summaryrefslogtreecommitdiff
path: root/source3/nsswitch
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2001-08-03 13:09:23 +0000
committerAndrew Bartlett <abartlet@samba.org>2001-08-03 13:09:23 +0000
commit986372901e85a79343ba32f590a4a3e7658d2565 (patch)
tree19c863631c1c0da0535adf090dbb4c566e7e9d3b /source3/nsswitch
parent8dad2a1310c6dc908934ac836377cbfed8f7a010 (diff)
downloadsamba-986372901e85a79343ba32f590a4a3e7658d2565.tar.gz
samba-986372901e85a79343ba32f590a4a3e7658d2565.tar.bz2
samba-986372901e85a79343ba32f590a4a3e7658d2565.zip
This is my 'Authentication Rewrite' version 1.01, mostly as submitted to
samba-technical a few weeks ago. The idea here is to standardize the checking of user names and passwords, thereby ensuring that all authtentications pass the same standards. The interface currently implemented in as nt_status = check_password(user_info, server_info) where user_info contains (mostly) the authentication data, and server_info contains things like the user-id they got, and their resolved user name. The current ugliness with the way the structures are created will be killed the next revision, when they will be created and malloced by creator functions. This patch also includes the first implementation of NTLMv2 in HEAD, but which needs some more testing. We also add a hack to allow plaintext passwords to be compared with smbpasswd, not the system password database. Finally, this patch probably reintroduces the PAM accounts bug we had in 2.2.0, I'll fix that once this hits the tree. (I've just finished testing it on a wide variety of platforms, so I want to get this patch in). (This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
Diffstat (limited to 'source3/nsswitch')
-rw-r--r--source3/nsswitch/winbindd_pam.c56
1 files changed, 48 insertions, 8 deletions
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 0cbc3166c8..558f418d94 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -23,6 +23,8 @@
#include "winbindd.h"
+extern pstring global_myname;
+
/* Copy of parse_domain_user from winbindd_util.c. Parse a string of the
form DOMAIN/user into a domain and a user */
@@ -50,10 +52,17 @@ static void parse_domain_user(char *domuser, fstring domain, fstring user)
enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
{
- BOOL result, user_exists;
+ BOOL result;
fstring name_domain, name_user;
int passlen;
+ unsigned char local_lm_response[24];
+ unsigned char local_nt_response[24];
+
+ auth_usersupplied_info user_info;
+ auth_serversupplied_info server_info;
+ AUTH_STR theirdomain, smb_username, wksta_name;
+
DEBUG(3, ("[%5d]: pam auth %s\n", state->pid,
state->request.data.auth.user));
@@ -68,17 +77,48 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
return WINBINDD_ERROR;
passlen = strlen(state->request.data.auth.pass);
-
+
+ ZERO_STRUCT(user_info);
+ ZERO_STRUCT(theirdomain);
+ ZERO_STRUCT(smb_username);
+ ZERO_STRUCT(wksta_name);
+
+ theirdomain.str = name_domain;
+ theirdomain.len = strlen(theirdomain.str);
+
+ user_info.requested_domain = theirdomain;
+ user_info.domain = theirdomain;
+
+ user_info.smb_username.str = name_user;
+ user_info.smb_username.len = strlen(name_user);
+
+ user_info.requested_username.str = name_user;
+ user_info.requested_username.len = strlen(name_user);
+
+ user_info.wksta_name.str = global_myname;
+ user_info.wksta_name.len = strlen(user_info.wksta_name.str);
+
+ user_info.wksta_name = wksta_name;
+
+ generate_random_buffer( user_info.chal, 8, False);
+
+ if (state->request.data.auth.pass) {
+ SMBencrypt((uchar *)state->request.data.auth.pass, user_info.chal, local_lm_response);
+ user_info.lm_resp.buffer = (uint8 *)local_lm_response;
+ user_info.lm_resp.len = 24;
+ SMBNTencrypt((uchar *)state->request.data.auth.pass, user_info.chal, local_nt_response);
+ user_info.nt_resp.buffer = (uint8 *)local_nt_response;
+ user_info.nt_resp.len = 24;
+ } else {
+ return WINBINDD_ERROR;
+ }
+
/* So domain_client_validate() actually opens a new connection
for each authentication performed. This can theoretically
be optimised to use an already open IPC$ connection. */
- result = domain_client_validate(name_user, name_domain,
- state->request.data.auth.pass,
- passlen,
- state->request.data.auth.pass,
- passlen, &user_exists,
- server_state.controller);
+ result = (domain_client_validate(&user_info, &server_info,
+ server_state.controller) == NT_STATUS_NOPROBLEMO);
return result ? WINBINDD_OK : WINBINDD_ERROR;
}