diff options
author | Andrew Bartlett <abartlet@samba.org> | 2001-08-12 11:19:57 +0000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2001-08-12 11:19:57 +0000 |
commit | 6ad80352dd2523c310258de3211a2af0f1763d2a (patch) | |
tree | 7058ea9d3faf2c4f72a9b7edcca6d4ac856108b9 /source3/smbd | |
parent | 9644bf74bd90ef5b9c016434408be1acaa311978 (diff) | |
download | samba-6ad80352dd2523c310258de3211a2af0f1763d2a.tar.gz samba-6ad80352dd2523c310258de3211a2af0f1763d2a.tar.bz2 samba-6ad80352dd2523c310258de3211a2af0f1763d2a.zip |
This patch does a number of things, mostly smaller than they look :-)
In particuar, it moves the domain_client_validate stuff out of
auth_domain.c to somwhere where they (I hope) they can be shared
with winbind better. (This may need some work)
The main purpose of this patch was however to improve some of the
internal documentation and to correctly place become_root()/unbecome_root()
calls within the code.
Finally this patch moves some more of auth.c into other files, auth_unix.c
in this case.
Andrew Bartlett
(This used to be commit ea1c547ac880def29f150de2172c95213509350e)
Diffstat (limited to 'source3/smbd')
-rw-r--r-- | source3/smbd/auth.c | 83 | ||||
-rw-r--r-- | source3/smbd/auth_domain.c | 374 | ||||
-rw-r--r-- | source3/smbd/auth_rhosts.c | 21 | ||||
-rw-r--r-- | source3/smbd/auth_smbpasswd.c | 10 | ||||
-rw-r--r-- | source3/smbd/auth_unix.c | 85 |
5 files changed, 153 insertions, 420 deletions
diff --git a/source3/smbd/auth.c b/source3/smbd/auth.c index 94008e4d00..bbcf34e8ca 100644 --- a/source3/smbd/auth.c +++ b/source3/smbd/auth.c @@ -27,46 +27,6 @@ extern int DEBUGLEVEL; extern pstring global_myname; - -/**************************************************************************** -update the encrypted smbpasswd file from the plaintext username and password - -this ugly hack needs to die, but not quite yet... -*****************************************************************************/ -static BOOL update_smbpassword_file(char *user, char *password) -{ - SAM_ACCOUNT *sampass = NULL; - BOOL ret; - - pdb_init_sam(&sampass); - - become_root(); - ret = pdb_getsampwnam(sampass, user); - unbecome_root(); - - if(ret == False) { - DEBUG(0,("update_smbpassword_file: pdb_getsampwnam failed to locate %s\n", user)); - pdb_free_sam(sampass); - return False; - } - - /* - * Remove the account disabled flag - we are updating the - * users password from a login. - */ - pdb_set_acct_ctrl(sampass, pdb_get_acct_ctrl(sampass) & ~ACB_DISABLED); - - /* Here, the flag is one, because we want to ignore the - XXXXXXX'd out password */ - ret = change_oem_password( sampass, password, True); - if (ret == False) { - DEBUG(3,("change_oem_password returned False\n")); - } - - pdb_free_sam(sampass); - return ret; -} - /**************************************************************************** Check user is in correct domain if required ****************************************************************************/ @@ -88,21 +48,29 @@ static BOOL check_domain_match(char *user, char *domain) } } +/**************************************************************************** + Check a users password, as given in the user-info struct and return various + interesting details in the server_info struct. + + This functions does NOT need to be in a become_root()/unbecome_root() pair + as it makes the calls itself when needed. +****************************************************************************/ uint32 check_password(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) { uint32 nt_status = NT_STATUS_LOGON_FAILURE; - + BOOL done_pam = False; + DEBUG(3, ("check_password: Checking password for user %s with the new password interface\n", user_info->smb_username.str)); - if (check_hosts_equiv(user_info->smb_username.str)) { - nt_status = NT_STATUS_NOPROBLEMO; - } - if (!check_domain_match(user_info->smb_username.str, user_info->domain.str)) { return NT_STATUS_LOGON_FAILURE; } + if (nt_status != NT_STATUS_NOPROBLEMO) { + nt_status = check_rhosts_security(user_info, server_info); + } + if ((lp_security() == SEC_DOMAIN) && (nt_status != NT_STATUS_NOPROBLEMO)) { nt_status = check_domain_security(user_info, server_info); } @@ -115,28 +83,23 @@ uint32 check_password(const auth_usersupplied_info *user_info, auth_serversuppli smb_user_control(user_info->smb_username.str, nt_status); } - if ((nt_status != NT_STATUS_NOPROBLEMO) - && (user_info->plaintext_password.len > 0) - && (!lp_plaintext_to_smbpasswd())) { - return (pass_check(user_info->smb_username.str, - user_info->plaintext_password.str, - user_info->plaintext_password.len, - lp_update_encrypted() ? - update_smbpassword_file : NULL) - ? NT_STATUS_NOPROBLEMO : NT_STATUS_LOGON_FAILURE); - } - if (nt_status != NT_STATUS_NOPROBLEMO) { - nt_status = check_smbpasswd_security(user_info, server_info); + if ((user_info->plaintext_password.len > 0) + && (!lp_plaintext_to_smbpasswd())) { + nt_status = check_unix_security(user_info, server_info); + done_pam = True; + } else { + nt_status = check_smbpasswd_security(user_info, server_info); + } } - - if (nt_status == NT_STATUS_NOPROBLEMO) { + + if ((nt_status == NT_STATUS_NOPROBLEMO) && !done_pam) { /* We might not be root if we are an RPC call */ become_root(); nt_status = smb_pam_accountcheck(user_info->smb_username.str); unbecome_root(); } - + if (nt_status == NT_STATUS_NOPROBLEMO) { DEBUG(5, ("check_password: Password for user %s suceeded\n", user_info->smb_username.str)); } else { diff --git a/source3/smbd/auth_domain.c b/source3/smbd/auth_domain.c index e94ea13edc..a2e3c7a9b5 100644 --- a/source3/smbd/auth_domain.c +++ b/source3/smbd/auth_domain.c @@ -23,289 +23,39 @@ #include "includes.h" extern int DEBUGLEVEL; -extern struct in_addr ipzero; BOOL global_machine_password_needs_changing = False; -extern pstring global_myname; - -/*********************************************************************** - Connect to a remote machine for domain security authentication - given a name or IP address. - ***********************************************************************/ - -static BOOL connect_to_domain_password_server(struct cli_state *pcli, - char *server, unsigned char *trust_passwd) -{ - struct in_addr dest_ip; - fstring remote_machine; - - if(cli_initialise(pcli) == NULL) { - DEBUG(0,("connect_to_domain_password_server: unable to initialize client connection.\n")); - return False; - } - - if (is_ipaddress(server)) { - struct in_addr to_ip; - - /* we shouldn't have 255.255.255.255 forthe IP address of - a password server anyways */ - if ((to_ip.s_addr=inet_addr(server)) == 0xFFFFFFFF) { - DEBUG (0,("connect_to_domain_password_server: inet_addr(%s) returned 0xFFFFFFFF!\n", server)); - return False; - } - - if (!name_status_find(0x20, to_ip, remote_machine)) { - DEBUG(0, ("connect_to_domain_password_server: Can't " - "resolve name for IP %s\n", server)); - return False; - } - } else { - fstrcpy(remote_machine, server); - } - - standard_sub_basic(remote_machine); - strupper(remote_machine); - - if(!resolve_name( remote_machine, &dest_ip, 0x20)) { - DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", remote_machine)); - cli_shutdown(pcli); - return False; - } - - if (ismyip(dest_ip)) { - DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n", - remote_machine)); - cli_shutdown(pcli); - return False; - } - - if (!cli_connect(pcli, remote_machine, &dest_ip)) { - DEBUG(0,("connect_to_domain_password_server: unable to connect to SMB server on \ -machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; - } - - if (!attempt_netbios_session_request(pcli, global_myname, remote_machine, &dest_ip)) { - DEBUG(0,("connect_to_password_server: machine %s rejected the NetBIOS \ -session request. Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - return False; - } - - pcli->protocol = PROTOCOL_NT1; - - if (!cli_negprot(pcli)) { - DEBUG(0,("connect_to_domain_password_server: machine %s rejected the negotiate protocol. \ -Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; - } - - if (pcli->protocol != PROTOCOL_NT1) { - DEBUG(0,("connect_to_domain_password_server: machine %s didn't negotiate NT protocol.\n", - remote_machine)); - cli_shutdown(pcli); - return False; - } - - /* - * Do an anonymous session setup. - */ - - if (!cli_session_setup(pcli, "", "", 0, "", 0, "")) { - DEBUG(0,("connect_to_domain_password_server: machine %s rejected the session setup. \ -Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; - } - - if (!(pcli->sec_mode & 1)) { - DEBUG(1,("connect_to_domain_password_server: machine %s isn't in user level security mode\n", - remote_machine)); - cli_shutdown(pcli); - return False; - } - - if (!cli_send_tconX(pcli, "IPC$", "IPC", "", 1)) { - DEBUG(0,("connect_to_domain_password_server: machine %s rejected the tconX on the IPC$ share. \ -Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; - } - - /* - * We now have an anonymous connection to IPC$ on the domain password server. - */ - - /* - * Even if the connect succeeds we need to setup the netlogon - * pipe here. We do this as we may just have changed the domain - * account password on the PDC and yet we may be talking to - * a BDC that doesn't have this replicated yet. In this case - * a successful connect to a DC needs to take the netlogon connect - * into account also. This patch from "Bjart Kvarme" <bjart.kvarme@usit.uio.no>. - */ - - if(cli_nt_session_open(pcli, PIPE_NETLOGON) == False) { - DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ -machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli))); - cli_nt_session_close(pcli); - cli_ulogoff(pcli); - cli_shutdown(pcli); - return False; - } - - if (cli_nt_setup_creds(pcli, trust_passwd) == False) { - DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ -%s. Error was : %s.\n", remote_machine, cli_errstr(pcli))); - cli_nt_session_close(pcli); - cli_ulogoff(pcli); - cli_shutdown(pcli); - return(False); - } - - return True; -} - -/*********************************************************************** - Utility function to attempt a connection to an IP address of a DC. -************************************************************************/ - -static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, - unsigned char *trust_passwd) -{ - fstring dc_name; - - /* - * Ignore addresses we have already tried. - */ - - if (ip_equal(ipzero, *ip)) - return False; - - if (!lookup_pdc_name(global_myname, lp_workgroup(), ip, dc_name)) - return False; - - return connect_to_domain_password_server(pcli, dc_name, trust_passwd); -} - -/*********************************************************************** - We have been asked to dynamcially determine the IP addresses of - the PDC and BDC's for this DOMAIN, and query them in turn. -************************************************************************/ -static BOOL find_connect_pdc(struct cli_state *pcli, - unsigned char *trust_passwd, - time_t last_change_time) -{ - struct in_addr *ip_list = NULL; - int count = 0; - int i; - BOOL connected_ok = False; - time_t time_now = time(NULL); - BOOL use_pdc_only = False; - - /* - * If the time the machine password has changed - * was less than an hour ago then we need to contact - * the PDC only, as we cannot be sure domain replication - * has yet taken place. Bug found by Gerald (way to go - * Gerald !). JRA. - */ - - if (time_now - last_change_time < 3600) - use_pdc_only = True; - - if (!get_dc_list(use_pdc_only, lp_workgroup(), &ip_list, &count)) - return False; - - /* - * Firstly try and contact a PDC/BDC who has the same - * network address as any of our interfaces. - */ - for(i = 0; i < count; i++) { - if(!is_local_net(ip_list[i])) - continue; - - if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) - break; - - ip_list[i] = ipzero; /* Tried and failed. */ - } - - /* - * Secondly try and contact a random PDC/BDC. - */ - if(!connected_ok) { - i = (sys_random() % count); - - if (!(connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) - ip_list[i] = ipzero; /* Tried and failed. */ - } - - /* - * Finally go through the IP list in turn, ignoring any addresses - * we have already tried. - */ - if(!connected_ok) { - /* - * Try and connect to any of the other IP addresses in the PDC/BDC list. - * Note that from a WINS server the #1 IP address is the PDC. - */ - for(i = 0; i < count; i++) { - if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) - break; - } - } - - if(ip_list != NULL) - free((char *)ip_list); - - - return connected_ok; -} - -/*********************************************************************** - Do the same as security=server, but using NT Domain calls and a session - key from the machine password. If the server parameter is specified - use it, otherwise figure out a server from the 'password server' param. -************************************************************************/ +/**************************************************************************** + Check for a valid username and password in security=domain mode. +****************************************************************************/ -uint32 domain_client_validate(const auth_usersupplied_info *user_info, - auth_serversupplied_info *server_info, - char *server) +uint32 check_domain_security(const auth_usersupplied_info *user_info, + auth_serversupplied_info *server_info) { - unsigned char trust_passwd[16]; - fstring remote_machine; + uint32 nt_status = NT_STATUS_LOGON_FAILURE; char *p, *pserver; - NET_ID_INFO_CTR ctr; - NET_USER_INFO_3 info3; - struct cli_state cli; - uint32 smb_uid_low; - BOOL connected_ok = False; + unsigned char trust_passwd[16]; time_t last_change_time; - uint32 nt_status; - - /* - * Check that the requested domain is not our own machine name. - * If it is, we should never check the PDC here, we use our own local - * password file. - */ - if(strequal(user_info->domain.str, global_myname)) { - DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n")); + if(lp_security() != SEC_DOMAIN) return NT_STATUS_LOGON_FAILURE; - } + + become_root(); /* * Get the machine account password for our primary domain */ + if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, &last_change_time)) { DEBUG(0, ("domain_client_validate: could not fetch trust account password for domain %s\n", lp_workgroup())); + unbecome_root(); return NT_STATUS_LOGON_FAILURE; } + unbecome_root(); + /* Test if machine password is expired and need to be changed */ if (time(NULL) > last_change_time + lp_machine_password_timeout()) { @@ -313,102 +63,16 @@ uint32 domain_client_validate(const auth_usersupplied_info *user_info, } /* - * At this point, smb_apasswd points to the lanman response to - * the challenge in local_challenge, and smb_ntpasswd points to - * the NT response to the challenge in local_challenge. Ship - * these over the secure channel to a domain controller and - * see if they were valid. - */ - - ZERO_STRUCT(cli); - - /* * Treat each name in the 'password server =' line as a potential * PDC/BDC. Contact each in turn and try and authenticate. */ - if (server) { - p = server; - } else { - pserver = lp_passwordserver(); - if (! *pserver) pserver = "*"; - p = pserver; - } - - while (!connected_ok && - next_token(&p,remote_machine,LIST_SEP,sizeof(remote_machine))) { - if(strequal(remote_machine, "*")) { - connected_ok = find_connect_pdc(&cli, trust_passwd, last_change_time); - } else { - connected_ok = connect_to_domain_password_server(&cli, remote_machine, trust_passwd); - } - } - - if (!connected_ok) { - DEBUG(0,("domain_client_validate: Domain password server not available.\n")); - cli_shutdown(&cli); - return NT_STATUS_LOGON_FAILURE; - } - - /* We really don't care what LUID we give the user. */ - generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False); - - ZERO_STRUCT(info3); - - cli_nt_login_network(&cli, user_info->domain.str, user_info->smb_username.str, smb_uid_low, user_info->chal, - user_info->lm_resp.buffer, user_info->lm_resp.len, - user_info->nt_resp.buffer, user_info->lm_resp.len, - &ctr, &info3); - - nt_status = cli_nt_error(&cli); - if (nt_status != NT_STATUS_NOPROBLEMO) { - DEBUG(0,("domain_client_validate: unable to validate password for user %s in domain \ -%s to Domain controller %s. Error was %s.\n", user_info->smb_username.str, user_info->domain.str, remote_machine, cli_errstr(&cli))); - } - - /* - * Here, if we really want it, we have lots of info about the user in info3. - */ - -#if 0 - /* - * We don't actually need to do this - plus it fails currently with - * NT_STATUS_INVALID_INFO_CLASS - we need to know *exactly* what to - * send here. JRA. - */ - - if (nt_status == NT_STATUS_NOPROBLMO) { - if(cli_nt_logoff(&cli, &ctr) == False) { - DEBUG(0,("domain_client_validate: unable to log off user %s in domain \ -%s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli))); - nt_status = NT_STATUS_LOGON_FAILURE; - } - } -#endif /* 0 */ - - /* Note - once the cli stream is shutdown the mem_ctx used - to allocate the other_sids and gids structures has been deleted - so - these pointers are no longer valid..... */ - - cli_nt_session_close(&cli); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return nt_status; -} - -/**************************************************************************** - Check for a valid username and password in security=domain mode. -****************************************************************************/ - -uint32 check_domain_security(const auth_usersupplied_info *user_info, - auth_serversupplied_info *server_info) -{ - uint32 nt_status = NT_STATUS_LOGON_FAILURE; - - if(lp_security() != SEC_DOMAIN) - return NT_STATUS_LOGON_FAILURE; + pserver = lp_passwordserver(); + if (! *pserver) pserver = "*"; + p = pserver; - nt_status = domain_client_validate(user_info, server_info, NULL); + nt_status = domain_client_validate(user_info, server_info, + p, trust_passwd, last_change_time); return nt_status; } diff --git a/source3/smbd/auth_rhosts.c b/source3/smbd/auth_rhosts.c index c1bee6247c..f11f9cf777 100644 --- a/source3/smbd/auth_rhosts.c +++ b/source3/smbd/auth_rhosts.c @@ -163,3 +163,24 @@ BOOL check_hosts_equiv(char *user) return(False); } + +/**************************************************************************** + Check for a valid .rhosts/hosts.equiv entry for this user +****************************************************************************/ + +uint32 check_rhosts_security(const auth_usersupplied_info *user_info, + auth_serversupplied_info *server_info) +{ + uint32 nt_status = NT_STATUS_LOGON_FAILURE; + + become_root(); + if (check_hosts_equiv(user_info->smb_username.str)) { + nt_status = NT_STATUS_NOPROBLEMO; + } + unbecome_root(); + + return nt_status; +} + + + diff --git a/source3/smbd/auth_smbpasswd.c b/source3/smbd/auth_smbpasswd.c index ce0b03d942..927a262dc6 100644 --- a/source3/smbd/auth_smbpasswd.c +++ b/source3/smbd/auth_smbpasswd.c @@ -208,7 +208,11 @@ uint32 check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_se pdb_init_sam(&sampass); /* get the account information */ + + become_root(); ret = pdb_getsampwnam(sampass, user_info->smb_username.str); + unbecome_root(); + if (ret == False) { DEBUG(1,("Couldn't find user '%s' in passdb file.\n", user_info->smb_username.str)); @@ -216,11 +220,7 @@ uint32 check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_se return(NT_STATUS_NO_SUCH_USER); } - if ((nt_status = smb_password_ok(sampass, user_info, server_info)) != NT_STATUS_NOPROBLEMO) - { - pdb_free_sam(sampass); - return(nt_status); - } + nt_status = smb_password_ok(sampass, user_info, server_info); pdb_free_sam(sampass); return nt_status; diff --git a/source3/smbd/auth_unix.c b/source3/smbd/auth_unix.c new file mode 100644 index 0000000000..89e670747f --- /dev/null +++ b/source3/smbd/auth_unix.c @@ -0,0 +1,85 @@ +/* + Unix SMB/Netbios implementation. + Version 2.2 + Password and authentication handling + Copyright (C) Andrew Bartlett 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +extern int DEBUGLEVEL; + +/**************************************************************************** +update the encrypted smbpasswd file from the plaintext username and password + +this ugly hack needs to die, but not quite yet... +*****************************************************************************/ +static BOOL update_smbpassword_file(char *user, char *password) +{ + SAM_ACCOUNT *sampass = NULL; + BOOL ret; + + pdb_init_sam(&sampass); + + become_root(); + ret = pdb_getsampwnam(sampass, user); + unbecome_root(); + + if(ret == False) { + DEBUG(0,("pdb_getsampwnam returned NULL\n")); + pdb_free_sam(sampass); + return False; + } + + /* + * Remove the account disabled flag - we are updating the + * users password from a login. + */ + pdb_set_acct_ctrl(sampass, pdb_get_acct_ctrl(sampass) & ~ACB_DISABLED); + + /* Here, the flag is one, because we want to ignore the + XXXXXXX'd out password */ + ret = change_oem_password( sampass, password, True); + if (ret == False) { + DEBUG(3,("change_oem_password returned False\n")); + } + + pdb_free_sam(sampass); + return ret; +} + + +/**************************************************************************** +check if a username/password is OK assuming the password +in PLAIN TEXT +****************************************************************************/ + +uint32 check_unix_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +{ + uint32 nt_status; + + become_root(); + nt_status = (pass_check(user_info->smb_username.str, user_info->plaintext_password.str, + user_info->plaintext_password.len, + lp_update_encrypted() ? update_smbpassword_file : NULL) + ? NT_STATUS_NOPROBLEMO : NT_STATUS_LOGON_FAILURE); + unbecome_root(); + + return nt_status; +} + + |