summaryrefslogtreecommitdiff
path: root/source3/smbd
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>1997-11-10 19:23:17 +0000
committerJeremy Allison <jra@samba.org>1997-11-10 19:23:17 +0000
commit77aec4ae6307c0ad0b843bbf23d64ccb1aaf7476 (patch)
tree92e15c7219e20ad5e58833b83f1387feb3e1125e /source3/smbd
parentcc512947c9e1744c5541252c7cc934ebcd2e6961 (diff)
downloadsamba-77aec4ae6307c0ad0b843bbf23d64ccb1aaf7476.tar.gz
samba-77aec4ae6307c0ad0b843bbf23d64ccb1aaf7476.tar.bz2
samba-77aec4ae6307c0ad0b843bbf23d64ccb1aaf7476.zip
Rolled back tree state to 11:59pm 8th November 1997 EST to
remove problems. Jeremy (This used to be commit 4a36ac236c2ad634f05efcd0179875d09988614a)
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/password.c140
-rw-r--r--source3/smbd/reply.c89
-rw-r--r--source3/smbd/server.c93
3 files changed, 212 insertions, 110 deletions
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index 7dd2133406..185fc68f5a 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -21,7 +21,7 @@
#include "includes.h"
-#ifdef NETGROUP
+#if (defined(NETGROUP) && defined (AUTOMOUNT))
#include "rpcsvc/ypclnt.h"
#endif
@@ -1475,3 +1475,141 @@ BOOL check_hosts_equiv(char *user)
return(False);
}
+
+static struct cli_state cli;
+
+/****************************************************************************
+return the client state structure
+****************************************************************************/
+struct cli_state *server_client(void)
+{
+ return &cli;
+}
+
+/****************************************************************************
+support for server level security
+****************************************************************************/
+struct cli_state *server_cryptkey(void)
+{
+ fstring desthost;
+ struct in_addr dest_ip;
+ extern fstring local_machine;
+ char *p;
+
+ if (!cli_initialise(&cli))
+ return NULL;
+
+ for (p=strtok(lp_passwordserver(),LIST_SEP); p ; p = strtok(NULL,LIST_SEP)) {
+ fstrcpy(desthost,p);
+ standard_sub_basic(desthost);
+ strupper(desthost);
+
+ dest_ip = *interpret_addr2(desthost);
+ if (zero_ip(dest_ip)) {
+ DEBUG(1,("Can't resolve address for %s\n",p));
+ continue;
+ }
+
+ if (ismyip(dest_ip)) {
+ DEBUG(1,("Password server loop - disabling password server %s\n",p));
+ continue;
+ }
+
+ if (cli_connect(&cli, desthost, &dest_ip)) {
+ DEBUG(3,("connected to password server %s\n",p));
+ break;
+ }
+ }
+
+ if (!p) {
+ DEBUG(1,("password server not available\n"));
+ cli_shutdown(&cli);
+ return NULL;
+ }
+
+ if (!cli_session_request(&cli, desthost, 0x20, local_machine)) {
+ DEBUG(1,("%s rejected the session\n",desthost));
+ cli_shutdown(&cli);
+ return NULL;
+ }
+
+ DEBUG(3,("got session\n"));
+
+ if (!cli_negprot(&cli)) {
+ DEBUG(1,("%s rejected the negprot\n",desthost));
+ cli_shutdown(&cli);
+ return NULL;
+ }
+
+ if (cli.protocol < PROTOCOL_LANMAN2 ||
+ !(cli.sec_mode & 1)) {
+ DEBUG(1,("%s isn't in user level security mode\n",desthost));
+ cli_shutdown(&cli);
+ return NULL;
+ }
+
+ DEBUG(3,("password server OK\n"));
+
+ return &cli;
+}
+
+/****************************************************************************
+validate a password with the password server
+****************************************************************************/
+BOOL server_validate(char *user, char *domain,
+ char *pass, int passlen,
+ char *ntpass, int ntpasslen)
+{
+ extern fstring local_machine;
+
+ if (!cli.initialised) {
+ DEBUG(1,("password server %s is not connected\n", cli.desthost));
+ return(False);
+ }
+
+ if (!cli_session_setup(&cli, user, pass, passlen, ntpass, ntpasslen, domain)) {
+ DEBUG(1,("password server %s rejected the password\n", cli.desthost));
+ return False;
+ }
+
+ /* if logged in as guest then reject */
+ if ((SVAL(cli.inbuf,smb_vwv2) & 1) != 0) {
+ DEBUG(1,("password server %s gave us guest only\n", cli.desthost));
+ return(False);
+ }
+
+
+ if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) {
+ DEBUG(1,("password server %s refused IPC$ connect\n", cli.desthost));
+ return False;
+ }
+
+
+ if (!cli_NetWkstaUserLogon(&cli,user,local_machine)) {
+ DEBUG(1,("password server %s failed NetWkstaUserLogon\n", cli.desthost));
+ cli_tdis(&cli);
+ return False;
+ }
+
+ if (cli.privilages == 0) {
+ DEBUG(1,("password server %s gave guest privilages\n", cli.desthost));
+ cli_tdis(&cli);
+ return False;
+ }
+
+ if (!strequal(cli.eff_name, user)) {
+ DEBUG(1,("password server %s gave different username %s\n",
+ cli.desthost,
+ cli.eff_name));
+ cli_tdis(&cli);
+ return False;
+ }
+
+ DEBUG(3,("password server %s accepted the password\n", cli.desthost));
+
+ cli_tdis(&cli);
+
+ return(True);
+}
+
+
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 532fc583c2..78dad6f02f 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -395,7 +395,6 @@ int reply_sesssetup_and_X(char *inbuf,char *outbuf,int length,int bufsize)
static BOOL done_sesssetup = False;
BOOL doencrypt = SMBENCRYPT();
char *domain = "";
- struct cli_state *pwd_srv = NULL;
*smb_apasswd = 0;
*smb_ntpasswd = 0;
@@ -519,17 +518,19 @@ int reply_sesssetup_and_X(char *inbuf,char *outbuf,int length,int bufsize)
if (!smb_pass)
{
/* lkclXXXX: if workstation entry doesn't exist, indicate logon failure */
- DEBUG(4,("Workstation trust account %s doesn't exist\n",user));
- SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); /* PAXX: Someone please unhack this */
- return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE)); /* decimal 109; critical NT error */
+ DEBUG(4,("Workstation trust account %s doesn't exist.",user));
+ SSVAL(outbuf, smb_flg2, 0xc003); /* PAXX: Someone please unhack this */
+ CVAL(outbuf, smb_reh) = 1; /* PAXX: Someone please unhack this */
+ return(ERROR(NT_STATUS_LOGON_FAILURE, 0xc000)); /* decimal 109 NT error, 0xc000 */
}
else
{
/* PAXX: This is the NO LOGON workstation trust account stuff */
/* lkclXXXX: if the workstation *does* exist, indicate failure differently! */
- DEBUG(4,("No Workstation trust account %s\n",user));
- SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); /* PAXX: Someone please unhack this */
- return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT)); /* decimal 409; critical NT error */
+ DEBUG(4,("No Workstation trust account %s",user));
+ SSVAL(outbuf, smb_flg2, 0xc003); /* PAXX: Someone please unhack this */
+ CVAL(outbuf, smb_reh) = 1; /* PAXX: Someone please unhack this */
+ return(ERROR(NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, 0xc000)); /* decimal 409 NT error, 0xc000 */
}
computer_id = True;
@@ -562,59 +563,43 @@ int reply_sesssetup_and_X(char *inbuf,char *outbuf,int length,int bufsize)
*/
if(!guest && strequal(user,lp_guestaccount(-1)) && (*smb_apasswd == 0))
- {
guest = True;
- }
-
- if (!guest && !(lp_security() == SEC_SERVER &&
- ((pwd_srv = pwd_server_connection()) != NULL) &&
- server_validate(pwd_srv, user, domain,
- smb_apasswd, smb_apasslen,
- smb_ntpasswd, smb_ntpasslen)) &&
- !check_hosts_equiv(user))
- {
- /* now check if it's a valid username/password */
- /* If an NT password was supplied try and validate with that
- first. This is superior as the passwords are mixed case
- 128 length unicode */
+ if (!guest && !(lp_security() == SEC_SERVER &&
+ server_validate(user, domain,
+ smb_apasswd, smb_apasslen,
+ smb_ntpasswd, smb_ntpasslen)) &&
+ !check_hosts_equiv(user))
+ {
- if (smb_ntpasslen)
- {
- /* check the NT password, if there is one. */
- if(!password_ok(user,smb_ntpasswd,smb_ntpasslen,NULL))
- {
- DEBUG(0,("NT Password did not match ! Defaulting to Lanman\n"));
- }
- else
- {
- valid_nt_password = True;
- }
- }
-
- /* check the LM password instead */
- if (!valid_nt_password && !password_ok(user,smb_apasswd,smb_apasslen,NULL))
- {
- if (!computer_id && lp_security() >= SEC_USER)
- {
+ /* now check if it's a valid username/password */
+ /* If an NT password was supplied try and validate with that
+ first. This is superior as the passwords are mixed case
+ 128 length unicode */
+ if(smb_ntpasslen)
+ {
+ if(!password_ok(user,smb_ntpasswd,smb_ntpasslen,NULL))
+ DEBUG(0,("NT Password did not match ! Defaulting to Lanman\n"));
+ else
+ valid_nt_password = True;
+ }
+ if (!valid_nt_password && !password_ok(user,smb_apasswd,smb_apasslen,NULL))
+ {
+ if (!computer_id && lp_security() >= SEC_USER) {
#if (GUEST_SESSSETUP == 0)
- return(ERROR(ERRSRV,ERRbadpw));
+ return(ERROR(ERRSRV,ERRbadpw));
#endif
#if (GUEST_SESSSETUP == 1)
- if (Get_Pwnam(user,True))
- return(ERROR(ERRSRV,ERRbadpw));
+ if (Get_Pwnam(user,True))
+ return(ERROR(ERRSRV,ERRbadpw));
#endif
- }
-
- /* no lm or nt password specified: username doesn't exist. allow guest access */
- if (*smb_apasswd || !Get_Pwnam(user,True))
- {
- strcpy(user, lp_guestaccount(-1));
- DEBUG(3,("Registered username %s for guest access\n",user));
- guest = True;
- }
- }
+ }
+ if (*smb_apasswd || !Get_Pwnam(user,True))
+ strcpy(user,lp_guestaccount(-1));
+ DEBUG(3,("Registered username %s for guest access\n",user));
+ guest = True;
}
+ }
if (!Get_Pwnam(user,True)) {
DEBUG(3,("No such user %s - using guest account\n",user));
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index a42b4deea2..908cf984b8 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -25,7 +25,6 @@
pstring servicesf = CONFIGFILE;
extern pstring debugf;
extern pstring sesssetup_user;
-extern pstring local_machine;
extern fstring myworkgroup;
char *InBuffer = NULL;
@@ -115,21 +114,6 @@ static int find_free_connection(int hash);
#define IS_DOS_SYSTEM(test_mode) (((test_mode) & aSYSTEM) != 0)
#define IS_DOS_HIDDEN(test_mode) (((test_mode) & aHIDDEN) != 0)
-/* use this to validate user against a password server. "security = server" */
-static struct cli_state pwd_srv;
-
-/****************************************************************************
- for use in reply.c, to access the password server connection.
-****************************************************************************/
-struct cli_state *pwd_server_connection(void)
-{
- if (pwd_srv.initialised)
- {
- return &pwd_srv;
- }
- return NULL;
-}
-
/****************************************************************************
when exiting, take the whole family
****************************************************************************/
@@ -2273,30 +2257,21 @@ int error_packet(char *inbuf,char *outbuf,int error_class,uint32 error_code,int
{
int outsize = set_message(outbuf,0,0,True);
int cmd;
- int flgs2;
- cmd = CVAL(inbuf,smb_com);
- flgs2 = SVAL(outbuf,smb_flg2);
+ cmd = CVAL(inbuf,smb_com);
- if ((flgs2 & FLAGS2_32_BIT_ERROR_CODES) == FLAGS2_32_BIT_ERROR_CODES)
- {
- SIVAL(outbuf,smb_rcls,error_code);
-
- DEBUG(3,("%s 32 bit error packet at line %d cmd=%d (%s) eclass=%08x [%s]\n",
- timestring(), line, cmd, smb_fn_name(cmd), error_code, smb_errstr(outbuf)));
- }
- else
- {
- CVAL(outbuf,smb_rcls) = error_class;
- SSVAL(outbuf,smb_err,error_code);
-
- DEBUG(3,("%s error packet at line %d cmd=%d (%s) eclass=%d ecode=%d\n",
- timestring(), line, cmd, smb_fn_name(cmd), error_class, error_code));
- }
+ CVAL(outbuf,smb_rcls) = error_class;
+ SSVAL(outbuf,smb_err,error_code);
+ DEBUG(3,("%s error packet at line %d cmd=%d (%s) eclass=%d ecode=%d\n",
+ timestring(),
+ line,
+ (int)CVAL(inbuf,smb_com),
+ smb_fn_name(CVAL(inbuf,smb_com)),
+ error_class,
+ error_code));
+
if (errno != 0)
- {
- DEBUG(3,("error string = %s\n", strerror(errno)));
- }
+ DEBUG(3,("error string = %s\n",strerror(errno)));
return(outsize);
}
@@ -2353,13 +2328,12 @@ static int sig_cld()
**************************************************************************/
static int sig_pipe()
{
+ struct cli_state *cli;
BlockSignals(True,SIGPIPE);
- if (pwd_srv.initialised)
- {
+ if ((cli = server_client()) && cli->initialised) {
DEBUG(3,("lost connection to password server\n"));
- cli_shutdown(&pwd_srv);
-
+ cli_shutdown(cli);
#ifndef DONT_REINSTALL_SIG
signal(SIGPIPE, SIGNAL_CAST sig_pipe);
#endif
@@ -3710,27 +3684,29 @@ int reply_lanman2(char *outbuf)
int secword=0;
BOOL doencrypt = SMBENCRYPT();
time_t t = time(NULL);
+ struct cli_state *cli = NULL;
char cryptkey[8];
char crypt_len = 0;
- if (lp_security() == SEC_SERVER && server_cryptkey(&pwd_srv, local_machine))
- {
+ if (lp_security() == SEC_SERVER) {
+ cli = server_cryptkey();
+ }
+
+ if (cli) {
DEBUG(3,("using password server validation\n"));
- doencrypt = ((pwd_srv.sec_mode & 2) != 0);
+ doencrypt = ((cli->sec_mode & 2) != 0);
}
if (lp_security()>=SEC_USER) secword |= 1;
if (doencrypt) secword |= 2;
- if (doencrypt)
- {
+ if (doencrypt) {
crypt_len = 8;
- if (pwd_srv.initialised)
- {
+ if (!cli) {
generate_next_challenge(cryptkey);
} else {
- memcpy(cryptkey, pwd_srv.cryptkey, 8);
- set_challenge(pwd_srv.cryptkey);
+ memcpy(cryptkey, cli->cryptkey, 8);
+ set_challenge(cli->cryptkey);
}
}
@@ -3775,14 +3751,16 @@ int reply_nt1(char *outbuf)
char cryptkey[8];
char crypt_len = 0;
- if (lp_security() == SEC_SERVER && server_cryptkey(&pwd_srv, local_machine))
- {
+ if (lp_security() == SEC_SERVER) {
+ cli = server_cryptkey();
+ }
+
+ if (cli) {
DEBUG(3,("using password server validation\n"));
- doencrypt = ((pwd_srv.sec_mode & 2) != 0);
+ doencrypt = ((cli->sec_mode & 2) != 0);
}
- if (doencrypt)
- {
+ if (doencrypt) {
crypt_len = 8;
if (!cli) {
generate_next_challenge(cryptkey);
@@ -4884,14 +4862,15 @@ static void process(void)
if (keepalive && (counter-last_keepalive)>keepalive)
{
+ struct cli_state *cli = server_client();
if (!send_keepalive(Client)) {
DEBUG(2,("%s Keepalive failed - exiting\n",timestring()));
return;
}
/* also send a keepalive to the password server if its still
connected */
- if (pwd_srv.initialised)
- send_keepalive(pwd_srv.fd);
+ if (cli && cli->initialised)
+ send_keepalive(cli->fd);
last_keepalive = counter;
}