-rw-r--r--source3/auth/auth_domain.c19
-rw-r--r--source3/auth/auth_ntlmssp.c2
-rw-r--r--source3/auth/auth_sam.c15
-rw-r--r--source3/auth/auth_util.c15
-rw-r--r--source3/auth/auth_winbind.c2
-rw-r--r--source3/include/auth.h18
-rw-r--r--source3/include/libsmbclient.h5
-rw-r--r--source3/include/rpc_netlogon.h3
-rw-r--r--source3/nsswitch/wbinfo.c2
-rw-r--r--source3/nsswitch/winbindd_nss.h1
-rw-r--r--source3/nsswitch/winbindd_pam.c38
-rw-r--r--source3/rpc_client/cli_netlogon.c18
-rw-r--r--source3/rpc_server/srv_netlog_nt.c5
-rw-r--r--source3/rpcclient/cmd_netlogon.c2
-rw-r--r--source3/utils/ntlm_auth.c2
15 files changed, 92 insertions, 55 deletions
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index 8d29367835..94b138e55b 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -218,15 +218,16 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
*/
nt_status = rpccli_netlogon_sam_network_logon(netlogon_pipe,
- mem_ctx,
- dc_name, /* server name */
- user_info->smb_name.str, /* user name logging on. */
- user_info->domain.str, /* domain name */
- user_info->wksta_name.str, /* workstation name */
- chal, /* 8 byte challenge. */
- user_info->lm_resp, /* lanman 24 byte response */
- user_info->nt_resp, /* nt 24 byte response */
- &info3); /* info3 out */
+ mem_ctx,
+ user_info->logon_parameters,/* flags such as 'allow workstation logon' */
+ dc_name, /* server name */
+ user_info->smb_name.str, /* user name logging on. */
+ user_info->domain.str, /* domain name */
+ user_info->wksta_name.str, /* workstation name */
+ chal, /* 8 byte challenge. */
+ user_info->lm_resp, /* lanman 24 byte response */
+ user_info->nt_resp, /* nt 24 byte response */
+ &info3); /* info3 out */
/* Let go as soon as possible so we avoid any potential deadlocks
with winbind lookup up users or groups. */
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index 738af73f49..2fef8f1e9b 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -101,6 +101,8 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
NULL, NULL, NULL,
True);
+ user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
+
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
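Review bot: The new assignment `user_info->logon_parameters = ...` runs before the `if (!NT_STATUS_IS_OK(nt_status))` check that follows it, so when make_user_info_map fails it writes through whatever user_info held at that point; its initial value is set outside this hunk, and if it is NULL on the failure path this is a NULL dereference on an error path reachable from any NTLMSSP client. The sibling hunks in auth_util.c guard the same store with `if (NT_STATUS_IS_OK(nt_status))`; do the same here by moving the line below the early return, i.e. `if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;`. Note also that this grants both bypass bits to every NTLMSSP logon unconditionally; if that is the intended policy for smbd, a one-line comment saying why (machine accounts must be able to authenticate to a member server) would stop a later reader from "fixing" it. auth_ntlmssp_check_password starts and ends outside the hunk.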
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index bb4df707ef..c92cecdde5 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -208,15 +208,18 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx,
}
if (acct_ctrl & ACB_SVRTRUST) {
- DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", pdb_get_username(sampass)));
- return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
+ if (!(user_info->logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) {
+ DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", pdb_get_username(sampass)));
+ return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
+ }
}
-
+
if (acct_ctrl & ACB_WSTRUST) {
- DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", pdb_get_username(sampass)));
- return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
+ if (!(user_info->logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) {
+ DEBUG(2,("sam_account_ok: Wksta trust account %s denied by server\n", pdb_get_username(sampass)));
+ return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
+ }
}
-
return NT_STATUS_OK;
}
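Review bot: The previously unconditional refusal of ACB_SVRTRUST/ACB_WSTRUST accounts is now bypassed whenever the matching MSV1_0_ALLOW_* bit is present in `user_info->logon_parameters`, but the bypass itself leaves no trace: only the denial is logged. Since the bit originates either from the NETLOGON client's param_ctrl (srv_netlog_nt.c in this diff) or from the local NTLMSSP path, a successful trust-account logon is worth the same DEBUG(2) line as the refusal, e.g. in the `else` of each new `if`: `DEBUG(2,("sam_account_ok: Server trust account %s allowed by logon_parameters\n", pdb_get_username(sampass)));` and the workstation equivalent. The level change from 4 to 2 on the workstation message is fine and makes the two branches consistent. sam_account_ok begins outside the hunk.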
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 49122bd441..6a92c8782e 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -164,6 +164,8 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info,
(*user_info)->encrypted = encrypted;
+ (*user_info)->logon_parameters = 0;
+
DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name));
return NT_STATUS_OK;
@@ -223,6 +225,7 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info,
const char *smb_name,
const char *client_domain,
const char *wksta_name,
+ uint32 logon_parameters,
const uchar *lm_network_pwd, int lm_pwd_len,
const uchar *nt_network_pwd, int nt_pwd_len)
{
@@ -238,9 +241,12 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info,
nt_pwd_len ? &nt_blob : NULL,
NULL, NULL, NULL,
True);
-
+
+ if (NT_STATUS_IS_OK(nt_status)) {
+ (*user_info)->logon_parameters = logon_parameters;
+ }
ret = NT_STATUS_IS_OK(nt_status) ? True : False;
-
+
data_blob_free(&lm_blob);
data_blob_free(&nt_blob);
return ret;
@@ -255,6 +261,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
const char *smb_name,
const char *client_domain,
const char *wksta_name,
+ uint32 logon_parameters,
const uchar chal[8],
const uchar lm_interactive_pwd[16],
const uchar nt_interactive_pwd[16],
@@ -337,6 +344,10 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
NULL,
True);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ (*user_info)->logon_parameters = logon_parameters;
+ }
+
ret = NT_STATUS_IS_OK(nt_status) ? True : False;
data_blob_free(&local_lm_blob);
data_blob_free(&local_nt_blob);
diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c
index 0c263b6ab3..ad72bd9a1f 100644
--- a/source3/auth/auth_winbind.c
+++ b/source3/auth/auth_winbind.c
@@ -88,6 +88,8 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context,
request.flags = WBFLAG_PAM_INFO3_NDR;
+ request.data.auth_crap.logon_parameters = user_info->logon_parameters;
+
fstrcpy(request.data.auth_crap.user,
user_info->smb_name.str);
fstrcpy(request.data.auth_crap.domain,
diff --git a/source3/include/auth.h b/source3/include/auth.h
index 7282f4d38b..f3dae1108b 100644
--- a/source3/include/auth.h
+++ b/source3/include/auth.h
@@ -21,15 +21,12 @@
*/
/* AUTH_STR - string */
-typedef struct normal_string
-{
+typedef struct normal_string {
int len;
char *str;
} AUTH_STR;
-typedef struct auth_usersupplied_info
-{
-
+typedef struct auth_usersupplied_info {
DATA_BLOB lm_resp;
DATA_BLOB nt_resp;
DATA_BLOB lm_interactive_pwd;
@@ -44,6 +41,8 @@ typedef struct auth_usersupplied_info
AUTH_STR smb_name; /* username before mapping */
AUTH_STR wksta_name; /* workstation name (netbios calling name) unicode string */
+ uint32 logon_parameters;
+
} auth_usersupplied_info;
#define SAM_FILL_NAME 0x01
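Review bot: The new `uint32 logon_parameters` member carries no comment while its neighbours (`smb_name`, `wksta_name`) do, and it is the value that decides whether sam_account_ok refuses trust accounts. State the contract on the field: `uint32 logon_parameters; /* MSV1_0_ALLOW_* bits (rpc_netlogon.h); 0, the make_user_info default, keeps server and workstation trust accounts refused */`. The enclosing struct starts before this hunk.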
@@ -52,8 +51,7 @@ typedef struct auth_usersupplied_info
#define SAM_FILL_UNIX 0x08
#define SAM_FILL_ALL (SAM_FILL_NAME | SAM_FILL_INFO3 | SAM_FILL_SAM | SAM_FILL_UNIX)
-typedef struct auth_serversupplied_info
-{
+typedef struct auth_serversupplied_info {
BOOL guest;
uid_t uid;
@@ -144,14 +142,14 @@ struct auth_init_function_entry {
struct auth_init_function_entry *prev, *next;
};
-typedef struct auth_ntlmssp_state
-{
+typedef struct auth_ntlmssp_state {
TALLOC_CTX *mem_ctx;
struct auth_context *auth_context;
struct auth_serversupplied_info *server_info;
struct ntlmssp_state *ntlmssp_state;
} AUTH_NTLMSSP_STATE;
-#define AUTH_INTERFACE_VERSION 1
+/* Changed from 1 -> 2 to add the logon_parameters field. */
+#define AUTH_INTERFACE_VERSION 2
#endif /* _SMBAUTH_H_ */
diff --git a/source3/include/libsmbclient.h b/source3/include/libsmbclient.h
index 2d7d96c2dd..46896d68e4 100644
--- a/source3/include/libsmbclient.h
+++ b/source3/include/libsmbclient.h
@@ -339,6 +339,11 @@ typedef int (*smbc_remove_cached_srv_fn)(SMBCCTX * c, SMBCSRV *srv);
typedef int (*smbc_purge_cached_fn) (SMBCCTX * c);
+/* close was renamed to close_fn, because close is often a macro.
+ * Allow backward compatability where this is not the case */
+#ifndef close
+#define close close_fn
+#endif
/**@ingroup structure
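Review bot: `#define close close_fn` is an object-like macro in a public header, so every later `close` token in any translation unit that includes libsmbclient.h, including calls to the POSIX close(2) on a file descriptor, is rewritten to `close_fn`, which is not a function in that scope; only platforms where `close` is already a macro escape through the `#ifndef`. The compatibility shim for the renamed struct member (the rename itself is not in this diff) cannot be done safely with a token macro; either drop the two lines and let callers use `close_fn`, or make it opt-in behind a dedicated feature macro that is off by default. This change is also unrelated to the logon_parameters work and would bisect more cleanly as its own commit; "compatability" in the comment is misspelled.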
diff --git a/source3/include/rpc_netlogon.h b/source3/include/rpc_netlogon.h
index b004e26397..c73cd03f10 100644
--- a/source3/include/rpc_netlogon.h
+++ b/source3/include/rpc_netlogon.h
@@ -95,6 +95,9 @@
#define SE_GROUP_LOGON_ID 0xC0000000
#define SE_GROUP_RESOURCE 0x20000000
+/* Flags for controlling the behaviour of a particular logon */
+#define MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT ( 0x020 )
+#define MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT ( 0x800 )
#if 0
/* I think this is correct - it's what gets parsed on the wire. JRA. */
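Review bot: The two new defines say what they allow but not where the bits travel; their only uses in this diff are as the `param_ctrl` argument of init_id_info1/init_id_info2 in cli_netlogon.c and as tests against `user_info->logon_parameters` in auth_sam.c. A comment tying them to the wire field would help: `/* Bits of the NET_ID_INFO_1/NET_ID_INFO_2 param_ctrl word; any other bits of that word are not interpreted by Samba */`. Whether the numeric values match the corresponding Windows ParameterControl flags cannot be checked from this page.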
diff --git a/source3/nsswitch/wbinfo.c b/source3/nsswitch/wbinfo.c
index 6436346668..45195fb86a 100644
--- a/source3/nsswitch/wbinfo.c
+++ b/source3/nsswitch/wbinfo.c
@@ -630,6 +630,8 @@ static BOOL wbinfo_auth_crap(char *username)
parse_wbinfo_domain_user(username, name_domain, name_user);
+ request.data.auth_crap.logon_parameters = MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT | MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT;
+
fstrcpy(request.data.auth_crap.user, name_user);
fstrcpy(request.data.auth_crap.domain,
diff --git a/source3/nsswitch/winbindd_nss.h b/source3/nsswitch/winbindd_nss.h
index c851ca7480..eda68ae5c7 100644
--- a/source3/nsswitch/winbindd_nss.h
+++ b/source3/nsswitch/winbindd_nss.h
@@ -202,6 +202,7 @@ struct winbindd_request {
} auth; /* pam_winbind auth module */
struct {
unsigned char chal[8];
+ uint32 logon_parameters;
fstring user;
fstring domain;
fstring lm_resp;
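Review bot: Inserting `uint32 logon_parameters` between `chal` and `user` changes the layout and size of `struct winbindd_request`, which is the on-socket format between winbindd and its clients (wbinfo, ntlm_auth, pam_winbind are all touched by this diff), so an old client talking to a new winbindd would have its `user` bytes read as the flag word and every later field shifted. The diffstat shows this as the file's only change, so unless WINBINDD_INTERFACE_VERSION is bumped elsewhere in the commit (not visible here) it should be, as auth.h does for AUTH_INTERFACE_VERSION; a request-length check in winbindd may catch the mismatch, but a version bump reports it clearly. The enclosing struct is cut at both ends of the hunk.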
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index c2324291a6..3571142c58 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -343,15 +343,16 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
}
result = rpccli_netlogon_sam_network_logon(netlogon_pipe,
- state->mem_ctx,
- contact_domain->dcname, /* server name */
- name_user, /* user name */
- name_domain, /* target domain */
- global_myname(), /* workstation */
- chal,
- lm_resp,
- nt_resp,
- &info3);
+ state->mem_ctx,
+ 0,
+ contact_domain->dcname, /* server name */
+ name_user, /* user name */
+ name_domain, /* target domain */
+ global_myname(), /* workstation */
+ chal,
+ lm_resp,
+ nt_resp,
+ &info3);
attempts += 1;
/* We have to try a second time as cm_connect_netlogon
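Review bot: The bare `0,` passed as the new argument is the only undocumented parameter in a call where every other argument carries a comment, and it is a deliberate policy choice (PAM password logons keep refusing trust accounts). Tag it like its neighbours: `0, /* logon_parameters: no MSV1_0_ALLOW_* bits */`. winbindd_dual_pam_auth continues outside the hunk.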
@@ -624,15 +625,16 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
}
result = rpccli_netlogon_sam_network_logon(netlogon_pipe,
- state->mem_ctx,
- contact_domain->dcname,
- name_user,
- name_domain,
- global_myname(),
- state->request.data.auth_crap.chal,
- lm_resp,
- nt_resp,
- &info3);
+ state->mem_ctx,
+ state->request.data.auth_crap.logon_parameters,
+ contact_domain->dcname,
+ name_user,
+ name_domain,
+ global_myname(),
+ state->request.data.auth_crap.chal,
+ lm_resp,
+ nt_resp,
+ &info3);
attempts += 1;
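Review bot: `state->request.data.auth_crap.logon_parameters` is handed to the DC as param_ctrl exactly as received from the winbindd client, so any process that can issue an auth_crap request chooses which trust-account bypass bits the DC sees, and any bits beyond the two this diff defines go through uninterpreted; whether that request type is restricted to the privileged pipe is not visible here. Unless the whole word is meant to be caller-controlled, mask at this boundary: `state->request.data.auth_crap.logon_parameters & (MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT),`. winbindd_dual_pam_auth_crap continues outside the hunk.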
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 85b557471b..af0062f2b3 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -528,11 +528,12 @@ NTSTATUS rpccli_netlogon_sam_deltas(struct rpc_pipe_client *cli, TALLOC_CTX *mem
/* Logon domain user */
NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
- TALLOC_CTX *mem_ctx,
- const char *domain,
- const char *username,
- const char *password,
- int logon_type)
+ TALLOC_CTX *mem_ctx,
+ uint32 logon_parameters,
+ const char *domain,
+ const char *username,
+ const char *password,
+ int logon_type)
{
prs_struct qbuf, rbuf;
NET_Q_SAM_LOGON q;
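Review bot: The new `logon_parameters` argument of rpccli_netlogon_sam_logon is explained only by the `/* param_ctrl */` tags at the init_id_info calls in later hunks; a caller of this client function (cmd_netlogon.c passes 0) gets no guidance from the declaration. Extend the `/* Logon domain user */` comment above the signature with `logon_parameters: MSV1_0_ALLOW_* bits placed in the request's param_ctrl; 0 leaves trust accounts refused by the DC`. The function body continues past the hunk.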
@@ -566,7 +567,7 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
nt_lm_owf_gen(password, nt_owf_user_pwd, lm_owf_user_pwd);
init_id_info1(&ctr.auth.id1, domain,
- 0, /* param_ctrl */
+ logon_parameters, /* param_ctrl */
0xdead, 0xbeef, /* LUID? */
username, clnt_name_slash,
(const char *)cli->dc->sess_key, lm_owf_user_pwd,
@@ -585,7 +586,7 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
SMBNTencrypt(password, chal, local_nt_response);
init_id_info2(&ctr.auth.id2, domain,
- 0, /* param_ctrl */
+ logon_parameters, /* param_ctrl */
0xdead, 0xbeef, /* LUID? */
username, clnt_name_slash, chal,
local_lm_response, 24, local_nt_response, 24);
@@ -636,6 +637,7 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
+ uint32 logon_parameters,
const char *server,
const char *username,
const char *domain,
@@ -688,7 +690,7 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
ctr.switch_value = NET_LOGON_TYPE;
init_id_info2(&ctr.auth.id2, domain,
- 0, /* param_ctrl */
+ logon_parameters, /* param_ctrl */
0xdead, 0xbeef, /* LUID? */
username, workstation_name_slash, (const uchar*)chal,
lm_response.data, lm_response.length, nt_response.data, nt_response.length);
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index f75ad6bba0..91566d325c 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -695,6 +695,7 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *
if (!make_user_info_netlogon_network(&user_info,
nt_username, nt_domain,
wksname,
+ ctr->auth.id2.param_ctrl,
ctr->auth.id2.lm_chal_resp.buffer,
ctr->auth.id2.lm_chal_resp.str_str_len,
ctr->auth.id2.nt_chal_resp.buffer,
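Review bot: `ctr->auth.id2.param_ctrl` is stored into user_info->logon_parameters exactly as received from the NETLOGON client, and while sam_account_ok only tests the two MSV1_0_ALLOW_* bits, auth_domain.c and auth_winbind.c in this diff forward the whole word to the upstream DC, so unknown bits from one client are replayed to another server. If only those two bits are meant to be honoured, mask here: `ctr->auth.id2.param_ctrl & (MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT),`; if full pass-through is intended, a comment saying so would stop the next reader from adding a filter that breaks it. The same applies to `id1.param_ctrl` in the interactive hunk below. _net_sam_logon starts and ends outside the hunk.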
@@ -719,7 +720,9 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *
if (!make_user_info_netlogon_interactive(&user_info,
nt_username, nt_domain,
- nt_workstation, chal,
+ nt_workstation,
+ ctr->auth.id1.param_ctrl,
+ chal,
ctr->auth.id1.lm_owf.data,
ctr->auth.id1.nt_owf.data,
p->dc->sess_key)) {
diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
index 153daa5cf2..d8f5a75b54 100644
--- a/source3/rpcclient/cmd_netlogon.c
+++ b/source3/rpcclient/cmd_netlogon.c
@@ -272,7 +272,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
/* Perform the sam logon */
- result = rpccli_netlogon_sam_logon(cli, mem_ctx, lp_workgroup(), username, password, logon_type);
+ result = rpccli_netlogon_sam_logon(cli, mem_ctx, 0, lp_workgroup(), username, password, logon_type);
if (!NT_STATUS_IS_OK(result))
goto done;
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index d61abb6465..433ba06982 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -323,6 +323,8 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
request.flags = flags;
+ request.data.auth_crap.logon_parameters = MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT | MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT;
+
if (require_membership_of_sid)
fstrcpy(request.data.auth_crap.require_membership_of_sid, require_membership_of_sid);
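Review bot: Setting both MSV1_0_ALLOW_* bits unconditionally for every auth_crap request means ntlm_auth will now accept responses from server and workstation trust accounts, which auth_sam.c refused unconditionally before this diff and which a DC presumably also refused with param_ctrl 0, and every consumer of ntlm_auth (proxies, web servers) inherits that with no switch. If that is the intended default, say so in a comment on this line; otherwise gate it on a new command-line option that is off by default and pass 0 when it is not given. contact_winbind_auth_crap continues outside the hunk, and the hunk itself appears to end at the last context line shown.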