diff options
author | Luke Leighton <lkcl@samba.org> | 1999-03-19 15:49:22 +0000 |
---|---|---|
committer | Luke Leighton <lkcl@samba.org> | 1999-03-19 15:49:22 +0000 |
commit | bd76e02ec43124e5666868e272b9b4bcfbccc99b (patch) | |
tree | c2e51879a56ca9809be2d28955761a9bf14dcd08 /source3/smbd | |
parent | f19e894577e1aa45f0915293e4ae14cb8a45a8d2 (diff) | |
download | samba-bd76e02ec43124e5666868e272b9b4bcfbccc99b.tar.gz samba-bd76e02ec43124e5666868e272b9b4bcfbccc99b.tar.bz2 samba-bd76e02ec43124e5666868e272b9b4bcfbccc99b.zip |
going to start adding inter-domain trust logons soon.
(This used to be commit f9f594c03e220a0d902c5c3c5835948348b19fee)
Diffstat (limited to 'source3/smbd')
-rw-r--r-- | source3/smbd/password.c | 253 |
1 files changed, 130 insertions, 123 deletions
diff --git a/source3/smbd/password.c b/source3/smbd/password.c index e1a4e66c40..68d75b933f 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -1018,151 +1018,158 @@ use this machine as the password server.\n")); /*********************************************************************** Do the same as security=server, but using NT Domain calls and a session - key from the machine password. + key from the workstation trust account password. ************************************************************************/ BOOL domain_client_validate( char *user, char *domain, char *smb_apasswd, int smb_apasslen, char *smb_ntpasswd, int smb_ntpasslen) { - uint16 nt_pipe_fnum; - unsigned char local_challenge[8]; - unsigned char local_lm_response[24]; - unsigned char local_nt_reponse[24]; - unsigned char trust_passwd[16]; - NET_ID_INFO_CTR ctr; - NET_USER_INFO_3 info3; - struct cli_state cli; - uint32 smb_uid_low; - - /* - * Check that the requested domain is not our own machine name. - * If it is, we should never check the PDC here, we use our own local - * password file. - */ - - if(strequal( domain, global_myname)) { - DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n")); - return False; - } - - /* - * Next, check that the passwords given were encrypted. - */ - - if(((smb_apasslen != 24) && (smb_apasslen != 0)) || - ((smb_ntpasslen != 24) && (smb_ntpasslen != 0))) { - - /* - * Not encrypted - do so. - */ + uint16 nt_pipe_fnum; + unsigned char local_challenge[8]; + unsigned char local_lm_response[24]; + unsigned char local_nt_reponse[24]; + unsigned char trust_passwd[16]; + NET_ID_INFO_CTR ctr; + NET_USER_INFO_3 info3; + struct cli_state cli; + uint32 smb_uid_low; + + /* + * Check that the requested domain is not our own machine name. + * If it is, we should never check the PDC here, we use our own local + * password file. + */ + + if(strequal( domain, global_myname)) + { + DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n")); + return False; + } - DEBUG(3,("domain_client_validate: User passwords not in encrypted format.\n")); - generate_random_buffer( local_challenge, 8, False); - SMBencrypt( (uchar *)smb_apasswd, local_challenge, local_lm_response); - SMBNTencrypt((uchar *)smb_ntpasswd, local_challenge, local_nt_reponse); - smb_apasslen = 24; - smb_ntpasslen = 24; - smb_apasswd = (char *)local_lm_response; - smb_ntpasswd = (char *)local_nt_reponse; - } else { + /* + * Next, check that the passwords given were encrypted. + */ - /* - * Encrypted - get the challenge we sent for these - * responses. - */ + if(((smb_apasslen != 24) && (smb_apasslen != 0)) || + ((smb_ntpasslen != 24) && (smb_ntpasslen != 0))) + { + /* + * Not encrypted - do so. + */ + + DEBUG(3,("domain_client_validate: User passwords not in encrypted format.\n")); + generate_random_buffer( local_challenge, 8, False); + SMBencrypt( (uchar *)smb_apasswd, local_challenge, local_lm_response); + SMBNTencrypt((uchar *)smb_ntpasswd, local_challenge, local_nt_reponse); + smb_apasslen = 24; + smb_ntpasslen = 24; + smb_apasswd = (char *)local_lm_response; + smb_ntpasswd = (char *)local_nt_reponse; + } + else + { + /* + * Encrypted - get the challenge we sent for these + * responses. + */ - if (!last_challenge(local_challenge)) { - DEBUG(0,("domain_client_validate: no challenge done - password failed\n")); - return False; - } - } + if (!last_challenge(local_challenge)) + { + DEBUG(0,("domain_client_validate: no challenge done - password failed\n")); + return False; + } + } - /* - * Get the machine account password. - */ - if (!trust_get_passwd( trust_passwd, global_myworkgroup, global_myname)) - { - return False; - } + /* + * Get the workstation trust account password. + */ + if (!trust_get_passwd( trust_passwd, global_myworkgroup, global_myname)) + { + return False; + } - /* - * At this point, smb_apasswd points to the lanman response to - * the challenge in local_challenge, and smb_ntpasswd points to - * the NT response to the challenge in local_challenge. Ship - * these over the secure channel to a domain controller and - * see if they were valid. - */ + /* + * At this point, smb_apasswd points to the lanman response to + * the challenge in local_challenge, and smb_ntpasswd points to + * the NT response to the challenge in local_challenge. Ship + * these over the secure channel to a domain controller and + * see if they were valid. + */ if (!cli_connect_serverlist(&cli, lp_passwordserver())) { - DEBUG(0,("domain_client_validate: Domain password server not available.\n")); - return False; - } + DEBUG(0,("domain_client_validate: Domain password server not available.\n")); + return False; + } - /* - * Ok - we have an anonymous connection to the IPC$ share. - * Now start the NT Domain stuff :-). - */ + /* + * Ok - we have an anonymous connection to the IPC$ share. + * Now start the NT Domain stuff :-). + */ + + if(cli_nt_session_open(&cli, PIPE_NETLOGON, &nt_pipe_fnum) == False) { + DEBUG(0,("domain_client_validate: unable to open the domain client session to \ + machine %s. Error was : %s.\n", cli.desthost, cli_errstr(&cli))); + cli_nt_session_close(&cli, nt_pipe_fnum); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return False; + } - if(cli_nt_session_open(&cli, PIPE_NETLOGON, &nt_pipe_fnum) == False) { - DEBUG(0,("domain_client_validate: unable to open the domain client session to \ -machine %s. Error was : %s.\n", cli.desthost, cli_errstr(&cli))); - cli_nt_session_close(&cli, nt_pipe_fnum); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return False; - } + if(cli_nt_setup_creds(&cli, nt_pipe_fnum, + cli.mach_acct, trust_passwd, SEC_CHAN_WKSTA) == False) + { + DEBUG(0,("domain_client_validate: unable to setup the PDC credentials to machine \ + %s. Error was : %s.\n", cli.desthost, cli_errstr(&cli))); + cli_nt_session_close(&cli, nt_pipe_fnum); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return False; + } - if(cli_nt_setup_creds(&cli, nt_pipe_fnum, - cli.mach_acct, trust_passwd, SEC_CHAN_WKSTA) == False) - { - DEBUG(0,("domain_client_validate: unable to setup the PDC credentials to machine \ -%s. Error was : %s.\n", cli.desthost, cli_errstr(&cli))); - cli_nt_session_close(&cli, nt_pipe_fnum); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return False; - } + /* We really don't care what LUID we give the user. */ + generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False); - /* We really don't care what LUID we give the user. */ - generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False); - - if(cli_nt_login_network(&cli, nt_pipe_fnum, domain, user, smb_uid_low, (char *)local_challenge, - ((smb_apasslen != 0) ? smb_apasswd : NULL), - ((smb_ntpasslen != 0) ? smb_ntpasswd : NULL), - &ctr, &info3) == False) { - DEBUG(0,("domain_client_validate: unable to validate password for user %s in domain \ -%s to Domain controller %s. Error was %s.\n", user, domain, cli.desthost, cli_errstr(&cli))); - cli_nt_session_close(&cli, nt_pipe_fnum); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return False; - } + if (!cli_nt_login_network(&cli, nt_pipe_fnum, domain, user, smb_uid_low, (char *)local_challenge, + ((smb_apasslen != 0) ? smb_apasswd : NULL), + ((smb_ntpasslen != 0) ? smb_ntpasswd : NULL), + &ctr, &info3)) + { + DEBUG(0,("domain_client_validate: unable to validate password for user %s in domain \ + %s to Domain controller %s. Error was %s.\n", user, domain, cli.desthost, cli_errstr(&cli))); + cli_nt_session_close(&cli, nt_pipe_fnum); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return False; + } - /* - * Here, if we really want it, we have lots of info about the user in info3. - */ + /* + * Here, if we really want it, we have lots of info about the user in info3. + * LKCLXXXX - really important to check things like "is this user acct + * locked out / disabled" etc!!!! + */ #if 0 - /* - * We don't actually need to do this - plus it fails currently with - * NT_STATUS_INVALID_INFO_CLASS - we need to know *exactly* what to - * send here. JRA. - */ + /* + * We don't actually need to do this - plus it fails currently with + * NT_STATUS_INVALID_INFO_CLASS - we need to know *exactly* what to + * send here. JRA. + */ - if(cli_nt_logoff(&cli, nt_pipe_fnum, &ctr) == False) { - DEBUG(0,("domain_client_validate: unable to log off user %s in domain \ -%s to Domain controller %s. Error was %s.\n", user, domain, cli.desthost, cli_errstr(&cli))); - cli_nt_session_close(&cli, nt_pipe_fnum); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return False; - } + if (!cli_nt_logoff(&cli, nt_pipe_fnum, &ctr)) + { + DEBUG(0,("domain_client_validate: unable to log off user %s in domain \ + %s to Domain controller %s. Error was %s.\n", user, domain, cli.desthost, cli_errstr(&cli))); + cli_nt_session_close(&cli, nt_pipe_fnum); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return False; + } #endif /* 0 */ - cli_nt_session_close(&cli, nt_pipe_fnum); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return True; + cli_nt_session_close(&cli, nt_pipe_fnum); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return True; } |