diff options
-rw-r--r-- | source3/codepages/codepage_def.936 | 2 | ||||
-rw-r--r-- | source3/param/loadparm.c | 11 | ||||
-rw-r--r-- | source3/passdb/passdb.c | 8 | ||||
-rw-r--r-- | source3/smbd/password.c | 162 | ||||
-rw-r--r-- | source3/utils/smbpasswd.c | 6 |
5 files changed, 80 insertions, 109 deletions
diff --git a/source3/codepages/codepage_def.936 b/source3/codepages/codepage_def.936 index 25a317ffea..400b60a633 100644 --- a/source3/codepages/codepage_def.936 +++ b/source3/codepages/codepage_def.936 @@ -14,7 +14,7 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. # -# Codepage definition file for IBM Code Page 949 - MS-DOS Simplified Chinese. +# Codepage definition file for IBM Code Page 936 - MS-DOS Simplified Chinese. # defines lower->upper mapping. # Written by Jeremy Allison <jallison@whistle.com> diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 37e53f437e..fcdc2ae68d 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -145,7 +145,6 @@ typedef struct char *szNISHomeMapName; char *szAnnounceVersion; /* This is initialised in init_globals */ char *szNetbiosAliases; - char *szDomainSID; char *szDomainOtherSIDs; char *szDomainGroups; char *szDriverFile; @@ -207,7 +206,6 @@ typedef struct BOOL bWINSproxy; BOOL bLocalMaster; BOOL bPreferredMaster; - BOOL bDomainController; BOOL bDomainMaster; BOOL bDomainLogons; BOOL bEncryptPasswords; @@ -226,7 +224,6 @@ typedef struct BOOL bNISHomeMap; BOOL bTimeServer; BOOL bBindInterfacesOnly; - BOOL bNetWkstaUserLogon; BOOL bUnixPasswdSync; BOOL bPasswdChatDebug; BOOL bOleLockingCompat; @@ -577,7 +574,6 @@ static struct parm_struct parm_table[] = {"read bmpx", P_BOOL, P_GLOBAL, &Globals.bReadbmpx, NULL, NULL, 0}, {"read raw", P_BOOL, P_GLOBAL, &Globals.bReadRaw, NULL, NULL, 0}, {"write raw", P_BOOL, P_GLOBAL, &Globals.bWriteRaw, NULL, NULL, 0}, - {"networkstation user login", P_BOOL,P_GLOBAL, &Globals.bNetWkstaUserLogon,NULL, NULL, 0}, {"nt smb support", P_BOOL, P_GLOBAL, &Globals.bNTSmbSupport, NULL, NULL, 0}, {"nt pipe support", P_BOOL, P_GLOBAL, &Globals.bNTPipeSupport, NULL, NULL, 0}, {"announce version", P_STRING, P_GLOBAL, &Globals.szAnnounceVersion, NULL, NULL, 0}, @@ -659,9 +655,7 @@ static struct parm_struct parm_table[] = {"stat cache", P_BOOL, P_GLOBAL, &Globals.bStatCache, NULL, NULL, 0}, {"Domain Options", P_SEP, P_SEPARATOR}, - {"domain sid", P_USTRING, P_GLOBAL, &Globals.szDomainSID, NULL, NULL, 0}, {"domain groups", P_STRING, P_GLOBAL, &Globals.szDomainGroups, NULL, NULL, 0}, - {"domain controller",P_BOOL , P_GLOBAL, &Globals.bDomainController,NULL, NULL, 0}, {"domain admin group",P_STRING, P_GLOBAL, &Globals.szDomainAdminGroup, NULL, NULL, 0}, {"domain guest group",P_STRING, P_GLOBAL, &Globals.szDomainGuestGroup, NULL, NULL, 0}, {"domain admin users",P_STRING, P_GLOBAL, &Globals.szDomainAdminUsers, NULL, NULL, 0}, @@ -866,8 +860,6 @@ static void init_globals(void) Globals.client_code_page = DEFAULT_CLIENT_CODE_PAGE; Globals.bTimeServer = False; Globals.bBindInterfacesOnly = False; - Globals.bNetWkstaUserLogon = False; /* This is now set to false by default as - the code in password.c protects us from this bug. */ Globals.bUnixPasswdSync = False; Globals.bPasswdChatDebug = False; Globals.bOleLockingCompat = True; @@ -1105,7 +1097,6 @@ FN_GLOBAL_STRING(lp_netbios_aliases,&Globals.szNetbiosAliases) FN_GLOBAL_STRING(lp_driverfile,&Globals.szDriverFile) FN_GLOBAL_STRING(lp_panic_action,&Globals.szPanicAction) -FN_GLOBAL_STRING(lp_domain_sid,&Globals.szDomainSID) FN_GLOBAL_STRING(lp_domain_groups,&Globals.szDomainGroups) FN_GLOBAL_STRING(lp_domain_admin_group,&Globals.szDomainAdminGroup) FN_GLOBAL_STRING(lp_domain_guest_group,&Globals.szDomainGuestGroup) @@ -1142,7 +1133,6 @@ FN_GLOBAL_BOOL(lp_wins_support,&Globals.bWINSsupport) FN_GLOBAL_BOOL(lp_we_are_a_wins_server,&Globals.bWINSsupport) FN_GLOBAL_BOOL(lp_wins_proxy,&Globals.bWINSproxy) FN_GLOBAL_BOOL(lp_local_master,&Globals.bLocalMaster) -FN_GLOBAL_BOOL(lp_domain_controller,&Globals.bDomainController) FN_GLOBAL_BOOL(lp_domain_master,&Globals.bDomainMaster) FN_GLOBAL_BOOL(lp_domain_logons,&Globals.bDomainLogons) FN_GLOBAL_BOOL(lp_preferred_master,&Globals.bPreferredMaster) @@ -1163,7 +1153,6 @@ FN_GLOBAL_BOOL(lp_unix_realname,&Globals.bUnixRealname) FN_GLOBAL_BOOL(lp_nis_home_map,&Globals.bNISHomeMap) static FN_GLOBAL_BOOL(lp_time_server,&Globals.bTimeServer) FN_GLOBAL_BOOL(lp_bind_interfaces_only,&Globals.bBindInterfacesOnly) -FN_GLOBAL_BOOL(lp_net_wksta_user_logon,&Globals.bNetWkstaUserLogon) FN_GLOBAL_BOOL(lp_unix_password_sync,&Globals.bUnixPasswdSync) FN_GLOBAL_BOOL(lp_passwd_chat_debug,&Globals.bPasswdChatDebug) FN_GLOBAL_BOOL(lp_ole_locking_compat,&Globals.bOleLockingCompat) diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index aae59b32f6..f29a9ff570 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -875,13 +875,11 @@ BOOL pdb_generate_sam_sid(void) } /* - * The file contains no data - we may need to generate our - * own sid. Try the lp_domain_sid() first. + * The file contains no data - we need to generate our + * own sid. */ - if(*lp_domain_sid()) - fstrcpy( sid_string, lp_domain_sid()); - else { + { /* * Generate the new sid data & turn it into a string. */ diff --git a/source3/smbd/password.c b/source3/smbd/password.c index 95560df66b..d49ea7c562 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -1036,114 +1036,98 @@ BOOL server_validate(char *user, char *domain, char *pass, int passlen, char *ntpass, int ntpasslen) { - struct cli_state *cli; - extern fstring local_machine; - static unsigned char badpass[24]; - cli = server_client(); + struct cli_state *cli; + extern fstring local_machine; + static unsigned char badpass[24]; + static BOOL tested_password_server = False; + static BOOL bad_password_server = False; - if (!cli->initialised) { - DEBUG(1,("password server %s is not connected\n", cli->desthost)); - return(False); - } + cli = server_client(); - if(badpass[0] == 0) { - memset(badpass, 0x1f, sizeof(badpass)); - } + if (!cli->initialised) { + DEBUG(1,("password server %s is not connected\n", cli->desthost)); + return(False); + } - if((passlen == sizeof(badpass)) && !memcmp(badpass, pass, passlen)) { - /* Very unlikely, our random bad password is the same as the users - password. */ - memset(badpass, badpass[0]+1, sizeof(badpass)); - } + if(badpass[0] == 0) + memset(badpass, 0x1f, sizeof(badpass)); - /* - * Attempt a session setup with a totally incorrect password. - * If this succeeds with the guest bit *NOT* set then the password - * server is broken and is not correctly setting the guest bit. We - * need to detect this as some versions of NT4.x are broken. JRA. - */ + if((passlen == sizeof(badpass)) && !memcmp(badpass, pass, passlen)) { + /* + * Very unlikely, our random bad password is the same as the users + * password. */ + memset(badpass, badpass[0]+1, sizeof(badpass)); + } - if (cli_session_setup(cli, user, (char *)badpass, sizeof(badpass), - (char *)badpass, sizeof(badpass), domain)) { - if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) { - DEBUG(0,("server_validate: password server %s allows users as non-guest \ -with a bad password.\n", cli->desthost)); - DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \ -use this machine as the password server.\n")); - cli_ulogoff(cli); - return False; - } - cli_ulogoff(cli); - } + /* + * Attempt a session setup with a totally incorrect password. + * If this succeeds with the guest bit *NOT* set then the password + * server is broken and is not correctly setting the guest bit. We + * need to detect this as some versions of NT4.x are broken. JRA. + */ - /* - * Now we know the password server will correctly set the guest bit, or is - * not guest enabled, we can try with the real password. - */ + if(!tested_password_server) { + if (cli_session_setup(cli, user, (char *)badpass, sizeof(badpass), + (char *)badpass, sizeof(badpass), domain)) { - if (!cli_session_setup(cli, user, pass, passlen, ntpass, ntpasslen, domain)) { - DEBUG(1,("password server %s rejected the password\n", cli->desthost)); - return False; - } + /* + * We connected to the password server so we + * can say we've tested it. + */ + tested_password_server = True; - /* if logged in as guest then reject */ - if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) { - DEBUG(1,("password server %s gave us guest only\n", cli->desthost)); - cli_ulogoff(cli); - return(False); - } + if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) { + DEBUG(0,("server_validate: password server %s allows users as non-guest \ +with a bad password.\n", cli->desthost)); + DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \ +use this machine as the password server.\n")); + cli_ulogoff(cli); /* - * This patch from Rob Nielsen <ran@adc.com> makes doing - * the NetWksaUserLogon a dynamic, rather than compile-time - * parameter, defaulting to on. This is somewhat dangerous - * as it allows people to turn off this neccessary check, - * but so many people have had problems with this that I - * think it is a neccessary change. JRA. + * Password server has the bug. */ + bad_password_server = True; + return False; + } + cli_ulogoff(cli); + } + } else { - if (lp_net_wksta_user_logon()) { - DEBUG(3,("trying NetWkstaUserLogon with password server %s\n", cli->desthost)); + /* + * We have already tested the password server. + * Fail immediately if it has the bug. + */ - if (!cli_send_tconX(cli, "IPC$", "IPC", "", 1)) { - DEBUG(0,("password server %s refused IPC$ connect\n", cli->desthost)); - cli_ulogoff(cli); - return False; - } + if(bad_password_server) { + DEBUG(0,("server_validate: [1] password server %s allows users as non-guest \ +with a bad password.\n", cli->desthost)); + DEBUG(0,("server_validate: [1] This is broken (and insecure) behaviour. Please do not \ +use this machine as the password server.\n")); + return False; + } + } - if (!cli_NetWkstaUserLogon(cli,user,local_machine)) { - DEBUG(0,("password server %s failed NetWkstaUserLogon\n", cli->desthost)); - cli_tdis(cli); - cli_ulogoff(cli); - return False; - } + /* + * Now we know the password server will correctly set the guest bit, or is + * not guest enabled, we can try with the real password. + */ - if (cli->privilages == 0) { - DEBUG(0,("password server %s gave guest privilages\n", cli->desthost)); - cli_tdis(cli); - cli_ulogoff(cli); - return False; - } + if (!cli_session_setup(cli, user, pass, passlen, ntpass, ntpasslen, domain)) { + DEBUG(1,("password server %s rejected the password\n", cli->desthost)); + return False; + } - if (!strequal(cli->eff_name, user)) { - DEBUG(0,("password server %s gave different username %s\n", - cli->desthost, - cli->eff_name)); - cli_tdis(cli); - cli_ulogoff(cli); - return False; - } - cli_tdis(cli); - } - else { - DEBUG(3,("skipping NetWkstaUserLogon with password server %s\n", cli->desthost)); - } + /* if logged in as guest then reject */ + if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) { + DEBUG(1,("password server %s gave us guest only\n", cli->desthost)); + cli_ulogoff(cli); + return(False); + } - DEBUG(3,("password server %s accepted the password\n", cli->desthost)); - cli_ulogoff(cli); + cli_ulogoff(cli); - return(True); + return(True); } /*********************************************************************** diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c index 147e3492af..b27bbbbd3b 100644 --- a/source3/utils/smbpasswd.c +++ b/source3/utils/smbpasswd.c @@ -60,9 +60,9 @@ static int join_domain( char *domain, char *remote) domain if we are locally set up as a domain controller. */ - if(lp_domain_controller() && strequal(lp_workgroup(), domain)) { - fprintf(stderr, "%s: Cannot join domain %s as we already configured as \ -domain controller for that domain.\n", prog_name, domain); + if(strequal(remote, global_myname)) { + fprintf(stderr, "%s: Cannot join domain %s as the domain controller name is our own. \ +We cannot be a domain controller for a domain and also be a domain member.\n", prog_name, domain); return 1; } |