diff options
Diffstat (limited to 'source3/nsswitch/winbindd_pam.c')
-rw-r--r-- | source3/nsswitch/winbindd_pam.c | 151 |
1 files changed, 78 insertions, 73 deletions
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index a3b0849721..3099944301 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -1,4 +1,4 @@ -/* +/* Unix SMB/CIFS implementation. Winbind daemon - pam auth funcions @@ -53,7 +53,61 @@ static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } -/* Return a password structure from a username. */ +/******************************************************************* + wrapper around retreiving the trsut account password +*******************************************************************/ + +static BOOL get_trust_pw(const char *domain, uint8 ret_pwd[16], + time_t *pass_last_set_time, uint32 *channel) +{ + DOM_SID sid; + char *pwd; + + if ( lp_server_role()==ROLE_DOMAIN_MEMBER || strequal(domain, lp_workgroup()) ) + { + /* + * Get the machine account password for the domain to contact. + * This is either our own domain for a workstation, or possibly + * any domain for a PDC with trusted domains. + */ + + if ( !secrets_fetch_trust_account_password (domain, ret_pwd, + pass_last_set_time, channel) ) + { + DEBUG(0, ("get_trust_pw: could not fetch trust account " + "password for my domain %s\n", domain)); + return False; + } + + return True; + } + else if ( lp_allow_trusted_domains() ) + { + /* if we are not a domain member, then we must be a DC and + this must be a trusted domain */ + + if ( !secrets_fetch_trusted_domain_password(domain, &pwd, &sid, + pass_last_set_time) ) + { + DEBUG(0, ("get_trust_pw: could not fetch trust account " + "password for trusted domain %s\n", domain)); + return False; + } + + *channel = SEC_CHAN_DOMAIN; + E_md4hash(pwd, ret_pwd); + SAFE_FREE(pwd); + + return True; + } + + /* Failure */ + return False; +} + +/********************************************************************** + Authenticate a user with a clear test password +**********************************************************************/ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) { @@ -70,6 +124,8 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) DATA_BLOB nt_resp; DOM_CRED ret_creds; int attempts = 0; + unsigned char local_lm_response[24]; + unsigned char local_nt_response[24]; /* Ensure null termination */ state->request.data.auth.user[sizeof(state->request.data.auth.user)-1]='\0'; @@ -95,38 +151,29 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) goto done; } - { - unsigned char local_lm_response[24]; - unsigned char local_nt_response[24]; - - generate_random_buffer(chal, 8, False); - SMBencrypt(state->request.data.auth.pass, chal, local_lm_response); + /* do password magic */ + + generate_random_buffer(chal, 8, False); + SMBencrypt(state->request.data.auth.pass, chal, local_lm_response); - SMBNTencrypt(state->request.data.auth.pass, chal, local_nt_response); + SMBNTencrypt(state->request.data.auth.pass, chal, local_nt_response); - lm_resp = data_blob_talloc(mem_ctx, local_lm_response, sizeof(local_lm_response)); - nt_resp = data_blob_talloc(mem_ctx, local_nt_response, sizeof(local_nt_response)); - } + lm_resp = data_blob_talloc(mem_ctx, local_lm_response, sizeof(local_lm_response)); + nt_resp = data_blob_talloc(mem_ctx, local_nt_response, sizeof(local_nt_response)); - /* - * Get the machine account password for our primary domain - */ - - if (!secrets_fetch_trust_account_password( - lp_workgroup(), trust_passwd, &last_change_time, - &sec_channel_type)) { - DEBUG(0, ("winbindd_pam_auth: could not fetch trust account " - "password for domain %s\n", lp_workgroup())); + if ( !get_trust_pw(name_domain, trust_passwd, &last_change_time, &sec_channel_type) ) { result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO; goto done; } + /* check authentication loop */ + do { ZERO_STRUCT(info3); ZERO_STRUCT(ret_creds); /* Don't shut this down - it belongs to the connection cache code */ - result = cm_get_netlogon_cli(lp_workgroup(), trust_passwd, + result = cm_get_netlogon_cli(name_domain, trust_passwd, sec_channel_type, False, &cli); if (!NT_STATUS_IS_OK(result)) { @@ -173,8 +220,10 @@ done: return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR; } - -/* Challenge Response Authentication Protocol */ + +/********************************************************************** + Challenge Response Authentication Protocol +**********************************************************************/ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) { @@ -187,7 +236,6 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) TALLOC_CTX *mem_ctx = NULL; char *user = NULL; const char *domain = NULL; - const char *contact_domain; const char *workstation; DOM_CRED ret_creds; int attempts = 0; @@ -235,52 +283,10 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) DEBUG(3, ("[%5d]: pam auth crap domain: %s user: %s\n", state->pid, domain, user)); - - /* check our role as a domain member first */ - if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) { - if ( !lp_allow_trusted_domains() && !strequal(domain, lp_workgroup()) ) { - DEBUG(5,("winbindd_pam_auth_crap: failing autghentication becuase of disallowed trust domains\n")); - result = NT_STATUS_LOGON_FAILURE; - goto done; - } - - contact_domain = domain; - - /* - * Get the machine account password for the domain to contact. - * This is either our own domain for a workstation, or possibly - * any domain for a PDC with trusted domains. - */ - - if (!secrets_fetch_trust_account_password (contact_domain, - trust_passwd, - &last_change_time, - &sec_channel_type)) { - DEBUG(0, ("winbindd_pam_auth_crap: could not fetch trust account " - "password for domain %s\n", contact_domain)); - result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO; - goto done; - } - } - else if ( lp_allow_trusted_domains() ) { - /* if we are not a domain member, then we must be a DC. Must never - see a logon for our domain */ - DOM_SID sid; - char *pwd; - contact_domain = domain; - - if (!secrets_fetch_trusted_domain_password (contact_domain, - &pwd, &sid, - &last_change_time)) { - DEBUG(0, ("winbindd_pam_auth_crap: could not fetch trust account " - "password for domain %s\n", contact_domain)); - result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO; - goto done; - } - sec_channel_type = SEC_CHAN_DOMAIN; - E_md4hash(pwd, trust_passwd); - SAFE_FREE(pwd); - + + if ( !get_trust_pw(domain, trust_passwd, &last_change_time, &sec_channel_type) ) { + result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + goto done; } if (*state->request.data.auth_crap.workstation) { @@ -310,8 +316,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) ZERO_STRUCT(ret_creds); /* Don't shut this down - it belongs to the connection cache code */ - result = cm_get_netlogon_cli(contact_domain, trust_passwd, - sec_channel_type, False, &cli); + result = cm_get_netlogon_cli(domain, trust_passwd, sec_channel_type, False, &cli); if (!NT_STATUS_IS_OK(result)) { DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n", |