authorAndrew Bartlett <abartlet@samba.org>2001-09-16 06:35:35 +0000
committerAndrew Bartlett <abartlet@samba.org>2001-09-16 06:35:35 +0000
commitdec3cbcaf097a3d6fab9359e001279447a5f4def (patch)
tree6bfdbdcf71359c9126cc9c2d934e90a3d35106d9 /source3/smbd
parent9bae3609ac791b7cccdddc2cba4431d78eff60ef (diff)
Fix up workstation and kickoff time checks, moved to auth_smbpasswd.c where
they can have general effect. Fixed up workstation support in the rest of samba, so that we can do these checks. Pass through the workstation for cli_net_logon(), if supplied. (This used to be commit 7f04a139b2ee34b4c282590509cdf21395815a7a)
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/auth.c23
-rw-r--r--source3/smbd/auth_smbpasswd.c45
-rw-r--r--source3/smbd/reply.c11
3 files changed, 62 insertions, 17 deletions
diff --git a/source3/smbd/auth.c b/source3/smbd/auth.c
index 0101aa65a2..5b6b2d4c42 100644
--- a/source3/smbd/auth.c
+++ b/source3/smbd/auth.c
@@ -25,8 +25,6 @@
extern int DEBUGLEVEL;
-extern pstring global_myname;
-
/****************************************************************************
Check user is in correct domain if required
****************************************************************************/
@@ -63,7 +61,8 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
BOOL done_pam = False;
- DEBUG(3, ("check_password: Checking password for smb user %s with the new password interface\n", user_info->smb_username.str));
+ DEBUG(3, ("check_password: Checking password for smb user %s\\%s@%s with the new password interface\n",
+ user_info->smb_username.str, user_info->requested_domain.str, user_info->wksta_name.str));
if (!check_domain_match(user_info->smb_username.str, user_info->domain.str)) {
return NT_STATUS_LOGON_FAILURE;
}
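Review bot: The new debug line logs `requested_domain` while the check on the very next line enforces `domain`, so a failed-logon log entry can disagree with what was actually tested, and `%s\\%s` prints user\domain, the reverse of the usual DOMAIN\user form. Logging the enforced value makes the audit trail match the decision: `user_info->domain.str, user_info->smb_username.str, user_info->wksta_name.str` under the format `"... smb user %s\\%s@%s ..."`. If any of these `.str` fields can be NULL at this point, passing it to `%s` is undefined behaviour; I cannot tell from the hunk whether the callers guarantee non-NULL. check_password continues outside the hunk.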
@@ -122,7 +121,8 @@ return True if the password is correct, False otherwise
****************************************************************************/
NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
- char *domain, uchar chal[8],
+ char *domain, char* workstation,
+ uchar chal[8],
uchar *lm_pwd, int lm_pwd_len,
uchar *nt_pwd, int nt_pwd_len)
{
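Review bot: The new `workstation` parameter of pass_check_smb_with_chal is undocumented, and the function comment visible in the hunk header context still says the function returns True/False although it returns NTSTATUS. I would add above the signature: `/* workstation: NetBIOS name the client presented for itself; compared against the account's workstation list. */` and correct the return description to NTSTATUS. The function body runs past the hunk.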
@@ -158,8 +158,8 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
user_info.unix_username = unix_username;
user_info.smb_username = smb_username;
- user_info.wksta_name.str = client_name();
- user_info.wksta_name.len = strlen(client_name());
+ wksta_name.str = workstation;
+ wksta_name.len = strlen(workstation);
user_info.wksta_name = wksta_name;
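Review bot: `strlen(workstation)` dereferences a NULL pointer if a caller passes no workstation, whereas the replaced `client_name()` was always a usable string; the commit message says the workstation is passed through "if supplied", so a NULL caller looks plausible. A fallback before the assignment keeps the old behaviour for such callers: `if (!workstation) workstation = client_name();` (or `""` if the session name is no longer wanted here). pass_check_smb_with_chal starts and ends outside this hunk.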
@@ -204,7 +204,8 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
return check_password(&user_info, &server_info);
}
-NTSTATUS pass_check_smb(char *smb_user, char *unix_user, char *domain,
+NTSTATUS pass_check_smb(char *smb_user, char *unix_user,
+ char *domain, char *workstation,
uchar *lm_pwd, int lm_pwd_len,
uchar *nt_pwd, int nt_pwd_len)
{
@@ -214,7 +215,8 @@ NTSTATUS pass_check_smb(char *smb_user, char *unix_user, char *domain,
generate_random_buffer( chal, 8, False);
}
- return pass_check_smb_with_chal(smb_user, unix_user, domain, chal,
+ return pass_check_smb_with_chal(smb_user, unix_user,
+ domain, workstation, chal,
lm_pwd, lm_pwd_len,
nt_pwd, nt_pwd_len);
@@ -227,6 +229,7 @@ return True if the password is correct, False otherwise
****************************************************************************/
BOOL password_ok(char *user, char *password, int pwlen)
{
+ extern fstring remote_machine;
/*
* This hack must die! But until I rewrite the rest of samba
@@ -240,11 +243,11 @@ BOOL password_ok(char *user, char *password, int pwlen)
/* The password could be either NTLM or plain LM. Try NTLM first, but fall-through as
required. */
- if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, lp_workgroup(), NULL, 0, (unsigned char *)password, pwlen))) {
+ if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, remote_machine, lp_workgroup(), NULL, 0, (unsigned char *)password, pwlen))) {
return True;
}
- if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, lp_workgroup(), (unsigned char *)password, pwlen, NULL, 0))) {
+ if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, remote_machine, lp_workgroup(), (unsigned char *)password, pwlen, NULL, 0))) {
return True;
}
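Review bot: Both new calls pass the arguments in the wrong order: pass_check_smb now takes `(smb_user, unix_user, domain, workstation, ...)`, but here `remote_machine` is supplied as the domain and `lp_workgroup()` as the workstation. The effect is that check_domain_match() is applied to the client's machine name and the per-account workstation restriction is compared against the workgroup name, so a restricted account is refused from every real workstation, or accepted from any client if the workgroup name happens to be in its list. The calls should read `pass_check_smb(user, NULL, lp_workgroup(), remote_machine, NULL, 0, (unsigned char *)password, pwlen)` and `pass_check_smb(user, NULL, lp_workgroup(), remote_machine, (unsigned char *)password, pwlen, NULL, 0)`, the order used by reply_sesssetup_and_X. password_ok starts outside this hunk.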
diff --git a/source3/smbd/auth_smbpasswd.c b/source3/smbd/auth_smbpasswd.c
index 111a35e068..b61fde4206 100644
--- a/source3/smbd/auth_smbpasswd.c
+++ b/source3/smbd/auth_smbpasswd.c
@@ -112,9 +112,9 @@ static BOOL smb_pwd_check_ntlmv2(const uchar *password, size_t pwd_len,
NTSTATUS smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info)
{
uint8 *nt_pw, *lm_pw;
- uint16 acct_ctrl;
-
- acct_ctrl = pdb_get_acct_ctrl(sampass);
+ uint16 acct_ctrl = pdb_get_acct_ctrl(sampass);
+ char *workstation_list;
+ time_t kickoff_time;
/* Quit if the account was disabled. */
if(acct_ctrl & ACB_DISABLED) {
@@ -122,6 +122,45 @@ NTSTATUS smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *use
return(NT_STATUS_ACCOUNT_DISABLED);
}
+ /* Test account expire time */
+
+ kickoff_time = pdb_get_kickoff_time(sampass);
+ if (kickoff_time != (time_t)-1) {
+ if (time(NULL) > kickoff_time) {
+ return NT_STATUS_ACCOUNT_EXPIRED;
+ }
+ }
+
+ /* Test workstation. Workstation list is comma separated. */
+
+ workstation_list = strdup(pdb_get_workstations(sampass));
+
+ if (workstation_list) {
+ if (*workstation_list) {
+ BOOL invalid_ws = True;
+ char *s = workstation_list;
+
+ fstring tok;
+
+ while (next_token(&s, tok, ",", sizeof(tok))) {
+ DEBUG(10,("checking for workstation match %s and %s (len=%d)\n",
+ tok, user_info->wksta_name.str, user_info->wksta_name.len));
+ if(strequal(tok, user_info->wksta_name.str)) {
+ invalid_ws = False;
+ break;
+ }
+ }
+
+ free(workstation_list);
+ if (invalid_ws)
+ return NT_STATUS_INVALID_WORKSTATION;
+ } else {
+ free(workstation_list);
+ }
+ } else {
+ return NT_STATUS_NO_MEMORY;
+ }
+
if (acct_ctrl & ACB_PWNOTREQ)
{
if (lp_null_passwords())
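Review bot: `strdup(pdb_get_workstations(sampass))` dereferences a NULL pointer if the accessor returns NULL for an account without a workstation list, and the `else` branch then reports NT_STATUS_NO_MEMORY for what need not be an allocation failure; I cannot see pdb_get_workstations here, so whether it can return NULL needs confirming. I would fetch the list into a local first and treat NULL like the empty string, so only a failed strdup() reaches the NO_MEMORY return: `const char *ws = pdb_get_workstations(sampass); workstation_list = strdup(ws ? ws : "");`. Separately, the compared `wksta_name` is whatever name the client announced (remote_machine is filled from the NetBIOS session request handled in reply.c), so this restriction is advisory rather than an authentication boundary, and a comment should say so: `/* wksta_name is client-supplied and unauthenticated: a policy check, not a security boundary. */`. Note also that both new checks run before any password is compared in this function (the rest of smb_password_ok is outside the hunk), so an unauthenticated client that knows a username receives ACCOUNT_EXPIRED or INVALID_WORKSTATION instead of LOGON_FAILURE; if that ordering is not deliberate, moving them after the password check would avoid leaking account state.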
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index a379bf1f7f..1559cd30df 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3,7 +3,8 @@
Version 1.9.
Main SMB reply routines
Copyright (C) Andrew Tridgell 1992-1998
-
+ Copyright (C) Andrew Bartlett 2001
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
@@ -41,6 +42,8 @@ extern int global_oplock_break;
uint32 global_client_caps = 0;
unsigned int smb_echo_count = 0;
+extern fstring remote_machine;
+
/****************************************************************************
report a possible attack via the password buffer overflow bug
****************************************************************************/
@@ -66,7 +69,7 @@ int reply_special(char *inbuf,char *outbuf)
int msg_type = CVAL(inbuf,0);
int msg_flags = CVAL(inbuf,1);
pstring name1,name2;
- extern fstring remote_machine;
+
extern fstring local_machine;
int len;
char name_type = 0;
@@ -637,7 +640,7 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,int
}
- DEBUG(3,("sesssetupX:name=[%s]\n",user));
+ DEBUG(3,("sesssetupX:name=[%s]@[%s]\n",user, remote_machine));
/* If name ends in $ then I think it's asking about whether a */
/* computer with that name (minus the $) has access. For now */
@@ -720,7 +723,7 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,int
if (!guest) {
NTSTATUS nt_status;
nt_status = pass_check_smb(orig_user, user,
- domain,
+ domain, remote_machine,
(unsigned char *)smb_apasswd,
smb_apasslen,
(unsigned char *)smb_ntpasswd,