summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
Diffstat (limited to 'source3')
-rw-r--r--source3/auth/auth_util.c116
1 files changed, 57 insertions, 59 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 46b7af4d87..6ec19da61a 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -11,12 +11,12 @@
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
@@ -136,7 +136,7 @@ static NTSTATUS make_user_info(struct auth_usersupplied_info **user_info,
free_user_info(user_info);
return NT_STATUS_NO_MEMORY;
}
-
+
(*user_info)->internal_username = SMB_STRDUP(internal_username);
if ((*user_info)->internal_username == NULL) {
free_user_info(user_info);
@@ -305,40 +305,40 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
unsigned char local_lm_response[24];
unsigned char local_nt_response[24];
unsigned char key[16];
-
+
memcpy(key, dc_sess_key, 16);
-
+
if (lm_interactive_pwd)
memcpy(lm_pwd, lm_interactive_pwd, sizeof(lm_pwd));
if (nt_interactive_pwd)
memcpy(nt_pwd, nt_interactive_pwd, sizeof(nt_pwd));
-
+
#ifdef DEBUG_PASSWORD
DEBUG(100,("key:"));
dump_data(100, key, sizeof(key));
-
+
DEBUG(100,("lm owf password:"));
dump_data(100, lm_pwd, sizeof(lm_pwd));
-
+
DEBUG(100,("nt owf password:"));
dump_data(100, nt_pwd, sizeof(nt_pwd));
#endif
-
+
if (lm_interactive_pwd)
arcfour_crypt(lm_pwd, key, sizeof(lm_pwd));
-
+
if (nt_interactive_pwd)
arcfour_crypt(nt_pwd, key, sizeof(nt_pwd));
-
+
#ifdef DEBUG_PASSWORD
DEBUG(100,("decrypt of lm owf password:"));
dump_data(100, lm_pwd, sizeof(lm_pwd));
-
+
DEBUG(100,("decrypt of nt owf password:"));
dump_data(100, nt_pwd, sizeof(nt_pwd));
#endif
-
+
if (lm_interactive_pwd)
SMBOWFencrypt(lm_pwd, chal,
local_lm_response);
@@ -346,7 +346,7 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
if (nt_interactive_pwd)
SMBOWFencrypt(nt_pwd, chal,
local_nt_response);
-
+
/* Password info paranoia */
ZERO_STRUCT(key);
@@ -358,7 +358,7 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
DATA_BLOB lm_interactive_blob;
DATA_BLOB nt_interactive_blob;
-
+
if (lm_interactive_pwd) {
local_lm_blob = data_blob(local_lm_response,
sizeof(local_lm_response));
@@ -366,7 +366,7 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in
sizeof(lm_pwd));
ZERO_STRUCT(lm_pwd);
}
-
+
if (nt_interactive_pwd) {
local_nt_blob = data_blob(local_nt_response,
sizeof(local_nt_response));
@@ -412,17 +412,17 @@ bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
DATA_BLOB local_lm_blob;
DATA_BLOB local_nt_blob;
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
-
+
/*
* Not encrypted - do so.
*/
-
+
DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted "
"format.\n"));
-
+
if (plaintext_password.data) {
unsigned char local_lm_response[24];
-
+
#ifdef DEBUG_PASSWORD
DEBUG(10,("Unencrypted password (len %d):\n",
(int)plaintext_password.length));
@@ -433,16 +433,15 @@ bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
SMBencrypt( (const char *)plaintext_password.data,
(const uchar*)chal, local_lm_response);
local_lm_blob = data_blob(local_lm_response, 24);
-
+
/* We can't do an NT hash here, as the password needs to be
case insensitive */
local_nt_blob = data_blob_null;
-
} else {
local_lm_blob = data_blob_null;
local_nt_blob = data_blob_null;
}
-
+
ret = make_user_info_map(
user_info, smb_name, client_domain,
get_remote_machine_name(),
@@ -451,7 +450,7 @@ bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
NULL, NULL,
plaintext_password.data ? &plaintext_password : NULL,
False);
-
+
data_blob_free(&local_lm_blob);
return NT_STATUS_IS_OK(ret) ? True : False;
}
@@ -490,7 +489,7 @@ bool make_user_info_guest(struct auth_usersupplied_info **user_info)
NULL, NULL,
NULL,
True);
-
+
return NT_STATUS_IS_OK(nt_status) ? True : False;
}
@@ -642,7 +641,7 @@ NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
/* For now we throw away the gids and convert via sid_to_gid
* later. This needs fixing, but I'd like to get the code straight and
* simple first. */
-
+
TALLOC_FREE(gids);
DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n",
@@ -1108,7 +1107,6 @@ bool user_in_group_sid(const char *username, const DOM_SID *group_sid)
TALLOC_FREE(mem_ctx);
return result;
-
}
bool user_in_group(const char *username, const char *groupname)
@@ -1152,11 +1150,11 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
DOM_SID u_sid;
enum lsa_SidType type;
struct auth_serversupplied_info *result;
-
+
if ( !(sampass = samu_new( NULL )) ) {
return NT_STATUS_NO_MEMORY;
}
-
+
status = samu_set_unix( sampass, pwd );
if (!NT_STATUS_IS_OK(status)) {
return status;
@@ -1290,7 +1288,7 @@ static NTSTATUS make_new_server_info_guest(struct auth_serversupplied_info **ser
TALLOC_FREE(sampass);
return status;
}
-
+
(*server_info)->guest = True;
status = create_local_token(*server_info);
@@ -1381,7 +1379,7 @@ struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx,
return NULL;
}
}
-
+
dst->user_session_key = data_blob_talloc( dst, src->user_session_key.data,
src->user_session_key.length);
@@ -1398,7 +1396,7 @@ struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx,
TALLOC_FREE(dst);
return NULL;
}
-
+
dst->pam_handle = NULL;
dst->unix_name = talloc_strdup(dst, src->unix_name);
if (!dst->unix_name) {
@@ -1514,15 +1512,15 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx,
one we actually looked up and succeeded. Have I mentioned
why I hate the 'winbind use default domain' parameter?
--jerry */
-
+
*found_username = talloc_strdup( mem_ctx, real_username );
-
+
DEBUG(5,("fill_sam_account: located username was [%s]\n", *found_username));
nt_status = samu_set_unix( account, passwd );
-
+
TALLOC_FREE(passwd);
-
+
return nt_status;
}
@@ -1531,28 +1529,28 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx,
try again in case a local UNIX user is already there. Also run through
the username if we fallback to the username only.
****************************************************************************/
-
+
struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, char *domuser,
fstring save_username, bool create )
{
struct passwd *pw = NULL;
char *p;
fstring username;
-
+
/* we only save a copy of the username it has been mangled
by winbindd use default domain */
-
+
save_username[0] = '\0';
-
+
/* don't call map_username() here since it has to be done higher
up the stack so we don't call it mutliple times */
fstrcpy( username, domuser );
-
+
p = strchr_m( username, *lp_winbind_separator() );
-
+
/* code for a DOMAIN\user string */
-
+
if ( p ) {
fstring strip_username;
@@ -1563,7 +1561,7 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, char *domuser,
if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) {
char *domain;
-
+
/* split the domain and username into 2 strings */
*p = '\0';
domain = username;
@@ -1584,16 +1582,16 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, char *domuser,
fstrcpy( strip_username, p );
fstrcpy( username, strip_username );
}
-
+
/* just lookup a plain username */
-
+
pw = Get_Pwnam_alloc(mem_ctx, username);
-
+
/* Create local user if requested but only if winbindd
is not running. We need to protect against cases
where winbindd is failing and then prematurely
creating users in /etc/passwd */
-
+
if ( !pw && create && !winbind_ping() ) {
/* Don't add a machine account. */
if (username[strlen(username)-1] == '$')
@@ -1602,9 +1600,9 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, char *domuser,
_smb_create_user(NULL, username, NULL);
pw = Get_Pwnam_alloc(mem_ctx, username);
}
-
+
/* one last check for a valid passwd struct */
-
+
if ( pw )
fstrcpy( save_username, pw->pw_name );
@@ -1646,7 +1644,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
if (!sid_compose(&user_sid, info3->base.domain_sid, info3->base.rid)) {
return NT_STATUS_INVALID_PARAMETER;
}
-
+
if (!sid_compose(&group_sid, info3->base.domain_sid,
info3->base.primary_gid)) {
return NT_STATUS_INVALID_PARAMETER;
@@ -1665,7 +1663,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
* them */
nt_domain = domain;
}
-
+
/* try to fill the SAM account.. If getpwnam() fails, then try the
add user script (2.2.x behavior).
@@ -1677,7 +1675,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
called map_username() unnecessarily in make_user_info_map() but
that is how the current code is designed. Making the change here
is the least disruptive place. -- jerry */
-
+
if ( !(sam_account = samu_new( NULL )) ) {
return NT_STATUS_NO_MEMORY;
}
@@ -1688,10 +1686,10 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
&found_username, &uid, &gid, sam_account,
&username_was_mapped);
-
+
/* if we still don't have a valid unix account check for
'map to guest = bad uid' */
-
+
if (!NT_STATUS_IS_OK(nt_status)) {
TALLOC_FREE( sam_account );
if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) {
@@ -1700,7 +1698,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
}
return nt_status;
}
-
+
if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) {
TALLOC_FREE(sam_account);
return NT_STATUS_NO_MEMORY;
@@ -1799,7 +1797,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
/* save this here to _net_sam_logon() doesn't fail (it assumes a
valid struct samu) */
-
+
result->sam_account = sam_account;
result->unix_name = talloc_strdup(result, found_username);
@@ -2152,7 +2150,7 @@ bool make_auth_methods(struct auth_context *auth_context, auth_methods **auth_me
return False;
}
ZERO_STRUCTP(*auth_method);
-
+
return True;
}
@@ -2212,7 +2210,7 @@ bool is_trusted_domain(const char* dom_name)
/* The only other possible result is that winbind is not up
and running. We need to update the trustdom_cache
ourselves */
-
+
update_trustdom_cache();
}