summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
Diffstat (limited to 'source4')
-rw-r--r--source4/auth/auth_sam.c174
-rw-r--r--source4/kdc/hdb-ldb.c65
2 files changed, 127 insertions, 112 deletions
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c
index 3bf0d24e38..000de0486c 100644
--- a/source4/auth/auth_sam.c
+++ b/source4/auth/auth_sam.c
@@ -26,30 +26,45 @@
#include "auth/auth.h"
#include "lib/ldb/include/ldb.h"
-const char *user_attrs[] = {"unicodePwd", "lmPwdHash", "ntPwdHash",
- "userAccountControl",
- "pwdLastSet",
- "accountExpires",
- "objectSid",
- "userWorkstations",
+const char *user_attrs[] = {
+ /* requried for the krb5 kdc*/
+ "objectClass",
+ "sAMAccountName",
+ "userPrincipalName",
+ "servicePrincipalName",
+ "msDS-KeyVersionNumber",
+
+ /* passwords */
+ "unicodePwd",
+ "lmPwdHash",
+ "ntPwdHash",
+
+ "userAccountControl",
+
+ "pwdLastSet",
+ "accountExpires",
+
+ "objectSid",
+
+ /* check 'allowed workstations' */
+ "userWorkstations",
- /* required for server_info, not access control: */
- "sAMAccountName",
- "displayName",
- "scriptPath",
- "profilePath",
- "homeDirectory",
- "homeDrive",
- "lastLogon",
- "lastLogoff",
- "accountExpires",
- "badPwdCount",
- "logonCount",
- "primaryGroupID",
- NULL,
+ /* required for server_info, not access control: */
+ "displayName",
+ "scriptPath",
+ "profilePath",
+ "homeDirectory",
+ "homeDrive",
+ "lastLogon",
+ "lastLogoff",
+ "accountExpires",
+ "badPwdCount",
+ "logonCount",
+ "primaryGroupID",
+ NULL,
};
-const char *domain_ref_attrs[] = {"nETBIOSName", "nCName", NULL};
+const char *domain_ref_attrs[] = {"nETBIOSName", "nCName", "dnsRoot", NULL};
/****************************************************************************
Do a specific test for an smb password being correct, given a smb_password and
@@ -134,17 +149,33 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context,
(ie not disabled, expired and the like).
****************************************************************************/
static NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
+ struct ldb_context *sam_ctx,
uint32_t logon_parameters,
- uint16_t acct_flags,
- NTTIME acct_expiry,
- NTTIME must_change_time,
- NTTIME last_set_time,
- const char *workstation_list,
+ struct ldb_message **msgs,
+ struct ldb_message **msgs_domain_ref,
const struct auth_usersupplied_info *user_info)
{
+ uint16_t acct_flags;
+ const char *workstation_list;
+ NTTIME acct_expiry;
+ NTTIME must_change_time;
+ NTTIME last_set_time;
+
+ struct ldb_dn *domain_dn = samdb_result_dn(mem_ctx, msgs_domain_ref[0], "nCName", ldb_dn_new(mem_ctx));
+
NTTIME now;
DEBUG(4,("authsam_account_ok: Checking SMB password for user %s\n", user_info->mapped.account_name));
+ acct_flags = samdb_result_acct_flags(msgs[0], "userAccountControl");
+
+ acct_expiry = samdb_result_nttime(msgs[0], "accountExpires", 0);
+ must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx,
+ domain_dn, msgs[0],
+ "pwdLastSet");
+ last_set_time = samdb_result_nttime(msgs[0], "pwdLastSet", 0);
+
+ workstation_list = samdb_result_string(msgs[0], "userWorkstations", NULL);
+
/* Quit if the account was disabled. */
if (acct_flags & ACB_DISABLED) {
DEBUG(1,("authsam_account_ok: Account for user '%s' was disabled.\n", user_info->mapped.account_name));
@@ -348,20 +379,13 @@ static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context *
static NTSTATUS authsam_authenticate(struct auth_context *auth_context,
TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
struct ldb_message **msgs,
- struct ldb_message **msgs_domain,
+ struct ldb_message **msgs_domain_ref,
const struct auth_usersupplied_info *user_info,
DATA_BLOB *user_sess_key, DATA_BLOB *lm_sess_key)
{
- uint16_t acct_flags;
- const char *workstation_list;
- NTTIME acct_expiry;
- NTTIME must_change_time;
- NTTIME last_set_time;
struct samr_Password *lm_pwd, *nt_pwd;
NTSTATUS nt_status;
- struct ldb_dn *domain_dn = samdb_result_dn(mem_ctx, msgs_domain[0], "nCName", ldb_dn_new(mem_ctx));
-
- acct_flags = samdb_result_acct_flags(msgs[0], "userAccountControl");
+ uint16_t acct_flags = samdb_result_acct_flags(msgs[0], "userAccountControl");
/* Quit if the account was locked out. */
if (acct_flags & ACB_AUTOLOCK) {
@@ -385,21 +409,10 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context,
user_info, user_sess_key, lm_sess_key);
NT_STATUS_NOT_OK_RETURN(nt_status);
- acct_expiry = samdb_result_nttime(msgs[0], "accountExpires", 0);
- must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx,
- domain_dn, msgs[0],
- "pwdLastSet");
- last_set_time = samdb_result_nttime(msgs[0], "pwdLastSet", 0);
-
- workstation_list = samdb_result_string(msgs[0], "userWorkstations", NULL);
-
- nt_status = authsam_account_ok(mem_ctx,
+ nt_status = authsam_account_ok(mem_ctx, sam_ctx,
user_info->logon_parameters,
- acct_flags,
- acct_expiry,
- must_change_time,
- last_set_time,
- workstation_list,
+ msgs,
+ msgs_domain_ref,
user_info);
return nt_status;
@@ -528,31 +541,20 @@ static NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context
return NT_STATUS_OK;
}
-NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx, const char *principal,
- struct auth_serversupplied_info **server_info)
-{
- NTSTATUS nt_status;
- DATA_BLOB user_sess_key = data_blob(NULL, 0);
- DATA_BLOB lm_sess_key = data_blob(NULL, 0);
-
+NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
+ TALLOC_CTX *mem_ctx, const char *principal,
+ struct ldb_message ***msgs,
+ struct ldb_message ***msgs_domain_ref)
+{
struct ldb_dn *user_dn, *domain_dn;
- struct ldb_message **msgs;
- struct ldb_message **msgs_domain_ref;
- struct ldb_context *sam_ctx;
-
+ NTSTATUS nt_status;
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
int ret;
- TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) {
return NT_STATUS_NO_MEMORY;
}
- sam_ctx = samdb_connect(tmp_ctx, system_session(tmp_ctx));
- if (sam_ctx == NULL) {
- talloc_free(tmp_ctx);
- return NT_STATUS_INVALID_SYSTEM_SERVICE;
- }
-
nt_status = crack_user_principal_name(sam_ctx, tmp_ctx, principal, &user_dn, &domain_dn);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
@@ -560,7 +562,7 @@ NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx, const char *principa
}
/* grab domain info from the reference */
- ret = gendb_search(sam_ctx, tmp_ctx, NULL, &msgs_domain_ref, domain_ref_attrs,
+ ret = gendb_search(sam_ctx, tmp_ctx, NULL, msgs_domain_ref, domain_ref_attrs,
"(ncName=%s)", ldb_dn_linearize(tmp_ctx, domain_dn));
if (ret != 1) {
@@ -570,11 +572,45 @@ NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx, const char *principa
/* pull the user attributes */
ret = gendb_search_dn(sam_ctx, tmp_ctx,
- user_dn, &msgs, user_attrs);
+ user_dn, msgs, user_attrs);
if (ret != 1) {
talloc_free(tmp_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
+ talloc_steal(mem_ctx, *msgs);
+ talloc_steal(mem_ctx, *msgs_domain_ref);
+
+ return NT_STATUS_OK;
+}
+
+
+NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx, const char *principal,
+ struct auth_serversupplied_info **server_info)
+{
+ NTSTATUS nt_status;
+ DATA_BLOB user_sess_key = data_blob(NULL, 0);
+ DATA_BLOB lm_sess_key = data_blob(NULL, 0);
+
+ struct ldb_message **msgs;
+ struct ldb_message **msgs_domain_ref;
+ struct ldb_context *sam_ctx;
+
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ if (!tmp_ctx) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ sam_ctx = samdb_connect(tmp_ctx, system_session(tmp_ctx));
+ if (sam_ctx == NULL) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_INVALID_SYSTEM_SERVICE;
+ }
+
+ nt_status = sam_get_results_principal(sam_ctx, mem_ctx, principal,
+ &msgs, &msgs_domain_ref);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
nt_status = authsam_make_server_info(mem_ctx, sam_ctx, msgs, msgs_domain_ref,
user_sess_key, lm_sess_key,
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index 57218d72d9..80e8cdc74e 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -45,31 +45,23 @@ enum hdb_ldb_ent_type
static const char * const krb5_attrs[] = {
"objectClass",
- "cn",
"sAMAccountName",
"userPrincipalName",
"servicePrincipalName",
- "userAccountControl",
-
"unicodePwd",
"lmPwdHash",
"ntPwdHash",
- "badPwdCount",
- "badPasswordTime",
- "lastLogoff",
- "lastLogon",
+ "userAccountControl",
+
"pwdLastSet",
"accountExpires",
- "logonCount",
- "objectGUID",
"whenCreated",
"whenChanged",
- "uSNCreated",
- "uSNChanged",
+
"msDS-KeyVersionNumber",
NULL
};
@@ -211,8 +203,9 @@ static HDBFlags uf2HDBFlags(krb5_context context, int userAccountControl, enum h
*/
static krb5_error_code LDB_message2entry(krb5_context context, HDB *db,
TALLOC_CTX *mem_ctx, krb5_const_principal principal,
- enum hdb_ldb_ent_type ent_type, struct ldb_message *realm_ref_msg,
+ enum hdb_ldb_ent_type ent_type,
struct ldb_message *msg,
+ struct ldb_message *realm_ref_msg,
hdb_entry *ent)
{
const char *unicodePwd;
@@ -222,16 +215,17 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db,
const char *dnsdomain = ldb_msg_find_string(realm_ref_msg, "dnsRoot", NULL);
char *realm = strupper_talloc(mem_ctx, dnsdomain);
+
+ memset(ent, 0, sizeof(*ent));
+
+ krb5_warnx(context, "LDB_message2entry:\n");
+
if (!realm) {
krb5_set_error_string(context, "talloc_strdup: out of memory");
ret = ENOMEM;
goto out;
}
- krb5_warnx(context, "LDB_message2entry:\n");
-
- memset(ent, 0, sizeof(*ent));
-
userAccountControl = ldb_msg_find_int(msg, "userAccountControl", 0);
ent->principal = malloc(sizeof(*(ent->principal)));
@@ -644,9 +638,7 @@ static krb5_error_code LDB_fetch(krb5_context context, HDB *db, unsigned flags,
switch (ent_type) {
case HDB_ENT_TYPE_CLIENT:
{
- int ldb_ret;
NTSTATUS nt_status;
- struct ldb_dn *user_dn, *domain_dn;
char *principal_string;
ldb_ent_type = HDB_LDB_ENT_TYPE_CLIENT;
@@ -657,34 +649,20 @@ static krb5_error_code LDB_fetch(krb5_context context, HDB *db, unsigned flags,
return ret;
}
- nt_status = crack_user_principal_name((struct ldb_context *)db->hdb_db,
+ nt_status = sam_get_results_principal((struct ldb_context *)db->hdb_db,
mem_ctx, principal_string,
- &user_dn, &domain_dn);
- free(principal_string);
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- talloc_free(mem_ctx);
- return HDB_ERR_NOENTRY;
- }
-
- ldb_ret = gendb_search_dn((struct ldb_context *)db->hdb_db,
- mem_ctx, user_dn, &msg, krb5_attrs);
-
- if (ldb_ret != 1) {
- return HDB_ERR_NOENTRY;
- }
-
- ldb_ret = gendb_search((struct ldb_context *)db->hdb_db,
- mem_ctx, NULL, &realm_ref_msg, realm_ref_attrs,
- "ncName=%s", ldb_dn_linearize(mem_ctx, domain_dn));
-
- if (ldb_ret != 1) {
+ &msg, &realm_ref_msg);
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
return HDB_ERR_NOENTRY;
+ } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
+ return ENOMEM;
+ } else if (!NT_STATUS_IS_OK(nt_status)) {
+ return EINVAL;
}
ret = LDB_message2entry(context, db, mem_ctx,
principal, ldb_ent_type,
- realm_ref_msg[0], msg[0], entry);
+ msg[0], realm_ref_msg[0], entry);
talloc_free(mem_ctx);
return ret;
}
@@ -763,7 +741,7 @@ static krb5_error_code LDB_fetch(krb5_context context, HDB *db, unsigned flags,
ret = LDB_message2entry(context, db, mem_ctx,
principal, ldb_ent_type,
- realm_ref_msg[0], msg[0], entry);
+ msg[0], realm_ref_msg[0], entry);
talloc_free(mem_ctx);
return ret;
@@ -806,7 +784,7 @@ static krb5_error_code LDB_fetch(krb5_context context, HDB *db, unsigned flags,
} else {
ret = LDB_message2entry(context, db, mem_ctx,
principal, ldb_ent_type,
- realm_ref_msg[0], msg[0], entry);
+ msg[0], realm_ref_msg[0], entry);
if (ret != 0) {
krb5_warnx(context, "LDB_fetch: message2entry failed\n");
}
@@ -853,7 +831,8 @@ static krb5_error_code LDB_seq(krb5_context context, HDB *db, unsigned flags, hd
if (priv->index < priv->count) {
ret = LDB_message2entry(context, db, mem_ctx,
NULL, HDB_LDB_ENT_TYPE_ANY,
- priv->realm_ref_msgs[0], priv->msgs[priv->index++], entry);
+ priv->msgs[priv->index++],
+ priv->realm_ref_msgs[0], entry);
} else {
ret = HDB_ERR_NOENTRY;
}