diff options
| author | Gerald Carter <jerry@samba.org> | 2000-11-13 23:03:34 +0000 |
|---|---|---|
| committer | Gerald Carter <jerry@samba.org> | 2000-11-13 23:03:34 +0000 |
| commit | 9fede0dc0dbad51528cd1384023d24549c3f0ba4 (patch) | |
| tree | 0f3a045da16581462aa3dce6e7221ee12924954b /source3/smbd | |
| parent | 8f338ee3dd5d3b68b36c021a22b624678ea116f6 (diff) | |
| download | samba-9fede0dc0dbad51528cd1384023d24549c3f0ba4.tar.gz samba-9fede0dc0dbad51528cd1384023d24549c3f0ba4.tar.bz2 samba-9fede0dc0dbad51528cd1384023d24549c3f0ba4.zip | |
Large commit which restructures the local password storage API.
Currently the only backend which works is smbpasswd (tdb, LDAP, and NIS+)
are broken, but they were somewhat broken before. :)
The following functions implement the storage manipulation interface
/*The following definitions come from passdb/pdb_smbpasswd.c */
BOOL pdb_setsampwent (BOOL update);
void pdb_endsampwent (void);
SAM_ACCOUNT* pdb_getsampwent (void);
SAM_ACCOUNT* pdb_getsampwnam (char *username);
SAM_ACCOUNT* pdb_getsampwuid (uid_t uid);
SAM_ACCOUNT* pdb_getsampwrid (uint32 rid);
BOOL pdb_add_sam_account (SAM_ACCOUNT *sampass);
BOOL pdb_update_sam_account (SAM_ACCOUNT *sampass, BOOL override);
BOOL pdb_delete_sam_account (char* username);
There is also a host of pdb_set..() and pdb_get..() functions for
manipulating SAM_ACCOUNT struct members. Note that the struct
passdb_ops {} has gone away. Also notice that struct smb_passwd
(formally in smb.h) has been moved to passdb/pdb_smbpasswd.c
and is not accessed outisde of static internal functions in this
file. All local password searches should make use of the the SAM_ACCOUNT
struct and the previously mentioned functions.
I'll write some documentation for this later. The next step is to fix
the TDB passdb backend, then work on spliting the backends out into
share libraries, and finally get the LDAP backend going.
What works and may not:
o domain logons from Win9x works
o domain logons from WinNT 4 works
o user and group enumeration
as implemented by Tim works
o file and print access works
o changing password from
Win9x & NT ummm...i'll fix this tonight :)
If I broke anything else, just yell and I'll fix it. I think it
should be fairly quite.
-- jerry
(This used to be commit 0b92d0838ebdbe24f34f17e313ecbf61a0301389)
Diffstat (limited to 'source3/smbd')
| -rw-r--r-- | source3/smbd/chgpasswd.c | 186 | ||||
| -rw-r--r-- | source3/smbd/lanman.c | 12 | ||||
| -rw-r--r-- | source3/smbd/password.c | 104 | ||||
| -rw-r--r-- | source3/smbd/reply.c | 18 | ||||
| -rw-r--r-- | source3/smbd/server.c | 2 | ||||
| -rw-r--r-- | source3/smbd/uid.c | 2 |
6 files changed, 168 insertions, 156 deletions
diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c index 1f1ee96713..ba68557fdf 100644 --- a/source3/smbd/chgpasswd.c +++ b/source3/smbd/chgpasswd.c @@ -52,6 +52,7 @@ #include "includes.h" extern int DEBUGLEVEL; +extern struct passdb_ops pdb_ops; #if ALLOW_CHANGE_PASSWORD @@ -541,62 +542,64 @@ BOOL chgpasswd(char *name, char *oldpass, char *newpass, BOOL as_root) ************************************************************/ BOOL check_lanman_password(char *user, uchar * pass1, - uchar * pass2, struct smb_passwd **psmbpw) + uchar * pass2, SAM_ACCOUNT **hnd) { static uchar null_pw[16]; uchar unenc_new_pw[16]; uchar unenc_old_pw[16]; - struct smb_passwd *smbpw; - - *psmbpw = NULL; + SAM_ACCOUNT *sampass = NULL; + uint16 acct_ctrl; + BYTE *lanman_pw; become_root(); - smbpw = getsmbpwnam(user); + sampass = pdb_getsampwnam(user); unbecome_root(); - if (smbpw == NULL) + if (sampass == NULL) { - DEBUG(0, - ("check_lanman_password: getsmbpwnam returned NULL\n")); + DEBUG(0,("check_lanman_password: getsampwnam returned NULL\n")); return False; } + + acct_ctrl = pdb_get_acct_ctrl (sampass); + lanman_pw = pdb_get_lanman_passwd (sampass); - if (smbpw->acct_ctrl & ACB_DISABLED) + if (acct_ctrl & ACB_DISABLED) { - DEBUG(0, - ("check_lanman_password: account %s disabled.\n", + DEBUG(0,("check_lanman_password: account %s disabled.\n", user)); return False; } - if ((smbpw->smb_passwd == NULL) && (smbpw->acct_ctrl & ACB_PWNOTREQ)) + if ((lanman_pw == NULL) && (acct_ctrl & ACB_PWNOTREQ)) { uchar no_pw[14]; memset(no_pw, '\0', 14); E_P16(no_pw, null_pw); - smbpw->smb_passwd = null_pw; + pdb_set_lanman_passwd (sampass, null_pw); } - else if (smbpw->smb_passwd == NULL) + else if (lanman_pw == NULL) { DEBUG(0, ("check_lanman_password: no lanman password !\n")); return False; } /* Get the new lanman hash. */ - D_P16(smbpw->smb_passwd, pass2, unenc_new_pw); + D_P16(lanman_pw, pass2, unenc_new_pw); /* Use this to get the old lanman hash. */ D_P16(unenc_new_pw, pass1, unenc_old_pw); /* Check that the two old passwords match. */ - if (memcmp(smbpw->smb_passwd, unenc_old_pw, 16)) + if (memcmp(lanman_pw, unenc_old_pw, 16)) { - DEBUG(0, - ("check_lanman_password: old password doesn't match.\n")); + DEBUG(0,("check_lanman_password: old password doesn't match.\n")); return False; } - *psmbpw = smbpw; + /* this saves the pointer for the caller */ + *hnd = sampass; + return True; } @@ -606,50 +609,52 @@ BOOL check_lanman_password(char *user, uchar * pass1, no longer be valid. ************************************************************/ -BOOL change_lanman_password(struct smb_passwd *smbpw, uchar * pass1, +BOOL change_lanman_password(SAM_ACCOUNT *sampass, uchar * pass1, uchar * pass2) { static uchar null_pw[16]; uchar unenc_new_pw[16]; BOOL ret; + uint16 acct_ctrl; + BYTE *pwd; - if (smbpw == NULL) + if (sampass == NULL) { - DEBUG(0, - ("change_lanman_password: no smb password entry.\n")); + DEBUG(0,("change_lanman_password: no smb password entry.\n")); return False; } + acct_ctrl = pdb_get_acct_ctrl(sampass); + pwd = pdb_get_lanman_passwd(sampass); - if (smbpw->acct_ctrl & ACB_DISABLED) + if (acct_ctrl & ACB_DISABLED) { - DEBUG(0, - ("change_lanman_password: account %s disabled.\n", - smbpw->smb_name)); + DEBUG(0,("change_lanman_password: account %s disabled.\n", + pdb_get_username(sampass))); return False; } - if ((smbpw->smb_passwd == NULL) && (smbpw->acct_ctrl & ACB_PWNOTREQ)) + if ((pwd == NULL) && (acct_ctrl & ACB_PWNOTREQ)) { uchar no_pw[14]; memset(no_pw, '\0', 14); E_P16(no_pw, null_pw); - smbpw->smb_passwd = null_pw; + pdb_set_lanman_passwd(sampass, null_pw); } - else if (smbpw->smb_passwd == NULL) + else if (pwd == NULL) { - DEBUG(0, ("change_lanman_password: no lanman password !\n")); + DEBUG(0,("change_lanman_password: no lanman password !\n")); return False; } /* Get the new lanman hash. */ - D_P16(smbpw->smb_passwd, pass2, unenc_new_pw); + D_P16(pwd, pass2, unenc_new_pw); - smbpw->smb_passwd = unenc_new_pw; - smbpw->smb_nt_passwd = NULL; /* We lose the NT hash. Sorry. */ + pdb_set_lanman_passwd(sampass, unenc_new_pw); + pdb_set_nt_passwd (sampass, NULL); /* We lose the NT hash. Sorry. */ - /* Now write it into the file. */ + /* Now flush the sam_passwd struct to persistent storage */ become_root(); - ret = mod_smbpwd_entry(smbpw, False); + ret = pdb_update_sam_account (sampass, False); unbecome_root(); return ret; @@ -663,10 +668,9 @@ BOOL pass_oem_change(char *user, uchar * ntdata, uchar * nthash) { fstring new_passwd; - struct smb_passwd *sampw; + SAM_ACCOUNT *sampass = NULL; BOOL ret = check_oem_password(user, lmdata, lmhash, ntdata, nthash, - &sampw, - new_passwd, sizeof(new_passwd)); + &sampass, new_passwd, sizeof(new_passwd)); /* * At this point we have the new case-sensitive plaintext @@ -684,7 +688,7 @@ BOOL pass_oem_change(char *user, if (ret) { - ret = change_oem_password(sampw, new_passwd, False); + ret = change_oem_password(sampass, new_passwd, False); } memset(new_passwd, 0, sizeof(new_passwd)); @@ -702,12 +706,14 @@ BOOL pass_oem_change(char *user, BOOL check_oem_password(char *user, uchar * lmdata, uchar * lmhash, uchar * ntdata, uchar * nthash, - struct smb_passwd **psmbpw, char *new_passwd, + SAM_ACCOUNT **hnd, char *new_passwd, int new_passwd_size) { static uchar null_pw[16]; static uchar null_ntpw[16]; - struct smb_passwd *smbpw = NULL; + SAM_ACCOUNT *sampass = NULL; + BYTE *lanman_pw, *nt_pw; + uint16 acct_ctrl; int new_pw_len; uchar new_ntp16[16]; uchar unenc_old_ntpw[16]; @@ -718,20 +724,19 @@ BOOL check_oem_password(char *user, BOOL nt_pass_set = (ntdata != NULL && nthash != NULL); become_root(); - *psmbpw = smbpw = getsmbpwnam(user); + *hnd = sampass = pdb_getsampwnam(user); unbecome_root(); - if (smbpw == NULL) + if (sampass == NULL) { DEBUG(0, ("check_oem_password: getsmbpwnam returned NULL\n")); return False; } - - if (smbpw->acct_ctrl & ACB_DISABLED) + acct_ctrl = pdb_get_acct_ctrl(sampass); + + if (acct_ctrl & ACB_DISABLED) { - DEBUG(0, - ("check_lanman_password: account %s disabled.\n", - user)); + DEBUG(0,("check_lanman_password: account %s disabled.\n", user)); return False; } @@ -740,31 +745,33 @@ BOOL check_oem_password(char *user, no_pw[1] = 0; nt_lm_owf_gen(no_pw, null_ntpw, null_pw); + /* save pointers to passwords so we don't have to keep looking them up */ + lanman_pw = pdb_get_lanman_passwd(sampass); + nt_pw = pdb_get_nt_passwd (sampass); + /* check for null passwords */ - if (smbpw->smb_passwd == NULL) + if (lanman_pw == NULL) { - if (smbpw->acct_ctrl & ACB_PWNOTREQ) + if (acct_ctrl & ACB_PWNOTREQ) { - smbpw->smb_passwd = null_pw; + pdb_set_lanman_passwd(sampass, null_pw); } else { - DEBUG(0, - ("check_oem_password: no lanman password !\n")); + DEBUG(0,("check_oem_password: no lanman password !\n")); return False; } } - if (smbpw->smb_nt_passwd == NULL && nt_pass_set) + if (pdb_get_nt_passwd(sampass) == NULL && nt_pass_set) { - if (smbpw->acct_ctrl & ACB_PWNOTREQ) + if (acct_ctrl & ACB_PWNOTREQ) { - smbpw->smb_nt_passwd = null_pw; + pdb_set_nt_passwd(sampass, null_pw); } else { - DEBUG(0, - ("check_oem_password: no ntlm password !\n")); + DEBUG(0,("check_oem_password: no ntlm password !\n")); return False; } } @@ -772,7 +779,7 @@ BOOL check_oem_password(char *user, /* * Call the hash function to get the new password. */ - SamOEMhash((uchar *) lmdata, (uchar *) smbpw->smb_passwd, True); + SamOEMhash((uchar *) lmdata, (uchar *)lanman_pw, True); /* * The length of the new password is in the last 4 bytes of @@ -782,8 +789,7 @@ BOOL check_oem_password(char *user, new_pw_len = IVAL(lmdata, 512); if (new_pw_len < 0 || new_pw_len > new_passwd_size - 1) { - DEBUG(0, - ("check_oem_password: incorrect password length (%d).\n", + DEBUG(0,("check_oem_password: incorrect password length (%d).\n", new_pw_len)); return False; } @@ -796,9 +802,7 @@ BOOL check_oem_password(char *user, int uni_pw_len = new_pw_len; char *pw; new_pw_len /= 2; - pw = - dos_unistrn2((uint16 *)(&lmdata[512 - uni_pw_len]), - new_pw_len); + pw = dos_unistrn2((uint16 *)(&lmdata[512 - uni_pw_len]),new_pw_len); memcpy(new_passwd, pw, new_pw_len + 1); } else @@ -822,10 +826,9 @@ BOOL check_oem_password(char *user, */ D_P16(new_p16, lmhash, unenc_old_pw); - if (memcmp(smbpw->smb_passwd, unenc_old_pw, 16)) + if (memcmp(lanman_pw, unenc_old_pw, 16)) { - DEBUG(0, - ("check_oem_password: old lm password doesn't match.\n")); + DEBUG(0,("check_oem_password: old lm password doesn't match.\n")); return False; } @@ -843,17 +846,15 @@ BOOL check_oem_password(char *user, D_P16(new_ntp16, lmhash, unenc_old_pw); D_P16(new_ntp16, nthash, unenc_old_ntpw); - if (memcmp(smbpw->smb_passwd, unenc_old_pw, 16)) + if (memcmp(lanman_pw, unenc_old_pw, 16)) { - DEBUG(0, - ("check_oem_password: old lm password doesn't match.\n")); + DEBUG(0,("check_oem_password: old lm password doesn't match.\n")); return False; } - if (memcmp(smbpw->smb_nt_passwd, unenc_old_ntpw, 16)) + if (memcmp(nt_pw, unenc_old_ntpw, 16)) { - DEBUG(0, - ("check_oem_password: old nt password doesn't match.\n")); + DEBUG(0,("check_oem_password: old nt password doesn't match.\n")); return False; } #ifdef DEBUG_PASSWORD @@ -869,7 +870,7 @@ BOOL check_oem_password(char *user, override = True, override XXXXXXXXXX'd password ************************************************************/ -BOOL change_oem_password(struct smb_passwd *smbpw, char *new_passwd, +BOOL change_oem_password(SAM_ACCOUNT *hnd, char *new_passwd, BOOL override) { int ret; @@ -878,12 +879,12 @@ BOOL change_oem_password(struct smb_passwd *smbpw, char *new_passwd, nt_lm_owf_gen(new_passwd, new_nt_p16, new_p16); - smbpw->smb_passwd = new_p16; - smbpw->smb_nt_passwd = new_nt_p16; + pdb_set_lanman_passwd (hnd, new_p16); + pdb_set_nt_passwd (hnd, new_nt_p16); /* Now write it into the file. */ become_root(); - ret = mod_smbpwd_entry(smbpw, override); + ret = pdb_update_sam_account (hnd, override); unbecome_root(); memset(new_passwd, '\0', strlen(new_passwd)); @@ -896,45 +897,42 @@ BOOL change_oem_password(struct smb_passwd *smbpw, char *new_passwd, ***********************************************************/ BOOL check_plaintext_password(char *user, char *old_passwd, - int old_passwd_size, struct smb_passwd **psmbpw) + int old_passwd_size, SAM_ACCOUNT **hnd) { - struct smb_passwd *smbpw = NULL; + SAM_ACCOUNT *sampass = NULL; uchar old_pw[16], old_ntpw[16]; become_root(); - *psmbpw = smbpw = getsmbpwnam(user); + *hnd = sampass = pdb_getsampwnam(user); unbecome_root(); - if (smbpw == NULL) + if (sampass == NULL) { - DEBUG(0, - ("check_plaintext_password: getsmbpwnam returned NULL\n")); + DEBUG(0,("check_plaintext_password: getsmbpwnam returned NULL\n")); return False; } - if (smbpw->acct_ctrl & ACB_DISABLED) + if (pdb_get_acct_ctrl(sampass) & ACB_DISABLED) { - DEBUG(0, - ("check_plaintext_password: account %s disabled.\n", - user)); + DEBUG(0,("check_plaintext_password: account %s disabled.\n", user)); return (False); } nt_lm_owf_gen(old_passwd, old_ntpw, old_pw); #ifdef DEBUG_PASSWORD - DEBUG(100, ("check_plaintext_password: smbpw->smb_nt_passwd \n")); - dump_data(100, smbpw->smb_nt_passwd, 16); + DEBUG(100, ("check_plaintext_password: nt_passwd \n")); + dump_data(100, pdb_get_nt_passwd(sampass), 16); DEBUG(100, ("check_plaintext_password: old_ntpw \n")); dump_data(100, old_ntpw, 16); - DEBUG(100, ("check_plaintext_password: smbpw->smb_passwd \n")); - dump_data(100, smbpw->smb_passwd, 16); + DEBUG(100, ("check_plaintext_password: lanman_passwd \n")); + dump_data(100, pdb_get_lanman_passwd, 16); DEBUG(100, ("check_plaintext_password: old_pw\n")); dump_data(100, old_pw, 16); #endif - if (memcmp(smbpw->smb_nt_passwd, old_ntpw, 16) - && memcmp(smbpw->smb_passwd, old_pw, 16)) + if (memcmp(pdb_get_nt_passwd(sampass), old_ntpw, 16) + && memcmp(pdb_get_lanman_passwd(sampass), old_pw, 16)) return (False); else return (True); diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c index 944a187ccc..fe6b22a9bf 100644 --- a/source3/smbd/lanman.c +++ b/source3/smbd/lanman.c @@ -1733,7 +1733,7 @@ static BOOL api_SetUserPassword(connection_struct *conn,uint16 vuid, char *param { fstring saved_pass2; - struct smb_passwd *smbpw = NULL; + SAM_ACCOUNT *sampass; /* * Save the new password as change_oem_password overwrites it @@ -1742,8 +1742,8 @@ static BOOL api_SetUserPassword(connection_struct *conn,uint16 vuid, char *param fstrcpy(saved_pass2, pass2); - if (check_plaintext_password(user,pass1,strlen(pass1),&smbpw) && - change_oem_password(smbpw,pass2,False)) + if (check_plaintext_password(user,pass1,strlen(pass1),&sampass) && + change_oem_password(sampass,pass2,False)) { SSVAL(*rparam,0,NERR_Success); @@ -1784,10 +1784,10 @@ static BOOL api_SetUserPassword(connection_struct *conn,uint16 vuid, char *param if(SVAL(*rparam,0) != NERR_Success) { - struct smb_passwd *sampw = NULL; + SAM_ACCOUNT *hnd = NULL; - if(check_lanman_password(user,(unsigned char *)pass1,(unsigned char *)pass2, &sampw) && - change_lanman_password(sampw,(unsigned char *)pass1,(unsigned char *)pass2)) + if(check_lanman_password(user,(unsigned char *)pass1,(unsigned char *)pass2, &hnd) && + change_lanman_password(hnd,(unsigned char *)pass1,(unsigned char *)pass2)) { SSVAL(*rparam,0,NERR_Success); } diff --git a/source3/smbd/password.c b/source3/smbd/password.c index 55c7f0709b..934b3155f3 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -289,15 +289,15 @@ update the encrypted smbpasswd file from the plaintext username and password *****************************************************************************/ static BOOL update_smbpassword_file(char *user, char *password) { - struct smb_passwd *smbpw; - BOOL ret; + SAM_ACCOUNT *sampass = NULL; + BOOL ret; become_root(); - smbpw = getsmbpwnam(user); + sampass = pdb_getsampwnam(user); unbecome_root(); - if(smbpw == NULL) { - DEBUG(0,("getsmbpwnam returned NULL\n")); + if(sampass == NULL) { + DEBUG(0,("pdb_getsampwnam returned NULL\n")); return False; } @@ -305,11 +305,11 @@ static BOOL update_smbpassword_file(char *user, char *password) * Remove the account disabled flag - we are updating the * users password from a login. */ - smbpw->acct_ctrl &= ~ACB_DISABLED; + pdb_set_acct_ctrl(sampass, pdb_get_acct_ctrl(sampass) & ~ACB_DISABLED); /* Here, the flag is one, because we want to ignore the XXXXXXX'd out password */ - ret = change_oem_password( smbpw, password, True); + ret = change_oem_password( sampass, password, True); if (ret == False) { DEBUG(3,("change_oem_password returned False\n")); } @@ -317,10 +317,6 @@ static BOOL update_smbpassword_file(char *user, char *password) return ret; } - - - - /**************************************************************************** core of smb password checking routine. ****************************************************************************/ @@ -367,19 +363,22 @@ BOOL smb_password_check(char *password, unsigned char *part_passwd, unsigned cha Do a specific test for an smb password being correct, given a smb_password and the lanman and NT responses. ****************************************************************************/ -BOOL smb_password_ok(struct smb_passwd *smb_pass, uchar chal[8], +BOOL smb_password_ok(SAM_ACCOUNT *sampass, uchar chal[8], uchar lm_pass[24], uchar nt_pass[24]) { uchar challenge[8]; + char* user_name; + BYTE *nt_pw, *lm_pw; - if (!lm_pass || !smb_pass) return(False); + if (!lm_pass || !sampass) + return(False); - DEBUG(4,("Checking SMB password for user %s\n", - smb_pass->smb_name)); + user_name = pdb_get_username(sampass); + + DEBUG(4,("Checking SMB password for user %s\n",user_name)); - if(smb_pass->acct_ctrl & ACB_DISABLED) { - DEBUG(1,("account for user %s was disabled.\n", - smb_pass->smb_name)); + if(pdb_get_acct_ctrl(sampass) & ACB_DISABLED) { + DEBUG(1,("account for user %s was disabled.\n", user_name)); return(False); } @@ -398,35 +397,36 @@ BOOL smb_password_ok(struct smb_passwd *smb_pass, uchar chal[8], memcpy(challenge, chal, 8); } - if ((Protocol >= PROTOCOL_NT1) && (smb_pass->smb_nt_passwd != NULL)) { + nt_pw = pdb_get_nt_passwd(sampass); + + if ((Protocol >= PROTOCOL_NT1) && (nt_pw != NULL)) { /* We have the NT MD4 hash challenge available - see if we can use it (ie. does it exist in the smbpasswd file). */ DEBUG(4,("smb_password_ok: Checking NT MD4 password\n")); - if (smb_password_check((char *)nt_pass, - (uchar *)smb_pass->smb_nt_passwd, - challenge)) { + if (smb_password_check((char *)nt_pass, (uchar *)nt_pw, challenge)) + { DEBUG(4,("NT MD4 password check succeeded\n")); return(True); } DEBUG(4,("NT MD4 password check failed\n")); } - /* Try against the lanman password. smb_pass->smb_passwd == NULL means - no password, allow access. */ + /* Try against the lanman password. pdb_get_lanman_passwd(sampass) == NULL + means no password, allow access. */ DEBUG(4,("Checking LM MD4 password\n")); - if((smb_pass->smb_passwd == NULL) && - (smb_pass->acct_ctrl & ACB_PWNOTREQ)) { - DEBUG(4,("no password required for user %s\n", - smb_pass->smb_name)); + lm_pw = pdb_get_lanman_passwd(sampass); + + if((lm_pw == NULL) && (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ)) + { + DEBUG(4,("no password required for user %s\n",user_name)); return True; } - if((smb_pass->smb_passwd != NULL) && - smb_password_check((char *)lm_pass, - (uchar *)smb_pass->smb_passwd, challenge)) { + if((lm_pw != NULL) && smb_password_check((char *)lm_pass,(uchar *)lm_pw, challenge)) + { DEBUG(4,("LM MD4 password check succeeded\n")); return(True); } @@ -443,18 +443,19 @@ SMB hash return True if the password is correct, False otherwise ****************************************************************************/ -BOOL pass_check_smb(char *user, char *domain, - uchar *chal, uchar *lm_pwd, uchar *nt_pwd, - struct passwd *pwd) +BOOL pass_check_smb(char *user, char *domain, uchar *chal, + uchar *lm_pwd, uchar *nt_pwd, struct passwd *pwd) { struct passwd *pass; - struct smb_passwd *smb_pass; + SAM_ACCOUNT *sampass; if (!lm_pwd || !nt_pwd) { return(False); } + /* FIXME! this code looks to be unnecessary now that the passdb + validates that the username exists and has a valid uid */ if (pwd != NULL && user == NULL) { pass = (struct passwd *) pwd; @@ -462,6 +463,8 @@ BOOL pass_check_smb(char *user, char *domain, } else { + /* I don't get this call here. I think it should be moved. + Need to check on it. --jerry */ pass = smb_getpwnam(user,True); } @@ -471,38 +474,45 @@ BOOL pass_check_smb(char *user, char *domain, return(False); } - smb_pass = getsmbpwnam(user); - - if (smb_pass == NULL) + /* get the account information */ + sampass = pdb_getsampwnam(user); + if (sampass == NULL) { - DEBUG(1,("Couldn't find user '%s' in smb_passwd file.\n", user)); + DEBUG(1,("Couldn't find user '%s' in passdb file.\n", user)); return(False); } /* Quit if the account was disabled. */ - if(smb_pass->acct_ctrl & ACB_DISABLED) { + if(pdb_get_acct_ctrl(sampass) & ACB_DISABLED) { DEBUG(1,("Account for user '%s' was disabled.\n", user)); return(False); } - /* Ensure the uid's match */ + /* Ensure the uid's match + FIXME! This also seems unnecessary --jerry */ +#if 0 /* GWC */ if (smb_pass->smb_userid != pass->pw_uid) { DEBUG(0,("Error : UNIX and SMB uids in password files do not match for user '%s'!\n", user)); return(False); } +#endif - if (smb_pass->acct_ctrl & ACB_PWNOTREQ) { - if (lp_null_passwords()) { - DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", smb_pass->smb_name)); + if (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ) + { + if (lp_null_passwords()) + { + DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", user)); return(True); - } else { - DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", smb_pass->smb_name)); + } + else + { + DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", user)); return(False); } } - if (smb_password_ok(smb_pass, chal, lm_pwd, nt_pwd)) + if (smb_password_ok(sampass, chal, lm_pwd, nt_pwd)) { return(True); } diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 4fd9f9c42d..fa8aa11277 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -439,16 +439,19 @@ static int session_trust_account(connection_struct *conn, char *inbuf, char *out char *smb_passwd, int smb_passlen, char *smb_nt_passwd, int smb_nt_passlen) { - struct smb_passwd *smb_trust_acct = NULL; /* check if trust account exists */ + /* check if trust account exists */ + SAM_ACCOUNT *sam_trust_acct = NULL; + uint16 acct_ctrl; + if (lp_security() == SEC_USER) { - smb_trust_acct = getsmbpwnam(user); + sam_trust_acct = pdb_getsampwnam(user); } else { DEBUG(0,("session_trust_account: Trust account %s only supported with security = user\n", user)); SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); return(ERROR(0, NT_STATUS_LOGON_FAILURE)); } - if (smb_trust_acct == NULL) { + if (sam_trust_acct == NULL) { /* lkclXXXX: workstation entry doesn't exist */ DEBUG(0,("session_trust_account: Trust account %s user doesn't exist\n",user)); SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); @@ -460,25 +463,26 @@ static int session_trust_account(connection_struct *conn, char *inbuf, char *out return(ERROR(0, NT_STATUS_LOGON_FAILURE)); } - if (!smb_password_ok(smb_trust_acct, NULL, (unsigned char *)smb_passwd, (unsigned char *)smb_nt_passwd)) { + if (!smb_password_ok(sam_trust_acct, NULL, (unsigned char *)smb_passwd, (unsigned char *)smb_nt_passwd)) { DEBUG(0,("session_trust_account: Trust Account %s - password failed\n", user)); SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); return(ERROR(0, NT_STATUS_LOGON_FAILURE)); } - if (smb_trust_acct->acct_ctrl & ACB_DOMTRUST) { + acct_ctrl = pdb_get_acct_ctrl(sam_trust_acct); + if (acct_ctrl & ACB_DOMTRUST) { DEBUG(0,("session_trust_account: Domain trust account %s denied by server\n",user)); SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); return(ERROR(0, NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)); } - if (smb_trust_acct->acct_ctrl & ACB_SVRTRUST) { + if (acct_ctrl & ACB_SVRTRUST) { DEBUG(0,("session_trust_account: Server trust account %s denied by server\n",user)); SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); return(ERROR(0, NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT)); } - if (smb_trust_acct->acct_ctrl & ACB_WSTRUST) { + if (acct_ctrl & ACB_WSTRUST) { DEBUG(4,("session_trust_account: Wksta trust account %s denied by server\n", user)); SSVAL(outbuf, smb_flg2, FLAGS2_32_BIT_ERROR_CODES); return(ERROR(0, NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT)); diff --git a/source3/smbd/server.c b/source3/smbd/server.c index e4dd661ea5..823536f2ab 100644 --- a/source3/smbd/server.c +++ b/source3/smbd/server.c @@ -729,7 +729,7 @@ static void usage(char *pname) exit(1); } - if(!initialize_password_db()) { + if(!initialize_password_db(False)) { exit(1); } diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c index c181b9a00f..d82edcbfae 100644 --- a/source3/smbd/uid.c +++ b/source3/smbd/uid.c @@ -243,8 +243,8 @@ BOOL unbecome_authenticated_pipe_user(pipes_struct *p) return pop_sec_ctx(); } -/* Temporarily become a root user. Must match with unbecome_root(). */ +/* Temporarily become a root user. Must match with unbecome_root(). */ void become_root(void) { push_sec_ctx(); |