authorJeremy Allison <jra@samba.org>2005-11-08 06:19:34 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:05:20 -0500
commitfcceedd67c29bae6941949a16ebef37e95dab601 (patch)
tree17233b5fb3522134c86ed4a3dd05e1f79a8f3a9f /source3/include
parentc3d673e5712b254ea6e3eef10041f3a30b70a983 (diff)
r11573: Adding Andrew Bartlett's patch to make machine account
logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes the auth module interface to 2 (from 1). The effect of this is that clients can access resources as a machine account if they set these flags. This is the same as Windows (think of a VPN where the vpn client authenticates itself to a VPN server using machine account credentials - the vpn server checks that the machine password was valid by performing a machine account check with the PDC in the same way as it would a user account check). I may add in a restriction (parameter) to allow this behaviour to be turned off (as it was previously). That may be on by default. Andrew Bartlett please review this change carefully. Jeremy. (This used to be commit d1caef866326346fb191f8129d13d98379f18cd8)
Diffstat (limited to 'source3/include')
-rw-r--r--source3/include/auth.h18
-rw-r--r--source3/include/libsmbclient.h5
-rw-r--r--source3/include/rpc_netlogon.h3
3 files changed, 16 insertions, 10 deletions
diff --git a/source3/include/auth.h b/source3/include/auth.h
index 7282f4d38b..f3dae1108b 100644
--- a/source3/include/auth.h
+++ b/source3/include/auth.h
@@ -21,15 +21,12 @@
*/
/* AUTH_STR - string */
-typedef struct normal_string
-{
+typedef struct normal_string {
int len;
char *str;
} AUTH_STR;
-typedef struct auth_usersupplied_info
-{
-
+typedef struct auth_usersupplied_info {
DATA_BLOB lm_resp;
DATA_BLOB nt_resp;
DATA_BLOB lm_interactive_pwd;
@@ -44,6 +41,8 @@ typedef struct auth_usersupplied_info
AUTH_STR smb_name; /* username before mapping */
AUTH_STR wksta_name; /* workstation name (netbios calling name) unicode string */
+ uint32 logon_parameters;
+
} auth_usersupplied_info;
#define SAM_FILL_NAME 0x01
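Review bot: The new `logon_parameters` member has no comment, although the fields just above it do. Going by the commit description, it holds flags the client chooses and decides whether a trust-account logon is accepted. I would document that at the declaration, for example `uint32 logon_parameters; /* client-supplied MSV1_0_* flags from the logon request; untrusted input */`. The code that fills `auth_usersupplied_info` is not in this diff, so it is worth confirming that every path building the structure sets the field explicitly (to 0 when the request carries no flags) rather than leaving it uninitialised. The struct definition starts before this hunk.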
@@ -52,8 +51,7 @@ typedef struct auth_usersupplied_info
#define SAM_FILL_UNIX 0x08
#define SAM_FILL_ALL (SAM_FILL_NAME | SAM_FILL_INFO3 | SAM_FILL_SAM | SAM_FILL_UNIX)
-typedef struct auth_serversupplied_info
-{
+typedef struct auth_serversupplied_info {
BOOL guest;
uid_t uid;
@@ -144,14 +142,14 @@ struct auth_init_function_entry {
struct auth_init_function_entry *prev, *next;
};
-typedef struct auth_ntlmssp_state
-{
+typedef struct auth_ntlmssp_state {
TALLOC_CTX *mem_ctx;
struct auth_context *auth_context;
struct auth_serversupplied_info *server_info;
struct ntlmssp_state *ntlmssp_state;
} AUTH_NTLMSSP_STATE;
-#define AUTH_INTERFACE_VERSION 1
+/* Changed from 1 -> 2 to add the logon_parameters field. */
+#define AUTH_INTERFACE_VERSION 2
#endif /* _SMBAUTH_H_ */
diff --git a/source3/include/libsmbclient.h b/source3/include/libsmbclient.h
index 2d7d96c2dd..46896d68e4 100644
--- a/source3/include/libsmbclient.h
+++ b/source3/include/libsmbclient.h
@@ -339,6 +339,11 @@ typedef int (*smbc_remove_cached_srv_fn)(SMBCCTX * c, SMBCSRV *srv);
typedef int (*smbc_purge_cached_fn) (SMBCCTX * c);
+/* close was renamed to close_fn, because close is often a macro.
+ * Allow backward compatability where this is not the case */
+#ifndef close
+#define close close_fn
+#endif
/**@ingroup structure
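Review bot: The `#define close close_fn` added to this public header rewrites every later use of the identifier `close` in any file that includes libsmbclient.h, not only the renamed item the comment refers to (presumably a structure member declared outside this hunk). In the `#ifndef close` case, where `close` is an ordinary function, an application's own `close(fd)` after the include would expand to `close_fn(fd)`, which nothing visible here declares. I would drop the alias and let callers switch to `close_fn`, or put it behind an opt-in macro that the application must define before including the header. The comment also misspells `compatibility`.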
diff --git a/source3/include/rpc_netlogon.h b/source3/include/rpc_netlogon.h
index b004e26397..c73cd03f10 100644
--- a/source3/include/rpc_netlogon.h
+++ b/source3/include/rpc_netlogon.h
@@ -95,6 +95,9 @@
#define SE_GROUP_LOGON_ID 0xC0000000
#define SE_GROUP_RESOURCE 0x20000000
+/* Flags for controlling the behaviour of a particular logon */
+#define MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT ( 0x020 )
+#define MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT ( 0x800 )
#if 0
/* I think this is correct - it's what gets parsed on the wire. JRA. */