summaryrefslogtreecommitdiff
path: root/source3/winbindd
diff options
context:
space:
mode:
authorGünther Deschner <gd@samba.org>2010-07-06 17:02:33 +0200
committerGünther Deschner <gd@samba.org>2010-07-07 16:49:26 +0200
commit0da5e153787b461ea9ba5ac5353a0046a5a26e07 (patch)
treec51dbb5c5f403ff301c02df29431e47ef4b039c7 /source3/winbindd
parent519d17e451399f09f154dc581a22e74162ff7807 (diff)
downloadsamba-0da5e153787b461ea9ba5ac5353a0046a5a26e07.tar.gz
samba-0da5e153787b461ea9ba5ac5353a0046a5a26e07.tar.bz2
samba-0da5e153787b461ea9ba5ac5353a0046a5a26e07.zip
s3-winbindd: route samr chgpwd ops for own domain over internal samr pipe as well.
Guenther
Diffstat (limited to 'source3/winbindd')
-rw-r--r--source3/winbindd/winbindd_cm.c8
-rw-r--r--source3/winbindd/winbindd_pam.c91
-rw-r--r--source3/winbindd/winbindd_proto.h7
-rw-r--r--source3/winbindd/winbindd_samr.c8
4 files changed, 45 insertions, 69 deletions
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index fa1b78cb4f..b300357190 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2078,6 +2078,14 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
char *machine_account = NULL;
char *domain_name = NULL;
+ if (strequal(domain->name, get_global_sam_name())) {
+ result = open_internal_samr_conn(mem_ctx, domain, cli, sam_handle);
+ if (!NT_STATUS_IS_OK(result)) {
+ return result;
+ }
+ return NT_STATUS_OK;
+ }
+
result = init_dc_connection_rpc(domain);
if (!NT_STATUS_IS_OK(result)) {
return result;
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index ef8d464008..bf113e8cce 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -31,7 +31,6 @@
#include "rpc_client/cli_netlogon.h"
#include "smb_krb5.h"
#include "../lib/crypto/arcfour.h"
-#include "rpc_server/srv_samr_util.h"
#include "../libcli/security/dom_sid.h"
#undef DBGC_CLASS
@@ -1896,13 +1895,15 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact
char *oldpass;
char *newpass = NULL;
struct policy_handle dom_pol;
- struct rpc_pipe_client *cli;
+ struct rpc_pipe_client *cli = NULL;
bool got_info = false;
struct samr_DomInfo1 *info = NULL;
struct userPwdChangeFailureInformation *reject = NULL;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
fstring domain, user;
+ ZERO_STRUCT(dom_pol);
+
DEBUG(3, ("[%5lu]: dual pam chauthtok %s\n", (unsigned long)state->pid,
state->request->data.auth.user));
@@ -1918,53 +1919,6 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact
/* Initialize reject reason */
state->response->data.auth.reject_reason = Undefined;
- if (strequal(domain, get_global_sam_name())) {
- struct samr_CryptPassword new_nt_password;
- struct samr_CryptPassword new_lm_password;
- struct samr_Password old_nt_hash_enc;
- struct samr_Password old_lanman_hash_enc;
- enum samPwdChangeReason rejectReason;
-
- uchar old_nt_hash[16];
- uchar old_lanman_hash[16];
- uchar new_nt_hash[16];
- uchar new_lanman_hash[16];
-
- contact_domain = NULL;
-
- E_md4hash(oldpass, old_nt_hash);
- E_md4hash(newpass, new_nt_hash);
-
- if (lp_client_lanman_auth() &&
- E_deshash(newpass, new_lanman_hash) &&
- E_deshash(oldpass, old_lanman_hash)) {
-
- /* E_deshash returns false for 'long' passwords (> 14
- DOS chars). This allows us to match Win2k, which
- does not store a LM hash for these passwords (which
- would reduce the effective password length to 14) */
-
- encode_pw_buffer(new_lm_password.data, newpass, STR_UNICODE);
- arcfour_crypt(new_lm_password.data, old_nt_hash, 516);
- E_old_pw_hash(new_nt_hash, old_lanman_hash, old_lanman_hash_enc.hash);
- } else {
- ZERO_STRUCT(new_lm_password);
- ZERO_STRUCT(old_lanman_hash_enc);
- }
-
- encode_pw_buffer(new_nt_password.data, newpass, STR_UNICODE);
-
- arcfour_crypt(new_nt_password.data, old_nt_hash, 516);
- E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash);
-
- result = pass_oem_change(
- user,
- new_lm_password.data, old_lanman_hash_enc.hash,
- new_nt_password.data, old_nt_hash_enc.hash,
- &rejectReason);
- goto done;
- }
-
/* Get sam handle */
result = cm_connect_sam(contact_domain, state->mem_ctx, &cli,
@@ -2060,6 +2014,16 @@ done:
process_result:
+ if (strequal(contact_domain->name, get_global_sam_name())) {
+ /* FIXME: internal rpc pipe does not cache handles yet */
+ if (cli) {
+ if (is_valid_policy_hnd(&dom_pol)) {
+ rpccli_samr_Close(cli, state->mem_ctx, &dom_pol);
+ }
+ TALLOC_FREE(cli);
+ }
+ }
+
set_auth_errors(state->response, result);
DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
@@ -2144,7 +2108,9 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai
fstring domain,user;
struct policy_handle dom_pol;
struct winbindd_domain *contact_domain = domainSt;
- struct rpc_pipe_client *cli;
+ struct rpc_pipe_client *cli = NULL;
+
+ ZERO_STRUCT(dom_pol);
/* Ensure null termination */
state->request->data.chng_pswd_auth_crap.user[
@@ -2192,21 +2158,6 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai
DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n",
(unsigned long)state->pid, domain, user));
- if (strequal(domain, get_global_sam_name())) {
- enum samPwdChangeReason reject_reason;
-
- result = pass_oem_change(
- user,
- state->request->data.chng_pswd_auth_crap.new_lm_pswd,
- state->request->data.chng_pswd_auth_crap.old_lm_hash_enc,
- state->request->data.chng_pswd_auth_crap.new_nt_pswd,
- state->request->data.chng_pswd_auth_crap.old_nt_hash_enc,
- &reject_reason);
- DEBUG(10, ("pass_oem_change returned %s\n",
- nt_errstr(result)));
- goto done;
- }
-
/* Change password */
new_nt_password = data_blob_const(
state->request->data.chng_pswd_auth_crap.new_nt_pswd,
@@ -2243,6 +2194,16 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai
done:
+ if (strequal(contact_domain->name, get_global_sam_name())) {
+ /* FIXME: internal rpc pipe does not cache handles yet */
+ if (cli) {
+ if (is_valid_policy_hnd(&dom_pol)) {
+ rpccli_samr_Close(cli, state->mem_ctx, &dom_pol);
+ }
+ TALLOC_FREE(cli);
+ }
+ }
+
set_auth_errors(state->response, result);
DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index caa1cac0ef..a26a9df889 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -875,4 +875,11 @@ NTSTATUS winbindd_pam_chng_pswd_auth_crap_recv(
struct tevent_req *req,
struct winbindd_response *response);
+/* The following definitions come from winbindd/winbindd_samr.c */
+
+NTSTATUS open_internal_samr_conn(TALLOC_CTX *mem_ctx,
+ struct winbindd_domain *domain,
+ struct rpc_pipe_client **samr_pipe,
+ struct policy_handle *samr_domain_hnd);
+
#endif /* _WINBINDD_PROTO_H_ */
diff --git a/source3/winbindd/winbindd_samr.c b/source3/winbindd/winbindd_samr.c
index 0c077aa32d..f8004d976f 100644
--- a/source3/winbindd/winbindd_samr.c
+++ b/source3/winbindd/winbindd_samr.c
@@ -77,10 +77,10 @@ done:
return NT_STATUS_OK;
}
-static NTSTATUS open_internal_samr_conn(TALLOC_CTX *mem_ctx,
- struct winbindd_domain *domain,
- struct rpc_pipe_client **samr_pipe,
- struct policy_handle *samr_domain_hnd)
+NTSTATUS open_internal_samr_conn(TALLOC_CTX *mem_ctx,
+ struct winbindd_domain *domain,
+ struct rpc_pipe_client **samr_pipe,
+ struct policy_handle *samr_domain_hnd)
{
NTSTATUS status;
struct policy_handle samr_connect_hnd;