summaryrefslogtreecommitdiff
path: root/source3/smbd
diff options
context:
space:
mode:
authorLuke Leighton <lkcl@samba.org>1999-11-20 20:54:29 +0000
committerLuke Leighton <lkcl@samba.org>1999-11-20 20:54:29 +0000
commit24a069eac302069559c6347b24276e7f1a04cc91 (patch)
treed49a94cde47a03b2b8d2c988f418f3cf1de01876 /source3/smbd
parenta56bea383b4813f77478f9859dc33c90a564f540 (diff)
downloadsamba-24a069eac302069559c6347b24276e7f1a04cc91.tar.gz
samba-24a069eac302069559c6347b24276e7f1a04cc91.tar.bz2
samba-24a069eac302069559c6347b24276e7f1a04cc91.zip
modified domain_client_validate to take trust account name / type. this
is to pass DOMAIN_NAME$ and SEC_CHAN_DOMAIN instead of WKSTA_NAME$ and SEC_CHAN_WKSTA. modified check_domain_security to determine if domain name is own domain, and to use wksta trust account if so, otherwise check "trusting domains" parameter and use inter-domain trust account if so, otherwise return False. (This used to be commit 97ec74e1fa99d773812d2df402251fafb76b181c)
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/chgpasswd.c3
-rw-r--r--source3/smbd/password.c15
-rw-r--r--source3/smbd/reply.c61
3 files changed, 68 insertions, 11 deletions
diff --git a/source3/smbd/chgpasswd.c b/source3/smbd/chgpasswd.c
index a21b598238..3d31db7fb5 100644
--- a/source3/smbd/chgpasswd.c
+++ b/source3/smbd/chgpasswd.c
@@ -626,6 +626,7 @@ BOOL check_oem_password(char *user,
uchar new_p16[16];
uchar unenc_old_pw[16];
char no_pw[2];
+ uint32 len;
BOOL nt_pass_set = (ntdata != NULL && nthash != NULL);
@@ -682,7 +683,7 @@ BOOL check_oem_password(char *user,
*/
SamOEMhash( (uchar *)lmdata, (uchar *)smbpw->smb_passwd, True);
- if (!decode_pw_buffer(lmdata, new_passwd, new_passwd_size, nt_pass_set))
+ if (!decode_pw_buffer(lmdata, new_passwd, new_passwd_size, &len))
{
return False;
}
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index 1612b8264f..f74cc49eca 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -1095,7 +1095,8 @@ use this machine as the password server.\n"));
key from the workstation trust account password.
************************************************************************/
-BOOL domain_client_validate( char *user, char *domain,
+BOOL domain_client_validate( char *user, char *domain, char *server_list,
+ char *acct_name, uint16 acct_type,
char *smb_apasswd, int smb_apasslen,
char *smb_ntpasswd, int smb_ntpasslen)
{
@@ -1108,6 +1109,10 @@ BOOL domain_client_validate( char *user, char *domain,
NET_USER_INFO_3 info3;
struct cli_state cli;
uint32 smb_uid_low;
+ fstring trust_acct;
+
+ fstrcpy(trust_acct, acct_name);
+ fstrcat(trust_acct, "$");
/*
* Check that the requested domain is not our own machine name.
@@ -1126,7 +1131,7 @@ BOOL domain_client_validate( char *user, char *domain,
*/
if(((smb_apasslen != 24) && (smb_apasslen != 0)) ||
- ((smb_ntpasslen != 24) && (smb_ntpasslen != 0)))
+ ((smb_ntpasslen <= 24) && (smb_ntpasslen != 0)))
{
/*
* Not encrypted - do so.
@@ -1158,7 +1163,7 @@ BOOL domain_client_validate( char *user, char *domain,
/*
* Get the workstation trust account password.
*/
- if (!trust_get_passwd( trust_passwd, global_myworkgroup, global_myname))
+ if (!trust_get_passwd( trust_passwd, domain, acct_name))
{
return False;
}
@@ -1171,7 +1176,7 @@ BOOL domain_client_validate( char *user, char *domain,
* see if they were valid.
*/
- if (!cli_connect_serverlist(&cli, lp_passwordserver()))
+ if (!cli_connect_serverlist(&cli, server_list))
{
DEBUG(0,("domain_client_validate: Domain password server not available.\n"));
return False;
@@ -1192,7 +1197,7 @@ BOOL domain_client_validate( char *user, char *domain,
}
if(cli_nt_setup_creds(&cli, nt_pipe_fnum,
- cli.mach_acct, global_myname, trust_passwd, SEC_CHAN_WKSTA) != 0x0)
+ trust_acct, global_myname, trust_passwd, acct_type) != 0x0)
{
DEBUG(0,("domain_client_validate: unable to setup the PDC credentials to machine \
%s. Error was : %s.\n", cli.desthost, cli_errstr(&cli)));
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 0c4fb2003c..79b24a986c 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -39,6 +39,7 @@ extern BOOL case_preserve;
extern BOOL short_case_preserve;
extern pstring sesssetup_user;
extern fstring global_myworkgroup;
+extern fstring global_myname;
extern int Client;
extern int global_oplock_break;
uint32 global_client_caps = 0;
@@ -501,12 +502,62 @@ static BOOL check_domain_security(char *orig_user, char *domain,
char *smb_apasswd, int smb_apasslen,
char *smb_ntpasswd, int smb_ntpasslen)
{
- if(lp_security() != SEC_DOMAIN)
- return False;
+ fstring acct_name;
+ uint16 acct_type = 0;
+
+ char *server_list = NULL;
+ pstring srv_list;
+ char *trusted_list = lp_trusted_domains();
+
+ if (lp_security() == SEC_SHARE || lp_security() == SEC_SERVER)
+ {
+ return False;
+ }
+
+ if (lp_security() == SEC_DOMAIN)
+ {
+ fstrcpy(acct_name, global_myname);
+ acct_type = SEC_CHAN_WKSTA;
+ if (strequal(lp_workgroup(), domain))
+ {
+ DEBUG(10,("local domain server list: %s\n", server_list));
+ pstrcpy(srv_list, lp_passwordserver());
+ server_list = srv_list;
+ }
+ }
+
+ if (server_list == NULL)
+ {
+ pstring tmp;
+ if (next_token(&trusted_list, tmp, NULL, sizeof(tmp)))
+ {
+ do
+ {
+ fstring trust_dom;
+ split_at_first_component(tmp, trust_dom, '=', srv_list);
+
+ if (strequal(domain, trust_dom))
+ {
+ DEBUG(10,("trusted domain server list: %s\n", server_list));
+ fstrcpy(acct_name, global_myworkgroup);
+ acct_type = SEC_CHAN_DOMAIN;
+ server_list = srv_list;
+ break;
+ }
+
+ } while (next_token(NULL, tmp, NULL, sizeof(tmp)));
+ }
+ }
+
+ if (server_list == NULL)
+ {
+ return False;
+ }
- return domain_client_validate(orig_user, domain,
- smb_apasswd, smb_apasslen,
- smb_ntpasswd, smb_ntpasslen);
+ return domain_client_validate(orig_user, domain, server_list,
+ acct_name, acct_type,
+ smb_apasswd, smb_apasslen,
+ smb_ntpasswd, smb_ntpasslen);
}
/****************************************************************************