From b800a36b1c81fb37ca963acdc49978ff065fb0d7 Mon Sep 17 00:00:00 2001
From: Tim Potter
Date: Wed, 12 Sep 2001 06:39:50 +0000
Subject: Some patches to authentication:
- the usersupplied_info now contains a smb_username (as it comes across on the wire) and a unix_username (after being passed through mapping functions)
- when doing security={server,domain} use the smb_username, otherwise use the unix_username
(This used to be commit d34fd8ec0716127c7a68eeb8e77d1ae8cc07b547)
---
 source3/auth/auth.c | 33 ++++++++++++++++++++-------------
 source3/auth/auth_rhosts.c | 2 +-
 source3/auth/auth_sam.c | 2 +-
 source3/auth/auth_unix.c | 6 ++++--
 source3/include/auth.h | 4 ++--
 source3/libsmb/domain_client_validate.c | 1 -
 source3/nsswitch/winbindd_pam.c | 8 ++++----
 source3/rpc_server/srv_netlog_nt.c | 2 +-
 source3/rpc_server/srv_pipe.c | 2 +-
 source3/smbd/auth.c | 33 ++++++++++++++++++++-------------
 source3/smbd/auth_rhosts.c | 2 +-
 source3/smbd/auth_smbpasswd.c | 2 +-
 source3/smbd/auth_unix.c | 6 ++++--
 source3/smbd/reply.c | 5 +++--
 14 files changed, 63 insertions(+), 45 deletions(-)
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index b707c38c62..0101aa65a2 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -63,7 +63,7 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
 NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
 BOOL done_pam = False;
- DEBUG(3, ("check_password: Checking password for user %s with the new password interface\n", user_info->smb_username.str));
+ DEBUG(3, ("check_password: Checking password for smb user %s with the new password interface\n", user_info->smb_username.str));
 if (!check_domain_match(user_info->smb_username.str, user_info->domain.str)) {
 return NT_STATUS_LOGON_FAILURE;
 }
@@ -81,7 +81,7 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
 }
 if (lp_security() >= SEC_SERVER) {
- smb_user_control(user_info->smb_username.str, nt_status);
+ smb_user_control(user_info->unix_username.str, nt_status);
 }
 if (!NT_STATUS_IS_OK(nt_status)) {
@@ -97,14 +97,14 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
 if (NT_STATUS_IS_OK(nt_status) && !done_pam) {
 /* We might not be root if we are an RPC call */
 become_root();
- nt_status = smb_pam_accountcheck(user_info->smb_username.str);
+ nt_status = smb_pam_accountcheck(user_info->unix_username.str);
 unbecome_root();
 }
 if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(5, ("check_password: Password for user %s suceeded\n", user_info->smb_username.str));
+ DEBUG(5, ("check_password: Password for smb user %s suceeded\n", user_info->smb_username.str));
 } else {
- DEBUG(3, ("check_password: Password for user %s FAILED with error %s\n", user_info->smb_username.str, get_nt_error_msg(nt_status)));
+ DEBUG(3, ("check_password: Password for smb user %s FAILED with error %s\n", user_info->smb_username.str, get_nt_error_msg(nt_status)));
 }
 return nt_status;
@@ -121,14 +121,16 @@ SMB hash
 return True if the password is correct, False otherwise
 ****************************************************************************/
-NTSTATUS pass_check_smb_with_chal(char *user, char *domain, uchar chal[8],
+NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
+ char *domain, uchar chal[8],
 uchar *lm_pwd, int lm_pwd_len,
 uchar *nt_pwd, int nt_pwd_len)
 {
 auth_usersupplied_info user_info;
 auth_serversupplied_info server_info;
- AUTH_STR ourdomain, theirdomain, smb_username, wksta_name;
+ AUTH_STR ourdomain, theirdomain, unix_username, smb_username,
+ wksta_name;
 ZERO_STRUCT(user_info);
 ZERO_STRUCT(ourdomain);
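Review bot: The success and failure DEBUG lines rewritten in the @@ -97 hunk still print only smb_username, while smb_pam_accountcheck() and smb_user_control() in the same function now run against unix_username; when a username map makes the two differ, the log no longer shows which unix account was actually checked, which matters when reconstructing a logon failure afterwards. Logging both names on the failure path is a one-line change: `DEBUG(3, ("check_password: Password for smb user %s (unix user %s) FAILED with error %s\n", user_info->smb_username.str, user_info->unix_username.str, get_nt_error_msg(nt_status)));`. The DEBUG(5) line being touched also keeps the misspelling `suceeded`; `succeeded` would be the moment to fix it. The identical hunk in source3/smbd/auth.c (same blob ids) has the same two points.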
@@ -145,10 +147,15 @@ NTSTATUS pass_check_smb_with_chal(char *user, char *domain, uchar chal[8],
 user_info.requested_domain = theirdomain;
 user_info.domain = ourdomain;
- smb_username.str = user;
+ smb_username.str = smb_user;
 smb_username.len = strlen(smb_username.str);
- user_info.requested_username = smb_username; /* For the time-being */
+ /* If unix user is NULL, use smb user */
+
+ unix_username.str = unix_user ? unix_user : smb_user;
+ unix_username.len = strlen(unix_username.str);
+
+ user_info.unix_username = unix_username;
 user_info.smb_username = smb_username;
 user_info.wksta_name.str = client_name();
@@ -197,7 +204,7 @@ NTSTATUS pass_check_smb_with_chal(char *user, char *domain, uchar chal[8],
 return check_password(&user_info, &server_info);
 }
-NTSTATUS pass_check_smb(char *user, char *domain,
+NTSTATUS pass_check_smb(char *smb_user, char *unix_user, char *domain,
 uchar *lm_pwd, int lm_pwd_len,
 uchar *nt_pwd, int nt_pwd_len)
 {
@@ -207,7 +214,7 @@ NTSTATUS pass_check_smb(char *user, char *domain,
 generate_random_buffer( chal, 8, False);
 }
- return pass_check_smb_with_chal(user, domain, chal,
+ return pass_check_smb_with_chal(smb_user, unix_user, domain, chal,
 lm_pwd, lm_pwd_len,
 nt_pwd, nt_pwd_len);
@@ -233,11 +240,11 @@ BOOL password_ok(char *user, char *password, int pwlen)
 /* The password could be either NTLM or plain LM. Try NTLM first, but fall-through as required. */
- if (NT_STATUS_IS_OK(pass_check_smb(user, lp_workgroup(), NULL, 0, (unsigned char *)password, pwlen))) {
+ if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, lp_workgroup(), NULL, 0, (unsigned char *)password, pwlen))) {
 return True;
 }
- if (NT_STATUS_IS_OK(pass_check_smb(user, lp_workgroup(), (unsigned char *)password, pwlen, NULL, 0))) {
+ if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, lp_workgroup(), (unsigned char *)password, pwlen, NULL, 0))) {
 return True;
 }
diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c
index b447bed5d1..2492a2a68b 100644
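Review bot: The fallback `unix_username.str = unix_user ? unix_user : smb_user;` in the @@ -145 hunk makes the wire-supplied name the unix account name for every caller that passes NULL, which in this commit is password_ok() further down and api_pipe_ntlmssp_verify() in source3/rpc_server/srv_pipe.c; on those paths smb_pam_accountcheck(), smb_user_control(), check_unix_security() and check_hosts_equiv() therefore see an unmapped name, whereas reply_sesssetup_and_X() in source3/smbd/reply.c passes a separate mapped name. Whether those NULL-passing callers have already applied a username map cannot be confirmed from the hunk, so the comment should state the contract rather than just the mechanism: `/* unix_user == NULL means the caller did no username mapping: the wire name is used as the unix account name unchanged */`. The identical hunk in source3/smbd/auth.c needs the same comment.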
--- a/source3/auth/auth_rhosts.c
+++ b/source3/auth/auth_rhosts.c
@@ -174,7 +174,7 @@ NTSTATUS check_rhosts_security(const auth_usersupplied_info *user_info,
 NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
 become_root();
- if (check_hosts_equiv(user_info->smb_username.str)) {
+ if (check_hosts_equiv(user_info->unix_username.str)) {
 nt_status = NT_STATUS_OK;
 }
 unbecome_root();
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index 33b0623643..111a35e068 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -152,7 +152,7 @@ NTSTATUS smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *use
 if (smb_pwd_check_ntlmv2( user_info->nt_resp.buffer, user_info->nt_resp.len, nt_pw,
- user_info->chal, user_info->requested_username.str,
+ user_info->chal, user_info->smb_username.str,
 user_info->requested_domain.str,
 (char *)server_info->session_key)) {
diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c
index 1708320961..ea32a65457 100644
--- a/source3/auth/auth_unix.c
+++ b/source3/auth/auth_unix.c
@@ -73,9 +73,11 @@ NTSTATUS check_unix_security(const auth_usersupplied_info *user_info, auth_serve
 NTSTATUS nt_status;
 become_root();
- nt_status = (pass_check(user_info->smb_username.str, user_info->plaintext_password.str,
+ nt_status = (pass_check(user_info->unix_username.str,
+ user_info->plaintext_password.str,
 user_info->plaintext_password.len,
- lp_update_encrypted() ? update_smbpassword_file : NULL)
+ lp_update_encrypted() ?
+ update_smbpassword_file : NULL)
 ? NT_STATUS_OK : NT_STATUS_LOGON_FAILURE);
 unbecome_root();
diff --git a/source3/include/auth.h b/source3/include/auth.h
index 028f8303da..91230e4b6e 100644
--- a/source3/include/auth.h
+++ b/source3/include/auth.h
@@ -71,8 +71,8 @@ typedef struct usersupplied_info
 AUTH_STR requested_domain; /* domain name string */
 AUTH_STR domain; /* domain name after mapping */
- AUTH_STR requested_username;
- AUTH_STR smb_username; /* user name string (after mapping) */
+ AUTH_STR unix_username; /* username after mapping */
+ AUTH_STR smb_username; /* username before mapping */
 AUTH_STR wksta_name; /* workstation name (netbios calling name) unicode string */
 } auth_usersupplied_info;
diff --git a/source3/libsmb/domain_client_validate.c b/source3/libsmb/domain_client_validate.c
index a6890f1027..b23ab01c1d 100644
--- a/source3/libsmb/domain_client_validate.c
+++ b/source3/libsmb/domain_client_validate.c
@@ -362,4 +362,3 @@ NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info,
 cli_shutdown(&cli);
 return status;
 }
-
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 0408c3a2fb..262a9d7a33 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -96,8 +96,8 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
 user_info.smb_username.str = name_user;
 user_info.smb_username.len = strlen(name_user);
- user_info.requested_username.str = name_user;
- user_info.requested_username.len = strlen(name_user);
+ user_info.unix_username.str = name_user;
+ user_info.unix_username.len = strlen(name_user);
 user_info.wksta_name.str = global_myname;
 user_info.wksta_name.len = strlen(user_info.wksta_name.str);
@@ -172,8 +172,8 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 user_info.smb_username.str = name_user;
 user_info.smb_username.len = strlen(name_user);
- user_info.requested_username.str = name_user;
- user_info.requested_username.len = strlen(name_user);
+ user_info.unix_username.str = name_user;
+ user_info.unix_username.len = strlen(name_user);
 user_info.wksta_name.str = global_myname;
 user_info.wksta_name.len = strlen(user_info.wksta_name.str);
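Review bot: The new field comments in the auth.h hunk, `/* username after mapping */` and `/* username before mapping */`, promise more than the fillers in this commit deliver: both winbindd_pam.c hunks below, _net_logon_any() in source3/rpc_server/srv_netlog_nt.c and session_trust_account() in source3/smbd/reply.c copy the same unmapped string into unix_username (the latter two even keep the `/* For the time-being */` remark). A consumer reading the header would assume unix_username has been through the username map and is safe to hand to the unix-side checks, which is only true on the sesssetup path as far as this diff shows. Suggest stating the weaker contract at the declaration: `AUTH_STR unix_username; /* name to use for unix-side checks; equals smb_username when the caller did no mapping */`.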
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index fd137e6038..26da5ac061 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -505,7 +505,7 @@ static NTSTATUS _net_logon_any(NET_ID_INFO_CTR *ctr, char *user, char *domain, c
 smb_username.str = user;
 smb_username.len = strlen(smb_username.str);
- user_info.requested_username = smb_username; /* For the time-being */
+ user_info.unix_username = smb_username; /* For the time-being */
 user_info.smb_username = smb_username;
 #if 0
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 3570969efc..4a09410e81 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -368,7 +368,7 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm
 become_root();
 p->ntlmssp_auth_validated =
- NT_STATUS_IS_OK(pass_check_smb_with_chal(pipe_user_name, domain,
+ NT_STATUS_IS_OK(pass_check_smb_with_chal(pipe_user_name, NULL, domain,
 (uchar*)p->challenge, lm_owf, lm_pw_len, nt_owf, nt_pw_len));
diff --git a/source3/smbd/auth.c b/source3/smbd/auth.c
index b707c38c62..0101aa65a2 100644
--- a/source3/smbd/auth.c
+++ b/source3/smbd/auth.c
@@ -63,7 +63,7 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
 NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
 BOOL done_pam = False;
- DEBUG(3, ("check_password: Checking password for user %s with the new password interface\n", user_info->smb_username.str));
+ DEBUG(3, ("check_password: Checking password for smb user %s with the new password interface\n", user_info->smb_username.str));
 if (!check_domain_match(user_info->smb_username.str, user_info->domain.str)) {
 return NT_STATUS_LOGON_FAILURE;
 }
@@ -81,7 +81,7 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
 }
 if (lp_security() >= SEC_SERVER) {
- smb_user_control(user_info->smb_username.str, nt_status);
+ smb_user_control(user_info->unix_username.str, nt_status);
 }
 if (!NT_STATUS_IS_OK(nt_status)) {
@@ -97,14 +97,14 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
 if (NT_STATUS_IS_OK(nt_status) && !done_pam) {
 /* We might not be root if we are an RPC call */
 become_root();
- nt_status = smb_pam_accountcheck(user_info->smb_username.str);
+ nt_status = smb_pam_accountcheck(user_info->unix_username.str);
 unbecome_root();
 }
 if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(5, ("check_password: Password for user %s suceeded\n", user_info->smb_username.str));
+ DEBUG(5, ("check_password: Password for smb user %s suceeded\n", user_info->smb_username.str));
 } else {
- DEBUG(3, ("check_password: Password for user %s FAILED with error %s\n", user_info->smb_username.str, get_nt_error_msg(nt_status)));
+ DEBUG(3, ("check_password: Password for smb user %s FAILED with error %s\n", user_info->smb_username.str, get_nt_error_msg(nt_status)));
 }
 return nt_status;
@@ -121,14 +121,16 @@ SMB hash
 return True if the password is correct, False otherwise
 ****************************************************************************/
-NTSTATUS pass_check_smb_with_chal(char *user, char *domain, uchar chal[8],
+NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
+ char *domain, uchar chal[8],
 uchar *lm_pwd, int lm_pwd_len,
 uchar *nt_pwd, int nt_pwd_len)
 {
 auth_usersupplied_info user_info;
 auth_serversupplied_info server_info;
- AUTH_STR ourdomain, theirdomain, smb_username, wksta_name;
+ AUTH_STR ourdomain, theirdomain, unix_username, smb_username,
+ wksta_name;
 ZERO_STRUCT(user_info);
 ZERO_STRUCT(ourdomain);
@@ -145,10 +147,15 @@ NTSTATUS pass_check_smb_with_chal(char *user, char *domain, uchar chal[8],
 user_info.requested_domain = theirdomain;
 user_info.domain = ourdomain;
- smb_username.str = user;
+ smb_username.str = smb_user;
 smb_username.len = strlen(smb_username.str);
- user_info.requested_username = smb_username; /* For the time-being */
+ /* If unix user is NULL, use smb user */
+
+ unix_username.str = unix_user ? unix_user : smb_user;
+ unix_username.len = strlen(unix_username.str);
+
+ user_info.unix_username = unix_username;
 user_info.smb_username = smb_username;
 user_info.wksta_name.str = client_name();
@@ -197,7 +204,7 @@ NTSTATUS pass_check_smb_with_chal(char *user, char *domain, uchar chal[8],
 return check_password(&user_info, &server_info);
 }
-NTSTATUS pass_check_smb(char *user, char *domain,
+NTSTATUS pass_check_smb(char *smb_user, char *unix_user, char *domain,
 uchar *lm_pwd, int lm_pwd_len,
 uchar *nt_pwd, int nt_pwd_len)
 {
@@ -207,7 +214,7 @@ NTSTATUS pass_check_smb(char *user, char *domain,
 generate_random_buffer( chal, 8, False);
 }
- return pass_check_smb_with_chal(user, domain, chal,
+ return pass_check_smb_with_chal(smb_user, unix_user, domain, chal,
 lm_pwd, lm_pwd_len,
 nt_pwd, nt_pwd_len);
@@ -233,11 +240,11 @@ BOOL password_ok(char *user, char *password, int pwlen)
 /* The password could be either NTLM or plain LM. Try NTLM first, but fall-through as required. */
- if (NT_STATUS_IS_OK(pass_check_smb(user, lp_workgroup(), NULL, 0, (unsigned char *)password, pwlen))) {
+ if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, lp_workgroup(), NULL, 0, (unsigned char *)password, pwlen))) {
 return True;
 }
- if (NT_STATUS_IS_OK(pass_check_smb(user, lp_workgroup(), (unsigned char *)password, pwlen, NULL, 0))) {
+ if (NT_STATUS_IS_OK(pass_check_smb(user, NULL, lp_workgroup(), (unsigned char *)password, pwlen, NULL, 0))) {
 return True;
 }
diff --git a/source3/smbd/auth_rhosts.c b/source3/smbd/auth_rhosts.c
index b447bed5d1..2492a2a68b 100644
--- a/source3/smbd/auth_rhosts.c
+++ b/source3/smbd/auth_rhosts.c
@@ -174,7 +174,7 @@ NTSTATUS check_rhosts_security(const auth_usersupplied_info *user_info,
 NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
 become_root();
- if (check_hosts_equiv(user_info->smb_username.str)) {
+ if (check_hosts_equiv(user_info->unix_username.str)) {
 nt_status = NT_STATUS_OK;
 }
 unbecome_root();
diff --git a/source3/smbd/auth_smbpasswd.c b/source3/smbd/auth_smbpasswd.c
index 33b0623643..111a35e068 100644
--- a/source3/smbd/auth_smbpasswd.c
+++ b/source3/smbd/auth_smbpasswd.c
@@ -152,7 +152,7 @@ NTSTATUS smb_password_ok(SAM_ACCOUNT *sampass, const auth_usersupplied_info *use
 if (smb_pwd_check_ntlmv2( user_info->nt_resp.buffer, user_info->nt_resp.len, nt_pw,
- user_info->chal, user_info->requested_username.str,
+ user_info->chal, user_info->smb_username.str,
 user_info->requested_domain.str,
 (char *)server_info->session_key)) {
diff --git a/source3/smbd/auth_unix.c b/source3/smbd/auth_unix.c
index 1708320961..ea32a65457 100644
--- a/source3/smbd/auth_unix.c
+++ b/source3/smbd/auth_unix.c
@@ -73,9 +73,11 @@ NTSTATUS check_unix_security(const auth_usersupplied_info *user_info, auth_serve
 NTSTATUS nt_status;
 become_root();
- nt_status = (pass_check(user_info->smb_username.str, user_info->plaintext_password.str,
+ nt_status = (pass_check(user_info->unix_username.str,
+ user_info->plaintext_password.str,
 user_info->plaintext_password.len,
- lp_update_encrypted() ? update_smbpassword_file : NULL)
+ lp_update_encrypted() ?
+ update_smbpassword_file : NULL)
 ? NT_STATUS_OK : NT_STATUS_LOGON_FAILURE);
 unbecome_root();
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index c2d38a1076..9e88f58fa6 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -462,7 +462,7 @@ static int session_trust_account(connection_struct *conn, char *inbuf, char *out
 smb_username.str = user;
 smb_username.len = strlen(smb_username.str);
- user_info.requested_username = smb_username; /* For the time-being */
+ user_info.unix_username = smb_username; /* For the time-being */
 user_info.smb_username = smb_username;
 user_info.wksta_name = wksta_name;
@@ -776,7 +776,8 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,int
 add_session_user(user);
 if (!guest) {
- valid_password = NT_STATUS_IS_OK(pass_check_smb(user, domain,
+ valid_password = NT_STATUS_IS_OK(pass_check_smb(orig_user, user,
+ domain,
 (unsigned char *)smb_apasswd,
 smb_apasslen,
 (unsigned char *)smb_ntpasswd,
-- cgit
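Review bot: The new call `pass_check_smb(orig_user, user, domain, ...` in the @@ -776 hunk makes the whole check chain depend on `orig_user` still being the name exactly as the client sent it, because check_password() runs check_domain_match() on smb_username and smb_password_ok() now feeds smb_username into the NTLMv2 check, which only verifies if the name is byte-for-byte what the client hashed; `orig_user` and `user` are both declared outside the hunk (reply_sesssetup_and_X() starts well before it), so that cannot be confirmed here. A comment at the call would pin the contract for the next person who adds case-folding or mapping in between: `/* orig_user: name as sent by the client, needed unchanged for the NTLMv2 check; user: mapped unix account */`. session_trust_account() in the first hunk passes the same unmapped name for both fields and keeps the `/* For the time-being */` remark, which is worth a matching note so the two paths are not assumed to be equivalent.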