authorAndrew Bartlett <abartlet@samba.org>2001-11-24 12:12:38 +0000
committerAndrew Bartlett <abartlet@samba.org>2001-11-24 12:12:38 +0000
commitd0a2faf78d316fec200497f5f7997df4c477a1e1 (patch)
treea1d9f9f837b2c88e6154fb5ee6214cbcebc97ad4 /source3/smbd/sesssetup.c
parentaf1a0238aa106a43006902e8ef593d7853913b0e (diff)
This is another rather major change to the samba authentication
subsystem. The particular aim is to modularize the interface - so that we can have arbitrary password back-ends. This code adds one such back-end, a 'winbind' module to authenticate against the winbind_auth_crap functionality. While fully-functional this code is mainly useful as a demonstration, because we don't get back the info3 as we would for direct ntdomain authentication. This commit introduced the new 'auth methods' parameter, in the spirit of the 'auth order' discussed on the lists. It is renamed because not all the methods may be consulted, even if previous methods fail - they may not have a suitable challenge for example. Also, we have a 'local' authentication method, for old-style 'unix if plaintext, sam if encrypted' authentication and a 'guest' module to handle guest logins in a single place. While this current design is not ideal, I feel that it does provide a better infrastructure than the current design, and can be built upon. The following parameters have changed: - use rhosts = This has been replaced by the 'rhosts' authentication method, and can be specified like 'auth methods = guest rhosts' - hosts equiv = This needs both this parameter and an 'auth methods' entry to be effective. (auth methods = guest hostsequiv ....) - plaintext to smbpasswd = This is replaced by specifying 'sam' rather than 'local' in the auth methods. The security = parameter is unchanged, and now provides defaults for the 'auth methods' parameter. The available auth methods are: guest rhosts hostsequiv sam (passdb direct hash access) unix (PAM, crypt() etc) local (the combination of the above, based on encryption) smbserver (old security=server) ntdomain (old security=domain) winbind (use winbind to cache DC connections) Assistance in testing, or the production of new and interesting authentication modules is always appreciated. Andrew Bartlett (This used to be commit 8d31eae52a9757739711dbb82035a4dfe6b40c99)
Diffstat (limited to 'source3/smbd/sesssetup.c')
-rw-r--r--source3/smbd/sesssetup.c123
1 files changed, 85 insertions, 38 deletions
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index b3e9b7be8f..c9db359569 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -23,6 +23,7 @@
#include "includes.h"
uint32 global_client_caps = 0;
+static auth_authsupplied_info *ntlmssp_auth_info;
/****************************************************************************
Add the standard 'Samba' signature to the end of the session setup.
@@ -37,6 +38,31 @@ static void add_signature(char *outbuf)
set_message_end(outbuf,p);
}
+/****************************************************************************
+ Do a 'guest' logon, getting back the
+****************************************************************************/
+static NTSTATUS check_guest_password(auth_serversupplied_info **server_info)
+{
+
+ auth_authsupplied_info *auth_info;
+ auth_usersupplied_info *user_info = NULL;
+
+ NTSTATUS nt_status;
+ char chal[8];
+
+ ZERO_STRUCT(chal);
+
+ DEBUG(3,("Got anonymous request\n"));
+
+ make_user_info_guest(&user_info);
+ make_auth_info_fixed(&auth_info, chal);
+
+ nt_status = check_password(user_info, auth_info, server_info);
+ free_auth_info(&auth_info);
+ return nt_status;
+}
+
+
#if HAVE_KRB5
/****************************************************************************
reply to a session setup spnego negotiate packet for kerberos
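Review bot: check_guest_password() never releases user_info: it calls free_auth_info(&auth_info) after check_password() but has no matching `free_user_info(&user_info);`, so each anonymous logon appears to leak the structure built by make_user_info_guest(). The results of make_user_info_guest() and make_auth_info_fixed() are also unchecked, and auth_info is declared without an initialiser, so a failed allocation could hand a NULL user_info or an indeterminate auth_info to check_password(). Initialising `auth_info = NULL` and returning NT_STATUS_NO_MEMORY on failure would close that, assuming both helpers report failure the way make_auth_info_subsystem() does. The header comment is cut off mid-sentence ("getting back the") and should say what is returned through *server_info.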
@@ -189,7 +215,7 @@ static int reply_spnego_negotiate(connection_struct *conn,
int i;
uint32 ntlmssp_command, neg_flags;
DATA_BLOB sess_key, chal, spnego_chal;
- uint8 cryptkey[8];
+ DATA_BLOB cryptkey;
BOOL got_kerberos = False;
/* parse out the OIDs and the first sec blob */
@@ -238,10 +264,12 @@ static int reply_spnego_negotiate(connection_struct *conn,
DEBUG(3,("Got neg_flags=%08x\n", neg_flags));
- if (!last_challenge(cryptkey)) {
- return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+ if (!make_auth_info_subsystem(&ntlmssp_auth_info)) {
+ return ERROR_NT(NT_STATUS_NO_MEMORY);
}
+ cryptkey = auth_get_challange(ntlmssp_auth_info);
+
/* Give them the challenge. For now, ignore neg_flags and just
return the flags we want. Obviously this is not correct */
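Review bot: make_auth_info_subsystem() writes into the file-scope ntlmssp_auth_info without releasing whatever an earlier negotiate left there; the only free visible in this diff is in reply_spnego_auth, so a negotiate that is never followed by an auth step leaves the previous context allocated. Consider `if (ntlmssp_auth_info) free_auth_info(&ntlmssp_auth_info);` before the call. The blob returned by auth_get_challange() is also used unchecked: the following hunk passes `cryptkey.data, cryptkey.length` where the old code passed a fixed 8 bytes, so a check that `cryptkey.length == 8` and `cryptkey.data` is non-NULL here would keep the challenge well-formed. The enclosing reply_spnego_negotiate starts and ends outside this hunk.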
@@ -255,7 +283,7 @@ static int reply_spnego_negotiate(connection_struct *conn,
0,
0x30, /* ?? */
neg_flags,
- cryptkey, 8,
+ cryptkey.data, cryptkey.length,
0, 0, 0,
0x3000); /* ?? */
@@ -268,6 +296,7 @@ static int reply_spnego_negotiate(connection_struct *conn,
reply_sesssetup_blob(conn, outbuf, spnego_chal);
data_blob_free(&chal);
+ data_blob_free(&cryptkey);
data_blob_free(&spnego_chal);
/* and tell smbd that we have already replied to this packet */
@@ -286,11 +315,9 @@ static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf,
char *workgroup, *user, *machine;
DATA_BLOB lmhash, nthash, sess_key;
DATA_BLOB plaintext_password = data_blob(NULL, 0);
- DATA_BLOB sec_blob;
uint32 ntlmssp_command, neg_flags;
NTSTATUS nt_status;
int sess_vuid;
- char chal[8];
auth_usersupplied_info *user_info = NULL;
auth_serversupplied_info *server_info = NULL;
@@ -327,26 +354,19 @@ static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf,
file_save("lmhash1.dat", lmhash.data, lmhash.length);
#endif
- if (!last_challenge(chal)) {
- DEBUG(0,("Encrypted login but no challange set!\n"));
- return ERROR_NT(NT_STATUS_LOGON_FAILURE);
- }
- sec_blob = data_blob(chal, 8);
- if (!sec_blob.data) {
- return ERROR_NT(NT_STATUS_NO_MEMORY);
- }
-
if (!make_user_info_map(&user_info,
user, workgroup,
- machine, sec_blob,
+ machine,
lmhash, nthash,
plaintext_password,
neg_flags, True)) {
return ERROR_NT(NT_STATUS_NO_MEMORY);
}
- nt_status = check_password(user_info, &server_info);
+ nt_status = check_password(user_info, ntlmssp_auth_info, &server_info);
+ free_auth_info(&ntlmssp_auth_info);
+
free_user_info(&user_info);
data_blob_free(&lmhash);
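Review bot: ntlmssp_auth_info reaches check_password() with no test that a negotiate packet ever set it. The removed last_challenge() block used to reject an auth request without a prior challenge with NT_STATUS_LOGON_FAILURE. A guard such as `if (!ntlmssp_auth_info) return ERROR_NT(NT_STATUS_LOGON_FAILURE);` before make_user_info_map() would keep that behaviour; without it the result depends on how check_password() treats a NULL auth context, which is not visible here. The early return on make_user_info_map() failure also leaves ntlmssp_auth_info allocated. reply_spnego_auth continues outside this hunk.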
@@ -383,18 +403,17 @@ static int reply_spnego_anonymous(connection_struct *conn, char *inbuf, char *ou
int length, int bufsize)
{
int sess_vuid;
- auth_usersupplied_info *user_info = NULL;
auth_serversupplied_info *server_info = NULL;
-
NTSTATUS nt_status;
- DEBUG(3,("Got anonymous request\n"));
-
- make_user_info_guest(&user_info);
+ nt_status = check_guest_password(&server_info);
- nt_status = check_password(user_info, &server_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return ERROR_NT(nt_status_squash(nt_status));
+ }
sess_vuid = register_vuid(server_info, lp_guestaccount());
+
free_server_info(&server_info);
if (sess_vuid == -1) {
@@ -490,6 +509,7 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
extern int max_send;
auth_usersupplied_info *user_info = NULL;
+ extern auth_authsupplied_info *negprot_global_auth_info;
auth_serversupplied_info *server_info = NULL;
NTSTATUS nt_status;
@@ -523,16 +543,12 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
lm_resp = data_blob(smb_buf(inbuf), passlen1);
} else {
plaintext_password = data_blob(smb_buf(inbuf), passlen1+1);
- if (!plaintext_password.data) {
- DEBUG(0,("reply_sesssetup_and_X: malloc failed for plaintext_password!\n"));
- return ERROR_NT(NT_STATUS_NO_MEMORY);
- } else {
- /* Ensure null termination */
- plaintext_password.data[passlen1] = 0;
- }
+ /* Ensure null termination */
+ plaintext_password.data[passlen1] = 0;
}
srvstr_pull(inbuf, user, smb_buf(inbuf)+passlen1, sizeof(user), -1, STR_TERMINATE);
+ *domain = 0;
} else {
uint16 passlen1 = SVAL(inbuf,smb_vwv7);
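Review bot: The write `plaintext_password.data[passlen1] = 0;` now runs without the NULL test this hunk removes. If data_blob() can still return a blob with NULL data on allocation failure, a session setup carrying a plaintext password would dereference NULL before any authentication has happened. Unless data_blob() was changed elsewhere in this commit to abort on failure (not visible here), keep the guard: `if (!plaintext_password.data) return ERROR_NT(NT_STATUS_NO_MEMORY);`. The enclosing branch of reply_sesssetup_and_X starts outside this hunk.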
@@ -645,15 +661,41 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
*user = 0;
}
- if (!make_user_info_for_reply(&user_info,
- user, domain,
- lm_resp, nt_resp,
- plaintext_password, doencrypt)) {
- return ERROR_NT(NT_STATUS_NO_MEMORY);
+ if (!*user) {
+
+ nt_status = check_guest_password(&server_info);
+
+ } else if (doencrypt) {
+ if (!make_user_info_for_reply_enc(&user_info,
+ user, domain,
+ lm_resp, nt_resp,
+ plaintext_password)) {
+ return ERROR_NT(NT_STATUS_NO_MEMORY);
+ }
+
+ nt_status = check_password(user_info, negprot_global_auth_info, &server_info);
+
+ } else {
+ auth_authsupplied_info *plaintext_auth_info = NULL;
+ DATA_BLOB chal;
+ if (!make_auth_info_subsystem(&plaintext_auth_info)) {
+ return ERROR_NT(NT_STATUS_NO_MEMORY);
+ }
+
+ chal = auth_get_challange(plaintext_auth_info);
+
+ if (!make_user_info_for_reply(&user_info,
+ user, domain, chal.data,
+ plaintext_password)) {
+ return ERROR_NT(NT_STATUS_NO_MEMORY);
+ }
+
+ nt_status = check_password(user_info, plaintext_auth_info, &server_info);
+
+ data_blob_free(&chal);
+ free_auth_info(&plaintext_auth_info);
}
-
- nt_status = check_password(user_info, &server_info);
-
+
free_user_info(&user_info);
data_blob_free(&lm_resp);
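Review bot: The plaintext branch returns on make_user_info_for_reply() failure without releasing chal or plaintext_auth_info, both of which are freed only on the success path; add `data_blob_free(&chal); free_auth_info(&plaintext_auth_info);` before that `return ERROR_NT(NT_STATUS_NO_MEMORY);`. In the encrypted branch negprot_global_auth_info is handed to check_password() unchecked, so the code relies on check_password() tolerating NULL if negprot never populated it; a guard returning NT_STATUS_LOGON_FAILURE would make that explicit. In the guest branch user_info stays NULL and still reaches `free_user_info(&user_info)`, which is only safe if that helper accepts a NULL pointer. reply_sesssetup_and_X starts and ends outside this hunk.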
@@ -726,3 +768,8 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
END_PROFILE(SMBsesssetupX);
return chain_reply(inbuf,outbuf,length,bufsize);
}
+
+
+
+
+