Diffstat (limited to 'source3/auth')
-rw-r--r-- | source3/auth/auth.c | 100 | ||||
-rw-r--r-- | source3/auth/auth_builtin.c | 52 | ||||
-rw-r--r-- | source3/auth/auth_domain.c | 16 | ||||
-rw-r--r-- | source3/auth/auth_rhosts.c | 7 | ||||
-rw-r--r-- | source3/auth/auth_sam.c | 51 | ||||
-rw-r--r-- | source3/auth/auth_server.c | 5 | ||||
-rw-r--r-- | source3/auth/auth_unix.c | 4 | ||||
-rw-r--r-- | source3/auth/auth_util.c | 43 | ||||
-rw-r--r-- | source3/auth/auth_winbind.c | 5 |
9 files changed, 113 insertions, 170 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 71e9ab0428..126a712fbd 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -23,45 +23,26 @@
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
-static struct auth_init_function_entry *backends = NULL;
-
-BOOL smb_register_auth(const char *name, auth_init_function init, int version)
-{
- struct auth_init_function_entry *entry = backends;
-
- if(version != AUTH_INTERFACE_VERSION)
- return False;
-
- DEBUG(5,("Attempting to register auth backend %s\n", name));
-
- while(entry) {
- if (strequal(name, entry->name)) {
- DEBUG(0,("There already is an auth backend registered with the name %s!\n", name));
- return False;
- }
- entry = entry->next;
- }
-
- entry = smb_xmalloc(sizeof(struct auth_init_function_entry));
- entry->name = smb_xstrdup(name);
- entry->init = init;
-
- DLIST_ADD(backends, entry);
- DEBUG(5,("Successfully added auth backend '%s'\n", name));
- return True;
-}
-
-static struct auth_init_function_entry *auth_find_backend_entry(const char *name)
-{
- struct auth_init_function_entry *entry = backends;
-
- while(entry) {
- if (strequal(entry->name, name)) return entry;
- entry = entry->next;
- }
-
- return NULL;
-}
+/** List of various built-in authentication modules */
+
+static const struct auth_init_function_entry builtin_auth_init_functions[] = {
+ { "guest", auth_init_guest },
+ { "rhosts", auth_init_rhosts },
+ { "hostsequiv", auth_init_hostsequiv },
+ { "sam", auth_init_sam },
+ { "samstrict", auth_init_samstrict },
+ { "unix", auth_init_unix },
+ { "smbserver", auth_init_smbserver },
+ { "ntdomain", auth_init_ntdomain },
+ { "trustdomain", auth_init_trustdomain },
+ { "winbind", auth_init_winbind },
+#ifdef DEVELOPER
+ { "name_to_ntstatus", auth_init_name_to_ntstatus },
+ { "fixed_challenge", auth_init_fixed_challenge },
+#endif
+ { "plugin", auth_init_plugin },
+ { NULL, NULL}
+};
 /****************************************************************************
 Try to get a challenge out of the various authentication modules.
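Review bot: The `{ NULL, NULL}` terminator is what the lookup in make_auth_context_text_list stops on, but nothing at the table says so, and an entry accidentally appended after it would be unreachable without any error. Suggest `/* must remain last: make_auth_context_text_list stops at the first NULL name */` on the terminator line. The `#ifdef DEVELOPER` entries also mean the set of accepted `auth methods` names differs between builds; one sentence in the header comment noting that would save confusion when a config that works in a developer build is not recognised elsewhere.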
@@ -343,8 +324,8 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context,
 auth_methods *list = NULL;
 auth_methods *t = NULL;
 auth_methods *tmp;
+ int i;
 NTSTATUS nt_status;
- static BOOL initialised_static_modules = False;
 if (!text_list) {
 DEBUG(2,("make_auth_context_text_list: No auth method list!?\n"));
@@ -353,22 +334,15 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context,
 if (!NT_STATUS_IS_OK(nt_status = make_auth_context(auth_context)))
 return nt_status;
-
- /* Initialise static modules if not done so yet */
- if(!initialised_static_modules) {
- static_init_auth;
- initialised_static_modules = True;
- }
 for (;*text_list; text_list++) {
- struct auth_init_function_entry *entry;
+ DEBUG(5,("make_auth_context_text_list: Attempting to find an auth method to match %s\n",
+ *text_list));
+ for (i = 0; builtin_auth_init_functions[i].name; i++) {
 char *module_name = smb_xstrdup(*text_list);
 char *module_params = NULL;
 char *p;
- DEBUG(5,("make_auth_context_text_list: Attempting to find an auth method to match %s\n",
- *text_list));
-
 p = strchr(module_name, ':');
 if (p) {
 *p = 0;
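Review bot: The per-name work now sits inside the inner `for (i ...)` loop, so `*text_list` is duplicated, split on ':' and trimmed once per table entry instead of once per configured name, and in the -378 hunk of this file the `break` on a match leaves the loop before `SAFE_FREE(module_name)`, so every successfully matched name leaks its copy. The same rewrite drops the old `DEBUG(0, ... can't find auth method ...)` path, so a misspelt entry in `auth methods` is now skipped without any log line, which silently weakens the configured method list. Hoisting the parse above the inner loop, freeing after it, and logging when the loop runs off the end of the table fixes all three; make_auth_context_text_list starts and ends outside both hunks.
```c
	for (;*text_list; text_list++) {
		char *module_name = smb_xstrdup(*text_list);
		char *module_params = NULL;
		char *p;

		DEBUG(5,("make_auth_context_text_list: Attempting to find an auth method to match %s\n",
			 *text_list));

		/* … unchanged: split module_params off at ':' and trim_string() both … */

		for (i = 0; builtin_auth_init_functions[i].name; i++) {
			if (strequal(builtin_auth_init_functions[i].name, module_name)) {
				/* … unchanged: DEBUG, init call, DLIST_ADD_END / error DEBUG … */
				break;
			}
		}
		/* Ran off the end of the table: the configured name is unknown. */
		if (!builtin_auth_init_functions[i].name) {
			DEBUG(0,("make_auth_context_text_list: can't find auth method %s!\n", module_name));
		}
		SAFE_FREE(module_name);
	}
```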
@@ -378,20 +352,20 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context,
 trim_string(module_name, " ", " ");
- entry = auth_find_backend_entry(module_name);
-
- if(!(entry = auth_find_backend_entry(module_name)) && !smb_probe_module("auth", module_name) &&
- !(entry = auth_find_backend_entry(module_name))) {
- DEBUG(0,("make_auth_context_text_list: can't find auth method %s!\n", module_name));
- } else if (!NT_STATUS_IS_OK(entry->init(*auth_context, module_params, &t))) {
- DEBUG(0,("make_auth_context_text_list: auth method %s did not correctly init\n",
- *text_list));
- } else {
- DEBUG(5,("make_auth_context_text_list: auth method %s has a valid init\n",
- *text_list));
- DLIST_ADD_END(list, t, tmp);
+ if (strequal(builtin_auth_init_functions[i].name, module_name)) {
+ DEBUG(5,("make_auth_context_text_list: Found auth method %s (at pos %d)\n", *text_list, i));
+ if (NT_STATUS_IS_OK(builtin_auth_init_functions[i].init(*auth_context, module_params, &t))) {
+ DEBUG(5,("make_auth_context_text_list: auth method %s has a valid init\n",
+ *text_list));
+ DLIST_ADD_END(list, t, tmp);
+ } else {
+ DEBUG(0,("make_auth_context_text_list: auth method %s did not correctly init\n",
+ *text_list));
+ }
+ break;
 }
 SAFE_FREE(module_name);
+ }
 }
 (*auth_context)->auth_method_list = list;
@@ -443,7 +417,7 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context)
 break;
 case SEC_ADS:
 DEBUG(5,("Making default auth method list for security=ADS\n"));
- auth_method_list = str_list_make("guest sam winbind ntdomain", NULL);
+ auth_method_list = str_list_make("guest sam ads winbind ntdomain", NULL);
 break;
 default:
 DEBUG(5,("Unknown auth method!\n"));
diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c
index 509a4afba9..a19c532fc9 100644
--- a/source3/auth/auth_builtin.c
+++ b/source3/auth/auth_builtin.c
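Review bot: The new SEC_ADS default names an `ads` method, but the builtin_auth_init_functions table introduced at the top of this file has no `ads` entry, and the rewritten lookup in make_auth_context_text_list no longer logs unknown names, so `security = ADS` would quietly run with only `guest sam winbind ntdomain` unless an `ads` entry is added elsewhere in this commit. Either add the table entry alongside this change or leave the default list as it was until the module exists; at minimum `/* "ads" needs a matching entry in builtin_auth_init_functions */` on this line would flag the dependency for the next reader.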
@@ -161,12 +161,50 @@ NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char
 return NT_STATUS_OK;
 }
-int auth_builtin_init(void)
+/**
+ * Outsorce an auth module to an external loadable .so
+ *
+ * Only works on systems with dlopen() etc.
+ **/
+
+/* Plugin modules initialisation */
+
+NTSTATUS auth_init_plugin(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
 {
- smb_register_auth("guest", auth_init_guest, AUTH_INTERFACE_VERSION);
-#ifdef DEVELOPER
- smb_register_auth("fixed_challenge", auth_init_fixed_challenge, AUTH_INTERFACE_VERSION);
- smb_register_auth("name_to_ntstatus", auth_init_name_to_ntstatus, AUTH_INTERFACE_VERSION);
-#endif
- return True;
+ void * dl_handle;
+ char *plugin_param, *plugin_name, *p;
+ auth_init_function plugin_init;
+
+ if (param == NULL) {
+ DEBUG(0, ("auth_init_plugin: The plugin module needs an argument!\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ plugin_name = smb_xstrdup(param);
+ p = strchr(plugin_name, ':');
+ if (p) {
+ *p = 0;
+ plugin_param = p+1;
+ trim_string(plugin_param, " ", " ");
+ } else plugin_param = NULL;
+
+ trim_string(plugin_name, " ", " ");
+
+ DEBUG(5, ("auth_init_plugin: Trying to load auth plugin %s\n", plugin_name));
+ dl_handle = sys_dlopen(plugin_name, RTLD_NOW );
+ if (!dl_handle) {
+ DEBUG(0, ("auth_init_plugin: Failed to load auth plugin %s using sys_dlopen (%s)\n",
+ plugin_name, sys_dlerror()));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ plugin_init = sys_dlsym(dl_handle, "auth_init");
+ if (!plugin_init){
+ DEBUG(0, ("Failed to find function 'auth_init' using sys_dlsym in sam plugin %s (%s)\n",
+ plugin_name, sys_dlerror()));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ DEBUG(5, ("Starting sam plugin %s with paramater %s\n", plugin_name, plugin_param?plugin_param:"(null)"));
+ return plugin_init(auth_context, plugin_param, auth_method);
 }
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index 7dca5914f0..534af2257d 100644
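Review bot: `plugin_name` from smb_xstrdup() is never freed on any path of auth_init_plugin, and on the sys_dlsym failure path the library handle is left open as well. Because `plugin_param` points into the same buffer, the free has to come after `plugin_init()` returns, which matches how make_auth_context_text_list frees `module_name` only after calling a module's init. The two DEBUG strings also still say 'sam plugin' although this is the auth module, and the header comment has 'Outsorce' and 'paramater'; `Outsource an auth module to an external loadable .so` and `parameter` would fix those.
```c
	auth_init_function plugin_init;
	NTSTATUS nt_status;

	/* … unchanged: argument check, name/param split, trim_string() … */

	dl_handle = sys_dlopen(plugin_name, RTLD_NOW );
	if (!dl_handle) {
		DEBUG(0, ("auth_init_plugin: Failed to load auth plugin %s using sys_dlopen (%s)\n",
			  plugin_name, sys_dlerror()));
		SAFE_FREE(plugin_name);
		return NT_STATUS_UNSUCCESSFUL;
	}

	plugin_init = sys_dlsym(dl_handle, "auth_init");
	if (!plugin_init){
		DEBUG(0, ("Failed to find function 'auth_init' using sys_dlsym in sam plugin %s (%s)\n",
			  plugin_name, sys_dlerror()));
		sys_dlclose(dl_handle);
		SAFE_FREE(plugin_name);
		return NT_STATUS_UNSUCCESSFUL;
	}

	DEBUG(5, ("Starting sam plugin %s with paramater %s\n", plugin_name, plugin_param?plugin_param:"(null)"));
	/* plugin_param lives inside plugin_name, so free only after init has used it. */
	nt_status = plugin_init(auth_context, plugin_param, auth_method);
	SAFE_FREE(plugin_name);
	return nt_status;
```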
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -24,7 +24,7 @@
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
-extern BOOL global_machine_password_needs_changing;
+BOOL global_machine_password_needs_changing = False;
 extern userdom_struct current_user_info;
@@ -175,11 +175,6 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
 &dest_ip, 0, "IPC$", "IPC", "", "", "",0, retry);
 if (!NT_STATUS_IS_OK(result)) {
- /* map to something more useful */
- if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) {
- result = NT_STATUS_NO_LOGON_SERVERS;
- }
-
 release_server_mutex();
 return result;
 }
@@ -277,7 +272,7 @@ static NTSTATUS find_connect_dc(struct cli_state **cli,
 struct in_addr dc_ip;
 fstring srv_name;
- if (!rpc_find_dc(domain, srv_name, &dc_ip)) {
+ if ( !rpc_find_dc(lp_workgroup(), srv_name, &dc_ip) ) {
 DEBUG(0,("find_connect_dc: Failed to find an DCs for %s\n", lp_workgroup()));
 return NT_STATUS_NO_LOGON_SERVERS;
 }
@@ -550,10 +545,3 @@ NTSTATUS auth_init_trustdomain(struct auth_context *auth_context, const char* pa
 (*auth_method)->auth = check_trustdomain_security;
 return NT_STATUS_OK;
 }
-
-int auth_domain_init(void)
-{
- smb_register_auth("trustdomain", auth_init_trustdomain, AUTH_INTERFACE_VERSION);
- smb_register_auth("ntdomain", auth_init_ntdomain, AUTH_INTERFACE_VERSION);
- return True;
-}
diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c
index db37193579..5451f7d930 100644
--- a/source3/auth/auth_rhosts.c
+++ b/source3/auth/auth_rhosts.c
@@ -242,10 +242,3 @@ NTSTATUS auth_init_rhosts(struct auth_context *auth_context, const char *param,
 (*auth_method)->name = "rhosts";
 return NT_STATUS_OK;
 }
-
-int auth_rhosts_init(void)
-{
- smb_register_auth("rhosts", auth_init_rhosts, AUTH_INTERFACE_VERSION);
- smb_register_auth("hostsequiv", auth_init_hostsequiv, AUTH_INTERFACE_VERSION);
- return True;
-}
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index aa399f33e2..b309833440 100644
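Review bot: In the -277 hunk find_connect_dc now asks rpc_find_dc() for a DC of `lp_workgroup()` regardless of the `domain` argument the function still receives (the removed line shows it was the lookup key), so every caller is routed to a DC of the local workgroup. If this function still serves trusted-domain authentication — auth_init_trustdomain lives in this same file — a foreign domain's credentials would be checked against the wrong DC, and the failure message, which already printed lp_workgroup(), would not reveal which domain was actually requested. Either keep using `domain` in the lookup or drop the now-unused parameter, and log the requested domain as well, e.g. `DEBUG(0,("find_connect_dc: Failed to find an DCs for %s (requested domain %s)\n", lp_workgroup(), domain));`. find_connect_dc starts and ends outside the hunk.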
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -500,8 +500,6 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context
 unless it is one of our aliases. */
 if (!is_myname(user_info->domain.str)) {
- DEBUG(7,("The requested user domain is not the local server name. [%s]\\[%s]\n",
- user_info->domain.str,user_info->internal_username.str));
 return NT_STATUS_NO_SUCH_USER;
 }
@@ -520,53 +518,4 @@ NTSTATUS auth_init_samstrict(struct auth_context *auth_context, const char *para
 return NT_STATUS_OK;
 }
-/****************************************************************************
-Check SAM security (above) but with a few extra checks if we're a DC.
-****************************************************************************/
-
-static NTSTATUS check_samstrict_dc_security(const struct auth_context *auth_context,
- void *my_private_data,
- TALLOC_CTX *mem_ctx,
- const auth_usersupplied_info *user_info,
- auth_serversupplied_info **server_info)
-{
-
- if (!user_info || !auth_context) {
- return NT_STATUS_LOGON_FAILURE;
- }
-
- /* If we are a domain member, we must not
- attempt to check the password locally,
- unless it is one of our aliases, empty
- or our domain if we are a logon server.*/
-
- if ((!is_myworkgroup(user_info->domain.str))&&
- (!is_myname(user_info->domain.str))) {
- DEBUG(7,("The requested user domain is not the local server name or our domain. [%s]\\[%s]\n",
- user_info->domain.str,user_info->internal_username.str));
- return NT_STATUS_NO_SUCH_USER;
- }
-
- return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, server_info);
-}
-
-/* module initialisation */
-NTSTATUS auth_init_samstrict_dc(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
-{
- if (!make_auth_methods(auth_context, auth_method)) {
- return NT_STATUS_NO_MEMORY;
- }
-
- (*auth_method)->auth = check_samstrict_dc_security;
- (*auth_method)->name = "samstrict_dc";
- return NT_STATUS_OK;
-}
-
-int auth_sam_init(void)
-{
- smb_register_auth("samstrict_dc", auth_init_samstrict_dc, AUTH_INTERFACE_VERSION);
- smb_register_auth("samstrict", auth_init_samstrict, AUTH_INTERFACE_VERSION);
- smb_register_auth("sam", auth_init_sam, AUTH_INTERFACE_VERSION);
- return True;
-}
diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c
index a311f01dc3..5144852d3b 100644
--- a/source3/auth/auth_server.c
+++ b/source3/auth/auth_server.c
@@ -400,8 +400,3 @@ NTSTATUS auth_init_smbserver(struct auth_context *auth_context, const char* para
 (*auth_method)->free_private_data = free_server_private_data;
 return NT_STATUS_OK;
 }
-
-int auth_server_init(void)
-{
- return smb_register_auth("smbserver", auth_init_smbserver, AUTH_INTERFACE_VERSION);
-}
diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c
index efab2046c3..4f44767a81 100644
--- a/source3/auth/auth_unix.c
+++ b/source3/auth/auth_unix.c
@@ -130,7 +130,3 @@ NTSTATUS auth_init_unix(struct auth_context *auth_context, const char* param, au
 return NT_STATUS_OK;
 }
-int auth_unix_init(void)
-{
- return smb_register_auth("unix", auth_init_unix, AUTH_INTERFACE_VERSION);
-}
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index ddb833a0e5..d0f1fc1e34 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -219,18 +219,35 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
 where it doens't supply a domain for logon script 'net use' commands.
- Finally, we do this by looking up a cache of trusted domains!
+ The way I do it here is by checking if the fully
+ qualified username exists. This is rather reliant
+ on winbind, but until we have a better method this
+ will have to do
 */
 domain = client_domain;
- if (is_trusted_domain(domain)) {
- return make_user_info(user_info, smb_name, internal_username,
- client_domain, domain, wksta_name,
- lm_pwd, nt_pwd, plaintext, ntlmssp_flags,
- encrypted);
- }
+ if ((smb_name) && (*smb_name)) { /* Don't do this for guests */
+ char *user = NULL;
+ if (asprintf(&user, "%s%s%s",
+ client_domain, lp_winbind_separator(),
+ smb_name) < 0) {
+ DEBUG(0, ("make_user_info_map: asprintf() failed!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+ DEBUG(5, ("make_user_info_map: testing for user %s\n", user));
+
+ if (Get_Pwnam(user) == NULL) {
+ DEBUG(5, ("make_user_info_map: test for user %s failed\n", user));
+ domain = lp_workgroup();
+ DEBUG(5, ("make_user_info_map: trusted domain %s doesn't appear to exist, using %s\n",
+ client_domain, domain));
+ } else {
+ DEBUG(5, ("make_user_info_map: using trusted domain %s\n", domain));
+ }
+ SAFE_FREE(user);
+ }
 } else {
 domain = lp_workgroup();
 }
@@ -869,8 +886,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 struct passwd *passwd;
- unid_t u_id, g_id;
- int u_type, g_type;
+ uid_t uid;
+ gid_t gid;
 int n_lgroupSIDs;
 DOM_SID *lgroupSIDs = NULL;
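Review bot: The success branch logs `make_user_info_map: using trusted domain %s`, but nothing in this block establishes a trust: Get_Pwnam() only showed that an account named `client_domain<separator>smb_name` resolves, which is equally true for a local-workgroup user reached through winbind, so someone reading the logs would take it as a trust check that never happened. The replacement comment should say as much, e.g. `The way I do it here is by checking whether the fully qualified name resolves; that does not prove the domain is trusted, only that the account is known`. `client_domain` is also handed straight to asprintf() with `%s`; if any caller can pass NULL here (the function starts outside the hunk), that is undefined behaviour and needs a guard before this block — TODO confirm against the callers.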
@@ -907,11 +924,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 domain = domain;
 }
- u_type = ID_USERID;
- g_type = ID_GROUPID;
- if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&u_id, &u_type, &user_sid))
- && NT_STATUS_IS_OK(idmap_get_id_from_sid(&g_id, &g_type, &group_sid))
- && ((passwd = getpwuid_alloc(u_id.uid)))) {
+ if (winbind_sid_to_uid(&uid, &user_sid)
+ && winbind_sid_to_gid(&gid, &group_sid)
+ && ((passwd = getpwuid_alloc(uid)))) {
 nt_status = pdb_init_sam_pw(&sam_account, passwd);
 passwd_free(&passwd);
 } else {
diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c
index e2a292dd01..5e1567d3c1 100644
--- a/source3/auth/auth_winbind.c
+++ b/source3/auth/auth_winbind.c
@@ -134,8 +134,3 @@ NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char *param,
 (*auth_method)->auth = check_winbind_security;
 return NT_STATUS_OK;
 }
-
-int auth_winbind_init(void)
-{
- return smb_register_auth("winbind", auth_init_winbind, AUTH_INTERFACE_VERSION);
-}
 |