This patch does a number of things, mostly smaller than they look :-)

In particuar, it moves the domain_client_validate stuff out of
auth_domain.c to somwhere where they (I hope) they can be shared
with winbind better.  (This may need some work)

The main purpose of this patch was however to improve some of the
internal documentation and to correctly place become_root()/unbecome_root()
calls within the code.

Finally this patch moves some more of auth.c into other files, auth_unix.c
in this case.

Andrew Bartlett
(This used to be commit ea1c547ac880def29f150de2172c95213509350e)

1 files changed, 363 insertions, 0 deletions

diff --git a/source3/libsmb/domain_client_validate.c b/source3/libsmb/domain_client_validate.c
new file mode 100644
index 0000000000..de5df84e9b
--- /dev/null
+++ b/source3/libsmb/domain_client_validate.c
@@ -0,0 +1,363 @@
+/* 
+   Unix SMB/Netbios implementation.
+   Version 1.9.
+   Authenticate against a remote domain
+   Copyright (C) Andrew Tridgell 1992-1998
+   Copyright (C) Andrew Bartlett 2001
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+extern int DEBUGLEVEL;
+extern struct in_addr ipzero;
+
+extern pstring global_myname;
+
+/***********************************************************************
+ Connect to a remote machine for domain security authentication
+ given a name or IP address.
+ ***********************************************************************/
+
+static BOOL connect_to_domain_password_server(struct cli_state *pcli, 
+					      char *server, unsigned char *trust_passwd)
+{
+	struct in_addr dest_ip;
+	fstring remote_machine;
+
+	if(cli_initialise(pcli) == NULL) {
+		DEBUG(0,("connect_to_domain_password_server: unable to initialize client connection.\n"));
+		return False;
+	}
+
+	if (is_ipaddress(server)) {
+		struct in_addr to_ip;
+	  
+		/* we shouldn't have 255.255.255.255 forthe IP address of 
+		   a password server anyways */
+		if ((to_ip.s_addr=inet_addr(server)) == 0xFFFFFFFF) {
+			DEBUG (0,("connect_to_domain_password_server: inet_addr(%s) returned 0xFFFFFFFF!\n", server));
+			return False;
+		}
+
+		if (!name_status_find(0x20, to_ip, remote_machine)) {
+			DEBUG(0, ("connect_to_domain_password_server: Can't "
+				  "resolve name for IP %s\n", server));
+			return False;
+		}
+	} else {
+		fstrcpy(remote_machine, server);
+	}
+
+	standard_sub_basic(remote_machine);
+	strupper(remote_machine);
+
+	if(!resolve_name( remote_machine, &dest_ip, 0x20)) {
+		DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", remote_machine));
+		cli_shutdown(pcli);
+		return False;
+	}
+  
+	if (ismyip(dest_ip)) {
+		DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n",
+			 remote_machine));
+		cli_shutdown(pcli);
+		return False;
+	}
+  
+	if (!cli_connect(pcli, remote_machine, &dest_ip)) {
+		DEBUG(0,("connect_to_domain_password_server: unable to connect to SMB server on \
+machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
+		cli_shutdown(pcli);
+		return False;
+	}
+  
+	if (!attempt_netbios_session_request(pcli, global_myname, remote_machine, &dest_ip)) {
+		DEBUG(0,("connect_to_password_server: machine %s rejected the NetBIOS \
+session request. Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
+		return False;
+	}
+  
+	pcli->protocol = PROTOCOL_NT1;
+
+	if (!cli_negprot(pcli)) {
+		DEBUG(0,("connect_to_domain_password_server: machine %s rejected the negotiate protocol. \
+Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
+		cli_shutdown(pcli);
+		return False;
+	}
+
+	if (pcli->protocol != PROTOCOL_NT1) {
+		DEBUG(0,("connect_to_domain_password_server: machine %s didn't negotiate NT protocol.\n",
+			 remote_machine));
+		cli_shutdown(pcli);
+		return False;
+	}
+
+	/*
+	 * Do an anonymous session setup.
+	 */
+
+	if (!cli_session_setup(pcli, "", "", 0, "", 0, "")) {
+		DEBUG(0,("connect_to_domain_password_server: machine %s rejected the session setup. \
+Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
+		cli_shutdown(pcli);
+		return False;
+	}
+
+	if (!(pcli->sec_mode & 1)) {
+		DEBUG(1,("connect_to_domain_password_server: machine %s isn't in user level security mode\n",
+			 remote_machine));
+		cli_shutdown(pcli);
+		return False;
+	}
+
+	if (!cli_send_tconX(pcli, "IPC$", "IPC", "", 1)) {
+		DEBUG(0,("connect_to_domain_password_server: machine %s rejected the tconX on the IPC$ share. \
+Error was : %s.\n", remote_machine, cli_errstr(pcli) ));
+		cli_shutdown(pcli);
+		return False;
+	}
+
+	/*
+	 * We now have an anonymous connection to IPC$ on the domain password server.
+	 */
+
+	/*
+	 * Even if the connect succeeds we need to setup the netlogon
+	 * pipe here. We do this as we may just have changed the domain
+	 * account password on the PDC and yet we may be talking to
+	 * a BDC that doesn't have this replicated yet. In this case
+	 * a successful connect to a DC needs to take the netlogon connect
+	 * into account also. This patch from "Bjart Kvarme" <bjart.kvarme@usit.uio.no>.
+	 */
+
+	if(cli_nt_session_open(pcli, PIPE_NETLOGON) == False) {
+		DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
+machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli)));
+		cli_nt_session_close(pcli);
+		cli_ulogoff(pcli);
+		cli_shutdown(pcli);
+		return False;
+	}
+
+	if (cli_nt_setup_creds(pcli, trust_passwd) == False) {
+		DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \
+%s. Error was : %s.\n", remote_machine, cli_errstr(pcli)));
+		cli_nt_session_close(pcli);
+		cli_ulogoff(pcli);
+		cli_shutdown(pcli);
+		return(False);
+	}
+
+	return True;
+}
+
+/***********************************************************************
+ Utility function to attempt a connection to an IP address of a DC.
+************************************************************************/
+
+static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, 
+				  unsigned char *trust_passwd)
+{
+	fstring dc_name;
+
+	/*
+	 * Ignore addresses we have already tried.
+	 */
+
+	if (ip_equal(ipzero, *ip))
+		return False;
+
+	if (!lookup_pdc_name(global_myname, lp_workgroup(), ip, dc_name))
+		return False;
+
+	return connect_to_domain_password_server(pcli, dc_name, trust_passwd);
+}
+
+/***********************************************************************
+ We have been asked to dynamcially determine the IP addresses of
+ the PDC and BDC's for this DOMAIN, and query them in turn.
+************************************************************************/
+static BOOL find_connect_pdc(struct cli_state *pcli, 
+			     unsigned char *trust_passwd, 
+			     time_t last_change_time)
+{
+	struct in_addr *ip_list = NULL;
+	int count = 0;
+	int i;
+	BOOL connected_ok = False;
+	time_t time_now = time(NULL);
+	BOOL use_pdc_only = False;
+
+	/*
+	 * If the time the machine password has changed
+	 * was less than an hour ago then we need to contact
+	 * the PDC only, as we cannot be sure domain replication
+	 * has yet taken place. Bug found by Gerald (way to go
+	 * Gerald !). JRA.
+	 */
+
+	if (time_now - last_change_time < 3600)
+		use_pdc_only = True;
+
+	if (!get_dc_list(use_pdc_only, lp_workgroup(), &ip_list, &count))
+		return False;
+
+	/*
+	 * Firstly try and contact a PDC/BDC who has the same
+	 * network address as any of our interfaces.
+	 */
+	for(i = 0; i < count; i++) {
+		if(!is_local_net(ip_list[i]))
+			continue;
+
+		if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) 
+			break;
+		
+		ip_list[i] = ipzero; /* Tried and failed. */
+	}
+
+	/*
+	 * Secondly try and contact a random PDC/BDC.
+	 */
+	if(!connected_ok) {
+		i = (sys_random() % count);
+
+		if (!(connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd)))
+			ip_list[i] = ipzero; /* Tried and failed. */
+	}
+
+	/*
+	 * Finally go through the IP list in turn, ignoring any addresses
+	 * we have already tried.
+	 */
+	if(!connected_ok) {
+		/*
+		 * Try and connect to any of the other IP addresses in the PDC/BDC list.
+		 * Note that from a WINS server the #1 IP address is the PDC.
+		 */
+		for(i = 0; i < count; i++) {
+			if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd)))
+				break;
+		}
+	}
+
+	if(ip_list != NULL)
+		free((char *)ip_list);
+
+
+	return connected_ok;
+}
+
+/***********************************************************************
+ Do the same as security=server, but using NT Domain calls and a session
+ key from the machine password.  If the server parameter is specified
+ use it, otherwise figure out a server from the 'password server' param.
+************************************************************************/
+
+uint32 domain_client_validate(const auth_usersupplied_info *user_info, 
+			      auth_serversupplied_info *server_info, 
+			      char *server, unsigned char *trust_passwd,
+			      time_t last_change_time)
+{
+	fstring remote_machine;
+	NET_ID_INFO_CTR ctr;
+	NET_USER_INFO_3 info3;
+	struct cli_state cli;
+	uint32 smb_uid_low;
+	BOOL connected_ok = False;
+	uint32 nt_status;
+
+	/* 
+	 * Check that the requested domain is not our own machine name.
+	 * If it is, we should never check the PDC here, we use our own local
+	 * password file.
+	 */
+
+	if(strequal(user_info->domain.str, global_myname)) {
+		DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n"));
+		return NT_STATUS_LOGON_FAILURE;
+	}
+
+	/*
+	 * At this point, smb_apasswd points to the lanman response to
+	 * the challenge in local_challenge, and smb_ntpasswd points to
+	 * the NT response to the challenge in local_challenge. Ship
+	 * these over the secure channel to a domain controller and
+	 * see if they were valid.
+	 */
+
+	ZERO_STRUCT(cli);
+
+	while (!connected_ok &&
+	       next_token(&server,remote_machine,LIST_SEP,sizeof(remote_machine))) {
+		if(strequal(remote_machine, "*")) {
+			connected_ok = find_connect_pdc(&cli, trust_passwd, last_change_time);
+		} else {
+			connected_ok = connect_to_domain_password_server(&cli, remote_machine, trust_passwd);
+		}
+	}
+
+	if (!connected_ok) {
+		DEBUG(0,("domain_client_validate: Domain password server not available.\n"));
+		cli_shutdown(&cli);
+		return NT_STATUS_LOGON_FAILURE;
+	}
+
+	/* We really don't care what LUID we give the user. */
+	generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False);
+
+	ZERO_STRUCT(info3);
+
+	if (!cli_nt_login_network(&cli, user_info, smb_uid_low, &ctr, &info3)) {
+		nt_status = cli_nt_error(&cli);
+		DEBUG(0,("domain_client_validate: unable to validate password for user %s in domain \
+%s to Domain controller %s. Error was %s.\n", user_info->smb_username.str, user_info->domain.str, remote_machine, cli_errstr(&cli)));
+	} else {
+		nt_status = NT_STATUS_NOPROBLEMO;
+	}
+
+	/*
+	 * Here, if we really want it, we have lots of info about the user in info3.
+	 */
+
+#if 0
+	/* 
+	 * We don't actually need to do this - plus it fails currently with
+	 * NT_STATUS_INVALID_INFO_CLASS - we need to know *exactly* what to
+	 * send here. JRA.
+	 */
+
+	if (nt_status == NT_STATUS_NOPROBLMO) {
+		if(cli_nt_logoff(&cli, &ctr) == False) {
+			DEBUG(0,("domain_client_validate: unable to log off user %s in domain \
+%s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli)));        
+			nt_status = NT_STATUS_LOGON_FAILURE;
+		}
+	}
+#endif /* 0 */
+
+	/* Note - once the cli stream is shutdown the mem_ctx used
+	   to allocate the other_sids and gids structures has been deleted - so
+	   these pointers are no longer valid..... */
+
+	cli_nt_session_close(&cli);
+	cli_ulogoff(&cli);
+	cli_shutdown(&cli);
+	return nt_status;
+}
+