Diffstat (limited to 'source3/auth')
-rw-r--r-- | source3/auth/auth.c | 16 | ||||
-rw-r--r-- | source3/auth/auth_compat.c | 45 | ||||
-rw-r--r-- | source3/auth/auth_ntlmssp.c | 4 | ||||
-rw-r--r-- | source3/auth/auth_util.c | 19 | ||||
-rw-r--r-- | source3/auth/proto.h | 16 | ||||
-rw-r--r-- | source3/auth/user_info.c | 5 |
6 files changed, 86 insertions, 19 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c index dbe337faa8..0f661a953f 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -19,7 +19,7 @@ #include "includes.h" #include "auth.h" -#include "smbd/globals.h" +#include "../lib/tsocket/tsocket.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH @@ -284,11 +284,19 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, if (NT_STATUS_IS_OK(nt_status)) { unix_username = (*server_info)->unix_name; if (!(*server_info)->guest) { + char *rhost; + int rc; + + rhost = tsocket_address_inet_addr_string(user_info->remote_host, + talloc_tos()); + if (rhost == NULL) { + return NT_STATUS_NO_MEMORY; + } + /* We might not be root if we are an RPC call */ become_root(); - nt_status = smb_pam_accountcheck( - unix_username, - smbd_server_conn->client_id.name); + nt_status = smb_pam_accountcheck(unix_username, + rhost); unbecome_root(); if (NT_STATUS_IS_OK(nt_status)) { diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c index 0ae712a517..e7225a2756 100644 --- a/source3/auth/auth_compat.c +++ b/source3/auth/auth_compat.c @@ -19,6 +19,7 @@ #include "includes.h" #include "auth.h" +#include "../lib/tsocket/tsocket.h" extern struct auth_context *negprot_global_auth_context; extern bool global_encrypted_passwords_negotiated; @@ -36,6 +37,7 @@ return True if the password is correct, False otherwise ****************************************************************************/ NTSTATUS check_plaintext_password(const char *smb_name, + const struct tsocket_address *remote_address, DATA_BLOB plaintext_blob, struct auth_serversupplied_info **server_info) { @@ -54,7 +56,9 @@ NTSTATUS check_plaintext_password(const char *smb_name, chal); if (!make_user_info_for_reply(&user_info, - smb_name, lp_workgroup(), chal, + smb_name, lp_workgroup(), + remote_address, + chal, plaintext_blob)) { return NT_STATUS_NO_MEMORY; } 
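Review bot: In check_ntlm_password, a NULL result from `tsocket_address_inet_addr_string()` is returned directly as `NT_STATUS_NO_MEMORY`, although that call also fails (with errno EINVAL) when `user_info->remote_host` is not an inet address, so a non-IP peer would be reported as an allocation failure. The early `return` leaves `*server_info` populated while reporting an error and skips whatever failure handling follows later in the function, which lies outside this hunk. Setting the status and skipping only the PAM call keeps a single exit path, e.g. `if (rhost == NULL) { nt_status = NT_STATUS_NO_MEMORY; } else { become_root(); ... unbecome_root(); }`. The new local `int rc;` is not used in the visible lines and can probably be dropped. Since `smb_pam_accountcheck()` now receives the numeric peer address instead of `client_id.name`, a one-line comment saying that host-based PAM rules will see an IP string would help whoever maintains those rules.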
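Review bot: The header comment above `check_plaintext_password()` still says it returns True or False, while the function returns an NTSTATUS, and it says nothing about the new `remote_address` parameter. A line such as `/* remote_address: peer address of the client connection; copied into user_info and later handed to the PAM account check */` would document the contract. `password_ok()` in the same file gains the same parameter and could carry the same line.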
@@ -70,6 +74,7 @@ NTSTATUS check_plaintext_password(const char *smb_name, static NTSTATUS pass_check_smb(struct auth_context *actx, const char *smb_name, const char *domain, + const struct tsocket_address *remote_address, DATA_BLOB lm_pwd, DATA_BLOB nt_pwd) @@ -82,6 +87,7 @@ static NTSTATUS pass_check_smb(struct auth_context *actx, } make_user_info_for_reply_enc(&user_info, smb_name, domain, + remote_address, lm_pwd, nt_pwd); nt_status = actx->check_ntlm_password(actx, user_info, &server_info); @@ -97,7 +103,9 @@ return True if the password is correct, False otherwise bool password_ok(struct auth_context *actx, bool global_encrypted, const char *session_workgroup, - const char *smb_name, DATA_BLOB password_blob) + const char *smb_name, + const struct tsocket_address *remote_address, + DATA_BLOB password_blob) { DATA_BLOB null_password = data_blob_null; 
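Review bot: The result of `make_user_info_for_reply_enc()` in pass_check_smb is still discarded, and this change gives it one more way to fail, because the copy of `remote_address` happens further down in make_user_info. If the call fails, `user_info` reaches `actx->check_ntlm_password()` in whatever state it was left; its initialisation is outside the hunk. Capture and test the status before authenticating: `nt_status = make_user_info_for_reply_enc(&user_info, smb_name, domain, remote_address, lm_pwd, nt_pwd); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; }`.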
@@ -110,24 +118,47 @@ bool password_ok(struct auth_context *actx, bool global_encrypted, * Vista sends NTLMv2 here - we need to try the client given workgroup. */ if (session_workgroup) { - if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, session_workgroup, null_password, password_blob))) { + if (NT_STATUS_IS_OK(pass_check_smb(actx, + smb_name, + session_workgroup, + remote_address, + null_password, + password_blob))) { return True; } - if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, session_workgroup, password_blob, null_password))) { + if (NT_STATUS_IS_OK(pass_check_smb(actx, + smb_name, + session_workgroup, + remote_address, + password_blob, + null_password))) { return True; } } - if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, lp_workgroup(), null_password, password_blob))) { + if (NT_STATUS_IS_OK(pass_check_smb(actx, + smb_name, + lp_workgroup(), + remote_address, + null_password, + password_blob))) { return True; } - if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, lp_workgroup(), password_blob, null_password))) { + if (NT_STATUS_IS_OK(pass_check_smb(actx, + smb_name, + lp_workgroup(), + remote_address, + password_blob, + null_password))) { return True; } } else { struct auth_serversupplied_info *server_info = NULL; - NTSTATUS nt_status = check_plaintext_password(smb_name, password_blob, &server_info); + NTSTATUS nt_status = check_plaintext_password(smb_name, + remote_address, + password_blob, + &server_info); TALLOC_FREE(server_info); if (NT_STATUS_IS_OK(nt_status)) { return True; diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 54f7e6d5fc..2d1aef18f0 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -25,7 +25,6 @@ #include "../libcli/auth/ntlmssp.h" #include "ntlmssp_wrap.h" #include "../librpc/gen_ndr/netlogon.h" -#include "smbd/smbd.h" #include "../lib/tsocket/tsocket.h" NTSTATUS auth_ntlmssp_steal_session_info(TALLOC_CTX *mem_ctx, 
@@ -122,10 +121,11 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, lp_load(get_dyn_CONFIGFILE(), false, false, true, true); - nt_status = make_user_info_map(&user_info, + nt_status = make_user_info_map(&user_info, auth_ntlmssp_state->ntlmssp_state->user, auth_ntlmssp_state->ntlmssp_state->domain, auth_ntlmssp_state->ntlmssp_state->client.netbios_name, + auth_ntlmssp_state->remote_address, auth_ntlmssp_state->ntlmssp_state->lm_resp.data ? &auth_ntlmssp_state->ntlmssp_state->lm_resp : NULL, auth_ntlmssp_state->ntlmssp_state->nt_resp.data ? &auth_ntlmssp_state->ntlmssp_state->nt_resp : NULL, NULL, NULL, NULL, diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 64c290eb04..dd126929e9 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -89,6 +89,7 @@ NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, const char *workstation_name, + const struct tsocket_address *remote_address, DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd, const struct samr_Password *lm_interactive_pwd, @@ -137,7 +138,7 @@ NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info, result = make_user_info(user_info, smb_name, internal_username, client_domain, domain, workstation_name, - lm_pwd, nt_pwd, + remote_address, lm_pwd, nt_pwd, lm_interactive_pwd, nt_interactive_pwd, plaintext, password_state); if (NT_STATUS_IS_OK(result)) { @@ -158,6 +159,7 @@ bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, const char *workstation_name, + const struct tsocket_address *remote_address, uint32 logon_parameters, const uchar *lm_network_pwd, int lm_pwd_len, 
@@ -172,6 +174,7 @@ bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info, status = make_user_info_map(user_info, smb_name, client_domain, workstation_name, + remote_address, lm_pwd_len ? &lm_blob : NULL, nt_pwd_len ? &nt_blob : NULL, NULL, NULL, NULL, @@ -196,6 +199,7 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in const char *smb_name, const char *client_domain, const char *workstation_name, + const struct tsocket_address *remote_address, uint32 logon_parameters, const uchar chal[8], const uchar lm_interactive_pwd[16], @@ -271,6 +275,7 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in nt_status = make_user_info_map( user_info, smb_name, client_domain, workstation_name, + remote_address, lm_interactive_pwd ? &local_lm_blob : NULL, nt_interactive_pwd ? &local_nt_blob : NULL, lm_interactive_pwd ? &lm_pwd : NULL, @@ -296,6 +301,7 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in bool make_user_info_for_reply(struct auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, + const struct tsocket_address *remote_address, const uint8 chal[8], DATA_BLOB plaintext_password) { @@ -342,6 +348,7 @@ bool make_user_info_for_reply(struct auth_usersupplied_info **user_info, ret = make_user_info_map( user_info, smb_name, client_domain, get_remote_machine_name(), + remote_address, local_lm_blob.data ? &local_lm_blob : NULL, local_nt_blob.data ? &local_nt_blob : NULL, NULL, NULL, 
@@ -363,12 +370,14 @@ bool make_user_info_for_reply(struct auth_usersupplied_info **user_info, NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info, const char *smb_name, - const char *client_domain, + const char *client_domain, + const struct tsocket_address *remote_address, DATA_BLOB lm_resp, DATA_BLOB nt_resp) { return make_user_info_map(user_info, smb_name, client_domain, - get_remote_machine_name(), + get_remote_machine_name(), + remote_address, lm_resp.data && (lm_resp.length > 0) ? &lm_resp : NULL, nt_resp.data && (nt_resp.length > 0) ? &nt_resp : NULL, NULL, NULL, NULL, @@ -379,7 +388,8 @@ NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info, Create a guest user_info blob, for anonymous authenticaion. ****************************************************************************/ -bool make_user_info_guest(struct auth_usersupplied_info **user_info) +bool make_user_info_guest(const struct tsocket_address *remote_address, + struct auth_usersupplied_info **user_info) { NTSTATUS nt_status; @@ -387,6 +397,7 @@ bool make_user_info_guest(struct auth_usersupplied_info **user_info) "","", "","", "", + remote_address, NULL, NULL, NULL, NULL, NULL, diff --git a/source3/auth/proto.h b/source3/auth/proto.h index a4330155d1..2839793472 100644 --- a/source3/auth/proto.h +++ b/source3/auth/proto.h @@ -51,11 +51,14 @@ NTSTATUS auth_builtin_init(void); /* The following definitions come from auth/auth_compat.c */ NTSTATUS check_plaintext_password(const char *smb_name, + const struct tsocket_address *remote_address, DATA_BLOB plaintext_password, struct auth_serversupplied_info **server_info); bool password_ok(struct auth_context *actx, bool global_encrypted, const char *session_workgroup, - const char *smb_name, DATA_BLOB password_blob); + const char *smb_name, + const struct tsocket_address *remote_address, + DATA_BLOB password_blob); /* The following definitions come from auth/auth_domain.c */ 
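Review bot: `make_user_info_guest()` now takes `remote_address` as its first parameter, ahead of the `user_info` out-parameter, whereas every other make_user_info_* function touched here keeps `user_info` first and places `remote_address` after the name arguments. Keeping the out-parameter first, `bool make_user_info_guest(struct auth_usersupplied_info **user_info, const struct tsocket_address *remote_address)`, would make the family uniform; the prototype in proto.h would change to match. The function body continues outside the hunk.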
@@ -94,11 +97,13 @@ NTSTATUS auth_server_init(void); NTSTATUS auth_unix_init(void); /* The following definitions come from auth/auth_util.c */ +struct tsocket_address; NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, const char *workstation_name, + const struct tsocket_address *remote_address, DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd, const struct samr_Password *lm_interactive_pwd, @@ -109,6 +114,7 @@ bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, const char *workstation_name, + const struct tsocket_address *remote_address, uint32 logon_parameters, const uchar *lm_network_pwd, int lm_pwd_len, @@ -118,6 +124,7 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in const char *smb_name, const char *client_domain, const char *workstation_name, + const struct tsocket_address *remote_address, uint32 logon_parameters, const uchar chal[8], const uchar lm_interactive_pwd[16], @@ -126,13 +133,17 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in bool make_user_info_for_reply(struct auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, + const struct tsocket_address *remote_address, const uint8 chal[8], DATA_BLOB plaintext_password); NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, + const struct tsocket_address *remote_address, DATA_BLOB lm_resp, DATA_BLOB nt_resp); -bool make_user_info_guest(struct auth_usersupplied_info **user_info) ; +bool make_user_info_guest(const struct tsocket_address *remote_address, + struct auth_usersupplied_info **user_info); + struct samu; NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info, struct samu *sampass); 
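Review bot: The forward declaration `struct tsocket_address;` is added at the auth_util.c section, but the prototypes of `check_plaintext_password()` and `password_ok()` in the auth_compat.c section earlier in this header already use `const struct tsocket_address *`. Unless an earlier include has declared the type, its first appearance inside a parameter list gives it prototype scope, which compilers warn about and which makes the parameter type incompatible with the real one. The .c files in this change include tsocket.h only after auth.h, so if auth.h is what pulls in this header the order matters. Moving `struct tsocket_address;` above the first prototype that uses it removes the dependency on include order.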
@@ -192,6 +203,7 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **ret_user_info, const char *client_domain, const char *domain, const char *workstation_name, + const struct tsocket_address *remote_address, const DATA_BLOB *lm_pwd, const DATA_BLOB *nt_pwd, const struct samr_Password *lm_interactive_pwd, diff --git a/source3/auth/user_info.c b/source3/auth/user_info.c index 606381b0e3..6b9841220f 100644 --- a/source3/auth/user_info.c +++ b/source3/auth/user_info.c @@ -20,6 +20,7 @@ #include "includes.h" #include "auth.h" #include "librpc/gen_ndr/samr.h" +#include "../lib/tsocket/tsocket.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH @@ -46,6 +47,7 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **ret_user_info, const char *client_domain, const char *domain, const char *workstation_name, + const struct tsocket_address *remote_address, const DATA_BLOB *lm_pwd, const DATA_BLOB *nt_pwd, const struct samr_Password *lm_interactive_pwd, @@ -84,6 +86,9 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **ret_user_info, user_info->workstation_name = talloc_strdup(user_info, workstation_name); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info->workstation_name, user_info); + user_info->remote_host = tsocket_address_copy(remote_address, user_info); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info->remote_host, user_info); + DEBUG(5,("making blobs for %s's user_info struct\n", internal_username)); if (lm_pwd && lm_pwd->data) { |
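Review bot: `make_user_info()` passes `remote_address` straight to `tsocket_address_copy()` with no NULL check, and the copy appears to dereference its argument, so a caller that has no peer address would crash the process rather than fail the logon. The callers in this change forward whatever they hold, including `auth_ntlmssp_state->remote_address` in auth_ntlmssp.c and the argument of `make_user_info_guest()`, and callers outside source3/auth are not visible here. Either guard it before the copy, `if (remote_address == NULL) { TALLOC_FREE(user_info); return NT_STATUS_INVALID_PARAMETER; }`, or state in the function's header comment that a non-NULL address is required. The function body starts and ends outside the hunk.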