diff options
author | Günther Deschner <gd@samba.org> | 2010-07-06 17:02:33 +0200 |
---|---|---|
committer | Günther Deschner <gd@samba.org> | 2010-07-07 16:49:26 +0200 |
commit | 0da5e153787b461ea9ba5ac5353a0046a5a26e07 (patch) | |
tree | c51dbb5c5f403ff301c02df29431e47ef4b039c7 /source3 | |
parent | 519d17e451399f09f154dc581a22e74162ff7807 (diff) | |
download | samba-0da5e153787b461ea9ba5ac5353a0046a5a26e07.tar.gz samba-0da5e153787b461ea9ba5ac5353a0046a5a26e07.tar.bz2 samba-0da5e153787b461ea9ba5ac5353a0046a5a26e07.zip |
s3-winbindd: route samr chgpwd ops for own domain over internal samr pipe as well.
Guenther
Diffstat (limited to 'source3')
-rw-r--r-- | source3/winbindd/winbindd_cm.c | 8 | ||||
-rw-r--r-- | source3/winbindd/winbindd_pam.c | 91 | ||||
-rw-r--r-- | source3/winbindd/winbindd_proto.h | 7 | ||||
-rw-r--r-- | source3/winbindd/winbindd_samr.c | 8 |
4 files changed, 45 insertions, 69 deletions
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index fa1b78cb4f..b300357190 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -2078,6 +2078,14 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, char *machine_account = NULL; char *domain_name = NULL; + if (strequal(domain->name, get_global_sam_name())) { + result = open_internal_samr_conn(mem_ctx, domain, cli, sam_handle); + if (!NT_STATUS_IS_OK(result)) { + return result; + } + return NT_STATUS_OK; + } + result = init_dc_connection_rpc(domain); if (!NT_STATUS_IS_OK(result)) { return result; diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index ef8d464008..bf113e8cce 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -31,7 +31,6 @@ #include "rpc_client/cli_netlogon.h" #include "smb_krb5.h" #include "../lib/crypto/arcfour.h" -#include "rpc_server/srv_samr_util.h" #include "../libcli/security/dom_sid.h" #undef DBGC_CLASS @@ -1896,13 +1895,15 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact char *oldpass; char *newpass = NULL; struct policy_handle dom_pol; - struct rpc_pipe_client *cli; + struct rpc_pipe_client *cli = NULL; bool got_info = false; struct samr_DomInfo1 *info = NULL; struct userPwdChangeFailureInformation *reject = NULL; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; fstring domain, user; + ZERO_STRUCT(dom_pol); + DEBUG(3, ("[%5lu]: dual pam chauthtok %s\n", (unsigned long)state->pid, state->request->data.auth.user)); @@ -1918,53 +1919,6 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact /* Initialize reject reason */ state->response->data.auth.reject_reason = Undefined; - if (strequal(domain, get_global_sam_name())) { - struct samr_CryptPassword new_nt_password; - struct samr_CryptPassword new_lm_password; - struct samr_Password old_nt_hash_enc; - struct samr_Password old_lanman_hash_enc; - enum samPwdChangeReason rejectReason; - - uchar old_nt_hash[16]; - uchar old_lanman_hash[16]; - uchar new_nt_hash[16]; - uchar new_lanman_hash[16]; - - contact_domain = NULL; - - E_md4hash(oldpass, old_nt_hash); - E_md4hash(newpass, new_nt_hash); - - if (lp_client_lanman_auth() && - E_deshash(newpass, new_lanman_hash) && - E_deshash(oldpass, old_lanman_hash)) { - - /* E_deshash returns false for 'long' passwords (> 14 - DOS chars). This allows us to match Win2k, which - does not store a LM hash for these passwords (which - would reduce the effective password length to 14) */ - - encode_pw_buffer(new_lm_password.data, newpass, STR_UNICODE); - arcfour_crypt(new_lm_password.data, old_nt_hash, 516); - E_old_pw_hash(new_nt_hash, old_lanman_hash, old_lanman_hash_enc.hash); - } else { - ZERO_STRUCT(new_lm_password); - ZERO_STRUCT(old_lanman_hash_enc); - } - - encode_pw_buffer(new_nt_password.data, newpass, STR_UNICODE); - - arcfour_crypt(new_nt_password.data, old_nt_hash, 516); - E_old_pw_hash(new_nt_hash, old_nt_hash, old_nt_hash_enc.hash); - - result = pass_oem_change( - user, - new_lm_password.data, old_lanman_hash_enc.hash, - new_nt_password.data, old_nt_hash_enc.hash, - &rejectReason); - goto done; - } - /* Get sam handle */ result = cm_connect_sam(contact_domain, state->mem_ctx, &cli, @@ -2060,6 +2014,16 @@ done: process_result: + if (strequal(contact_domain->name, get_global_sam_name())) { + /* FIXME: internal rpc pipe does not cache handles yet */ + if (cli) { + if (is_valid_policy_hnd(&dom_pol)) { + rpccli_samr_Close(cli, state->mem_ctx, &dom_pol); + } + TALLOC_FREE(cli); + } + } + set_auth_errors(state->response, result); DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, @@ -2144,7 +2108,9 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai fstring domain,user; struct policy_handle dom_pol; struct winbindd_domain *contact_domain = domainSt; - struct rpc_pipe_client *cli; + struct rpc_pipe_client *cli = NULL; + + ZERO_STRUCT(dom_pol); /* Ensure null termination */ state->request->data.chng_pswd_auth_crap.user[ @@ -2192,21 +2158,6 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid, domain, user)); - if (strequal(domain, get_global_sam_name())) { - enum samPwdChangeReason reject_reason; - - result = pass_oem_change( - user, - state->request->data.chng_pswd_auth_crap.new_lm_pswd, - state->request->data.chng_pswd_auth_crap.old_lm_hash_enc, - state->request->data.chng_pswd_auth_crap.new_nt_pswd, - state->request->data.chng_pswd_auth_crap.old_nt_hash_enc, - &reject_reason); - DEBUG(10, ("pass_oem_change returned %s\n", - nt_errstr(result))); - goto done; - } - /* Change password */ new_nt_password = data_blob_const( state->request->data.chng_pswd_auth_crap.new_nt_pswd, @@ -2243,6 +2194,16 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai done: + if (strequal(contact_domain->name, get_global_sam_name())) { + /* FIXME: internal rpc pipe does not cache handles yet */ + if (cli) { + if (is_valid_policy_hnd(&dom_pol)) { + rpccli_samr_Close(cli, state->mem_ctx, &dom_pol); + } + TALLOC_FREE(cli); + } + } + set_auth_errors(state->response, result); DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index caa1cac0ef..a26a9df889 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h @@ -875,4 +875,11 @@ NTSTATUS winbindd_pam_chng_pswd_auth_crap_recv( struct tevent_req *req, struct winbindd_response *response); +/* The following definitions come from winbindd/winbindd_samr.c */ + +NTSTATUS open_internal_samr_conn(TALLOC_CTX *mem_ctx, + struct winbindd_domain *domain, + struct rpc_pipe_client **samr_pipe, + struct policy_handle *samr_domain_hnd); + #endif /* _WINBINDD_PROTO_H_ */ diff --git a/source3/winbindd/winbindd_samr.c b/source3/winbindd/winbindd_samr.c index 0c077aa32d..f8004d976f 100644 --- a/source3/winbindd/winbindd_samr.c +++ b/source3/winbindd/winbindd_samr.c @@ -77,10 +77,10 @@ done: return NT_STATUS_OK; } -static NTSTATUS open_internal_samr_conn(TALLOC_CTX *mem_ctx, - struct winbindd_domain *domain, - struct rpc_pipe_client **samr_pipe, - struct policy_handle *samr_domain_hnd) +NTSTATUS open_internal_samr_conn(TALLOC_CTX *mem_ctx, + struct winbindd_domain *domain, + struct rpc_pipe_client **samr_pipe, + struct policy_handle *samr_domain_hnd) { NTSTATUS status; struct policy_handle samr_connect_hnd; |