char *workstation_list;
+	time_t kickoff_time;
 	
 	/* Quit if the account was disabled. */
 	if(acct_ctrl & ACB_DISABLED) {
@@ -122,6 +122,45 @@ NTSTATUS smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *use
 		return(NT_STATUS_ACCOUNT_DISABLED);
 	}
 
+	/* Test account expire time */
+	
+	kickoff_time = pdb_get_kickoff_time(sampass);
+	if (kickoff_time != (time_t)-1) {
+		if (time(NULL) > kickoff_time) {
+			return NT_STATUS_ACCOUNT_EXPIRED;
+		}
+	}
+		
+	/* Test workstation. Workstation list is comma separated. */
+	
+	workstation_list = strdup(pdb_get_workstations(sampass));
+	
+	if (workstation_list) {
+		if (*workstation_list) {
+			BOOL invalid_ws = True;
+			char *s = workstation_list;
+			
+			fstring tok;
+			
+			while (next_token(&s, tok, ",", sizeof(tok))) {
+				DEBUG(10,("checking for workstation match %s and %s (len=%d)\n",
+					  tok, user_info->wksta_name.str, user_info->wksta_name.len));
+				if(strequal(tok, user_info->wksta_name.str)) {
+					invalid_ws = False;
+					break;
+				}
+			}
+			
+			free(workstation_list);		
+			if (invalid_ws) 
+				return NT_STATUS_INVALID_WORKSTATION;
+		} else {
+			free(workstation_list);
+		}
+	} else {
+		return NT_STATUS_NO_MEMORY;
+	}
+	
 	if (acct_ctrl & ACB_PWNOTREQ) 
 	{
 		if (lp_null_passwords())