diff options
Diffstat (limited to 'source3/auth')
| -rw-r--r-- | source3/auth/auth.c | 14 | ||||
| -rw-r--r-- | source3/auth/auth_builtin.c | 8 | ||||
| -rw-r--r-- | source3/auth/auth_domain.c | 246 | ||||
| -rw-r--r-- | source3/auth/auth_info.c | 9 | ||||
| -rw-r--r-- | source3/auth/auth_rhosts.c | 2 | ||||
| -rw-r--r-- | source3/auth/auth_sam.c | 32 | ||||
| -rw-r--r-- | source3/auth/auth_server.c | 21 | ||||
| -rw-r--r-- | source3/auth/auth_unix.c | 3 | ||||
| -rw-r--r-- | source3/auth/auth_winbind.c | 7 |
9 files changed, 158 insertions, 184 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 94927fe96e..bfd15dff34 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -82,13 +82,14 @@ static BOOL check_domain_match(const char *user, const char *domain) **/ NTSTATUS check_password(const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, - auth_serversupplied_info **server_info) + const auth_authsupplied_info *auth_info, + auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; const char *pdb_username; auth_methods *auth_method; + TALLOC_CTX *mem_ctx; if (!user_info || !auth_info || !server_info) { return NT_STATUS_LOGON_FAILURE; @@ -121,7 +122,10 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, for (auth_method = auth_info->auth_method_list;auth_method; auth_method = auth_method->next) { - nt_status = auth_method->auth(auth_method->private_data, user_info, auth_info, server_info); + mem_ctx = talloc_init_named("%s authentication for user %s\\%s", auth_method->name, + user_info->domain.str, user_info->smb_name.str); + + nt_status = auth_method->auth(auth_method->private_data, mem_ctx, user_info, auth_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { DEBUG(3, ("check_password: %s authentication for user [%s] suceeded\n", auth_method->name, user_info->smb_name.str)); @@ -129,7 +133,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, DEBUG(5, ("check_password: %s authentication for user [%s] FAILED with error %s\n", auth_method->name, user_info->smb_name.str, get_nt_error_msg(nt_status))); } - + + talloc_destroy(mem_ctx); + if (NT_STATUS_IS_OK(nt_status)) { break; } diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index 8f283fd856..b5bb673e2c 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c @@ -30,9 +30,10 @@ **/ static NTSTATUS check_guest_security(void *my_private_data, - const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, - auth_serversupplied_info **server_info) + TALLOC_CTX *mem_ctx, + const auth_usersupplied_info *user_info, + const auth_authsupplied_info *auth_info, + auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; @@ -73,6 +74,7 @@ BOOL auth_init_guest(auth_methods **auth_method) **/ static NTSTATUS check_name_to_ntstatus_security(void *my_private_data, + TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, const auth_authsupplied_info *auth_info, auth_serversupplied_info **server_info) diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index a5e90aff39..6e3eb643d8 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -27,23 +27,24 @@ BOOL global_machine_password_needs_changing = False; extern pstring global_myname; extern userdom_struct current_user_info; -/*********************************************************************** - Connect to a remote machine for domain security authentication - given a name or IP address. - ***********************************************************************/ - -static BOOL connect_to_domain_password_server(struct cli_state *pcli, - char *server, unsigned char *trust_passwd) +/** + * Connect to a remote server for domain security authenticaion. + * + * @param cli the cli to return containing the active connection + * @param server either a machine name or text IP address to + * connect to. + * @param trust_password the trust password to establish the + * credentials with. + * + **/ + +static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, + char *server, unsigned char *trust_passwd) { struct in_addr dest_ip; fstring remote_machine; NTSTATUS result; - if (cli_initialise(pcli) == NULL) { - DEBUG(0,("connect_to_domain_password_server: unable to initialize client connection.\n")); - return False; - } - if (is_ipaddress(server)) { struct in_addr to_ip; @@ -51,13 +52,13 @@ static BOOL connect_to_domain_password_server(struct cli_state *pcli, a password server anyways */ if ((to_ip.s_addr=inet_addr(server)) == 0xFFFFFFFF) { DEBUG (0,("connect_to_domain_password_server: inet_addr(%s) returned 0xFFFFFFFF!\n", server)); - return False; + return NT_STATUS_UNSUCCESSFUL; } if (!name_status_find("*", 0x20, 0x20, to_ip, remote_machine)) { DEBUG(0, ("connect_to_domain_password_server: Can't " "resolve name for IP %s\n", server)); - return False; + return NT_STATUS_UNSUCCESSFUL; } } else { fstrcpy(remote_machine, server); @@ -68,69 +69,20 @@ static BOOL connect_to_domain_password_server(struct cli_state *pcli, if(!resolve_name( remote_machine, &dest_ip, 0x20)) { DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", remote_machine)); - cli_shutdown(pcli); - return False; + return NT_STATUS_UNSUCCESSFUL; } if (ismyip(dest_ip)) { DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n", remote_machine)); - cli_shutdown(pcli); - return False; - } - - if (!cli_connect(pcli, remote_machine, &dest_ip)) { - DEBUG(0,("connect_to_domain_password_server: unable to connect to SMB server on \ -machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; - } - - if (!attempt_netbios_session_request(pcli, global_myname, remote_machine, &dest_ip)) { - DEBUG(0,("connect_to_password_server: machine %s rejected the NetBIOS \ -session request. Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - return False; + return NT_STATUS_UNSUCCESSFUL; } - pcli->protocol = PROTOCOL_NT1; - - if (!cli_negprot(pcli)) { - DEBUG(0,("connect_to_domain_password_server: machine %s rejected the negotiate protocol. \ -Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; - } - - if (pcli->protocol != PROTOCOL_NT1) { - DEBUG(0,("connect_to_domain_password_server: machine %s didn't negotiate NT protocol.\n", - remote_machine)); - cli_shutdown(pcli); - return False; - } - - /* - * Do an anonymous session setup. - */ - - if (!cli_session_setup(pcli, "", "", 0, "", 0, "")) { - DEBUG(0,("connect_to_domain_password_server: machine %s rejected the session setup. \ -Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; - } - - if (!(pcli->sec_mode & 1)) { - DEBUG(1,("connect_to_domain_password_server: machine %s isn't in user level security mode\n", - remote_machine)); - cli_shutdown(pcli); - return False; - } - - if (!cli_send_tconX(pcli, "IPC$", "IPC", "", 1)) { - DEBUG(0,("connect_to_domain_password_server: machine %s rejected the tconX on the IPC$ share. \ -Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; + result = cli_full_connection(cli, global_myname, server, + &dest_ip, 0, "IPC$", "IPC", "", "", "", 0); + + if (!NT_STATUS_IS_OK(result)) { + return result; } /* @@ -146,34 +98,34 @@ Error was : %s.\n", remote_machine, cli_errstr(pcli) )); * into account also. This patch from "Bjart Kvarme" <bjart.kvarme@usit.uio.no>. */ - if(cli_nt_session_open(pcli, PIPE_NETLOGON) == False) { + if(cli_nt_session_open(*cli, PIPE_NETLOGON) == False) { DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ -machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli))); - cli_nt_session_close(pcli); - cli_ulogoff(pcli); - cli_shutdown(pcli); - return False; +machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); + cli_nt_session_close(*cli); + cli_ulogoff(*cli); + cli_shutdown(*cli); + return NT_STATUS_UNSUCCESSFUL; } - result = cli_nt_setup_creds(pcli, trust_passwd); + result = new_cli_nt_setup_creds(*cli, trust_passwd); if (!NT_STATUS_IS_OK(result)) { DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ %s. Error was : %s.\n", remote_machine, get_nt_error_msg(result))); - cli_nt_session_close(pcli); - cli_ulogoff(pcli); - cli_shutdown(pcli); - return(False); + cli_nt_session_close(*cli); + cli_ulogoff(*cli); + cli_shutdown(*cli); + return result; } - return True; + return NT_STATUS_OK; } /*********************************************************************** Utility function to attempt a connection to an IP address of a DC. ************************************************************************/ -static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, +static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, struct in_addr *ip, unsigned char *trust_passwd) { fstring dc_name; @@ -183,26 +135,26 @@ static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, */ if (is_zero_ip(*ip)) - return False; + return NT_STATUS_UNSUCCESSFUL; if (!lookup_dc_name(global_myname, lp_workgroup(), ip, dc_name)) - return False; + return NT_STATUS_UNSUCCESSFUL; - return connect_to_domain_password_server(pcli, dc_name, trust_passwd); + return connect_to_domain_password_server(cli, dc_name, trust_passwd); } /*********************************************************************** We have been asked to dynamcially determine the IP addresses of the PDC and BDC's for this DOMAIN, and query them in turn. ************************************************************************/ -static BOOL find_connect_pdc(struct cli_state *pcli, - unsigned char *trust_passwd, - time_t last_change_time) +static NTSTATUS find_connect_pdc(struct cli_state **cli, + unsigned char *trust_passwd, + time_t last_change_time) { struct in_addr *ip_list = NULL; int count = 0; int i; - BOOL connected_ok = False; + NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; time_t time_now = time(NULL); BOOL use_pdc_only = False; @@ -218,7 +170,7 @@ static BOOL find_connect_pdc(struct cli_state *pcli, use_pdc_only = True; if (!get_dc_list(use_pdc_only, lp_workgroup(), &ip_list, &count)) - return False; + return NT_STATUS_UNSUCCESSFUL; /* * Firstly try and contact a PDC/BDC who has the same @@ -228,7 +180,7 @@ static BOOL find_connect_pdc(struct cli_state *pcli, if(!is_local_net(ip_list[i])) continue; - if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + if(NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, &ip_list[i], trust_passwd))) break; zero_ip(&ip_list[i]); /* Tried and failed. */ @@ -237,10 +189,10 @@ static BOOL find_connect_pdc(struct cli_state *pcli, /* * Secondly try and contact a random PDC/BDC. */ - if(!connected_ok) { + if(!NT_STATUS_IS_OK(nt_status)) { i = (sys_random() % count); - if (!(connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + if (!NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, &ip_list[i], trust_passwd))) zero_ip(&ip_list[i]); /* Tried and failed. */ } @@ -248,21 +200,20 @@ static BOOL find_connect_pdc(struct cli_state *pcli, * Finally go through the IP list in turn, ignoring any addresses * we have already tried. */ - if(!connected_ok) { + if(!NT_STATUS_IS_OK(nt_status)) { /* * Try and connect to any of the other IP addresses in the PDC/BDC list. * Note that from a WINS server the #1 IP address is the PDC. */ for(i = 0; i < count; i++) { - if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + if (NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, &ip_list[i], trust_passwd))) break; } } SAFE_FREE(ip_list); - - return connected_ok; + return nt_status; } /*********************************************************************** @@ -271,19 +222,17 @@ static BOOL find_connect_pdc(struct cli_state *pcli, use it, otherwise figure out a server from the 'password server' param. ************************************************************************/ -static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, +static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, + const auth_usersupplied_info *user_info, uchar chal[8], auth_serversupplied_info **server_info, char *server, unsigned char *trust_passwd, time_t last_change_time) { fstring remote_machine; - NET_ID_INFO_CTR ctr; NET_USER_INFO_3 info3; - struct cli_state cli; - uint32 smb_uid_low; - BOOL connected_ok = False; - NTSTATUS status; + struct cli_state *cli; + NTSTATUS nt_status; struct passwd *pass; /* @@ -294,26 +243,21 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, * see if they were valid. */ - ZERO_STRUCT(cli); - - while (!connected_ok && + while (!NT_STATUS_IS_OK(nt_status) && next_token(&server,remote_machine,LIST_SEP,sizeof(remote_machine))) { if(strequal(remote_machine, "*")) { - connected_ok = find_connect_pdc(&cli, trust_passwd, last_change_time); + nt_status = find_connect_pdc(&cli, trust_passwd, last_change_time); } else { - connected_ok = connect_to_domain_password_server(&cli, remote_machine, trust_passwd); + nt_status = connect_to_domain_password_server(&cli, remote_machine, trust_passwd); } } - if (!connected_ok) { + if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0,("domain_client_validate: Domain password server not available.\n")); - cli_shutdown(&cli); - return NT_STATUS_LOGON_FAILURE; + cli_shutdown(cli); + return nt_status; } - /* We really don't care what LUID we give the user. */ - generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False); - ZERO_STRUCT(info3); /* @@ -321,43 +265,50 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, * in the info3 structure. */ - status = cli_nt_login_network(&cli, user_info, chal, smb_uid_low, - &ctr, &info3); + nt_status = cli_netlogon_sam_network_logon(cli, mem_ctx, + user_info->internal_username.str, user_info->domain.str, + user_info->wksta_name.str, chal, + user_info->lm_resp, user_info->nt_resp, + &info3); - if (!NT_STATUS_IS_OK(status)) { + if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0,("domain_client_validate: unable to validate password " "for user %s in domain %s to Domain controller %s. " "Error was %s.\n", user_info->smb_name.str, - user_info->domain.str, cli.srv_name_slash, - get_nt_error_msg(status))); + user_info->domain.str, cli->srv_name_slash, + get_nt_error_msg(nt_status))); } else { char *dom_user; /* Check DOMAIN\username first to catch winbind users, then just the username for local users. */ - asprintf(&dom_user, "%s%s%s", user_info->domain.str, - lp_winbind_separator(), - user_info->internal_username.str); - - if (!(pass = Get_Pwnam(dom_user))) - pass = Get_Pwnam(user_info->internal_username.str); - - free(dom_user); - - if (pass) { - make_server_info_pw(server_info, pass); - if (!server_info) { - status = NT_STATUS_NO_MEMORY; + dom_user = talloc_asprintf(mem_ctx, "%s%s%s", user_info->domain.str, + lp_winbind_separator(), + user_info->internal_username.str); + + if (!dom_user) { + DEBUG(0, ("talloc_asprintf failed!\n")); + nt_status = NT_STATUS_NO_MEMORY; + } else { + + if (!(pass = Get_Pwnam(dom_user))) + pass = Get_Pwnam(user_info->internal_username.str); + + if (pass) { + make_server_info_pw(server_info, pass); + if (!server_info) { + nt_status = NT_STATUS_NO_MEMORY; + } + } else { + nt_status = NT_STATUS_NO_SUCH_USER; } - } else { - status = NT_STATUS_NO_SUCH_USER; } } /* Store the user group information in the server_info returned to the caller. */ - if (NT_STATUS_IS_OK(status) && (info3.num_groups2 != 0)) { + if (NT_STATUS_IS_OK(nt_status) && (info3.num_groups2 != 0)) { DOM_SID domain_sid; int i; NT_USER_TOKEN *ptok; @@ -365,7 +316,7 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, if ((pserver_info->ptok = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) { DEBUG(0, ("domain_client_validate: out of memory allocating rid group membership\n")); - status = NT_STATUS_NO_MEMORY; + nt_status = NT_STATUS_NO_MEMORY; free_server_info(server_info); goto done; } @@ -375,14 +326,14 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, if ((ptok->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptok->num_sids )) == NULL) { DEBUG(0, ("domain_client_validate: Out of memory allocating group SIDS\n")); - status = NT_STATUS_NO_MEMORY; + nt_status = NT_STATUS_NO_MEMORY; free_server_info(server_info); goto done; } if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) { DEBUG(0, ("domain_client_validate: unable to fetch domain sid.\n")); - status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + nt_status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO; free_server_info(server_info); goto done; } @@ -404,7 +355,7 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, if(cli_nt_logoff(&cli, &ctr) == False) { DEBUG(0,("domain_client_validate: unable to log off user %s in domain \ %s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli))); - status = NT_STATUS_LOGON_FAILURE; + nt_status = NT_STATUS_LOGON_FAILURE; } } #endif /* 0 */ @@ -415,10 +366,10 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, to allocate the other_sids and gids structures has been deleted - so these pointers are no longer valid..... */ - cli_nt_session_close(&cli); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return status; + cli_nt_session_close(cli); + cli_ulogoff(cli); + cli_shutdown(cli); + return nt_status; } /**************************************************************************** @@ -426,6 +377,7 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, ****************************************************************************/ static NTSTATUS check_ntdomain_security(void *my_private_data, + TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, const auth_authsupplied_info *auth_info, auth_serversupplied_info **server_info) @@ -461,7 +413,7 @@ static NTSTATUS check_ntdomain_security(void *my_private_data, { DEBUG(0, ("check_domain_security: could not fetch trust account password for domain %s\n", lp_workgroup())); unbecome_root(); - return NT_STATUS_LOGON_FAILURE; + return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } unbecome_root(); @@ -481,9 +433,9 @@ static NTSTATUS check_ntdomain_security(void *my_private_data, if (! *pserver) pserver = "*"; p = pserver; - nt_status = domain_client_validate(user_info, (uchar *)auth_info->challenge.data,server_info, + nt_status = domain_client_validate(mem_ctx, user_info, (uchar *)auth_info->challenge.data,server_info, p, trust_passwd, last_change_time); - + return nt_status; } diff --git a/source3/auth/auth_info.c b/source3/auth/auth_info.c index bdd490d3ef..9d399a88eb 100644 --- a/source3/auth/auth_info.c +++ b/source3/auth/auth_info.c @@ -253,6 +253,7 @@ DATA_BLOB auth_get_challenge(auth_authsupplied_info *auth_info) DATA_BLOB challenge = data_blob(NULL, 0); char *challenge_set_by = NULL; auth_methods *auth_method; + TALLOC_CTX *mem_ctx; if (auth_info->challenge.length) { DEBUG(5, ("auth_get_challenge: returning previous challenge (normal)\n")); @@ -267,7 +268,12 @@ DATA_BLOB auth_get_challenge(auth_authsupplied_info *auth_info) DEBUG(1, ("auth_get_challenge: CONFIGURATION ERROR: authenticaion method %s has already specified a challenge. Challenge by %s ignored.\n", challenge_set_by, auth_method->name)); } else { - challenge = auth_method->get_chal(&auth_method->private_data, auth_info); + mem_ctx = talloc_init_named("auth_get_challange for module %s", auth_method->name); + if (!mem_ctx) { + smb_panic("talloc_init_named() failed!"); + } + + challenge = auth_method->get_chal(&auth_method->private_data, mem_ctx, auth_info); if (challenge.length) { DEBUG(5, ("auth_get_challenge: sucessfully got challenge from module %s\n", auth_method->name)); auth_info->challenge = challenge; @@ -277,6 +283,7 @@ DATA_BLOB auth_get_challenge(auth_authsupplied_info *auth_info) DEBUG(3, ("auth_get_challenge: getting challenge from authenticaion method %s FAILED.\n", auth_method->name)); } + talloc_destroy(mem_ctx); } } else { DEBUG(5, ("auth_get_challenge: module %s did not want to specify a challenge\n", auth_method->name)); diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c index 2605f0770a..1dd97872da 100644 --- a/source3/auth/auth_rhosts.c +++ b/source3/auth/auth_rhosts.c @@ -156,6 +156,7 @@ static BOOL check_hosts_equiv(struct passwd *pass) ****************************************************************************/ static NTSTATUS check_hostsequiv_security(void *my_private_data, + TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, const auth_authsupplied_info *auth_info, auth_serversupplied_info **server_info) @@ -181,6 +182,7 @@ static NTSTATUS check_hostsequiv_security(void *my_private_data, ****************************************************************************/ static NTSTATUS check_rhosts_security(void *my_private_data, + TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, const auth_authsupplied_info *auth_info, auth_serversupplied_info **server_info) diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c index d899006cf8..b75e300655 100644 --- a/source3/auth/auth_sam.c +++ b/source3/auth/auth_sam.c @@ -132,7 +132,8 @@ static BOOL smb_pwd_check_ntlmv2(const DATA_BLOB ntv2_response, Do a specific test for an smb password being correct, given a smb_password and the lanman and NT responses. ****************************************************************************/ -static NTSTATUS sam_password_ok(SAM_ACCOUNT *sampass, +static NTSTATUS sam_password_ok(TALLOC_CTX *mem_ctx, + SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info, const auth_authsupplied_info *auth_info, uint8 user_sess_key[16]) @@ -243,7 +244,9 @@ static NTSTATUS sam_password_ok(SAM_ACCOUNT *sampass, Do a specific test for a SAM_ACCOUNT being vaild for this connection (ie not disabled, expired and the like). ****************************************************************************/ -static NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *user_info) +static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx, + SAM_ACCOUNT *sampass, + const auth_usersupplied_info *user_info) { uint16 acct_ctrl = pdb_get_acct_ctrl(sampass); char *workstation_list; @@ -286,7 +289,7 @@ static NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_inf /* Test workstation. Workstation list is comma separated. */ - workstation_list = strdup(pdb_get_workstations(sampass)); + workstation_list = talloc_strdup(mem_ctx, pdb_get_workstations(sampass)); if (!workstation_list) return NT_STATUS_NO_MEMORY; @@ -305,11 +308,8 @@ static NTSTATUS sam_account_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_inf } } - SAFE_FREE(workstation_list); if (invalid_ws) return NT_STATUS_INVALID_WORKSTATION; - } else { - SAFE_FREE(workstation_list); } if (acct_ctrl & ACB_DOMTRUST) { @@ -338,9 +338,10 @@ return an NT_STATUS constant. ****************************************************************************/ static NTSTATUS check_sam_security(void *my_private_data, - const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, - auth_serversupplied_info **server_info) + TALLOC_CTX *mem_ctx, + const auth_usersupplied_info *user_info, + const auth_authsupplied_info *auth_info, + auth_serversupplied_info **server_info) { SAM_ACCOUNT *sampass=NULL; BOOL ret; @@ -369,14 +370,14 @@ static NTSTATUS check_sam_security(void *my_private_data, return NT_STATUS_NO_SUCH_USER; } - nt_status = sam_password_ok(sampass, user_info, auth_info, user_sess_key); + nt_status = sam_password_ok(mem_ctx, sampass, user_info, auth_info, user_sess_key); if (!NT_STATUS_IS_OK(nt_status)) { pdb_free_sam(&sampass); return nt_status; } - nt_status = sam_account_ok(sampass, user_info); + nt_status = sam_account_ok(mem_ctx, sampass, user_info); if (!NT_STATUS_IS_OK(nt_status)) { pdb_free_sam(&sampass); @@ -415,9 +416,10 @@ return an NT_STATUS constant. ****************************************************************************/ static NTSTATUS check_samstrict_security(void *my_private_data, - const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, - auth_serversupplied_info **server_info) + TALLOC_CTX *mem_ctx, + const auth_usersupplied_info *user_info, + const auth_authsupplied_info *auth_info, + auth_serversupplied_info **server_info) { if (!user_info || !auth_info) { @@ -432,7 +434,7 @@ static NTSTATUS check_samstrict_security(void *my_private_data, return NT_STATUS_NO_SUCH_USER; } - return check_sam_security(my_private_data, user_info, auth_info, server_info); + return check_sam_security(my_private_data, mem_ctx, user_info, auth_info, server_info); } BOOL auth_init_samstrict(auth_methods **auth_method) diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 7e43d529d2..7178e3147c 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -29,7 +29,7 @@ extern userdom_struct current_user_info; Support for server level security. ****************************************************************************/ -static struct cli_state *server_cryptkey(void) +static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx) { struct cli_state *cli = NULL; fstring desthost; @@ -43,7 +43,7 @@ static struct cli_state *server_cryptkey(void) /* security = server just can't function with spnego */ cli->use_spnego = False; - pserver = strdup(lp_passwordserver()); + pserver = talloc_strdup(mem_ctx, lp_passwordserver()); p = pserver; while(next_token( &p, desthost, LIST_SEP, sizeof(desthost))) { @@ -67,8 +67,6 @@ static struct cli_state *server_cryptkey(void) } } - SAFE_FREE(pserver); - if (!connected_ok) { DEBUG(0,("password server not available\n")); cli_shutdown(cli); @@ -136,9 +134,11 @@ static void send_server_keepalive(void **private_data_pointer) Get the challenge out of a password server. ****************************************************************************/ -static DATA_BLOB auth_get_challenge_server(void **my_private_data, const struct authsupplied_info *auth_info) +static DATA_BLOB auth_get_challenge_server(void **my_private_data, + TALLOC_CTX *mem_ctx, + const struct authsupplied_info *auth_info) { - struct cli_state *cli = server_cryptkey(); + struct cli_state *cli = server_cryptkey(mem_ctx); if (cli) { DEBUG(3,("using password server validation\n")); @@ -175,9 +175,10 @@ static DATA_BLOB auth_get_challenge_server(void **my_private_data, const struct ****************************************************************************/ static NTSTATUS check_smbserver_security(void *my_private_data, - const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, - auth_serversupplied_info **server_info) + TALLOC_CTX *mem_ctx, + const auth_usersupplied_info *user_info, + const auth_authsupplied_info *auth_info, + auth_serversupplied_info **server_info) { struct cli_state *cli; static unsigned char badpass[24]; @@ -202,7 +203,7 @@ static NTSTATUS check_smbserver_security(void *my_private_data, if (cli) { } else { - cli = server_cryptkey(); + cli = server_cryptkey(mem_ctx); locally_made_cli = True; } diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c index 2e753cb29c..fa889af5f6 100644 --- a/source3/auth/auth_unix.c +++ b/source3/auth/auth_unix.c @@ -83,7 +83,8 @@ static BOOL update_smbpassword_file(char *user, char *password) * unless the account has a null password. **/ -NTSTATUS check_unix_security(void *my_private_data, +NTSTATUS check_unix_security(void *my_private_data, + TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, const auth_authsupplied_info *auth_info, auth_serversupplied_info **server_info) diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c index 9ca87fe0dd..74654f8bba 100644 --- a/source3/auth/auth_winbind.c +++ b/source3/auth/auth_winbind.c @@ -34,9 +34,10 @@ NSS_STATUS winbindd_request(int req_type, /* Authenticate a user with a challenge/response */ static NTSTATUS check_winbind_security(void *my_private_data, - const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, - auth_serversupplied_info **server_info) + TALLOC_CTX *mem_ctx, + const auth_usersupplied_info *user_info, + const auth_authsupplied_info *auth_info, + auth_serversupplied_info **server_info) { struct winbindd_request request; struct winbindd_response response; |