diff options
-rw-r--r-- | source3/auth/auth_domain.c | 19 | ||||
-rw-r--r-- | source3/auth/auth_ntlmssp.c | 2 | ||||
-rw-r--r-- | source3/auth/auth_sam.c | 15 | ||||
-rw-r--r-- | source3/auth/auth_util.c | 15 | ||||
-rw-r--r-- | source3/auth/auth_winbind.c | 2 | ||||
-rw-r--r-- | source3/include/auth.h | 18 | ||||
-rw-r--r-- | source3/include/libsmbclient.h | 5 | ||||
-rw-r--r-- | source3/include/rpc_netlogon.h | 3 | ||||
-rw-r--r-- | source3/nsswitch/wbinfo.c | 2 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_nss.h | 1 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_pam.c | 38 | ||||
-rw-r--r-- | source3/rpc_client/cli_netlogon.c | 18 | ||||
-rw-r--r-- | source3/rpc_server/srv_netlog_nt.c | 5 | ||||
-rw-r--r-- | source3/rpcclient/cmd_netlogon.c | 2 | ||||
-rw-r--r-- | source3/utils/ntlm_auth.c | 2 |
15 files changed, 92 insertions, 55 deletions
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 8d29367835..94b138e55b 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -218,15 +218,16 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, */ nt_status = rpccli_netlogon_sam_network_logon(netlogon_pipe, - mem_ctx, - dc_name, /* server name */ - user_info->smb_name.str, /* user name logging on. */ - user_info->domain.str, /* domain name */ - user_info->wksta_name.str, /* workstation name */ - chal, /* 8 byte challenge. */ - user_info->lm_resp, /* lanman 24 byte response */ - user_info->nt_resp, /* nt 24 byte response */ - &info3); /* info3 out */ + mem_ctx, + user_info->logon_parameters,/* flags such as 'allow workstation logon' */ + dc_name, /* server name */ + user_info->smb_name.str, /* user name logging on. */ + user_info->domain.str, /* domain name */ + user_info->wksta_name.str, /* workstation name */ + chal, /* 8 byte challenge. */ + user_info->lm_resp, /* lanman 24 byte response */ + user_info->nt_resp, /* nt 24 byte response */ + &info3); /* info3 out */ /* Let go as soon as possible so we avoid any potential deadlocks with winbind lookup up users or groups. */ diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 738af73f49..2fef8f1e9b 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -101,6 +101,8 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, NULL, NULL, NULL, True); + user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT; + if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index bb4df707ef..c92cecdde5 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -208,15 +208,18 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, } if (acct_ctrl & ACB_SVRTRUST) { - DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", pdb_get_username(sampass))); - return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT; + if (!(user_info->logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT)) { + DEBUG(2,("sam_account_ok: Server trust account %s denied by server\n", pdb_get_username(sampass))); + return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT; + } } - + if (acct_ctrl & ACB_WSTRUST) { - DEBUG(4,("sam_account_ok: Wksta trust account %s denied by server\n", pdb_get_username(sampass))); - return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT; + if (!(user_info->logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) { + DEBUG(2,("sam_account_ok: Wksta trust account %s denied by server\n", pdb_get_username(sampass))); + return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT; + } } - return NT_STATUS_OK; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 49122bd441..6a92c8782e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -164,6 +164,8 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, (*user_info)->encrypted = encrypted; + (*user_info)->logon_parameters = 0; + DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name)); return NT_STATUS_OK; @@ -223,6 +225,7 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, const char *wksta_name, + uint32 logon_parameters, const uchar *lm_network_pwd, int lm_pwd_len, const uchar *nt_network_pwd, int nt_pwd_len) { @@ -238,9 +241,12 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, nt_pwd_len ? &nt_blob : NULL, NULL, NULL, NULL, True); - + + if (NT_STATUS_IS_OK(nt_status)) { + (*user_info)->logon_parameters = logon_parameters; + } ret = NT_STATUS_IS_OK(nt_status) ? True : False; - + data_blob_free(&lm_blob); data_blob_free(&nt_blob); return ret; @@ -255,6 +261,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, const char *wksta_name, + uint32 logon_parameters, const uchar chal[8], const uchar lm_interactive_pwd[16], const uchar nt_interactive_pwd[16], @@ -337,6 +344,10 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, NULL, True); + if (NT_STATUS_IS_OK(nt_status)) { + (*user_info)->logon_parameters = logon_parameters; + } + ret = NT_STATUS_IS_OK(nt_status) ? True : False; data_blob_free(&local_lm_blob); data_blob_free(&local_nt_blob); diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 0c263b6ab3..ad72bd9a1f 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -88,6 +88,8 @@ static NTSTATUS check_winbind_security(const struct auth_context *auth_context, request.flags = WBFLAG_PAM_INFO3_NDR; + request.data.auth_crap.logon_parameters = user_info->logon_parameters; + fstrcpy(request.data.auth_crap.user, user_info->smb_name.str); fstrcpy(request.data.auth_crap.domain, diff --git a/source3/include/auth.h b/source3/include/auth.h index 7282f4d38b..f3dae1108b 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -21,15 +21,12 @@ */ /* AUTH_STR - string */ -typedef struct normal_string -{ +typedef struct normal_string { int len; char *str; } AUTH_STR; -typedef struct auth_usersupplied_info -{ - +typedef struct auth_usersupplied_info { DATA_BLOB lm_resp; DATA_BLOB nt_resp; DATA_BLOB lm_interactive_pwd; @@ -44,6 +41,8 @@ typedef struct auth_usersupplied_info AUTH_STR smb_name; /* username before mapping */ AUTH_STR wksta_name; /* workstation name (netbios calling name) unicode string */ + uint32 logon_parameters; + } auth_usersupplied_info; #define SAM_FILL_NAME 0x01 @@ -52,8 +51,7 @@ typedef struct auth_usersupplied_info #define SAM_FILL_UNIX 0x08 #define SAM_FILL_ALL (SAM_FILL_NAME | SAM_FILL_INFO3 | SAM_FILL_SAM | SAM_FILL_UNIX) -typedef struct auth_serversupplied_info -{ +typedef struct auth_serversupplied_info { BOOL guest; uid_t uid; @@ -144,14 +142,14 @@ struct auth_init_function_entry { struct auth_init_function_entry *prev, *next; }; -typedef struct auth_ntlmssp_state -{ +typedef struct auth_ntlmssp_state { TALLOC_CTX *mem_ctx; struct auth_context *auth_context; struct auth_serversupplied_info *server_info; struct ntlmssp_state *ntlmssp_state; } AUTH_NTLMSSP_STATE; -#define AUTH_INTERFACE_VERSION 1 +/* Changed from 1 -> 2 to add the logon_parameters field. */ +#define AUTH_INTERFACE_VERSION 2 #endif /* _SMBAUTH_H_ */ diff --git a/source3/include/libsmbclient.h b/source3/include/libsmbclient.h index 2d7d96c2dd..46896d68e4 100644 --- a/source3/include/libsmbclient.h +++ b/source3/include/libsmbclient.h @@ -339,6 +339,11 @@ typedef int (*smbc_remove_cached_srv_fn)(SMBCCTX * c, SMBCSRV *srv); typedef int (*smbc_purge_cached_fn) (SMBCCTX * c); +/* close was renamed to close_fn, because close is often a macro. + * Allow backward compatability where this is not the case */ +#ifndef close +#define close close_fn +#endif /**@ingroup structure diff --git a/source3/include/rpc_netlogon.h b/source3/include/rpc_netlogon.h index b004e26397..c73cd03f10 100644 --- a/source3/include/rpc_netlogon.h +++ b/source3/include/rpc_netlogon.h @@ -95,6 +95,9 @@ #define SE_GROUP_LOGON_ID 0xC0000000 #define SE_GROUP_RESOURCE 0x20000000 +/* Flags for controlling the behaviour of a particular logon */ +#define MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT ( 0x020 ) +#define MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT ( 0x800 ) #if 0 /* I think this is correct - it's what gets parsed on the wire. JRA. */ diff --git a/source3/nsswitch/wbinfo.c b/source3/nsswitch/wbinfo.c index 6436346668..45195fb86a 100644 --- a/source3/nsswitch/wbinfo.c +++ b/source3/nsswitch/wbinfo.c @@ -630,6 +630,8 @@ static BOOL wbinfo_auth_crap(char *username) parse_wbinfo_domain_user(username, name_domain, name_user); + request.data.auth_crap.logon_parameters = MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT | MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT; + fstrcpy(request.data.auth_crap.user, name_user); fstrcpy(request.data.auth_crap.domain, diff --git a/source3/nsswitch/winbindd_nss.h b/source3/nsswitch/winbindd_nss.h index c851ca7480..eda68ae5c7 100644 --- a/source3/nsswitch/winbindd_nss.h +++ b/source3/nsswitch/winbindd_nss.h @@ -202,6 +202,7 @@ struct winbindd_request { } auth; /* pam_winbind auth module */ struct { unsigned char chal[8]; + uint32 logon_parameters; fstring user; fstring domain; fstring lm_resp; diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index c2324291a6..3571142c58 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -343,15 +343,16 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain, } result = rpccli_netlogon_sam_network_logon(netlogon_pipe, - state->mem_ctx, - contact_domain->dcname, /* server name */ - name_user, /* user name */ - name_domain, /* target domain */ - global_myname(), /* workstation */ - chal, - lm_resp, - nt_resp, - &info3); + state->mem_ctx, + 0, + contact_domain->dcname, /* server name */ + name_user, /* user name */ + name_domain, /* target domain */ + global_myname(), /* workstation */ + chal, + lm_resp, + nt_resp, + &info3); attempts += 1; /* We have to try a second time as cm_connect_netlogon @@ -624,15 +625,16 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain, } result = rpccli_netlogon_sam_network_logon(netlogon_pipe, - state->mem_ctx, - contact_domain->dcname, - name_user, - name_domain, - global_myname(), - state->request.data.auth_crap.chal, - lm_resp, - nt_resp, - &info3); + state->mem_ctx, + state->request.data.auth_crap.logon_parameters, + contact_domain->dcname, + name_user, + name_domain, + global_myname(), + state->request.data.auth_crap.chal, + lm_resp, + nt_resp, + &info3); attempts += 1; diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 85b557471b..af0062f2b3 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -528,11 +528,12 @@ NTSTATUS rpccli_netlogon_sam_deltas(struct rpc_pipe_client *cli, TALLOC_CTX *mem /* Logon domain user */ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, - const char *domain, - const char *username, - const char *password, - int logon_type) + TALLOC_CTX *mem_ctx, + uint32 logon_parameters, + const char *domain, + const char *username, + const char *password, + int logon_type) { prs_struct qbuf, rbuf; NET_Q_SAM_LOGON q; @@ -566,7 +567,7 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli, nt_lm_owf_gen(password, nt_owf_user_pwd, lm_owf_user_pwd); init_id_info1(&ctr.auth.id1, domain, - 0, /* param_ctrl */ + logon_parameters, /* param_ctrl */ 0xdead, 0xbeef, /* LUID? */ username, clnt_name_slash, (const char *)cli->dc->sess_key, lm_owf_user_pwd, @@ -585,7 +586,7 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli, SMBNTencrypt(password, chal, local_nt_response); init_id_info2(&ctr.auth.id2, domain, - 0, /* param_ctrl */ + logon_parameters, /* param_ctrl */ 0xdead, 0xbeef, /* LUID? */ username, clnt_name_slash, chal, local_lm_response, 24, local_nt_response, 24); @@ -636,6 +637,7 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli, NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, + uint32 logon_parameters, const char *server, const char *username, const char *domain, @@ -688,7 +690,7 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli, ctr.switch_value = NET_LOGON_TYPE; init_id_info2(&ctr.auth.id2, domain, - 0, /* param_ctrl */ + logon_parameters, /* param_ctrl */ 0xdead, 0xbeef, /* LUID? */ username, workstation_name_slash, (const uchar*)chal, lm_response.data, lm_response.length, nt_response.data, nt_response.length); diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index f75ad6bba0..91566d325c 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c @@ -695,6 +695,7 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON * if (!make_user_info_netlogon_network(&user_info, nt_username, nt_domain, wksname, + ctr->auth.id2.param_ctrl, ctr->auth.id2.lm_chal_resp.buffer, ctr->auth.id2.lm_chal_resp.str_str_len, ctr->auth.id2.nt_chal_resp.buffer, @@ -719,7 +720,9 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON * if (!make_user_info_netlogon_interactive(&user_info, nt_username, nt_domain, - nt_workstation, chal, + nt_workstation, + ctr->auth.id1.param_ctrl, + chal, ctr->auth.id1.lm_owf.data, ctr->auth.id1.nt_owf.data, p->dc->sess_key)) { diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c index 153daa5cf2..d8f5a75b54 100644 --- a/source3/rpcclient/cmd_netlogon.c +++ b/source3/rpcclient/cmd_netlogon.c @@ -272,7 +272,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli, /* Perform the sam logon */ - result = rpccli_netlogon_sam_logon(cli, mem_ctx, lp_workgroup(), username, password, logon_type); + result = rpccli_netlogon_sam_logon(cli, mem_ctx, 0, lp_workgroup(), username, password, logon_type); if (!NT_STATUS_IS_OK(result)) goto done; diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index d61abb6465..433ba06982 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -323,6 +323,8 @@ NTSTATUS contact_winbind_auth_crap(const char *username, request.flags = flags; + request.data.auth_crap.logon_parameters = MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT | MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT; + if (require_membership_of_sid) fstrcpy(request.data.auth_crap.require_membership_of_sid, require_membership_of_sid); |