summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/Makefile.in2
-rw-r--r--source3/include/client.h6
-rw-r--r--source3/include/proto.h10
-rw-r--r--source3/include/smb.h7
-rw-r--r--source3/libsmb/cliconnect.c35
-rw-r--r--source3/libsmb/clientgen.c59
-rw-r--r--source3/libsmb/passchange.c18
-rw-r--r--source3/libsmb/pwd_cache.c61
-rw-r--r--source3/rpc_client/cli_pipe.c4
-rw-r--r--source3/torture/torture.c6
-rw-r--r--source3/winbindd/winbindd_cm.c39
11 files changed, 135 insertions, 112 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 76fd91a31e..6b0a1516d0 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -457,7 +457,7 @@ LIBSMB_OBJ = libsmb/clientgen.o libsmb/cliconnect.o libsmb/clifile.o \
libsmb/clireadwrite.o libsmb/clilist.o libsmb/cliprint.o \
libsmb/clitrans.o libsmb/clisecdesc.o libsmb/clidgram.o \
libsmb/clistr.o libsmb/cliquota.o libsmb/clifsinfo.o libsmb/clidfs.o \
- libsmb/credentials.o libsmb/pwd_cache.o \
+ libsmb/credentials.o \
libsmb/clioplock.o libsmb/clirap2.o \
libsmb/smb_seal.o libsmb/async_smb.o \
$(LIBSAMBA_OBJ) \
diff --git a/source3/include/client.h b/source3/include/client.h
index eae22fdbce..320a90e66b 100644
--- a/source3/include/client.h
+++ b/source3/include/client.h
@@ -187,9 +187,9 @@ struct cli_state {
fstring desthost;
/* The credentials used to open the cli_state connection. */
- fstring domain;
- fstring user_name;
- struct pwd_info pwd;
+ char *domain;
+ char *user_name;
+ char *password; /* Can be null to force use of zero NTLMSSP session key. */
/*
* The following strings are the
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 5811574068..f992f0686a 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -2424,7 +2424,10 @@ bool cli_send_smb_direct_writeX(struct cli_state *cli,
void cli_setup_packet_buf(struct cli_state *cli, char *buf);
void cli_setup_packet(struct cli_state *cli);
void cli_setup_bcc(struct cli_state *cli, void *p);
-void cli_init_creds(struct cli_state *cli, const char *username, const char *domain, const char *password);
+NTSTATUS cli_set_domain(struct cli_state *cli, const char *domain);
+NTSTATUS cli_set_username(struct cli_state *cli, const char *username);
+NTSTATUS cli_set_password(struct cli_state *cli, const char *password);
+NTSTATUS cli_init_creds(struct cli_state *cli, const char *username, const char *domain, const char *password);
struct cli_state *cli_initialise(void);
struct cli_state *cli_initialise_ex(int signing_state);
void cli_nt_pipes_close(struct cli_state *cli);
@@ -3154,11 +3157,6 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
const char *old_passwd, const char *new_passwd,
char **err_str);
-/* The following definitions come from libsmb/pwd_cache.c */
-
-void pwd_set_cleartext(struct pwd_info *pwd, const char *clr);
-void pwd_get_cleartext(struct pwd_info *pwd, fstring clr);
-
/* The following definitions come from libsmb/samlogon_cache.c */
bool netsamlogon_cache_init(void);
diff --git a/source3/include/smb.h b/source3/include/smb.h
index a0140fe081..281a218256 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -1759,13 +1759,6 @@ struct node_status_extra {
/* There really is more here ... */
};
-struct pwd_info {
- bool null_pwd;
- bool cleartext;
-
- fstring password;
-};
-
/* For split krb5 SPNEGO blobs. */
struct pending_auth_data {
struct pending_auth_data *prev, *next;
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index ec2932488e..43326e912c 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -61,6 +61,7 @@ static NTSTATUS cli_session_setup_lanman2(struct cli_state *cli,
{
DATA_BLOB session_key = data_blob_null;
DATA_BLOB lm_response = data_blob_null;
+ NTSTATUS status;
fstring pword;
char *p;
@@ -129,7 +130,10 @@ static NTSTATUS cli_session_setup_lanman2(struct cli_state *cli,
/* use the returned vuid from now on */
cli->vuid = SVAL(cli->inbuf,smb_uid);
- fstrcpy(cli->user_name, user);
+ status = cli_set_username(cli, user);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
if (session_key.data) {
/* Have plaintext orginal */
@@ -237,7 +241,10 @@ NTSTATUS cli_session_setup_guest_recv(struct async_req *req)
cli->is_samba = True;
}
- fstrcpy(cli->user_name, "");
+ status = cli_set_username(cli, "");
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
return NT_STATUS_OK;
}
@@ -289,6 +296,7 @@ static NTSTATUS cli_session_setup_plaintext(struct cli_state *cli,
{
uint32 capabilities = cli_session_setup_capabilities(cli);
char *p;
+ NTSTATUS status;
fstring lanman;
fstr_sprintf( lanman, "Samba %s", samba_version_string());
@@ -349,8 +357,10 @@ static NTSTATUS cli_session_setup_plaintext(struct cli_state *cli,
-1, STR_TERMINATE);
p += clistr_pull(cli->inbuf, cli->server_domain, p, sizeof(fstring),
-1, STR_TERMINATE);
- fstrcpy(cli->user_name, user);
-
+ status = cli_set_username(cli, user);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
if (strstr(cli->server_type, "Samba")) {
cli->is_samba = True;
}
@@ -520,7 +530,10 @@ static NTSTATUS cli_session_setup_nt1(struct cli_state *cli, const char *user,
cli->is_samba = True;
}
- fstrcpy(cli->user_name, user);
+ result = cli_set_username(cli, user);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto end;
+ }
if (session_key.data) {
/* Have plaintext orginal */
@@ -898,6 +911,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
DATA_BLOB blob;
const char *p = NULL;
char *account = NULL;
+ NTSTATUS status;
DEBUG(3,("Doing spnego session setup (blob length=%lu)\n", (unsigned long)cli->secblob.length));
@@ -936,7 +950,10 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
DEBUG(3,("got principal=%s\n", principal ? principal : "<null>"));
- fstrcpy(cli->user_name, user);
+ status = cli_set_username(cli, user);
+ if (!NT_STATUS_IS_OK(status)) {
+ return ADS_ERROR_NT(status);
+ }
#ifdef HAVE_KRB5
/* If password is set we reauthenticate to kerberos server
@@ -2101,7 +2118,11 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli,
}
}
- cli_init_creds(cli, user, domain, password);
+ nt_status = cli_init_creds(cli, user, domain, password);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ cli_shutdown(cli);
+ return nt_status;
+ }
*output_cli = cli;
return NT_STATUS_OK;
diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
index 7c42da4430..295ccae456 100644
--- a/source3/libsmb/clientgen.c
+++ b/source3/libsmb/clientgen.c
@@ -409,19 +409,64 @@ void cli_setup_bcc(struct cli_state *cli, void *p)
}
/****************************************************************************
+ Initialize Domain, user or password.
+****************************************************************************/
+
+NTSTATUS cli_set_domain(struct cli_state *cli, const char *domain)
+{
+ TALLOC_FREE(cli->domain);
+ cli->domain = talloc_strdup(cli, domain ? domain : "");
+ if (cli->domain == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ return NT_STATUS_OK;
+}
+
+NTSTATUS cli_set_username(struct cli_state *cli, const char *username)
+{
+ TALLOC_FREE(cli->user_name);
+ cli->user_name = talloc_strdup(cli, username ? username : "");
+ if (cli->user_name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ return NT_STATUS_OK;
+}
+
+NTSTATUS cli_set_password(struct cli_state *cli, const char *password)
+{
+ TALLOC_FREE(cli->password);
+
+ /* Password can be NULL. */
+ if (password) {
+ cli->password = talloc_strdup(cli, password);
+ if (cli->password == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ } else {
+ /* Use zero NTLMSSP hashes and session key. */
+ cli->password = NULL;
+ }
+
+ return NT_STATUS_OK;
+}
+
+/****************************************************************************
Initialise credentials of a client structure.
****************************************************************************/
-void cli_init_creds(struct cli_state *cli, const char *username, const char *domain, const char *password)
+NTSTATUS cli_init_creds(struct cli_state *cli, const char *username, const char *domain, const char *password)
{
- fstrcpy(cli->domain, domain);
- fstrcpy(cli->user_name, username);
- pwd_set_cleartext(&cli->pwd, password);
- if (!*username) {
- cli->pwd.null_pwd = true;
+ NTSTATUS status = cli_set_username(cli, username);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ status = cli_set_domain(cli, domain);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
+ DEBUG(10,("cli_init_creds: user %s domain %s\n", cli->user_name, cli->domain));
- DEBUG(10,("cli_init_creds: user %s domain %s\n", cli->user_name, cli->domain));
+ return cli_set_password(cli, password);
}
/****************************************************************************
diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
index f9ff4b3191..45cd392a5a 100644
--- a/source3/libsmb/passchange.c
+++ b/source3/libsmb/passchange.c
@@ -133,9 +133,17 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
return result;
}
- cli_init_creds(cli, "", "", NULL);
+ result = cli_init_creds(cli, "", "", NULL);
+ if (!NT_STATUS_IS_OK(result)) {
+ cli_shutdown(cli);
+ return result;
+ }
} else {
- cli_init_creds(cli, user_name, "", old_passwd);
+ result = cli_init_creds(cli, user_name, "", old_passwd);
+ if (!NT_STATUS_IS_OK(result)) {
+ cli_shutdown(cli);
+ return result;
+ }
}
result = cli_tcon_andx(cli, "IPC$", "IPC", "", 1);
@@ -222,7 +230,11 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
TALLOC_FREE(pipe_hnd);
/* Try anonymous NTLMSSP... */
- cli_init_creds(cli, "", "", NULL);
+ result = cli_init_creds(cli, "", "", NULL);
+ if (!NT_STATUS_IS_OK(result)) {
+ cli_shutdown(cli);
+ return result;
+ }
result = NT_STATUS_UNSUCCESSFUL;
diff --git a/source3/libsmb/pwd_cache.c b/source3/libsmb/pwd_cache.c
deleted file mode 100644
index 071e729e8c..0000000000
--- a/source3/libsmb/pwd_cache.c
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- Password cacheing. obfuscation is planned
- Copyright (C) Luke Kenneth Casson Leighton 1996-1998
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-
-/****************************************************************************
- Initialises a password structure.
-****************************************************************************/
-
-static void pwd_init(struct pwd_info *pwd)
-{
- memset((char *)pwd->password , '\0', sizeof(pwd->password ));
-
- pwd->null_pwd = True; /* safest option... */
-}
-
-/****************************************************************************
- Stores a cleartext password.
-****************************************************************************/
-
-void pwd_set_cleartext(struct pwd_info *pwd, const char *clr)
-{
- pwd_init(pwd);
- if (clr) {
- fstrcpy(pwd->password, clr);
- pwd->null_pwd = False;
- } else {
- pwd->null_pwd = True;
- }
-
- pwd->cleartext = True;
-}
-
-/****************************************************************************
- Gets a cleartext password.
-****************************************************************************/
-
-void pwd_get_cleartext(struct pwd_info *pwd, fstring clr)
-{
- if (pwd->cleartext)
- fstrcpy(clr, pwd->password);
- else
- clr[0] = 0;
-
-}
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 24dbcb0193..ef10c123f3 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2974,7 +2974,7 @@ bool rpccli_get_pwd_hash(struct rpc_pipe_client *rpc_cli, uint8_t nt_hash[16])
if (cli == NULL) {
return false;
}
- E_md4hash(cli->pwd.password, nt_hash);
+ E_md4hash(cli->password ? cli->password : "", nt_hash);
return true;
}
@@ -3699,7 +3699,7 @@ static NTSTATUS cli_rpc_pipe_open_ntlmssp_internal(struct cli_state *cli,
status = rpccli_ntlmssp_bind_data(
result, auth_type, auth_level, domain, username,
- cli->pwd.null_pwd ? NULL : password, &auth);
+ password, &auth);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("rpccli_ntlmssp_bind_data returned %s\n",
nt_errstr(status)));
diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index 64dfb5224c..e2d1497b28 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
@@ -333,6 +333,7 @@ bool torture_cli_session_setup2(struct cli_state *cli, uint16 *new_vuid)
uint16 old_vuid = cli->vuid;
fstring old_user_name;
size_t passlen = strlen(password);
+ NTSTATUS status;
bool ret;
fstrcpy(old_user_name, cli->user_name);
@@ -343,7 +344,10 @@ bool torture_cli_session_setup2(struct cli_state *cli, uint16 *new_vuid)
workgroup));
*new_vuid = cli->vuid;
cli->vuid = old_vuid;
- fstrcpy(cli->user_name, old_user_name);
+ status = cli_set_username(cli, old_user_name);
+ if (!NT_STATUS_IS_OK(status)) {
+ return false;
+ }
return ret;
}
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 7a53f19ffd..e06e30e0a8 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -866,7 +866,10 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
result = ads_ntstatus(ads_status);
if (NT_STATUS_IS_OK(result)) {
/* Ensure creds are stored for NTLMSSP authenticated pipe access. */
- cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
+ result = cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
goto session_setup_done;
}
}
@@ -891,7 +894,10 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
result = ads_ntstatus(ads_status);
if (NT_STATUS_IS_OK(result)) {
/* Ensure creds are stored for NTLMSSP authenticated pipe access. */
- cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
+ result = cli_init_creds(*cli, machine_account, lp_workgroup(), machine_password);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
goto session_setup_done;
}
}
@@ -917,7 +923,10 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
ipc_password, strlen(ipc_password)+1,
ipc_domain))) {
/* Successful logon with given username. */
- cli_init_creds(*cli, ipc_username, ipc_domain, ipc_password);
+ result = cli_init_creds(*cli, ipc_username, ipc_domain, ipc_password);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
goto session_setup_done;
} else {
DEBUG(4, ("authenticated session setup with user %s\\%s failed.\n",
@@ -935,7 +944,10 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
if (NT_STATUS_IS_OK(cli_session_setup(*cli, "", NULL, 0,
NULL, 0, ""))) {
DEBUG(5, ("Connected anonymously\n"));
- cli_init_creds(*cli, "", "", "");
+ result = cli_init_creds(*cli, "", "", "");
+ if (!NT_STATUS_IS_OK(result)) {
+ goto done;
+ }
goto session_setup_done;
}
@@ -970,8 +982,11 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
*retry = False;
/* set the domain if empty; needed for schannel connections */
- if ( !*(*cli)->domain ) {
- fstrcpy( (*cli)->domain, domain->name );
+ if ( !(*cli)->domain[0] ) {
+ result = cli_set_domain((*cli), domain->name);
+ if (!NT_STATUS_IS_OK(result)) {
+ return result;
+ }
}
result = NT_STATUS_OK;
@@ -1979,7 +1994,6 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
{
struct winbindd_cm_conn *conn;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
- fstring conn_pwd;
struct dcinfo *p_dcinfo;
char *machine_password = NULL;
char *machine_account = NULL;
@@ -2004,10 +2018,9 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
* anonymous.
*/
- pwd_get_cleartext(&conn->cli->pwd, conn_pwd);
if ((conn->cli->user_name[0] == '\0') ||
(conn->cli->domain[0] == '\0') ||
- (conn_pwd[0] == '\0'))
+ (conn->cli->password == NULL || conn->cli->password[0] == '\0'))
{
result = get_trust_creds(domain, &machine_password,
&machine_account, NULL);
@@ -2018,7 +2031,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
}
domain_name = domain->name;
} else {
- machine_password = SMB_STRDUP(conn_pwd);
+ machine_password = SMB_STRDUP(conn->cli->password);
machine_account = SMB_STRDUP(conn->cli->user_name);
domain_name = conn->cli->domain;
}
@@ -2147,7 +2160,6 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
{
struct winbindd_cm_conn *conn;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
- fstring conn_pwd;
struct dcinfo *p_dcinfo;
result = init_dc_connection(domain);
@@ -2160,10 +2172,9 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
goto done;
}
- pwd_get_cleartext(&conn->cli->pwd, conn_pwd);
if ((conn->cli->user_name[0] == '\0') ||
(conn->cli->domain[0] == '\0') ||
- (conn_pwd[0] == '\0')) {
+ (conn->cli->password == NULL || conn->cli->password[0] == '\0')) {
DEBUG(10, ("cm_connect_lsa: No no user available for "
"domain %s, trying schannel\n", conn->cli->domain));
goto schannel;
@@ -2174,7 +2185,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
result = cli_rpc_pipe_open_spnego_ntlmssp
(conn->cli, &ndr_table_lsarpc.syntax_id,
PIPE_AUTH_LEVEL_PRIVACY,
- conn->cli->domain, conn->cli->user_name, conn_pwd,
+ conn->cli->domain, conn->cli->user_name, conn->cli->password,
&conn->lsa_pipe);
if (!NT_STATUS_IS_OK(result)) {