Diffstat (limited to 'source3/auth')
-rw-r--r--source3/auth/auth.c100
-rw-r--r--source3/auth/auth_builtin.c52
-rw-r--r--source3/auth/auth_domain.c16
-rw-r--r--source3/auth/auth_rhosts.c7
-rw-r--r--source3/auth/auth_sam.c51
-rw-r--r--source3/auth/auth_server.c5
-rw-r--r--source3/auth/auth_unix.c4
-rw-r--r--source3/auth/auth_util.c43
-rw-r--r--source3/auth/auth_winbind.c5
9 files changed, 113 insertions, 170 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 71e9ab0428..126a712fbd 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -23,45 +23,26 @@
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
-static struct auth_init_function_entry *backends = NULL;
-
-BOOL smb_register_auth(const char *name, auth_init_function init, int version)
-{
- struct auth_init_function_entry *entry = backends;
-
- if(version != AUTH_INTERFACE_VERSION)
- return False;
-
- DEBUG(5,("Attempting to register auth backend %s\n", name));
-
- while(entry) {
- if (strequal(name, entry->name)) {
- DEBUG(0,("There already is an auth backend registered with the name %s!\n", name));
- return False;
- }
- entry = entry->next;
- }
-
- entry = smb_xmalloc(sizeof(struct auth_init_function_entry));
- entry->name = smb_xstrdup(name);
- entry->init = init;
-
- DLIST_ADD(backends, entry);
- DEBUG(5,("Successfully added auth backend '%s'\n", name));
- return True;
-}
-
-static struct auth_init_function_entry *auth_find_backend_entry(const char *name)
-{
- struct auth_init_function_entry *entry = backends;
-
- while(entry) {
- if (strequal(entry->name, name)) return entry;
- entry = entry->next;
- }
-
- return NULL;
-}
+/** List of various built-in authentication modules */
+
+static const struct auth_init_function_entry builtin_auth_init_functions[] = {
+ { "guest", auth_init_guest },
+ { "rhosts", auth_init_rhosts },
+ { "hostsequiv", auth_init_hostsequiv },
+ { "sam", auth_init_sam },
+ { "samstrict", auth_init_samstrict },
+ { "unix", auth_init_unix },
+ { "smbserver", auth_init_smbserver },
+ { "ntdomain", auth_init_ntdomain },
+ { "trustdomain", auth_init_trustdomain },
+ { "winbind", auth_init_winbind },
+#ifdef DEVELOPER
+ { "name_to_ntstatus", auth_init_name_to_ntstatus },
+ { "fixed_challenge", auth_init_fixed_challenge },
+#endif
+ { "plugin", auth_init_plugin },
+ { NULL, NULL}
+};
/****************************************************************************
Try to get a challenge out of the various authentication modules.
@@ -343,8 +324,8 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context,
auth_methods *list = NULL;
auth_methods *t = NULL;
auth_methods *tmp;
+ int i;
NTSTATUS nt_status;
- static BOOL initialised_static_modules = False;
if (!text_list) {
DEBUG(2,("make_auth_context_text_list: No auth method list!?\n"));
@@ -353,22 +334,15 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context,
if (!NT_STATUS_IS_OK(nt_status = make_auth_context(auth_context)))
return nt_status;
-
- /* Initialise static modules if not done so yet */
- if(!initialised_static_modules) {
- static_init_auth;
- initialised_static_modules = True;
- }
for (;*text_list; text_list++) {
- struct auth_init_function_entry *entry;
+ DEBUG(5,("make_auth_context_text_list: Attempting to find an auth method to match %s\n",
+ *text_list));
+ for (i = 0; builtin_auth_init_functions[i].name; i++) {
char *module_name = smb_xstrdup(*text_list);
char *module_params = NULL;
char *p;
- DEBUG(5,("make_auth_context_text_list: Attempting to find an auth method to match %s\n",
- *text_list));
-
p = strchr(module_name, ':');
if (p) {
*p = 0;
@@ -378,20 +352,20 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context,
trim_string(module_name, " ", " ");
- entry = auth_find_backend_entry(module_name);
-
- if(!(entry = auth_find_backend_entry(module_name)) && !smb_probe_module("auth", module_name) &&
- !(entry = auth_find_backend_entry(module_name))) {
- DEBUG(0,("make_auth_context_text_list: can't find auth method %s!\n", module_name));
- } else if (!NT_STATUS_IS_OK(entry->init(*auth_context, module_params, &t))) {
- DEBUG(0,("make_auth_context_text_list: auth method %s did not correctly init\n",
- *text_list));
- } else {
- DEBUG(5,("make_auth_context_text_list: auth method %s has a valid init\n",
- *text_list));
- DLIST_ADD_END(list, t, tmp);
+ if (strequal(builtin_auth_init_functions[i].name, module_name)) {
+ DEBUG(5,("make_auth_context_text_list: Found auth method %s (at pos %d)\n", *text_list, i));
+ if (NT_STATUS_IS_OK(builtin_auth_init_functions[i].init(*auth_context, module_params, &t))) {
+ DEBUG(5,("make_auth_context_text_list: auth method %s has a valid init\n",
+ *text_list));
+ DLIST_ADD_END(list, t, tmp);
+ } else {
+ DEBUG(0,("make_auth_context_text_list: auth method %s did not correctly init\n",
+ *text_list));
+ }
+ break;
}
SAFE_FREE(module_name);
+ }
}
(*auth_context)->auth_method_list = list;
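Review bot: On the matched path the `break;` at L142 leaves the inner loop before `SAFE_FREE(module_name);` at L144, so the smb_xstrdup() copy made at the top of the inner loop (previous hunk, L109) leaks once per configured auth method; that copy is also made once per table entry rather than once per text_list entry. A name that matches no table entry now falls out of the loop with only the level-5 "Attempting to find" message, whereas the removed code logged `DEBUG(0, "can't find auth method")`, so a typo in the auth methods list is dropped without an operator-visible error. Freeing before the break and logging a miss after the loop addresses both; make_auth_context_text_list starts and ends outside this hunk.
```c
		for (i = 0; builtin_auth_init_functions[i].name; i++) {
			/* … unchanged: module_name/module_params split and trim … */
			if (strequal(builtin_auth_init_functions[i].name, module_name)) {
				/* … unchanged: DEBUG, init call, DLIST_ADD_END … */
				SAFE_FREE(module_name);
				break;
			}
			SAFE_FREE(module_name);
		}
		/* loop ran off the end of the table: nothing matched */
		if (!builtin_auth_init_functions[i].name) {
			DEBUG(0,("make_auth_context_text_list: can't find auth method %s!\n", *text_list));
		}
```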
@@ -443,7 +417,7 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context)
break;
case SEC_ADS:
DEBUG(5,("Making default auth method list for security=ADS\n"));
- auth_method_list = str_list_make("guest sam winbind ntdomain", NULL);
+ auth_method_list = str_list_make("guest sam ads winbind ntdomain", NULL);
break;
default:
DEBUG(5,("Unknown auth method!\n"));
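Review bot: The new default list `"guest sam ads winbind ntdomain"` at L153 names an `ads` method, but the builtin table introduced in the first hunk of this file (L66–L83) has no `ads` entry, and the lookup in make_auth_context_text_list only matches entries of that table, so under security=ADS that method is never instantiated. Because the lookup no longer reports a miss at level 0, the entry disappears from the chain without any visible error. Either add an `ads` row to the table (pointing at whatever init function implements it, if one exists in the tree) or leave `ads` out of the default list until it does. make_auth_context_subsystem continues outside the hunk.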
diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c
index 509a4afba9..a19c532fc9 100644
--- a/source3/auth/auth_builtin.c
+++ b/source3/auth/auth_builtin.c
@@ -161,12 +161,50 @@ NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char
return NT_STATUS_OK;
}
-int auth_builtin_init(void)
+/**
+ * Outsorce an auth module to an external loadable .so
+ *
+ * Only works on systems with dlopen() etc.
+ **/
+
+/* Plugin modules initialisation */
+
+NTSTATUS auth_init_plugin(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
{
- smb_register_auth("guest", auth_init_guest, AUTH_INTERFACE_VERSION);
-#ifdef DEVELOPER
- smb_register_auth("fixed_challenge", auth_init_fixed_challenge, AUTH_INTERFACE_VERSION);
- smb_register_auth("name_to_ntstatus", auth_init_name_to_ntstatus, AUTH_INTERFACE_VERSION);
-#endif
- return True;
+ void * dl_handle;
+ char *plugin_param, *plugin_name, *p;
+ auth_init_function plugin_init;
+
+ if (param == NULL) {
+ DEBUG(0, ("auth_init_plugin: The plugin module needs an argument!\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ plugin_name = smb_xstrdup(param);
+ p = strchr(plugin_name, ':');
+ if (p) {
+ *p = 0;
+ plugin_param = p+1;
+ trim_string(plugin_param, " ", " ");
+ } else plugin_param = NULL;
+
+ trim_string(plugin_name, " ", " ");
+
+ DEBUG(5, ("auth_init_plugin: Trying to load auth plugin %s\n", plugin_name));
+ dl_handle = sys_dlopen(plugin_name, RTLD_NOW );
+ if (!dl_handle) {
+ DEBUG(0, ("auth_init_plugin: Failed to load auth plugin %s using sys_dlopen (%s)\n",
+ plugin_name, sys_dlerror()));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ plugin_init = sys_dlsym(dl_handle, "auth_init");
+ if (!plugin_init){
+ DEBUG(0, ("Failed to find function 'auth_init' using sys_dlsym in sam plugin %s (%s)\n",
+ plugin_name, sys_dlerror()));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ DEBUG(5, ("Starting sam plugin %s with paramater %s\n", plugin_name, plugin_param?plugin_param:"(null)"));
+ return plugin_init(auth_context, plugin_param, auth_method);
}
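Review bot: `plugin_name` (smb_xstrdup() at L190) is never freed on any path of auth_init_plugin, and on the sys_dlsym() failure at L209 the handle returned by sys_dlopen() at L201 is also left open, so every failed or successful plugin load leaks. The convention already visible in make_auth_context_text_list in auth.c (the module string, which the param points into, is freed right after the init call) suggests freeing `plugin_name` after `plugin_init()` returns, assuming the plugin does not retain the `param` pointer — worth confirming. The messages at L210 and L215 say "sam plugin" and "paramater" for what is an auth plugin, and the doc comment at L166 reads "Outsorce"; since `plugin_name` comes straight from the configured parameter, a comment above the sys_dlopen() call noting that a relative name is resolved by the dynamic loader's search path (so an absolute path is expected) would help operators.
```c
	NTSTATUS nt_status;
	/* … unchanged: argument check, name/param split and trim … */
	dl_handle = sys_dlopen(plugin_name, RTLD_NOW );
	if (!dl_handle) {
		/* … unchanged: DEBUG(0, …) … */
		SAFE_FREE(plugin_name);
		return NT_STATUS_UNSUCCESSFUL;
	}

	plugin_init = sys_dlsym(dl_handle, "auth_init");
	if (!plugin_init){
		/* … unchanged: DEBUG(0, …) … */
		sys_dlclose(dl_handle);
		SAFE_FREE(plugin_name);
		return NT_STATUS_UNSUCCESSFUL;
	}

	/* … unchanged: DEBUG(5, "Starting …") … */
	nt_status = plugin_init(auth_context, plugin_param, auth_method);
	SAFE_FREE(plugin_name);
	return nt_status;
```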
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index 7dca5914f0..534af2257d 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -24,7 +24,7 @@
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
-extern BOOL global_machine_password_needs_changing;
+BOOL global_machine_password_needs_changing = False;
extern userdom_struct current_user_info;
@@ -175,11 +175,6 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
&dest_ip, 0, "IPC$", "IPC", "", "", "",0, retry);
if (!NT_STATUS_IS_OK(result)) {
- /* map to something more useful */
- if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) {
- result = NT_STATUS_NO_LOGON_SERVERS;
- }
-
release_server_mutex();
return result;
}
@@ -277,7 +272,7 @@ static NTSTATUS find_connect_dc(struct cli_state **cli,
struct in_addr dc_ip;
fstring srv_name;
- if (!rpc_find_dc(domain, srv_name, &dc_ip)) {
+ if ( !rpc_find_dc(lp_workgroup(), srv_name, &dc_ip) ) {
DEBUG(0,("find_connect_dc: Failed to find an DCs for %s\n", lp_workgroup()));
return NT_STATUS_NO_LOGON_SERVERS;
}
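Review bot: The DC lookup at L243 now passes `lp_workgroup()` instead of the `domain` argument, so whatever domain find_connect_dc was asked for, it locates a DC of the local workgroup; if this function is also reached for trusted-domain logons (its signature and callers are outside the hunk), those requests would be directed at the wrong domain's DC. If the intent is that only the local workgroup is ever contacted here, the now-unused `domain` parameter should be removed or the reason recorded in a comment above the call, e.g. `/* DC lookup is deliberately for our own workgroup, regardless of the requested domain */`. The existing DEBUG message already prints `lp_workgroup()`, which at least makes the log consistent with the new behaviour.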
@@ -550,10 +545,3 @@ NTSTATUS auth_init_trustdomain(struct auth_context *auth_context, const char* pa
(*auth_method)->auth = check_trustdomain_security;
return NT_STATUS_OK;
}
-
-int auth_domain_init(void)
-{
- smb_register_auth("trustdomain", auth_init_trustdomain, AUTH_INTERFACE_VERSION);
- smb_register_auth("ntdomain", auth_init_ntdomain, AUTH_INTERFACE_VERSION);
- return True;
-}
diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c
index db37193579..5451f7d930 100644
--- a/source3/auth/auth_rhosts.c
+++ b/source3/auth/auth_rhosts.c
@@ -242,10 +242,3 @@ NTSTATUS auth_init_rhosts(struct auth_context *auth_context, const char *param,
(*auth_method)->name = "rhosts";
return NT_STATUS_OK;
}
-
-int auth_rhosts_init(void)
-{
- smb_register_auth("rhosts", auth_init_rhosts, AUTH_INTERFACE_VERSION);
- smb_register_auth("hostsequiv", auth_init_hostsequiv, AUTH_INTERFACE_VERSION);
- return True;
-}
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index aa399f33e2..b309833440 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -500,8 +500,6 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context
unless it is one of our aliases. */
if (!is_myname(user_info->domain.str)) {
- DEBUG(7,("The requested user domain is not the local server name. [%s]\\[%s]\n",
- user_info->domain.str,user_info->internal_username.str));
return NT_STATUS_NO_SUCH_USER;
}
@@ -520,53 +518,4 @@ NTSTATUS auth_init_samstrict(struct auth_context *auth_context, const char *para
return NT_STATUS_OK;
}
-/****************************************************************************
-Check SAM security (above) but with a few extra checks if we're a DC.
-****************************************************************************/
-
-static NTSTATUS check_samstrict_dc_security(const struct auth_context *auth_context,
- void *my_private_data,
- TALLOC_CTX *mem_ctx,
- const auth_usersupplied_info *user_info,
- auth_serversupplied_info **server_info)
-{
-
- if (!user_info || !auth_context) {
- return NT_STATUS_LOGON_FAILURE;
- }
-
- /* If we are a domain member, we must not
- attempt to check the password locally,
- unless it is one of our aliases, empty
- or our domain if we are a logon server.*/
-
- if ((!is_myworkgroup(user_info->domain.str))&&
- (!is_myname(user_info->domain.str))) {
- DEBUG(7,("The requested user domain is not the local server name or our domain. [%s]\\[%s]\n",
- user_info->domain.str,user_info->internal_username.str));
- return NT_STATUS_NO_SUCH_USER;
- }
-
- return check_sam_security(auth_context, my_private_data, mem_ctx, user_info, server_info);
-}
-
-/* module initialisation */
-NTSTATUS auth_init_samstrict_dc(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
-{
- if (!make_auth_methods(auth_context, auth_method)) {
- return NT_STATUS_NO_MEMORY;
- }
-
- (*auth_method)->auth = check_samstrict_dc_security;
- (*auth_method)->name = "samstrict_dc";
- return NT_STATUS_OK;
-}
-
-int auth_sam_init(void)
-{
- smb_register_auth("samstrict_dc", auth_init_samstrict_dc, AUTH_INTERFACE_VERSION);
- smb_register_auth("samstrict", auth_init_samstrict, AUTH_INTERFACE_VERSION);
- smb_register_auth("sam", auth_init_sam, AUTH_INTERFACE_VERSION);
- return True;
-}
diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c
index a311f01dc3..5144852d3b 100644
--- a/source3/auth/auth_server.c
+++ b/source3/auth/auth_server.c
@@ -400,8 +400,3 @@ NTSTATUS auth_init_smbserver(struct auth_context *auth_context, const char* para
(*auth_method)->free_private_data = free_server_private_data;
return NT_STATUS_OK;
}
-
-int auth_server_init(void)
-{
- return smb_register_auth("smbserver", auth_init_smbserver, AUTH_INTERFACE_VERSION);
-}
diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c
index efab2046c3..4f44767a81 100644
--- a/source3/auth/auth_unix.c
+++ b/source3/auth/auth_unix.c
@@ -130,7 +130,3 @@ NTSTATUS auth_init_unix(struct auth_context *auth_context, const char* param, au
return NT_STATUS_OK;
}
-int auth_unix_init(void)
-{
- return smb_register_auth("unix", auth_init_unix, AUTH_INTERFACE_VERSION);
-}
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index ddb833a0e5..d0f1fc1e34 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -219,18 +219,35 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
where it doens't supply a domain for logon script
'net use' commands.
- Finally, we do this by looking up a cache of trusted domains!
+ The way I do it here is by checking if the fully
+ qualified username exists. This is rather reliant
+ on winbind, but until we have a better method this
+ will have to do
*/
domain = client_domain;
- if (is_trusted_domain(domain)) {
- return make_user_info(user_info, smb_name, internal_username,
- client_domain, domain, wksta_name,
- lm_pwd, nt_pwd, plaintext, ntlmssp_flags,
- encrypted);
- }
+ if ((smb_name) && (*smb_name)) { /* Don't do this for guests */
+ char *user = NULL;
+ if (asprintf(&user, "%s%s%s",
+ client_domain, lp_winbind_separator(),
+ smb_name) < 0) {
+ DEBUG(0, ("make_user_info_map: asprintf() failed!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+ DEBUG(5, ("make_user_info_map: testing for user %s\n", user));
+
+ if (Get_Pwnam(user) == NULL) {
+ DEBUG(5, ("make_user_info_map: test for user %s failed\n", user));
+ domain = lp_workgroup();
+ DEBUG(5, ("make_user_info_map: trusted domain %s doesn't appear to exist, using %s\n",
+ client_domain, domain));
+ } else {
+ DEBUG(5, ("make_user_info_map: using trusted domain %s\n", domain));
+ }
+ SAFE_FREE(user);
+ }
} else {
domain = lp_workgroup();
}
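Review bot: The `Get_Pwnam(user)` probe at L390 runs before any credential is verified, so every logon attempt naming a non-local domain triggers a passwd/winbind lookup for `client_domain<sep>smb_name`, both of which are client-supplied strings; a miss re-homes the user to `lp_workgroup()` with only level-5 logging. A short comment on the `if` at L380 would make that explicit for readers, e.g. `/* unauthenticated probe: client_domain and smb_name come straight from the request */`. The block's enclosing `if`/`else` and make_user_info_map's signature are outside the hunk, so I cannot tell from here which callers reach it.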
@@ -869,8 +886,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
struct passwd *passwd;
- unid_t u_id, g_id;
- int u_type, g_type;
+ uid_t uid;
+ gid_t gid;
int n_lgroupSIDs;
DOM_SID *lgroupSIDs = NULL;
@@ -907,11 +924,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
domain = domain;
}
- u_type = ID_USERID;
- g_type = ID_GROUPID;
- if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&u_id, &u_type, &user_sid))
- && NT_STATUS_IS_OK(idmap_get_id_from_sid(&g_id, &g_type, &group_sid))
- && ((passwd = getpwuid_alloc(u_id.uid)))) {
+ if (winbind_sid_to_uid(&uid, &user_sid)
+ && winbind_sid_to_gid(&gid, &group_sid)
+ && ((passwd = getpwuid_alloc(uid)))) {
nt_status = pdb_init_sam_pw(&sam_account, passwd);
passwd_free(&passwd);
} else {
diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c
index e2a292dd01..5e1567d3c1 100644
--- a/source3/auth/auth_winbind.c
+++ b/source3/auth/auth_winbind.c
@@ -134,8 +134,3 @@ NTSTATUS auth_init_winbind(struct auth_context *auth_context, const char *param,
(*auth_method)->auth = check_winbind_security;
return NT_STATUS_OK;
}
-
-int auth_winbind_init(void)
-{
- return smb_register_auth("winbind", auth_init_winbind, AUTH_INTERFACE_VERSION);
-}