summaryrefslogtreecommitdiff
path: root/source3/nsswitch
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2001-10-31 10:46:25 +0000
committerAndrew Bartlett <abartlet@samba.org>2001-10-31 10:46:25 +0000
commit60f0627afb167faad57385d44f0b587186a7ac2b (patch)
treef7a03b2e1b90d1234c48fffaeaf92986060a0e77 /source3/nsswitch
parent83575bd3868ef3993107460d2c8e05f382eae351 (diff)
downloadsamba-60f0627afb167faad57385d44f0b587186a7ac2b.tar.gz
samba-60f0627afb167faad57385d44f0b587186a7ac2b.tar.bz2
samba-60f0627afb167faad57385d44f0b587186a7ac2b.zip
This is a farily large patch (3300 lines) and reworks most of the AuthRewrite
code. In particular this assists tpot in some of his work, becouse it provides the connection between the authenticaion and the vuid generation. Major Changes: - Fully malloc'ed structures. - Massive rework of the code so that all structures are made and destroyed using malloc and free, rather than hanging around on the stack. - SAM_ACCOUNT unix uids and gids are now pointers to the same, to allow them to be declared 'invalid' without the chance that people might get ROOT by default. - kill off some of the "DOMAIN\user" lookups. These can be readded at a more appropriate place (probably domain_client_validate.c) in the future. They don't belong in session setups. - Massive introduction of DATA_BLOB structures, particularly for passwords. - Use NTLMSSP flags to tell the backend what its getting, rather than magic lenghths. - Fix winbind back up again, but tpot is redoing this soon anyway. - Abstract much of the work in srv_netlog_nt back into auth helper functions. This is a LARGE change, and any assistance is testing it is appriciated. Domain logons are still broken (as far as I can tell) but other functionality seems intact. Needs testing with a wide variety of MS clients. Andrew Bartlett (This used to be commit f70fb819b2f57bd57232b51808345e2319d52f6c)
Diffstat (limited to 'source3/nsswitch')
-rw-r--r--source3/nsswitch/winbindd_pam.c87
1 files changed, 15 insertions, 72 deletions
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 5cf819a19d..59623b9f04 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -60,12 +60,8 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
unsigned char trust_passwd[16];
time_t last_change_time;
- unsigned char local_lm_response[24];
- unsigned char local_nt_response[24];
-
- auth_usersupplied_info user_info;
- auth_serversupplied_info server_info;
- AUTH_STR theirdomain, smb_username, wksta_name;
+ auth_usersupplied_info *user_info;
+ auth_serversupplied_info *server_info;
DEBUG(3, ("[%5d]: pam auth %s\n", state->pid,
state->request.data.auth.user));
@@ -82,37 +78,10 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
passlen = strlen(state->request.data.auth.pass);
- ZERO_STRUCT(user_info);
- ZERO_STRUCT(theirdomain);
- ZERO_STRUCT(smb_username);
- ZERO_STRUCT(wksta_name);
-
- theirdomain.str = name_domain;
- theirdomain.len = strlen(theirdomain.str);
-
- user_info.requested_domain = theirdomain;
- user_info.domain = theirdomain;
-
- user_info.smb_username.str = name_user;
- user_info.smb_username.len = strlen(name_user);
-
- user_info.unix_username.str = name_user;
- user_info.unix_username.len = strlen(name_user);
-
- user_info.wksta_name.str = global_myname;
- user_info.wksta_name.len = strlen(user_info.wksta_name.str);
-
- user_info.wksta_name = wksta_name;
-
- generate_random_buffer( user_info.chal, 8, False);
-
if (state->request.data.auth.pass[0]) {
- SMBencrypt((uchar *)state->request.data.auth.pass, user_info.chal, local_lm_response);
- user_info.lm_resp.buffer = (uint8 *)local_lm_response;
- user_info.lm_resp.len = 24;
- SMBNTencrypt((uchar *)state->request.data.auth.pass, user_info.chal, local_nt_response);
- user_info.nt_resp.buffer = (uint8 *)local_nt_response;
- user_info.nt_resp.len = 24;
+ make_user_info_for_winbind(&user_info,
+ name_user, name_domain,
+ state->request.data.auth.pass);
} else {
return WINBINDD_ERROR;
}
@@ -137,11 +106,11 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
for each authentication performed. This can theoretically
be optimised to use an already open IPC$ connection. */
- result = domain_client_validate(&user_info, &server_info,
+ result = domain_client_validate(user_info, &server_info,
auth_dc, trust_passwd,
last_change_time);
- free_serversupplied_info(&server_info); /* No info needed */
+ free_server_info(&server_info); /* No info needed */
return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
}
@@ -154,9 +123,8 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
fstring name_domain, name_user, auth_dc;
unsigned char trust_passwd[16];
time_t last_change_time;
- auth_usersupplied_info user_info;
- auth_serversupplied_info server_info;
- AUTH_STR theirdomain, smb_username, wksta_name;
+ auth_usersupplied_info *user_info;
+ auth_serversupplied_info *server_info;
DEBUG(3, ("[%5d]: pam auth crap %s\n", state->pid,
state->request.data.auth_crap.user));
@@ -166,36 +134,11 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
parse_domain_user(state->request.data.auth_crap.user, name_domain,
name_user);
- ZERO_STRUCT(user_info);
- ZERO_STRUCT(theirdomain);
- ZERO_STRUCT(smb_username);
- ZERO_STRUCT(wksta_name);
+ make_user_info_winbind_crap(&user_info, name_user,
+ name_domain, state->request.data.auth_crap.chal,
+ (uchar *)state->request.data.auth_crap.lm_resp, 24,
+ (uchar *)state->request.data.auth_crap.nt_resp, 24);
- theirdomain.str = name_domain;
- theirdomain.len = strlen(theirdomain.str);
-
- user_info.requested_domain = theirdomain;
- user_info.domain = theirdomain;
-
- user_info.smb_username.str = name_user;
- user_info.smb_username.len = strlen(name_user);
-
- user_info.unix_username.str = name_user;
- user_info.unix_username.len = strlen(name_user);
-
- user_info.wksta_name.str = global_myname;
- user_info.wksta_name.len = strlen(user_info.wksta_name.str);
-
- user_info.wksta_name = wksta_name;
-
- memcpy(user_info.chal, state->request.data.auth_crap.chal, 8);
-
- user_info.lm_resp.buffer = (uchar *)state->request.data.auth_crap.lm_resp;
- user_info.nt_resp.buffer = (uchar *)state->request.data.auth_crap.nt_resp;
-
- user_info.lm_resp.len = 24;
- user_info.nt_resp.len = 24;
-
/*
* Get the machine account password for our primary domain
*/
@@ -216,11 +159,11 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
for each authentication performed. This can theoretically
be optimised to use an already open IPC$ connection. */
- result = domain_client_validate(&user_info, &server_info,
+ result = domain_client_validate(user_info, &server_info,
auth_dc, trust_passwd,
last_change_time);
- free_serversupplied_info(&server_info); /* No info needed */
+ free_server_info(&server_info); /* No info needed */
return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
}