diff options
| -rw-r--r-- | source3/Makefile.in | 12 | ||||
| -rw-r--r-- | source3/auth/auth.c | 275 | ||||
| -rw-r--r-- | source3/auth/auth_domain.c | 417 | ||||
| -rw-r--r-- | source3/auth/auth_rhosts.c | 165 | ||||
| -rw-r--r-- | source3/auth/auth_sam.c | 229 | ||||
| -rw-r--r-- | source3/auth/auth_server.c | 244 | ||||
| -rw-r--r-- | source3/auth/auth_util.c | 141 | ||||
| -rw-r--r-- | source3/include/auth.h | 95 | ||||
| -rw-r--r-- | source3/include/includes.h | 2 | ||||
| -rw-r--r-- | source3/nsswitch/winbindd_pam.c | 56 | ||||
| -rw-r--r-- | source3/param/loadparm.c | 8 | ||||
| -rw-r--r-- | source3/rpc_client/cli_login.c | 12 | ||||
| -rw-r--r-- | source3/rpc_parse/parse_misc.c | 2 | ||||
| -rw-r--r-- | source3/rpc_parse/parse_net.c | 26 | ||||
| -rw-r--r-- | source3/rpc_server/srv_netlog_nt.c | 225 | ||||
| -rw-r--r-- | source3/rpc_server/srv_pipe.c | 18 | ||||
| -rw-r--r-- | source3/smbd/auth.c | 275 | ||||
| -rw-r--r-- | source3/smbd/auth_domain.c | 417 | ||||
| -rw-r--r-- | source3/smbd/auth_rhosts.c | 165 | ||||
| -rw-r--r-- | source3/smbd/auth_server.c | 244 | ||||
| -rw-r--r-- | source3/smbd/auth_smbpasswd.c | 229 | ||||
| -rw-r--r-- | source3/smbd/auth_util.c | 141 | ||||
| -rw-r--r-- | source3/smbd/negprot.c | 3 | ||||
| -rw-r--r-- | source3/smbd/password.c | 1072 | ||||
| -rw-r--r-- | source3/smbd/reply.c | 256 |
25 files changed, 3312 insertions, 1417 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in index ac3c301b5f..0d5a1a8898 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -182,6 +182,9 @@ OPLOCK_OBJ = smbd/oplock.o smbd/oplock_irix.o smbd/oplock_linux.o NOTIFY_OBJ = smbd/notify.o smbd/notify_hash.o smbd/notify_kernel.o +AUTH_OBJ = smbd/auth.o smbd/auth_smbpasswd.o smbd/auth_server.o smbd/auth_domain.o \ + smbd/auth_rhosts.o smbd/auth_util.o + SMBD_OBJ1 = smbd/server.o smbd/files.o smbd/chgpasswd.o smbd/connection.o \ smbd/utmp.o smbd/session.o \ smbd/dfree.o smbd/dir.o smbd/password.o smbd/conn.o smbd/fileio.o \ @@ -207,7 +210,7 @@ SMBD_OBJ = $(SMBD_OBJ1) $(MSDFS_OBJ) $(PARAM_OBJ) $(LIBSMB_OBJ) $(UBIQX_OBJ) \ $(RPC_SERVER_OBJ) $(RPC_CLIENT_OBJ) $(RPC_PARSE_OBJ) \ $(LOCKING_OBJ) $(PASSDB_OBJ) $(PRINTING_OBJ) $(PROFILE_OBJ) \ $(LIB_OBJ) $(PRINTBACKEND_OBJ) $(QUOTAOBJS) $(OPLOCK_OBJ) \ - $(NOTIFY_OBJ) $(GROUPDB_OBJ) + $(NOTIFY_OBJ) $(GROUPDB_OBJ) $(AUTH_OBJ) NMBD_OBJ1 = nmbd/asyncdns.o nmbd/nmbd.o nmbd/nmbd_become_dmb.o \ @@ -342,7 +345,7 @@ SMBFILTER_OBJ = utils/smbfilter.o $(LIBSMB_OBJ) $(PARAM_OBJ) \ PROTO_OBJ = $(SMBD_OBJ) $(NMBD_OBJ) $(SWAT_OBJ) $(CLIENT_OBJ) \ $(SMBWRAPPER_OBJ) $(SMBTORTURE_OBJ) $(RPCCLIENT_OBJ1) \ - $(LIBMSRPC_OBJ) $(RPC_CLIENT_OBJ) + $(LIBMSRPC_OBJ) $(RPC_CLIENT_OBJ) $(AUTH_OBJ) NSS_OBJ_0 = nsswitch/wins.o $(PARAM_OBJ) $(UBIQX_OBJ) $(LIBSMB_OBJ) $(LIB_OBJ) $(NSSWINS_OBJ) NSS_OBJ = $(NSS_OBJ_0:.o=.po) @@ -381,9 +384,8 @@ WINBINDD_OBJ1 = \ nsswitch/winbindd_misc.o NECESSARY_BECAUSE_SAMBA_DEPENDENCIES_ARE_SO_BROKEN_OBJ = \ - smbd/password.o smbd/utmp.o smbd/session.o smbd/uid.o smbd/sec_ctx.o \ - rpc_client/cli_netlogon.o rpc_client/cli_login.o \ - smbd/chgpasswd.o + smbd/auth_domain.o \ + rpc_client/cli_netlogon.o rpc_client/cli_login.o WINBINDD_OBJ = \ $(WINBINDD_OBJ1) $(NOPROTO_OBJ) $(PASSDB_OBJ) \ diff --git a/source3/auth/auth.c b/source3/auth/auth.c new file mode 100644 index 0000000000..851e1f53cf --- /dev/null +++ b/source3/auth/auth.c @@ -0,0 +1,275 @@ +/* + Unix SMB/Netbios implementation. + Version 1.9. + Password and authentication handling + Copyright (C) Andrew Tridgell 1992-2000 + Copyright (C) Luke Kenneth Casson Leighton 1996-2000 + Copyright (C) Andrew Bartlett 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +extern int DEBUGLEVEL; + +extern pstring global_myname; + + +/**************************************************************************** +update the encrypted smbpasswd file from the plaintext username and password + +this ugly hack needs to die, but not quite yet... +*****************************************************************************/ +static BOOL update_smbpassword_file(char *user, char *password) +{ + SAM_ACCOUNT *sampass = NULL; + BOOL ret; + + pdb_init_sam(&sampass); + + become_root(); + ret = pdb_getsampwnam(sampass, user); + unbecome_root(); + + if(ret == False) { + DEBUG(0,("pdb_getsampwnam returned NULL\n")); + pdb_free_sam(sampass); + return False; + } + + /* + * Remove the account disabled flag - we are updating the + * users password from a login. + */ + pdb_set_acct_ctrl(sampass, pdb_get_acct_ctrl(sampass) & ~ACB_DISABLED); + + /* Here, the flag is one, because we want to ignore the + XXXXXXX'd out password */ + ret = change_oem_password( sampass, password, True); + if (ret == False) { + DEBUG(3,("change_oem_password returned False\n")); + } + + pdb_free_sam(sampass); + return ret; +} + +/**************************************************************************** + Check user is in correct domain if required +****************************************************************************/ + +static BOOL check_domain_match(char *user, char *domain) +{ + /* + * If we aren't serving to trusted domains, we must make sure that + * the validation request comes from an account in the same domain + * as the Samba server + */ + + if (!lp_allow_trusted_domains() && + !strequal(lp_workgroup(), domain) ) { + DEBUG(1, ("check_domain_match: Attempt to connect as user %s from domain %s denied.\n", user, domain)); + return False; + } else { + return True; + } +} + + +uint32 check_password(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +{ + + uint32 nt_status = NT_STATUS_LOGON_FAILURE; + + DEBUG(3, ("check_password: Checking password for user %s with the new password interface\n", user_info->smb_username.str)); + if (check_hosts_equiv(user_info->smb_username.str)) { + nt_status = NT_STATUS_NOPROBLEMO; + } + + if (!check_domain_match(user_info->smb_username.str, user_info->domain.str)) { + return NT_STATUS_LOGON_FAILURE; + } + + if ((lp_security() == SEC_DOMAIN) && (nt_status != NT_STATUS_NOPROBLEMO)) { + nt_status = check_domain_security(user_info, server_info); + } + + if ((lp_security() == SEC_SERVER) && (nt_status != NT_STATUS_NOPROBLEMO)) { + nt_status = check_server_security(user_info, server_info); + } + + if (lp_security() >= SEC_SERVER) { + smb_user_control(user_info->smb_username.str, nt_status); + } + + if ((nt_status != NT_STATUS_NOPROBLEMO) + && (user_info->plaintext_password.len > 0) + && (!lp_plaintext_to_smbpasswd())) { + return (pass_check(user_info->smb_username.str, + user_info->plaintext_password.str, + user_info->plaintext_password.len, + lp_update_encrypted() ? + update_smbpassword_file : NULL) + ? NT_STATUS_NOPROBLEMO : NT_STATUS_LOGON_FAILURE); + } + + if (nt_status != NT_STATUS_NOPROBLEMO) { + nt_status = check_smbpasswd_security(user_info, server_info); + } + + if (nt_status == NT_STATUS_NOPROBLEMO) { + nt_status = smb_pam_accountcheck(user_info->smb_username.str); + } + + if (nt_status == NT_STATUS_NOPROBLEMO) { + DEBUG(5, ("check_password: Password for user %s suceeded\n", user_info->smb_username.str)); + } else { + DEBUG(3, ("check_password: Password for user %s FAILED with error %d\n", user_info->smb_username.str, nt_status)); + } + return nt_status; + +} + +/**************************************************************************** + COMPATABILITY INTERFACES: + ***************************************************************************/ + +/**************************************************************************** +check if a username/password is OK assuming the password is a 24 byte +SMB hash +return True if the password is correct, False otherwise +****************************************************************************/ + +uint32 pass_check_smb_with_chal(char *user, char *domain, uchar chal[8], + uchar *lm_pwd, int lm_pwd_len, + uchar *nt_pwd, int nt_pwd_len) +{ + + auth_usersupplied_info user_info; + auth_serversupplied_info server_info; + AUTH_STR ourdomain, theirdomain, smb_username, wksta_name; + + ZERO_STRUCT(user_info); + ZERO_STRUCT(ourdomain); + ZERO_STRUCT(theirdomain); + ZERO_STRUCT(smb_username); + ZERO_STRUCT(wksta_name); + + ourdomain.str = lp_workgroup(); + ourdomain.len = strlen(ourdomain.str); + + theirdomain.str = domain; + theirdomain.len = strlen(theirdomain.str); + + user_info.requested_domain = theirdomain; + user_info.domain = ourdomain; + + smb_username.str = user; + smb_username.len = strlen(smb_username.str); + + user_info.requested_username = smb_username; /* For the time-being */ + user_info.smb_username = smb_username; + + user_info.wksta_name.str = client_name(); + user_info.wksta_name.len = strlen(client_name()); + + user_info.wksta_name = wksta_name; + + memcpy(user_info.chal, chal, 8); + + if (lm_pwd_len >= 24 || (lp_encrypted_passwords() && (lm_pwd_len == 0) && lp_null_passwords())) { + /* if 24 bytes long assume it is an encrypted password */ + + user_info.lm_resp.buffer = (uint8 *)lm_pwd; + user_info.lm_resp.len = lm_pwd_len; + user_info.nt_resp.buffer = (uint8 *)nt_pwd; + user_info.nt_resp.len = nt_pwd_len; + + } else { + unsigned char local_lm_response[24]; + unsigned char local_nt_response[24]; + + /* + * Not encrypted - do so. + */ + + DEBUG(5,("pass_check_smb: User passwords not in encrypted format.\n")); + + if (lm_pwd_len > 0) { + SMBencrypt( (uchar *)lm_pwd, user_info.chal, local_lm_response); + user_info.lm_resp.buffer = (uint8 *)local_lm_response; + user_info.lm_resp.len = 24; + + /* This encrypts the lm_pwd feild, which actualy contains the password + rather than the nt_pwd field becouse that contains nothing */ + SMBNTencrypt((uchar *)lm_pwd, user_info.chal, local_nt_response); + user_info.nt_resp.buffer = (uint8 *)local_nt_response; + user_info.nt_resp.len = 24; + } + + user_info.plaintext_password.str = lm_pwd; + user_info.plaintext_password.len = lm_pwd_len; + + } + + return check_password(&user_info, &server_info); +} + +uint32 pass_check_smb(char *user, char *domain, + uchar *lm_pwd, int lm_pwd_len, + uchar *nt_pwd, int nt_pwd_len) +{ + uchar chal[8]; + + if (!last_challenge(chal)) { + generate_random_buffer( chal, 8, False); + } + + return pass_check_smb_with_chal(user, domain, chal, + lm_pwd, lm_pwd_len, + nt_pwd, nt_pwd_len); + +} + +/**************************************************************************** +check if a username/password pair is OK either via the system password +database or the encrypted SMB password database +return True if the password is correct, False otherwise +****************************************************************************/ +BOOL password_ok(char *user, char *password, int pwlen) +{ + + /* + * This hack must die! But until I rewrite the rest of samba + * it must stay - abartlet 2001-08-03 + */ + + if ((pwlen == 0) && !lp_null_passwords()) { + DEBUG(4,("Null passwords not allowed.\n")); + return False; + } + + if (pass_check_smb(user, lp_workgroup(), NULL, 0, password, pwlen) == NT_STATUS_NOPROBLEMO) { + return True; + } + + if (pass_check_smb(user, lp_workgroup(), password, pwlen, NULL, 0) == NT_STATUS_NOPROBLEMO) { + return True; + } + + return False; +} + diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c new file mode 100644 index 0000000000..4bf0a05d7f --- /dev/null +++ b/source3/auth/auth_domain.c @@ -0,0 +1,417 @@ +/* + Unix SMB/Netbios implementation. + Version 1.9. + Authenticate against a remote domain + Copyright (C) Andrew Tridgell 1992-1998 + Copyright (C) Andrew Bartlett 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +extern int DEBUGLEVEL; +extern struct in_addr ipzero; + +BOOL global_machine_password_needs_changing = False; + +extern pstring global_myname; + +/*********************************************************************** + Connect to a remote machine for domain security authentication + given a name or IP address. + ***********************************************************************/ + +static BOOL connect_to_domain_password_server(struct cli_state *pcli, + char *server, unsigned char *trust_passwd) +{ + struct in_addr dest_ip; + fstring remote_machine; + + if(cli_initialise(pcli) == NULL) { + DEBUG(0,("connect_to_domain_password_server: unable to initialize client connection.\n")); + return False; + } + + if (is_ipaddress(server)) { + struct in_addr to_ip; + + /* we shouldn't have 255.255.255.255 forthe IP address of + a password server anyways */ + if ((to_ip.s_addr=inet_addr(server)) == 0xFFFFFFFF) { + DEBUG (0,("connect_to_domain_password_server: inet_addr(%s) returned 0xFFFFFFFF!\n", server)); + return False; + } + + if (!name_status_find(0x20, to_ip, remote_machine)) { + DEBUG(0, ("connect_to_domain_password_server: Can't " + "resolve name for IP %s\n", server)); + return False; + } + } else { + fstrcpy(remote_machine, server); + } + + standard_sub_basic(remote_machine); + strupper(remote_machine); + + if(!resolve_name( remote_machine, &dest_ip, 0x20)) { + DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", remote_machine)); + cli_shutdown(pcli); + return False; + } + + if (ismyip(dest_ip)) { + DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n", + remote_machine)); + cli_shutdown(pcli); + return False; + } + + if (!cli_connect(pcli, remote_machine, &dest_ip)) { + DEBUG(0,("connect_to_domain_password_server: unable to connect to SMB server on \ +machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + cli_shutdown(pcli); + return False; + } + + if (!attempt_netbios_session_request(pcli, global_myname, remote_machine, &dest_ip)) { + DEBUG(0,("connect_to_password_server: machine %s rejected the NetBIOS \ +session request. Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + return False; + } + + pcli->protocol = PROTOCOL_NT1; + + if (!cli_negprot(pcli)) { + DEBUG(0,("connect_to_domain_password_server: machine %s rejected the negotiate protocol. \ +Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + cli_shutdown(pcli); + return False; + } + + if (pcli->protocol != PROTOCOL_NT1) { + DEBUG(0,("connect_to_domain_password_server: machine %s didn't negotiate NT protocol.\n", + remote_machine)); + cli_shutdown(pcli); + return False; + } + + /* + * Do an anonymous session setup. + */ + + if (!cli_session_setup(pcli, "", "", 0, "", 0, "")) { + DEBUG(0,("connect_to_domain_password_server: machine %s rejected the session setup. \ +Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + cli_shutdown(pcli); + return False; + } + + if (!(pcli->sec_mode & 1)) { + DEBUG(1,("connect_to_domain_password_server: machine %s isn't in user level security mode\n", + remote_machine)); + cli_shutdown(pcli); + return False; + } + + if (!cli_send_tconX(pcli, "IPC$", "IPC", "", 1)) { + DEBUG(0,("connect_to_domain_password_server: machine %s rejected the tconX on the IPC$ share. \ +Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + cli_shutdown(pcli); + return False; + } + + /* + * We now have an anonymous connection to IPC$ on the domain password server. + */ + + /* + * Even if the connect succeeds we need to setup the netlogon + * pipe here. We do this as we may just have changed the domain + * account password on the PDC and yet we may be talking to + * a BDC that doesn't have this replicated yet. In this case + * a successful connect to a DC needs to take the netlogon connect + * into account also. This patch from "Bjart Kvarme" <bjart.kvarme@usit.uio.no>. + */ + + if(cli_nt_session_open(pcli, PIPE_NETLOGON) == False) { + DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ +machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli))); + cli_nt_session_close(pcli); + cli_ulogoff(pcli); + cli_shutdown(pcli); + return False; + } + + if (cli_nt_setup_creds(pcli, trust_passwd) == False) { + DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ +%s. Error was : %s.\n", remote_machine, cli_errstr(pcli))); + cli_nt_session_close(pcli); + cli_ulogoff(pcli); + cli_shutdown(pcli); + return(False); + } + + return True; +} + +/*********************************************************************** + Utility function to attempt a connection to an IP address of a DC. +************************************************************************/ + +static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, + unsigned char *trust_passwd) +{ + fstring dc_name; + + /* + * Ignore addresses we have already tried. + */ + + if (ip_equal(ipzero, *ip)) + return False; + + if (!lookup_pdc_name(global_myname, lp_workgroup(), ip, dc_name)) + return False; + + return connect_to_domain_password_server(pcli, dc_name, trust_passwd); +} + +/*********************************************************************** + We have been asked to dynamcially determine the IP addresses of + the PDC and BDC's for this DOMAIN, and query them in turn. +************************************************************************/ +static BOOL find_connect_pdc(struct cli_state *pcli, + unsigned char *trust_passwd, + time_t last_change_time) +{ + struct in_addr *ip_list = NULL; + int count = 0; + int i; + BOOL connected_ok = False; + time_t time_now = time(NULL); + BOOL use_pdc_only = False; + + /* + * If the time the machine password has changed + * was less than an hour ago then we need to contact + * the PDC only, as we cannot be sure domain replication + * has yet taken place. Bug found by Gerald (way to go + * Gerald !). JRA. + */ + + if (time_now - last_change_time < 3600) + use_pdc_only = True; + + if (!get_dc_list(use_pdc_only, lp_workgroup(), &ip_list, &count)) + return False; + + /* + * Firstly try and contact a PDC/BDC who has the same + * network address as any of our interfaces. + */ + for(i = 0; i < count; i++) { + if(!is_local_net(ip_list[i])) + continue; + + if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + break; + + ip_list[i] = ipzero; /* Tried and failed. */ + } + + /* + * Secondly try and contact a random PDC/BDC. + */ + if(!connected_ok) { + i = (sys_random() % count); + + if (!(connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + ip_list[i] = ipzero; /* Tried and failed. */ + } + + /* + * Finally go through the IP list in turn, ignoring any addresses + * we have already tried. + */ + if(!connected_ok) { + /* + * Try and connect to any of the other IP addresses in the PDC/BDC list. + * Note that from a WINS server the #1 IP address is the PDC. + */ + for(i = 0; i < count; i++) { + if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + break; + } + } + + if(ip_list != NULL) + free((char *)ip_list); + + + return connected_ok; +} + +/*********************************************************************** + Do the same as security=server, but using NT Domain calls and a session + key from the machine password. If the server parameter is specified + use it, otherwise figure out a server from the 'password server' param. +************************************************************************/ + +uint32 domain_client_validate(const auth_usersupplied_info *user_info, + auth_serversupplied_info *server_info, + char *server) +{ + unsigned char trust_passwd[16]; + fstring remote_machine; + char *p, *pserver; + NET_ID_INFO_CTR ctr; + NET_USER_INFO_3 info3; + struct cli_state cli; + uint32 smb_uid_low; + BOOL connected_ok = False; + time_t last_change_time; + uint32 nt_status; + + /* + * Check that the requested domain is not our own machine name. + * If it is, we should never check the PDC here, we use our own local + * password file. + */ + + if(strequal(user_info->domain.str, global_myname)) { + DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n")); + return NT_STATUS_LOGON_FAILURE; + } + + /* + * Get the machine account password for our primary domain + */ + if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, &last_change_time)) + { + DEBUG(0, ("domain_client_validate: could not fetch trust account password for domain %s\n", lp_workgroup())); + return NT_STATUS_LOGON_FAILURE; + } + + /* Test if machine password is expired and need to be changed */ + if (time(NULL) > last_change_time + lp_machine_password_timeout()) + { + global_machine_password_needs_changing = True; + } + + /* + * At this point, smb_apasswd points to the lanman response to + * the challenge in local_challenge, and smb_ntpasswd points to + * the NT response to the challenge in local_challenge. Ship + * these over the secure channel to a domain controller and + * see if they were valid. + */ + + ZERO_STRUCT(cli); + + /* + * Treat each name in the 'password server =' line as a potential + * PDC/BDC. Contact each in turn and try and authenticate. + */ + + if (server) { + p = server; + } else { + pserver = lp_passwordserver(); + if (! *pserver) pserver = "*"; + p = pserver; + } + + while (!connected_ok && + next_token(&p,remote_machine,LIST_SEP,sizeof(remote_machine))) { + if(strequal(remote_machine, "*")) { + connected_ok = find_connect_pdc(&cli, trust_passwd, last_change_time); + } else { + connected_ok = connect_to_domain_password_server(&cli, remote_machine, trust_passwd); + } + } + + if (!connected_ok) { + DEBUG(0,("domain_client_validate: Domain password server not available.\n")); + cli_shutdown(&cli); + return NT_STATUS_LOGON_FAILURE; + } + + /* We really don't care what LUID we give the user. */ + generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False); + + ZERO_STRUCT(info3); + + cli_nt_login_network(&cli, user_info->domain.str, user_info->smb_username.str, smb_uid_low, user_info->chal, + user_info->lm_resp.buffer, user_info->lm_resp.len, + user_info->nt_resp.buffer, user_info->lm_resp.len, + &ctr, &info3); + + cli_error(&cli, NULL, NULL, &nt_status); + if (nt_status != NT_STATUS_NOPROBLEMO) { + DEBUG(0,("domain_client_validate: unable to validate password for user %s in domain \ +%s to Domain controller %s. Error was %s.\n", user_info->smb_username.str, user_info->domain.str, remote_machine, cli_errstr(&cli))); + } + + /* + * Here, if we really want it, we have lots of info about the user in info3. + */ + +#if 0 + /* + * We don't actually need to do this - plus it fails currently with + * NT_STATUS_INVALID_INFO_CLASS - we need to know *exactly* what to + * send here. JRA. + */ + + if (nt_status == NT_STATUS_NOPROBLMO) { + if(cli_nt_logoff(&cli, &ctr) == False) { + DEBUG(0,("domain_client_validate: unable to log off user %s in domain \ +%s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli))); + nt_status = NT_STATUS_LOGON_FAILURE; + } + } +#endif /* 0 */ + + /* Note - once the cli stream is shutdown the mem_ctx used + to allocate the other_sids and gids structures has been deleted - so + these pointers are no longer valid..... */ + + cli_nt_session_close(&cli); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return nt_status; +} + +/**************************************************************************** + Check for a valid username and password in security=domain mode. +****************************************************************************/ + +uint32 check_domain_security(const auth_usersupplied_info *user_info, + auth_serversupplied_info *server_info) +{ + uint32 nt_status = NT_STATUS_LOGON_FAILURE; + + if(lp_security() != SEC_DOMAIN) + return NT_STATUS_LOGON_FAILURE; + + nt_status = domain_client_validate(user_info, server_info, NULL); + + return nt_status; +} + + + diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c new file mode 100644 index 0000000000..c1bee6247c --- /dev/null +++ b/source3/auth/auth_rhosts.c @@ -0,0 +1,165 @@ +/* + Unix SMB/Netbios implementation. + Version 1.9. + Main SMB reply routines + Copyright (C) Andrew Tridgell 1992-1998 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +extern int DEBUGLEVEL; + + +/**************************************************************************** + Read the a hosts.equiv or .rhosts file and check if it + allows this user from this machine. +****************************************************************************/ + +static BOOL check_user_equiv(char *user, char *remote, char *equiv_file) +{ + int plus_allowed = 1; + char *file_host; + char *file_user; + char **lines = file_lines_load(equiv_file, NULL); + int i; + + DEBUG(5, ("check_user_equiv %s %s %s\n", user, remote, equiv_file)); + if (! lines) return False; + for (i=0; lines[i]; i++) { + char *buf = lines[i]; + trim_string(buf," "," "); + + if (buf[0] != '#' && buf[0] != '\n') + { + BOOL is_group = False; + int plus = 1; + char *bp = buf; + if (strcmp(buf, "NO_PLUS\n") == 0) + { + DEBUG(6, ("check_user_equiv NO_PLUS\n")); + plus_allowed = 0; + } + else { + if (buf[0] == '+') + { + bp++; + if (*bp == '\n' && plus_allowed) + { + /* a bare plus means everbody allowed */ + DEBUG(6, ("check_user_equiv everybody allowed\n")); + file_lines_free(lines); + return True; + } + } + else if (buf[0] == '-') + { + bp++; + plus = 0; + } + if (*bp == '@') + { + is_group = True; + bp++; + } + file_host = strtok(bp, " \t\n"); + file_user = strtok(NULL, " \t\n"); + DEBUG(7, ("check_user_equiv %s %s\n", file_host ? file_host : "(null)", + file_user ? file_user : "(null)" )); + if (file_host && *file_host) + { + BOOL host_ok = False; + +#if defined(HAVE_NETGROUP) && defined(HAVE_YP_GET_DEFAULT_DOMAIN) + if (is_group) + { + static char *mydomain = NULL; + if (!mydomain) + yp_get_default_domain(&mydomain); + if (mydomain && innetgr(file_host,remote,user,mydomain)) + host_ok = True; + } +#else + if (is_group) + { + DEBUG(1,("Netgroups not configured\n")); + continue; + } +#endif + + /* is it this host */ + /* the fact that remote has come from a call of gethostbyaddr + * means that it may have the fully qualified domain name + * so we could look up the file version to get it into + * a canonical form, but I would rather just type it + * in full in the equiv file + */ + if (!host_ok && !is_group && strequal(remote, file_host)) + host_ok = True; + + if (!host_ok) + continue; + + /* is it this user */ + if (file_user == 0 || strequal(user, file_user)) + { + DEBUG(5, ("check_user_equiv matched %s%s %s\n", + (plus ? "+" : "-"), file_host, + (file_user ? file_user : ""))); + file_lines_free(lines); + return (plus ? True : False); + } + } + } + } + } + file_lines_free(lines); + return False; +} + + +/**************************************************************************** +check for a possible hosts equiv or rhosts entry for the user +****************************************************************************/ +BOOL check_hosts_equiv(char *user) +{ + char *fname = NULL; + pstring rhostsfile; + struct passwd *pass = Get_Pwnam(user,True); + + if (!pass) + return(False); + + fname = lp_hosts_equiv(); + + /* note: don't allow hosts.equiv on root */ + if (fname && *fname && (pass->pw_uid != 0)) { + if (check_user_equiv(user,client_name(),fname)) + return(True); + } + + if (lp_use_rhosts()) + { + char *home = get_user_home_dir(user); + if (home) { + slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home); + if (check_user_equiv(user,client_name(),rhostsfile)) + return(True); + } + } + + return(False); +} diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c new file mode 100644 index 0000000000..ce0b03d942 --- /dev/null +++ b/source3/auth/auth_sam.c @@ -0,0 +1,229 @@ +/* + Unix SMB/Netbios implementation. + Version 1.9. + Password and authentication handling + Copyright (C) Andrew Tridgell 1992-2000 + Copyright (C) Luke Kenneth Casson Leighton 1996-2000 + Copyright (C) Andrew Bartlett 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +extern int DEBUGLEVEL; + +/**************************************************************************** +core of smb password checking routine. +****************************************************************************/ +static BOOL smb_pwd_check_ntlmv1(const uchar *password, + const uchar *part_passwd, + const uchar *c8, + uchar user_sess_key[16]) +{ + /* Finish the encryption of part_passwd. */ + uchar p24[24]; + + if (part_passwd == NULL) { + DEBUG(10,("No password set - DISALLOWING access\n")); + /* No password set - always false ! */ + return False; + } + + SMBOWFencrypt(part_passwd, c8, p24); + if (user_sess_key != NULL) + { + SMBsesskeygen_ntv1(part_passwd, NULL, user_sess_key); + } + + + +#if DEBUG_PASSWORD + DEBUG(100,("Part password (P16) was |")); + dump_data(100, part_passwd, 16); + DEBUG(100,("Password from client was |")); + dump_data(100, password, 24); + DEBUG(100,("Given challenge was |")); + dump_data(100, c8, 8); + DEBUG(100,("Value from encryption was |")); + dump_data(100, p24, 24); +#endif + return (memcmp(p24, password, 24) == 0); +} + +/**************************************************************************** +core of smb password checking routine. +****************************************************************************/ +static BOOL smb_pwd_check_ntlmv2(const uchar *password, size_t pwd_len, + uchar *part_passwd, + uchar const *c8, + const char *user, const char *domain, + char *user_sess_key) +{ + /* Finish the encryption of part_passwd. */ + uchar kr[16]; + uchar resp[16]; + + if (part_passwd == NULL) + { + DEBUG(10,("No password set - DISALLOWING access\n")); + /* No password set - always False */ + return False; + } + + ntv2_owf_gen(part_passwd, user, domain, kr); + SMBOWFencrypt_ntv2(kr, c8, 8, password+16, pwd_len-16, resp); + if (user_sess_key != NULL) + { + SMBsesskeygen_ntv2(kr, resp, user_sess_key); + } + +#if DEBUG_PASSWORD + DEBUG(100,("Part password (P16) was |")); + dump_data(100, part_passwd, 16); + DEBUG(100,("Password from client was |")); + dump_data(100, password, pwd_len); + DEBUG(100,("Given challenge was |")); + dump_data(100, c8, 8); + DEBUG(100,("Value from encryption was |")); + dump_data(100, resp, 16); +#endif + + return (memcmp(resp, password, 16) == 0); +} + + +/**************************************************************************** + Do a specific test for an smb password being correct, given a smb_password and + the lanman and NT responses. +****************************************************************************/ +uint32 smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +{ + uint8 *nt_pw, *lm_pw; + + /* Quit if the account was disabled. */ + if(pdb_get_acct_ctrl(sampass) & ACB_DISABLED) { + DEBUG(1,("Account for user '%s' was disabled.\n", user_info->smb_username.str)); + return(NT_STATUS_ACCOUNT_DISABLED); + } + + if (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ) + { + if (lp_null_passwords()) + { + DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", user_info->smb_username.str)); + return(NT_STATUS_NOPROBLEMO); + } + else + { + DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", user_info->smb_username.str)); + return(NT_STATUS_LOGON_FAILURE); + } + } + + if (!user_info || !sampass) + return(NT_STATUS_LOGON_FAILURE); + + DEBUG(4,("smb_password_ok: Checking SMB password for user %s\n",user_info->smb_username.str)); + + nt_pw = pdb_get_nt_passwd(sampass); + + if (nt_pw != NULL) { + if ((user_info->nt_resp.len > 24 )) { + /* We have the NT MD4 hash challenge available - see if we can + use it (ie. does it exist in the smbpasswd file). + */ + DEBUG(4,("smb_password_ok: Checking NTLMv2 password\n")); + if (smb_pwd_check_ntlmv2( user_info->nt_resp.buffer, + user_info->nt_resp.len, + nt_pw, + user_info->chal, user_info->requested_username.str, + user_info->requested_domain.str, + server_info->session_key)) + { + return NT_STATUS_NOPROBLEMO; + } + DEBUG(4,("smb_password_ok: NT MD4 password check failed\n")); + + } else if (lp_ntlm_auth() && (user_info->nt_resp.len == 24 )) { + /* We have the NT MD4 hash challenge available - see if we can + use it (ie. does it exist in the smbpasswd file). + */ + DEBUG(4,("smb_password_ok: Checking NT MD4 password\n")); + if (smb_pwd_check_ntlmv1(user_info->nt_resp.buffer, + nt_pw, user_info->chal, + server_info->session_key)) { + DEBUG(4,("smb_password_ok: NT MD4 password check succeeded\n")); + return NT_STATUS_NOPROBLEMO; + } else { + DEBUG(4,("smb_password_ok: NT MD4 password check failed\n")); + return NT_STATUS_WRONG_PASSWORD; + } + } + } + + lm_pw = pdb_get_lanman_passwd(sampass); + + if(lp_lanman_auth() && (lm_pw != NULL) && (user_info->lm_resp.len == 24 )) { + DEBUG(4,("smb_password_ok: Checking LM password\n")); + if (smb_pwd_check_ntlmv1(user_info->lm_resp.buffer, + lm_pw, user_info->chal, + server_info->session_key)) { + DEBUG(4,("smb_password_ok: LM password check succeeded\n")); + return NT_STATUS_NOPROBLEMO; + } else { + DEBUG(4,("smb_password_ok: LM password check failed\n")); + return NT_STATUS_WRONG_PASSWORD; + } + } + + return NT_STATUS_LOGON_FAILURE; +} + + +/**************************************************************************** +check if a username/password is OK assuming the password is a 24 byte +SMB hash +return True if the password is correct, False otherwise +****************************************************************************/ + +uint32 check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +{ + SAM_ACCOUNT *sampass=NULL; + BOOL ret; + uint32 nt_status; + + pdb_init_sam(&sampass); + + /* get the account information */ + ret = pdb_getsampwnam(sampass, user_info->smb_username.str); + if (ret == False) + { + DEBUG(1,("Couldn't find user '%s' in passdb file.\n", user_info->smb_username.str)); + pdb_free_sam(sampass); + return(NT_STATUS_NO_SUCH_USER); + } + + if ((nt_status = smb_password_ok(sampass, user_info, server_info)) != NT_STATUS_NOPROBLEMO) + { + pdb_free_sam(sampass); + return(nt_status); + } + + pdb_free_sam(sampass); + return nt_status; +} + + diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c new file mode 100644 index 0000000000..dc1d924b3c --- /dev/null +++ b/source3/auth/auth_server.c @@ -0,0 +1,244 @@ +/* + Unix SMB/Netbios implementation. + Version 1.9. + Authenticate to a remote server + Copyright (C) Andrew Tridgell 1992-1998 + Copyright (C) Andrew Bartlett 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +extern int DEBUGLEVEL; + +extern pstring global_myname; + +/**************************************************************************** + Return the client state structure. +****************************************************************************/ + +struct cli_state *server_client(void) +{ + static struct cli_state pw_cli; + return &pw_cli; +} + +/**************************************************************************** + Support for server level security. +****************************************************************************/ + +struct cli_state *server_cryptkey(void) +{ + struct cli_state *cli; + fstring desthost; + struct in_addr dest_ip; + char *p, *pserver; + BOOL connected_ok = False; + + cli = server_client(); + + if (!cli_initialise(cli)) + return NULL; + + pserver = strdup(lp_passwordserver()); + p = pserver; + + while(next_token( &p, desthost, LIST_SEP, sizeof(desthost))) { + standard_sub_basic(desthost); + strupper(desthost); + + if(!resolve_name( desthost, &dest_ip, 0x20)) { + DEBUG(1,("server_cryptkey: Can't resolve address for %s\n",desthost)); + continue; + } + + if (ismyip(dest_ip)) { + DEBUG(1,("Password server loop - disabling password server %s\n",desthost)); + continue; + } + + if (cli_connect(cli, desthost, &dest_ip)) { + DEBUG(3,("connected to password server %s\n",desthost)); + connected_ok = True; + break; + } + } + + free(pserver); + + if (!connected_ok) { + DEBUG(0,("password server not available\n")); + cli_shutdown(cli); + return NULL; + } + + if (!attempt_netbios_session_request(cli, global_myname, desthost, &dest_ip)) + return NULL; + + DEBUG(3,("got session\n")); + + if (!cli_negprot(cli)) { + DEBUG(1,("%s rejected the negprot\n",desthost)); + cli_shutdown(cli); + return NULL; + } + + if (cli->protocol < PROTOCOL_LANMAN2 || + !(cli->sec_mode & 1)) { + DEBUG(1,("%s isn't in user level security mode\n",desthost)); + cli_shutdown(cli); + return NULL; + } + + DEBUG(3,("password server OK\n")); + + return cli; +} + + +/**************************************************************************** + Validate a password with the password server. +****************************************************************************/ + +static uint32 server_validate(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +{ + struct cli_state *cli; + static unsigned char badpass[24]; + static fstring baduser; + static BOOL tested_password_server = False; + static BOOL bad_password_server = False; + uint32 nt_status = NT_STATUS_LOGON_FAILURE; + + cli = server_client(); + + if (!cli->initialised) { + DEBUG(1,("password server %s is not connected\n", cli->desthost)); + return(NT_STATUS_LOGON_FAILURE); + } + + if(badpass[0] == 0) + memset(badpass, 0x1f, sizeof(badpass)); + + if((user_info->nt_resp.len == sizeof(badpass)) && + !memcmp(badpass, user_info->nt_resp.buffer, sizeof(badpass))) { + /* + * Very unlikely, our random bad password is the same as the users + * password. + */ + memset(badpass, badpass[0]+1, sizeof(badpass)); + } + + if(baduser[0] == 0) { + fstrcpy(baduser, INVALID_USER_PREFIX); + fstrcat(baduser, global_myname); + } + + /* + * Attempt a session setup with a totally incorrect password. + * If this succeeds with the guest bit *NOT* set then the password + * server is broken and is not correctly setting the guest bit. We + * need to detect this as some versions of NT4.x are broken. JRA. + */ + + /* I sure as hell hope that there arn't servers out there that take + * NTLMv2 and have this bug, as we don't test for that... + * - abartlet@samba.org + */ + + if(!tested_password_server) { + if (cli_session_setup(cli, baduser, (char *)badpass, sizeof(badpass), + (char *)badpass, sizeof(badpass), user_info->domain.str)) { + + /* + * We connected to the password server so we + * can say we've tested it. + */ + tested_password_server = True; + + if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) { + DEBUG(0,("server_validate: password server %s allows users as non-guest \ +with a bad password.\n", cli->desthost)); + DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \ +use this machine as the password server.\n")); + cli_ulogoff(cli); + + /* + * Password server has the bug. + */ + bad_password_server = True; + return NT_STATUS_LOGON_FAILURE; + } + cli_ulogoff(cli); + } + } else { + + /* + * We have already tested the password server. + * Fail immediately if it has the bug. + */ + + if(bad_password_server) { + DEBUG(0,("server_validate: [1] password server %s allows users as non-guest \ +with a bad password.\n", cli->desthost)); + DEBUG(0,("server_validate: [1] This is broken (and insecure) behaviour. Please do not \ +use this machine as the password server.\n")); + return NT_STATUS_LOGON_FAILURE; + } + } + + /* + * Now we know the password server will correctly set the guest bit, or is + * not guest enabled, we can try with the real password. + */ + + if (!cli_session_setup(cli, user_info->smb_username.str, + user_info->lm_resp.buffer, + user_info->lm_resp.len, + user_info->nt_resp.buffer, + user_info->nt_resp.len, + user_info->domain.str)) { + DEBUG(1,("password server %s rejected the password\n", cli->desthost)); + nt_status = NT_STATUS_LOGON_FAILURE; + } else { + nt_status = NT_STATUS_NOPROBLEMO; + } + + /* if logged in as guest then reject */ + if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) { + DEBUG(1,("password server %s gave us guest only\n", cli->desthost)); + nt_status = NT_STATUS_LOGON_FAILURE; + } + + cli_ulogoff(cli); + + return(nt_status); +} + +/**************************************************************************** + Check for a valid username and password in security=server mode. +****************************************************************************/ + +uint32 check_server_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +{ + + if(lp_security() != SEC_SERVER) + return NT_STATUS_LOGON_FAILURE; + + return server_validate(user_info, server_info); + +} + + diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c new file mode 100644 index 0000000000..1c12a4322d --- /dev/null +++ b/source3/auth/auth_util.c @@ -0,0 +1,141 @@ +/* + Unix SMB/Netbios implementation. + Version 1.9. + Authentication utility functions + Copyright (C) Andrew Tridgell 1992-1998 + Copyright (C) Andrew Bartlett 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ +#include "includes.h" + +extern int DEBUGLEVEL; + +/* Data to do lanman1/2 password challenge. */ +static unsigned char saved_challenge[8]; +static BOOL challenge_sent=False; + +/******************************************************************* +Get the next challenge value - no repeats. +********************************************************************/ +void generate_next_challenge(char *challenge) +{ + unsigned char buf[8]; + + generate_random_buffer(buf,8,False); + memcpy(saved_challenge, buf, 8); + memcpy(challenge,buf,8); + challenge_sent = True; +} + +/******************************************************************* +set the last challenge sent, usually from a password server +********************************************************************/ +BOOL set_challenge(unsigned char *challenge) +{ + memcpy(saved_challenge,challenge,8); + challenge_sent = True; + return(True); +} + +/******************************************************************* +get the last challenge sent +********************************************************************/ +BOOL last_challenge(unsigned char *challenge) +{ + if (!challenge_sent) return(False); + memcpy(challenge,saved_challenge,8); + return(True); +} + + +/**************************************************************************** + Create a UNIX user on demand. +****************************************************************************/ + +static int smb_create_user(char *unix_user, char *homedir) +{ + pstring add_script; + int ret; + + pstrcpy(add_script, lp_adduser_script()); + if (! *add_script) return -1; + all_string_sub(add_script, "%u", unix_user, sizeof(pstring)); + if (homedir) + all_string_sub(add_script, "%H", homedir, sizeof(pstring)); + ret = smbrun(add_script,NULL); + DEBUG(3,("smb_create_user: Running the command `%s' gave %d\n",add_script,ret)); + return ret; +} + +/**************************************************************************** + Delete a UNIX user on demand. +****************************************************************************/ + +static int smb_delete_user(char *unix_user) +{ + pstring del_script; + int ret; + + pstrcpy(del_script, lp_deluser_script()); + if (! *del_script) return -1; + all_string_sub(del_script, "%u", unix_user, sizeof(pstring)); + ret = smbrun(del_script,NULL); + DEBUG(3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret)); + return ret; +} + +/**************************************************************************** + Add and Delete UNIX users on demand, based on NT_STATUS codes. +****************************************************************************/ + +void smb_user_control(char *unix_user, uint32 nt_status) +{ + struct passwd *pwd=NULL; + + if(nt_status == NT_STATUS_NOPROBLEMO) { + /* + * User validated ok against Domain controller. + * If the admin wants us to try and create a UNIX + * user on the fly, do so. + */ + if(lp_adduser_script() && !(pwd = smb_getpwnam(unix_user,True))) + smb_create_user(unix_user, NULL); + + if(lp_adduser_script() && pwd) { + SMB_STRUCT_STAT st; + + /* + * Also call smb_create_user if the users home directory + * doesn't exist. Used with winbindd to allow the script to + * create the home directory for a user mapped with winbindd. + */ + + if (pwd->pw_dir && (sys_stat(pwd->pw_dir, &st) == -1) && (errno == ENOENT)) + smb_create_user(unix_user, pwd->pw_dir); + } + + } else if (nt_status == NT_STATUS_NO_SUCH_USER) { + /* + * User failed to validate ok against Domain controller. + * If the failure was "user doesn't exist" and admin + * wants us to try and delete that UNIX user on the fly, + * do so. + */ + if(lp_deluser_script() && smb_getpwnam(unix_user,True)) + smb_delete_user(unix_user); + } + +} diff --git a/source3/include/auth.h b/source3/include/auth.h new file mode 100644 index 0000000000..b81f80eca5 --- /dev/null +++ b/source3/include/auth.h @@ -0,0 +1,95 @@ +/* + Unix SMB/Netbios implementation. + Version 2.2 + Standardised Authentication types + Copyright (C) Andrew Bartlett 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +/* AUTH_STR - string */ +typedef struct normal_string +{ + int len; + char *str; +} AUTH_STR; + +/* AUTH_UNISTR - unicode string or buffer */ +typedef struct unicode_string +{ + int len; + uchar *unistr; +} AUTH_UNISTR; + +/* AUTH_BUFFER - 8-bit byte buffer */ +typedef struct auth_buffer +{ + int len; + uint8 *buffer; +} AUTH_BUFFER; + +typedef struct net_password +{ + AUTH_BUFFER lm_resp; + AUTH_BUFFER nt_resp; +} auth_net_password; + +typedef struct interactive_password +{ + OWF_INFO lm_owf; /* LM OWF Password */ + OWF_INFO nt_owf; /* NT OWF Password */ +} auth_interactive_password; + +typedef struct plaintext_password +{ + AUTH_STR password; +} auth_plaintext_password; + +typedef struct usersupplied_info +{ + + AUTH_BUFFER lm_resp; + AUTH_BUFFER nt_resp; + auth_interactive_password * interactive_password; + AUTH_STR plaintext_password; + + uint8 chal[8]; + + AUTH_STR requested_domain; /* domain name unicode string */ + AUTH_STR domain; /* domain name after mapping */ + AUTH_STR requested_username; + AUTH_STR smb_username; /* user name unicode string (after mapping) */ + AUTH_STR wksta_name; /* workstation name (netbios calling name) unicode string */ + +} auth_usersupplied_info; + +typedef struct serversupplied_info +{ + AUTH_STR full_name; + AUTH_STR unix_user; + + BOOL guest; + + uid_t unix_uid; + gid_t unix_gid; + + /* This groups info is needed for when we become_user() for this uid */ + int n_groups; + gid_t *groups; + + uchar session_key[16]; + +} auth_serversupplied_info; + diff --git a/source3/include/includes.h b/source3/include/includes.h index 2caeb255bd..63bcb1192e 100644 --- a/source3/include/includes.h +++ b/source3/include/includes.h @@ -666,6 +666,8 @@ extern int errno; #include "md5.h" #include "hmacmd5.h" +#include "auth.h" + #ifndef MAXCODEPAGELINES #define MAXCODEPAGELINES 256 #endif diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 0cbc3166c8..558f418d94 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -23,6 +23,8 @@ #include "winbindd.h" +extern pstring global_myname; + /* Copy of parse_domain_user from winbindd_util.c. Parse a string of the form DOMAIN/user into a domain and a user */ @@ -50,10 +52,17 @@ static void parse_domain_user(char *domuser, fstring domain, fstring user) enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) { - BOOL result, user_exists; + BOOL result; fstring name_domain, name_user; int passlen; + unsigned char local_lm_response[24]; + unsigned char local_nt_response[24]; + + auth_usersupplied_info user_info; + auth_serversupplied_info server_info; + AUTH_STR theirdomain, smb_username, wksta_name; + DEBUG(3, ("[%5d]: pam auth %s\n", state->pid, state->request.data.auth.user)); @@ -68,17 +77,48 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) return WINBINDD_ERROR; passlen = strlen(state->request.data.auth.pass); - + + ZERO_STRUCT(user_info); + ZERO_STRUCT(theirdomain); + ZERO_STRUCT(smb_username); + ZERO_STRUCT(wksta_name); + + theirdomain.str = name_domain; + theirdomain.len = strlen(theirdomain.str); + + user_info.requested_domain = theirdomain; + user_info.domain = theirdomain; + + user_info.smb_username.str = name_user; + user_info.smb_username.len = strlen(name_user); + + user_info.requested_username.str = name_user; + user_info.requested_username.len = strlen(name_user); + + user_info.wksta_name.str = global_myname; + user_info.wksta_name.len = strlen(user_info.wksta_name.str); + + user_info.wksta_name = wksta_name; + + generate_random_buffer( user_info.chal, 8, False); + + if (state->request.data.auth.pass) { + SMBencrypt((uchar *)state->request.data.auth.pass, user_info.chal, local_lm_response); + user_info.lm_resp.buffer = (uint8 *)local_lm_response; + user_info.lm_resp.len = 24; + SMBNTencrypt((uchar *)state->request.data.auth.pass, user_info.chal, local_nt_response); + user_info.nt_resp.buffer = (uint8 *)local_nt_response; + user_info.nt_resp.len = 24; + } else { + return WINBINDD_ERROR; + } + /* So domain_client_validate() actually opens a new connection for each authentication performed. This can theoretically be optimised to use an already open IPC$ connection. */ - result = domain_client_validate(name_user, name_domain, - state->request.data.auth.pass, - passlen, - state->request.data.auth.pass, - passlen, &user_exists, - server_state.controller); + result = (domain_client_validate(&user_info, &server_info, + server_state.controller) == NT_STATUS_NOPROBLEMO); return result ? WINBINDD_OK : WINBINDD_ERROR; } diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index c4073569a3..3fdb884a51 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -252,6 +252,8 @@ typedef struct BOOL bAllowTrustedDomains; BOOL bRestrictAnonymous; BOOL bLanmanAuth; + BOOL bNTLMAuth; + BOOL bPlaintextToSmbpasswd; BOOL bDebugHiresTimestamp; BOOL bDebugPid; BOOL bDebugUid; @@ -676,6 +678,8 @@ static struct parm_struct parm_table[] = { {"unix password sync", P_BOOL, P_GLOBAL, &Globals.bUnixPasswdSync, NULL, NULL, 0}, {"restrict anonymous", P_BOOL, P_GLOBAL, &Globals.bRestrictAnonymous, NULL, NULL, 0}, {"lanman auth", P_BOOL, P_GLOBAL, &Globals.bLanmanAuth, NULL, NULL, 0}, + {"ntlm auth", P_BOOL, P_GLOBAL, &Globals.bNTLMAuth, NULL, NULL, 0}, + {"plaintext to smbpasswd", P_BOOL, P_GLOBAL, &Globals.bPlaintextToSmbpasswd, NULL, NULL, 0}, {"use rhosts", P_BOOL, P_GLOBAL, &Globals.bUseRhosts, NULL, NULL, 0}, {"username", P_STRING, P_LOCAL, &sDefault.szUsername, NULL, NULL, FLAG_GLOBAL | FLAG_SHARE}, @@ -1265,6 +1269,8 @@ static void init_globals(void) Globals.bStatCache = True; /* use stat cache by default */ Globals.bRestrictAnonymous = False; Globals.bLanmanAuth = True; /* Do use the LanMan hash if it is available */ + Globals.bNTLMAuth = True; /* Do use NTLMv1 if it is available (otherwise NTLMv2) */ + Globals.bPlaintextToSmbpasswd = False; /* Check the passwords with smbpasswd, even if in plaintext */ Globals.map_to_guest = 0; /* By Default, "Never" */ Globals.min_passwd_length = MINPASSWDLENGTH; /* By Default, 5. */ Globals.oplock_break_wait_time = 0; /* By Default, 0 msecs. */ @@ -1540,6 +1546,8 @@ FN_GLOBAL_BOOL(lp_stat_cache, &Globals.bStatCache) FN_GLOBAL_BOOL(lp_allow_trusted_domains, &Globals.bAllowTrustedDomains) FN_GLOBAL_BOOL(lp_restrict_anonymous, &Globals.bRestrictAnonymous) FN_GLOBAL_BOOL(lp_lanman_auth, &Globals.bLanmanAuth) +FN_GLOBAL_BOOL(lp_ntlm_auth, &Globals.bNTLMAuth) +FN_GLOBAL_BOOL(lp_plaintext_to_smbpasswd, &Globals.bPlaintextToSmbpasswd) FN_GLOBAL_BOOL(lp_host_msdfs, &Globals.bHostMSDfs) FN_GLOBAL_BOOL(lp_kernel_oplocks, &Globals.bKernelOplocks) FN_GLOBAL_BOOL(lp_enhanced_browsing, &Globals.enhanced_browsing) diff --git a/source3/rpc_client/cli_login.c b/source3/rpc_client/cli_login.c index 3ac4762628..a099936476 100644 --- a/source3/rpc_client/cli_login.c +++ b/source3/rpc_client/cli_login.c @@ -155,9 +155,10 @@ NT login - network. password equivalents over the network. JRA. ****************************************************************************/ -BOOL cli_nt_login_network(struct cli_state *cli, char *domain, char *username, - uint32 smb_userid_low, char lm_chal[8], - char *lm_chal_resp, char *nt_chal_resp, +BOOL cli_nt_login_network(struct cli_state *cli, const char *domain, const char *username, + uint32 smb_userid_low, const uchar lm_chal[8], + const uchar *lm_chal_resp, int lm_chal_resp_len, + const uchar *nt_chal_resp, int nt_chal_resp_len, NET_ID_INFO_CTR *ctr, NET_USER_INFO_3 *user_info3) { DEBUG(5,("cli_nt_login_network: %d\n", __LINE__)); @@ -167,8 +168,9 @@ BOOL cli_nt_login_network(struct cli_state *cli, char *domain, char *username, /* Create the structure needed for SAM logon. */ init_id_info2(&ctr->auth.id2, domain, 0, smb_userid_low, 0, username, cli->clnt_name_slash, - (uchar *)lm_chal, (uchar *)lm_chal_resp, - (uchar *)nt_chal_resp); + lm_chal, + lm_chal_resp, lm_chal_resp_len, + nt_chal_resp, nt_chal_resp_len); /* Send client sam-logon request - update credentials on success. */ return cli_net_sam_logon(cli, ctr, user_info3); diff --git a/source3/rpc_parse/parse_misc.c b/source3/rpc_parse/parse_misc.c index 857f964e31..1a30d3d7a1 100644 --- a/source3/rpc_parse/parse_misc.c +++ b/source3/rpc_parse/parse_misc.c @@ -823,7 +823,7 @@ void copy_unistr2(UNISTR2 *str, UNISTR2 *from) Creates a STRING2 structure. ********************************************************************/ -void init_string2(STRING2 *str, char *buf, int len) +void init_string2(STRING2 *str, const char *buf, int len) { int alloc_len = 0; diff --git a/source3/rpc_parse/parse_net.c b/source3/rpc_parse/parse_net.c index d7253a53fd..7bc277247d 100644 --- a/source3/rpc_parse/parse_net.c +++ b/source3/rpc_parse/parse_net.c @@ -976,20 +976,19 @@ checking for a logon as it doesn't export the password hashes to anyone who has compromised the secure channel. JRA. ********************************************************************/ -void init_id_info2(NET_ID_INFO_2 *id, char *domain_name, - uint32 param_ctrl, uint32 log_id_low, uint32 log_id_high, - char *user_name, char *wksta_name, - unsigned char lm_challenge[8], - unsigned char *lm_chal_resp, - unsigned char *nt_chal_resp) +void init_id_info2(NET_ID_INFO_2 * id, const char *domain_name, + uint32 param_ctrl, + uint32 log_id_low, uint32 log_id_high, + const char *user_name, const char *wksta_name, + const uchar lm_challenge[8], + const uchar * lm_chal_resp, int lm_chal_resp_len, + const uchar * nt_chal_resp, int nt_chal_resp_len) { int len_domain_name = strlen(domain_name); int len_user_name = strlen(user_name ); int len_wksta_name = strlen(wksta_name ); - int nt_chal_resp_len = ((nt_chal_resp != NULL) ? 24 : 0); - int lm_chal_resp_len = ((lm_chal_resp != NULL) ? 24 : 0); unsigned char lm_owf[24]; - unsigned char nt_owf[24]; + unsigned char nt_owf[128]; DEBUG(5,("init_id_info2: %d\n", __LINE__)); @@ -1015,15 +1014,16 @@ void init_id_info2(NET_ID_INFO_2 *id, char *domain_name, } memcpy(id->lm_chal, lm_challenge, sizeof(id->lm_chal)); - init_str_hdr(&id->hdr_nt_chal_resp, 24, nt_chal_resp_len, (nt_chal_resp != NULL) ? 1 : 0); - init_str_hdr(&id->hdr_lm_chal_resp, 24, lm_chal_resp_len, (lm_chal_resp != NULL) ? 1 : 0); + init_str_hdr(&id->hdr_nt_chal_resp, sizeof(lm_owf), nt_chal_resp_len, (nt_chal_resp != NULL) ? 1 : 0); + init_str_hdr(&id->hdr_lm_chal_resp, sizeof(nt_owf), lm_chal_resp_len, (lm_chal_resp != NULL) ? 1 : 0); init_unistr2(&id->uni_domain_name, domain_name, len_domain_name); init_unistr2(&id->uni_user_name, user_name, len_user_name); init_unistr2(&id->uni_wksta_name, wksta_name, len_wksta_name); - init_string2(&id->nt_chal_resp, (char *)nt_chal_resp, nt_chal_resp_len); - init_string2(&id->lm_chal_resp, (char *)lm_chal_resp, lm_chal_resp_len); + init_string2(&id->nt_chal_resp, (const char *)nt_chal_resp, nt_chal_resp_len); + init_string2(&id->lm_chal_resp, (const char *)lm_chal_resp, lm_chal_resp_len); + } /******************************************************************* diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index 14f3e1d211..385fec5862 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c @@ -441,97 +441,138 @@ uint32 _net_sam_logoff(pipes_struct *p, NET_Q_SAM_LOGOFF *q_u, NET_R_SAM_LOGOFF } /************************************************************************* - net_login_interactive: + _net_logon_any: Use the new authentications subsystem to log in. *************************************************************************/ -static uint32 net_login_interactive(NET_ID_INFO_1 *id1, SAM_ACCOUNT *sampass, pipes_struct *p) +static uint32 _net_logon_any(NET_ID_INFO_CTR *ctr, char *user, char *domain, char *sess_key) { - uint32 status = 0x0; - char nt_pwd[16]; - char lm_pwd[16]; - unsigned char key[16]; + uint32 nt_status = NT_STATUS_LOGON_FAILURE; - memset(key, 0, 16); - memcpy(key, p->dc.sess_key, 8); + unsigned char local_lm_response[24]; + unsigned char local_nt_response[24]; - memcpy(lm_pwd, id1->lm_owf.data, 16); - memcpy(nt_pwd, id1->nt_owf.data, 16); + auth_usersupplied_info user_info; + auth_serversupplied_info server_info; + AUTH_STR ourdomain, theirdomain, smb_username, wksta_name; -#ifdef DEBUG_PASSWORD - DEBUG(100,("key:")); - dump_data(100, (char *)key, 16); + DEBUG(5, ("_net_logon_any: entered with user %s and domain %s\n", user, domain)); + + ZERO_STRUCT(user_info); + ZERO_STRUCT(server_info); + ZERO_STRUCT(ourdomain); + ZERO_STRUCT(theirdomain); + ZERO_STRUCT(smb_username); + ZERO_STRUCT(wksta_name); + + ourdomain.str = lp_workgroup(); + ourdomain.len = strlen(ourdomain.str); - DEBUG(100,("lm owf password:")); - dump_data(100, lm_pwd, 16); + theirdomain.str = domain; + theirdomain.len = strlen(theirdomain.str); - DEBUG(100,("nt owf password:")); - dump_data(100, nt_pwd, 16); -#endif + user_info.requested_domain = theirdomain; + user_info.domain = ourdomain; + + smb_username.str = user; + smb_username.len = strlen(smb_username.str); - SamOEMhash((uchar *)lm_pwd, key, 16); - SamOEMhash((uchar *)nt_pwd, key, 16); + user_info.requested_username = smb_username; /* For the time-being */ + user_info.smb_username = smb_username; -#ifdef DEBUG_PASSWORD - DEBUG(100,("decrypt of lm owf password:")); - dump_data(100, lm_pwd, 16); +#if 0 + user_info.wksta_name.str = cleint_name(); + user_info.wksta_name.len = strlen(client_name()); - DEBUG(100,("decrypt of nt owf password:")); - dump_data(100, nt_pwd, 16); + user_info.wksta_name = wksta_name; #endif - if (memcmp(pdb_get_lanman_passwd(sampass), lm_pwd, 16) != 0 || - memcmp(pdb_get_nt_passwd(sampass), nt_pwd, 16) != 0) { - status = NT_STATUS_WRONG_PASSWORD; - } - - return status; -} - -/************************************************************************* - _net_login_network: - *************************************************************************/ - -static uint32 net_login_network(NET_ID_INFO_2 *id2, SAM_ACCOUNT *sampass) -{ - uint8 *nt_pwd, *lanman_pwd; - - DEBUG(5,("net_login_network: lm_len: %d nt_len: %d\n", - id2->hdr_lm_chal_resp.str_str_len, - id2->hdr_nt_chal_resp.str_str_len)); - - /* JRA. Check the NT password first if it exists - this is a higher quality - password, if it exists and it doesn't match - fail. */ + DEBUG(10,("_net_logon_any: Attempting validation level %d.\n", ctr->switch_value)); + switch (ctr->switch_value) { + case NET_LOGON_TYPE: + user_info.lm_resp.buffer = (uint8 *)ctr->auth.id2.lm_chal_resp.buffer; + user_info.lm_resp.len = ctr->auth.id2.lm_chal_resp.str_str_len; + user_info.nt_resp.buffer = (uint8 *)ctr->auth.id2.nt_chal_resp.buffer; + user_info.nt_resp.len = ctr->auth.id2.nt_chal_resp.str_str_len; + memcpy(user_info.chal, ctr->auth.id2.lm_chal, 8); + break; + case INTERACTIVE_LOGON_TYPE: + { + char nt_pwd[16]; + char lm_pwd[16]; + unsigned char key[16]; + + memset(key, 0, 16); + memcpy(key, sess_key, 8); + + memcpy(lm_pwd, ctr->auth.id1.lm_owf.data, 16); + memcpy(nt_pwd, ctr->auth.id1.nt_owf.data, 16); - nt_pwd = pdb_get_nt_passwd(sampass); - lanman_pwd = pdb_get_lanman_passwd(sampass); +#ifdef DEBUG_PASSWORD + DEBUG(100,("key:")); + dump_data(100, (char *)key, 16); + + DEBUG(100,("lm owf password:")); + dump_data(100, lm_pwd, 16); + + DEBUG(100,("nt owf password:")); + dump_data(100, nt_pwd, 16); +#endif + + SamOEMhash((uchar *)lm_pwd, key, 16); + SamOEMhash((uchar *)nt_pwd, key, 16); + +#ifdef DEBUG_PASSWORD + DEBUG(100,("decrypt of lm owf password:")); + dump_data(100, lm_pwd, 16); + + DEBUG(100,("decrypt of nt owf password:")); + dump_data(100, nt_pwd, 16); +#endif - if (id2->hdr_nt_chal_resp.str_str_len == 24 && nt_pwd) { - if(smb_password_check((char *)id2->nt_chal_resp.buffer, - nt_pwd, id2->lm_chal)) - return NT_STATUS_NOPROBLEMO; - else - return NT_STATUS_WRONG_PASSWORD; + generate_random_buffer(user_info.chal, 8, False); + SMBOWFencrypt(lm_pwd, user_info.chal, local_lm_response); + SMBOWFencrypt(nt_pwd, user_info.chal, local_nt_response); + user_info.lm_resp.buffer = (uint8 *)local_lm_response; + user_info.lm_resp.len = 24; + user_info.nt_resp.buffer = (uint8 *)local_nt_response; + user_info.nt_resp.len = 24; + break; } +#if 0 + case GENERAL_LOGON_TYPE: + /* plaintext login. plaintext username and password */ - /* lkclXXXX this is not a good place to put disabling of LM hashes in. - if that is to be done, first move this entire function into a - library routine that calls the two smb_password_check() functions. - if disabling LM hashes (which nt can do for security reasons) then - an attempt should be made to disable them everywhere (which nt does - not do, for various security-hole reasons). - */ + /* + * Not encrypted - do so. + */ + + SMBencrypt( (uchar *)ctr->auth.id4....., user_info.chal, local_lm_response); + SMBNTencrypt((uchar *)ctr->auth.id4......., user_info.chal, local_nt_response); + user_info.lm_resp.buffer = (uint8 *)local_lm_response; + user_info.lm_resp.len = 24; + user_info.nt_resp.buffer = (uint8 *)local_nt_response; + user_info.nt_resp.len = 24; + + user_info.plaintext_password.str = ; + user_info.plaintext_password.len = ; + break; +#endif + default: + DEBUG(2,("SAM Logon: unsupported switch value\n")); + return NT_STATUS_INVALID_INFO_CLASS; + } /* end switch */ + + nt_status = check_password(&user_info, &server_info); - if (id2->hdr_lm_chal_resp.str_str_len == 24 && lanman_pwd && - smb_password_check((char *)id2->lm_chal_resp.buffer, - lanman_pwd, id2->lm_chal)) - return NT_STATUS_NOPROBLEMO; + DEBUG(5, ("_net_logon_any: exited with status %d\n", nt_status)); - /* oops! neither password check succeeded */ + return nt_status; - return NT_STATUS_WRONG_PASSWORD; } + + /************************************************************************* _net_sam_logon *************************************************************************/ @@ -542,11 +583,12 @@ uint32 _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *r_ NET_USER_INFO_3 *usr_info = NULL; DOM_CRED srv_cred; SAM_ACCOUNT *sampass = NULL; - uint16 acct_ctrl; UNISTR2 *uni_samlogon_user = NULL; + UNISTR2 *uni_samlogon_domain = NULL; fstring nt_username; + fstring nt_domain; BOOL ret; - + usr_info = (NET_USER_INFO_3 *)talloc(p->mem_ctx, sizeof(NET_USER_INFO_3)); if (!usr_info) return NT_STATUS_NO_MEMORY; @@ -576,11 +618,13 @@ uint32 _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *r_ switch (q_u->sam_id.logon_level) { case INTERACTIVE_LOGON_TYPE: uni_samlogon_user = &q_u->sam_id.ctr->auth.id1.uni_user_name; + uni_samlogon_domain = &q_u->sam_id.ctr->auth.id1.uni_domain_name; DEBUG(3,("SAM Logon (Interactive). Domain:[%s]. ", lp_workgroup())); break; case NET_LOGON_TYPE: uni_samlogon_user = &q_u->sam_id.ctr->auth.id2.uni_user_name; + uni_samlogon_domain = &q_u->sam_id.ctr->auth.id2.uni_domain_name; DEBUG(3,("SAM Logon (Network). Domain:[%s]. ", lp_workgroup())); break; @@ -592,8 +636,9 @@ uint32 _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *r_ /* check username exists */ rpcstr_pull(nt_username,uni_samlogon_user->buffer,sizeof(nt_username),uni_samlogon_user->uni_str_len*2,0); + rpcstr_pull(nt_domain,uni_samlogon_domain->buffer,sizeof(nt_domain),uni_samlogon_domain->uni_str_len*2,0); - DEBUG(3,("User:[%s]\n", nt_username)); + DEBUG(3,("User:[%s] Requested Domain:[%s]\n", nt_username, nt_domain)); /* * Convert to a UNIX username. @@ -601,6 +646,17 @@ uint32 _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *r_ map_username(nt_username); + DEBUG(10,("Attempting validation level %d for mapped username %s.\n", q_u->sam_id.ctr->switch_value, nt_username)); + + status = _net_logon_any(q_u->sam_id.ctr, nt_username, nt_domain, p->dc.sess_key); + + /* Check account and password */ + + if (status != NT_STATUS_NOPROBLEMO) { + pdb_free_sam(sampass); + return status; + } + pdb_init_sam(&sampass); /* get the account information */ @@ -613,33 +669,6 @@ uint32 _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *r_ return NT_STATUS_NO_SUCH_USER; } - acct_ctrl = pdb_get_acct_ctrl(sampass); - - if (acct_ctrl & ACB_DISABLED) { - pdb_free_sam(sampass); - return NT_STATUS_ACCOUNT_DISABLED; - } - - /* Validate password - if required. */ - - if (!(acct_ctrl & ACB_PWNOTREQ)) { - switch (q_u->sam_id.logon_level) { - case INTERACTIVE_LOGON_TYPE: - /* interactive login. */ - status = net_login_interactive(&q_u->sam_id.ctr->auth.id1, sampass, p); - break; - case NET_LOGON_TYPE: - /* network login. lm challenge and 24 byte responses */ - status = net_login_network(&q_u->sam_id.ctr->auth.id2, sampass); - break; - } - } - - if (status != NT_STATUS_NOPROBLEMO) { - pdb_free_sam(sampass); - return status; - } - /* lkclXXXX this is the point at which, if the login was successful, that the SAM Local Security Authority should record that the user is logged in to the domain. diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index cd17de77f3..277cd13522 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -263,7 +263,9 @@ BOOL create_next_pdu(pipes_struct *p) static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlmssp_resp) { uchar lm_owf[24]; - uchar nt_owf[24]; + uchar nt_owf[128]; + int nt_pw_len; + int lm_pw_len; fstring user_name; fstring pipe_user_name; fstring domain; @@ -307,13 +309,16 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm DEBUG(5,("user: %s domain: %s wks: %s\n", user_name, domain, wks)); + nt_pw_len = MIN(sizeof(nt_owf), ntlmssp_resp->hdr_nt_resp.str_str_len); + lm_pw_len = MIN(sizeof(lm_owf), ntlmssp_resp->hdr_lm_resp.str_str_len); + memcpy(lm_owf, ntlmssp_resp->lm_resp, sizeof(lm_owf)); - memcpy(nt_owf, ntlmssp_resp->nt_resp, sizeof(nt_owf)); + memcpy(nt_owf, ntlmssp_resp->nt_resp, nt_pw_len); #ifdef DEBUG_PASSWORD DEBUG(100,("lm, nt owfs, chal\n")); dump_data(100, (char *)lm_owf, sizeof(lm_owf)); - dump_data(100, (char *)nt_owf, sizeof(nt_owf)); + dump_data(100, (char *)nt_owf, nt_pw_len); dump_data(100, (char *)p->challenge, 8); #endif @@ -362,8 +367,11 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm become_root(); - if(!(p->ntlmssp_auth_validated = pass_check_smb(pipe_user_name, domain, - (uchar*)p->challenge, lm_owf, nt_owf))) { + if(!(p->ntlmssp_auth_validated = + pass_check_smb_with_chal(pipe_user_name, domain, + (uchar*)p->challenge, + lm_owf, lm_pw_len, + nt_owf, nt_pw_len) == NT_STATUS_NOPROBLEMO)) { DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \ failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name )); unbecome_root(); diff --git a/source3/smbd/auth.c b/source3/smbd/auth.c new file mode 100644 index 0000000000..851e1f53cf --- /dev/null +++ b/source3/smbd/auth.c @@ -0,0 +1,275 @@ +/* + Unix SMB/Netbios implementation. + Version 1.9. + Password and authentication handling + Copyright (C) Andrew Tridgell 1992-2000 + Copyright (C) Luke Kenneth Casson Leighton 1996-2000 + Copyright (C) Andrew Bartlett 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +extern int DEBUGLEVEL; + +extern pstring global_myname; + + +/**************************************************************************** +update the encrypted smbpasswd file from the plaintext username and password + +this ugly hack needs to die, but not quite yet... +*****************************************************************************/ +static BOOL update_smbpassword_file(char *user, char *password) +{ + SAM_ACCOUNT *sampass = NULL; + BOOL ret; + + pdb_init_sam(&sampass); + + become_root(); + ret = pdb_getsampwnam(sampass, user); + unbecome_root(); + + if(ret == False) { + DEBUG(0,("pdb_getsampwnam returned NULL\n")); + pdb_free_sam(sampass); + return False; + } + + /* + * Remove the account disabled flag - we are updating the + * users password from a login. + */ + pdb_set_acct_ctrl(sampass, pdb_get_acct_ctrl(sampass) & ~ACB_DISABLED); + + /* Here, the flag is one, because we want to ignore the + XXXXXXX'd out password */ + ret = change_oem_password( sampass, password, True); + if (ret == False) { + DEBUG(3,("change_oem_password returned False\n")); + } + + pdb_free_sam(sampass); + return ret; +} + +/**************************************************************************** + Check user is in correct domain if required +****************************************************************************/ + +static BOOL check_domain_match(char *user, char *domain) +{ + /* + * If we aren't serving to trusted domains, we must make sure that + * the validation request comes from an account in the same domain + * as the Samba server + */ + + if (!lp_allow_trusted_domains() && + !strequal(lp_workgroup(), domain) ) { + DEBUG(1, ("check_domain_match: Attempt to connect as user %s from domain %s denied.\n", user, domain)); + return False; + } else { + return True; + } +} + + +uint32 check_password(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +{ + + uint32 nt_status = NT_STATUS_LOGON_FAILURE; + + DEBUG(3, ("check_password: Checking password for user %s with the new password interface\n", user_info->smb_username.str)); + if (check_hosts_equiv(user_info->smb_username.str)) { + nt_status = NT_STATUS_NOPROBLEMO; + } + + if (!check_domain_match(user_info->smb_username.str, user_info->domain.str)) { + return NT_STATUS_LOGON_FAILURE; + } + + if ((lp_security() == SEC_DOMAIN) && (nt_status != NT_STATUS_NOPROBLEMO)) { + nt_status = check_domain_security(user_info, server_info); + } + + if ((lp_security() == SEC_SERVER) && (nt_status != NT_STATUS_NOPROBLEMO)) { + nt_status = check_server_security(user_info, server_info); + } + + if (lp_security() >= SEC_SERVER) { + smb_user_control(user_info->smb_username.str, nt_status); + } + + if ((nt_status != NT_STATUS_NOPROBLEMO) + && (user_info->plaintext_password.len > 0) + && (!lp_plaintext_to_smbpasswd())) { + return (pass_check(user_info->smb_username.str, + user_info->plaintext_password.str, + user_info->plaintext_password.len, + lp_update_encrypted() ? + update_smbpassword_file : NULL) + ? NT_STATUS_NOPROBLEMO : NT_STATUS_LOGON_FAILURE); + } + + if (nt_status != NT_STATUS_NOPROBLEMO) { + nt_status = check_smbpasswd_security(user_info, server_info); + } + + if (nt_status == NT_STATUS_NOPROBLEMO) { + nt_status = smb_pam_accountcheck(user_info->smb_username.str); + } + + if (nt_status == NT_STATUS_NOPROBLEMO) { + DEBUG(5, ("check_password: Password for user %s suceeded\n", user_info->smb_username.str)); + } else { + DEBUG(3, ("check_password: Password for user %s FAILED with error %d\n", user_info->smb_username.str, nt_status)); + } + return nt_status; + +} + +/**************************************************************************** + COMPATABILITY INTERFACES: + ***************************************************************************/ + +/**************************************************************************** +check if a username/password is OK assuming the password is a 24 byte +SMB hash +return True if the password is correct, False otherwise +****************************************************************************/ + +uint32 pass_check_smb_with_chal(char *user, char *domain, uchar chal[8], + uchar *lm_pwd, int lm_pwd_len, + uchar *nt_pwd, int nt_pwd_len) +{ + + auth_usersupplied_info user_info; + auth_serversupplied_info server_info; + AUTH_STR ourdomain, theirdomain, smb_username, wksta_name; + + ZERO_STRUCT(user_info); + ZERO_STRUCT(ourdomain); + ZERO_STRUCT(theirdomain); + ZERO_STRUCT(smb_username); + ZERO_STRUCT(wksta_name); + + ourdomain.str = lp_workgroup(); + ourdomain.len = strlen(ourdomain.str); + + theirdomain.str = domain; + theirdomain.len = strlen(theirdomain.str); + + user_info.requested_domain = theirdomain; + user_info.domain = ourdomain; + + smb_username.str = user; + smb_username.len = strlen(smb_username.str); + + user_info.requested_username = smb_username; /* For the time-being */ + user_info.smb_username = smb_username; + + user_info.wksta_name.str = client_name(); + user_info.wksta_name.len = strlen(client_name()); + + user_info.wksta_name = wksta_name; + + memcpy(user_info.chal, chal, 8); + + if (lm_pwd_len >= 24 || (lp_encrypted_passwords() && (lm_pwd_len == 0) && lp_null_passwords())) { + /* if 24 bytes long assume it is an encrypted password */ + + user_info.lm_resp.buffer = (uint8 *)lm_pwd; + user_info.lm_resp.len = lm_pwd_len; + user_info.nt_resp.buffer = (uint8 *)nt_pwd; + user_info.nt_resp.len = nt_pwd_len; + + } else { + unsigned char local_lm_response[24]; + unsigned char local_nt_response[24]; + + /* + * Not encrypted - do so. + */ + + DEBUG(5,("pass_check_smb: User passwords not in encrypted format.\n")); + + if (lm_pwd_len > 0) { + SMBencrypt( (uchar *)lm_pwd, user_info.chal, local_lm_response); + user_info.lm_resp.buffer = (uint8 *)local_lm_response; + user_info.lm_resp.len = 24; + + /* This encrypts the lm_pwd feild, which actualy contains the password + rather than the nt_pwd field becouse that contains nothing */ + SMBNTencrypt((uchar *)lm_pwd, user_info.chal, local_nt_response); + user_info.nt_resp.buffer = (uint8 *)local_nt_response; + user_info.nt_resp.len = 24; + } + + user_info.plaintext_password.str = lm_pwd; + user_info.plaintext_password.len = lm_pwd_len; + + } + + return check_password(&user_info, &server_info); +} + +uint32 pass_check_smb(char *user, char *domain, + uchar *lm_pwd, int lm_pwd_len, + uchar *nt_pwd, int nt_pwd_len) +{ + uchar chal[8]; + + if (!last_challenge(chal)) { + generate_random_buffer( chal, 8, False); + } + + return pass_check_smb_with_chal(user, domain, chal, + lm_pwd, lm_pwd_len, + nt_pwd, nt_pwd_len); + +} + +/**************************************************************************** +check if a username/password pair is OK either via the system password +database or the encrypted SMB password database +return True if the password is correct, False otherwise +****************************************************************************/ +BOOL password_ok(char *user, char *password, int pwlen) +{ + + /* + * This hack must die! But until I rewrite the rest of samba + * it must stay - abartlet 2001-08-03 + */ + + if ((pwlen == 0) && !lp_null_passwords()) { + DEBUG(4,("Null passwords not allowed.\n")); + return False; + } + + if (pass_check_smb(user, lp_workgroup(), NULL, 0, password, pwlen) == NT_STATUS_NOPROBLEMO) { + return True; + } + + if (pass_check_smb(user, lp_workgroup(), password, pwlen, NULL, 0) == NT_STATUS_NOPROBLEMO) { + return True; + } + + return False; +} + diff --git a/source3/smbd/auth_domain.c b/source3/smbd/auth_domain.c new file mode 100644 index 0000000000..4bf0a05d7f --- /dev/null +++ b/source3/smbd/auth_domain.c @@ -0,0 +1,417 @@ +/* + Unix SMB/Netbios implementation. + Version 1.9. + Authenticate against a remote domain + Copyright (C) Andrew Tridgell 1992-1998 + Copyright (C) Andrew Bartlett 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +extern int DEBUGLEVEL; +extern struct in_addr ipzero; + +BOOL global_machine_password_needs_changing = False; + +extern pstring global_myname; + +/*********************************************************************** + Connect to a remote machine for domain security authentication + given a name or IP address. + ***********************************************************************/ + +static BOOL connect_to_domain_password_server(struct cli_state *pcli, + char *server, unsigned char *trust_passwd) +{ + struct in_addr dest_ip; + fstring remote_machine; + + if(cli_initialise(pcli) == NULL) { + DEBUG(0,("connect_to_domain_password_server: unable to initialize client connection.\n")); + return False; + } + + if (is_ipaddress(server)) { + struct in_addr to_ip; + + /* we shouldn't have 255.255.255.255 forthe IP address of + a password server anyways */ + if ((to_ip.s_addr=inet_addr(server)) == 0xFFFFFFFF) { + DEBUG (0,("connect_to_domain_password_server: inet_addr(%s) returned 0xFFFFFFFF!\n", server)); + return False; + } + + if (!name_status_find(0x20, to_ip, remote_machine)) { + DEBUG(0, ("connect_to_domain_password_server: Can't " + "resolve name for IP %s\n", server)); + return False; + } + } else { + fstrcpy(remote_machine, server); + } + + standard_sub_basic(remote_machine); + strupper(remote_machine); + + if(!resolve_name( remote_machine, &dest_ip, 0x20)) { + DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", remote_machine)); + cli_shutdown(pcli); + return False; + } + + if (ismyip(dest_ip)) { + DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n", + remote_machine)); + cli_shutdown(pcli); + return False; + } + + if (!cli_connect(pcli, remote_machine, &dest_ip)) { + DEBUG(0,("connect_to_domain_password_server: unable to connect to SMB server on \ +machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + cli_shutdown(pcli); + return False; + } + + if (!attempt_netbios_session_request(pcli, global_myname, remote_machine, &dest_ip)) { + DEBUG(0,("connect_to_password_server: machine %s rejected the NetBIOS \ +session request. Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + return False; + } + + pcli->protocol = PROTOCOL_NT1; + + if (!cli_negprot(pcli)) { + DEBUG(0,("connect_to_domain_password_server: machine %s rejected the negotiate protocol. \ +Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + cli_shutdown(pcli); + return False; + } + + if (pcli->protocol != PROTOCOL_NT1) { + DEBUG(0,("connect_to_domain_password_server: machine %s didn't negotiate NT protocol.\n", + remote_machine)); + cli_shutdown(pcli); + return False; + } + + /* + * Do an anonymous session setup. + */ + + if (!cli_session_setup(pcli, "", "", 0, "", 0, "")) { + DEBUG(0,("connect_to_domain_password_server: machine %s rejected the session setup. \ +Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + cli_shutdown(pcli); + return False; + } + + if (!(pcli->sec_mode & 1)) { + DEBUG(1,("connect_to_domain_password_server: machine %s isn't in user level security mode\n", + remote_machine)); + cli_shutdown(pcli); + return False; + } + + if (!cli_send_tconX(pcli, "IPC$", "IPC", "", 1)) { + DEBUG(0,("connect_to_domain_password_server: machine %s rejected the tconX on the IPC$ share. \ +Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + cli_shutdown(pcli); + return False; + } + + /* + * We now have an anonymous connection to IPC$ on the domain password server. + */ + + /* + * Even if the connect succeeds we need to setup the netlogon + * pipe here. We do this as we may just have changed the domain + * account password on the PDC and yet we may be talking to + * a BDC that doesn't have this replicated yet. In this case + * a successful connect to a DC needs to take the netlogon connect + * into account also. This patch from "Bjart Kvarme" <bjart.kvarme@usit.uio.no>. + */ + + if(cli_nt_session_open(pcli, PIPE_NETLOGON) == False) { + DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ +machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli))); + cli_nt_session_close(pcli); + cli_ulogoff(pcli); + cli_shutdown(pcli); + return False; + } + + if (cli_nt_setup_creds(pcli, trust_passwd) == False) { + DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ +%s. Error was : %s.\n", remote_machine, cli_errstr(pcli))); + cli_nt_session_close(pcli); + cli_ulogoff(pcli); + cli_shutdown(pcli); + return(False); + } + + return True; +} + +/*********************************************************************** + Utility function to attempt a connection to an IP address of a DC. +************************************************************************/ + +static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, + unsigned char *trust_passwd) +{ + fstring dc_name; + + /* + * Ignore addresses we have already tried. + */ + + if (ip_equal(ipzero, *ip)) + return False; + + if (!lookup_pdc_name(global_myname, lp_workgroup(), ip, dc_name)) + return False; + + return connect_to_domain_password_server(pcli, dc_name, trust_passwd); +} + +/*********************************************************************** + We have been asked to dynamcially determine the IP addresses of + the PDC and BDC's for this DOMAIN, and query them in turn. +************************************************************************/ +static BOOL find_connect_pdc(struct cli_state *pcli, + unsigned char *trust_passwd, + time_t last_change_time) +{ + struct in_addr *ip_list = NULL; + int count = 0; + int i; + BOOL connected_ok = False; + time_t time_now = time(NULL); + BOOL use_pdc_only = False; + + /* + * If the time the machine password has changed + * was less than an hour ago then we need to contact + * the PDC only, as we cannot be sure domain replication + * has yet taken place. Bug found by Gerald (way to go + * Gerald !). JRA. + */ + + if (time_now - last_change_time < 3600) + use_pdc_only = True; + + if (!get_dc_list(use_pdc_only, lp_workgroup(), &ip_list, &count)) + return False; + + /* + * Firstly try and contact a PDC/BDC who has the same + * network address as any of our interfaces. + */ + for(i = 0; i < count; i++) { + if(!is_local_net(ip_list[i])) + continue; + + if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + break; + + ip_list[i] = ipzero; /* Tried and failed. */ + } + + /* + * Secondly try and contact a random PDC/BDC. + */ + if(!connected_ok) { + i = (sys_random() % count); + + if (!(connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + ip_list[i] = ipzero; /* Tried and failed. */ + } + + /* + * Finally go through the IP list in turn, ignoring any addresses + * we have already tried. + */ + if(!connected_ok) { + /* + * Try and connect to any of the other IP addresses in the PDC/BDC list. + * Note that from a WINS server the #1 IP address is the PDC. + */ + for(i = 0; i < count; i++) { + if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + break; + } + } + + if(ip_list != NULL) + free((char *)ip_list); + + + return connected_ok; +} + +/*********************************************************************** + Do the same as security=server, but using NT Domain calls and a session + key from the machine password. If the server parameter is specified + use it, otherwise figure out a server from the 'password server' param. +************************************************************************/ + +uint32 domain_client_validate(const auth_usersupplied_info *user_info, + auth_serversupplied_info *server_info, + char *server) +{ + unsigned char trust_passwd[16]; + fstring remote_machine; + char *p, *pserver; + NET_ID_INFO_CTR ctr; + NET_USER_INFO_3 info3; + struct cli_state cli; + uint32 smb_uid_low; + BOOL connected_ok = False; + time_t last_change_time; + uint32 nt_status; + + /* + * Check that the requested domain is not our own machine name. + * If it is, we should never check the PDC here, we use our own local + * password file. + */ + + if(strequal(user_info->domain.str, global_myname)) { + DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n")); + return NT_STATUS_LOGON_FAILURE; + } + + /* + * Get the machine account password for our primary domain + */ + if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, &last_change_time)) + { + DEBUG(0, ("domain_client_validate: could not fetch trust account password for domain %s\n", lp_workgroup())); + return NT_STATUS_LOGON_FAILURE; + } + + /* Test if machine password is expired and need to be changed */ + if (time(NULL) > last_change_time + lp_machine_password_timeout()) + { + global_machine_password_needs_changing = True; + } + + /* + * At this point, smb_apasswd points to the lanman response to + * the challenge in local_challenge, and smb_ntpasswd points to + * the NT response to the challenge in local_challenge. Ship + * these over the secure channel to a domain controller and + * see if they were valid. + */ + + ZERO_STRUCT(cli); + + /* + * Treat each name in the 'password server =' line as a potential + * PDC/BDC. Contact each in turn and try and authenticate. + */ + + if (server) { + p = server; + } else { + pserver = lp_passwordserver(); + if (! *pserver) pserver = "*"; + p = pserver; + } + + while (!connected_ok && + next_token(&p,remote_machine,LIST_SEP,sizeof(remote_machine))) { + if(strequal(remote_machine, "*")) { + connected_ok = find_connect_pdc(&cli, trust_passwd, last_change_time); + } else { + connected_ok = connect_to_domain_password_server(&cli, remote_machine, trust_passwd); + } + } + + if (!connected_ok) { + DEBUG(0,("domain_client_validate: Domain password server not available.\n")); + cli_shutdown(&cli); + return NT_STATUS_LOGON_FAILURE; + } + + /* We really don't care what LUID we give the user. */ + generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False); + + ZERO_STRUCT(info3); + + cli_nt_login_network(&cli, user_info->domain.str, user_info->smb_username.str, smb_uid_low, user_info->chal, + user_info->lm_resp.buffer, user_info->lm_resp.len, + user_info->nt_resp.buffer, user_info->lm_resp.len, + &ctr, &info3); + + cli_error(&cli, NULL, NULL, &nt_status); + if (nt_status != NT_STATUS_NOPROBLEMO) { + DEBUG(0,("domain_client_validate: unable to validate password for user %s in domain \ +%s to Domain controller %s. Error was %s.\n", user_info->smb_username.str, user_info->domain.str, remote_machine, cli_errstr(&cli))); + } + + /* + * Here, if we really want it, we have lots of info about the user in info3. + */ + +#if 0 + /* + * We don't actually need to do this - plus it fails currently with + * NT_STATUS_INVALID_INFO_CLASS - we need to know *exactly* what to + * send here. JRA. + */ + + if (nt_status == NT_STATUS_NOPROBLMO) { + if(cli_nt_logoff(&cli, &ctr) == False) { + DEBUG(0,("domain_client_validate: unable to log off user %s in domain \ +%s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli))); + nt_status = NT_STATUS_LOGON_FAILURE; + } + } +#endif /* 0 */ + + /* Note - once the cli stream is shutdown the mem_ctx used + to allocate the other_sids and gids structures has been deleted - so + these pointers are no longer valid..... */ + + cli_nt_session_close(&cli); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return nt_status; +} + +/**************************************************************************** + Check for a valid username and password in security=domain mode. +****************************************************************************/ + +uint32 check_domain_security(const auth_usersupplied_info *user_info, + auth_serversupplied_info *server_info) +{ + uint32 nt_status = NT_STATUS_LOGON_FAILURE; + + if(lp_security() != SEC_DOMAIN) + return NT_STATUS_LOGON_FAILURE; + + nt_status = domain_client_validate(user_info, server_info, NULL); + + return nt_status; +} + + + diff --git a/source3/smbd/auth_rhosts.c b/source3/smbd/auth_rhosts.c new file mode 100644 index 0000000000..c1bee6247c --- /dev/null +++ b/source3/smbd/auth_rhosts.c @@ -0,0 +1,165 @@ +/* + Unix SMB/Netbios implementation. + Version 1.9. + Main SMB reply routines + Copyright (C) Andrew Tridgell 1992-1998 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +extern int DEBUGLEVEL; + + +/**************************************************************************** + Read the a hosts.equiv or .rhosts file and check if it + allows this user from this machine. +****************************************************************************/ + +static BOOL check_user_equiv(char *user, char *remote, char *equiv_file) +{ + int plus_allowed = 1; + char *file_host; + char *file_user; + char **lines = file_lines_load(equiv_file, NULL); + int i; + + DEBUG(5, ("check_user_equiv %s %s %s\n", user, remote, equiv_file)); + if (! lines) return False; + for (i=0; lines[i]; i++) { + char *buf = lines[i]; + trim_string(buf," "," "); + + if (buf[0] != '#' && buf[0] != '\n') + { + BOOL is_group = False; + int plus = 1; + char *bp = buf; + if (strcmp(buf, "NO_PLUS\n") == 0) + { + DEBUG(6, ("check_user_equiv NO_PLUS\n")); + plus_allowed = 0; + } + else { + if (buf[0] == '+') + { + bp++; + if (*bp == '\n' && plus_allowed) + { + /* a bare plus means everbody allowed */ + DEBUG(6, ("check_user_equiv everybody allowed\n")); + file_lines_free(lines); + return True; + } + } + else if (buf[0] == '-') + { + bp++; + plus = 0; + } + if (*bp == '@') + { + is_group = True; + bp++; + } + file_host = strtok(bp, " \t\n"); + file_user = strtok(NULL, " \t\n"); + DEBUG(7, ("check_user_equiv %s %s\n", file_host ? file_host : "(null)", + file_user ? file_user : "(null)" )); + if (file_host && *file_host) + { + BOOL host_ok = False; + +#if defined(HAVE_NETGROUP) && defined(HAVE_YP_GET_DEFAULT_DOMAIN) + if (is_group) + { + static char *mydomain = NULL; + if (!mydomain) + yp_get_default_domain(&mydomain); + if (mydomain && innetgr(file_host,remote,user,mydomain)) + host_ok = True; + } +#else + if (is_group) + { + DEBUG(1,("Netgroups not configured\n")); + continue; + } +#endif + + /* is it this host */ + /* the fact that remote has come from a call of gethostbyaddr + * means that it may have the fully qualified domain name + * so we could look up the file version to get it into + * a canonical form, but I would rather just type it + * in full in the equiv file + */ + if (!host_ok && !is_group && strequal(remote, file_host)) + host_ok = True; + + if (!host_ok) + continue; + + /* is it this user */ + if (file_user == 0 || strequal(user, file_user)) + { + DEBUG(5, ("check_user_equiv matched %s%s %s\n", + (plus ? "+" : "-"), file_host, + (file_user ? file_user : ""))); + file_lines_free(lines); + return (plus ? True : False); + } + } + } + } + } + file_lines_free(lines); + return False; +} + + +/**************************************************************************** +check for a possible hosts equiv or rhosts entry for the user +****************************************************************************/ +BOOL check_hosts_equiv(char *user) +{ + char *fname = NULL; + pstring rhostsfile; + struct passwd *pass = Get_Pwnam(user,True); + + if (!pass) + return(False); + + fname = lp_hosts_equiv(); + + /* note: don't allow hosts.equiv on root */ + if (fname && *fname && (pass->pw_uid != 0)) { + if (check_user_equiv(user,client_name(),fname)) + return(True); + } + + if (lp_use_rhosts()) + { + char *home = get_user_home_dir(user); + if (home) { + slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home); + if (check_user_equiv(user,client_name(),rhostsfile)) + return(True); + } + } + + return(False); +} diff --git a/source3/smbd/auth_server.c b/source3/smbd/auth_server.c new file mode 100644 index 0000000000..dc1d924b3c --- /dev/null +++ b/source3/smbd/auth_server.c @@ -0,0 +1,244 @@ +/* + Unix SMB/Netbios implementation. + Version 1.9. + Authenticate to a remote server + Copyright (C) Andrew Tridgell 1992-1998 + Copyright (C) Andrew Bartlett 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +extern int DEBUGLEVEL; + +extern pstring global_myname; + +/**************************************************************************** + Return the client state structure. +****************************************************************************/ + +struct cli_state *server_client(void) +{ + static struct cli_state pw_cli; + return &pw_cli; +} + +/**************************************************************************** + Support for server level security. +****************************************************************************/ + +struct cli_state *server_cryptkey(void) +{ + struct cli_state *cli; + fstring desthost; + struct in_addr dest_ip; + char *p, *pserver; + BOOL connected_ok = False; + + cli = server_client(); + + if (!cli_initialise(cli)) + return NULL; + + pserver = strdup(lp_passwordserver()); + p = pserver; + + while(next_token( &p, desthost, LIST_SEP, sizeof(desthost))) { + standard_sub_basic(desthost); + strupper(desthost); + + if(!resolve_name( desthost, &dest_ip, 0x20)) { + DEBUG(1,("server_cryptkey: Can't resolve address for %s\n",desthost)); + continue; + } + + if (ismyip(dest_ip)) { + DEBUG(1,("Password server loop - disabling password server %s\n",desthost)); + continue; + } + + if (cli_connect(cli, desthost, &dest_ip)) { + DEBUG(3,("connected to password server %s\n",desthost)); + connected_ok = True; + break; + } + } + + free(pserver); + + if (!connected_ok) { + DEBUG(0,("password server not available\n")); + cli_shutdown(cli); + return NULL; + } + + if (!attempt_netbios_session_request(cli, global_myname, desthost, &dest_ip)) + return NULL; + + DEBUG(3,("got session\n")); + + if (!cli_negprot(cli)) { + DEBUG(1,("%s rejected the negprot\n",desthost)); + cli_shutdown(cli); + return NULL; + } + + if (cli->protocol < PROTOCOL_LANMAN2 || + !(cli->sec_mode & 1)) { + DEBUG(1,("%s isn't in user level security mode\n",desthost)); + cli_shutdown(cli); + return NULL; + } + + DEBUG(3,("password server OK\n")); + + return cli; +} + + +/**************************************************************************** + Validate a password with the password server. +****************************************************************************/ + +static uint32 server_validate(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +{ + struct cli_state *cli; + static unsigned char badpass[24]; + static fstring baduser; + static BOOL tested_password_server = False; + static BOOL bad_password_server = False; + uint32 nt_status = NT_STATUS_LOGON_FAILURE; + + cli = server_client(); + + if (!cli->initialised) { + DEBUG(1,("password server %s is not connected\n", cli->desthost)); + return(NT_STATUS_LOGON_FAILURE); + } + + if(badpass[0] == 0) + memset(badpass, 0x1f, sizeof(badpass)); + + if((user_info->nt_resp.len == sizeof(badpass)) && + !memcmp(badpass, user_info->nt_resp.buffer, sizeof(badpass))) { + /* + * Very unlikely, our random bad password is the same as the users + * password. + */ + memset(badpass, badpass[0]+1, sizeof(badpass)); + } + + if(baduser[0] == 0) { + fstrcpy(baduser, INVALID_USER_PREFIX); + fstrcat(baduser, global_myname); + } + + /* + * Attempt a session setup with a totally incorrect password. + * If this succeeds with the guest bit *NOT* set then the password + * server is broken and is not correctly setting the guest bit. We + * need to detect this as some versions of NT4.x are broken. JRA. + */ + + /* I sure as hell hope that there arn't servers out there that take + * NTLMv2 and have this bug, as we don't test for that... + * - abartlet@samba.org + */ + + if(!tested_password_server) { + if (cli_session_setup(cli, baduser, (char *)badpass, sizeof(badpass), + (char *)badpass, sizeof(badpass), user_info->domain.str)) { + + /* + * We connected to the password server so we + * can say we've tested it. + */ + tested_password_server = True; + + if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) { + DEBUG(0,("server_validate: password server %s allows users as non-guest \ +with a bad password.\n", cli->desthost)); + DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \ +use this machine as the password server.\n")); + cli_ulogoff(cli); + + /* + * Password server has the bug. + */ + bad_password_server = True; + return NT_STATUS_LOGON_FAILURE; + } + cli_ulogoff(cli); + } + } else { + + /* + * We have already tested the password server. + * Fail immediately if it has the bug. + */ + + if(bad_password_server) { + DEBUG(0,("server_validate: [1] password server %s allows users as non-guest \ +with a bad password.\n", cli->desthost)); + DEBUG(0,("server_validate: [1] This is broken (and insecure) behaviour. Please do not \ +use this machine as the password server.\n")); + return NT_STATUS_LOGON_FAILURE; + } + } + + /* + * Now we know the password server will correctly set the guest bit, or is + * not guest enabled, we can try with the real password. + */ + + if (!cli_session_setup(cli, user_info->smb_username.str, + user_info->lm_resp.buffer, + user_info->lm_resp.len, + user_info->nt_resp.buffer, + user_info->nt_resp.len, + user_info->domain.str)) { + DEBUG(1,("password server %s rejected the password\n", cli->desthost)); + nt_status = NT_STATUS_LOGON_FAILURE; + } else { + nt_status = NT_STATUS_NOPROBLEMO; + } + + /* if logged in as guest then reject */ + if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) { + DEBUG(1,("password server %s gave us guest only\n", cli->desthost)); + nt_status = NT_STATUS_LOGON_FAILURE; + } + + cli_ulogoff(cli); + + return(nt_status); +} + +/**************************************************************************** + Check for a valid username and password in security=server mode. +****************************************************************************/ + +uint32 check_server_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +{ + + if(lp_security() != SEC_SERVER) + return NT_STATUS_LOGON_FAILURE; + + return server_validate(user_info, server_info); + +} + + diff --git a/source3/smbd/auth_smbpasswd.c b/source3/smbd/auth_smbpasswd.c new file mode 100644 index 0000000000..ce0b03d942 --- /dev/null +++ b/source3/smbd/auth_smbpasswd.c @@ -0,0 +1,229 @@ +/* + Unix SMB/Netbios implementation. + Version 1.9. + Password and authentication handling + Copyright (C) Andrew Tridgell 1992-2000 + Copyright (C) Luke Kenneth Casson Leighton 1996-2000 + Copyright (C) Andrew Bartlett 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +extern int DEBUGLEVEL; + +/**************************************************************************** +core of smb password checking routine. +****************************************************************************/ +static BOOL smb_pwd_check_ntlmv1(const uchar *password, + const uchar *part_passwd, + const uchar *c8, + uchar user_sess_key[16]) +{ + /* Finish the encryption of part_passwd. */ + uchar p24[24]; + + if (part_passwd == NULL) { + DEBUG(10,("No password set - DISALLOWING access\n")); + /* No password set - always false ! */ + return False; + } + + SMBOWFencrypt(part_passwd, c8, p24); + if (user_sess_key != NULL) + { + SMBsesskeygen_ntv1(part_passwd, NULL, user_sess_key); + } + + + +#if DEBUG_PASSWORD + DEBUG(100,("Part password (P16) was |")); + dump_data(100, part_passwd, 16); + DEBUG(100,("Password from client was |")); + dump_data(100, password, 24); + DEBUG(100,("Given challenge was |")); + dump_data(100, c8, 8); + DEBUG(100,("Value from encryption was |")); + dump_data(100, p24, 24); +#endif + return (memcmp(p24, password, 24) == 0); +} + +/**************************************************************************** +core of smb password checking routine. +****************************************************************************/ +static BOOL smb_pwd_check_ntlmv2(const uchar *password, size_t pwd_len, + uchar *part_passwd, + uchar const *c8, + const char *user, const char *domain, + char *user_sess_key) +{ + /* Finish the encryption of part_passwd. */ + uchar kr[16]; + uchar resp[16]; + + if (part_passwd == NULL) + { + DEBUG(10,("No password set - DISALLOWING access\n")); + /* No password set - always False */ + return False; + } + + ntv2_owf_gen(part_passwd, user, domain, kr); + SMBOWFencrypt_ntv2(kr, c8, 8, password+16, pwd_len-16, resp); + if (user_sess_key != NULL) + { + SMBsesskeygen_ntv2(kr, resp, user_sess_key); + } + +#if DEBUG_PASSWORD + DEBUG(100,("Part password (P16) was |")); + dump_data(100, part_passwd, 16); + DEBUG(100,("Password from client was |")); + dump_data(100, password, pwd_len); + DEBUG(100,("Given challenge was |")); + dump_data(100, c8, 8); + DEBUG(100,("Value from encryption was |")); + dump_data(100, resp, 16); +#endif + + return (memcmp(resp, password, 16) == 0); +} + + +/**************************************************************************** + Do a specific test for an smb password being correct, given a smb_password and + the lanman and NT responses. +****************************************************************************/ +uint32 smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +{ + uint8 *nt_pw, *lm_pw; + + /* Quit if the account was disabled. */ + if(pdb_get_acct_ctrl(sampass) & ACB_DISABLED) { + DEBUG(1,("Account for user '%s' was disabled.\n", user_info->smb_username.str)); + return(NT_STATUS_ACCOUNT_DISABLED); + } + + if (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ) + { + if (lp_null_passwords()) + { + DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", user_info->smb_username.str)); + return(NT_STATUS_NOPROBLEMO); + } + else + { + DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", user_info->smb_username.str)); + return(NT_STATUS_LOGON_FAILURE); + } + } + + if (!user_info || !sampass) + return(NT_STATUS_LOGON_FAILURE); + + DEBUG(4,("smb_password_ok: Checking SMB password for user %s\n",user_info->smb_username.str)); + + nt_pw = pdb_get_nt_passwd(sampass); + + if (nt_pw != NULL) { + if ((user_info->nt_resp.len > 24 )) { + /* We have the NT MD4 hash challenge available - see if we can + use it (ie. does it exist in the smbpasswd file). + */ + DEBUG(4,("smb_password_ok: Checking NTLMv2 password\n")); + if (smb_pwd_check_ntlmv2( user_info->nt_resp.buffer, + user_info->nt_resp.len, + nt_pw, + user_info->chal, user_info->requested_username.str, + user_info->requested_domain.str, + server_info->session_key)) + { + return NT_STATUS_NOPROBLEMO; + } + DEBUG(4,("smb_password_ok: NT MD4 password check failed\n")); + + } else if (lp_ntlm_auth() && (user_info->nt_resp.len == 24 )) { + /* We have the NT MD4 hash challenge available - see if we can + use it (ie. does it exist in the smbpasswd file). + */ + DEBUG(4,("smb_password_ok: Checking NT MD4 password\n")); + if (smb_pwd_check_ntlmv1(user_info->nt_resp.buffer, + nt_pw, user_info->chal, + server_info->session_key)) { + DEBUG(4,("smb_password_ok: NT MD4 password check succeeded\n")); + return NT_STATUS_NOPROBLEMO; + } else { + DEBUG(4,("smb_password_ok: NT MD4 password check failed\n")); + return NT_STATUS_WRONG_PASSWORD; + } + } + } + + lm_pw = pdb_get_lanman_passwd(sampass); + + if(lp_lanman_auth() && (lm_pw != NULL) && (user_info->lm_resp.len == 24 )) { + DEBUG(4,("smb_password_ok: Checking LM password\n")); + if (smb_pwd_check_ntlmv1(user_info->lm_resp.buffer, + lm_pw, user_info->chal, + server_info->session_key)) { + DEBUG(4,("smb_password_ok: LM password check succeeded\n")); + return NT_STATUS_NOPROBLEMO; + } else { + DEBUG(4,("smb_password_ok: LM password check failed\n")); + return NT_STATUS_WRONG_PASSWORD; + } + } + + return NT_STATUS_LOGON_FAILURE; +} + + +/**************************************************************************** +check if a username/password is OK assuming the password is a 24 byte +SMB hash +return True if the password is correct, False otherwise +****************************************************************************/ + +uint32 check_smbpasswd_security(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info) +{ + SAM_ACCOUNT *sampass=NULL; + BOOL ret; + uint32 nt_status; + + pdb_init_sam(&sampass); + + /* get the account information */ + ret = pdb_getsampwnam(sampass, user_info->smb_username.str); + if (ret == False) + { + DEBUG(1,("Couldn't find user '%s' in passdb file.\n", user_info->smb_username.str)); + pdb_free_sam(sampass); + return(NT_STATUS_NO_SUCH_USER); + } + + if ((nt_status = smb_password_ok(sampass, user_info, server_info)) != NT_STATUS_NOPROBLEMO) + { + pdb_free_sam(sampass); + return(nt_status); + } + + pdb_free_sam(sampass); + return nt_status; +} + + diff --git a/source3/smbd/auth_util.c b/source3/smbd/auth_util.c new file mode 100644 index 0000000000..1c12a4322d --- /dev/null +++ b/source3/smbd/auth_util.c @@ -0,0 +1,141 @@ +/* + Unix SMB/Netbios implementation. + Version 1.9. + Authentication utility functions + Copyright (C) Andrew Tridgell 1992-1998 + Copyright (C) Andrew Bartlett 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ +#include "includes.h" + +extern int DEBUGLEVEL; + +/* Data to do lanman1/2 password challenge. */ +static unsigned char saved_challenge[8]; +static BOOL challenge_sent=False; + +/******************************************************************* +Get the next challenge value - no repeats. +********************************************************************/ +void generate_next_challenge(char *challenge) +{ + unsigned char buf[8]; + + generate_random_buffer(buf,8,False); + memcpy(saved_challenge, buf, 8); + memcpy(challenge,buf,8); + challenge_sent = True; +} + +/******************************************************************* +set the last challenge sent, usually from a password server +********************************************************************/ +BOOL set_challenge(unsigned char *challenge) +{ + memcpy(saved_challenge,challenge,8); + challenge_sent = True; + return(True); +} + +/******************************************************************* +get the last challenge sent +********************************************************************/ +BOOL last_challenge(unsigned char *challenge) +{ + if (!challenge_sent) return(False); + memcpy(challenge,saved_challenge,8); + return(True); +} + + +/**************************************************************************** + Create a UNIX user on demand. +****************************************************************************/ + +static int smb_create_user(char *unix_user, char *homedir) +{ + pstring add_script; + int ret; + + pstrcpy(add_script, lp_adduser_script()); + if (! *add_script) return -1; + all_string_sub(add_script, "%u", unix_user, sizeof(pstring)); + if (homedir) + all_string_sub(add_script, "%H", homedir, sizeof(pstring)); + ret = smbrun(add_script,NULL); + DEBUG(3,("smb_create_user: Running the command `%s' gave %d\n",add_script,ret)); + return ret; +} + +/**************************************************************************** + Delete a UNIX user on demand. +****************************************************************************/ + +static int smb_delete_user(char *unix_user) +{ + pstring del_script; + int ret; + + pstrcpy(del_script, lp_deluser_script()); + if (! *del_script) return -1; + all_string_sub(del_script, "%u", unix_user, sizeof(pstring)); + ret = smbrun(del_script,NULL); + DEBUG(3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret)); + return ret; +} + +/**************************************************************************** + Add and Delete UNIX users on demand, based on NT_STATUS codes. +****************************************************************************/ + +void smb_user_control(char *unix_user, uint32 nt_status) +{ + struct passwd *pwd=NULL; + + if(nt_status == NT_STATUS_NOPROBLEMO) { + /* + * User validated ok against Domain controller. + * If the admin wants us to try and create a UNIX + * user on the fly, do so. + */ + if(lp_adduser_script() && !(pwd = smb_getpwnam(unix_user,True))) + smb_create_user(unix_user, NULL); + + if(lp_adduser_script() && pwd) { + SMB_STRUCT_STAT st; + + /* + * Also call smb_create_user if the users home directory + * doesn't exist. Used with winbindd to allow the script to + * create the home directory for a user mapped with winbindd. + */ + + if (pwd->pw_dir && (sys_stat(pwd->pw_dir, &st) == -1) && (errno == ENOENT)) + smb_create_user(unix_user, pwd->pw_dir); + } + + } else if (nt_status == NT_STATUS_NO_SUCH_USER) { + /* + * User failed to validate ok against Domain controller. + * If the failure was "user doesn't exist" and admin + * wants us to try and delete that UNIX user on the fly, + * do so. + */ + if(lp_deluser_script() && smb_getpwnam(unix_user,True)) + smb_delete_user(unix_user); + } + +} diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c index de6f5d789f..6410aa2da6 100644 --- a/source3/smbd/negprot.c +++ b/source3/smbd/negprot.c @@ -179,7 +179,10 @@ static int reply_nt1(char *outbuf) char *p, *q; if (lp_security() == SEC_SERVER) { + DEBUG(5,("attempting password server validation\n")); cli = server_cryptkey(); + } else { + DEBUG(5,("attempting local password validation\n")); } if (cli) { diff --git a/source3/smbd/password.c b/source3/smbd/password.c index 743d6ebffe..4aa5a0211e 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -25,52 +25,12 @@ extern int DEBUGLEVEL; extern int Protocol; extern struct in_addr ipzero; -BOOL global_machine_password_needs_changing = False; - /* users from session setup */ static pstring session_users=""; extern pstring global_myname; extern fstring global_myworkgroup; -/* Data to do lanman1/2 password challenge. */ -static unsigned char saved_challenge[8]; -static BOOL challenge_sent=False; - -/******************************************************************* -Get the next challenge value - no repeats. -********************************************************************/ -void generate_next_challenge(char *challenge) -{ - unsigned char buf[8]; - - generate_random_buffer(buf,8,False); - - memcpy(saved_challenge, buf, 8); - memcpy(challenge,buf,8); - challenge_sent = True; -} - -/******************************************************************* -set the last challenge sent, usually from a password server -********************************************************************/ -BOOL set_challenge(unsigned char *challenge) -{ - memcpy(saved_challenge,challenge,8); - challenge_sent = True; - return(True); -} - -/******************************************************************* -get the last challenge sent -********************************************************************/ -static BOOL last_challenge(unsigned char *challenge) -{ - if (!challenge_sent) return(False); - memcpy(challenge,saved_challenge,8); - return(True); -} - /* this holds info on user ids that are already validated for this VC */ static user_struct *validated_users; static int next_vuid = VUID_OFFSET; @@ -342,287 +302,6 @@ void add_session_user(char *user) /**************************************************************************** -update the encrypted smbpasswd file from the plaintext username and password -*****************************************************************************/ -static BOOL update_smbpassword_file(char *user, char *password) -{ - SAM_ACCOUNT *sampass = NULL; - BOOL ret; - - pdb_init_sam(&sampass); - - become_root(); - ret = pdb_getsampwnam(sampass, user); - unbecome_root(); - - if(ret == False) { - DEBUG(0,("pdb_getsampwnam returned NULL\n")); - pdb_free_sam(sampass); - return False; - } - - /* - * Remove the account disabled flag - we are updating the - * users password from a login. - */ - pdb_set_acct_ctrl(sampass, pdb_get_acct_ctrl(sampass) & ~ACB_DISABLED); - - /* Here, the flag is one, because we want to ignore the - XXXXXXX'd out password */ - ret = change_oem_password( sampass, password, True); - if (ret == False) { - DEBUG(3,("change_oem_password returned False\n")); - } - - pdb_free_sam(sampass); - return ret; -} - -/**************************************************************************** -core of smb password checking routine. -****************************************************************************/ -BOOL smb_password_check(char *password, unsigned char *part_passwd, unsigned char *c8) -{ - /* Finish the encryption of part_passwd. */ - unsigned char p21[21]; - unsigned char p24[24]; - - if (part_passwd == NULL) - { - DEBUG(10,("No password set - allowing access\n")); - - /* No password set - always true ! */ - return 1; - } - - memset(p21,'\0',21); - memcpy(p21,part_passwd,16); - E_P24(p21, c8, p24); -#if DEBUG_PASSWORD - { - int i; - DEBUG(100,("Part password (P16) was |")); - for(i = 0; i < 16; i++) - DEBUG(100,("%X ", (unsigned char)part_passwd[i])); - DEBUG(100,("|\n")); - DEBUG(100,("Password from client was |")); - for(i = 0; i < 24; i++) - DEBUG(100,("%X ", (unsigned char)password[i])); - DEBUG(100,("|\n")); - DEBUG(100,("Given challenge was |")); - for(i = 0; i < 8; i++) - DEBUG(100,("%X ", (unsigned char)c8[i])); - DEBUG(100,("|\n")); - DEBUG(100,("Value from encryption was |")); - for(i = 0; i < 24; i++) - DEBUG(100,("%X ", (unsigned char)p24[i])); - DEBUG(100,("|\n")); - } -#endif - return (memcmp(p24, password, 24) == 0); -} - -/**************************************************************************** - Do a specific test for an smb password being correct, given a smb_password and - the lanman and NT responses. -****************************************************************************/ -BOOL smb_password_ok(SAM_ACCOUNT *sampass, uchar chal[8], - uchar lm_pass[24], uchar nt_pass[24]) -{ - uchar challenge[8]; - char* user_name; - uint8 *nt_pw, *lm_pw; - - if (!lm_pass || !sampass) - return(False); - - user_name = pdb_get_username(sampass); - - DEBUG(4,("smb_password_ok: Checking SMB password for user %s\n",user_name)); - - if(pdb_get_acct_ctrl(sampass) & ACB_DISABLED) { - DEBUG(1,("smb_password_ok: account for user %s was disabled.\n", user_name)); - return(False); - } - - if (chal == NULL) { - DEBUG(5,("smb_password_ok: use last SMBnegprot challenge\n")); - if (!last_challenge(challenge)) { - DEBUG(1,("smb_password_ok: no challenge done - password failed\n")); - return False; - } - } else { - DEBUG(5,("smb_password_ok: challenge received\n")); - memcpy(challenge, chal, 8); - } - - nt_pw = pdb_get_nt_passwd(sampass); - - if ((Protocol >= PROTOCOL_NT1) && (nt_pw != NULL)) { - /* We have the NT MD4 hash challenge available - see if we can - use it (ie. does it exist in the smbpasswd file). - */ - DEBUG(4,("smb_password_ok: Checking NT MD4 password\n")); - if (smb_password_check((char *)nt_pass, (uchar *)nt_pw, challenge)) { - DEBUG(4,("smb_password_ok: NT MD4 password check succeeded\n")); - return(True); - } - DEBUG(4,("smb_password_ok: NT MD4 password check failed\n")); - } - - /* Try against the lanman password. pdb_get_lanman_passwd(sampass) == NULL - means no password, allow access. */ - - lm_pw = pdb_get_lanman_passwd(sampass); - - if((lm_pw == NULL) && (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ)) - { - DEBUG(4,("smb_password_ok: no password required for user %s\n",user_name)); - return True; - } - - if(lp_lanman_auth() && (lm_pw != NULL)) { - DEBUG(4,("smb_password_ok: Checking LM password\n")); - if(smb_password_check((char *)lm_pass,(uchar *)lm_pw, challenge)) { - DEBUG(4,("smb_password_ok: LM password check succeeded\n")); - return(True); - } - DEBUG(4,("smb_password_ok: LM password check failed\n")); - } - - return False; -} - - -/**************************************************************************** -check if a username/password is OK assuming the password is a 24 byte -SMB hash -return True if the password is correct, False otherwise -****************************************************************************/ - -BOOL pass_check_smb(char *user, char *domain, uchar *chal, - uchar *lm_pwd, uchar *nt_pwd) -{ - struct passwd *pass; - SAM_ACCOUNT *sampass=NULL; - BOOL ret; - - if (!lm_pwd || !nt_pwd) - { - return(False); - } - - /* FIXME! this code looks to be unnecessary now that the passdb - validates that the username exists and has a valid uid */ - - /* I don't get this call here. I think it should be moved. - Need to check on it. --jerry */ - pass = smb_getpwnam(user,True); - - if (pass == NULL) - { - DEBUG(1,("Couldn't find user '%s' in UNIX password database.\n",user)); - return(False); - } - - pdb_init_sam(&sampass); - - /* get the account information */ - ret = pdb_getsampwnam(sampass, user); - if (ret == False) - { - DEBUG(1,("Couldn't find user '%s' in passdb file.\n", user)); - pdb_free_sam(sampass); - return(False); - } - - /* Quit if the account was disabled. */ - if(pdb_get_acct_ctrl(sampass) & ACB_DISABLED) { - DEBUG(1,("Account for user '%s' was disabled.\n", user)); - pdb_free_sam(sampass); - return(False); - } - - /* Ensure the uid's match - FIXME! This also seems unnecessary --jerry */ -#if 0 /* GWC */ - if (smb_pass->smb_userid != pass->pw_uid) - { - DEBUG(0,("Error : UNIX and SMB uids in password files do not match for user '%s'!\n", user)); - pdb_free_sam(sampass); - return(False); - } -#endif - - if (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ) - { - if (lp_null_passwords()) - { - DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", user)); - pdb_free_sam(sampass); - return(True); - } - else - { - DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", user)); - pdb_free_sam(sampass); - return(False); - } - } - - if (smb_password_ok(sampass, chal, lm_pwd, nt_pwd)) - { - pdb_free_sam(sampass); - return(True); - } - - DEBUG(2,("pass_check_smb failed - invalid password for user [%s]\n", user)); - pdb_free_sam(sampass); - return False; -} - -/**************************************************************************** -check if a username/password pair is OK either via the system password -database or the encrypted SMB password database -return True if the password is correct, False otherwise -****************************************************************************/ -BOOL password_ok(char *user, char *password, int pwlen) -{ - BOOL ret; - - if ((pwlen == 0) && !lp_null_passwords()) { - DEBUG(4,("Null passwords not allowed.\n")); - return False; - } - - if (pwlen == 24 || (lp_encrypted_passwords() && (pwlen == 0) && lp_null_passwords())) { - /* if 24 bytes long assume it is an encrypted password */ - uchar challenge[8]; - - if (!last_challenge(challenge)) { - DEBUG(0,("Error: challenge not done for user=%s\n", user)); - return False; - } - - ret = pass_check_smb(user, global_myworkgroup, - challenge, (uchar *)password, (uchar *)password); - - /* - * Try with PAM (may not be compiled in - returns True if not. JRA). - * FIXME ! Should this be called if we're using winbindd ? What about - * non-local accounts ? JRA. - */ - - if (ret) - return (smb_pam_accountcheck(user) == NT_STATUS_NOPROBLEMO); - } - - return pass_check(user, password, pwlen, - lp_update_encrypted() ? - update_smbpassword_file : NULL); -} - -/**************************************************************************** check if a username is valid ****************************************************************************/ BOOL user_ok(char *user,int snum) @@ -660,9 +339,6 @@ BOOL user_ok(char *user,int snum) return(ret); } - - - /**************************************************************************** validate a group username entry. Return the username or NULL ****************************************************************************/ @@ -857,13 +533,6 @@ and given password ok\n", user)); ok = True; } - /* check for a rhosts entry */ - if (!ok && user_ok(user,snum) && check_hosts_equiv(user)) { - ok = True; - DEBUG(3,("authorise_login: ACCEPTED: hosts equiv or rhosts entry for %s\n", - user)); - } - /* check the user= fields and the given password */ if (!ok && lp_username(snum)) { char *auser; @@ -918,744 +587,3 @@ and given password ok (%s)\n", user)); return(ok); } - -/**************************************************************************** - Read the a hosts.equiv or .rhosts file and check if it - allows this user from this machine. -****************************************************************************/ - -static BOOL check_user_equiv(char *user, char *remote, char *equiv_file) -{ - int plus_allowed = 1; - char *file_host; - char *file_user; - char **lines = file_lines_load(equiv_file, NULL); - int i; - - DEBUG(5, ("check_user_equiv %s %s %s\n", user, remote, equiv_file)); - if (! lines) return False; - for (i=0; lines[i]; i++) { - char *buf = lines[i]; - trim_string(buf," "," "); - - if (buf[0] != '#' && buf[0] != '\n') - { - BOOL is_group = False; - int plus = 1; - char *bp = buf; - if (strcmp(buf, "NO_PLUS\n") == 0) - { - DEBUG(6, ("check_user_equiv NO_PLUS\n")); - plus_allowed = 0; - } - else { - if (buf[0] == '+') - { - bp++; - if (*bp == '\n' && plus_allowed) - { - /* a bare plus means everbody allowed */ - DEBUG(6, ("check_user_equiv everybody allowed\n")); - file_lines_free(lines); - return True; - } - } - else if (buf[0] == '-') - { - bp++; - plus = 0; - } - if (*bp == '@') - { - is_group = True; - bp++; - } - file_host = strtok(bp, " \t\n"); - file_user = strtok(NULL, " \t\n"); - DEBUG(7, ("check_user_equiv %s %s\n", file_host ? file_host : "(null)", - file_user ? file_user : "(null)" )); - if (file_host && *file_host) - { - BOOL host_ok = False; - -#if defined(HAVE_NETGROUP) && defined(HAVE_YP_GET_DEFAULT_DOMAIN) - if (is_group) - { - static char *mydomain = NULL; - if (!mydomain) - yp_get_default_domain(&mydomain); - if (mydomain && innetgr(file_host,remote,user,mydomain)) - host_ok = True; - } -#else - if (is_group) - { - DEBUG(1,("Netgroups not configured\n")); - continue; - } -#endif - - /* is it this host */ - /* the fact that remote has come from a call of gethostbyaddr - * means that it may have the fully qualified domain name - * so we could look up the file version to get it into - * a canonical form, but I would rather just type it - * in full in the equiv file - */ - if (!host_ok && !is_group && strequal(remote, file_host)) - host_ok = True; - - if (!host_ok) - continue; - - /* is it this user */ - if (file_user == 0 || strequal(user, file_user)) - { - DEBUG(5, ("check_user_equiv matched %s%s %s\n", - (plus ? "+" : "-"), file_host, - (file_user ? file_user : ""))); - file_lines_free(lines); - return (plus ? True : False); - } - } - } - } - } - file_lines_free(lines); - return False; -} - - -/**************************************************************************** -check for a possible hosts equiv or rhosts entry for the user -****************************************************************************/ -BOOL check_hosts_equiv(char *user) -{ - char *fname = NULL; - pstring rhostsfile; - struct passwd *pass = Get_Pwnam(user,True); - - if (!pass) - return(False); - - fname = lp_hosts_equiv(); - - /* note: don't allow hosts.equiv on root */ - if (fname && *fname && (pass->pw_uid != 0)) { - if (check_user_equiv(user,client_name(),fname)) - return(True); - } - - if (lp_use_rhosts()) - { - char *home = get_user_home_dir(user); - if (home) { - slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home); - if (check_user_equiv(user,client_name(),rhostsfile)) - return(True); - } - } - - return(False); -} - - -/**************************************************************************** - Return the client state structure. -****************************************************************************/ - -struct cli_state *server_client(void) -{ - static struct cli_state pw_cli; - return &pw_cli; -} - -/**************************************************************************** - Support for server level security. -****************************************************************************/ - -struct cli_state *server_cryptkey(void) -{ - struct cli_state *cli; - fstring desthost; - struct in_addr dest_ip; - char *p, *pserver; - BOOL connected_ok = False; - - cli = server_client(); - - if (!cli_initialise(cli)) - return NULL; - - pserver = strdup(lp_passwordserver()); - p = pserver; - - while(next_token( &p, desthost, LIST_SEP, sizeof(desthost))) { - standard_sub_basic(desthost); - strupper(desthost); - - if(!resolve_name( desthost, &dest_ip, 0x20)) { - DEBUG(1,("server_cryptkey: Can't resolve address for %s\n",desthost)); - continue; - } - - if (ismyip(dest_ip)) { - DEBUG(1,("Password server loop - disabling password server %s\n",desthost)); - continue; - } - - if (cli_connect(cli, desthost, &dest_ip)) { - DEBUG(3,("connected to password server %s\n",desthost)); - connected_ok = True; - break; - } - } - - free(pserver); - - if (!connected_ok) { - DEBUG(0,("password server not available\n")); - cli_shutdown(cli); - return NULL; - } - - if (!attempt_netbios_session_request(cli, global_myname, desthost, &dest_ip)) - return NULL; - - DEBUG(3,("got session\n")); - - if (!cli_negprot(cli)) { - DEBUG(1,("%s rejected the negprot\n",desthost)); - cli_shutdown(cli); - return NULL; - } - - if (cli->protocol < PROTOCOL_LANMAN2 || - !(cli->sec_mode & 1)) { - DEBUG(1,("%s isn't in user level security mode\n",desthost)); - cli_shutdown(cli); - return NULL; - } - - DEBUG(3,("password server OK\n")); - - return cli; -} - -/**************************************************************************** - Validate a password with the password server. -****************************************************************************/ - -BOOL server_validate(char *user, char *domain, - char *pass, int passlen, - char *ntpass, int ntpasslen) -{ - struct cli_state *cli; - static unsigned char badpass[24]; - static fstring baduser; - static BOOL tested_password_server = False; - static BOOL bad_password_server = False; - - cli = server_client(); - - if (!cli->initialised) { - DEBUG(1,("password server %s is not connected\n", cli->desthost)); - return(False); - } - - if(badpass[0] == 0) - memset(badpass, 0x1f, sizeof(badpass)); - - if((passlen == sizeof(badpass)) && !memcmp(badpass, pass, passlen)) { - /* - * Very unlikely, our random bad password is the same as the users - * password. - */ - memset(badpass, badpass[0]+1, sizeof(badpass)); - } - - if(baduser[0] == 0) { - fstrcpy(baduser, INVALID_USER_PREFIX); - fstrcat(baduser, global_myname); - } - - /* - * Attempt a session setup with a totally incorrect password. - * If this succeeds with the guest bit *NOT* set then the password - * server is broken and is not correctly setting the guest bit. We - * need to detect this as some versions of NT4.x are broken. JRA. - */ - - if(!tested_password_server) { - if (cli_session_setup(cli, baduser, (char *)badpass, sizeof(badpass), - (char *)badpass, sizeof(badpass), domain)) { - - /* - * We connected to the password server so we - * can say we've tested it. - */ - tested_password_server = True; - - if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) { - DEBUG(0,("server_validate: password server %s allows users as non-guest \ -with a bad password.\n", cli->desthost)); - DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \ -use this machine as the password server.\n")); - cli_ulogoff(cli); - - /* - * Password server has the bug. - */ - bad_password_server = True; - return False; - } - cli_ulogoff(cli); - } - } else { - - /* - * We have already tested the password server. - * Fail immediately if it has the bug. - */ - - if(bad_password_server) { - DEBUG(0,("server_validate: [1] password server %s allows users as non-guest \ -with a bad password.\n", cli->desthost)); - DEBUG(0,("server_validate: [1] This is broken (and insecure) behaviour. Please do not \ -use this machine as the password server.\n")); - return False; - } - } - - /* - * Now we know the password server will correctly set the guest bit, or is - * not guest enabled, we can try with the real password. - */ - - if (!cli_session_setup(cli, user, pass, passlen, ntpass, ntpasslen, domain)) { - DEBUG(1,("password server %s rejected the password\n", cli->desthost)); - return False; - } - - /* if logged in as guest then reject */ - if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) { - DEBUG(1,("password server %s gave us guest only\n", cli->desthost)); - cli_ulogoff(cli); - return(False); - } - - cli_ulogoff(cli); - - return(True); -} - -/*********************************************************************** - Connect to a remote machine for domain security authentication - given a name or IP address. -************************************************************************/ - -static BOOL connect_to_domain_password_server(struct cli_state *pcli, - char *server, unsigned char *trust_passwd) -{ - struct in_addr dest_ip; - fstring remote_machine; - - if(cli_initialise(pcli) == NULL) { - DEBUG(0,("connect_to_domain_password_server: unable to initialize client connection.\n")); - return False; - } - - if (is_ipaddress(server)) { - struct in_addr to_ip; - - /* we shouldn't have 255.255.255.255 forthe IP address of - a password server anyways */ - if ((to_ip.s_addr=inet_addr(server)) == 0xFFFFFFFF) { - DEBUG (0,("connect_to_domain_password_server: inet_addr(%s) returned 0xFFFFFFFF!\n", server)); - return False; - } - - if (!name_status_find(0x20, to_ip, remote_machine)) { - DEBUG(0, ("connect_to_domain_password_server: Can't " - "resolve name for IP %s\n", server)); - return False; - } - } else { - fstrcpy(remote_machine, server); - } - - standard_sub_basic(remote_machine); - strupper(remote_machine); - - if(!resolve_name( remote_machine, &dest_ip, 0x20)) { - DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", remote_machine)); - cli_shutdown(pcli); - return False; - } - - if (ismyip(dest_ip)) { - DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n", - remote_machine)); - cli_shutdown(pcli); - return False; - } - - if (!cli_connect(pcli, remote_machine, &dest_ip)) { - DEBUG(0,("connect_to_domain_password_server: unable to connect to SMB server on \ -machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; - } - - if (!attempt_netbios_session_request(pcli, global_myname, remote_machine, &dest_ip)) { - DEBUG(0,("connect_to_password_server: machine %s rejected the NetBIOS \ -session request. Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - return False; - } - - pcli->protocol = PROTOCOL_NT1; - - if (!cli_negprot(pcli)) { - DEBUG(0,("connect_to_domain_password_server: machine %s rejected the negotiate protocol. \ -Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; - } - - if (pcli->protocol != PROTOCOL_NT1) { - DEBUG(0,("connect_to_domain_password_server: machine %s didn't negotiate NT protocol.\n", - remote_machine)); - cli_shutdown(pcli); - return False; - } - - /* - * Do an anonymous session setup. - */ - - if (!cli_session_setup(pcli, "", "", 0, "", 0, "")) { - DEBUG(0,("connect_to_domain_password_server: machine %s rejected the session setup. \ -Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; - } - - if (!(pcli->sec_mode & 1)) { - DEBUG(1,("connect_to_domain_password_server: machine %s isn't in user level security mode\n", - remote_machine)); - cli_shutdown(pcli); - return False; - } - - if (!cli_send_tconX(pcli, "IPC$", "IPC", "", 1)) { - DEBUG(0,("connect_to_domain_password_server: machine %s rejected the tconX on the IPC$ share. \ -Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; - } - - /* - * We now have an anonymous connection to IPC$ on the domain password server. - */ - - /* - * Even if the connect succeeds we need to setup the netlogon - * pipe here. We do this as we may just have changed the domain - * account password on the PDC and yet we may be talking to - * a BDC that doesn't have this replicated yet. In this case - * a successful connect to a DC needs to take the netlogon connect - * into account also. This patch from "Bjart Kvarme" <bjart.kvarme@usit.uio.no>. - */ - - if(cli_nt_session_open(pcli, PIPE_NETLOGON) == False) { - DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ -machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli))); - cli_nt_session_close(pcli); - cli_ulogoff(pcli); - cli_shutdown(pcli); - return False; - } - - if (cli_nt_setup_creds(pcli, trust_passwd) == False) { - DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ -%s. Error was : %s.\n", remote_machine, cli_errstr(pcli))); - cli_nt_session_close(pcli); - cli_ulogoff(pcli); - cli_shutdown(pcli); - return(False); - } - - return True; -} - -/*********************************************************************** - Utility function to attempt a connection to an IP address of a DC. -************************************************************************/ - -static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, unsigned char *trust_passwd) -{ - fstring dc_name; - - /* - * Ignore addresses we have already tried. - */ - - if (ip_equal(ipzero, *ip)) - return False; - - if (!lookup_pdc_name(global_myname, lp_workgroup(), ip, dc_name)) - return False; - - return connect_to_domain_password_server(pcli, dc_name, trust_passwd); -} - -/*********************************************************************** - We have been asked to dynamcially determine the IP addresses of - the PDC and BDC's for this DOMAIN, and query them in turn. -************************************************************************/ -static BOOL find_connect_pdc(struct cli_state *pcli, unsigned char *trust_passwd, time_t last_change_time) -{ - struct in_addr *ip_list = NULL; - int count = 0; - int i; - BOOL connected_ok = False; - time_t time_now = time(NULL); - BOOL use_pdc_only = False; - - /* - * If the time the machine password has changed - * was less than an hour ago then we need to contact - * the PDC only, as we cannot be sure domain replication - * has yet taken place. Bug found by Gerald (way to go - * Gerald !). JRA. - */ - - if (time_now - last_change_time < 3600) - use_pdc_only = True; - - if (!get_dc_list(use_pdc_only, lp_workgroup(), &ip_list, &count)) - return False; - - /* - * Firstly try and contact a PDC/BDC who has the same - * network address as any of our interfaces. - */ - for(i = 0; i < count; i++) { - if(!is_local_net(ip_list[i])) - continue; - - if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) - break; - - ip_list[i] = ipzero; /* Tried and failed. */ - } - - /* - * Secondly try and contact a random PDC/BDC. - */ - if(!connected_ok) { - i = (sys_random() % count); - - if (!(connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) - ip_list[i] = ipzero; /* Tried and failed. */ - } - - /* - * Finally go through the IP list in turn, ignoring any addresses - * we have already tried. - */ - if(!connected_ok) { - /* - * Try and connect to any of the other IP addresses in the PDC/BDC list. - * Note that from a WINS server the #1 IP address is the PDC. - */ - for(i = 0; i < count; i++) { - if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) - break; - } - } - - if(ip_list != NULL) - free((char *)ip_list); - - - return connected_ok; -} - -/*********************************************************************** - Do the same as security=server, but using NT Domain calls and a session - key from the machine password. If the server parameter is specified - use it, otherwise figure out a server from the 'password server' param. -************************************************************************/ - -BOOL domain_client_validate( char *user, char *domain, - char *smb_apasswd, int smb_apasslen, - char *smb_ntpasswd, int smb_ntpasslen, - BOOL *user_exists, char *server) -{ - unsigned char local_challenge[8]; - unsigned char local_lm_response[24]; - unsigned char local_nt_response[24]; - unsigned char trust_passwd[16]; - fstring remote_machine; - char *p, *pserver; - NET_ID_INFO_CTR ctr; - NET_USER_INFO_3 info3; - struct cli_state cli; - uint32 smb_uid_low; - BOOL connected_ok = False; - time_t last_change_time; - - if(user_exists != NULL) - *user_exists = True; /* Only set false on a very specific error. */ - - /* - * Check that the requested domain is not our own machine name. - * If it is, we should never check the PDC here, we use our own local - * password file. - */ - - if(strequal( domain, global_myname)) { - DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n")); - return False; - } - - /* - * Next, check that the passwords given were encrypted. - */ - - if(((smb_apasslen != 24) && (smb_apasslen != 0)) || - ((smb_ntpasslen != 24) && (smb_ntpasslen != 0))) { - - /* - * Not encrypted - do so. - */ - - DEBUG(5,("domain_client_validate: User passwords not in encrypted format.\n")); - generate_random_buffer( local_challenge, 8, False); - SMBencrypt( (uchar *)smb_apasswd, local_challenge, local_lm_response); - SMBNTencrypt((uchar *)smb_ntpasswd, local_challenge, local_nt_response); - smb_apasslen = 24; - smb_ntpasslen = 24; - smb_apasswd = (char *)local_lm_response; - smb_ntpasswd = (char *)local_nt_response; - } else { - - /* - * Encrypted - get the challenge we sent for these - * responses. - */ - - if (!last_challenge(local_challenge)) { - DEBUG(0,("domain_client_validate: no challenge done - password failed\n")); - return False; - } - } - - /* - * Get the machine account password for our primary domain - */ - if (!secrets_fetch_trust_account_password(global_myworkgroup, trust_passwd, &last_change_time)) - { - DEBUG(0, ("domain_client_validate: could not fetch trust account password for domain %s\n", global_myworkgroup)); - return False; - } - - /* Test if machine password is expired and need to be changed */ - if (time(NULL) > last_change_time + lp_machine_password_timeout()) - { - global_machine_password_needs_changing = True; - } - - /* - * At this point, smb_apasswd points to the lanman response to - * the challenge in local_challenge, and smb_ntpasswd points to - * the NT response to the challenge in local_challenge. Ship - * these over the secure channel to a domain controller and - * see if they were valid. - */ - - ZERO_STRUCT(cli); - - /* - * Treat each name in the 'password server =' line as a potential - * PDC/BDC. Contact each in turn and try and authenticate. - */ - - if (server) { - p = server; - } else { - pserver = lp_passwordserver(); - if (! *pserver) pserver = "*"; - p = pserver; - } - - while (!connected_ok && - next_token(&p,remote_machine,LIST_SEP,sizeof(remote_machine))) { - if(strequal(remote_machine, "*")) { - connected_ok = find_connect_pdc(&cli, trust_passwd, last_change_time); - } else { - connected_ok = connect_to_domain_password_server(&cli, remote_machine, trust_passwd); - } - } - - if (!connected_ok) { - DEBUG(0,("domain_client_validate: Domain password server not available.\n")); - cli_shutdown(&cli); - return False; - } - - /* We really don't care what LUID we give the user. */ - generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False); - - ZERO_STRUCT(info3); - - if(cli_nt_login_network(&cli, domain, user, smb_uid_low, (char *)local_challenge, - ((smb_apasslen != 0) ? smb_apasswd : NULL), - ((smb_ntpasslen != 0) ? smb_ntpasswd : NULL), - &ctr, &info3) == False) { - uint32 nt_rpc_err; - - cli_error(&cli, NULL, NULL, &nt_rpc_err); - DEBUG(0,("domain_client_validate: unable to validate password for user %s in domain \ -%s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli))); - cli_nt_session_close(&cli); - cli_ulogoff(&cli); - cli_shutdown(&cli); - - if((nt_rpc_err == NT_STATUS_NO_SUCH_USER) && (user_exists != NULL)) - *user_exists = False; - - return False; - } - - /* - * Here, if we really want it, we have lots of info about the user in info3. - */ - -#if 0 - /* - * We don't actually need to do this - plus it fails currently with - * NT_STATUS_INVALID_INFO_CLASS - we need to know *exactly* what to - * send here. JRA. - */ - - if(cli_nt_logoff(&cli, &ctr) == False) { - DEBUG(0,("domain_client_validate: unable to log off user %s in domain \ -%s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli))); - cli_nt_session_close(&cli); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return False; - } -#endif /* 0 */ - - /* Note - once the cli stream is shutdown the mem_ctx used - to allocate the other_sids and gids structures has been deleted - so - these pointers are no longer valid..... */ - - cli_nt_session_close(&cli); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return True; -} diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 324734a79d..ab3fba9830 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -434,6 +434,11 @@ int reply_ioctl(connection_struct *conn, } /**************************************************************************** + This function breaks the authentication split. It needs sorting out. + I can't see why we can't hadle this INSIDE the check_password, as in then + end all it does it spit out an nt_status code. + ****************************************************************************/ +/**************************************************************************** always return an error: it's just a matter of which one... ****************************************************************************/ static int session_trust_account(connection_struct *conn, char *inbuf, char *outbuf, char *user, @@ -444,7 +449,40 @@ static int session_trust_account(connection_struct *conn, char *inbuf, char *out SAM_ACCOUNT *sam_trust_acct = NULL; uint16 acct_ctrl; BOOL ret; - + auth_usersupplied_info user_info; + auth_serversupplied_info server_info; + AUTH_STR domain, smb_username, wksta_name; + + ZERO_STRUCT(user_info); + ZERO_STRUCT(server_info); + ZERO_STRUCT(domain); + ZERO_STRUCT(smb_username); + ZERO_STRUCT(wksta_name); + + domain.str = lp_workgroup(); + domain.len = strlen(domain.str); + + user_info.requested_domain = domain; + user_info.domain = domain; + + smb_username.str = user; + smb_username.len = strlen(smb_username.str); + + user_info.requested_username = smb_username; /* For the time-being */ + user_info.smb_username = smb_username; + + user_info.wksta_name = wksta_name; + + user_info.lm_resp.buffer = (uint8 *)smb_passwd; + user_info.lm_resp.len = smb_passlen; + user_info.nt_resp.buffer = (uint8 *)smb_nt_passwd; + user_info.nt_resp.len = smb_nt_passlen; + + if (!last_challenge(user_info.chal)) { + DEBUG(1,("smb_password_ok: no challenge done - password failed\n")); + return NT_STATUS_LOGON_FAILURE; + } + pdb_init_sam(&sam_trust_acct); if (lp_security() == SEC_USER) { @@ -470,7 +508,7 @@ static int session_trust_account(connection_struct *conn, char *inbuf, char *out return(ERROR(0, NT_STATUS_LOGON_FAILURE)); } - if (!smb_password_ok(sam_trust_acct, NULL, (unsigned char *)smb_passwd, (unsigned char *)smb_nt_passwd)) { + if (!smb_password_ok(sam_trust_acct, &user_info, &server_info)) { DEBUG(0,("session_trust_account: Trust Account %s - password failed\n", user)); SSVAL(outbuf, smb_flg2, SVAL(outbuf, smb_flg2) | FLAGS2_32_BIT_ERROR_CODES); pdb_free_sam(sam_trust_acct); @@ -504,173 +542,6 @@ static int session_trust_account(connection_struct *conn, char *inbuf, char *out } /**************************************************************************** - Create a UNIX user on demand. -****************************************************************************/ - -int smb_create_user(char *unix_user, char *homedir) -{ - pstring add_script; - int ret; - - pstrcpy(add_script, lp_adduser_script()); - if (! *add_script) return -1; - all_string_sub(add_script, "%u", unix_user, sizeof(pstring)); - if (homedir) - all_string_sub(add_script, "%H", homedir, sizeof(pstring)); - ret = smbrun(add_script,NULL); - DEBUG(3,("smb_create_user: Running the command `%s' gave %d\n",add_script,ret)); - return ret; -} - -/**************************************************************************** - Delete a UNIX user on demand. -****************************************************************************/ - -static int smb_delete_user(char *unix_user) -{ - pstring del_script; - int ret; - - pstrcpy(del_script, lp_deluser_script()); - if (! *del_script) return -1; - all_string_sub(del_script, "%u", unix_user, sizeof(pstring)); - ret = smbrun(del_script,NULL); - DEBUG(3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret)); - return ret; -} - -/**************************************************************************** - Check user is in correct domain if required -****************************************************************************/ - -static BOOL check_domain_match(char *user, char *domain) -{ - /* - * If we aren't serving to trusted domains, we must make sure that - * the validation request comes from an account in the same domain - * as the Samba server - */ - - if (!lp_allow_trusted_domains() && - !strequal(lp_workgroup(), domain) ) { - DEBUG(1, ("check_domain_match: Attempt to connect as user %s from domain %s denied.\n", user, domain)); - return False; - } else { - return True; - } -} - -/**************************************************************************** - Check for a valid username and password in security=server mode. -****************************************************************************/ - -static BOOL check_server_security(char *orig_user, char *domain, char *unix_user, - char *smb_apasswd, int smb_apasslen, - char *smb_ntpasswd, int smb_ntpasslen) -{ - BOOL ret = False; - - if(lp_security() != SEC_SERVER) - return False; - - if (!check_domain_match(orig_user, domain)) - return False; - - ret = server_validate(orig_user, domain, - smb_apasswd, smb_apasslen, - smb_ntpasswd, smb_ntpasslen); - if(ret) { - struct passwd *pwd=NULL; - - /* - * User validated ok against Domain controller. - * If the admin wants us to try and create a UNIX - * user on the fly, do so. - * Note that we can never delete users when in server - * level security as we never know if it was a failure - * due to a bad password, or the user really doesn't exist. - */ - if(lp_adduser_script() && !(pwd = smb_getpwnam(unix_user,True))) { - smb_create_user(unix_user, NULL); - } - - if(lp_adduser_script() && pwd) { - SMB_STRUCT_STAT st; - - /* - * Also call smb_create_user if the users home directory - * doesn't exist. Used with winbindd to allow the script to - * create the home directory for a user mapped with winbindd. - */ - - if (pwd->pw_shell && (sys_stat(pwd->pw_dir, &st) == -1) && (errno == ENOENT)) - smb_create_user(unix_user, pwd->pw_dir); - } - } - - return ret; -} - -/**************************************************************************** - Check for a valid username and password in security=domain mode. -****************************************************************************/ - -static BOOL check_domain_security(char *orig_user, char *domain, char *unix_user, - char *smb_apasswd, int smb_apasslen, - char *smb_ntpasswd, int smb_ntpasslen) -{ - BOOL ret = False; - BOOL user_exists = True; - struct passwd *pwd=NULL; - - if(lp_security() != SEC_DOMAIN) - return False; - - if (!check_domain_match(orig_user, domain)) - return False; - - ret = domain_client_validate(orig_user, domain, - smb_apasswd, smb_apasslen, - smb_ntpasswd, smb_ntpasslen, - &user_exists, NULL); - - if(ret) { - /* - * User validated ok against Domain controller. - * If the admin wants us to try and create a UNIX - * user on the fly, do so. - */ - if(user_exists && lp_adduser_script() && !(pwd = smb_getpwnam(unix_user,True))) - smb_create_user(unix_user, NULL); - - if(lp_adduser_script() && pwd) { - SMB_STRUCT_STAT st; - - /* - * Also call smb_create_user if the users home directory - * doesn't exist. Used with winbindd to allow the script to - * create the home directory for a user mapped with winbindd. - */ - - if (pwd->pw_dir && (sys_stat(pwd->pw_dir, &st) == -1) && (errno == ENOENT)) - smb_create_user(unix_user, pwd->pw_dir); - } - - } else { - /* - * User failed to validate ok against Domain controller. - * If the failure was "user doesn't exist" and admin - * wants us to try and delete that UNIX user on the fly, - * do so. - */ - if(!user_exists && lp_deluser_script() && smb_getpwnam(unix_user,True)) - smb_delete_user(unix_user); - } - - return ret; -} - -/**************************************************************************** Return a bad password error configured for the correct client type. ****************************************************************************/ @@ -701,8 +572,7 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,int pstring smb_apasswd; int smb_ntpasslen = 0; pstring smb_ntpasswd; - BOOL valid_nt_password = False; - BOOL valid_lm_password = False; + BOOL valid_password = False; pstring user; pstring orig_user; fstring domain; @@ -926,50 +796,16 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,int add_session_user(user); - /* - * Check with orig_user for security=server and - * security=domain. - */ - - if (!guest && !check_server_security(orig_user, domain, user, - smb_apasswd, smb_apasslen, smb_ntpasswd, smb_ntpasslen) && - !check_domain_security(orig_user, domain, user, smb_apasswd, - smb_apasslen, smb_ntpasswd, smb_ntpasslen) && - !check_hosts_equiv(user)) - { - /* - * If we get here then the user wasn't guest and the remote - * authentication methods failed. Check the authentication - * methods on this local server. - * - * If an NT password was supplied try and validate with that - * first. This is superior as the passwords are mixed case - * 128 length unicode. - */ - - if(smb_ntpasslen) - { - if(!password_ok(user, smb_ntpasswd,smb_ntpasslen)) - DEBUG(2,("NT Password did not match for user '%s'!\n", user)); - else - valid_nt_password = True; - } - - - /* check the LanMan password only if necessary and if allowed - by lp_lanman_auth() */ - if (!valid_nt_password && lp_lanman_auth()) - { - DEBUG(2,("Defaulting to Lanman password for %s\n", user)); - valid_lm_password = password_ok(user, smb_apasswd,smb_apasslen); - } - + if (!guest) { + valid_password = (pass_check_smb(user, domain, + smb_apasswd, smb_apasslen, + smb_ntpasswd, smb_ntpasslen) == NT_STATUS_NOPROBLEMO); /* The true branch will be executed if (1) the NT password failed (or was not tried), and (2) LanMan authentication failed (or was disabled) */ - if (!valid_nt_password && !valid_lm_password) + if (!valid_password) { if (lp_security() >= SEC_USER) { |