From 7e46a84bb769c2e781e2650b4227b05ee3cb9635 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 8 Jun 2011 18:55:37 +0200 Subject: s3-auth: Pass the remote_address down to user_info. Signed-off-by: Andrew Bartlett --- source3/auth/auth.c | 16 +++++++--- source3/auth/auth_compat.c | 45 ++++++++++++++++++++++++----- source3/auth/auth_ntlmssp.c | 4 +-- source3/auth/auth_util.c | 19 +++++++++--- source3/auth/proto.h | 16 ++++++++-- source3/auth/user_info.c | 5 ++++ source3/rpc_server/netlogon/srv_netlog_nt.c | 2 ++ source3/smbd/password.c | 16 +++++++--- source3/smbd/sesssetup.c | 12 +++++--- source3/winbindd/winbindd_pam.c | 15 ++++++++-- 10 files changed, 121 insertions(+), 29 deletions(-) diff --git a/source3/auth/auth.c b/source3/auth/auth.c index dbe337faa8..0f661a953f 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -19,7 +19,7 @@ #include "includes.h" #include "auth.h" -#include "smbd/globals.h" +#include "../lib/tsocket/tsocket.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH @@ -284,11 +284,19 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, if (NT_STATUS_IS_OK(nt_status)) { unix_username = (*server_info)->unix_name; if (!(*server_info)->guest) { + char *rhost; + int rc; + + rhost = tsocket_address_inet_addr_string(user_info->remote_host, + talloc_tos()); + if (rhost == NULL) { + return NT_STATUS_NO_MEMORY; + } + /* We might not be root if we are an RPC call */ become_root(); - nt_status = smb_pam_accountcheck( - unix_username, - smbd_server_conn->client_id.name); + nt_status = smb_pam_accountcheck(unix_username, + rhost); unbecome_root(); if (NT_STATUS_IS_OK(nt_status)) { diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c index 0ae712a517..e7225a2756 100644 --- a/source3/auth/auth_compat.c +++ b/source3/auth/auth_compat.c 
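Review bot: In the `check_ntlm_password` hunk of source3/auth/auth.c, a NULL return from `tsocket_address_inet_addr_string()` is reported as `NT_STATUS_NO_MEMORY`, but that helper presumably also returns NULL when the stored address is not an inet address, so a login whose password was already verified could be refused with a misleading status. Checking `errno` or logging the reason before the return would make such failures diagnosable. The early return also leaves `*server_info` populated by the successful backend; whether the caller frees it on error is outside the hunk, so `TALLOC_FREE(*server_info);` before returning would make ownership explicit. `int rc;` is declared but never used in the visible lines. PAM now receives an IP address string where it used to get `smbd_server_conn->client_id.name`, so host-name-based PAM access rules may need review; the function body extends beyond the hunk.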
@@ -19,6 +19,7 @@ #include "includes.h" #include "auth.h" +#include "../lib/tsocket/tsocket.h" extern struct auth_context *negprot_global_auth_context; extern bool global_encrypted_passwords_negotiated; @@ -36,6 +37,7 @@ return True if the password is correct, False otherwise ****************************************************************************/ NTSTATUS check_plaintext_password(const char *smb_name, + const struct tsocket_address *remote_address, DATA_BLOB plaintext_blob, struct auth_serversupplied_info **server_info) { @@ -54,7 +56,9 @@ NTSTATUS check_plaintext_password(const char *smb_name, chal); if (!make_user_info_for_reply(&user_info, - smb_name, lp_workgroup(), chal, + smb_name, lp_workgroup(), + remote_address, + chal, plaintext_blob)) { return NT_STATUS_NO_MEMORY; } @@ -70,6 +74,7 @@ NTSTATUS check_plaintext_password(const char *smb_name, static NTSTATUS pass_check_smb(struct auth_context *actx, const char *smb_name, const char *domain, + const struct tsocket_address *remote_address, DATA_BLOB lm_pwd, DATA_BLOB nt_pwd) @@ -82,6 +87,7 @@ static NTSTATUS pass_check_smb(struct auth_context *actx, } make_user_info_for_reply_enc(&user_info, smb_name, domain, + remote_address, lm_pwd, nt_pwd); nt_status = actx->check_ntlm_password(actx, user_info, &server_info); @@ -97,7 +103,9 @@ return True if the password is correct, False otherwise bool password_ok(struct auth_context *actx, bool global_encrypted, const char *session_workgroup, - const char *smb_name, DATA_BLOB password_blob) + const char *smb_name, + const struct tsocket_address *remote_address, + DATA_BLOB password_blob) { DATA_BLOB null_password = data_blob_null; 
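Review bot: In `pass_check_smb` (hunk `@@ -82,6 +87,7 @@`) the NTSTATUS returned by `make_user_info_for_reply_enc()` is discarded and `user_info` is handed straight to `actx->check_ntlm_password()`. This commit gives `make_user_info()` one more way to fail (the `tsocket_address_copy()` of `remote_address`), so an unset `user_info` is now more likely to reach the auth backend. Capture the status with `nt_status = make_user_info_for_reply_enc(&user_info, smb_name, domain, remote_address, lm_pwd, nt_pwd);` and follow it with `if (!NT_STATUS_IS_OK(nt_status)) return nt_status;`. How `user_info` is initialised is outside the hunk.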
@@ -110,24 +118,47 @@ bool password_ok(struct auth_context *actx, bool global_encrypted, * Vista sends NTLMv2 here - we need to try the client given workgroup. */ if (session_workgroup) { - if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, session_workgroup, null_password, password_blob))) { + if (NT_STATUS_IS_OK(pass_check_smb(actx, + smb_name, + session_workgroup, + remote_address, + null_password, + password_blob))) { return True; } - if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, session_workgroup, password_blob, null_password))) { + if (NT_STATUS_IS_OK(pass_check_smb(actx, + smb_name, + session_workgroup, + remote_address, + password_blob, + null_password))) { return True; } } - if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, lp_workgroup(), null_password, password_blob))) { + if (NT_STATUS_IS_OK(pass_check_smb(actx, + smb_name, + lp_workgroup(), + remote_address, + null_password, + password_blob))) { return True; } - if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, lp_workgroup(), password_blob, null_password))) { + if (NT_STATUS_IS_OK(pass_check_smb(actx, + smb_name, + lp_workgroup(), + remote_address, + password_blob, + null_password))) { return True; } } else { struct auth_serversupplied_info *server_info = NULL; - NTSTATUS nt_status = check_plaintext_password(smb_name, password_blob, &server_info); + NTSTATUS nt_status = check_plaintext_password(smb_name, + remote_address, + password_blob, + &server_info); TALLOC_FREE(server_info); if (NT_STATUS_IS_OK(nt_status)) { return True; diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 54f7e6d5fc..2d1aef18f0 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -25,7 +25,6 @@ #include "../libcli/auth/ntlmssp.h" #include "ntlmssp_wrap.h" #include "../librpc/gen_ndr/netlogon.h" -#include "smbd/smbd.h" #include "../lib/tsocket/tsocket.h" NTSTATUS auth_ntlmssp_steal_session_info(TALLOC_CTX *mem_ctx, 
@@ -122,10 +121,11 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, lp_load(get_dyn_CONFIGFILE(), false, false, true, true); - nt_status = make_user_info_map(&user_info, + nt_status = make_user_info_map(&user_info, auth_ntlmssp_state->ntlmssp_state->user, auth_ntlmssp_state->ntlmssp_state->domain, auth_ntlmssp_state->ntlmssp_state->client.netbios_name, + auth_ntlmssp_state->remote_address, auth_ntlmssp_state->ntlmssp_state->lm_resp.data ? &auth_ntlmssp_state->ntlmssp_state->lm_resp : NULL, auth_ntlmssp_state->ntlmssp_state->nt_resp.data ? &auth_ntlmssp_state->ntlmssp_state->nt_resp : NULL, NULL, NULL, NULL, diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 64c290eb04..dd126929e9 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -89,6 +89,7 @@ NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, const char *workstation_name, + const struct tsocket_address *remote_address, DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd, const struct samr_Password *lm_interactive_pwd, @@ -137,7 +138,7 @@ NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info, result = make_user_info(user_info, smb_name, internal_username, client_domain, domain, workstation_name, - lm_pwd, nt_pwd, + remote_address, lm_pwd, nt_pwd, lm_interactive_pwd, nt_interactive_pwd, plaintext, password_state); if (NT_STATUS_IS_OK(result)) { @@ -158,6 +159,7 @@ bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, const char *workstation_name, + const struct tsocket_address *remote_address, uint32 logon_parameters, const uchar *lm_network_pwd, int lm_pwd_len, 
@@ -172,6 +174,7 @@ bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info, status = make_user_info_map(user_info, smb_name, client_domain, workstation_name, + remote_address, lm_pwd_len ? &lm_blob : NULL, nt_pwd_len ? &nt_blob : NULL, NULL, NULL, NULL, @@ -196,6 +199,7 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in const char *smb_name, const char *client_domain, const char *workstation_name, + const struct tsocket_address *remote_address, uint32 logon_parameters, const uchar chal[8], const uchar lm_interactive_pwd[16], @@ -271,6 +275,7 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in nt_status = make_user_info_map( user_info, smb_name, client_domain, workstation_name, + remote_address, lm_interactive_pwd ? &local_lm_blob : NULL, nt_interactive_pwd ? &local_nt_blob : NULL, lm_interactive_pwd ? &lm_pwd : NULL, @@ -296,6 +301,7 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in bool make_user_info_for_reply(struct auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, + const struct tsocket_address *remote_address, const uint8 chal[8], DATA_BLOB plaintext_password) { @@ -342,6 +348,7 @@ bool make_user_info_for_reply(struct auth_usersupplied_info **user_info, ret = make_user_info_map( user_info, smb_name, client_domain, get_remote_machine_name(), + remote_address, local_lm_blob.data ? &local_lm_blob : NULL, local_nt_blob.data ? &local_nt_blob : NULL, NULL, NULL, 
@@ -363,12 +370,14 @@ bool make_user_info_for_reply(struct auth_usersupplied_info **user_info, NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info, const char *smb_name, - const char *client_domain, + const char *client_domain, + const struct tsocket_address *remote_address, DATA_BLOB lm_resp, DATA_BLOB nt_resp) { return make_user_info_map(user_info, smb_name, client_domain, - get_remote_machine_name(), + get_remote_machine_name(), + remote_address, lm_resp.data && (lm_resp.length > 0) ? &lm_resp : NULL, nt_resp.data && (nt_resp.length > 0) ? &nt_resp : NULL, NULL, NULL, NULL, @@ -379,7 +388,8 @@ NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info, Create a guest user_info blob, for anonymous authenticaion. ****************************************************************************/ -bool make_user_info_guest(struct auth_usersupplied_info **user_info) +bool make_user_info_guest(const struct tsocket_address *remote_address, + struct auth_usersupplied_info **user_info) { NTSTATUS nt_status; @@ -387,6 +397,7 @@ bool make_user_info_guest(struct auth_usersupplied_info **user_info) "","", "","", "", + remote_address, NULL, NULL, NULL, NULL, NULL, diff --git a/source3/auth/proto.h b/source3/auth/proto.h index a4330155d1..2839793472 100644 --- a/source3/auth/proto.h +++ b/source3/auth/proto.h @@ -51,11 +51,14 @@ NTSTATUS auth_builtin_init(void); /* The following definitions come from auth/auth_compat.c */ NTSTATUS check_plaintext_password(const char *smb_name, + const struct tsocket_address *remote_address, DATA_BLOB plaintext_password, struct auth_serversupplied_info **server_info); bool password_ok(struct auth_context *actx, bool global_encrypted, const char *session_workgroup, - const char *smb_name, DATA_BLOB password_blob); + const char *smb_name, + const struct tsocket_address *remote_address, + DATA_BLOB password_blob); /* The following definitions come from auth/auth_domain.c */ 
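Review bot: `make_user_info_guest()` in source3/auth/auth_util.c (hunk `@@ -379,7 +388,8 @@`) now takes `remote_address` before the `user_info` out-parameter, whereas every other `make_user_info_*` constructor touched by this commit keeps `user_info` first and inserts `remote_address` after the name and domain arguments. Keeping the out-parameter first, `bool make_user_info_guest(struct auth_usersupplied_info **user_info, const struct tsocket_address *remote_address)`, would keep the family consistent and make transposed arguments at call sites easier to spot. The same ordering appears in the proto.h declaration and in the `check_guest_password` caller in sesssetup.c.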
@@ -94,11 +97,13 @@ NTSTATUS auth_server_init(void); NTSTATUS auth_unix_init(void); /* The following definitions come from auth/auth_util.c */ +struct tsocket_address; NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, const char *workstation_name, + const struct tsocket_address *remote_address, DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd, const struct samr_Password *lm_interactive_pwd, @@ -109,6 +114,7 @@ bool make_user_info_netlogon_network(struct auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, const char *workstation_name, + const struct tsocket_address *remote_address, uint32 logon_parameters, const uchar *lm_network_pwd, int lm_pwd_len, @@ -118,6 +124,7 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in const char *smb_name, const char *client_domain, const char *workstation_name, + const struct tsocket_address *remote_address, uint32 logon_parameters, const uchar chal[8], const uchar lm_interactive_pwd[16], @@ -126,13 +133,17 @@ bool make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_in bool make_user_info_for_reply(struct auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, + const struct tsocket_address *remote_address, const uint8 chal[8], DATA_BLOB plaintext_password); NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, + const struct tsocket_address *remote_address, DATA_BLOB lm_resp, DATA_BLOB nt_resp); -bool make_user_info_guest(struct auth_usersupplied_info **user_info) ; +bool make_user_info_guest(const struct tsocket_address *remote_address, + struct auth_usersupplied_info **user_info); + struct samu; NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info, struct samu *sampass); 
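Review bot: The forward declaration `struct tsocket_address;` is added under the auth/auth_util.c section of proto.h, but the `check_plaintext_password()` and `password_ok()` prototypes in the earlier auth/auth_compat.c section (hunk `@@ -51,11 +51,14 @@`) already use `const struct tsocket_address *`. Unless every includer has pulled in tsocket.h first, which is not visible here, those two prototypes declare the struct with prototype scope; compilers warn about that, and the parameter type is then incompatible with the one callers pass. Moving `struct tsocket_address;` above the first prototype that uses it removes the dependence on include order.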
@@ -192,6 +203,7 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **ret_user_info, const char *client_domain, const char *domain, const char *workstation_name, + const struct tsocket_address *remote_address, const DATA_BLOB *lm_pwd, const DATA_BLOB *nt_pwd, const struct samr_Password *lm_interactive_pwd, diff --git a/source3/auth/user_info.c b/source3/auth/user_info.c index 606381b0e3..6b9841220f 100644 --- a/source3/auth/user_info.c +++ b/source3/auth/user_info.c @@ -20,6 +20,7 @@ #include "includes.h" #include "auth.h" #include "librpc/gen_ndr/samr.h" +#include "../lib/tsocket/tsocket.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH @@ -46,6 +47,7 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **ret_user_info, const char *client_domain, const char *domain, const char *workstation_name, + const struct tsocket_address *remote_address, const DATA_BLOB *lm_pwd, const DATA_BLOB *nt_pwd, const struct samr_Password *lm_interactive_pwd, @@ -84,6 +86,9 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **ret_user_info, user_info->workstation_name = talloc_strdup(user_info, workstation_name); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info->workstation_name, user_info); + user_info->remote_host = tsocket_address_copy(remote_address, user_info); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info->remote_host, user_info); + DEBUG(5,("making blobs for %s's user_info struct\n", internal_username)); if (lm_pwd && lm_pwd->data) { diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index e52dd85352..cabc7088ee 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c @@ -1523,6 +1523,7 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, if (!make_user_info_netlogon_network(&user_info, nt_username, nt_domain, wksname, + p->remote_address, logon->network->identity_info.parameter_control, logon->network->lm.data, logon->network->lm.length, 
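Review bot: In `make_user_info()` (source3/auth/user_info.c, hunk `@@ -84,6 +86,9 @@`) `tsocket_address_copy(remote_address, user_info)` runs unconditionally, and nothing in the visible hunks guarantees that every caller's address is non-NULL (`p->remote_address`, `sconn->remote_address`, `auth_ntlmssp_state->remote_address`). If the copy helper dereferences its argument, as it appears to, a NULL here would crash the authentication path rather than fail it, and a NULL result for any other reason is reported as out-of-memory. A guard before the copy such as `if (remote_address == NULL) { TALLOC_FREE(user_info); return NT_STATUS_INVALID_PARAMETER; }`, or a sentence in the function's header comment stating that the address is mandatory, would make the contract explicit. The stored field is named `remote_host` while the parameter is `remote_address`; one name throughout would be easier to follow.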
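Review bot: In the two `_netr_LogonSamLogon_base` hunks of srv_netlog_nt.c (`@@ -1523,6 +1523,7 @@` and `@@ -1555,6 +1556,7 @@`), `p->remote_address` is the peer of the netlogon pipe, which for a pass-through logon is presumably the server relaying the request and not the workstation the user is logging on from. Once stored in `user_info->remote_host` it becomes the rhost handed to `smb_pam_accountcheck()` in auth.c, so host-based PAM rules and audit records would see the relaying machine. A comment at both call sites, for example `/* address of the netlogon client (relaying server), not of the end user's workstation */`, would keep later consumers from treating it as the user's origin.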
@@ -1555,6 +1556,7 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, if (!make_user_info_netlogon_interactive(&user_info, nt_username, nt_domain, nt_workstation, + p->remote_address, logon->password->identity_info.parameter_control, chal, logon->password->lmpassword.hash, diff --git a/source3/smbd/password.c b/source3/smbd/password.c index 69b37596c5..6a3b6ddf2f 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -495,7 +495,9 @@ static char *validate_group(struct smbd_server_connection *sconn, if (user_ok(user, snum) && password_ok(actx, enc, get_session_workgroup(sconn), - user,password)) { + user, + sconn->remote_address, + password)) { endnetgrent(); return(user); } @@ -561,7 +563,9 @@ static char *validate_group(struct smbd_server_connection *sconn, if (user_ok(member,snum) && password_ok(actx, enc, get_session_workgroup(sconn), - member,password)) { + member, + sconn->remote_address, + password)) { char *name = talloc_strdup(talloc_tos(), member); SAFE_FREE(member_list); @@ -642,7 +646,9 @@ bool authorise_login(struct smbd_server_connection *sconn, if (password_ok(actx, enc, get_session_workgroup(sconn), - user2,password)) { + user2, + sconn->remote_address, + password)) { ok = True; strlcpy(user,user2,sizeof(fstring)); DEBUG(3,("authorise_login: ACCEPTED: session " @@ -693,7 +699,9 @@ bool authorise_login(struct smbd_server_connection *sconn, if (user_ok(user2,snum) && password_ok(actx, enc, get_session_workgroup(sconn), - user2,password)) { + user2, + sconn->remote_address, + password)) { ok = True; strlcpy(user,user2,sizeof(fstring)); DEBUG(3,("authorise_login: ACCEPTED: " diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index 7d111e3219..de766308da 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c 
@@ -140,7 +140,8 @@ static void reply_sesssetup_blob(struct smb_request *req, Do a 'guest' logon, getting back the ****************************************************************************/ -static NTSTATUS check_guest_password(struct auth_serversupplied_info **server_info) +static NTSTATUS check_guest_password(const struct tsocket_address *remote_address, + struct auth_serversupplied_info **server_info) { struct auth_context *auth_context; struct auth_usersupplied_info *user_info = NULL; @@ -155,7 +156,7 @@ static NTSTATUS check_guest_password(struct auth_serversupplied_info **server_in return nt_status; } - if (!make_user_info_guest(&user_info)) { + if (!make_user_info_guest(remote_address, &user_info)) { TALLOC_FREE(auth_context); return NT_STATUS_NO_MEMORY; } @@ -1577,7 +1578,7 @@ void reply_sesssetup_and_X(struct smb_request *req) if (!*user) { - nt_status = check_guest_password(&server_info); + nt_status = check_guest_password(sconn->remote_address, &server_info); } else if (doencrypt) { struct auth_context *negprot_auth_context = NULL; @@ -1592,6 +1593,7 @@ void reply_sesssetup_and_X(struct smb_request *req) } nt_status = make_user_info_for_reply_enc(&user_info, user, domain, + sconn->remote_address, lm_resp, nt_resp); if (NT_STATUS_IS_OK(nt_status)) { nt_status = negprot_auth_context->check_ntlm_password( @@ -1612,7 +1614,9 @@ void reply_sesssetup_and_X(struct smb_request *req) plaintext_auth_context, chal); if (!make_user_info_for_reply(&user_info, - user, domain, chal, + user, domain, + sconn->remote_address, + chal, plaintext_password)) { nt_status = NT_STATUS_NO_MEMORY; } diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 21b237a1f1..7417bf42cb 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -37,6 +37,7 @@ #include "../librpc/gen_ndr/krb5pac.h" #include "passdb/machine_sid.h" #include "auth.h" +#include "../lib/tsocket/tsocket.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_WINBIND 
@@ -1115,10 +1116,20 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx, struct netr_SamInfo3 **pinfo3) { struct auth_usersupplied_info *user_info = NULL; + struct tsocket_address *local; NTSTATUS status; - + int rc; + + rc = tsocket_address_inet_from_strings(mem_ctx, + "ip", + "127.0.0.1", + 0, + &local); + if (rc < 0) { + return NT_STATUS_NO_MEMORY; + } status = make_user_info(&user_info, user, user, domain, domain, - lp_netbios_name(), lm_resp, nt_resp, NULL, NULL, + lp_netbios_name(), local, lm_resp, nt_resp, NULL, NULL, NULL, AUTH_PASSWORD_RESPONSE); if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("make_user_info failed: %s\n", nt_errstr(status))); -- cgit
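Review bot: `winbindd_dual_auth_passdb` now fabricates a loopback address (`"127.0.0.1"`, port 0) as the remote host, so anything downstream that reads `user_info->remote_host` for access decisions or audit logging will see localhost for every winbindd passdb authentication. That deserves a comment at the call, e.g. `/* winbindd has no client socket address here; loopback is a placeholder, not the real origin */`. `local` is allocated on `mem_ctx` and `make_user_info()` stores its own copy, so `TALLOC_FREE(local);` after the call would release it promptly instead of leaving it until `mem_ctx` is freed. `rc < 0` is also mapped to `NT_STATUS_NO_MEMORY` although the helper can presumably fail for other reasons. The function body continues past the hunk.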