author | Andrew Bartlett <abartlet@samba.org> | 2001-09-16 06:35:35 +0000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2001-09-16 06:35:35 +0000 |
commit | dec3cbcaf097a3d6fab9359e001279447a5f4def (patch) | |
tree | 6bfdbdcf71359c9126cc9c2d934e90a3d35106d9 /source3/rpc_server | |
parent | 9bae3609ac791b7cccdddc2cba4431d78eff60ef (diff) | |
Fix up workstation and kickoff time checks, moved to auth_smbpasswd.c where
they can have general effect.
Fixed up workstation support in the rest of samba, so that we can do these
checks.
Pass through the workstation for cli_net_logon(), if supplied.
(This used to be commit 7f04a139b2ee34b4c282590509cdf21395815a7a)
Diffstat (limited to 'source3/rpc_server')
-rw-r--r-- | source3/rpc_server/srv_netlog_nt.c | 40 | ||||
-rw-r--r-- | source3/rpc_server/srv_pipe.c | 23 |
2 files changed, 14 insertions, 49 deletions
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index 26da5ac061..ab5a0ff49e 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -6,6 +6,7 @@
 * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
 * Copyright (C) Paul Ashton 1997.
 * Copyright (C) Jeremy Allison 1998-2001.
+ * Copyirht (C) Andrew Bartlett 2001.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -473,7 +474,7 @@ NTSTATUS _net_sam_logoff(pipes_struct *p, NET_Q_SAM_LOGOFF *q_u, NET_R_SAM_LOGOF
 _net_logon_any: Use the new authentications subsystem to log in.
 *************************************************************************/
-static NTSTATUS _net_logon_any(NET_ID_INFO_CTR *ctr, char *user, char *domain, char *sess_key)
+static NTSTATUS _net_logon_any(NET_ID_INFO_CTR *ctr, char *user, char *domain, char *workstation, char *sess_key)
 {
 NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
@@ -508,12 +509,10 @@ static NTSTATUS _net_logon_any(NET_ID_INFO_CTR *ctr, char *user, char *domain, c
 user_info.unix_username = smb_username; /* For the time-being */
 user_info.smb_username = smb_username;
-#if 0
- user_info.wksta_name.str = cleint_name();
- user_info.wksta_name.len = strlen(client_name());
+ user_info.wksta_name.str = workstation;
+ user_info.wksta_name.len = strlen(workstation);
 user_info.wksta_name = wksta_name;
-#endif
 DEBUG(10,("_net_logon_any: Attempting validation level %d.\n", ctr->switch_value));
 switch (ctr->switch_value) {
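Review bot: In the third hunk of srv_netlog_nt.c the context line `user_info.wksta_name = wksta_name;` used to sit inside the `#if 0` block and is now compiled, directly after the two new assignments, so it appears to overwrite the workstation just stored in `user_info.wksta_name.str` and `.len`. `wksta_name` is declared outside the hunk, so what it holds cannot be checked from here; if it is never filled in, the workstation restriction this commit moves into the auth code would be evaluated against an empty or stale name. I would drop that line, or fill the local first and assign once: `wksta_name.str = workstation; wksta_name.len = strlen(workstation); user_info.wksta_name = wksta_name;`. `_net_logon_any` starts and ends outside the hunk.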
@@ -667,7 +666,7 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *
 DEBUG(10,("Attempting validation level %d for mapped username %s.\n", q_u->sam_id.ctr->switch_value, nt_username));
- status = _net_logon_any(q_u->sam_id.ctr, nt_username, nt_domain, (char *)p->dc.sess_key);
+ status = _net_logon_any(q_u->sam_id.ctr, nt_username, nt_domain, nt_workstation, (char *)p->dc.sess_key);
 /* Check account and password */
@@ -686,35 +685,6 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *
 return NT_STATUS_NO_SUCH_USER;
 }
- /* Test account expire time */
-
- if (time(NULL) > sampass->kickoff_time)
- return NT_STATUS_ACCOUNT_EXPIRED;
-
- /* Test workstation. Workstation list is comma separated. */
-
- if (sampass->workstations && *sampass->workstations) {
- char *s = strdup(sampass->workstations);
- BOOL invalid_ws = True;
- fstring tok;
-
- while(next_token(&s, tok, ",", sizeof(tok))) {
- if(strequal(tok, nt_workstation)) {
- invalid_ws = False;
- break;
- }
- }
-
- free(s);
-
- if (invalid_ws)
- return NT_STATUS_INVALID_WORKSTATION;
- }
-
- /* Test logon hours. */
-
- /* Test must change password. */
-
 /* This is the point at which, if the login was successful, that the SAM Local Security Authority should record that the user is logged in to the domain. */
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 4a09410e81..8629592c4c 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -302,6 +302,7 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm
 rpcstr_pull(domain, ntlmssp_resp->domain, sizeof(fstring), ntlmssp_resp->hdr_domain.str_str_len*2, 0);
 rpcstr_pull(wks, ntlmssp_resp->wks, sizeof(fstring), ntlmssp_resp->hdr_wks.str_str_len*2, 0);
 } else {
+ /* What charset are these meant to be in? */
 fstrcpy(user_name, ntlmssp_resp->user);
 fstrcpy(domain, ntlmssp_resp->domain);
 fstrcpy(wks, ntlmssp_resp->wks);
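Review bot: Nothing at the `_net_logon_any(...)` call in `_net_sam_logon` records that account-expiry and workstation enforcement now depend entirely on that call. The hunk after it deletes both checks, together with the `/* Test logon hours. */` and `/* Test must change password. */` placeholders, and the replacement code is not part of this diff. I would add a comment above the call such as `/* Account expiry and workstation restrictions are enforced in the auth subsystem (auth_smbpasswd.c), not here. */`, and keep a TODO for the two checks that were only placeholders so they are not forgotten. `nt_workstation` is set outside the hunk, so its origin cannot be checked here; if it is taken from the client's request, the comment should also say that the restriction is a policy check on a client-asserted name.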
@@ -328,24 +329,24 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm
 if((strlen(user_name) == 0) && (ntlmssp_resp->hdr_nt_resp.str_str_len==0))
- {
+ {
 guest_user = True;
-
- fstrcpy(pipe_user_name, lp_guestaccount(-1));
+
+ fstrcpy(pipe_user_name, lp_guestaccount(-1));
 DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", pipe_user_name));
 smb_passwd_ptr = null_smb_passwd;
-
+
 } else {
 /*
 * Pass the user through the NT -> unix user mapping
 * function.
 */
-
+
 fstrcpy(pipe_user_name, user_name);
 (void)map_username(pipe_user_name);
-
+
 /*
 * Do the length checking only if user is not NULL.
 */
@@ -368,7 +369,8 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm
 become_root();
 p->ntlmssp_auth_validated =
- NT_STATUS_IS_OK(pass_check_smb_with_chal(pipe_user_name, NULL, domain,
+ NT_STATUS_IS_OK(pass_check_smb_with_chal(pipe_user_name, NULL,
+ domain, wks,
 (uchar*)p->challenge, lm_owf, lm_pw_len, nt_owf, nt_pw_len));
@@ -391,13 +393,6 @@ failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name
 unbecome_root();
- /* Quit if the account was disabled. */
- if((pdb_get_acct_ctrl(sampass) & ACB_DISABLED) || !pdb_get_lanman_passwd(sampass)) {
- DEBUG(1,("Account for user '%s' was disabled.\n", pipe_user_name));
- pdb_free_sam(sampass);
- return False;
- }
-
 if(!pdb_get_nt_passwd(sampass)) {
 DEBUG(1,("Account for user '%s' has no NT password hash.\n", pipe_user_name));
 pdb_free_sam(sampass); |
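Review bot: The `wks` value now passed to `pass_check_smb_with_chal()` is copied straight from the client's NTLMSSP response earlier in `api_pipe_ntlmssp_verify` (`rpcstr_pull(wks, ntlmssp_resp->wks, ...)` or `fstrcpy(wks, ntlmssp_resp->wks)`), and in the non-Unicode branch its charset is an open question per the comment this commit adds. A workstation-list match on it is therefore a policy check on a client-asserted name and may compare differently between the two branches; a comment at the call saying so would help, for example `/* wks is client-supplied; used only for the workstation-list policy check */`. The last hunk also removes the `ACB_DISABLED` / missing-LANMAN-hash rejection and its `DEBUG(1, ...)` line, so rejecting disabled accounts on this pipe now rests on `pass_check_smb_with_chal()`, whose body is not in this diff. That is worth confirming, along with whether a logon attempt against a disabled account is still logged at a comparable level. The function starts and ends outside these hunks.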