diff options
Diffstat (limited to 'source3')
-rw-r--r-- | source3/include/proto.h | 5 | ||||
-rw-r--r-- | source3/libsmb/clientgen.c | 71 | ||||
-rw-r--r-- | source3/smbd/password.c | 215 | ||||
-rw-r--r-- | source3/utils/smbpasswd.c | 66 |
4 files changed, 233 insertions, 124 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h index 9bba68df48..adf753ccf5 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -51,6 +51,8 @@ void cmd_help(char *dum_in, char *dum_out); /*The following definitions come from clientgen.c */ +char *cli_smb_errstr(struct cli_state *cli); +char *cli_errstr(struct cli_state *cli); BOOL cli_api_pipe(struct cli_state *cli, char *pipe_name, int pipe_name_len, uint16 *setup, uint32 setup_count, uint32 max_setup_count, char *params, uint32 param_count, uint32 max_param_count, @@ -97,7 +99,6 @@ BOOL cli_session_request(struct cli_state *cli, char *host, int name_type, BOOL cli_connect(struct cli_state *cli, char *host, struct in_addr *ip); BOOL cli_initialise(struct cli_state *cli); void cli_shutdown(struct cli_state *cli); -char *cli_errstr(struct cli_state *cli); void cli_error(struct cli_state *cli, int *eclass, int *num); void cli_sockopt(struct cli_state *cli, char *options); int cli_setpid(struct cli_state *cli, int pid); @@ -1726,7 +1727,7 @@ struct smb_passwd *getsmbpwuid(unsigned int uid); char *encode_acct_ctrl(uint16 acct_ctrl); BOOL add_smbpwd_entry(struct smb_passwd *newpwd); BOOL mod_smbpwd_entry(struct smb_passwd* pwd); -void *machine_password_lock( char *doman, char *name, BOOL update); +void *machine_password_lock( char *domain, char *name, BOOL update); BOOL machine_password_unlock( void *token ); BOOL get_machine_account_password( void *mach_tok, unsigned char *ret_pwd, time_t *last_change_time); diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c index ea51395a8f..9de6afccee 100644 --- a/source3/libsmb/clientgen.c +++ b/source3/libsmb/clientgen.c @@ -29,6 +29,69 @@ extern int DEBUGLEVEL; +/***************************************************** + RAP error codes - a small start but will be extended. +*******************************************************/ + +struct +{ + int err; + char *message; +} rap_errmap[] = +{ + {5, "User has insufficient privilege" }, + {86, "The specified password is invalid" }, + {2226, "Operation only permitted on a Primary Domain Controller" }, + {2242, "The password of this user has expired." }, + {2243, "The password of this user cannot change." }, + {2244, "This password cannot be used now (password history conflict)." }, + {2245, "The password is shorter than required." }, + {2246, "The password of this user is too recent to change."}, + {0, NULL} +}; + +/**************************************************************************** + return a description of an SMB error +****************************************************************************/ +char *cli_smb_errstr(struct cli_state *cli) +{ + return smb_errstr(cli->inbuf); +} + +/****************************************************** + Return an error message - either an SMB error or a RAP + error. +*******************************************************/ + +char *cli_errstr(struct cli_state *cli) +{ + static fstring error_message; + int errclass; + int errnum; + int i; + + /* + * Errors are of two kinds - smb errors, + * dealt with by cli_smb_errstr, and rap + * errors, whose error code is in cli.error. + */ + + cli_error(cli, &errclass, &errnum); + if(errclass != 0) + return cli_smb_errstr(cli); + + sprintf(error_message, "code %d", cli->error); + + for(i = 0; rap_errmap[i].message != NULL; i++) { + if (rap_errmap[i].err == cli->error) { + fstrcpy( error_message, rap_errmap[i].message); + break; + } + } + + return error_message; +} + /**************************************************************************** setup basics in a outgoing packet ****************************************************************************/ @@ -1567,14 +1630,6 @@ void cli_shutdown(struct cli_state *cli) } /**************************************************************************** - return a description of the error -****************************************************************************/ -char *cli_errstr(struct cli_state *cli) -{ - return smb_errstr(cli->inbuf); -} - -/**************************************************************************** return error codes for the last packet ****************************************************************************/ void cli_error(struct cli_state *cli, int *eclass, int *num) diff --git a/source3/smbd/password.c b/source3/smbd/password.c index 04a1795e7f..d627edf1cd 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -1673,14 +1673,14 @@ BOOL check_hosts_equiv(char *user) } -static struct cli_state cli; +static struct cli_state pw_cli; /**************************************************************************** return the client state structure ****************************************************************************/ struct cli_state *server_client(void) { - return &cli; + return &pw_cli; } /**************************************************************************** @@ -1692,61 +1692,63 @@ struct cli_state *server_cryptkey(void) struct in_addr dest_ip; extern fstring local_machine; char *p; + BOOL connected_ok = False; - if (!cli_initialise(&cli)) + if (!cli_initialise(&pw_cli)) return NULL; - - for (p=strtok(lp_passwordserver(),LIST_SEP); p ; p = strtok(NULL,LIST_SEP)) { - fstrcpy(desthost,p); + + p = lp_passwordserver(); + while(p && next_token( &p, desthost, LIST_SEP)) { standard_sub_basic(desthost); strupper(desthost); if(!resolve_name( desthost, &dest_ip)) { - DEBUG(1,("server_cryptkey: Can't resolve address for %s\n",p)); + DEBUG(1,("server_cryptkey: Can't resolve address for %s\n",desthost)); continue; } if (ismyip(dest_ip)) { - DEBUG(1,("Password server loop - disabling password server %s\n",p)); + DEBUG(1,("Password server loop - disabling password server %s\n",desthost)); continue; } - if (cli_connect(&cli, desthost, &dest_ip)) { - DEBUG(3,("connected to password server %s\n",p)); + if (cli_connect(&pw_cli, desthost, &dest_ip)) { + DEBUG(3,("connected to password server %s\n",desthost)); + connected_ok = True; break; } } - if (!p) { - DEBUG(1,("password server not available\n")); - cli_shutdown(&cli); + if (!connected_ok) { + DEBUG(0,("password server not available\n")); + cli_shutdown(&pw_cli); return NULL; } - if (!cli_session_request(&cli, desthost, 0x20, local_machine)) { + if (!cli_session_request(&pw_cli, desthost, 0x20, local_machine)) { DEBUG(1,("%s rejected the session\n",desthost)); - cli_shutdown(&cli); + cli_shutdown(&pw_cli); return NULL; } DEBUG(3,("got session\n")); - if (!cli_negprot(&cli)) { + if (!cli_negprot(&pw_cli)) { DEBUG(1,("%s rejected the negprot\n",desthost)); - cli_shutdown(&cli); + cli_shutdown(&pw_cli); return NULL; } - if (cli.protocol < PROTOCOL_LANMAN2 || - !(cli.sec_mode & 1)) { + if (pw_cli.protocol < PROTOCOL_LANMAN2 || + !(pw_cli.sec_mode & 1)) { DEBUG(1,("%s isn't in user level security mode\n",desthost)); - cli_shutdown(&cli); + cli_shutdown(&pw_cli); return NULL; } DEBUG(3,("password server OK\n")); - return &cli; + return &pw_cli; } /**************************************************************************** @@ -1759,8 +1761,8 @@ BOOL server_validate(char *user, char *domain, extern fstring local_machine; static unsigned char badpass[24]; - if (!cli.initialised) { - DEBUG(1,("password server %s is not connected\n", cli.desthost)); + if (!pw_cli.initialised) { + DEBUG(1,("password server %s is not connected\n", pw_cli.desthost)); return(False); } @@ -1781,17 +1783,17 @@ BOOL server_validate(char *user, char *domain, * need to detect this as some versions of NT4.x are broken. JRA. */ - if (cli_session_setup(&cli, user, badpass, sizeof(badpass), badpass, sizeof(badpass), + if (cli_session_setup(&pw_cli, user, badpass, sizeof(badpass), badpass, sizeof(badpass), domain)) { - if ((SVAL(cli.inbuf,smb_vwv2) & 1) == 0) { + if ((SVAL(pw_cli.inbuf,smb_vwv2) & 1) == 0) { DEBUG(0,("server_validate: password server %s allows users as non-guest \ -with a bad password.\n", cli.desthost)); +with a bad password.\n", pw_cli.desthost)); DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \ use this machine as the password server.\n")); - cli_ulogoff(&cli); + cli_ulogoff(&pw_cli); return False; } - cli_ulogoff(&cli); + cli_ulogoff(&pw_cli); } /* @@ -1799,21 +1801,21 @@ use this machine as the password server.\n")); * not guest enabled, we can try with the real password. */ - if (!cli_session_setup(&cli, user, pass, passlen, ntpass, ntpasslen, domain)) { - DEBUG(1,("password server %s rejected the password\n", cli.desthost)); + if (!cli_session_setup(&pw_cli, user, pass, passlen, ntpass, ntpasslen, domain)) { + DEBUG(1,("password server %s rejected the password\n", pw_cli.desthost)); return False; } /* if logged in as guest then reject */ - if ((SVAL(cli.inbuf,smb_vwv2) & 1) != 0) { - DEBUG(1,("password server %s gave us guest only\n", cli.desthost)); - cli_ulogoff(&cli); + if ((SVAL(pw_cli.inbuf,smb_vwv2) & 1) != 0) { + DEBUG(1,("password server %s gave us guest only\n", pw_cli.desthost)); + cli_ulogoff(&pw_cli); return(False); } - if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) { - DEBUG(1,("password server %s refused IPC$ connect\n", cli.desthost)); - cli_ulogoff(&cli); + if (!cli_send_tconX(&pw_cli, "IPC$", "IPC", "", 1)) { + DEBUG(1,("password server %s refused IPC$ connect\n", pw_cli.desthost)); + cli_ulogoff(&pw_cli); return False; } @@ -1827,43 +1829,48 @@ use this machine as the password server.\n")); */ if (lp_net_wksta_user_logon()) { - DEBUG(3,("trying NetWkstaUserLogon with password server %s\n", cli.desthost)); - if (!cli_NetWkstaUserLogon(&cli,user,local_machine)) { - DEBUG(1,("password server %s failed NetWkstaUserLogon\n", cli.desthost)); - cli_tdis(&cli); - cli_ulogoff(&cli); + DEBUG(3,("trying NetWkstaUserLogon with password server %s\n", pw_cli.desthost)); + if (!cli_NetWkstaUserLogon(&pw_cli,user,local_machine)) { + DEBUG(1,("password server %s failed NetWkstaUserLogon\n", pw_cli.desthost)); + cli_tdis(&pw_cli); + cli_ulogoff(&pw_cli); return False; } - if (cli.privilages == 0) { - DEBUG(1,("password server %s gave guest privilages\n", cli.desthost)); - cli_tdis(&cli); - cli_ulogoff(&cli); + if (pw_cli.privilages == 0) { + DEBUG(1,("password server %s gave guest privilages\n", pw_cli.desthost)); + cli_tdis(&pw_cli); + cli_ulogoff(&pw_cli); return False; } - if (!strequal(cli.eff_name, user)) { + if (!strequal(pw_cli.eff_name, user)) { DEBUG(1,("password server %s gave different username %s\n", - cli.desthost, - cli.eff_name)); - cli_tdis(&cli); - cli_ulogoff(&cli); + pw_cli.desthost, + pw_cli.eff_name)); + cli_tdis(&pw_cli); + cli_ulogoff(&pw_cli); return False; } } else { - DEBUG(3,("skipping NetWkstaUserLogon with password server %s\n", cli.desthost)); + DEBUG(3,("skipping NetWkstaUserLogon with password server %s\n", pw_cli.desthost)); } - DEBUG(3,("password server %s accepted the password\n", cli.desthost)); + DEBUG(3,("password server %s accepted the password\n", pw_cli.desthost)); - cli_tdis(&cli); - cli_ulogoff(&cli); + cli_tdis(&pw_cli); + cli_ulogoff(&pw_cli); return(True); } #ifdef DOMAIN_CLIENT +/*********************************************************************** + Do the same as security=server, but using NT Domain calls and a session + key from the machine password. +************************************************************************/ + BOOL domain_client_validate( char *user, char *domain, char *smb_apasswd, int smb_apasslen, char *smb_ntpasswd, int smb_ntpasslen) @@ -1874,6 +1881,11 @@ BOOL domain_client_validate( char *user, char *domain, unsigned char local_lm_response[24]; unsigned char local_nt_reponse[24]; BOOL encrypted = True; + fstring remote_machine; + char *p; + struct in_addr dest_ip; + struct cli_state cli; + BOOL connected_ok = False; /* * Check that the requested domain is not our own machine name. @@ -1930,6 +1942,101 @@ BOOL domain_client_validate( char *user, char *domain, * see if they were valid. */ + /* + * Treat each name in the 'password server =' line as a potential + * PDC/BDC. Contact each in turn and try and authenticate. + */ + + p = lp_passwordserver(); + while(p && next_token( &p, remote_machine, LIST_SEP)) { + + standard_sub_basic(remote_machine); + strupper(remote_machine); + + if(!resolve_name( remote_machine, &dest_ip)) { + DEBUG(1,("domain_client_validate: Can't resolve address for %s\n", remote_machine)); + continue; + } + + if (ismyip(dest_ip)) { + DEBUG(1,("domain_client_validate: Password server loop - not using password server %s\n",remote_machine)); + continue; + } + + memset(&cli, '\0', sizeof(struct cli_state)); + + if (!cli_connect(&cli, remote_machine, &dest_ip)) { + DEBUG(0,("domain_client_validate: unable to connect to SMB server on \ +machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli) )); + continue; + } + + if (!cli_session_request(&cli, remote_machine, 0x20, myname)) { + DEBUG(0,("domain_client_validate: machine %s rejected the session setup. \ +Error was : %s.\n", remote_machine, cli_errstr(&cli) )); + cli_shutdown(&cli); + continue; + } + + cli.protocol = PROTOCOL_NT1; + + if (!cli_negprot(&cli)) { + DEBUG(0,("domain_client_validate: machine %s rejected the negotiate protocol. \ +Error was : %s.\n", remote_machine, cli_errstr(&cli) )); + cli_shutdown(&cli); + continue; + } + + if (cli.protocol != PROTOCOL_NT1) { + DEBUG(0,("domain_client_validate: machine %s didn't negotiate NT protocol.\n", + remote_machine)); + cli_shutdown(&cli); + continue; + } + + /* + * Do an anonymous session setup. + */ + + if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) { + DEBUG(0,("domain_client_validate: machine %s rejected the session setup. \ +Error was : %s.\n", remote_machine, cli_errstr(&cli) )); + cli_shutdown(&cli); + continue; + } + + if (!(cli.sec_mode & 1)) { + DEBUG(1,("domain_client_validate: machine %s isn't in user level security mode\n", + remote_machine)); + cli_shutdown(&cli); + continue; + } + + if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) { + DEBUG(0,("domain_client_validate: machine %s rejected the tconX on the IPC$ share. \ +Error was : %s.\n", remote_machine, cli_errstr(&cli) )); + cli_shutdown(&cli); + continue; + } + + /* + * We have an anonymous connection to IPC$. + */ + connected_ok = True; + break; + } + + if (!connected_ok) { + DEBUG(0,("domain_client_validate: Domain password server not available.\n")); + cli_shutdown(&cli); + return False; + } + + /* + * Ok - we have an anonymous connection to the IPC$ share. + * Now start the NT Domain stuff :-). + */ + return False; } #endif /* DOMAIN_CLIENT */ diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c index cf9cd54ef3..91ccb609bb 100644 --- a/source3/utils/smbpasswd.c +++ b/source3/utils/smbpasswd.c @@ -19,60 +19,6 @@ #include "includes.h" -/* - * Password changing error codes. - */ - -struct -{ - int err; - char *message; -} pw_change_errmap[] = -{ - {5, "User has insufficient privilege" }, - {86, "The specified password is invalid" }, - {2226, "Operation only permitted on a Primary Domain Controller" }, - {2242, "The password of this user has expired." }, - {2243, "The password of this user cannot change." }, - {2244, "This password cannot be used now (password history conflict)." }, - {2245, "The password is shorter than required." }, - {2246, "The password of this user is too recent to change."}, - {0, NULL} -}; - -/****************************************************** - Return an error message for a remote password change. -*******************************************************/ - -char *get_error_message(struct cli_state *cli) -{ - static fstring error_message; - int errclass; - int errnum; - int i; - - /* - * Errors are of two kinds - smb errors, - * dealt with by cli_errstr, and rap - * errors, whose error code is in cli.error. - */ - - cli_error(cli, &errclass, &errnum); - if(errclass != 0) - return cli_errstr(cli); - - sprintf(error_message, "code %d", cli->error); - - for(i = 0; pw_change_errmap[i].message != NULL; i++) { - if (pw_change_errmap[i].err == cli->error) { - fstrcpy( error_message, pw_change_errmap[i].message); - break; - } - } - - return error_message; -} - /********************************************************* Print command usage on stderr and die. **********************************************************/ @@ -365,13 +311,13 @@ int main(int argc, char **argv) if (!cli_initialise(&cli) || !cli_connect(&cli, remote_machine, &ip)) { fprintf(stderr, "%s: unable to connect to SMB server on machine %s. Error was : %s.\n", - prog_name, remote_machine, get_error_message(&cli) ); + prog_name, remote_machine, cli_errstr(&cli) ); exit(1); } if (!cli_session_request(&cli, remote_machine, 0x20, myname)) { fprintf(stderr, "%s: machine %s rejected the session setup. Error was : %s.\n", - prog_name, remote_machine, get_error_message(&cli) ); + prog_name, remote_machine, cli_errstr(&cli) ); cli_shutdown(&cli); exit(1); } @@ -380,7 +326,7 @@ int main(int argc, char **argv) if (!cli_negprot(&cli)) { fprintf(stderr, "%s: machine %s rejected the negotiate protocol. Error was : %s.\n", - prog_name, remote_machine, get_error_message(&cli) ); + prog_name, remote_machine, cli_errstr(&cli) ); cli_shutdown(&cli); exit(1); } @@ -388,21 +334,21 @@ int main(int argc, char **argv) if (!cli_session_setup(&cli, user_name, old_passwd, strlen(old_passwd), "", 0, "")) { fprintf(stderr, "%s: machine %s rejected the session setup. Error was : %s.\n", - prog_name, remote_machine, get_error_message(&cli) ); + prog_name, remote_machine, cli_errstr(&cli) ); cli_shutdown(&cli); exit(1); } if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) { fprintf(stderr, "%s: machine %s rejected the tconX on the IPC$ share. Error was : %s.\n", - prog_name, remote_machine, get_error_message(&cli) ); + prog_name, remote_machine, cli_errstr(&cli) ); cli_shutdown(&cli); exit(1); } if(!cli_oem_change_password(&cli, user_name, new_passwd, old_passwd)) { fprintf(stderr, "%s: machine %s rejected the password change: Error was : %s.\n", - prog_name, remote_machine, get_error_message(&cli) ); + prog_name, remote_machine, cli_errstr(&cli) ); cli_shutdown(&cli); exit(1); } |