authorVolker Lendecke <vl@samba.org>2010-04-11 15:27:49 +0200
committerVolker Lendecke <vl@samba.org>2010-04-13 21:21:34 +0200
commit577bceb19bed18db053456b2b686ba04df1d7456 (patch)
treeece99a22f4ca8353855bc2216718496febaf71b9 /source3
parent55838a8c021020c057b514cc97d5196eaa313764 (diff)
s3-winbind: Authenticate SAM users
Diffstat (limited to 'source3')
-rw-r--r--source3/Makefile.in4
-rw-r--r--source3/winbindd/winbindd_pam.c76
2 files changed, 75 insertions, 5 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 4de937aacd..f83450957e 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -1238,6 +1238,10 @@ WINBINDD_OBJ1 = \
winbindd/winbindd_remove_mapping.o \
winbindd/winbindd_set_hwm.o \
auth/token_util.o \
+ auth/check_samsec.o \
+ auth/server_info.o \
+ auth/server_info_sam.o \
+ auth/user_info.o \
../nsswitch/libwbclient/wb_reqtrans.o
WINBINDD_OBJ = \
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 1faa5c9c24..796bc3eaed 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -348,11 +348,8 @@ struct winbindd_domain *find_auth_domain(uint8_t flags,
return domain;
}
- if (is_myname(domain_name)) {
- DEBUG(3, ("Authentication for domain %s (local domain "
- "to this server) not supported at this "
- "stage\n", domain_name));
- return NULL;
+ if (strequal(domain_name, get_global_sam_name())) {
+ return find_domain_from_name_noinit(domain_name);
}
/* we can auth against trusted domains */
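Review bot: The new branch at L46-L47 returns whatever find_domain_from_name_noinit() yields, so a failed lookup now leaves find_auth_domain() returning NULL silently, whereas the replaced code logged at level 3 before returning NULL. Keeping a diagnostic on that path would preserve the old debuggability, e.g. `domain = find_domain_from_name_noinit(domain_name); if (domain == NULL) { DEBUG(3, ("local SAM domain %s not found\n", domain_name)); } return domain;`, assuming `domain` is the local already returned at L39 (its declaration lies outside the hunk). The remainder of find_auth_domain, including the trusted-domain path, is outside this hunk.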
@@ -1179,6 +1176,53 @@ done:
return result;
}
+static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
+ const char *domain, const char *user,
+ const DATA_BLOB *challenge,
+ const DATA_BLOB *lm_resp,
+ const DATA_BLOB *nt_resp,
+ struct netr_SamInfo3 **pinfo3)
+{
+ struct auth_usersupplied_info *user_info = NULL;
+ struct auth_serversupplied_info *server_info = NULL;
+ struct netr_SamInfo3 *info3;
+ NTSTATUS status;
+
+ status = make_user_info(&user_info, user, user, domain, domain,
+ global_myname(), lm_resp, nt_resp, NULL, NULL,
+ NULL, True);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("make_user_info failed: %s\n", nt_errstr(status)));
+ return status;
+ }
+
+ status = check_sam_security(challenge, talloc_tos(), user_info,
+ &server_info);
+ free_user_info(&user_info);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("check_ntlm_password failed: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
+
+ info3 = TALLOC_ZERO_P(mem_ctx, struct netr_SamInfo3);
+ if (info3 == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = serverinfo_to_SamInfo3(server_info, NULL, 0, info3);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("serverinfo_to_SamInfo3 failed: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
+
+ DEBUG(10, ("Authenticated user %s\\%s successfully\n", domain, user));
+ *pinfo3 = info3;
+ return NT_STATUS_OK;
+}
+
typedef NTSTATUS (*netlogon_fn_t)(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
uint32 logon_parameters,
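Review bot: The failure message at L78 reads `check_ntlm_password failed` but the call it reports on at L73 is check_sam_security(), which sends anyone reading a level-10 log to the wrong function; change it to `DEBUG(10, ("check_sam_security failed: %s\n",`. When serverinfo_to_SamInfo3() fails at L89, the info3 allocated on mem_ctx at L83 stays attached to the caller's context half-filled; a `TALLOC_FREE(info3);` before the `return status;` at L92 avoids that. The function has no header comment; a short one such as `/* Authenticate user against the local passdb. *pinfo3 is allocated on mem_ctx and set only on success; server_info lives on talloc_tos(), so the caller must hold a talloc stackframe. */` would state the two lifetime rules the code relies on (the talloc_tos() dependency is inferred from L73 and worth confirming).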
@@ -1273,6 +1317,15 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
sizeof(local_nt_response));
}
+ if (strequal(name_domain, get_global_sam_name())) {
+ DATA_BLOB chal_blob = data_blob_const(chal, sizeof(chal));
+
+ result = winbindd_dual_auth_passdb(
+ state->mem_ctx, name_domain, name_user,
+ &chal_blob, &lm_resp, &nt_resp, info3);
+ goto done;
+ }
+
/* check authentication loop */
do {
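Review bot: The local-SAM dispatch added at L106-L113 is repeated almost verbatim at L120-L129 in winbindd_dual_pam_auth_crap, and the `strequal(name_domain, get_global_sam_name())` test is the same one this commit introduces in find_auth_domain; a small predicate such as `static bool is_local_sam_domain(const char *name)` would keep the three sites from drifting if the notion of "local SAM" is later widened. In both places the `goto` jumps past the netlogon retry loop, so any bookkeeping that sits between that loop and the target label (outside this hunk) is skipped for passdb results — worth confirming nothing there is needed on this path. The enclosing function and the `done:` label are outside the hunk.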
@@ -1849,6 +1902,17 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
state->request->data.auth_crap.nt_resp_len);
}
+ if (strequal(name_domain, get_global_sam_name())) {
+ DATA_BLOB chal_blob = data_blob_const(
+ state->request->data.auth_crap.chal,
+ sizeof(state->request->data.auth_crap.chal));
+
+ result = winbindd_dual_auth_passdb(
+ state->mem_ctx, name_domain, name_user,
+ &chal_blob, &lm_resp, &nt_resp, &info3);
+ goto process_result;
+ }
+
do {
netlogon_fn_t logon_fn;
@@ -1916,6 +1980,8 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
} while ( (attempts < 2) && retry );
+process_result:
+
if (NT_STATUS_IS_OK(result)) {
wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);