diff options
| author | Gerald Carter <jerry@samba.org> | 2000-11-13 23:03:34 +0000 |
|---|---|---|
| committer | Gerald Carter <jerry@samba.org> | 2000-11-13 23:03:34 +0000 |
| commit | 9fede0dc0dbad51528cd1384023d24549c3f0ba4 (patch) | |
| tree | 0f3a045da16581462aa3dce6e7221ee12924954b /source3/rpc_server/srv_netlog.c | |
| parent | 8f338ee3dd5d3b68b36c021a22b624678ea116f6 (diff) | |
| download | samba-9fede0dc0dbad51528cd1384023d24549c3f0ba4.tar.gz samba-9fede0dc0dbad51528cd1384023d24549c3f0ba4.tar.bz2 samba-9fede0dc0dbad51528cd1384023d24549c3f0ba4.zip | |
Large commit which restructures the local password storage API.
Currently the only backend which works is smbpasswd (tdb, LDAP, and NIS+)
are broken, but they were somewhat broken before. :)
The following functions implement the storage manipulation interface
/*The following definitions come from passdb/pdb_smbpasswd.c */
BOOL pdb_setsampwent (BOOL update);
void pdb_endsampwent (void);
SAM_ACCOUNT* pdb_getsampwent (void);
SAM_ACCOUNT* pdb_getsampwnam (char *username);
SAM_ACCOUNT* pdb_getsampwuid (uid_t uid);
SAM_ACCOUNT* pdb_getsampwrid (uint32 rid);
BOOL pdb_add_sam_account (SAM_ACCOUNT *sampass);
BOOL pdb_update_sam_account (SAM_ACCOUNT *sampass, BOOL override);
BOOL pdb_delete_sam_account (char* username);
There is also a host of pdb_set..() and pdb_get..() functions for
manipulating SAM_ACCOUNT struct members. Note that the struct
passdb_ops {} has gone away. Also notice that struct smb_passwd
(formally in smb.h) has been moved to passdb/pdb_smbpasswd.c
and is not accessed outisde of static internal functions in this
file. All local password searches should make use of the the SAM_ACCOUNT
struct and the previously mentioned functions.
I'll write some documentation for this later. The next step is to fix
the TDB passdb backend, then work on spliting the backends out into
share libraries, and finally get the LDAP backend going.
What works and may not:
o domain logons from Win9x works
o domain logons from WinNT 4 works
o user and group enumeration
as implemented by Tim works
o file and print access works
o changing password from
Win9x & NT ummm...i'll fix this tonight :)
If I broke anything else, just yell and I'll fix it. I think it
should be fairly quite.
-- jerry
(This used to be commit 0b92d0838ebdbe24f34f17e313ecbf61a0301389)
Diffstat (limited to 'source3/rpc_server/srv_netlog.c')
| -rw-r--r-- | source3/rpc_server/srv_netlog.c | 177 |
1 files changed, 83 insertions, 94 deletions
diff --git a/source3/rpc_server/srv_netlog.c b/source3/rpc_server/srv_netlog.c index 9f5d84ee1f..8e2b3819cb 100644 --- a/source3/rpc_server/srv_netlog.c +++ b/source3/rpc_server/srv_netlog.c @@ -264,7 +264,8 @@ static BOOL net_reply_sam_logoff(NET_Q_SAM_LOGOFF *q_s, prs_struct *rdata, static BOOL get_md4pw(char *md4pw, char *mach_name, char *mach_acct) { - struct smb_passwd *smb_pass; + SAM_ACCOUNT *sampass = NULL; + BYTE *pass = NULL; #if 0 /* @@ -285,13 +286,13 @@ static BOOL get_md4pw(char *md4pw, char *mach_name, char *mach_acct) #endif /* 0 */ become_root(); - smb_pass = getsmbpwnam(mach_acct); + sampass = pdb_getsampwnam(mach_acct); unbecome_root(); - if ((smb_pass) != NULL && !(smb_pass->acct_ctrl & ACB_DISABLED) && - (smb_pass->smb_nt_passwd != NULL)) + if ((sampass) != NULL && !(pdb_get_acct_ctrl(sampass) & ACB_DISABLED) && + ((pass=pdb_get_nt_passwd(sampass)) != NULL)) { - memcpy(md4pw, smb_pass->smb_nt_passwd, 16); + memcpy(md4pw, pass, 16); dump_data(5, md4pw, 16); return True; @@ -425,7 +426,7 @@ static BOOL api_net_srv_pwset(pipes_struct *p) uint32 status = NT_STATUS_WRONG_PASSWORD; DOM_CRED srv_cred; pstring mach_acct; - struct smb_passwd *smb_pass; + SAM_ACCOUNT *sampass; BOOL ret; user_struct *vuser; prs_struct *data = &p->in_data.data; @@ -454,10 +455,10 @@ static BOOL api_net_srv_pwset(pipes_struct *p) DEBUG(3,("Server Password Set Wksta:[%s]\n", mach_acct)); become_root(); - smb_pass = getsmbpwnam(mach_acct); + sampass = pdb_getsampwnam(mach_acct); unbecome_root(); - if (smb_pass != NULL) { + if (sampass != NULL) { unsigned char pwd[16]; int i; @@ -469,12 +470,12 @@ static BOOL api_net_srv_pwset(pipes_struct *p) cred_hash3( pwd, q_a.pwd, vuser->dc.sess_key, 0); /* lies! nt and lm passwords are _not_ the same: don't care */ - smb_pass->smb_passwd = pwd; - smb_pass->smb_nt_passwd = pwd; - smb_pass->acct_ctrl = ACB_WSTRUST; + pdb_set_lanman_passwd (sampass, pwd); + pdb_set_nt_passwd (sampass, pwd); + pdb_set_acct_ctrl (sampass, ACB_WSTRUST); - become_root(); - ret = mod_smbpwd_entry(smb_pass,False); + become_root(); + ret = pdb_update_sam_account (sampass,False); unbecome_root(); if (ret) { @@ -542,8 +543,8 @@ static BOOL api_net_sam_logoff(pipes_struct *p) net_login_interactive: *************************************************************************/ -static uint32 net_login_interactive(NET_ID_INFO_1 *id1, struct smb_passwd *smb_pass, - user_struct *vuser) +static uint32 net_login_interactive(NET_ID_INFO_1 *id1, SAM_ACCOUNT *sampass, + user_struct *vuser) { uint32 status = 0x0; @@ -579,8 +580,8 @@ static uint32 net_login_interactive(NET_ID_INFO_1 *id1, struct smb_passwd *smb_p dump_data(100, nt_pwd, 16); #endif - if (memcmp(smb_pass->smb_passwd , lm_pwd, 16) != 0 || - memcmp(smb_pass->smb_nt_passwd, nt_pwd, 16) != 0) + if (memcmp(pdb_get_lanman_passwd(sampass) ,lm_pwd, 16) != 0 || + memcmp(pdb_get_nt_passwd(sampass) ,nt_pwd, 16) != 0) { status = NT_STATUS_WRONG_PASSWORD; } @@ -592,8 +593,10 @@ static uint32 net_login_interactive(NET_ID_INFO_1 *id1, struct smb_passwd *smb_p net_login_network: *************************************************************************/ -static uint32 net_login_network(NET_ID_INFO_2 *id2, struct smb_passwd *smb_pass) +static uint32 net_login_network(NET_ID_INFO_2 *id2, SAM_ACCOUNT *sampass) { + BYTE *nt_pwd, *lanman_pwd; + DEBUG(5,("net_login_network: lm_len: %d nt_len: %d\n", id2->hdr_lm_chal_resp.str_str_len, id2->hdr_nt_chal_resp.str_str_len)); @@ -601,11 +604,12 @@ static uint32 net_login_network(NET_ID_INFO_2 *id2, struct smb_passwd *smb_pass) /* JRA. Check the NT password first if it exists - this is a higher quality password, if it exists and it doesn't match - fail. */ + nt_pwd = pdb_get_nt_passwd (sampass); + lanman_pwd = pdb_get_lanman_passwd (sampass); if (id2->hdr_nt_chal_resp.str_str_len == 24 && - smb_pass->smb_nt_passwd != NULL) + nt_pwd != NULL) { - if(smb_password_check((char *)id2->nt_chal_resp.buffer, - smb_pass->smb_nt_passwd, + if(smb_password_check((char *)id2->nt_chal_resp.buffer, nt_pwd, id2->lm_chal)) return 0x0; else @@ -622,8 +626,7 @@ static uint32 net_login_network(NET_ID_INFO_2 *id2, struct smb_passwd *smb_pass) if (id2->hdr_lm_chal_resp.str_str_len == 24 && smb_password_check((char *)id2->lm_chal_resp.buffer, - smb_pass->smb_passwd, - id2->lm_chal)) + lanman_pwd, id2->lm_chal)) { return 0x0; } @@ -646,21 +649,20 @@ static BOOL api_net_sam_logon(pipes_struct *p) NET_USER_INFO_3 usr_info; uint32 status = 0x0; DOM_CRED srv_cred; - struct smb_passwd *smb_pass = NULL; + SAM_ACCOUNT *sampass = NULL; + uint16 acct_ctrl; UNISTR2 *uni_samlogon_user = NULL; fstring nt_username; - struct passwd *pw; - prs_struct *data = &p->in_data.data; - prs_struct *rdata = &p->out_data.rdata; - + prs_struct *data = &p->in_data.data; + prs_struct *rdata = &p->out_data.rdata; user_struct *vuser = NULL; if ((vuser = get_valid_user_struct(vuid)) == NULL) return False; - memset(&q_l, '\0', sizeof(q_l)); - memset(&ctr, '\0', sizeof(ctr)); - memset(&usr_info, '\0', sizeof(usr_info)); + ZERO_STRUCT(q_l); + ZERO_STRUCT(ctr); + ZERO_STRUCT(usr_info); q_l.sam_id.ctr = &ctr; @@ -682,8 +684,7 @@ static BOOL api_net_sam_logon(pipes_struct *p) case INTERACTIVE_LOGON_TYPE: uni_samlogon_user = &q_l.sam_id.ctr->auth.id1.uni_user_name; - DEBUG(3,("SAM Logon (Interactive). Domain:[%s]. ", - lp_workgroup())); + DEBUG(3,("SAM Logon (Interactive). Domain:[%s]. ", lp_workgroup())); break; case NET_LOGON_TYPE: uni_samlogon_user = &q_l.sam_id.ctr->auth.id2.uni_user_name; @@ -699,7 +700,8 @@ static BOOL api_net_sam_logon(pipes_struct *p) /* check username exists */ - if (status == 0) { + if (status == 0) + { pstrcpy(nt_username, dos_unistrn2(uni_samlogon_user->buffer, uni_samlogon_user->uni_str_len)); @@ -709,40 +711,37 @@ static BOOL api_net_sam_logon(pipes_struct *p) * Convert to a UNIX username. */ map_username(nt_username); - - /* - * Do any case conversions. - */ - pw=Get_Pwnam(nt_username, True); + /* get the account information */ become_root(); - smb_pass = getsmbpwnam(nt_username); + sampass = pdb_getsampwnam(nt_username); unbecome_root(); - if (smb_pass == NULL) + acct_ctrl = pdb_get_acct_ctrl(sampass); + if (sampass == NULL) status = NT_STATUS_NO_SUCH_USER; - else if (smb_pass->acct_ctrl & ACB_PWNOTREQ) + else if (acct_ctrl & ACB_PWNOTREQ) status = 0; - else if (smb_pass->acct_ctrl & ACB_DISABLED) + else if (acct_ctrl & ACB_DISABLED) status = NT_STATUS_ACCOUNT_DISABLED; } /* Validate password - if required. */ - if ((status == 0) && !(smb_pass->acct_ctrl & ACB_PWNOTREQ)) { + if ((status == 0) && !(acct_ctrl & ACB_PWNOTREQ)) { switch (q_l.sam_id.logon_level) { case INTERACTIVE_LOGON_TYPE: /* interactive login. */ status = net_login_interactive(&q_l.sam_id.ctr->auth.id1, - smb_pass, vuser); + sampass, vuser); break; case NET_LOGON_TYPE: /* network login. lm challenge and 24 byte responses */ - status = net_login_network(&q_l.sam_id.ctr->auth.id2, smb_pass); + status = net_login_network(&q_l.sam_id.ctr->auth.id2, sampass); break; } } - + /* lkclXXXX this is the point at which, if the login was successful, that the SAM Local Security Authority should record that the user is logged in to the domain. @@ -753,49 +752,47 @@ static BOOL api_net_sam_logon(pipes_struct *p) if (status == 0) { DOM_GID *gids = NULL; int num_gids = 0; - NTTIME dummy_time; - pstring logon_script; - pstring profile_path; - pstring home_dir; - pstring home_drive; pstring my_name; pstring my_workgroup; pstring domain_groups; - uint32 r_uid; - uint32 r_gid; - fstring full_name; /* set up pointer indicating user/password failed to be found */ usr_info.ptr_user_info = 0; - - dummy_time.low = 0xffffffff; - dummy_time.high = 0x7fffffff; - + /* XXXX hack to get standard_sub_basic() to use sam logon username */ /* possibly a better way would be to do a become_user() call */ + + /* + * All this information should be filled in from the + * passdb information + */ sam_logon_in_ssb = True; pstrcpy(samlogon_user, nt_username); - pstrcpy(logon_script, lp_logon_script()); - standard_sub_advanced(-1, nt_username, "", pw->pw_gid, logon_script); +#if 0 + gid = pdb_get_gid(sampass); - pstrcpy(profile_path, lp_logon_path()); - standard_sub_advanced(-1, nt_username, "", pw->pw_gid, profile_path); - - pstrcpy(my_workgroup, lp_workgroup()); + pstrcpy(str, pdb_get_logon_script(sampass)); + standard_sub_advanced(-1, nt_username, "", gid, str); + pdb_set_logon_script(sampass, str); + + pstrcpy(str, pdb_get_profile_path(sampass)); + standard_sub_advanced(-1, nt_username, "", gid, str); + pdb_set_profile_path(sampass, str); + + pstrcpy(str, pdb_get_homedir(sampass)); + standard_sub_advanced(-1, nt_username, "", gid, str); + pdb_set_homedir(sampass, str); - pstrcpy(home_drive, lp_logon_drive()); - standard_sub_advanced(-1, nt_username, "", pw->pw_gid, home_drive); + fstrcpy(full_name, "<Full Name>"); + if (lp_unix_realname()) + fstrcpy(full_name, pdb_get_fullname(sampass)); +#endif - pstrcpy(home_dir, lp_logon_home()); - standard_sub_advanced(-1, nt_username, "", pw->pw_gid, home_dir); - + pstrcpy(my_workgroup, lp_workgroup()); pstrcpy(my_name, global_myname); strupper(my_name); - fstrcpy(full_name, "<Full Name>"); - if (lp_unix_realname()) - fstrcpy(full_name, pw->pw_gecos); /* * This is the point at which we get the group @@ -815,40 +812,32 @@ static BOOL api_net_sam_logon(pipes_struct *p) sam_logon_in_ssb = False; + /* + * This next call is where the 'domain admin users' parameter + * gets mapped. I'm leaving it out for now. The user and group rid + * has already been mapped into the SAM_ACCOUNT struct. I don't + * think this should be overridden here. The correct solution + * is proper group memberships and mapping. --jerry + */ +#if 0 if (pdb_name_to_rid(nt_username, &r_uid, &r_gid)) - init_net_user_info3(&usr_info, - &dummy_time, /* logon_time */ - &dummy_time, /* logoff_time */ - &dummy_time, /* kickoff_time */ - &dummy_time, /* pass_last_set_time */ - &dummy_time, /* pass_can_change_time */ - &dummy_time, /* pass_must_change_time */ - - nt_username , /* user_name */ - full_name, /* full_name */ - logon_script , /* logon_script */ - profile_path , /* profile_path */ - home_dir , /* home_dir */ - home_drive , /* dir_drive */ - +#endif + init_net_user_info3(&usr_info, sampass, 0, /* logon_count */ 0, /* bad_pw_count */ - - r_uid , /* RID user_id */ - r_gid , /* RID group_id */ num_gids, /* uint32 num_groups */ gids , /* DOM_GID *gids */ 0x20 , /* uint32 user_flgs (?) */ - NULL, /* char sess_key[16] */ - my_name , /* char *logon_srv */ my_workgroup, /* char *logon_dom */ - &global_sam_sid, /* DOM_SID *dom_sid */ NULL); /* char *other_sids */ + +#if 0 else status = NT_STATUS_NO_SUCH_USER; +#endif /* Free any allocated groups array. */ if(gids) |