-rw-r--r-- | source3/auth/auth.c | 2 | ||||
-rw-r--r-- | source3/auth/auth_builtin.c | 30 | ||||
-rw-r--r-- | source3/auth/auth_domain.c | 27 | ||||
-rw-r--r-- | source3/auth/auth_info.c | 28 | ||||
-rw-r--r-- | source3/auth/auth_sam.c | 37 | ||||
-rw-r--r-- | source3/auth/auth_server.c | 11 | ||||
-rw-r--r-- | source3/param/loadparm.c | 28 |
7 files changed, 110 insertions, 53 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index e68f4a1aac..e22c52702c 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -36,7 +36,7 @@ static BOOL check_domain_match(char *user, char *domain)
 */
 if (!lp_allow_trusted_domains() &&
- (!strequal(lp_workgroup(), domain) || strequal("", domain))) {
+ (strequal("", domain) || strequal(lp_workgroup(), domain) || is_netbios_alias_or_name(domain))) {
 DEBUG(1, ("check_domain_match: Attempt to connect as user %s from domain %s denied.\n", user, domain));
 return False;
 } else {
diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c
index 482ae6dee1..2bba36f754 100644
--- a/source3/auth/auth_builtin.c
+++ b/source3/auth/auth_builtin.c
@@ -56,36 +56,6 @@ BOOL auth_init_guest(auth_methods **auth_method)
 }
 /****************************************************************************
- Check against either sam or unix, depending on encryption.
-****************************************************************************/
-
-static NTSTATUS check_local_security(void *my_private_data,
- const auth_usersupplied_info *user_info,
- const auth_authsupplied_info *auth_info,
- auth_serversupplied_info **server_info)
-{
- NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
-
- if (user_info->encrypted) {
- nt_status = check_sam_security(my_private_data, user_info, auth_info, server_info);
- } else {
- nt_status = check_unix_security(my_private_data, user_info, auth_info, server_info);
- }
-
- return nt_status;
-}
-
-BOOL auth_init_local(auth_methods **auth_method)
-{
- if (!make_auth_methods(auth_method)) {
- return False;
- }
-
- (*auth_method)->auth = check_local_security;
- return True;
-}
-
-/****************************************************************************
 Return an error based on username
 ****************************************************************************/
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index c605356af8..a41e43bd82 100644
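Review bot: The rewritten condition in check_domain_match appears to invert the policy: the old line denied a logon when the domain was not our workgroup, while the new `+` line denies it when the domain is empty, is our workgroup, or is one of our own NetBIOS names, i.e. exactly the local cases, whenever allow trusted domains is off. Unless the intent really is to reject local-domain logons, the three alternatives need negating as a group: `!(strequal("", domain) || strequal(lp_workgroup(), domain) || is_netbios_alias_or_name(domain))`. With that fix an empty domain, which the old code denied, would now be accepted, so the comment above the `if` should state that this is deliberate. The body of check_domain_match continues outside the hunk.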
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -285,17 +285,6 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info,
 NTSTATUS status;
 struct passwd *pass;
- /*
- * Check that the requested domain is not our own machine name.
- * If it is, we should never check the PDC here, we use our own local
- * password file.
- */
-
- if(strequal(user_info->domain.str, global_myname)) {
- DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n"));
- return NT_STATUS_LOGON_FAILURE;
- }
-
 /*
 * At this point, smb_apasswd points to the lanman response to
 * the challenge in local_challenge, and smb_ntpasswd points to
@@ -445,6 +434,22 @@ static NTSTATUS check_ntdomain_security(void *my_private_data,
 unsigned char trust_passwd[16];
 time_t last_change_time;
+ if (!user_info || !server_info || !auth_info) {
+ DEBUG(1,("check_ntdomain_security: Critical variables not present. Failing.\n"));
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
+ /*
+ * Check that the requested domain is not our own machine name.
+ * If it is, we should never check the PDC here, we use our own local
+ * password file.
+ */
+
+ if(is_netbios_alias_or_name(user_info->domain.str)) {
+ DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n"));
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
 become_root();
 /*
diff --git a/source3/auth/auth_info.c b/source3/auth/auth_info.c
index 8087be48f2..99648aba8d 100644
--- a/source3/auth/auth_info.c
+++ b/source3/auth/auth_info.c
@@ -25,9 +25,9 @@ const struct auth_init_function builtin_auth_init_functions[] = {
 { "guest", auth_init_guest },
 { "rhosts", auth_init_rhosts },
 { "hostsequiv", auth_init_hostsequiv },
- { "sam", auth_init_sam },
+ { "sam", auth_init_sam },
+ { "samstrict", auth_init_samstrict },
 { "unix", auth_init_unix },
- { "local", auth_init_local },
 { "smbserver", auth_init_smbserver },
 { "ntdomain", auth_init_ntdomain },
 { "winbind", auth_init_winbind },
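Review bot: The comment above the new `is_netbios_alias_or_name` check in check_ntdomain_security still reads "not our own machine name", but the check now also rejects every name configured in netbios aliases, and the same wording is copied into the auth_server.c hunk; a reader who sees only the comment will not expect aliases to be covered. I would change the first comment line to `* Check that the requested domain is not our own machine name or one of our netbios aliases.` Returning NT_STATUS_LOGON_FAILURE here, rather than the NT_STATUS_NO_SUCH_USER that check_samstrict_security uses for the opposite case, presumably stops the method chain for such logons, so the comment should also say that the local SAM method is expected to have handled them earlier in the list; the default lists in auth_info.c do place samstrict ahead of ntdomain, but a hand-written auth methods list need not. The rest of check_ntdomain_security lies outside the hunk.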
@@ -139,23 +139,33 @@ BOOL make_auth_info_subsystem(auth_authsupplied_info **auth_info)
 {
 case SEC_DOMAIN:
 DEBUG(5,("Making default auth method list for security=domain\n"));
- auth_method_list = lp_list_make("guest ntdomain local");
+ auth_method_list = lp_list_make("guest samstrict ntdomain");
 break;
 case SEC_SERVER:
 DEBUG(5,("Making default auth method list for security=server\n"));
- auth_method_list = lp_list_make("guest smbserver local");
+ auth_method_list = lp_list_make("guest samstrict smbserver");
 break;
 case SEC_USER:
- DEBUG(5,("Making default auth method list for security=user\n"));
- auth_method_list = lp_list_make("guest local");
+ if (lp_encrypted_passwords()) {
+ DEBUG(5,("Making default auth method list for security=user, encrypt passwords = yes\n"));
+ auth_method_list = lp_list_make("guest sam");
+ } else {
+ DEBUG(5,("Making default auth method list for security=user, encrypt passwords = no\n"));
+ auth_method_list = lp_list_make("guest unix");
+ }
 break;
 case SEC_SHARE:
- DEBUG(5,("Making default auth method list for security=share\n"));
- auth_method_list = lp_list_make("guest local");
+ if (lp_encrypted_passwords()) {
+ DEBUG(5,("Making default auth method list for security=share, encrypt passwords = yes\n"));
+ auth_method_list = lp_list_make("guest sam");
+ } else {
+ DEBUG(5,("Making default auth method list for security=share, encrypt passwords = no\n"));
+ auth_method_list = lp_list_make("guest unix");
+ }
 break;
 case SEC_ADS:
 DEBUG(5,("Making default auth method list for security=ADS\n"));
- auth_method_list = lp_list_make("guest ads ntdomain local");
+ auth_method_list = lp_list_make("guest samstrict ads ntdomain");
 break;
 default:
 DEBUG(5,("Unknown auth method!\n"));
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index 421349a765..d899006cf8 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
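Review bot: The SEC_USER and SEC_SHARE cases now carry the same `lp_encrypted_passwords()` branch twice, differing only in the "security=user"/"security=share" text of the DEBUG message, so the two defaults can drift apart on the next edit; letting the two case labels share one body avoids that. Note that the sam-or-unix decision is now made once when the method list is built, whereas the removed check_local_security in auth_builtin.c chose per request from `user_info->encrypted`; combined with the new encrypt passwords = yes default in the loadparm.c hunk, a plaintext logon against a security=user server will only ever see `guest sam`. If that is intended it deserves a sentence in the comment above this switch. The enclosing function continues outside the hunk.
```c
	case SEC_USER:
	case SEC_SHARE:
		if (lp_encrypted_passwords()) {
			DEBUG(5,("Making default auth method list for security=user/share, encrypt passwords = yes\n"));
			auth_method_list = lp_list_make("guest sam");
		} else {
			DEBUG(5,("Making default auth method list for security=user/share, encrypt passwords = no\n"));
			auth_method_list = lp_list_make("guest unix");
		}
		break;
	/* … unchanged: SEC_ADS and default cases … */
```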
@@ -337,7 +337,7 @@ SMB hash supplied in the user_info structure
 return an NT_STATUS constant.
 ****************************************************************************/
-NTSTATUS check_sam_security(void *my_private_dat,
+static NTSTATUS check_sam_security(void *my_private_data,
 const auth_usersupplied_info *user_info,
 const auth_authsupplied_info *auth_info,
 auth_serversupplied_info **server_info)
@@ -408,5 +408,40 @@ BOOL auth_init_sam(auth_methods **auth_method)
 return True;
 }
+/****************************************************************************
+check if a username/password is OK assuming the password is a 24 byte
+SMB hash supplied in the user_info structure
+return an NT_STATUS constant.
+****************************************************************************/
+
+static NTSTATUS check_samstrict_security(void *my_private_data,
+ const auth_usersupplied_info *user_info,
+ const auth_authsupplied_info *auth_info,
+ auth_serversupplied_info **server_info)
+{
+
+ if (!user_info || !auth_info) {
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
+ /* If we are a domain member, we must not
+ attempt to check the password locally,
+ unless it is one of our aliases. */
+
+ if (!is_netbios_alias_or_name(user_info->domain.str)) {
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ return check_sam_security(my_private_data, user_info, auth_info, server_info);
+}
+
+BOOL auth_init_samstrict(auth_methods **auth_method)
+{
+ if (!make_auth_methods(auth_method)) {
+ return False;
+ }
+ (*auth_method)->auth = check_samstrict_security;
+ return True;
+}
diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c
index a3cfc3a0e6..d061a5a84f 100644
--- a/source3/auth/auth_server.c
+++ b/source3/auth/auth_server.c
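Review bot: The header comment on the new check_samstrict_security is a verbatim copy of the one on check_sam_security and says nothing about what makes it strict, which is the one thing a reader of this file needs. I would replace it with a comment stating that this is check_sam_security restricted to logons whose domain is this machine's NetBIOS name or one of its netbios aliases, that any other domain returns NT_STATUS_NO_SUCH_USER (presumably so a later method in the list such as ntdomain, smbserver or ads can try), and that a NULL user_info or auth_info returns NT_STATUS_LOGON_FAILURE. The inline comment `If we are a domain member` is also misleading, since the test is applied unconditionally; the function is domain-specific only because auth_info.c places it in the security=domain/server/ADS default lists. Unlike the parallel guard added to check_ntdomain_security in auth_domain.c, `server_info` is not NULL-checked here, and whether check_sam_security tolerates that is not visible in this hunk.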
@@ -186,6 +186,17 @@ static NTSTATUS check_smbserver_security(void *my_private_data,
 NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
 BOOL locally_made_cli = False;
+ /*
+ * Check that the requested domain is not our own machine name.
+ * If it is, we should never check the PDC here, we use our own local
+ * password file.
+ */
+
+ if(is_netbios_alias_or_name(user_info->domain.str)) {
+ DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n"));
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
 cli = my_private_data;
 if (cli) {
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 393c4a74a2..9d8a4abc5e 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -1238,7 +1238,7 @@ static void init_globals(void)
 Globals.minprotocol = PROTOCOL_CORE;
 Globals.security = SEC_USER;
 Globals.paranoid_server_security = True;
- Globals.bEncryptPasswords = False;
+ Globals.bEncryptPasswords = True;
 Globals.bUpdateEncrypt = False;
 Globals.bReadRaw = True;
 Globals.bWriteRaw = True;
@@ -3850,3 +3850,29 @@ void get_private_directory(pstring privdir)
 {
 pstrcpy (privdir, lp_private_dir());
 }
+
+
+/****************************************************************
+ Is netbios alias or name
+*****************************************************************/
+
+BOOL is_netbios_alias_or_name(char *name)
+{
+ char **netbios_aliases = lp_netbios_aliases();
+
+ if (StrCaseCmp(name, global_myname) == 0) {
+ return True;
+ }
+
+ for (netbios_aliases = lp_netbios_aliases();
+ netbios_aliases && *netbios_aliases;
+ netbios_aliases++) {
+ if (StrCaseCmp(name, *netbios_aliases) == 0) {
+ return True;
+ }
+ }
+
+ return False;
+}
+
+
|
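Review bot: The DEBUG message added to check_smbserver_security names the wrong function: it prints `check_ntdomain_security:`, which sends anyone reading the log to auth_domain.c instead of this file. Change it to `DEBUG(3,("check_smbserver_security: Requested domain was for this machine.\n"));`. The new block also dereferences `user_info->domain.str` without the `!user_info || !server_info || !auth_info` guard that the auth_domain.c hunk puts in front of the identical check in check_ntdomain_security; if that guard is needed there it is needed here, since no earlier NULL check is visible in this hunk. The rest of check_smbserver_security is outside the hunk.
```c
	BOOL locally_made_cli = False;

	if (!user_info || !server_info || !auth_info) {
		DEBUG(1,("check_smbserver_security: Critical variables not present. Failing.\n"));
		return NT_STATUS_LOGON_FAILURE;
	}

	/* … unchanged: comment explaining why our own name is never forwarded … */
	if(is_netbios_alias_or_name(user_info->domain.str)) {
		DEBUG(3,("check_smbserver_security: Requested domain was for this machine.\n"));
		return NT_STATUS_LOGON_FAILURE;
	}
	/* … unchanged: cli = my_private_data; … */
```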
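Review bot: In is_netbios_alias_or_name the declaration `char **netbios_aliases = lp_netbios_aliases();` is immediately overwritten by the for-loop initialiser, so lp_netbios_aliases() is called twice and the first result is discarded; declare it as `char **netbios_aliases;` and let the loop initialise it. The function only reads `name`, so the parameter should be `const char *name`, which stays compatible with the `char *` arguments passed from auth.c, auth_domain.c, auth_sam.c and auth_server.c. It is called with `user_info->domain.str` from three authentication methods with no NULL check on either side; unless StrCaseCmp is known to tolerate a NULL argument, add `if (!name) return False;` before the first comparison. The header comment should also say what the function answers, e.g. `Does name match this server's NetBIOS name or one of its netbios aliases (case-insensitive)?`.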