summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/auth/auth_domain.c101
-rw-r--r--source3/auth/auth_server.c39
-rw-r--r--source3/auth/auth_util.c181
-rw-r--r--source3/lib/server_mutex.c57
4 files changed, 282 insertions, 96 deletions
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index b41848076d..8c6bb8908f 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -29,32 +29,6 @@ BOOL global_machine_password_needs_changing = False;
extern pstring global_myname;
extern userdom_struct current_user_info;
-static char *mutex_server_name;
-
-static BOOL grab_server_mutex(const char *name)
-{
- mutex_server_name = strdup(name);
- if (!mutex_server_name) {
- DEBUG(0,("grab_server_mutex: malloc failed for %s\n", name));
- return False;
- }
- if (!message_named_mutex(name, 20)) {
- DEBUG(10,("grab_server_mutex: failed for %s\n", name));
- SAFE_FREE(mutex_server_name);
- return False;
- }
-
- return True;
-}
-
-static void release_server_mutex(void)
-{
- if (mutex_server_name) {
- message_named_mutex_release(mutex_server_name);
- SAFE_FREE(mutex_server_name);
- }
-}
-
/**
* Connect to a remote server for domain security authenticaion.
*
@@ -113,9 +87,10 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
logonserver. We can avoid a 30-second timeout if the DC is down
if the SAMLOGON request fails as it is only over UDP. */
- /* we use a mutex to prevent two connections at once - when a NT PDC gets
- two connections where one hasn't completed a negprot yet it will send a
- TCP reset to the first connection (tridge) */
+ /* we use a mutex to prevent two connections at once - when a
+ Win2k PDC get two connections where one hasn't completed a
+ session setup yet it will send a TCP reset to the first
+ connection (tridge) */
/*
* With NT4.x DC's *all* authentication must be serialized to avoid
@@ -307,14 +282,13 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
auth_serversupplied_info **server_info,
char *server, char *setup_creds_as,
uint16 sec_chan,
- unsigned char *trust_passwd,
+ unsigned char trust_passwd[16],
time_t last_change_time)
{
fstring remote_machine;
NET_USER_INFO_3 info3;
struct cli_state *cli = NULL;
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- struct passwd *pass;
/*
* At this point, smb_apasswd points to the lanman response to
@@ -358,63 +332,14 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
user_info->domain.str, cli->srv_name_slash,
nt_errstr(nt_status)));
} else {
- char *dom_user;
-
- /* Check DOMAIN\username first to catch winbind users, then
- just the username for local users. */
+ nt_status = make_server_info_info3(mem_ctx, domain, server_info, &info3);
+#if 0
+ /* The stuff doesn't work right yet */
+ SMB_ASSERT(sizeof((*server_info)->session_key) == sizeof(info3.user_sess_key));
+ memcpy((*server_info)->session_key, info3.user_sess_key, sizeof((*server_info)->session_key)/* 16 */);
+ SamOEMhash((*server_info)->session_key, trust_passwd, sizeof((*server_info)->session_key));
+#endif
- dom_user = talloc_asprintf(mem_ctx, "%s%s%s", user_info->domain.str,
- lp_winbind_separator(),
- user_info->internal_username.str);
-
- if (!dom_user) {
- DEBUG(0, ("talloc_asprintf failed!\n"));
- nt_status = NT_STATUS_NO_MEMORY;
- } else {
-
- if (!(pass = Get_Pwnam(dom_user)))
- pass = Get_Pwnam(user_info->internal_username.str);
-
- if (pass) {
- make_server_info_pw(server_info, pass);
- if (!server_info) {
- nt_status = NT_STATUS_NO_MEMORY;
- }
- } else {
- nt_status = NT_STATUS_NO_SUCH_USER;
- }
- }
- }
-
- /* Store the user group information in the server_info returned to the caller. */
-
- if (NT_STATUS_IS_OK(nt_status) && (info3.num_groups2 != 0)) {
- int i;
- NT_USER_TOKEN *ptok;
- auth_serversupplied_info *pserver_info = *server_info;
-
- if ((pserver_info->ptok = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) {
- DEBUG(0, ("domain_client_validate: out of memory allocating rid group membership\n"));
- nt_status = NT_STATUS_NO_MEMORY;
- free_server_info(server_info);
- goto done;
- }
-
- ptok = pserver_info->ptok;
- ptok->num_sids = (size_t)info3.num_groups2;
-
- if ((ptok->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptok->num_sids )) == NULL) {
- DEBUG(0, ("domain_client_validate: Out of memory allocating group SIDS\n"));
- nt_status = NT_STATUS_NO_MEMORY;
- free_server_info(server_info);
- goto done;
- }
-
- for (i = 0; i < ptok->num_sids; i++) {
- sid_copy(&ptok->user_sids[i], &info3.dom_sid.sid);
- sid_append_rid(&ptok->user_sids[i], info3.gids[i].g_rid);
- }
-
uni_group_cache_store_netlogon(mem_ctx, &info3);
}
@@ -434,8 +359,6 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
}
#endif /* 0 */
- done:
-
/* Note - once the cli stream is shutdown the mem_ctx used
to allocate the other_sids and gids structures has been deleted - so
these pointers are no longer valid..... */
diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c
index 0e650aa6e3..919cc8d3d8 100644
--- a/source3/auth/auth_server.c
+++ b/source3/auth/auth_server.c
@@ -62,6 +62,15 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx)
continue;
}
+ /* we use a mutex to prevent two connections at once - when a
+ Win2k PDC get two connections where one hasn't completed a
+ session setup yet it will send a TCP reset to the first
+ connection (tridge) */
+
+ if (!grab_server_mutex(desthost)) {
+ return NULL;
+ }
+
if (cli_connect(cli, desthost, &dest_ip)) {
DEBUG(3,("connected to password server %s\n",desthost));
connected_ok = True;
@@ -70,13 +79,19 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx)
}
if (!connected_ok) {
+ release_server_mutex();
DEBUG(0,("password server not available\n"));
cli_shutdown(cli);
return NULL;
}
-
- if (!attempt_netbios_session_request(cli, global_myname, desthost, &dest_ip))
+
+ if (!attempt_netbios_session_request(cli, global_myname,
+ desthost, &dest_ip)) {
+ release_server_mutex();
+ DEBUG(1,("password server fails session request\n"));
+ cli_shutdown(cli);
return NULL;
+ }
if (strequal(desthost,myhostname())) {
exit_server("Password server loop!");
@@ -86,6 +101,7 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx)
if (!cli_negprot(cli)) {
DEBUG(1,("%s rejected the negprot\n",desthost));
+ release_server_mutex();
cli_shutdown(cli);
return NULL;
}
@@ -93,12 +109,29 @@ static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx)
if (cli->protocol < PROTOCOL_LANMAN2 ||
!(cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) {
DEBUG(1,("%s isn't in user level security mode\n",desthost));
+ release_server_mutex();
cli_shutdown(cli);
return NULL;
}
- DEBUG(3,("password server OK\n"));
+ /* Get the first session setup done quickly, to avoid silly
+ Win2k bugs. (The next connection to the server will kill
+ this one...
+ */
+ if (!cli_session_setup(cli, "", "", 0, "", 0,
+ "")) {
+ DEBUG(0,("%s rejected the initial session setup (%s)\n",
+ desthost, cli_errstr(cli)));
+ release_server_mutex();
+ cli_shutdown(cli);
+ return NULL;
+ }
+
+ release_server_mutex();
+
+ DEBUG(3,("password server OK\n"));
+
return cli;
}
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 785815814d..a66cd6ffc7 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -460,7 +460,7 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info)
Make a user_info struct
***************************************************************************/
-BOOL make_server_info(auth_serversupplied_info **server_info)
+static BOOL make_server_info(auth_serversupplied_info **server_info)
{
*server_info = malloc(sizeof(**server_info));
if (!*server_info) {
@@ -566,6 +566,179 @@ BOOL make_server_info_guest(auth_serversupplied_info **server_info)
}
/***************************************************************************
+ Make a server_info struct from the info3 returned by a domain logon
+***************************************************************************/
+
+NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
+ const char *domain,
+ auth_serversupplied_info **server_info,
+ NET_USER_INFO_3 *info3)
+{
+ NTSTATUS nt_status = NT_STATUS_OK;
+
+ char *nt_domain;
+ char *nt_username;
+
+ SAM_ACCOUNT *sam_account = NULL;
+ DOM_SID user_sid;
+ DOM_SID group_sid;
+
+ struct passwd *passwd;
+
+ uid_t uid;
+ gid_t gid;
+
+ /*
+ Here is where we should check the list of
+ trusted domains, and verify that the SID
+ matches.
+ */
+
+ sid_copy(&user_sid, &info3->dom_sid.sid);
+ if (!sid_append_rid(&user_sid, info3->user_rid)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ sid_copy(&group_sid, &info3->dom_sid.sid);
+ if (!sid_append_rid(&group_sid, info3->group_rid)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (!(nt_username = unistr2_tdup(mem_ctx, &(info3->uni_user_name)))) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!(nt_domain = unistr2_tdup(mem_ctx, &(info3->uni_logon_dom)))) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (winbind_sid_to_uid(&uid, &user_sid)
+ && winbind_sid_to_gid(&gid, &group_sid)
+ && ((passwd = getpwuid_alloc(uid)))) {
+ nt_status = pdb_init_sam_pw(&sam_account, passwd);
+ passwd_free(&passwd);
+ } else {
+ char *dom_user;
+ dom_user = talloc_asprintf(mem_ctx, "%s%s%s",
+ nt_domain,
+ lp_winbind_separator(),
+ nt_username);
+
+ if (!dom_user) {
+ DEBUG(0, ("talloc_asprintf failed!\n"));
+ return NT_STATUS_NO_MEMORY;
+ } else {
+
+ if (!(passwd = Get_Pwnam(dom_user))
+ /* Only lookup local for the local
+ domain, we don't want this for
+ trusted domains */
+ && strequal(nt_domain, lp_workgroup())) {
+ passwd = Get_Pwnam(nt_username);
+ }
+
+ if (passwd) {
+ return NT_STATUS_NO_SUCH_USER;
+ } else {
+ nt_status = pdb_init_sam_pw(&sam_account, passwd);
+ }
+ }
+ }
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(0, ("make_server_info_info3: pdb_init_sam failed!\n"));
+ return nt_status;
+ }
+
+ if (!pdb_set_user_sid(sam_account, &user_sid)) {
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (!pdb_set_group_sid(sam_account, &group_sid)) {
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (!pdb_set_nt_username(sam_account, nt_username)) {
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!pdb_set_domain(sam_account, nt_domain)) {
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!pdb_set_fullname(sam_account, pdb_unistr2_convert(&(info3->uni_full_name)))) {
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!pdb_set_logon_script(sam_account, pdb_unistr2_convert(&(info3->uni_logon_script)), True)) {
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!pdb_set_profile_path(sam_account, pdb_unistr2_convert(&(info3->uni_profile_path)), True)) {
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!pdb_set_homedir(sam_account, pdb_unistr2_convert(&(info3->uni_home_dir)), True)) {
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!pdb_set_dir_drive(sam_account, pdb_unistr2_convert(&(info3->uni_dir_drive)), True)) {
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!make_server_info_sam(server_info, sam_account)) {
+ DEBUG(0, ("make_server_info_info3: make_server_info_sam failed!\n"));
+ pdb_free_sam(&sam_account);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* Store the user group information in the server_info
+ returned to the caller. */
+
+ if (info3->num_groups2 != 0) {
+ int i;
+ NT_USER_TOKEN *ptok;
+ auth_serversupplied_info *pserver_info = *server_info;
+
+ if ((pserver_info->ptok = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) {
+ DEBUG(0, ("domain_client_validate: out of memory allocating rid group membership\n"));
+ nt_status = NT_STATUS_NO_MEMORY;
+ free_server_info(server_info);
+ return nt_status;
+ }
+
+ ptok = pserver_info->ptok;
+ ptok->num_sids = (size_t)info3->num_groups2;
+
+ if ((ptok->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptok->num_sids )) == NULL) {
+ DEBUG(0, ("domain_client_validate: Out of memory allocating group SIDS\n"));
+ nt_status = NT_STATUS_NO_MEMORY;
+ free_server_info(server_info);
+ return nt_status;
+ }
+
+ for (i = 0; i < ptok->num_sids; i++) {
+ sid_copy(&ptok->user_sids[i], &(info3->dom_sid.sid));
+ if (!sid_append_rid(&ptok->user_sids[i], info3->gids[i].g_rid)) {
+ nt_status = NT_STATUS_INVALID_PARAMETER;
+ free_server_info(server_info);
+ return nt_status;
+ }
+ }
+ }
+ return NT_STATUS_OK;
+}
+
+/***************************************************************************
Make an auth_methods struct
***************************************************************************/
@@ -596,9 +769,9 @@ BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_me
void delete_nt_token(NT_USER_TOKEN **pptoken)
{
if (*pptoken) {
- NT_USER_TOKEN *ptoken = *pptoken;
- SAFE_FREE( ptoken->user_sids );
- ZERO_STRUCTP(ptoken);
+ NT_USER_TOKEN *ptoken = *pptoken;
+ SAFE_FREE( ptoken->user_sids );
+ ZERO_STRUCTP(ptoken);
}
SAFE_FREE(*pptoken);
}
diff --git a/source3/lib/server_mutex.c b/source3/lib/server_mutex.c
new file mode 100644
index 0000000000..416d77564d
--- /dev/null
+++ b/source3/lib/server_mutex.c
@@ -0,0 +1,57 @@
+/*
+ Unix SMB/CIFS implementation.
+ Authenticate against a remote domain
+ Copyright (C) Andrew Tridgell 1992-2002
+ Copyright (C) Andrew Bartlett 2002
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+/* For reasons known only to MS, many of their NT/Win2k versions
+ need serialised access only. Two connections at the same time
+ may (in certain situations) cause connections to be reset,
+ or access to be denied.
+
+ This locking allows smbd's mutlithread architecture to look
+ like the single-connection that NT makes. */
+
+static char *mutex_server_name;
+
+BOOL grab_server_mutex(const char *name)
+{
+ mutex_server_name = strdup(name);
+ if (!mutex_server_name) {
+ DEBUG(0,("grab_server_mutex: malloc failed for %s\n", name));
+ return False;
+ }
+ if (!message_named_mutex(mutex_server_name, 20)) {
+ DEBUG(10,("grab_server_mutex: failed for %s\n", name));
+ SAFE_FREE(mutex_server_name);
+ return False;
+ }
+
+ return True;
+}
+
+void release_server_mutex(void)
+{
+ if (mutex_server_name) {
+ message_named_mutex_release(mutex_server_name);
+ SAFE_FREE(mutex_server_name);
+ }
+}
+