diff options
author | Luke Leighton <lkcl@samba.org> | 1999-12-12 20:03:42 +0000 |
---|---|---|
committer | Luke Leighton <lkcl@samba.org> | 1999-12-12 20:03:42 +0000 |
commit | 4f8a24522c683761c6f2ee23dba56f6c7913377b (patch) | |
tree | fef9baa89fc7695fe462cbace85a0f4276845d53 /source3/smbd | |
parent | 0ce128e3550794d4dbbd1def00e87c020f72c992 (diff) | |
download | samba-4f8a24522c683761c6f2ee23dba56f6c7913377b.tar.gz samba-4f8a24522c683761c6f2ee23dba56f6c7913377b.tar.bz2 samba-4f8a24522c683761c6f2ee23dba56f6c7913377b.zip |
final part of "first" phase converting over to msrpc daemon architecture.
done a minimal amout of clean-up in the Makefile, removing unnecessary
modules from the link stage. this is not complete, yet, and will
involve some changes, for example to smbd, to remove dependencies on
the password database API that shouldn't be there. for example,
smbd should not ever call getsmbpwXXX() it should call the Samr or Lsa
API.
this first implementation has minor problems with not reinstantiating
the same services as the caller. the "homes" service is a good example.
(This used to be commit caa50525220b0d0250fa139367593c2de2c12135)
Diffstat (limited to 'source3/smbd')
-rw-r--r-- | source3/smbd/password.c | 129 | ||||
-rw-r--r-- | source3/smbd/reply.c | 38 | ||||
-rw-r--r-- | source3/smbd/server.c | 11 |
3 files changed, 3 insertions, 175 deletions
diff --git a/source3/smbd/password.c b/source3/smbd/password.c index 91f727701c..fa46a74c14 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -606,132 +606,3 @@ use this machine as the password server.\n")); return(True); } -/*********************************************************************** - Do the same as security=server, but using NT Domain calls and a session - key from the workstation trust account password. -************************************************************************/ - -BOOL domain_client_validate( char *user, char *domain, - char *acct_name, uint16 acct_type, - char *smb_apasswd, int smb_apasslen, - char *smb_ntpasswd, int smb_ntpasslen, - uchar user_sess_key[16]) -{ - unsigned char local_challenge[8]; - unsigned char local_lm_response[24]; - unsigned char local_nt_reponse[24]; - unsigned char trust_passwd[16]; - NET_ID_INFO_CTR ctr; - NET_USER_INFO_3 info3; - uint32 smb_uid_low; - fstring trust_acct; - fstring srv_name; - - fstrcpy(trust_acct, acct_name); - fstrcat(trust_acct, "$"); - - /* - * Check that the requested domain is not our own machine name. - * If it is, we should never check the PDC here, we use our own local - * password file. - */ - - if(strequal( domain, global_myname)) - { - DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n")); - return False; - } - - if (!get_any_dc_name(domain, srv_name)) - { - DEBUG(3,("domain_client_validate: could not find domain %s\n", - domain)); - return False; - } - - /* - * Next, check that the passwords given were encrypted. - */ - - if(((smb_apasslen != 24) && (smb_apasslen != 0)) || - ((smb_ntpasslen <= 24) && (smb_ntpasslen != 0))) - { - /* - * Not encrypted - do so. - */ - - DEBUG(3,("domain_client_validate: User passwords not in encrypted format.\n")); - generate_random_buffer( local_challenge, 8, False); - SMBencrypt( (uchar *)smb_apasswd, local_challenge, local_lm_response); - SMBNTencrypt((uchar *)smb_ntpasswd, local_challenge, local_nt_reponse); - smb_apasslen = 24; - smb_ntpasslen = 24; - smb_apasswd = (char *)local_lm_response; - smb_ntpasswd = (char *)local_nt_reponse; - } - else - { - /* - * Encrypted - get the challenge we sent for these - * responses. - */ - - if (!last_challenge(local_challenge)) - { - DEBUG(0,("domain_client_validate: no challenge done - password failed\n")); - return False; - } - } - - /* - * Get the workstation trust account password. - */ - if (!trust_get_passwd( trust_passwd, domain, acct_name)) - { - return False; - } - - /* - * At this point, smb_apasswd points to the lanman response to - * the challenge in local_challenge, and smb_ntpasswd points to - * the NT response to the challenge in local_challenge. Ship - * these over the secure channel to a domain controller and - * see if they were valid. - */ - - /* - * Ok - we have an anonymous connection to the IPC$ share. - * Now start the NT Domain stuff :-). - */ - - if(cli_nt_setup_creds(srv_name, global_myname, trust_acct, - trust_passwd, acct_type) != 0x0) - { - DEBUG(0,("domain_client_validate: unable to setup the PDC credentials to machine \ - %s.\n", srv_name)); - return False; - } - - /* We really don't care what LUID we give the user. */ - generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False); - - if (!cli_nt_login_network(srv_name, global_myname, - domain, user, - smb_uid_low, (char *)local_challenge, - ((smb_apasslen != 0) ? smb_apasswd : NULL), - ((smb_ntpasslen != 0) ? smb_ntpasswd : NULL), - &ctr, &info3)) - { - DEBUG(0,("domain_client_validate: unable to validate password for user %s in domain \ - %s to Domain controller %s.\n", user, domain, srv_name)); - return False; - } - - /* - * Here, if we really want it, we have lots of info about the user in info3. - * LKCLXXXX - really important to check things like "is this user acct - * locked out / disabled" etc!!!! - */ - - return True; -} diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 81f2a9beb9..10146c1287 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -496,41 +496,6 @@ static BOOL check_server_security(char *orig_user, char *domain, } /**************************************************************************** - Check for a valid username and password in security=domain mode. -****************************************************************************/ - -static BOOL check_domain_security(char *orig_user, char *domain, - char *smb_apasswd, int smb_apasslen, - char *smb_ntpasswd, int smb_ntpasslen, - uchar user_sess_key[16]) -{ - fstring acct_name; - uint16 acct_type = 0; - - if (lp_security() == SEC_SHARE || lp_security() == SEC_SERVER) - { - return False; - } - - if (lp_security() == SEC_DOMAIN && strequal(domain, global_myworkgroup)) - { - fstrcpy(acct_name, global_myname); - acct_type = SEC_CHAN_WKSTA; - } - else - { - fstrcpy(acct_name, global_myworkgroup); - acct_type = SEC_CHAN_DOMAIN; - } - - return domain_client_validate(orig_user, domain, - acct_name, acct_type, - smb_apasswd, smb_apasslen, - smb_ntpasswd, smb_ntpasslen, - user_sess_key); -} - -/**************************************************************************** reply to a session setup command ****************************************************************************/ @@ -552,6 +517,7 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,int static BOOL done_sesssetup = False; BOOL doencrypt = SMBENCRYPT(); char *domain = ""; + uchar last_chal[8]; *smb_apasswd = 0; *smb_ntpasswd = 0; @@ -736,7 +702,9 @@ user %s attempted down-level SMB connection\n", user)); !check_server_security(orig_user, domain, smb_apasswd, smb_apasslen, smb_ntpasswd, smb_ntpasslen) && + !last_challenge(last_chal) && !check_domain_security(orig_user, domain, + last_chal, smb_apasswd, smb_apasslen, smb_ntpasswd, smb_ntpasslen, user_sess_key) && !check_hosts_equiv(user) diff --git a/source3/smbd/server.c b/source3/smbd/server.c index f6ea8ecb65..bdb2827483 100644 --- a/source3/smbd/server.c +++ b/source3/smbd/server.c @@ -480,7 +480,6 @@ static void init_structs(void) { exit_server("could not allocate policy handles\n"); } - init_printer_hnd(); /* for SPOOLSS handles */ init_dptrs(); init_dfs_table(); } @@ -678,16 +677,6 @@ static void usage(char *pname) } #endif /* WITH_SSL */ - start_msrpc_agent("lsarpc"); - add_msrpc_command_processor( "samr", "lsass", api_samr_rpc ); - add_msrpc_command_processor( "srvsvc", "ntsvcs", api_srvsvc_rpc ); - add_msrpc_command_processor( "wkssvc", "ntsvcs", api_wkssvc_rpc ); - add_msrpc_command_processor( "browser", "ntsvcs", api_brs_rpc ); - add_msrpc_command_processor( "svcctl", "ntsvcs", api_svcctl_rpc ); - add_msrpc_command_processor( "NETLOGON", "lsass", api_netlog_rpc ); - add_msrpc_command_processor( "winreg", "winreg", api_reg_rpc ); - add_msrpc_command_processor( "spoolss", "spoolss", api_spoolss_rpc ); - codepage_initialise(lp_client_code_page()); if (!pwdb_initialise(True)) |