authorAndrew Bartlett <abartlet@samba.org>2002-01-17 08:45:58 +0000
committerAndrew Bartlett <abartlet@samba.org>2002-01-17 08:45:58 +0000
commitc311d24ce32d2a8aa244f126bcec67ec03549727 (patch)
treebc4eff2b737df9d499bdbc89ee783b8886da269d /source3/auth
parent350161d44b07d8e66a2fb073fa7e9ee0f8ab0c45 (diff)
A nice *big* change to the fundamental way we do things.
Samba (ab)uses the returns from getpwnam() a lot - in particular it keeps them around for a long time - often past the next call... This adds a getpwnam_alloc and a getpwuid_alloc to the collection. These function as expected, returning a malloced structure that can be free()ed with passwd_free(&passwd). This patch also cuts down on the number of calls to getpwnam - mostly by taking advantage of the fact that the passdb interface is already case-insensitive. With this patch most of the recursive cases have been removed (that I know of) and the problems are reduced further by not using the sys_ interface in the new code. This means that pointers to the cache won't be affected. (This is a temporary HACK, I intend to kill the password cache entirely). The only change I'm a little worried about is the change to rpc_server/srv_samr_nt.c for private groups. In this case we are getting groups from the new group mapping DB. Do we still need to check for private groups? I've toned down the check to a case sensitive match with the new code, but we might be able to kill it entirely. I've also added a make_modifyable_passwd() function, that copies a passwd struct into the form that the old sys_getpw* code provided. As far as I can tell this is only actually used in the pass_check.c crazies, where I moved the final 'special case' for shadow passwords (out of _Get_Pwnam()). The matching case for getpwent() is dealt with already, in lib/util_getent.c. Also included in here is a small change to register the [homes] share at vuid creation rather than just in one variant of the session setup. (This picks up the SPNEGO cases). The home directory is now stored on the vuid, and I am hoping this might provide a saner way to do %H substitutions. TODO: Kill off remaining Get_Pwnam_Modify calls (they are not needed), change the remaining sys_getpwnam() callers to use getpwnam_alloc() and move Get_Pwnam to return an allocated struct.
Andrew Bartlett (This used to be commit 1d86c7f94230bc53daebd4d2cd829da6292e05da)
Diffstat (limited to 'source3/auth')
-rw-r--r--source3/auth/auth_unix.c2
-rw-r--r--source3/auth/auth_util.c6
-rw-r--r--source3/auth/pass_check.c24
3 files changed, 26 insertions, 6 deletions
diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c
index 69c24b8213..73a4c51b4f 100644
--- a/source3/auth/auth_unix.c
+++ b/source3/auth/auth_unix.c
@@ -96,7 +96,7 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context,
pass = Get_Pwnam(user_info->internal_username.str);
- /** This call assumes a ASCII password, no charset transformation is
+ /** @todo This call assumes a ASCII password, no charset transformation is
done. We may need to revisit this **/
nt_status = pass_check(pass,
pass ? pass->pw_name : user_info->internal_username.str,
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index d2748e30d4..643c2e1996 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -554,16 +554,18 @@ void free_server_info(auth_serversupplied_info **server_info)
BOOL make_server_info_guest(auth_serversupplied_info **server_info)
{
- struct passwd *pass = sys_getpwnam(lp_guestaccount());
+ struct passwd *pass = getpwnam_alloc(lp_guestaccount());
if (pass) {
if (!make_server_info_pw(server_info, pass)) {
+ passwd_free(&pass);
return False;
}
(*server_info)->guest = True;
+ passwd_free(&pass);
return True;
}
- DEBUG(0,("make_server_info_guest: sys_getpwnam() failed on guest account!\n"));
+ DEBUG(0,("make_server_info_guest: getpwnam_alloc() failed on guest account!\n"));
return False;
}
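Review bot: Both `passwd_free(&pass)` calls in make_server_info_guest run right after `make_server_info_pw(server_info, pass)`, so they are only safe if that helper copies everything it needs out of `pass`; its body is not part of this diff. If it stores `pass` or any of the `pw_*` strings by pointer, `*server_info` is left holding dangling references once the guest lookup returns. I would confirm that and record the contract where the frees happen, e.g. `/* make_server_info_pw() must deep-copy from pass; it is freed here */`.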
diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c
index 77839e4bb0..0101e0fe18 100644
--- a/source3/auth/pass_check.c
+++ b/source3/auth/pass_check.c
@@ -589,9 +589,10 @@ match is found and is used to update the encrypted password file
return NT_STATUS_OK on correct match, appropriate error otherwise
****************************************************************************/
-NTSTATUS pass_check(struct passwd *pass, char *user, char *password,
+NTSTATUS pass_check(const struct passwd *input_pass, char *user, char *password,
int pwlen, BOOL (*fn) (char *, char *), BOOL run_cracker)
{
+ struct passwd *pass;
pstring pass2;
int level = lp_passwordlevel();
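Review bot: `struct passwd *pass;` is declared without an initialiser, and the only assignment visible in this patch, `pass = make_modifyable_passwd(input_pass);`, sits in the `#else` (non-PAM) branch. The later hunk at `@@ -736,6 +753,7 @@` calls `passwd_free(&pass)` after `#endif /* defined(WITH_PAM) */`, so a WITH_PAM build appears to hand passwd_free an indeterminate pointer, while a non-PAM build reaches it after the `passwd_free(&pass)` already added just before that `#endif`. Declaring it as `struct passwd *pass = NULL;` makes both cases well defined, provided passwd_free tolerates and resets a NULL pointer (its body is not shown here). The body of pass_check continues outside these hunks, so this should be checked against the full function.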
@@ -620,15 +621,17 @@ NTSTATUS pass_check(struct passwd *pass, char *user, char *password,
DEBUG(4, ("pass_check: Checking (PAM) password for user %s (l=%d)\n", user, pwlen));
-#else /* Not using PAM or Kerebos */
+#else /* Not using PAM */
DEBUG(4, ("pass_check: Checking password for user %s (l=%d)\n", user, pwlen));
- if (!pass) {
+ if (!input_pass) {
DEBUG(3, ("Couldn't find user %s\n", user));
return NT_STATUS_NO_SUCH_USER;
}
+ pass = make_modifyable_passwd(input_pass);
+
#ifdef HAVE_GETSPNAM
{
struct spwd *spass;
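Review bot: The result of `make_modifyable_passwd(input_pass)` is used without a NULL check, and later hunks dereference it (`pass->pw_passwd` in the HAVE_GETPWANAM block and in `fstrcpy(this_crypted, pass->pw_passwd)`). The commit message describes the helper as making a copy, so an allocation failure presumably returns NULL and would crash the authentication path rather than fail the logon cleanly. I would add `if (!pass) return NT_STATUS_NO_MEMORY;` directly after the assignment. The HAVE_GETSPNAM block that follows continues outside this hunk.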
@@ -662,6 +665,15 @@ NTSTATUS pass_check(struct passwd *pass, char *user, char *password,
}
#endif
+#ifdef HAVE_GETPWANAM
+ {
+ struct passwd_adjunct *pwret;
+ pwret = getpwanam(s);
+ if (pwret && pwret->pwa_passwd)
+ pstrcpy(pass->pw_passwd,pwret->pwa_passwd);
+ }
+#endif
+
#ifdef OSF1_ENH_SEC
{
struct pr_passwd *mypasswd;
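Review bot: `getpwanam(s)` in the new HAVE_GETPWANAM block uses `s`, which is not a parameter of pass_check and is not declared in any line shown; it looks carried over from _Get_Pwnam(), which the commit message names as the place this special case was moved from. On platforms that define HAVE_GETPWANAM this probably does not compile, and the lookup most likely should be `pwret = getpwanam(user);` (or `this_user`, depending on which name the rest of the function treats as canonical). The `pstrcpy(pass->pw_passwd, pwret->pwa_passwd)` on the next line also relies on make_modifyable_passwd() giving `pw_passwd` a pstring-sized buffer; since the helper is not in this diff, a comment stating that assumption at the copy would help.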
@@ -698,22 +710,27 @@ NTSTATUS pass_check(struct passwd *pass, char *user, char *password,
this_salt[2] = 0;
#endif
+ /* Copy into global for the convenience of looping code */
fstrcpy(this_crypted, pass->pw_passwd);
if (!*this_crypted) {
if (!lp_null_passwords()) {
DEBUG(2, ("Disallowing %s with null password\n",
this_user));
+ passwd_free(&pass);
return NT_STATUS_LOGON_FAILURE;
}
if (!*password) {
DEBUG(3,
("Allowing access to %s with null password\n",
this_user));
+ passwd_free(&pass);
return NT_STATUS_OK;
}
}
+ passwd_free(&pass);
+
#endif /* defined(WITH_PAM) */
/* try it as it came to us */
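Review bot: The three `passwd_free(&pass)` calls added here release a private copy whose `pw_passwd` can hold the crypt hash (the HAVE_GETPWANAM block copies the adjunct password into it), and nothing visible clears that buffer before the free. Unless passwd_free already wipes the strings (its body is not in this diff), the hash stays readable in freed heap memory of the server process. Consider clearing it first, e.g. `memset(pass->pw_passwd, 0, strlen(pass->pw_passwd));`, or doing the wipe inside passwd_free so every caller gets it. Note that `this_crypted` still keeps its own global copy after this point.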
@@ -736,6 +753,7 @@ NTSTATUS pass_check(struct passwd *pass, char *user, char *password,
* need to proceed as we know it hasn't been case modified by the
* client */
if (strhasupper(password) && strhaslower(password)) {
+ passwd_free(&pass);
return nt_status;
}