genrand.c: Changed SMB_PASSWD_FILE to lp_smb_passwd_file().

password.c: Started the initial code for domain_client_validate(). All bracketed with #ifdef DOMAIN_CLIENT for now. reply.c: Call to domain_client_validate(). All bracketed with #ifdef DOMAIN_CLIENT for now. smbpass.c: New code to get/set machine passwords. Tidied up nesting of lock calls. Jeremy. (This used to be commit 89fe059a6816f32d2cc5c4c04c4089b60590e7e6)
author: Jeremy Allison <jra@samba.org> 1998-04-23 18:54:57 +0000
committer: Jeremy Allison <jra@samba.org> 1998-04-23 18:54:57 +0000
commit: a85f5bc268a1c13334b86ac3a44a026359c09371 (patch)
tree: 3b7e688003d1037600a9f12b1947fcb5e42645d3 /source3/smbd
parent: da4e61efad7c7c18595bec32dbb21a2045dadd2e (diff)
download: samba-a85f5bc268a1c13334b86ac3a44a026359c09371.tar.gz
samba-a85f5bc268a1c13334b86ac3a44a026359c09371.tar.bz2
samba-a85f5bc268a1c13334b86ac3a44a026359c09371.zip
2 files changed, 128 insertions, 54 deletions
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index c347f2de0d..04a1795e7f 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -31,6 +31,8 @@ extern int Protocol;
 /* users from session setup */
 static pstring session_users="";
 
+extern pstring myname;
+
 /* these are kept here to keep the string_combinations function simple */
 static char this_user[100]="";
 static char this_salt[100]="";
@@ -1860,3 +1862,74 @@ use this machine as the password server.\n"));
 
 	return(True);
 }
+
+#ifdef DOMAIN_CLIENT
+BOOL domain_client_validate( char *user, char *domain, 
+                             char *smb_apasswd, int smb_apasslen, 
+                             char *smb_ntpasswd, int smb_ntpasslen)
+{
+  unsigned char local_lm_hash[21];
+  unsigned char local_nt_hash[21];
+  unsigned char local_challenge[8];
+  unsigned char local_lm_response[24];
+  unsigned char local_nt_reponse[24];
+  BOOL encrypted = True;
+
+  /* 
+   * Check that the requested domain is not our own machine name.
+   * If it is, we should never check the PDC here, we use our own local
+   * password file.
+   */
+
+  if(strequal( domain, myname)) {
+    DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n"));
+    return False;
+  }
+
+  /*
+   * Next, check that the passwords given were encrypted.
+   */
+
+  if(smb_apasslen != 24 || smb_ntpasslen != 24) {
+
+    /*
+     * Not encrypted - do so.
+     */
+
+    DEBUG(3,("domain_client_validate: User passwords not in encrypted format.\n"));
+    encrypted = False;
+    memset(local_lm_hash, '\0', sizeof(local_lm_hash));
+    E_P16((uchar *) smb_apasswd, local_lm_hash);
+    memset(local_nt_hash, '\0', sizeof(local_nt_hash));
+    E_md4hash((uchar *) smb_ntpasswd, local_nt_hash);
+    generate_random_buffer( local_challenge, 8, False);
+    E_P24(local_lm_hash, local_challenge, local_lm_response);
+    E_P24(local_nt_hash, local_challenge, local_nt_reponse);
+    smb_apasslen = 24;
+    smb_ntpasslen = 24;
+    smb_apasswd = (char *)local_lm_response;
+    smb_ntpasswd = (char *)local_nt_reponse;
+  } else {
+
+    /*
+     * Encrypted - get the challenge we sent for these
+     * responses.
+     */
+
+    if (!last_challenge(local_challenge)) {
+      DEBUG(0,("domain_client_validate: no challenge done - password failed\n"));
+      return False;
+    }
+  }
+
+  /*
+   * At this point, smb_apasswd points to the lanman response to
+   * the challenge in local_challenge, and smb_ntpasswd points to
+   * the NT response to the challenge in local_challenge. Ship
+   * these over the secure channel to a domain controller and
+   * see if they were valid.
+   */
+
+  return False;
+}
+#endif /* DOMAIN_CLIENT */
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 2f3b3660fc..4472aa16e6 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -377,65 +377,66 @@ static int session_trust_account(char *inbuf, char *outbuf, char *user,
                                 char *smb_passwd, int smb_passlen,
                                 char *smb_nt_passwd, int smb_nt_passlen)
 {
-        struct smb_passwd *smb_trust_acct = NULL; /* check if trust account exists */
-        if (lp_security() == SEC_USER)
-        {
-                smb_trust_acct = getsmbpwnam(user);
-        }
-        else
-        {
-                DEBUG(3,("Trust account %s only supported with security = user\n", user));
-                SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
-                return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE));
-        }
+  struct smb_passwd *smb_trust_acct = NULL; /* check if trust account exists */
+  if (lp_security() == SEC_USER)
+  {
+    smb_trust_acct = getsmbpwnam(user);
+  }
+  else
+  {
+    DEBUG(0,("session_trust_account: Trust account %s only supported with security = user\n", user));
+    SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
+    return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE));
+  }
 
-        if (smb_trust_acct == NULL)
-        {
-                /* lkclXXXX: workstation entry doesn't exist */
-                DEBUG(4,("Trust account %s user doesn't exist\n",user));
-                SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
-                return(ERROR(0, 0xc0000000|NT_STATUS_NO_SUCH_USER));
-        }
-        else
-        {
-                if ((smb_passlen != 24) || (smb_nt_passlen != 24))
-                {
-                        DEBUG(4,("Trust account %s - password length wrong.\n", user));
-                        SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
-                        return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE));
-                }
+  if (smb_trust_acct == NULL)
+  {
+    /* lkclXXXX: workstation entry doesn't exist */
+    DEBUG(0,("session_trust_account: Trust account %s user doesn't exist\n",user));
+    SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
+    return(ERROR(0, 0xc0000000|NT_STATUS_NO_SUCH_USER));
+  }
+  else
+  {
+    if ((smb_passlen != 24) || (smb_nt_passlen != 24))
+    {
+      DEBUG(0,("session_trust_account: Trust account %s - password length wrong.\n", user));
+      SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
+      return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE));
+    }
 
-                if (!smb_password_ok(smb_trust_acct, smb_passwd, smb_nt_passwd))
-                {
-                        DEBUG(4,("Trust Account %s - password failed\n", user));
-                        SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
-                        return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE));
-                }
+    if (!smb_password_ok(smb_trust_acct, smb_passwd, smb_nt_passwd))
+    {
+      DEBUG(0,("session_trust_account: Trust Account %s - password failed\n", user));
+      SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
+      return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE));
+    }
 
-                if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_DOMTRUST))
-                {
-                        DEBUG(4,("Domain trust account %s denied by server\n",user));
-                        SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
-                        return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT));
-                }
+    if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_DOMTRUST))
+    {
+      DEBUG(0,("session_trust_account: Domain trust account %s denied by server\n",user));
+      SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
+      return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT));
+    }
 
-                if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_SVRTRUST))
-                {
-                        DEBUG(4,("Server trust account %s denied by server\n",user));
-                        SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
-                        return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT));
-                }
-                if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_WSTRUST))
-                {
-                        DEBUG(4,("Wksta trust account %s denied by server\n", user));
-                        SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
-                        return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT));
-                }
-        }
+    if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_SVRTRUST))
+    {
+      DEBUG(0,("session_trust_account: Server trust account %s denied by server\n",user));
+      SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
+      return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT));
+    }
+
+    if (IS_BITS_SET_ALL(smb_trust_acct->acct_ctrl, ACB_WSTRUST))
+    {
+      DEBUG(4,("session_trust_account: Wksta trust account %s denied by server\n", user));
+      SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
+      return(ERROR(0, 0xc0000000|NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT));
+    }
+  }
 
-        /* don't know what to do: indicate logon failure */
-        SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
-        return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE));
+  /* don't know what to do: indicate logon failure */
+  SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES);
+  return(ERROR(0, 0xc0000000|NT_STATUS_LOGON_FAILURE));
 }
author	Jeremy Allison <jra@samba.org>	1998-04-23 18:54:57 +0000
committer	Jeremy Allison <jra@samba.org>	1998-04-23 18:54:57 +0000
commit	a85f5bc268a1c13334b86ac3a44a026359c09371 (patch)
tree	3b7e688003d1037600a9f12b1947fcb5e42645d3 /source3/smbd
parent	da4e61efad7c7c18595bec32dbb21a2045dadd2e (diff)
download	samba-a85f5bc268a1c13334b86ac3a44a026359c09371.tar.gz samba-a85f5bc268a1c13334b86ac3a44a026359c09371.tar.bz2 samba-a85f5bc268a1c13334b86ac3a44a026359c09371.zip