diff options
-rw-r--r-- | source4/auth/auth_sam.c | 129 | ||||
-rw-r--r-- | source4/lib/util_sid.c | 3 |
2 files changed, 102 insertions, 30 deletions
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c index 681907e74a..d7e4e97826 100644 --- a/source4/auth/auth_sam.c +++ b/source4/auth/auth_sam.c @@ -40,17 +40,20 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, { if (acct_flags & ACB_PWNOTREQ) { if (lp_null_passwords()) { - DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", username)); + DEBUG(3,("Account for user '%s' has no password and null passwords are allowed.\n", + username)); return NT_STATUS_OK; } else { - DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", username)); + DEBUG(3,("Account for user '%s' has no password and null passwords are NOT allowed.\n", + username)); return NT_STATUS_LOGON_FAILURE; } } return ntlm_password_check(mem_ctx, &auth_context->challenge, &user_info->lm_resp, &user_info->nt_resp, - &user_info->lm_interactive_pwd, &user_info->nt_interactive_pwd, + &user_info->lm_interactive_pwd, + &user_info->nt_interactive_pwd, username, user_info->smb_name.str, user_info->client_domain.str, @@ -66,12 +69,12 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context, static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, const char *username, uint16 acct_flags, - struct ldb_message **msgs, + NTTIME *acct_expiry, + NTTIME *must_change_time, + NTTIME *last_set_time, + const char *workstation_list, const auth_usersupplied_info *user_info) { - char *workstation_list; - time_t kickoff_time; - DEBUG(4,("sam_account_ok: Checking SMB password for user %s\n", username)); /* Quit if the account was disabled. */ @@ -86,41 +89,37 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, return NT_STATUS_ACCOUNT_LOCKED_OUT; } -#if 0 /* Test account expire time */ - kickoff_time = pdb_get_kickoff_time(sampass); - if (kickoff_time != 0 && time(NULL) > kickoff_time) { + if (!nt_time_is_zero(acct_expiry) && time(NULL) > nt_time_to_unix(acct_expiry)) { DEBUG(1,("sam_account_ok: Account for user '%s' has expired.\n", username)); - DEBUG(3,("sam_account_ok: Account expired at '%ld' unix time.\n", (long)kickoff_time)); + DEBUG(3,("sam_account_ok: Account expired at '%s'.\n", + nt_time_string(mem_ctx, acct_expiry))); return NT_STATUS_ACCOUNT_EXPIRED; } if (!(acct_flags & ACB_PWNOEXP)) { - time_t must_change_time = pdb_get_pass_must_change_time(sampass); - time_t last_set_time = pdb_get_pass_last_set_time(sampass); /* check for immediate expiry "must change at next logon" */ - if (must_change_time == 0 && last_set_time != 0) { - DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", username)); + if (nt_time_is_zero(must_change_time) && !nt_time_is_zero(last_set_time)) { + DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", + username)); return NT_STATUS_PASSWORD_MUST_CHANGE; } /* check for expired password */ - if (must_change_time < time(NULL) && must_change_time != 0) { - DEBUG(1,("sam_account_ok: Account for user '%s' password expired!.\n", username)); - DEBUG(1,("sam_account_ok: Password expired at '%s' (%ld) unix time.\n", timestring(mem_ctx, must_change_time), (long)must_change_time)); + if (!nt_time_is_zero(must_change_time) && nt_time_to_unix(must_change_time) < time(NULL)) { + DEBUG(1,("sam_account_ok: Account for user '%s' password expired!.\n", + username)); + DEBUG(1,("sam_account_ok: Password expired at '%s' unix time.\n", + nt_time_string(mem_ctx, must_change_time))); return NT_STATUS_PASSWORD_EXPIRED; } } /* Test workstation. Workstation list is comma separated. */ - workstation_list = talloc_strdup(mem_ctx, pdb_get_workstations(sampass)); - if (!workstation_list) - return NT_STATUS_NO_MEMORY; - - if (*workstation_list) { + if (workstation_list && *workstation_list) { BOOL invalid_ws = True; const char *s = workstation_list; @@ -129,6 +128,7 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, while (next_token(&s, tok, ",", sizeof(tok))) { DEBUG(10,("sam_account_ok: checking for workstation match %s and %s (len=%d)\n", tok, user_info->wksta_name.str, user_info->wksta_name.len)); + if(strequal(tok, user_info->wksta_name.str)) { invalid_ws = False; break; @@ -138,7 +138,7 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, if (invalid_ws) return NT_STATUS_INVALID_WORKSTATION; } -#endif + if (acct_flags & ACB_DOMTRUST) { DEBUG(2,("sam_account_ok: Domain trust account %s denied by server\n", username)); return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT; @@ -170,10 +170,20 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, auth_serversupplied_info **server_info) { struct ldb_message **msgs; + struct ldb_message **msgs_domain; void *sam_ctx; - uint16 acct_flags; char *username = user_info->internal_username.str; - BOOL ret; + uint16 acct_flags; + const char *workstation_list; + NTTIME acct_expiry; + NTTIME must_change_time; + NTTIME last_set_time; + + uint_t ret; + uint_t ret_domain; + + const char *domain_dn; + NTSTATUS nt_status; DATA_BLOB user_sess_key = data_blob(NULL, 0); DATA_BLOB lm_sess_key = data_blob(NULL, 0); @@ -183,6 +193,19 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, struct samr_Hash *lmPwdHash, *ntPwdHash; uint_t num_lm, num_nt; + struct dom_sid *domain_sid; + + const char *attrs[] = {"unicodePwd", "lmPwdHash", "ntPwdHash", + "sAMAcctFlags", + "pwdLastSet", + "accountExpires", + "objectSid", + "userWorkstations", + NULL, + }; + + const char *domain_attrs[] = {NULL}; + if (!user_info || !auth_context) { return NT_STATUS_UNSUCCESSFUL; } @@ -191,28 +214,59 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, if (sam_ctx == NULL) { return NT_STATUS_INVALID_SYSTEM_SERVICE; } - /* pull all the user attributes */ - ret = samdb_search(sam_ctx, mem_ctx, NULL, &msgs, NULL, + /* pull the user attributes */ + ret = samdb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs, "(&(sAMAccountName=%s)(objectclass=user))", username); if (ret == 0) { DEBUG(3,("check_sam_security: Couldn't find user [%s] in passdb file.\n", username)); + samdb_close(sam_ctx); return NT_STATUS_NO_SUCH_USER; } if (ret > 1) { DEBUG(1,("Found %d records matching user [%s]\n", ret, username)); + samdb_close(sam_ctx); return NT_STATUS_INTERNAL_DB_CORRUPTION; } + domain_sid = dom_sid_parse_talloc(mem_ctx, samdb_result_string(msgs[0], "objectSid", NULL)); + if (!domain_sid) { + samdb_close(sam_ctx); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + sid_split_rid(domain_sid, NULL); + + /* find the domain's DN */ + ret_domain = samdb_search(sam_ctx, mem_ctx, NULL, &msgs_domain, domain_attrs, + "(&(objectSid=%s)(objectclass=domain))", + dom_sid_string(mem_ctx, domain_sid)); + + if (ret_domain == 0) { + DEBUG(3,("check_sam_security: Couldn't find domain [%s] in passdb file.\n", + dom_sid_string(mem_ctx, domain_sid))); + samdb_close(sam_ctx); + return NT_STATUS_NO_SUCH_USER; + } + + if (ret_domain > 1) { + DEBUG(1,("Found %d records matching domain [%s]\n", ret, dom_sid_string(mem_ctx, domain_sid))); + samdb_close(sam_ctx); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + domain_dn = msgs_domain[0]->dn; + acct_flags = samdb_result_acct_flags(msgs[0], "sAMAcctFlags"); /* Quit if the account was locked out. */ if (acct_flags & ACB_AUTOLOCK) { DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", username)); + samdb_close(sam_ctx); return NT_STATUS_ACCOUNT_LOCKED_OUT; } @@ -258,17 +312,32 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, user_info, &user_sess_key, &lm_sess_key); if (!NT_STATUS_IS_OK(nt_status)) { + samdb_close(sam_ctx); return nt_status; } - nt_status = sam_account_ok(mem_ctx, username, acct_flags, msgs, user_info); + acct_expiry = samdb_result_nttime(msgs[0], "accountExpires", 0); + must_change_time = samdb_result_force_pwd_change(sam_ctx, mem_ctx, + domain_dn, msgs[0], "pwdLastSet"); + last_set_time = samdb_result_nttime(msgs[0], "pwdLastSet", 0); + + workstation_list = samdb_result_string(msgs[0], "userWorkstations", NULL); + + nt_status = sam_account_ok(mem_ctx, username, acct_flags, + &acct_expiry, + &must_change_time, + &last_set_time, + workstation_list, + user_info); if (!NT_STATUS_IS_OK(nt_status)) { + samdb_close(sam_ctx); return nt_status; } if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info, username))) { DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status))); + samdb_close(sam_ctx); return nt_status; } @@ -292,6 +361,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, if (!(groupSIDs = talloc_realloc_p((*server_info)->mem_ctx, groupSIDs, struct dom_sid *, group_ret))) { talloc_destroy((*server_info)->mem_ctx); + samdb_close(sam_ctx); return NT_STATUS_NO_MEMORY; } @@ -313,6 +383,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context, False, &(*server_info)->ptok))) { DEBUG(1,("check_sam_security: create_nt_user_token failed with '%s'\n", nt_errstr(nt_status))); free_server_info(server_info); + samdb_close(sam_ctx); return nt_status; } } diff --git a/source4/lib/util_sid.c b/source4/lib/util_sid.c index 505555fe7e..6f63e25c5d 100644 --- a/source4/lib/util_sid.c +++ b/source4/lib/util_sid.c @@ -206,7 +206,8 @@ BOOL sid_split_rid(struct dom_sid *sid, uint32 *rid) { if (sid->num_auths > 0) { sid->num_auths--; - *rid = sid->sub_auths[sid->num_auths]; + if (rid) + *rid = sid->sub_auths[sid->num_auths]; return True; } return False; |