From 986372901e85a79343ba32f590a4a3e7658d2565 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Fri, 3 Aug 2001 13:09:23 +0000
Subject: This is my 'Authentication Rewrite' version 1.01, mostly as submitted to samba-technical a few weeks ago. The idea here is to standardize the checking of user names and passwords, thereby ensuring that all authtentications pass the same standards. The interface currently implemented in as nt_status = check_password(user_info, server_info) where user_info contains (mostly) the authentication data, and server_info contains things like the user-id they got, and their resolved user name. The current ugliness with the way the structures are created will be killed the next revision, when they will be created and malloced by creator functions. This patch also includes the first implementation of NTLMv2 in HEAD, but which needs some more testing. We also add a hack to allow plaintext passwords to be compared with smbpasswd, not the system password database. Finally, this patch probably reintroduces the PAM accounts bug we had in 2.2.0, I'll fix that once this hits the tree. (I've just finished testing it on a wide variety of platforms, so I want to get this patch in). (This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)
---
 source3/auth/auth_domain.c | 417 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 417 insertions(+)
 create mode 100644 source3/auth/auth_domain.c
(limited to 'source3/auth/auth_domain.c')
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
new file mode 100644
index 0000000000..4bf0a05d7f
--- /dev/null
+++ b/source3/auth/auth_domain.c
@@ -0,0 +1,417 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 1.9.
+ Authenticate against a remote domain
+ Copyright (C) Andrew Tridgell 1992-1998
+ Copyright (C) Andrew Bartlett 2001
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+extern int DEBUGLEVEL;
+extern struct in_addr ipzero;
+
+BOOL global_machine_password_needs_changing = False;
+
+extern pstring global_myname;
+
+/***********************************************************************
+ Connect to a remote machine for domain security authentication
+ given a name or IP address.
+ ***********************************************************************/ + +static BOOL connect_to_domain_password_server(struct cli_state *pcli, + char *server, unsigned char *trust_passwd) +{ + struct in_addr dest_ip; + fstring remote_machine; + + if(cli_initialise(pcli) == NULL) { + DEBUG(0,("connect_to_domain_password_server: unable to initialize client connection.\n")); + return False; + } + + if (is_ipaddress(server)) { + struct in_addr to_ip; + + /* we shouldn't have 255.255.255.255 forthe IP address of + a password server anyways */ + if ((to_ip.s_addr=inet_addr(server)) == 0xFFFFFFFF) { + DEBUG (0,("connect_to_domain_password_server: inet_addr(%s) returned 0xFFFFFFFF!\n", server)); + return False; + } + + if (!name_status_find(0x20, to_ip, remote_machine)) { + DEBUG(0, ("connect_to_domain_password_server: Can't " + "resolve name for IP %s\n", server)); + return False; + } + } else { + fstrcpy(remote_machine, server); + } + + standard_sub_basic(remote_machine); + strupper(remote_machine); + + if(!resolve_name( remote_machine, &dest_ip, 0x20)) { + DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", remote_machine)); + cli_shutdown(pcli); + return False; + } + + if (ismyip(dest_ip)) { + DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n", + remote_machine)); + cli_shutdown(pcli); + return False; + } + + if (!cli_connect(pcli, remote_machine, &dest_ip)) { + DEBUG(0,("connect_to_domain_password_server: unable to connect to SMB server on \ +machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + cli_shutdown(pcli); + return False; + } + + if (!attempt_netbios_session_request(pcli, global_myname, remote_machine, &dest_ip)) { + DEBUG(0,("connect_to_password_server: machine %s rejected the NetBIOS \ +session request. 
Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + return False; + } + + pcli->protocol = PROTOCOL_NT1; + + if (!cli_negprot(pcli)) { + DEBUG(0,("connect_to_domain_password_server: machine %s rejected the negotiate protocol. \ +Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + cli_shutdown(pcli); + return False; + } + + if (pcli->protocol != PROTOCOL_NT1) { + DEBUG(0,("connect_to_domain_password_server: machine %s didn't negotiate NT protocol.\n", + remote_machine)); + cli_shutdown(pcli); + return False; + } + + /* + * Do an anonymous session setup. + */ + + if (!cli_session_setup(pcli, "", "", 0, "", 0, "")) { + DEBUG(0,("connect_to_domain_password_server: machine %s rejected the session setup. \ +Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + cli_shutdown(pcli); + return False; + } + + if (!(pcli->sec_mode & 1)) { + DEBUG(1,("connect_to_domain_password_server: machine %s isn't in user level security mode\n", + remote_machine)); + cli_shutdown(pcli); + return False; + } + + if (!cli_send_tconX(pcli, "IPC$", "IPC", "", 1)) { + DEBUG(0,("connect_to_domain_password_server: machine %s rejected the tconX on the IPC$ share. \ +Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + cli_shutdown(pcli); + return False; + } + + /* + * We now have an anonymous connection to IPC$ on the domain password server. + */ + + /* + * Even if the connect succeeds we need to setup the netlogon + * pipe here. We do this as we may just have changed the domain + * account password on the PDC and yet we may be talking to + * a BDC that doesn't have this replicated yet. In this case + * a successful connect to a DC needs to take the netlogon connect + * into account also. This patch from "Bjart Kvarme" . + */ + + if(cli_nt_session_open(pcli, PIPE_NETLOGON) == False) { + DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ +machine %s. 
Error was : %s.\n", remote_machine, cli_errstr(pcli))); + cli_nt_session_close(pcli); + cli_ulogoff(pcli); + cli_shutdown(pcli); + return False; + } + + if (cli_nt_setup_creds(pcli, trust_passwd) == False) { + DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ +%s. Error was : %s.\n", remote_machine, cli_errstr(pcli))); + cli_nt_session_close(pcli); + cli_ulogoff(pcli); + cli_shutdown(pcli); + return(False); + } + + return True; +} + +/*********************************************************************** + Utility function to attempt a connection to an IP address of a DC. +************************************************************************/ + +static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, + unsigned char *trust_passwd) +{ + fstring dc_name; + + /* + * Ignore addresses we have already tried. + */ + + if (ip_equal(ipzero, *ip)) + return False; + + if (!lookup_pdc_name(global_myname, lp_workgroup(), ip, dc_name)) + return False; + + return connect_to_domain_password_server(pcli, dc_name, trust_passwd); +} + +/*********************************************************************** + We have been asked to dynamcially determine the IP addresses of + the PDC and BDC's for this DOMAIN, and query them in turn. +************************************************************************/ +static BOOL find_connect_pdc(struct cli_state *pcli, + unsigned char *trust_passwd, + time_t last_change_time) +{ + struct in_addr *ip_list = NULL; + int count = 0; + int i; + BOOL connected_ok = False; + time_t time_now = time(NULL); + BOOL use_pdc_only = False; + + /* + * If the time the machine password has changed + * was less than an hour ago then we need to contact + * the PDC only, as we cannot be sure domain replication + * has yet taken place. Bug found by Gerald (way to go + * Gerald !). JRA. 
+ */ + + if (time_now - last_change_time < 3600) + use_pdc_only = True; + + if (!get_dc_list(use_pdc_only, lp_workgroup(), &ip_list, &count)) + return False; + + /* + * Firstly try and contact a PDC/BDC who has the same + * network address as any of our interfaces. + */ + for(i = 0; i < count; i++) { + if(!is_local_net(ip_list[i])) + continue; + + if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + break; + + ip_list[i] = ipzero; /* Tried and failed. */ + } + + /* + * Secondly try and contact a random PDC/BDC. + */ + if(!connected_ok) { + i = (sys_random() % count); + + if (!(connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + ip_list[i] = ipzero; /* Tried and failed. */ + } + + /* + * Finally go through the IP list in turn, ignoring any addresses + * we have already tried. + */ + if(!connected_ok) { + /* + * Try and connect to any of the other IP addresses in the PDC/BDC list. + * Note that from a WINS server the #1 IP address is the PDC. + */ + for(i = 0; i < count; i++) { + if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + break; + } + } + + if(ip_list != NULL) + free((char *)ip_list); + + + return connected_ok; +} + +/*********************************************************************** + Do the same as security=server, but using NT Domain calls and a session + key from the machine password. If the server parameter is specified + use it, otherwise figure out a server from the 'password server' param. 
+************************************************************************/ + +uint32 domain_client_validate(const auth_usersupplied_info *user_info, + auth_serversupplied_info *server_info, + char *server) +{ + unsigned char trust_passwd[16]; + fstring remote_machine; + char *p, *pserver; + NET_ID_INFO_CTR ctr; + NET_USER_INFO_3 info3; + struct cli_state cli; + uint32 smb_uid_low; + BOOL connected_ok = False; + time_t last_change_time; + uint32 nt_status; + + /* + * Check that the requested domain is not our own machine name. + * If it is, we should never check the PDC here, we use our own local + * password file. + */ + + if(strequal(user_info->domain.str, global_myname)) { + DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n")); + return NT_STATUS_LOGON_FAILURE; + } + + /* + * Get the machine account password for our primary domain + */ + if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, &last_change_time)) + { + DEBUG(0, ("domain_client_validate: could not fetch trust account password for domain %s\n", lp_workgroup())); + return NT_STATUS_LOGON_FAILURE; + } + + /* Test if machine password is expired and need to be changed */ + if (time(NULL) > last_change_time + lp_machine_password_timeout()) + { + global_machine_password_needs_changing = True; + } + + /* + * At this point, smb_apasswd points to the lanman response to + * the challenge in local_challenge, and smb_ntpasswd points to + * the NT response to the challenge in local_challenge. Ship + * these over the secure channel to a domain controller and + * see if they were valid. + */ + + ZERO_STRUCT(cli); + + /* + * Treat each name in the 'password server =' line as a potential + * PDC/BDC. Contact each in turn and try and authenticate. + */ + + if (server) { + p = server; + } else { + pserver = lp_passwordserver(); + if (! 
*pserver) pserver = "*"; + p = pserver; + } + + while (!connected_ok && + next_token(&p,remote_machine,LIST_SEP,sizeof(remote_machine))) { + if(strequal(remote_machine, "*")) { + connected_ok = find_connect_pdc(&cli, trust_passwd, last_change_time); + } else { + connected_ok = connect_to_domain_password_server(&cli, remote_machine, trust_passwd); + } + } + + if (!connected_ok) { + DEBUG(0,("domain_client_validate: Domain password server not available.\n")); + cli_shutdown(&cli); + return NT_STATUS_LOGON_FAILURE; + } + + /* We really don't care what LUID we give the user. */ + generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False); + + ZERO_STRUCT(info3); + + cli_nt_login_network(&cli, user_info->domain.str, user_info->smb_username.str, smb_uid_low, user_info->chal, + user_info->lm_resp.buffer, user_info->lm_resp.len, + user_info->nt_resp.buffer, user_info->lm_resp.len, + &ctr, &info3); + + cli_error(&cli, NULL, NULL, &nt_status); + if (nt_status != NT_STATUS_NOPROBLEMO) { + DEBUG(0,("domain_client_validate: unable to validate password for user %s in domain \ +%s to Domain controller %s. Error was %s.\n", user_info->smb_username.str, user_info->domain.str, remote_machine, cli_errstr(&cli))); + } + + /* + * Here, if we really want it, we have lots of info about the user in info3. + */ + +#if 0 + /* + * We don't actually need to do this - plus it fails currently with + * NT_STATUS_INVALID_INFO_CLASS - we need to know *exactly* what to + * send here. JRA. + */ + + if (nt_status == NT_STATUS_NOPROBLMO) { + if(cli_nt_logoff(&cli, &ctr) == False) { + DEBUG(0,("domain_client_validate: unable to log off user %s in domain \ +%s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli))); + nt_status = NT_STATUS_LOGON_FAILURE; + } + } +#endif /* 0 */ + + /* Note - once the cli stream is shutdown the mem_ctx used + to allocate the other_sids and gids structures has been deleted - so + these pointers are no longer valid..... 
 */
+ cli_nt_session_close(&cli);
+ cli_ulogoff(&cli);
+ cli_shutdown(&cli);
+ return nt_status;
+}
+
+/****************************************************************************
+ Check for a valid username and password in security=domain mode.
+****************************************************************************/
+
+uint32 check_domain_security(const auth_usersupplied_info *user_info,
+ auth_serversupplied_info *server_info)
+{
+ uint32 nt_status = NT_STATUS_LOGON_FAILURE;
+
+ if(lp_security() != SEC_DOMAIN)
+ return NT_STATUS_LOGON_FAILURE;
+
+ nt_status = domain_client_validate(user_info, server_info, NULL);
+
+ return nt_status;
+}
+
+
+
-- cgit
From 62f7f6a022dea6fd4fbe514dcb3154bda334a07f Mon Sep 17 00:00:00 2001
From: Tim Potter
Date: Fri, 10 Aug 2001 06:01:11 +0000
Subject: Use the new client error api. (This used to be commit 688da3c41dd944f7f69083518d25e9edbc55406f)
---
 source3/auth/auth_domain.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'source3/auth/auth_domain.c')
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index 4bf0a05d7f..e94ea13edc 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -360,7 +360,7 @@ uint32 domain_client_validate(const auth_usersupplied_info *user_info,
 user_info->nt_resp.buffer, user_info->lm_resp.len,
 &ctr, &info3);
 
- cli_error(&cli, NULL, NULL, &nt_status);
+ nt_status = cli_nt_error(&cli);
 if (nt_status != NT_STATUS_NOPROBLEMO) {
 DEBUG(0,("domain_client_validate: unable to validate password for user %s in domain \
 %s to Domain controller %s. Error was %s.\n", user_info->smb_username.str, user_info->domain.str, remote_machine, cli_errstr(&cli)));
-- cgit
From 6ad80352dd2523c310258de3211a2af0f1763d2a Mon Sep 17 00:00:00 2001
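Review bot: In domain_client_validate the call to cli_nt_login_network passes `user_info->lm_resp.len` as the length of the NT response (the argument following `user_info->nt_resp.buffer`); it should be `user_info->nt_resp.len`, otherwise an NT response whose length differs from the LM response — which is exactly the NTLMv2 case this commit says it introduces — is truncated or over-read before it is shipped to the DC. In connect_to_domain_password_server the `attempt_netbios_session_request` failure path returns False without `cli_shutdown(pcli);`, unlike every other failure path in that function, so the half-open client connection leaks. The `trust_passwd[16]` machine-account secret in domain_client_validate is left on the stack at every return; clearing it before returning (e.g. `memset(trust_passwd, 0, sizeof(trust_passwd));`, accepting that a plain memset may be elided by the optimizer) limits how long the secret survives in reused stack memory. The `server_info` parameter of domain_client_validate is accepted but never written, so nothing from info3 reaches the caller even though the commit message describes server_info as carrying the resolved user data.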
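Review bot: The BOOL result of `cli_nt_login_network` (the call whose trailing arguments `&ctr, &info3);` form the hunk's first context lines) is still discarded, and the new `nt_status = cli_nt_error(&cli);` becomes the only error signal; if that call can fail before an RPC reply is parsed without updating the client's stored NT status, a stale status could be treated as a successful logon. Making the failure explicit, e.g. `if (!cli_nt_login_network(...)) nt_status = NT_STATUS_LOGON_FAILURE; else nt_status = cli_nt_error(&cli);`, removes the dependence on that property of the client library, which cannot be verified from this file. The enclosing function domain_client_validate starts and ends outside the hunk.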
From: Andrew Bartlett Date: Sun, 12 Aug 2001 11:19:57 +0000 Subject: This patch does a number of things, mostly smaller than they look :-) In particular, it moves the domain_client_validate stuff out of auth_domain.c to somewhere where (I hope) it can be shared with winbind better. (This may need some work) The main purpose of this patch was however to improve some of the internal documentation and to correctly place become_root()/unbecome_root() calls within the code. Finally this patch moves some more of auth.c into other files, auth_unix.c in this case. Andrew Bartlett (This used to be commit ea1c547ac880def29f150de2172c95213509350e) --- source3/auth/auth_domain.c | 374 +++------------------------------------------ 1 file changed, 19 insertions(+), 355 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index e94ea13edc..a2e3c7a9b5 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c
@@ -23,392 +23,56 @@ #include "includes.h" extern int DEBUGLEVEL; -extern struct in_addr ipzero; BOOL global_machine_password_needs_changing = False; -extern pstring global_myname; - -/*********************************************************************** - Connect to a remote machine for domain security authentication - given a name or IP address. - ***********************************************************************/ - -static BOOL connect_to_domain_password_server(struct cli_state *pcli, - char *server, unsigned char *trust_passwd) -{ - struct in_addr dest_ip; - fstring remote_machine; - - if(cli_initialise(pcli) == NULL) { - DEBUG(0,("connect_to_domain_password_server: unable to initialize client connection.\n")); - return False; - } - - if (is_ipaddress(server)) { - struct in_addr to_ip; - - /* we shouldn't have 255.255.255.255 forthe IP address of - a password server anyways */ - if ((to_ip.s_addr=inet_addr(server)) == 0xFFFFFFFF) { - DEBUG (0,("connect_to_domain_password_server: inet_addr(%s) returned 0xFFFFFFFF!\n", server)); - return False; - } - - if (!name_status_find(0x20, to_ip, remote_machine)) { - DEBUG(0, ("connect_to_domain_password_server: Can't " - "resolve name for IP %s\n", server)); - return False; - } - } else { - fstrcpy(remote_machine, server); - } - - standard_sub_basic(remote_machine); - strupper(remote_machine); - - if(!resolve_name( remote_machine, &dest_ip, 0x20)) { - DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", remote_machine)); - cli_shutdown(pcli); - return False; - } - - if (ismyip(dest_ip)) { - DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n", - remote_machine)); - cli_shutdown(pcli); - return False; - } - - if (!cli_connect(pcli, remote_machine, &dest_ip)) { - DEBUG(0,("connect_to_domain_password_server: unable to connect to SMB server on \ -machine %s. 
Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; - } - - if (!attempt_netbios_session_request(pcli, global_myname, remote_machine, &dest_ip)) { - DEBUG(0,("connect_to_password_server: machine %s rejected the NetBIOS \ -session request. Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - return False; - } - - pcli->protocol = PROTOCOL_NT1; - - if (!cli_negprot(pcli)) { - DEBUG(0,("connect_to_domain_password_server: machine %s rejected the negotiate protocol. \ -Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; - } - - if (pcli->protocol != PROTOCOL_NT1) { - DEBUG(0,("connect_to_domain_password_server: machine %s didn't negotiate NT protocol.\n", - remote_machine)); - cli_shutdown(pcli); - return False; - } - - /* - * Do an anonymous session setup. - */ - - if (!cli_session_setup(pcli, "", "", 0, "", 0, "")) { - DEBUG(0,("connect_to_domain_password_server: machine %s rejected the session setup. \ -Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; - } - - if (!(pcli->sec_mode & 1)) { - DEBUG(1,("connect_to_domain_password_server: machine %s isn't in user level security mode\n", - remote_machine)); - cli_shutdown(pcli); - return False; - } - - if (!cli_send_tconX(pcli, "IPC$", "IPC", "", 1)) { - DEBUG(0,("connect_to_domain_password_server: machine %s rejected the tconX on the IPC$ share. \ -Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; - } - - /* - * We now have an anonymous connection to IPC$ on the domain password server. - */ - - /* - * Even if the connect succeeds we need to setup the netlogon - * pipe here. We do this as we may just have changed the domain - * account password on the PDC and yet we may be talking to - * a BDC that doesn't have this replicated yet. In this case - * a successful connect to a DC needs to take the netlogon connect - * into account also. 
This patch from "Bjart Kvarme" . - */ - - if(cli_nt_session_open(pcli, PIPE_NETLOGON) == False) { - DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ -machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli))); - cli_nt_session_close(pcli); - cli_ulogoff(pcli); - cli_shutdown(pcli); - return False; - } - - if (cli_nt_setup_creds(pcli, trust_passwd) == False) { - DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ -%s. Error was : %s.\n", remote_machine, cli_errstr(pcli))); - cli_nt_session_close(pcli); - cli_ulogoff(pcli); - cli_shutdown(pcli); - return(False); - } - - return True; -} - -/*********************************************************************** - Utility function to attempt a connection to an IP address of a DC. -************************************************************************/ - -static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, - unsigned char *trust_passwd) -{ - fstring dc_name; - - /* - * Ignore addresses we have already tried. - */ - - if (ip_equal(ipzero, *ip)) - return False; - - if (!lookup_pdc_name(global_myname, lp_workgroup(), ip, dc_name)) - return False; - - return connect_to_domain_password_server(pcli, dc_name, trust_passwd); -} - -/*********************************************************************** - We have been asked to dynamcially determine the IP addresses of - the PDC and BDC's for this DOMAIN, and query them in turn. 
-************************************************************************/ -static BOOL find_connect_pdc(struct cli_state *pcli, - unsigned char *trust_passwd, - time_t last_change_time) -{ - struct in_addr *ip_list = NULL; - int count = 0; - int i; - BOOL connected_ok = False; - time_t time_now = time(NULL); - BOOL use_pdc_only = False; - - /* - * If the time the machine password has changed - * was less than an hour ago then we need to contact - * the PDC only, as we cannot be sure domain replication - * has yet taken place. Bug found by Gerald (way to go - * Gerald !). JRA. - */ - - if (time_now - last_change_time < 3600) - use_pdc_only = True; - - if (!get_dc_list(use_pdc_only, lp_workgroup(), &ip_list, &count)) - return False; - - /* - * Firstly try and contact a PDC/BDC who has the same - * network address as any of our interfaces. - */ - for(i = 0; i < count; i++) { - if(!is_local_net(ip_list[i])) - continue; - - if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) - break; - - ip_list[i] = ipzero; /* Tried and failed. */ - } - - /* - * Secondly try and contact a random PDC/BDC. - */ - if(!connected_ok) { - i = (sys_random() % count); - - if (!(connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) - ip_list[i] = ipzero; /* Tried and failed. */ - } - - /* - * Finally go through the IP list in turn, ignoring any addresses - * we have already tried. - */ - if(!connected_ok) { - /* - * Try and connect to any of the other IP addresses in the PDC/BDC list. - * Note that from a WINS server the #1 IP address is the PDC. - */ - for(i = 0; i < count; i++) { - if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) - break; - } - } - - if(ip_list != NULL) - free((char *)ip_list); - - - return connected_ok; -} - -/*********************************************************************** - Do the same as security=server, but using NT Domain calls and a session - key from the machine password. 
If the server parameter is specified - use it, otherwise figure out a server from the 'password server' param. -************************************************************************/ +/**************************************************************************** + Check for a valid username and password in security=domain mode. +****************************************************************************/ -uint32 domain_client_validate(const auth_usersupplied_info *user_info, - auth_serversupplied_info *server_info, - char *server) +uint32 check_domain_security(const auth_usersupplied_info *user_info, + auth_serversupplied_info *server_info) { - unsigned char trust_passwd[16]; - fstring remote_machine; + uint32 nt_status = NT_STATUS_LOGON_FAILURE; char *p, *pserver; - NET_ID_INFO_CTR ctr; - NET_USER_INFO_3 info3; - struct cli_state cli; - uint32 smb_uid_low; - BOOL connected_ok = False; + unsigned char trust_passwd[16]; time_t last_change_time; - uint32 nt_status; - - /* - * Check that the requested domain is not our own machine name. - * If it is, we should never check the PDC here, we use our own local - * password file. 
- */ - if(strequal(user_info->domain.str, global_myname)) { - DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n")); + if(lp_security() != SEC_DOMAIN) return NT_STATUS_LOGON_FAILURE; - } + + become_root(); /* * Get the machine account password for our primary domain */ + if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, &last_change_time)) { DEBUG(0, ("domain_client_validate: could not fetch trust account password for domain %s\n", lp_workgroup())); + unbecome_root(); return NT_STATUS_LOGON_FAILURE; } + unbecome_root(); + /* Test if machine password is expired and need to be changed */ if (time(NULL) > last_change_time + lp_machine_password_timeout()) { global_machine_password_needs_changing = True; } - /* - * At this point, smb_apasswd points to the lanman response to - * the challenge in local_challenge, and smb_ntpasswd points to - * the NT response to the challenge in local_challenge. Ship - * these over the secure channel to a domain controller and - * see if they were valid. - */ - - ZERO_STRUCT(cli); - /* * Treat each name in the 'password server =' line as a potential * PDC/BDC. Contact each in turn and try and authenticate. */ - if (server) { - p = server; - } else { - pserver = lp_passwordserver(); - if (! *pserver) pserver = "*"; - p = pserver; - } - - while (!connected_ok && - next_token(&p,remote_machine,LIST_SEP,sizeof(remote_machine))) { - if(strequal(remote_machine, "*")) { - connected_ok = find_connect_pdc(&cli, trust_passwd, last_change_time); - } else { - connected_ok = connect_to_domain_password_server(&cli, remote_machine, trust_passwd); - } - } - - if (!connected_ok) { - DEBUG(0,("domain_client_validate: Domain password server not available.\n")); - cli_shutdown(&cli); - return NT_STATUS_LOGON_FAILURE; - } - - /* We really don't care what LUID we give the user. 
*/ - generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False); - - ZERO_STRUCT(info3); - - cli_nt_login_network(&cli, user_info->domain.str, user_info->smb_username.str, smb_uid_low, user_info->chal, - user_info->lm_resp.buffer, user_info->lm_resp.len, - user_info->nt_resp.buffer, user_info->lm_resp.len, - &ctr, &info3); - - nt_status = cli_nt_error(&cli); - if (nt_status != NT_STATUS_NOPROBLEMO) { - DEBUG(0,("domain_client_validate: unable to validate password for user %s in domain \ -%s to Domain controller %s. Error was %s.\n", user_info->smb_username.str, user_info->domain.str, remote_machine, cli_errstr(&cli))); - } - - /* - * Here, if we really want it, we have lots of info about the user in info3. - */ - -#if 0 - /* - * We don't actually need to do this - plus it fails currently with - * NT_STATUS_INVALID_INFO_CLASS - we need to know *exactly* what to - * send here. JRA. - */ - - if (nt_status == NT_STATUS_NOPROBLMO) { - if(cli_nt_logoff(&cli, &ctr) == False) { - DEBUG(0,("domain_client_validate: unable to log off user %s in domain \ -%s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli))); - nt_status = NT_STATUS_LOGON_FAILURE; - } - } -#endif /* 0 */ - - /* Note - once the cli stream is shutdown the mem_ctx used - to allocate the other_sids and gids structures has been deleted - so - these pointers are no longer valid..... */ - - cli_nt_session_close(&cli); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return nt_status; -} - -/**************************************************************************** - Check for a valid username and password in security=domain mode. 
-****************************************************************************/
-
-uint32 check_domain_security(const auth_usersupplied_info *user_info,
- auth_serversupplied_info *server_info)
-{
- uint32 nt_status = NT_STATUS_LOGON_FAILURE;
-
- if(lp_security() != SEC_DOMAIN)
- return NT_STATUS_LOGON_FAILURE;
+ pserver = lp_passwordserver();
+ if (! *pserver) pserver = "*";
+ p = pserver;
 
- nt_status = domain_client_validate(user_info, server_info, NULL);
+ nt_status = domain_client_validate(user_info, server_info,
+ p, trust_passwd, last_change_time);
 
 return nt_status;
 }
-- cgit
From bb94537ab5858fecb34f047c9e5c0e6fe4fd8ae9 Mon Sep 17 00:00:00 2001
From: Tim Potter
Date: Fri, 24 Aug 2001 18:55:56 +0000
Subject: Fixed incorrect debug. (This used to be commit cec051cf5fb93d9f45eca3f9cf462f78a7d7040d)
---
 source3/auth/auth_domain.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
(limited to 'source3/auth/auth_domain.c')
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index a2e3c7a9b5..d9d7b6fd40 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -49,7 +49,7 @@ uint32 check_domain_security(const auth_usersupplied_info *user_info,
 if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, &last_change_time))
 {
- DEBUG(0, ("domain_client_validate: could not fetch trust account password for domain %s\n", lp_workgroup()));
+ DEBUG(0, ("check_domain_security: could not fetch trust account password for domain %s\n", lp_workgroup()));
 unbecome_root();
 return NT_STATUS_LOGON_FAILURE;
 }
@@ -76,6 +76,3 @@ uint32 check_domain_security(const auth_usersupplied_info *user_info,
 
 return nt_status;
 }
-
-
-
-- cgit
From 19fea3242cf6234786b6cbb60631e0071f31ff9f Mon Sep 17 00:00:00 2001
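Review bot: In the new check_domain_security the machine-account secret `trust_passwd[16]`, fetched under become_root(), is handed to domain_client_validate and then left on the stack on both the success path and the failure return with no clearing; adding `memset(trust_passwd, 0, sizeof(trust_passwd));` before `return nt_status;` (and on the failure return) bounds its lifetime, with the caveat that an optimizer may drop a dead memset. The become_root()/unbecome_root() pair is balanced around secrets_fetch_trust_account_password, but the privileged region is only two statements wide and has its own early return inside it, so a comment such as `/* privileged: every exit between here and unbecome_root() must drop root */` would protect the next edit. The new five-argument call `domain_client_validate(user_info, server_info, p, trust_passwd, last_change_time)` depends on a prototype in a shared header that this commit also has to update, since the function body moved out of this file; that cannot be checked from here. The hunk spans the whole of check_domain_security, but the removed bodies it deletes begin on earlier lines outside this unit's view.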
From: Andrew Tridgell
Date: Tue, 4 Sep 2001 07:13:01 +0000
Subject: the next stage in the NTSTATUS/WERROR change. smbd and nmbd now compile, but the client code still needs some work (This used to be commit dcd6e735f709a9231860ceb9682db40ff26c9a66)
---
 source3/auth/auth_domain.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'source3/auth/auth_domain.c')
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index d9d7b6fd40..111f0f143c 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -30,10 +30,10 @@ BOOL global_machine_password_needs_changing = False;
 Check for a valid username and password in security=domain mode.
 ****************************************************************************/
 
-uint32 check_domain_security(const auth_usersupplied_info *user_info,
- auth_serversupplied_info *server_info)
+NTSTATUS check_domain_security(const auth_usersupplied_info *user_info,
+ auth_serversupplied_info *server_info)
 {
- uint32 nt_status = NT_STATUS_LOGON_FAILURE;
+ NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
 char *p, *pserver;
 unsigned char trust_passwd[16];
 time_t last_change_time;
-- cgit
From dc1fc3ee8ec2199bc73bb5d7ec711c6800f61d65 Mon Sep 17 00:00:00 2001
From: Tim Potter
Date: Tue, 2 Oct 2001 04:29:50 +0000
Subject: Removed 'extern int DEBUGLEVEL' as it is now in the smb.h header. (This used to be commit 2d0922b0eabfdc0aaf1d0797482fef47ed7fde8e)
---
 source3/auth/auth_domain.c | 2 --
 1 file changed, 2 deletions(-)
(limited to 'source3/auth/auth_domain.c')
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index 111f0f143c..bcd41bacdb 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -22,8 +22,6 @@
 
 #include "includes.h"
 
-extern int DEBUGLEVEL;
-
 BOOL global_machine_password_needs_changing = False;
 
 /****************************************************************************
-- cgit
From 60f0627afb167faad57385d44f0b587186a7ac2b Mon Sep 17 00:00:00 2001
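Review bot: The initializer `NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;` is a dead store: the early returns in check_domain_security (the lp_security() check and the secrets-fetch failure, both outside this hunk) return the literal, and the only read of nt_status follows its assignment from domain_client_validate. Either drop the initializer or, preferably, keep it as the single default-deny value and have the early returns say `return nt_status;`, so a future edit cannot accidentally return an uninitialized or success status. The body of check_domain_security continues below the hunk.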
From: Andrew Bartlett Date: Wed, 31 Oct 2001 10:46:25 +0000 Subject: This is a fairly large patch (3300 lines) and reworks most of the AuthRewrite code. In particular this assists tpot in some of his work, because it provides the connection between the authentication and the vuid generation. Major Changes: - Fully malloc'ed structures. - Massive rework of the code so that all structures are made and destroyed using malloc and free, rather than hanging around on the stack. - SAM_ACCOUNT unix uids and gids are now pointers to the same, to allow them to be declared 'invalid' without the chance that people might get ROOT by default. - kill off some of the "DOMAIN\user" lookups. These can be readded at a more appropriate place (probably domain_client_validate.c) in the future. They don't belong in session setups. - Massive introduction of DATA_BLOB structures, particularly for passwords. - Use NTLMSSP flags to tell the backend what its getting, rather than magic lengths. - Fix winbind back up again, but tpot is redoing this soon anyway. - Abstract much of the work in srv_netlog_nt back into auth helper functions. This is a LARGE change, and any assistance in testing it is appreciated. Domain logons are still broken (as far as I can tell) but other functionality seems intact. Needs testing with a wide variety of MS clients. Andrew Bartlett (This used to be commit f70fb819b2f57bd57232b51808345e2319d52f6c) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index bcd41bacdb..f20da19607 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c
@@ -29,7 +29,7 @@ BOOL global_machine_password_needs_changing = False; ****************************************************************************/ NTSTATUS check_domain_security(const auth_usersupplied_info *user_info, - auth_serversupplied_info *server_info) + auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; char *p, *pserver; -- cgit From 2d07327a9595908370b901d52a85355fc668dcad Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 11 Nov 2001 11:11:56 +0000 Subject: This extra check isn't needed, we can only get here if secuirty=domain (This used to be commit 600d83e43f61eb138115731ce089ba42d63e0924) --- source3/auth/auth_domain.c | 3 --- 1 file changed, 3 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index f20da19607..4ada7d4a56 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -36,9 +36,6 @@ NTSTATUS check_domain_security(const auth_usersupplied_info *user_info, unsigned char trust_passwd[16]; time_t last_change_time; - if(lp_security() != SEC_DOMAIN) - return NT_STATUS_LOGON_FAILURE; - become_root(); /* -- cgit From d0a2faf78d316fec200497f5f7997df4c477a1e1 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Sat, 24 Nov 2001 12:12:38 +0000 Subject: This is another rather major change to the samba authenticaion subystem. The particular aim is to modularized the interface - so that we can have arbitrary password back-ends. This code adds one such back-end, a 'winbind' module to authenticate against the winbind_auth_crap functionality. While fully-functional this code is mainly useful as a demonstration, because we don't get back the info3 as we would for direct ntdomain authentication. This commit introduced the new 'auth methods' parameter, in the spirit of the 'auth order' discussed on the lists. It is renamed because not all the methods may be consulted, even if previous methods fail - they may not have a suitable challenge for example. Also, we have a 'local' authentication method, for old-style 'unix if plaintext, sam if encrypted' authentication and a 'guest' module to handle guest logins in a single place. While this current design is not ideal, I feel that it does provide a better infrastructure than the current design, and can be built upon. The following parameters have changed: - use rhosts = This has been replaced by the 'rhosts' authentication method, and can be specified like 'auth methods = guest rhosts' - hosts equiv = This needs both this parameter and an 'auth methods' entry to be effective. (auth methods = guest hostsequiv ....) - plaintext to smbpasswd = This is replaced by specifying 'sam' rather than 'local' in the auth methods. The security = parameter is unchanged, and now provides defaults for the 'auth methods' parameter. The available auth methods are: guest rhosts hostsequiv sam (passdb direct hash access) unix (PAM, crypt() etc) local (the combination of the above, based on encryption) smbserver (old security=server) ntdomain (old security=domain) winbind (use winbind to cache DC connections) Assistance in testing, or the production of new and interesting authentication modules is always appreciated. 
Andrew Bartlett (This used to be commit 8d31eae52a9757739711dbb82035a4dfe6b40c99) --- source3/auth/auth_domain.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 4ada7d4a56..ef0e5b2f10 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -28,8 +28,10 @@ BOOL global_machine_password_needs_changing = False; Check for a valid username and password in security=domain mode. ****************************************************************************/ -NTSTATUS check_domain_security(const auth_usersupplied_info *user_info, - auth_serversupplied_info **server_info) +static NTSTATUS check_ntdomain_security(void *my_private_data, + const auth_usersupplied_info *user_info, + const auth_authsupplied_info *auth_info, + auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; char *p, *pserver; @@ -66,8 +68,18 @@ NTSTATUS check_domain_security(const auth_usersupplied_info *user_info, if (! *pserver) pserver = "*"; p = pserver; - nt_status = domain_client_validate(user_info, server_info, + nt_status = domain_client_validate(user_info, (uchar *)auth_info->challange.data,server_info, p, trust_passwd, last_change_time); return nt_status; } + +BOOL auth_init_ntdomain(auth_methods **auth_method) +{ + if (!make_auth_methods(auth_method)) { + return False; + } + + (*auth_method)->auth = check_ntdomain_security; + return True; +} -- cgit From e75ad578d2578d756b7672fbf12d16f0823d472b Mon Sep 17 00:00:00 2001 
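Review bot: In the second hunk the challenge is handed to domain_client_validate as a bare `(uchar *)auth_info->challange.data` without checking `auth_info->challange.length`, while the callee's parameter is declared `uchar chal[8]`, so a blob shorter than eight bytes would be read past its end (inferred from the parameter shape; the callee is outside this hunk). A guard before the call, `if (auth_info->challange.length != 8) return NT_STATUS_INVALID_PARAMETER;`, would pin that contract at the module boundary. `my_private_data` is accepted by check_ntdomain_security and never used; a `/* unused: this module keeps no private state */` comment would make that deliberate. auth_init_ntdomain sets only the `auth` callback on the freshly made methods struct; whether the struct has other members that need initialising cannot be seen from here.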
From: Andrew Bartlett Date: Mon, 26 Nov 2001 01:37:01 +0000 Subject: This compleats the of the authenticaion subystem into the new 'auth' subdirectory. (The insertion of these files was done with some CVS backend magic, hence the lack of a commit message). This also moves libsmb/domain_client_validate.c back into auth_domain.c, becouse we no longer share it with winbind. Andrew Bartlett (This used to be commit 782835470cb68da2188a57007d6f55c17b094d08) --- source3/auth/auth_domain.c | 411 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 410 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index ef0e5b2f10..fa6093a592 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -1,6 +1,6 @@ /* Unix SMB/Netbios implementation. - Version 1.9. + Version 3.0. Authenticate against a remote domain Copyright (C) Andrew Tridgell 1992-1998 Copyright (C) Andrew Bartlett 2001 
@@ -24,6 +24,415 @@ BOOL global_machine_password_needs_changing = False; +extern struct in_addr ipzero; + +extern pstring global_myname; + +/*********************************************************************** + Connect to a remote machine for domain security authentication + given a name or IP address. + ***********************************************************************/ + +static BOOL connect_to_domain_password_server(struct cli_state *pcli, + char *server, unsigned char *trust_passwd) +{ + struct in_addr dest_ip; + fstring remote_machine; + NTSTATUS result; + + if(cli_initialise(pcli) == NULL) { + DEBUG(0,("connect_to_domain_password_server: unable to initialize client connection.\n")); + return False; + } + + if (is_ipaddress(server)) { + struct in_addr to_ip; + + /* we shouldn't have 255.255.255.255 forthe IP address of + a password server anyways */ + if ((to_ip.s_addr=inet_addr(server)) == 0xFFFFFFFF) { + DEBUG (0,("connect_to_domain_password_server: inet_addr(%s) returned 0xFFFFFFFF!\n", server)); + return False; + } + + if (!name_status_find("*", 0x20, 0x20, to_ip, remote_machine)) { + DEBUG(0, ("connect_to_domain_password_server: Can't " + "resolve name for IP %s\n", server)); + return False; + } + } else { + fstrcpy(remote_machine, server); + } + + standard_sub_basic(remote_machine); + strupper(remote_machine); + + if(!resolve_name( remote_machine, &dest_ip, 0x20)) { + DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", remote_machine)); + cli_shutdown(pcli); + return False; + } + + if (ismyip(dest_ip)) { + DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n", + remote_machine)); + cli_shutdown(pcli); + return False; + } + + if (!cli_connect(pcli, remote_machine, &dest_ip)) { + DEBUG(0,("connect_to_domain_password_server: unable to connect to SMB server on \ +machine %s. 
Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + cli_shutdown(pcli); + return False; + } + + if (!attempt_netbios_session_request(pcli, global_myname, remote_machine, &dest_ip)) { + DEBUG(0,("connect_to_password_server: machine %s rejected the NetBIOS \ +session request. Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + return False; + } + + pcli->protocol = PROTOCOL_NT1; + + if (!cli_negprot(pcli)) { + DEBUG(0,("connect_to_domain_password_server: machine %s rejected the negotiate protocol. \ +Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + cli_shutdown(pcli); + return False; + } + + if (pcli->protocol != PROTOCOL_NT1) { + DEBUG(0,("connect_to_domain_password_server: machine %s didn't negotiate NT protocol.\n", + remote_machine)); + cli_shutdown(pcli); + return False; + } + + /* + * Do an anonymous session setup. + */ + + if (!cli_session_setup(pcli, "", "", 0, "", 0, "")) { + DEBUG(0,("connect_to_domain_password_server: machine %s rejected the session setup. \ +Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + cli_shutdown(pcli); + return False; + } + + if (!(pcli->sec_mode & 1)) { + DEBUG(1,("connect_to_domain_password_server: machine %s isn't in user level security mode\n", + remote_machine)); + cli_shutdown(pcli); + return False; + } + + if (!cli_send_tconX(pcli, "IPC$", "IPC", "", 1)) { + DEBUG(0,("connect_to_domain_password_server: machine %s rejected the tconX on the IPC$ share. \ +Error was : %s.\n", remote_machine, cli_errstr(pcli) )); + cli_shutdown(pcli); + return False; + } + + /* + * We now have an anonymous connection to IPC$ on the domain password server. + */ + + /* + * Even if the connect succeeds we need to setup the netlogon + * pipe here. We do this as we may just have changed the domain + * account password on the PDC and yet we may be talking to + * a BDC that doesn't have this replicated yet. In this case + * a successful connect to a DC needs to take the netlogon connect + * into account also. 
This patch from "Bjart Kvarme" . + */ + + if(cli_nt_session_open(pcli, PIPE_NETLOGON) == False) { + DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ +machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli))); + cli_nt_session_close(pcli); + cli_ulogoff(pcli); + cli_shutdown(pcli); + return False; + } + + result = cli_nt_setup_creds(pcli, trust_passwd); + + if (!NT_STATUS_IS_OK(result)) { + DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ +%s. Error was : %s.\n", remote_machine, get_nt_error_msg(result))); + cli_nt_session_close(pcli); + cli_ulogoff(pcli); + cli_shutdown(pcli); + return(False); + } + + return True; +} + +/*********************************************************************** + Utility function to attempt a connection to an IP address of a DC. +************************************************************************/ + +static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, + unsigned char *trust_passwd) +{ + fstring dc_name; + + /* + * Ignore addresses we have already tried. + */ + + if (ip_equal(ipzero, *ip)) + return False; + + if (!lookup_pdc_name(global_myname, lp_workgroup(), ip, dc_name)) + return False; + + return connect_to_domain_password_server(pcli, dc_name, trust_passwd); +} + +/*********************************************************************** + We have been asked to dynamcially determine the IP addresses of + the PDC and BDC's for this DOMAIN, and query them in turn. 
+************************************************************************/ +static BOOL find_connect_pdc(struct cli_state *pcli, + unsigned char *trust_passwd, + time_t last_change_time) +{ + struct in_addr *ip_list = NULL; + int count = 0; + int i; + BOOL connected_ok = False; + time_t time_now = time(NULL); + BOOL use_pdc_only = False; + + /* + * If the time the machine password has changed + * was less than an hour ago then we need to contact + * the PDC only, as we cannot be sure domain replication + * has yet taken place. Bug found by Gerald (way to go + * Gerald !). JRA. + */ + + if (time_now - last_change_time < 3600) + use_pdc_only = True; + + if (!get_dc_list(use_pdc_only, lp_workgroup(), &ip_list, &count)) + return False; + + /* + * Firstly try and contact a PDC/BDC who has the same + * network address as any of our interfaces. + */ + for(i = 0; i < count; i++) { + if(!is_local_net(ip_list[i])) + continue; + + if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + break; + + ip_list[i] = ipzero; /* Tried and failed. */ + } + + /* + * Secondly try and contact a random PDC/BDC. + */ + if(!connected_ok) { + i = (sys_random() % count); + + if (!(connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + ip_list[i] = ipzero; /* Tried and failed. */ + } + + /* + * Finally go through the IP list in turn, ignoring any addresses + * we have already tried. + */ + if(!connected_ok) { + /* + * Try and connect to any of the other IP addresses in the PDC/BDC list. + * Note that from a WINS server the #1 IP address is the PDC. + */ + for(i = 0; i < count; i++) { + if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + break; + } + } + + SAFE_FREE(ip_list); + + + return connected_ok; +} + +/*********************************************************************** + Do the same as security=server, but using NT Domain calls and a session + key from the machine password. 
If the server parameter is specified + use it, otherwise figure out a server from the 'password server' param. +************************************************************************/ + +static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, + uchar chal[8], + auth_serversupplied_info **server_info, + char *server, unsigned char *trust_passwd, + time_t last_change_time) +{ + fstring remote_machine; + NET_ID_INFO_CTR ctr; + NET_USER_INFO_3 info3; + struct cli_state cli; + uint32 smb_uid_low; + BOOL connected_ok = False; + NTSTATUS status; + struct passwd *pass; + + /* + * Check that the requested domain is not our own machine name. + * If it is, we should never check the PDC here, we use our own local + * password file. + */ + + if(strequal(user_info->domain.str, global_myname)) { + DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n")); + return NT_STATUS_LOGON_FAILURE; + } + + /* + * At this point, smb_apasswd points to the lanman response to + * the challenge in local_challenge, and smb_ntpasswd points to + * the NT response to the challenge in local_challenge. Ship + * these over the secure channel to a domain controller and + * see if they were valid. + */ + + ZERO_STRUCT(cli); + + while (!connected_ok && + next_token(&server,remote_machine,LIST_SEP,sizeof(remote_machine))) { + if(strequal(remote_machine, "*")) { + connected_ok = find_connect_pdc(&cli, trust_passwd, last_change_time); + } else { + connected_ok = connect_to_domain_password_server(&cli, remote_machine, trust_passwd); + } + } + + if (!connected_ok) { + DEBUG(0,("domain_client_validate: Domain password server not available.\n")); + cli_shutdown(&cli); + return NT_STATUS_LOGON_FAILURE; + } + + /* We really don't care what LUID we give the user. */ + generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False); + + ZERO_STRUCT(info3); + + /* + * If this call succeeds, we now have lots of info about the user + * in the info3 structure. 
+ */ + + status = cli_nt_login_network(&cli, user_info, chal, smb_uid_low, + &ctr, &info3); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0,("domain_client_validate: unable to validate password " + "for user %s in domain %s to Domain controller %s. " + "Error was %s.\n", user_info->smb_name.str, + user_info->domain.str, cli.srv_name_slash, + get_nt_error_msg(status))); + } else { + char *dom_user; + + /* Check DOMAIN\username first to catch winbind users, then + just the username for local users. */ + + asprintf(&dom_user, "%s%s%s", user_info->domain.str, + lp_winbind_separator(), + user_info->internal_username.str); + + if (!(pass = Get_Pwnam(dom_user))) + pass = Get_Pwnam(user_info->internal_username.str); + + free(dom_user); + + if (pass) { + make_server_info_pw(server_info, pass); + if (!server_info) { + status = NT_STATUS_NO_MEMORY; + } + } else { + status = NT_STATUS_NO_SUCH_USER; + } + } + + /* Store the user group information in the server_info returned to the caller. */ + + if (NT_STATUS_IS_OK(status) && (info3.num_groups2 != 0)) { + DOM_SID domain_sid; + int i; + NT_USER_TOKEN *ptok; + auth_serversupplied_info *pserver_info = *server_info; + + if ((pserver_info->ptok = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) { + DEBUG(0, ("domain_client_validate: out of memory allocating rid group membership\n")); + status = NT_STATUS_NO_MEMORY; + free_server_info(server_info); + goto done; + } + + ptok = pserver_info->ptok; + ptok->num_sids = (size_t)info3.num_groups2; + + if ((ptok->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptok->num_sids )) == NULL) { + DEBUG(0, ("domain_client_validate: Out of memory allocating group SIDS\n")); + status = NT_STATUS_NO_MEMORY; + free_server_info(server_info); + goto done; + } + + if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) { + DEBUG(0, ("domain_client_validate: unable to fetch domain sid.\n")); + status = NT_STATUS_NO_MEMORY; + free_server_info(server_info); + goto done; + } + + for (i = 0; i < ptok->num_sids; 
i++) { + sid_copy(&ptok->user_sids[i], &domain_sid); + sid_append_rid(&ptok->user_sids[i], info3.gids[i].g_rid); + } + } + +#if 0 + /* + * We don't actually need to do this - plus it fails currently with + * NT_STATUS_INVALID_INFO_CLASS - we need to know *exactly* what to + * send here. JRA. + */ + + if (NT_STATUS_IS_OK(status)) { + if(cli_nt_logoff(&cli, &ctr) == False) { + DEBUG(0,("domain_client_validate: unable to log off user %s in domain \ +%s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli))); + status = NT_STATUS_LOGON_FAILURE; + } + } +#endif /* 0 */ + + done: + + /* Note - once the cli stream is shutdown the mem_ctx used + to allocate the other_sids and gids structures has been deleted - so + these pointers are no longer valid..... */ + + cli_nt_session_close(&cli); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return status; +} + /**************************************************************************** Check for a valid username and password in security=domain mode. ****************************************************************************/ -- cgit From 585d0efbc6428e5876d354fee49c241c1bad809d Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 26 Nov 2001 03:11:44 +0000 Subject: Got medieval on another pointless extern. Removed extern struct ipzero and replaced with two functions: void zero_ip(struct in_adder *ip); BOOL is_zero_ip(struct in_addr ip); (This used to be commit 778f5f77a66cda76348a7c6f64cd63afe2bfe077) --- source3/auth/auth_domain.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index fa6093a592..f3c2fa97e4 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c 
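Review bot: In domain_client_validate the check after `make_server_info_pw(server_info, pass)` tests `server_info`, the caller's pointer-to-pointer, which cannot be NULL at that point, so the NT_STATUS_NO_MEMORY branch is dead and an allocation failure would fall through to the group-SID block that dereferences `*server_info`; it should read `if (!*server_info) {` (assuming make_server_info_pw leaves `*server_info` NULL on failure, which is what the check implies). In connect_to_domain_password_server the `attempt_netbios_session_request` failure path returns without the `cli_shutdown(pcli);` that every sibling failure path performs, leaking the connection. The `asprintf(&dom_user, ...)` return value is also unchecked, so on failure `dom_user` is indeterminate when it reaches Get_Pwnam and free. In find_connect_pdc, `sys_random() % count` divides by zero if get_dc_list can succeed with `count == 0`; that contract is not visible here, so a `if (count == 0) return False;` guard after the call would be cheap insurance.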
@@ -24,8 +24,6 @@ BOOL global_machine_password_needs_changing = False; -extern struct in_addr ipzero; - extern pstring global_myname; /*********************************************************************** @@ -183,7 +181,7 @@ static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, * Ignore addresses we have already tried. */ - if (ip_equal(ipzero, *ip)) + if (is_zero_ip(*ip)) return False; if (!lookup_pdc_name(global_myname, lp_workgroup(), ip, dc_name)) @@ -232,7 +230,7 @@ static BOOL find_connect_pdc(struct cli_state *pcli, if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) break; - ip_list[i] = ipzero; /* Tried and failed. */ + zero_ip(&ip_list[i]); /* Tried and failed. */ } /* @@ -242,7 +240,7 @@ static BOOL find_connect_pdc(struct cli_state *pcli, i = (sys_random() % count); if (!(connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) - ip_list[i] = ipzero; /* Tried and failed. */ + zero_ip(&ip_list[i]); /* Tried and failed. */ } /* -- cgit From 178f6a64b26d828db6b516392d7072e9c29f6233 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 26 Nov 2001 04:05:28 +0000 Subject: challange -> challenge (This used to be commit d6318add27f6bca5be00cbedf2226b642341297a) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index f3c2fa97e4..c605356af8 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -475,7 +475,7 @@ static NTSTATUS check_ntdomain_security(void *my_private_data, if (! *pserver) pserver = "*"; p = pserver; - nt_status = domain_client_validate(user_info, (uchar *)auth_info->challange.data,server_info, + nt_status = domain_client_validate(user_info, (uchar *)auth_info->challenge.data,server_info, p, trust_passwd, last_change_time); return nt_status; -- cgit From 4499007e45637f172c4afb0ec2e048cf795a3cbe Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Mon, 26 Nov 2001 06:47:04 +0000 Subject: A number of things to clean up the auth subsytem a bit... We now default encrypt passwords = yes We now check plaintext passwords (however aquired) with the 'sam' backend rather than unix, if encrypt passwords = yes. (this kills off the 'local' backed. The sam backend may be renamed in its place) The new 'samstrict' wrapper backend checks that the user's domain is one of our netbios aliases - this ensures that we don't get fallback crazies with security = domain. Similarly, the code in the 'ntdomain' and 'smbserver' backends now checks that the user was not local before contacting the DC. The default ordering has changed, we now check the local stuff first - but becouse of the changes above, we will really only ever contact one auth source. Andrew Bartlett (This used to be commit e89b47f65e7eaf5eb288a3d6ba2d3d115c628e7e) --- source3/auth/auth_domain.c | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index c605356af8..a41e43bd82 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -285,17 +285,6 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, NTSTATUS status; struct passwd *pass; - /* - * Check that the requested domain is not our own machine name. - * If it is, we should never check the PDC here, we use our own local - * password file. - */ - - if(strequal(user_info->domain.str, global_myname)) { - DEBUG(3,("domain_client_validate: Requested domain was for this machine.\n")); - return NT_STATUS_LOGON_FAILURE; - } - /* * At this point, smb_apasswd points to the lanman response to * the challenge in local_challenge, and smb_ntpasswd points to 
@@ -445,6 +434,22 @@ static NTSTATUS check_ntdomain_security(void *my_private_data, unsigned char trust_passwd[16]; time_t last_change_time; + if (!user_info || !server_info || !auth_info) { + DEBUG(1,("check_ntdomain_security: Critical variables not present. Failing.\n")); + return NT_STATUS_LOGON_FAILURE; + } + + /* + * Check that the requested domain is not our own machine name. + * If it is, we should never check the PDC here, we use our own local + * password file. + */ + + if(is_netbios_alias_or_name(user_info->domain.str)) { + DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n")); + return NT_STATUS_LOGON_FAILURE; + } + become_root(); /* -- cgit From 097d46653632855edd429fb8cd44d80f3e30c86c Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 27 Nov 2001 03:25:31 +0000 Subject: fix sense of lp_allow_trusted_domains() fix a memory leak (This used to be commit 1421f2fbcb296a894cb4e7548e0275e35e055b98) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index a41e43bd82..a779a7e9c0 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -38,7 +38,7 @@ static BOOL connect_to_domain_password_server(struct cli_state *pcli, fstring remote_machine; NTSTATUS result; - if(cli_initialise(pcli) == NULL) { + if (cli_initialise(pcli) == NULL) { DEBUG(0,("connect_to_domain_password_server: unable to initialize client connection.\n")); return False; } -- cgit From ff27a326f17223cba12b7e0b41ec84aad8238385 Mon Sep 17 00:00:00 2001 
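Review bot: The comment above the new `is_netbios_alias_or_name(user_info->domain.str)` check still says the check is against "our own machine name", but the function rejects every netbios alias as well; suggest `/* Never contact a DC for our own name or any of our netbios aliases: those users live in the local password database, not the domain. */`. Returning NT_STATUS_LOGON_FAILURE for the missing-argument case in the first added block reads like a caller bug rather than an authentication result, so a DEBUG line naming which argument was NULL would help triage, though the status the auth framework expects for that case is not visible here. Both checks correctly run before `become_root()`. check_ntdomain_security's body continues outside the hunk.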
From: Tim Potter Date: Thu, 29 Nov 2001 05:50:32 +0000 Subject: I think the lookup_pdc_name() should be called lookup_dc_name() and the name_status_find() call here should look up a #1c name instead of #1d. This fixes some bugs currently with BDC authentication in winbindd and in smbd as you can't query the #1d name with the ip address of a BDC. Who is Uncle Tom Cobbley anyway? (This used to be commit 4215048f7b20a8f9e5877bdbb2f54841b2f7fa64) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index a779a7e9c0..125b3aa029 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -184,7 +184,7 @@ static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, if (is_zero_ip(*ip)) return False; - if (!lookup_pdc_name(global_myname, lp_workgroup(), ip, dc_name)) + if (!lookup_dc_name(global_myname, lp_workgroup(), ip, dc_name)) return False; return connect_to_domain_password_server(pcli, dc_name, trust_passwd); -- cgit From e0066d2dd4d9a657d1fbcb474e66a304a64e2a31 Mon Sep 17 00:00:00 2001 From: Jean-François Micouleau Date: Thu, 6 Dec 2001 13:09:15 +0000 Subject: again an intrusive patch: - removed the ugly as hell sam_logon_in_ssb variable, I changed a bit the definition of standard_sub_basic() to cope with that. - removed the smb.conf: 'domain admin group' and 'domain guest group' parameters ! We're not playing anymore with the user's group RIDs ! - in get_domain_user_groups(), if the user's gid is a group, put it first in the group RID list. I just have to write an HOWTO now ;-) J.F. (This used to be commit fef52c4b96c987115fb1818c00c2352c67790e50) --- source3/auth/auth_domain.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 125b3aa029..6b048e5021 100644 
--- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -25,6 +25,7 @@ BOOL global_machine_password_needs_changing = False; extern pstring global_myname; +extern userdom_struct current_user_info; /*********************************************************************** Connect to a remote machine for domain security authentication @@ -62,7 +63,7 @@ static BOOL connect_to_domain_password_server(struct cli_state *pcli, fstrcpy(remote_machine, server); } - standard_sub_basic(remote_machine); + standard_sub_basic(current_user_info.smb_name, remote_machine); strupper(remote_machine); if(!resolve_name( remote_machine, &dest_ip, 0x20)) { -- cgit From d6b2d2867343cab82937aec791708baba37aef1f Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Fri, 14 Dec 2001 21:37:56 +0000 Subject: If domain SID can't be fetched, we shouldn't return NT_STATUS_NO_MEMORY. It causes a confusing client error. Changed to NT_STATUS_CANT_ACCESS_DOMAIN_INFO. (This used to be commit 07ea83e6f0f03ba4706c98abb58346a4f4ec983c) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 6b048e5021..a5e90aff39 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -382,7 +382,7 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) { DEBUG(0, ("domain_client_validate: unable to fetch domain sid.\n")); - status = NT_STATUS_NO_MEMORY; + status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO; free_server_info(server_info); goto done; } -- cgit From 4a6d1318bd9123f5a9c1d72721a9175320356fbe Mon Sep 17 00:00:00 2001 
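Review bot: The password-server name is now expanded with `standard_sub_basic(current_user_info.smb_name, remote_machine)`, i.e. with a process-global user name rather than the user being authenticated, because user_info is not available in connect_to_domain_password_server. If `current_user_info` can be stale (left over from an earlier session on the same process) when a new session setup arrives, the substituted name, and so the host that is handed the machine trust credentials, would be chosen from the wrong user's context; that lifetime is not visible here, so it deserves a comment at the new extern: `/* used only for %-substitution of the 'password server' name; must reflect the session being set up */`. Threading the name down from the caller as a parameter would remove the dependency on the global entirely. connect_to_domain_password_server's body continues outside the hunk.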
From: Andrew Bartlett Date: Tue, 1 Jan 2002 03:10:32 +0000 Subject: A farily large commit: - Move rpc_client/cli_trust.c to smbd/change_trust_pw.c - It hasn't been used by anything else since smbpasswd lost its -j - Add a TALLOC_CTX to the auth subsytem. These are only valid for the length of the calls to the individual modules, if you want a longer context hide it in your private data. Similarly, all returns (like the server_info) should still be malloced. - Move the 'ntdomain' module (security=domain in oldspeak) over to use the new libsmb domain logon code. Also rework much of the code to use some better helper functions for the connection - getting us much better error returns (the new code is NTSTATUS). The only remaining thing to do is to figure out if tpot's 0xdead 0xbeef for the LUID feilds is sufficient, or if we should do random LUIDs as per the old code. Similarly, I'll move winbind over to this when I get a chance. This leaves the SPOOLSS code and some cli_pipe code as the only stuff still in rpc_client, at least as far as smbd is concerned. While I've given this a basic rundown, any testing is as always appriciated. Andrew Bartlett (This used to be commit d870edce76ecca259230fbdbdacd0c86793b4837) --- source3/auth/auth_domain.c | 246 ++++++++++++++++++--------------------------- 1 file changed, 99 insertions(+), 147 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index a5e90aff39..6e3eb643d8 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c 
@@ -27,23 +27,24 @@ BOOL global_machine_password_needs_changing = False; extern pstring global_myname; extern userdom_struct current_user_info; -/*********************************************************************** - Connect to a remote machine for domain security authentication - given a name or IP address. - ***********************************************************************/ - -static BOOL connect_to_domain_password_server(struct cli_state *pcli, - char *server, unsigned char *trust_passwd) +/** + * Connect to a remote server for domain security authenticaion. + * + * @param cli the cli to return containing the active connection + * @param server either a machine name or text IP address to + * connect to. + * @param trust_password the trust password to establish the + * credentials with. + * + **/ + +static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, + char *server, unsigned char *trust_passwd) { struct in_addr dest_ip; fstring remote_machine; NTSTATUS result; - if (cli_initialise(pcli) == NULL) { - DEBUG(0,("connect_to_domain_password_server: unable to initialize client connection.\n")); - return False; - } - if (is_ipaddress(server)) { struct in_addr to_ip; @@ -51,13 +52,13 @@ static BOOL connect_to_domain_password_server(struct cli_state *pcli, a password server anyways */ if ((to_ip.s_addr=inet_addr(server)) == 0xFFFFFFFF) { DEBUG (0,("connect_to_domain_password_server: inet_addr(%s) returned 0xFFFFFFFF!\n", server)); - return False; + return NT_STATUS_UNSUCCESSFUL; } if (!name_status_find("*", 0x20, 0x20, to_ip, remote_machine)) { DEBUG(0, ("connect_to_domain_password_server: Can't " "resolve name for IP %s\n", server)); - return False; + return NT_STATUS_UNSUCCESSFUL; } } else { fstrcpy(remote_machine, server); 
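Review bot: The new Doxygen block documents `@param trust_password` but the parameter is named `trust_passwd`, and it gives no `@return` even though the function now returns NTSTATUS instead of BOOL; suggest `@param trust_passwd the trust password to establish the credentials with.` and `@return NT_STATUS_OK with *cli pointing at the connected client, otherwise an NTSTATUS error.` The `cli_initialise(pcli)` call is removed, so ownership of `*cli` now depends on the connection helper allocating it (that code starts in a later hunk); the `@param cli` line should state that the pointer is set only on success and who shuts it down. The second hunk maps both address-parsing failures to NT_STATUS_UNSUCCESSFUL, which leaves callers unable to tell "bad name" from "DC unreachable"; a more specific status, if the tree has one, would be worth using. The function's body runs past these hunks.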
@@ -68,69 +69,20 @@ static BOOL connect_to_domain_password_server(struct cli_state *pcli, if(!resolve_name( remote_machine, &dest_ip, 0x20)) { DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", remote_machine)); - cli_shutdown(pcli); - return False; + return NT_STATUS_UNSUCCESSFUL; } if (ismyip(dest_ip)) { DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n", remote_machine)); - cli_shutdown(pcli); - return False; - } - - if (!cli_connect(pcli, remote_machine, &dest_ip)) { - DEBUG(0,("connect_to_domain_password_server: unable to connect to SMB server on \ -machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; - } - - if (!attempt_netbios_session_request(pcli, global_myname, remote_machine, &dest_ip)) { - DEBUG(0,("connect_to_password_server: machine %s rejected the NetBIOS \ -session request. Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - return False; + return NT_STATUS_UNSUCCESSFUL; } - pcli->protocol = PROTOCOL_NT1; - - if (!cli_negprot(pcli)) { - DEBUG(0,("connect_to_domain_password_server: machine %s rejected the negotiate protocol. \ -Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; - } - - if (pcli->protocol != PROTOCOL_NT1) { - DEBUG(0,("connect_to_domain_password_server: machine %s didn't negotiate NT protocol.\n", - remote_machine)); - cli_shutdown(pcli); - return False; - } - - /* - * Do an anonymous session setup. - */ - - if (!cli_session_setup(pcli, "", "", 0, "", 0, "")) { - DEBUG(0,("connect_to_domain_password_server: machine %s rejected the session setup. 
\ -Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; - } - - if (!(pcli->sec_mode & 1)) { - DEBUG(1,("connect_to_domain_password_server: machine %s isn't in user level security mode\n", - remote_machine)); - cli_shutdown(pcli); - return False; - } - - if (!cli_send_tconX(pcli, "IPC$", "IPC", "", 1)) { - DEBUG(0,("connect_to_domain_password_server: machine %s rejected the tconX on the IPC$ share. \ -Error was : %s.\n", remote_machine, cli_errstr(pcli) )); - cli_shutdown(pcli); - return False; + result = cli_full_connection(cli, global_myname, server, + &dest_ip, 0, "IPC$", "IPC", "", "", "", 0); + + if (!NT_STATUS_IS_OK(result)) { + return result; } /* 
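Review bot: The rewrite drops the explicit post-negotiate checks the old code made — that the server negotiated PROTOCOL_NT1 and that `sec_mode & 1` (user-level security) is set — and nothing in the hunk shows `cli_full_connection()` enforcing them; a DC answering with share-level security used to be rejected before any credentials were set up. If `cli_full_connection()` does not check this, `if (!((*cli)->sec_mode & 1)) { cli_shutdown(*cli); return NT_STATUS_UNSUCCESSFUL; }` after the call restores the old behaviour. Separately, the call passes `server` (the raw configured string, possibly an IP literal) while the old path and the log messages use the resolved `remote_machine`; if the name is what goes into the NetBIOS session request, `remote_machine` is the one to pass. The function continues into the next hunk.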
@@ -146,34 +98,34 @@ Error was : %s.\n", remote_machine, cli_errstr(pcli) )); * into account also. This patch from "Bjart Kvarme" . */ - if(cli_nt_session_open(pcli, PIPE_NETLOGON) == False) { + if(cli_nt_session_open(*cli, PIPE_NETLOGON) == False) { DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ -machine %s. Error was : %s.\n", remote_machine, cli_errstr(pcli))); - cli_nt_session_close(pcli); - cli_ulogoff(pcli); - cli_shutdown(pcli); - return False; +machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); + cli_nt_session_close(*cli); + cli_ulogoff(*cli); + cli_shutdown(*cli); + return NT_STATUS_UNSUCCESSFUL; } - result = cli_nt_setup_creds(pcli, trust_passwd); + result = new_cli_nt_setup_creds(*cli, trust_passwd); if (!NT_STATUS_IS_OK(result)) { DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ %s. Error was : %s.\n", remote_machine, get_nt_error_msg(result))); - cli_nt_session_close(pcli); - cli_ulogoff(pcli); - cli_shutdown(pcli); - return(False); + cli_nt_session_close(*cli); + cli_ulogoff(*cli); + cli_shutdown(*cli); + return result; } - return True; + return NT_STATUS_OK; } /*********************************************************************** Utility function to attempt a connection to an IP address of a DC. ************************************************************************/ -static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, +static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, struct in_addr *ip, unsigned char *trust_passwd) { fstring dc_name; 
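Review bot: Each failure path in this hunk calls `cli_shutdown(*cli)` but leaves `*cli` pointing at the freed client, so the caller cannot tell a shut-down connection from a live one; the caller in domain_client_validate (hunk at @@ -294) does call `cli_shutdown(cli)` on its failure path. Adding `*cli = NULL;` after each `cli_shutdown(*cli);` here makes the contract "NULL on failure" explicit and cheap to check. Note too that the first failure path calls `cli_nt_session_close(*cli)` on a pipe that `cli_nt_session_open()` just failed to open; that predates this change but is worth a look while the block is being touched.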
@@ -183,26 +135,26 @@ static BOOL attempt_connect_to_dc(struct cli_state *pcli, struct in_addr *ip, */ if (is_zero_ip(*ip)) - return False; + return NT_STATUS_UNSUCCESSFUL; if (!lookup_dc_name(global_myname, lp_workgroup(), ip, dc_name)) - return False; + return NT_STATUS_UNSUCCESSFUL; - return connect_to_domain_password_server(pcli, dc_name, trust_passwd); + return connect_to_domain_password_server(cli, dc_name, trust_passwd); } /*********************************************************************** We have been asked to dynamcially determine the IP addresses of the PDC and BDC's for this DOMAIN, and query them in turn. ************************************************************************/ -static BOOL find_connect_pdc(struct cli_state *pcli, - unsigned char *trust_passwd, - time_t last_change_time) +static NTSTATUS find_connect_pdc(struct cli_state **cli, + unsigned char *trust_passwd, + time_t last_change_time) { struct in_addr *ip_list = NULL; int count = 0; int i; - BOOL connected_ok = False; + NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; time_t time_now = time(NULL); BOOL use_pdc_only = False; @@ -218,7 +170,7 @@ static BOOL find_connect_pdc(struct cli_state *pcli, use_pdc_only = True; if (!get_dc_list(use_pdc_only, lp_workgroup(), &ip_list, &count)) - return False; + return NT_STATUS_UNSUCCESSFUL; /* * Firstly try and contact a PDC/BDC who has the same @@ -228,7 +180,7 @@ static BOOL find_connect_pdc(struct cli_state *pcli, if(!is_local_net(ip_list[i])) continue; - if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + if(NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, &ip_list[i], trust_passwd))) break; zero_ip(&ip_list[i]); /* Tried and failed. */ 
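Review bot: `if(NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, &ip_list[i], trust_passwd)))` nests an assignment with a network call inside a macro argument; if `NT_STATUS_IS_OK()` ever evaluates its argument twice the DC would be contacted twice per iteration, and the line is hard to read either way. The same shape appears in the hunks at @@ -237 and @@ -248 and again in the later commit's hunks at @@ -180, @@ -192 and @@ -206. Splitting it as `nt_status = attempt_connect_to_dc(cli, &ip_list[i], trust_passwd);` followed by `if (NT_STATUS_IS_OK(nt_status)) break;` removes the question. find_connect_pdc continues in the next hunks.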
@@ -237,10 +189,10 @@ static BOOL find_connect_pdc(struct cli_state *pcli, /* * Secondly try and contact a random PDC/BDC. */ - if(!connected_ok) { + if(!NT_STATUS_IS_OK(nt_status)) { i = (sys_random() % count); - if (!(connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + if (!NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, &ip_list[i], trust_passwd))) zero_ip(&ip_list[i]); /* Tried and failed. */ } @@ -248,21 +200,20 @@ static BOOL find_connect_pdc(struct cli_state *pcli, * Finally go through the IP list in turn, ignoring any addresses * we have already tried. */ - if(!connected_ok) { + if(!NT_STATUS_IS_OK(nt_status)) { /* * Try and connect to any of the other IP addresses in the PDC/BDC list. * Note that from a WINS server the #1 IP address is the PDC. */ for(i = 0; i < count; i++) { - if((connected_ok = attempt_connect_to_dc(pcli, &ip_list[i], trust_passwd))) + if (NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, &ip_list[i], trust_passwd))) break; } } SAFE_FREE(ip_list); - - return connected_ok; + return nt_status; } /*********************************************************************** @@ -271,19 +222,17 @@ static BOOL find_connect_pdc(struct cli_state *pcli, use it, otherwise figure out a server from the 'password server' param. ************************************************************************/ -static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, +static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, + const auth_usersupplied_info *user_info, uchar chal[8], auth_serversupplied_info **server_info, char *server, unsigned char *trust_passwd, time_t last_change_time) { fstring remote_machine; - NET_ID_INFO_CTR ctr; NET_USER_INFO_3 info3; - struct cli_state cli; - uint32 smb_uid_low; - BOOL connected_ok = False; - NTSTATUS status; + struct cli_state *cli; + NTSTATUS nt_status; struct passwd *pass; /* 
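Review bot: `i = (sys_random() % count);` in the second fallback is reached whenever no local-net DC answered, and nothing visible guarantees `count > 0` once `get_dc_list()` has returned True — if it can succeed with an empty list this is a division by zero followed by an out-of-bounds index. Guarding the fallback with `if(!NT_STATUS_IS_OK(nt_status) && count > 0) {` keeps the `SAFE_FREE(ip_list)` cleanup on the common path. Whether `get_dc_list()` can return an empty list is not visible here, so treat this as something to confirm.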
@@ -294,26 +243,21 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, * see if they were valid. */ - ZERO_STRUCT(cli); - - while (!connected_ok && + while (!NT_STATUS_IS_OK(nt_status) && next_token(&server,remote_machine,LIST_SEP,sizeof(remote_machine))) { if(strequal(remote_machine, "*")) { - connected_ok = find_connect_pdc(&cli, trust_passwd, last_change_time); + nt_status = find_connect_pdc(&cli, trust_passwd, last_change_time); } else { - connected_ok = connect_to_domain_password_server(&cli, remote_machine, trust_passwd); + nt_status = connect_to_domain_password_server(&cli, remote_machine, trust_passwd); } } - if (!connected_ok) { + if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0,("domain_client_validate: Domain password server not available.\n")); - cli_shutdown(&cli); - return NT_STATUS_LOGON_FAILURE; + cli_shutdown(cli); + return nt_status; } - /* We really don't care what LUID we give the user. */ - generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False); - ZERO_STRUCT(info3); /* 
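Review bot: `while (!NT_STATUS_IS_OK(nt_status) && ...)` reads `nt_status` before anything has assigned it — the @@ -271 hunk declares it as plain `NTSTATUS nt_status;` — so whenever the stack garbage happens to compare as OK the loop is skipped and the code proceeds to the netlogon call with an unset `cli`. Initialising both locals, `NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;` and `struct cli_state *cli = NULL;`, fixes the read. The `cli_shutdown(cli);` on the not-available path is also suspect: every failure return inside connect_to_domain_password_server already shuts the client down, and when no server was reached at all `cli` was never set, so the call is either a second shutdown or a use of an uninitialised pointer and should be dropped. domain_client_validate continues in the following hunks.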
@@ -321,43 +265,50 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, * in the info3 structure. */ - status = cli_nt_login_network(&cli, user_info, chal, smb_uid_low, - &ctr, &info3); + nt_status = cli_netlogon_sam_network_logon(cli, mem_ctx, + user_info->internal_username.str, user_info->domain.str, + user_info->wksta_name.str, chal, + user_info->lm_resp, user_info->nt_resp, + &info3); - if (!NT_STATUS_IS_OK(status)) { + if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0,("domain_client_validate: unable to validate password " "for user %s in domain %s to Domain controller %s. " "Error was %s.\n", user_info->smb_name.str, - user_info->domain.str, cli.srv_name_slash, - get_nt_error_msg(status))); + user_info->domain.str, cli->srv_name_slash, + get_nt_error_msg(nt_status))); } else { char *dom_user; /* Check DOMAIN\username first to catch winbind users, then just the username for local users. */ - asprintf(&dom_user, "%s%s%s", user_info->domain.str, - lp_winbind_separator(), - user_info->internal_username.str); - - if (!(pass = Get_Pwnam(dom_user))) - pass = Get_Pwnam(user_info->internal_username.str); - - free(dom_user); - - if (pass) { - make_server_info_pw(server_info, pass); - if (!server_info) { - status = NT_STATUS_NO_MEMORY; + dom_user = talloc_asprintf(mem_ctx, "%s%s%s", user_info->domain.str, + lp_winbind_separator(), + user_info->internal_username.str); + + if (!dom_user) { + DEBUG(0, ("talloc_asprintf failed!\n")); + nt_status = NT_STATUS_NO_MEMORY; + } else { + + if (!(pass = Get_Pwnam(dom_user))) + pass = Get_Pwnam(user_info->internal_username.str); + + if (pass) { + make_server_info_pw(server_info, pass); + if (!server_info) { + nt_status = NT_STATUS_NO_MEMORY; + } + } else { + nt_status = NT_STATUS_NO_SUCH_USER; } - } else { - status = NT_STATUS_NO_SUCH_USER; } } /* Store the user group information in the server_info returned to the caller. 
*/ - if (NT_STATUS_IS_OK(status) && (info3.num_groups2 != 0)) { + if (NT_STATUS_IS_OK(nt_status) && (info3.num_groups2 != 0)) { DOM_SID domain_sid; int i; NT_USER_TOKEN *ptok; @@ -365,7 +316,7 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, if ((pserver_info->ptok = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) { DEBUG(0, ("domain_client_validate: out of memory allocating rid group membership\n")); - status = NT_STATUS_NO_MEMORY; + nt_status = NT_STATUS_NO_MEMORY; free_server_info(server_info); goto done; } @@ -375,14 +326,14 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, if ((ptok->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptok->num_sids )) == NULL) { DEBUG(0, ("domain_client_validate: Out of memory allocating group SIDS\n")); - status = NT_STATUS_NO_MEMORY; + nt_status = NT_STATUS_NO_MEMORY; free_server_info(server_info); goto done; } if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) { DEBUG(0, ("domain_client_validate: unable to fetch domain sid.\n")); - status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + nt_status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO; free_server_info(server_info); goto done; } @@ -404,7 +355,7 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, if(cli_nt_logoff(&cli, &ctr) == False) { DEBUG(0,("domain_client_validate: unable to log off user %s in domain \ %s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli))); - status = NT_STATUS_LOGON_FAILURE; + nt_status = NT_STATUS_LOGON_FAILURE; } } #endif /* 0 */ 
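Review bot: `make_server_info_pw(server_info, pass); if (!server_info) { nt_status = NT_STATUS_NO_MEMORY; }` tests the caller's `auth_serversupplied_info **` — already checked non-NULL by check_ntdomain_security — instead of the object it was just asked to fill, so an allocation failure is never detected and a NULL `*server_info` reaches `pserver_info->ptok` in the @@ -365 hunk. The test should be `if (!*server_info) {`. Also the `#if 0` block touched at @@ -404 still refers to `&cli` and `&ctr` from the old by-value client and the deleted `NET_ID_INFO_CTR ctr`; dead code that no longer matches the function is better deleted than renamed.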
@@ -415,10 +366,10 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, to allocate the other_sids and gids structures has been deleted - so these pointers are no longer valid..... */ - cli_nt_session_close(&cli); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return status; + cli_nt_session_close(cli); + cli_ulogoff(cli); + cli_shutdown(cli); + return nt_status; } /**************************************************************************** @@ -426,6 +377,7 @@ static NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info, ****************************************************************************/ static NTSTATUS check_ntdomain_security(void *my_private_data, + TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, const auth_authsupplied_info *auth_info, auth_serversupplied_info **server_info) @@ -461,7 +413,7 @@ static NTSTATUS check_ntdomain_security(void *my_private_data, { DEBUG(0, ("check_domain_security: could not fetch trust account password for domain %s\n", lp_workgroup())); unbecome_root(); - return NT_STATUS_LOGON_FAILURE; + return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } unbecome_root(); @@ -481,9 +433,9 @@ static NTSTATUS check_ntdomain_security(void *my_private_data, if (! *pserver) pserver = "*"; p = pserver; - nt_status = domain_client_validate(user_info, (uchar *)auth_info->challenge.data,server_info, + nt_status = domain_client_validate(mem_ctx, user_info, (uchar *)auth_info->challenge.data,server_info, p, trust_passwd, last_change_time); - + return nt_status; } -- cgit From 2e28f8ff0e3bb50ac5b2742c7678c39cb65bcd95 Mon Sep 17 00:00:00 2001 
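Review bot: The new `TALLOC_CTX *mem_ctx` parameter on check_ntdomain_security (and on domain_client_validate in the earlier @@ -271 hunk) carries a lifetime rule that only the commit message states — the context is valid for the duration of this call and anything returned through `server_info` must still be malloc'd — but neither signature documents it. A line above the parameter such as `/* mem_ctx: valid only for the duration of this call; server_info is malloc'd, not talloc'd */` keeps the next module author from tallocing the returned structure. The existing "Check for a valid username and password in security=domain mode" header is the natural place for it; check_ntdomain_security's body runs past the hunk.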
From: Andrew Bartlett Date: Sat, 5 Jan 2002 04:55:41 +0000 Subject: I've decided to move the auth code around a bit more... The auth_authsupplied_info typedef is now just a plain struct - auth_context, but it has been modified to contain the function pointers to the rest of the auth subsystem's components. (Who needs non-static functions anyway?) In working all this mess out, I fixed a number of memory leaks and moved the entire auth subsystem over to talloc(). Note that the TALLOC_CTX attached to the auth_context can be rather long-lived, it is provided for things that are intended to live as long. (The global_negprot_auth_context lasts the whole life of the smbd). I've also adjusted a few things in auth_domain.c, mainly passing the domain as a paramater to a few functions instead of looking up lp_workgroup(). I'm hopign to make this entire thing a bit more trusted domains (as PDC) freindly in the near future. Other than that, I moved a bit of the code around, hence the rather messy diff. Andrew Bartlett (This used to be commit 12f5515f556cf39fea98134fe3e2ac4540501048) --- source3/auth/auth_domain.c | 51 ++++++++++++++++++++++++++++++---------------- 1 file changed, 33 insertions(+), 18 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 6e3eb643d8..e836375406 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -125,8 +125,10 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); Utility function to attempt a connection to an IP address of a DC. ************************************************************************/ -static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, struct in_addr *ip, - unsigned char *trust_passwd) +static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, + const char *domain, + struct in_addr *ip, + unsigned char *trust_passwd) { fstring dc_name; 
@@ -137,7 +139,7 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, struct in_addr *ip if (is_zero_ip(*ip)) return NT_STATUS_UNSUCCESSFUL; - if (!lookup_dc_name(global_myname, lp_workgroup(), ip, dc_name)) + if (!lookup_dc_name(global_myname, domain, ip, dc_name)) return NT_STATUS_UNSUCCESSFUL; return connect_to_domain_password_server(cli, dc_name, trust_passwd); @@ -145,11 +147,12 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, struct in_addr *ip /*********************************************************************** We have been asked to dynamcially determine the IP addresses of - the PDC and BDC's for this DOMAIN, and query them in turn. + the PDC and BDC's for DOMAIN, and query them in turn. ************************************************************************/ static NTSTATUS find_connect_pdc(struct cli_state **cli, - unsigned char *trust_passwd, - time_t last_change_time) + const char *domain, + unsigned char *trust_passwd, + time_t last_change_time) { struct in_addr *ip_list = NULL; int count = 0; @@ -169,7 +172,7 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, if (time_now - last_change_time < 3600) use_pdc_only = True; - if (!get_dc_list(use_pdc_only, lp_workgroup(), &ip_list, &count)) + if (!get_dc_list(use_pdc_only, domain, &ip_list, &count)) return NT_STATUS_UNSUCCESSFUL; /* @@ -180,7 +183,9 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, if(!is_local_net(ip_list[i])) continue; - if(NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, &ip_list[i], trust_passwd))) + if(NT_STATUS_IS_OK(nt_status = + attempt_connect_to_dc(cli, domain, + &ip_list[i], trust_passwd))) break; zero_ip(&ip_list[i]); /* Tried and failed. */ 
@@ -192,7 +197,9 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, if(!NT_STATUS_IS_OK(nt_status)) { i = (sys_random() % count); - if (!NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, &ip_list[i], trust_passwd))) + if (!NT_STATUS_IS_OK(nt_status = + attempt_connect_to_dc(cli, domain, + &ip_list[i], trust_passwd))) zero_ip(&ip_list[i]); /* Tried and failed. */ } @@ -206,7 +213,9 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, * Note that from a WINS server the #1 IP address is the PDC. */ for(i = 0; i < count; i++) { - if (NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, &ip_list[i], trust_passwd))) + if (NT_STATUS_IS_OK(nt_status = + attempt_connect_to_dc(cli, domain, + &ip_list[i], trust_passwd))) break; } } @@ -224,6 +233,7 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, + const char *domain, uchar chal[8], auth_serversupplied_info **server_info, char *server, unsigned char *trust_passwd, @@ -246,7 +256,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, while (!NT_STATUS_IS_OK(nt_status) && next_token(&server,remote_machine,LIST_SEP,sizeof(remote_machine))) { if(strequal(remote_machine, "*")) { - nt_status = find_connect_pdc(&cli, trust_passwd, last_change_time); + nt_status = find_connect_pdc(&cli, domain, trust_passwd, last_change_time); } else { nt_status = connect_to_domain_password_server(&cli, remote_machine, trust_passwd); } 
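Review bot: The added `const char *domain` parameter selects which domain's DCs are discovered and whose machine-account password is used, while the netlogon request itself still carries `user_info->domain.str` (the client-supplied domain, visible in the earlier @@ -321 hunk); when the two differ the DC for `domain` is asked to validate a user of another domain, which is the trusted-domain pass-through case the commit message alludes to. That distinction deserves a line in the function's header comment, e.g. `/* domain: the domain whose DCs we contact and whose trust account we use; the user's own domain comes from user_info */`. domain_client_validate's body runs past this hunk.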
@@ -376,18 +386,19 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, Check for a valid username and password in security=domain mode. ****************************************************************************/ -static NTSTATUS check_ntdomain_security(void *my_private_data, +static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, + void *my_private_data, TALLOC_CTX *mem_ctx, const auth_usersupplied_info *user_info, - const auth_authsupplied_info *auth_info, auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; char *p, *pserver; unsigned char trust_passwd[16]; time_t last_change_time; + char *domain = lp_workgroup(); - if (!user_info || !server_info || !auth_info) { + if (!user_info || !server_info || !auth_context) { DEBUG(1,("check_ntdomain_security: Critical variables not present. Failing.\n")); return NT_STATUS_LOGON_FAILURE; } @@ -409,7 +420,7 @@ static NTSTATUS check_ntdomain_security(void *my_private_data, * Get the machine account password for our primary domain */ - if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, &last_change_time)) + if (!secrets_fetch_trust_account_password(domain, trust_passwd, &last_change_time)) { DEBUG(0, ("check_domain_security: could not fetch trust account password for domain %s\n", lp_workgroup())); unbecome_root(); 
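Review bot: The fetch now uses `domain` but the failure message in the same hunk still prints `lp_workgroup()`; `DEBUG(0, ("check_domain_security: could not fetch trust account password for domain %s\n", domain));` keeps the log consistent with what was actually looked up. Also `char *domain = lp_workgroup();` is only ever passed to callees declared `const char *domain`; declaring it `const char *domain = lp_workgroup();` documents that it is never written. The function continues beyond the hunk.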
@@ -433,18 +444,22 @@ static NTSTATUS check_ntdomain_security(void *my_private_data, if (! *pserver) pserver = "*"; p = pserver; - nt_status = domain_client_validate(mem_ctx, user_info, (uchar *)auth_info->challenge.data,server_info, + nt_status = domain_client_validate(mem_ctx, user_info, domain, + (uchar *)auth_context->challenge.data, + server_info, p, trust_passwd, last_change_time); return nt_status; } -BOOL auth_init_ntdomain(auth_methods **auth_method) +/* module initialisation */ +BOOL auth_init_ntdomain(struct auth_context *auth_context, auth_methods **auth_method) { - if (!make_auth_methods(auth_method)) { + if (!make_auth_methods(auth_context, auth_method)) { return False; } (*auth_method)->auth = check_ntdomain_security; return True; } + -- cgit From 7f8ae6e35c2733c0560d73266dc5d7c589b9a143 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 11 Jan 2002 06:22:42 +0000 Subject: The DC is meant to be sent the *unmapped* username... Andrew Bartlett (This used to be commit d7fca1806a304cb6eeecfe34d6c5c012c745114f) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index e836375406..a81af3b738 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -276,7 +276,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, */ nt_status = cli_netlogon_sam_network_logon(cli, mem_ctx, - user_info->internal_username.str, user_info->domain.str, + user_info->smb_name.str, user_info->domain.str, user_info->wksta_name.str, chal, user_info->lm_resp, user_info->nt_resp, &info3); -- cgit From 27655be3c1708d447b046a2b0d8b2013eeb21835 Mon Sep 17 00:00:00 2001 
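Review bot: `trust_passwd[16]` (declared at the top of check_ntdomain_security, outside this hunk) holds the machine-account secret, and the function returns from the `return nt_status;` line here with the buffer still populated on the stack. Clearing it before every return — `ZERO_STRUCT(trust_passwd);` is the idiom this file already uses for locals — limits how long the secret survives in memory; being a memset it can in principle be elided before a return, so an explicit-bzero style helper is preferable where the project has one. The one-line hunk at @@ -276 sends `smb_name` to the DC while the local `Get_Pwnam()` lookup still uses `internal_username`; a comment stating that username mapping applies only to the local account lookup would save the next reader a question.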
From: Andrew Tridgell Date: Fri, 11 Jan 2002 13:14:28 +0000 Subject: fixed a crash bug in domain auth caused by an uninitialised nt_status (This used to be commit 0b0b937b58f4bf4e005fb622f0db19175fc46a47) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c')
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index a81af3b738..eba61114d6 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -242,7 +242,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
 fstring remote_machine;
 NET_USER_INFO_3 info3;
 struct cli_state *cli;
- NTSTATUS nt_status;
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
 struct passwd *pass;
 
 /*
-- cgit From e895b9004e57c62d7517198618f9fd788107629e Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Sat, 12 Jan 2002 23:57:10 +0000 Subject: Many thanks to Alexander Bokovoy . This work was sponsored by Optifacio Software Services, Inc. Andrew Bartlett (various e-mails announcements merged into some form of commit message below:) This patch which adds basics of universal groups support into Samba 3. Currently, only Winbind with RPC calls supports this, ADS support requires additional (possibly huge) work on KRB5 PAC. However, basic infrastructure is here. This patch adds: 1. Storing of universal groups for particular user logged into Samba software (smbd/ two winbind-pam methods) into netlogon_unigrp.tdb as array of uint32 supplemental group rids keyed as DOMAIN_SID/USER_RID in tdb. 2. Fetching of unversal groups for given user rid and domain sid from netlogon_unigrp.tdb. Since this is used in both smbd and winbindd, main code is in source/lib/netlogon_uingrp.c. Dependencies are added to AUTH_OBJ as UNIGRP_OBJ and WINBINDD_OBJ as UNIGRP_OBJ. This patch has had a few versions, the final version in particular: Many thanks to Andrew Bartlett for critics and comments, and partly rewritten code. New: - updated fetching code to changed byte order macros - moved functions to proper namespace - optimized memory usage by reusing caller's memory context - enhanced code to more follow Samba coding rules Todo: - proper universal group expiration after timeout (This used to be commit 80c2aefbe7c1aa363dd286a47d50c5d8b4595f43) --- source3/auth/auth_domain.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index eba61114d6..6dcf3119ea 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c 
@@ -352,6 +352,10 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, sid_copy(&ptok->user_sids[i], &domain_sid); sid_append_rid(&ptok->user_sids[i], info3.gids[i].g_rid); } + + become_root(); + uni_group_cache_store_netlogon(mem_ctx, &info3); + unbecome_root(); } #if 0 -- cgit From dd0f0f043f740a4099ed17a43fd7d5cbe1142540 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 14 Jan 2002 21:52:25 +0000 Subject: Fix a segfault in auth/auth_domain.c error cases. This occured when the attempt to contact the PDC failed. The connection code has already shut down the connection, and 'free'ed the cli or has never initialised it in the first place. Andrew Bartlett (This used to be commit 37ce7630434c1afae5164c64438f428dd8e1b731) --- source3/auth/auth_domain.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 6dcf3119ea..2b5104bf92 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -241,7 +241,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, { fstring remote_machine; NET_USER_INFO_3 info3; - struct cli_state *cli; + struct cli_state *cli = NULL; NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; struct passwd *pass; @@ -264,7 +264,6 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0,("domain_client_validate: Domain password server not available.\n")); - cli_shutdown(cli); return nt_status; } -- cgit From 5fb852d0477a40393c980c5a26e6d2ae8d0c1e9f Mon Sep 17 00:00:00 2001 
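Review bot: `uni_group_cache_store_netlogon(mem_ctx, &info3);` is run under `become_root()`/`unbecome_root()` with its result discarded, so if the cache write fails the logon still succeeds silently; whether the function reports failure is not visible here, but if it does, a `DEBUG(1, ...)` on failure would make cache problems diagnosable. The privilege bracket also widens the root window to cover the whole store; if the cache is opened at startup, as a later commit's comment says of the secrets tdb, it may not be needed at all. The enclosing function runs past the hunk.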
From: Tim Potter Date: Fri, 25 Jan 2002 05:17:49 +0000 Subject: Remove check for passwordserver = "*" as we now initialise it. Added TODO about perhaps doing a SAMLOGON udp/138 request before a cli_full_connection in connect_to_domain_password_server() (This used to be commit b61e40a5be3b8bacc74399902169755dbc4c7fca) --- source3/auth/auth_domain.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 2b5104bf92..e84d4e4724 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -78,6 +78,12 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, return NT_STATUS_UNSUCCESSFUL; } + /* TODO: Send a SAMLOGON request to determine whether this is a valid + logonserver. We can avoid a 30-second timeout if the DC is down + if the SAMLOGON request fails as it is only over UDP. */ + + /* Attempt connection */ + result = cli_full_connection(cli, global_myname, server, &dest_ip, 0, "IPC$", "IPC", "", "", "", 0); @@ -444,7 +450,6 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, */ pserver = lp_passwordserver(); - if (! *pserver) pserver = "*"; p = pserver; nt_status = domain_client_validate(mem_ctx, user_info, domain, -- cgit From 714cdd47cb3e0e1f683c0a22396f9167a85e7df3 Mon Sep 17 00:00:00 2001 
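Review bot: Removing `if (! *pserver) pserver = "*";` makes the behaviour for an empty "password server" value depend on loadparm initialising it to "*", which this file cannot see; with an empty string `next_token()` yields no tokens and domain_client_validate returns its initial NT_STATUS_UNSUCCESSFUL after logging "Domain password server not available", so the failure is safe but the dependency is now invisible. A comment at the call, `/* lp_passwordserver() is initialised to "*" by loadparm, so an empty list cannot occur here */`, records the assumption. check_ntdomain_security continues past the hunk.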
From: Andrew Bartlett Date: Sat, 26 Jan 2002 06:24:53 +0000 Subject: Fix up a security issue with the way we handle domain groups retuned on the info3. These are RIDs, and it only makes sense to combine them with the domain SID returned with them. This is important for trusted domains, where that sid might be other than the one we currently reterive from the secrets.tdb. Also remove the become_root()/unbecome_root() wrapper from around both remaining TDB users: Both are now initialised at smbd startup. Andrew Bartlett (This used to be commit 554842e0a55155193f25aefca6480b89d5c512ca) --- source3/auth/auth_domain.c | 18 ++---------------- 1 file changed, 2 insertions(+), 16 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index e84d4e4724..704f600c66 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -324,7 +324,6 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, /* Store the user group information in the server_info returned to the caller. */ if (NT_STATUS_IS_OK(nt_status) && (info3.num_groups2 != 0)) { - DOM_SID domain_sid; int i; NT_USER_TOKEN *ptok; auth_serversupplied_info *pserver_info = *server_info; @@ -346,21 +345,12 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, goto done; } - if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) { - DEBUG(0, ("domain_client_validate: unable to fetch domain sid.\n")); - nt_status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO; - free_server_info(server_info); - goto done; - } - for (i = 0; i < ptok->num_sids; i++) { - sid_copy(&ptok->user_sids[i], &domain_sid); + sid_copy(&ptok->user_sids[i], &info3.dom_sid.sid); sid_append_rid(&ptok->user_sids[i], info3.gids[i].g_rid); } - become_root(); uni_group_cache_store_netlogon(mem_ctx, &info3); - unbecome_root(); } #if 0 
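Review bot: Group SIDs are now built from `info3.dom_sid.sid` exactly as the DC returned it, and nothing in the hunk checks that this SID is the SID of the domain whose trust account was used (or of a domain it is trusted for); the `secrets_fetch_domain_sid()` lookup this hunk removes was the only local reference point. A DC that returns a different domain SID than expected would have those group memberships granted verbatim, which is the case SID filtering exists to prevent. Keeping the local SID lookup and failing the logon with NT_STATUS_LOGON_FAILURE when `info3.dom_sid.sid` is neither the expected domain SID nor a known trusted-domain SID closes that gap; a comment explaining why `info3.dom_sid` is accepted as-is would be the minimum. The group loop continues outside the hunk.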
@@ -423,10 +413,9 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, return NT_STATUS_LOGON_FAILURE; } - become_root(); - /* * Get the machine account password for our primary domain + * No need to become_root() as secrets_init() is done at startup. */ if (!secrets_fetch_trust_account_password(domain, trust_passwd, &last_change_time)) @@ -436,8 +425,6 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } - unbecome_root(); - /* Test if machine password is expired and need to be changed */ if (time(NULL) > last_change_time + lp_machine_password_timeout()) { @@ -470,4 +457,3 @@ BOOL auth_init_ntdomain(struct auth_context *auth_context, auth_methods **auth_m (*auth_method)->auth = check_ntdomain_security; return True; } - -- cgit From cd68afe31256ad60748b34f7318a180cfc2127cc Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 30 Jan 2002 06:08:46 +0000 Subject: Removed version number from file header. Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa) --- source3/auth/auth_domain.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 704f600c66..9e5f32c9a3 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -1,6 +1,5 @@ /* - Unix SMB/Netbios implementation. - Version 3.0. + Unix SMB/CIFS implementation. Authenticate against a remote domain Copyright (C) Andrew Tridgell 1992-1998 Copyright (C) Andrew Bartlett 2001 -- cgit From c2729d59a631822c7e5545d13a2eff8ed237401b Mon Sep 17 00:00:00 2001 
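Review bot: The `become_root()` removed in the first hunk appears to have had a partner inside the failure branch of `secrets_fetch_trust_account_password` (that branch body lies between the two hunks and is not shown); only the trailing `unbecome_root()` after the branch is removed here. If the inner call survives, the `NT_STATUS_CANT_ACCESS_DOMAIN_INFO` path now executes `unbecome_root()` without a preceding `become_root()`, an unpaired privilege-restore call — the later "SECURITY FIXES" commit on this page removes exactly that line. Both calls should go together in this commit: delete the `unbecome_root();` line inside the `if (!secrets_fetch_trust_account_password(...))` block as well.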
From: Andrew Tridgell Date: Mon, 18 Feb 2002 11:07:57 +0000 Subject: serialise all domain auth requests this is needed because W2K will send a TCP reset to any open connections that have not done a negprot when a second connection is made. This meant that under heavy netlogon load a Samba domain member would fail authentications. Jeremy, you may wish to port this to 2.2.x (This used to be commit eb196070e62b45b113e5712f27198c50c5c95657) --- source3/auth/auth_domain.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 9e5f32c9a3..947cd41a26 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -81,10 +81,19 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, logonserver. We can avoid a 30-second timeout if the DC is down if the SAMLOGON request fails as it is only over UDP. */ + /* we use a mutex to prevent two connections at once - when a NT PDC gets + two connections where one hasn't completed a negprot yet it will send a + TCP reset to the first connection (tridge) */ + if (!message_named_mutex(server)) { + DEBUG(1,("domain mutex failed for %s\n", server)); + return NT_STATUS_UNSUCCESSFUL; + } + /* Attempt connection */ - result = cli_full_connection(cli, global_myname, server, &dest_ip, 0, "IPC$", "IPC", "", "", "", 0); + + message_named_mutex_release(server); if (!NT_STATUS_IS_OK(result)) { return result; -- cgit From df43f3d41009f170295f93f6d6df1b6e84077616 Mon Sep 17 00:00:00 2001 
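Review bot: The mutex is named after the raw `server` argument rather than the resolved DC, so two list entries that denote the same DC differently (an IP address versus a NetBIOS name, or a different letter case — the name is upper-cased into `remote_machine` by code outside this hunk) take different mutexes and are not serialised against each other, which defeats the reset-avoidance the commit is for. Keying the mutex on the canonical `remote_machine` closes that gap: `if (!message_named_mutex(remote_machine)) {`. The same keying is carried forward unchanged by the later `grab_server_mutex(server)` hunks on this page.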
From: Jeremy Allison Date: Thu, 28 Feb 2002 01:05:15 +0000 Subject: Ensure that winbindd and smbd both use identical logic to find dc's. Fix bug where zeroip addresses were being checked. Jeremy. (This used to be commit 8ed49fe0df201833329c17b2afe1e3aa70646558) --- source3/auth/auth_domain.c | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 947cd41a26..c7bfea4f6a 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -197,9 +197,8 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, if(!is_local_net(ip_list[i])) continue; - if(NT_STATUS_IS_OK(nt_status = - attempt_connect_to_dc(cli, domain, - &ip_list[i], trust_passwd))) + if(NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, domain, + &ip_list[i], trust_passwd))) break; zero_ip(&ip_list[i]); /* Tried and failed. */ @@ -211,10 +210,11 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, if(!NT_STATUS_IS_OK(nt_status)) { i = (sys_random() % count); - if (!NT_STATUS_IS_OK(nt_status = - attempt_connect_to_dc(cli, domain, - &ip_list[i], trust_passwd))) - zero_ip(&ip_list[i]); /* Tried and failed. */ + if (!is_zero_ip(ip_list[i])) { + if (!NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, domain, + &ip_list[i], trust_passwd))) + zero_ip(&ip_list[i]); /* Tried and failed. */ + } } /* @@ -227,15 +227,16 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, * Note that from a WINS server the #1 IP address is the PDC. */ for(i = 0; i < count; i++) { - if (NT_STATUS_IS_OK(nt_status = - attempt_connect_to_dc(cli, domain, - &ip_list[i], trust_passwd))) + if (is_zero_ip(ip_list[i])) + continue; + + if (NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, domain, + &ip_list[i], trust_passwd))) break; } } SAFE_FREE(ip_list); - return nt_status; } -- cgit From a07e040c8c8515d0ffc2a6cce31a4f0124e42023 Mon Sep 17 00:00:00 2001 
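Review bot: The random fallback in the second hunk computes `i = (sys_random() % count)` before the new `is_zero_ip` guard, so if `get_dc_list` can succeed with `count == 0` (its contract is not visible here) this is a division by zero; computing the index only under `count > 0` is cheap, e.g. `if (count > 0) { i = (sys_random() % count); if (!is_zero_ip(ip_list[i])) { ... } }`. The new `is_zero_ip` checks rely on `zero_ip()` being the "already tried and failed" marker; a one-line comment at the declaration of `ip_list` saying so would help readers. find_connect_pdc starts and ends outside these hunks.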
From: Andrew Bartlett Date: Fri, 1 Mar 2002 22:45:23 +0000 Subject: SECURITY FIXES: Remove a stray 'unbecome_root()' in the ntdomain an auth failure case. Only allow trust accounts to request a challange in srv_netlogon_nt.c. Currently any user can be the 'machine' for the domain logon. MERGE for 2.2. Andrew Bartlett (This used to be commit 0242d0e17827b05d8cd270f675d2595fa67fd5b9) --- source3/auth/auth_domain.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index c7bfea4f6a..6c858e056c 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -401,14 +401,14 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; - char *p, *pserver; + char *password_server; unsigned char trust_passwd[16]; time_t last_change_time; char *domain = lp_workgroup(); if (!user_info || !server_info || !auth_context) { DEBUG(1,("check_ntdomain_security: Critical variables not present. Failing.\n")); - return NT_STATUS_LOGON_FAILURE; + return NT_STATUS_INVALID_PARAMETER; } /* @@ -430,7 +430,6 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, if (!secrets_fetch_trust_account_password(domain, trust_passwd, &last_change_time)) { DEBUG(0, ("check_domain_security: could not fetch trust account password for domain %s\n", lp_workgroup())); - unbecome_root(); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } 
@@ -445,13 +444,12 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, * PDC/BDC. Contact each in turn and try and authenticate. */ - pserver = lp_passwordserver(); - p = pserver; + password_server = lp_passwordserver(); nt_status = domain_client_validate(mem_ctx, user_info, domain, (uchar *)auth_context->challenge.data, server_info, - p, trust_passwd, last_change_time); + password_server, trust_passwd, last_change_time); return nt_status; } -- cgit From 81b2d66c970c0df94823ad96f50b992fff0c8b94 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 2 Mar 2002 08:25:44 +0000 Subject: Allow Samba to trust NT4 Domains. This commit builds on the auth subsystem to give Samba support for trusting NT4 domains. It is off by default, but is enabled by adding 'trustdomain' to the 'auth methods' smb.conf paramater. Tested against NT4 only - there are still some issues with the join code for Win2k servers (spnego stuff). The main work TODO involves enumerating the trusted domains (including the RPC calls to match), and getting winbind to run on the PDC correctly. Similarly, work remains on getting NT4 to trust Samba domains. Andrew Bartlett (This used to be commit ac8c24a9a888a3f916e8b40238b936e6ad743ef7) --- source3/auth/auth_domain.c | 137 +++++++++++++++++++++++++++++++++++++++------ 1 file changed, 121 insertions(+), 16 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 6c858e056c..b57bd2bfcc 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -38,7 +38,10 @@ extern userdom_struct current_user_info; **/ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, - char *server, unsigned char *trust_passwd) + const char *server, + const char *setup_creds_as, + uint16 sec_chan, + const unsigned char *trust_passwd) { struct in_addr dest_ip; fstring remote_machine; 
@@ -121,7 +124,13 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); return NT_STATUS_UNSUCCESSFUL; } - result = new_cli_nt_setup_creds(*cli, trust_passwd); + snprintf((*cli)->mach_acct, sizeof((*cli)->mach_acct) - 1, "%s$", setup_creds_as); + + if (!(*cli)->mach_acct) { + return NT_STATUS_NO_MEMORY; + } + + result = new_cli_nt_setup_creds(*cli, sec_chan, trust_passwd); if (!NT_STATUS_IS_OK(result)) { DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ @@ -142,7 +151,9 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, const char *domain, struct in_addr *ip, - unsigned char *trust_passwd) + const char *setup_creds_as, + uint16 sec_chan, + const unsigned char *trust_passwd) { fstring dc_name; @@ -156,7 +167,7 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, if (!lookup_dc_name(global_myname, domain, ip, dc_name)) return NT_STATUS_UNSUCCESSFUL; - return connect_to_domain_password_server(cli, dc_name, trust_passwd); + return connect_to_domain_password_server(cli, dc_name, setup_creds_as, sec_chan, trust_passwd); } /*********************************************************************** @@ -165,6 +176,8 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, ************************************************************************/ static NTSTATUS find_connect_pdc(struct cli_state **cli, const char *domain, + const char *setup_creds_as, + uint16 sec_chan, unsigned char *trust_passwd, time_t last_change_time) { @@ -197,8 +210,10 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, if(!is_local_net(ip_list[i])) continue; - if(NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, domain, - &ip_list[i], trust_passwd))) + if(NT_STATUS_IS_OK(nt_status = + attempt_connect_to_dc(cli, domain, + &ip_list[i], setup_creds_as, + sec_chan, trust_passwd))) break; zero_ip(&ip_list[i]); /* Tried and failed. */ 
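Review bot: The `if (!(*cli)->mach_acct)` check after the `snprintf` cannot detect anything: `snprintf` never allocates, and the `sizeof((*cli)->mach_acct)` used as the bound implies `mach_acct` is an array, in which case the expression is always false (were it a pointer, `sizeof` would be the wrong bound instead). The check that matters is the `snprintf` result, so that an over-long `setup_creds_as` does not silently produce a truncated machine account name that then fails to authenticate: `int len = snprintf((*cli)->mach_acct, sizeof((*cli)->mach_acct), "%s$", setup_creds_as);` followed by `if (len < 0 || (size_t)len >= sizeof((*cli)->mach_acct)) return NT_STATUS_INVALID_PARAMETER;`, tearing down `*cli` the way the neighbouring error paths do. The `- 1` on the size is unnecessary for a standard `snprintf`, which always NUL-terminates within the given size.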
@@ -211,9 +226,11 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, i = (sys_random() % count); if (!is_zero_ip(ip_list[i])) { - if (!NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, domain, - &ip_list[i], trust_passwd))) - zero_ip(&ip_list[i]); /* Tried and failed. */ + if (!NT_STATUS_IS_OK(nt_status = + attempt_connect_to_dc(cli, domain, + &ip_list[i], setup_creds_as, + sec_chan, trust_passwd))) + zero_ip(&ip_list[i]); /* Tried and failed. */ } } @@ -231,7 +248,7 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, continue; if (NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, domain, - &ip_list[i], trust_passwd))) + &ip_list[i], setup_creds_as, sec_chan, trust_passwd))) break; } } @@ -251,7 +268,9 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, const char *domain, uchar chal[8], auth_serversupplied_info **server_info, - char *server, unsigned char *trust_passwd, + char *server, char *setup_creds_as, + uint16 sec_chan, + unsigned char *trust_passwd, time_t last_change_time) { fstring remote_machine; @@ -271,9 +290,9 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, while (!NT_STATUS_IS_OK(nt_status) && next_token(&server,remote_machine,LIST_SEP,sizeof(remote_machine))) { if(strequal(remote_machine, "*")) { - nt_status = find_connect_pdc(&cli, domain, trust_passwd, last_change_time); + nt_status = find_connect_pdc(&cli, domain, setup_creds_as, sec_chan, trust_passwd, last_change_time); } else { - nt_status = connect_to_domain_password_server(&cli, remote_machine, trust_passwd); + nt_status = connect_to_domain_password_server(&cli, remote_machine, setup_creds_as, sec_chan, trust_passwd); } } 
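Review bot: `domain_client_validate` takes `char *server, char *setup_creds_as` while `connect_to_domain_password_server` and `attempt_connect_to_dc` in this same commit take `const char *` for the same values, and `find_connect_pdc` takes `unsigned char *trust_passwd` where the other two take `const unsigned char *`. Since `setup_creds_as` and `trust_passwd` are only passed through, `const char *setup_creds_as` and `const unsigned char *trust_passwd` keep the four signatures consistent and let callers pass `lp_workgroup()`/`global_myname` without casts. `server` has to stay non-const here because `next_token(&server, ...)` advances it.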
@@ -429,7 +448,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, if (!secrets_fetch_trust_account_password(domain, trust_passwd, &last_change_time)) { - DEBUG(0, ("check_domain_security: could not fetch trust account password for domain %s\n", lp_workgroup())); + DEBUG(0, ("check_ntdomain_security: could not fetch trust account password for domain %s\n", lp_workgroup())); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } @@ -449,8 +468,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, nt_status = domain_client_validate(mem_ctx, user_info, domain, (uchar *)auth_context->challenge.data, server_info, - password_server, trust_passwd, last_change_time); - + password_server, global_myname, SEC_CHAN_WKSTA, trust_passwd, last_change_time); return nt_status; } 
@@ -464,3 +482,90 @@ BOOL auth_init_ntdomain(struct auth_context *auth_context, auth_methods **auth_m (*auth_method)->auth = check_ntdomain_security; return True; } + + +/**************************************************************************** + Check for a valid username and password in a trusted domain +****************************************************************************/ + +static NTSTATUS check_trustdomain_security(const struct auth_context *auth_context, + void *my_private_data, + TALLOC_CTX *mem_ctx, + const auth_usersupplied_info *user_info, + auth_serversupplied_info **server_info) +{ + NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; + unsigned char trust_md4_password[16]; + char *trust_password; + time_t last_change_time; + DOM_SID sid; + + if (!user_info || !server_info || !auth_context) { + DEBUG(1,("check_trustdomain_security: Critical variables not present. Failing.\n")); + return NT_STATUS_INVALID_PARAMETER; + } + + /* + * Check that the requested domain is not our own machine name. + * If it is, we should never check the PDC here, we use our own local + * password file. + */ + + if(is_netbios_alias_or_name(user_info->domain.str)) { + DEBUG(3,("check_trustdomain_security: Requested domain was for this machine.\n")); + return NT_STATUS_LOGON_FAILURE; + } + + /* + * Check that the requested domain is not our own domain, + * If it is, we should use our own local password file. + */ + + if(strequal(lp_workgroup(), (user_info->domain.str))) { + DEBUG(3,("check_trustdomain_security: Requested domain was for this domain.\n")); + return NT_STATUS_LOGON_FAILURE; + } + + /* + * Get the machine account password for the trusted domain + * No need to become_root() as secrets_init() is done at startup. 
+ */ + + if (!secrets_fetch_trusted_domain_password(user_info->domain.str, &trust_password, &sid, &last_change_time)) + { + DEBUG(0, ("check_trustdomain_security: could not fetch trust account password for domain %s\n", user_info->domain.str)); + return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + } + +#ifdef DEBUG_PASSWORD + DEBUG(100, ("Trust password for domain %s is %s\n", user_info->domain.str, trust_password)); +#endif + E_md4hash((uchar *)trust_password, trust_md4_password); + SAFE_FREE(trust_password); + +#if 0 + /* Test if machine password is expired and need to be changed */ + if (time(NULL) > last_change_time + lp_machine_password_timeout()) + { + global_machine_password_needs_changing = True; + } +#endif + + nt_status = domain_client_validate(mem_ctx, user_info, user_info->domain.str, + (uchar *)auth_context->challenge.data, + server_info, "*" /* Do a lookup */, + lp_workgroup(), SEC_CHAN_DOMAIN, trust_md4_password, last_change_time); + + return nt_status; +} + +/* module initialisation */ +BOOL auth_init_trustdomain(struct auth_context *auth_context, auth_methods **auth_method) +{ + if (!make_auth_methods(auth_context, auth_method)) { + return False; + } + + (*auth_method)->auth = check_trustdomain_security; + return True; +} -- cgit From ab13654dc9ac23872e4d1384e1c54e336f113009 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Sun, 17 Mar 2002 04:36:35 +0000 Subject: Renamed get_nt_error_msg() to nt_errstr(). (This used to be commit 1f007d3ed41c1b71a89fa6be7d173e67e927c302) --- source3/auth/auth_domain.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index b57bd2bfcc..5e3a4cd95b 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c 
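Review bot: `sid` is filled by `secrets_fetch_trusted_domain_password` and then never read, yet it is exactly the value needed to validate the reply: the group SIDs that domain_client_validate derives from `info3.dom_sid.sid` (earlier hunk on this page) could be compared with the trusted domain's stored SID and a mismatch rejected, so a DC for one trust cannot hand back memberships under another domain's SID. Separately, the plaintext trust password is freed with `SAFE_FREE(trust_password)` without being cleared and `trust_md4_password` stays on the stack after use; clearing both (`memset(trust_password, 0, strlen(trust_password));` before the free and `ZERO_STRUCT(trust_md4_password);` before return) limits how long the trust secret lingers in process memory, bearing in mind that a plain memset before free can be optimised away. The `DEBUG(100, ...)` line writes the plaintext trust password to the log when built with DEBUG_PASSWORD; logging only its length would keep that build from copying the secret into log files.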
@@ -134,7 +134,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); if (!NT_STATUS_IS_OK(result)) { DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ -%s. Error was : %s.\n", remote_machine, get_nt_error_msg(result))); +%s. Error was : %s.\n", remote_machine, nt_errstr(result))); cli_nt_session_close(*cli); cli_ulogoff(*cli); cli_shutdown(*cli); @@ -319,7 +319,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, "for user %s in domain %s to Domain controller %s. " "Error was %s.\n", user_info->smb_name.str, user_info->domain.str, cli->srv_name_slash, - get_nt_error_msg(nt_status))); + nt_errstr(nt_status))); } else { char *dom_user; -- cgit From 64d20453d97f08e412a2dc51d8d131d630f63999 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 26 Mar 2002 22:36:27 +0000 Subject: Don't hold the mutex for more than 20 seconds. Jeremy. (This used to be commit 1b9f1a368f2f37700cef357ab4bbc0389ec06378) --- source3/auth/auth_domain.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 5e3a4cd95b..38b48d85ad 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c 
@@ -87,11 +87,13 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, /* we use a mutex to prevent two connections at once - when a NT PDC gets two connections where one hasn't completed a negprot yet it will send a TCP reset to the first connection (tridge) */ - if (!message_named_mutex(server)) { - DEBUG(1,("domain mutex failed for %s\n", server)); + if (!message_named_mutex(server, 20)) { + DEBUG(1,("connect_to_domain_password_server: domain mutex failed for %s\n", server)); return NT_STATUS_UNSUCCESSFUL; } + DEBUG(10,("connect_to_domain_password_server: got mutex for %s\n", server)); + /* Attempt connection */ result = cli_full_connection(cli, global_myname, server, &dest_ip, 0, "IPC$", "IPC", "", "", "", 0); -- cgit From 94c52a00525c55db83d48c0ef76c3eb12de0af2b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 27 Mar 2002 00:02:49 +0000 Subject: Moved debug messages for grabbing/releasing mutex. Jeremy. (This used to be commit e144c174eafc18f236c848b8f3a2c6382796f5a9) --- source3/auth/auth_domain.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 38b48d85ad..af353ef812 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -92,8 +92,6 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, return NT_STATUS_UNSUCCESSFUL; } - DEBUG(10,("connect_to_domain_password_server: got mutex for %s\n", server)); - /* Attempt connection */ result = cli_full_connection(cli, global_myname, server, &dest_ip, 0, "IPC$", "IPC", "", "", "", 0); -- cgit From e90b65284812aaa5ff9e9935ce9bbad7791cbbcd Mon Sep 17 00:00:00 2001 
From: Andrew Tridgell Date: Mon, 15 Jul 2002 10:35:28 +0000 Subject: updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce) --- source3/auth/auth_domain.c | 118 ++++++++++++++++----------------------------- 1 file changed, 41 insertions(+), 77 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index af353ef812..3352c5f9c8 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -21,6 +21,9 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + BOOL global_machine_password_needs_changing = False; extern pstring global_myname; @@ -66,7 +69,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, fstrcpy(remote_machine, server); } - standard_sub_basic(current_user_info.smb_name, remote_machine); + standard_sub_basic(current_user_info.smb_name, remote_machine, sizeof(remote_machine)); strupper(remote_machine); if(!resolve_name( remote_machine, &dest_ip, 0x20)) { 
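Review bot: `standard_sub_basic(current_user_info.smb_name, remote_machine, sizeof(remote_machine))` expands substitution variables in the configured password server name using the SMB user name recorded for the current session (as the name suggests, a client-supplied value), so a `password server` entry containing such a variable would let the client influence which host the member contacts for authentication; the new size argument fixes the bounds but not that. If substitution is needed for this setting at all, restricting it to variables that do not depend on client input, or documenting that the setting must not contain them, is worth doing here — the later hunk on this page that rewrites name resolution drops the call entirely.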
@@ -84,21 +87,25 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, logonserver. We can avoid a 30-second timeout if the DC is down if the SAMLOGON request fails as it is only over UDP. */ - /* we use a mutex to prevent two connections at once - when a NT PDC gets - two connections where one hasn't completed a negprot yet it will send a - TCP reset to the first connection (tridge) */ - if (!message_named_mutex(server, 20)) { - DEBUG(1,("connect_to_domain_password_server: domain mutex failed for %s\n", server)); + /* we use a mutex to prevent two connections at once - when a + Win2k PDC get two connections where one hasn't completed a + session setup yet it will send a TCP reset to the first + connection (tridge) */ + + /* + * With NT4.x DC's *all* authentication must be serialized to avoid + * ACCESS_DENIED errors if 2 auths are done from the same machine. JRA. + */ + + if (!grab_server_mutex(server)) return NT_STATUS_UNSUCCESSFUL; - } /* Attempt connection */ result = cli_full_connection(cli, global_myname, server, &dest_ip, 0, "IPC$", "IPC", "", "", "", 0); - message_named_mutex_release(server); - if (!NT_STATUS_IS_OK(result)) { + release_server_mutex(); return result; } @@ -121,12 +128,14 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); cli_nt_session_close(*cli); cli_ulogoff(*cli); cli_shutdown(*cli); + release_server_mutex(); return NT_STATUS_UNSUCCESSFUL; } snprintf((*cli)->mach_acct, sizeof((*cli)->mach_acct) - 1, "%s$", setup_creds_as); if (!(*cli)->mach_acct) { + release_server_mutex(); return NT_STATUS_NO_MEMORY; } @@ -138,9 +147,12 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); cli_nt_session_close(*cli); cli_ulogoff(*cli); cli_shutdown(*cli); + release_server_mutex(); return result; } + /* We exit here with the mutex *locked*. JRA */ + return NT_STATUS_OK; } 
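Review bot: The function now returns `NT_STATUS_OK` with the server mutex still held, but that contract is only stated by a comment at the bottom of the body; it belongs in the header comment above the function (outside the hunk) together with which caller must call `release_server_mutex()`, since every new caller has to get this right. Suggested header text: `On success returns with *cli connected and the server mutex held; the caller must call release_server_mutex() once it is done with *cli. On any error the mutex is released before returning.` The `NT_STATUS_NO_MEMORY` path in the second hunk releases the mutex but, unlike the surrounding error paths, leaves `*cli` connected — it should run the same `cli_nt_session_close/cli_ulogoff/cli_shutdown` sequence before returning.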
@@ -270,14 +282,13 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, auth_serversupplied_info **server_info, char *server, char *setup_creds_as, uint16 sec_chan, - unsigned char *trust_passwd, + unsigned char trust_passwd[16], time_t last_change_time) { fstring remote_machine; NET_USER_INFO_3 info3; struct cli_state *cli = NULL; NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; - struct passwd *pass; /* * At this point, smb_apasswd points to the lanman response to 
@@ -321,63 +332,15 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, user_info->domain.str, cli->srv_name_slash, nt_errstr(nt_status))); } else { - char *dom_user; - - /* Check DOMAIN\username first to catch winbind users, then - just the username for local users. */ - - dom_user = talloc_asprintf(mem_ctx, "%s%s%s", user_info->domain.str, - lp_winbind_separator(), - user_info->internal_username.str); - - if (!dom_user) { - DEBUG(0, ("talloc_asprintf failed!\n")); - nt_status = NT_STATUS_NO_MEMORY; - } else { - - if (!(pass = Get_Pwnam(dom_user))) - pass = Get_Pwnam(user_info->internal_username.str); - - if (pass) { - make_server_info_pw(server_info, pass); - if (!server_info) { - nt_status = NT_STATUS_NO_MEMORY; - } - } else { - nt_status = NT_STATUS_NO_SUCH_USER; - } - } - } + nt_status = make_server_info_info3(mem_ctx, user_info->internal_username.str, + user_info->smb_name.str, domain, server_info, &info3); +#if 0 + /* The stuff doesn't work right yet */ + SMB_ASSERT(sizeof((*server_info)->session_key) == sizeof(info3.user_sess_key)); + memcpy((*server_info)->session_key, info3.user_sess_key, sizeof((*server_info)->session_key)/* 16 */); + SamOEMhash((*server_info)->session_key, trust_passwd, sizeof((*server_info)->session_key)); +#endif - /* Store the user group information in the server_info returned to the caller. 
*/ - - if (NT_STATUS_IS_OK(nt_status) && (info3.num_groups2 != 0)) { - int i; - NT_USER_TOKEN *ptok; - auth_serversupplied_info *pserver_info = *server_info; - - if ((pserver_info->ptok = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) { - DEBUG(0, ("domain_client_validate: out of memory allocating rid group membership\n")); - nt_status = NT_STATUS_NO_MEMORY; - free_server_info(server_info); - goto done; - } - - ptok = pserver_info->ptok; - ptok->num_sids = (size_t)info3.num_groups2; - - if ((ptok->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptok->num_sids )) == NULL) { - DEBUG(0, ("domain_client_validate: Out of memory allocating group SIDS\n")); - nt_status = NT_STATUS_NO_MEMORY; - free_server_info(server_info); - goto done; - } - - for (i = 0; i < ptok->num_sids; i++) { - sid_copy(&ptok->user_sids[i], &info3.dom_sid.sid); - sid_append_rid(&ptok->user_sids[i], info3.gids[i].g_rid); - } - uni_group_cache_store_netlogon(mem_ctx, &info3); } @@ -397,8 +360,6 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, } #endif /* 0 */ - done: - /* Note - once the cli stream is shutdown the mem_ctx used to allocate the other_sids and gids structures has been deleted - so these pointers are no longer valid..... */ @@ -406,6 +367,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, cli_nt_session_close(cli); cli_ulogoff(cli); cli_shutdown(cli); + release_server_mutex(); return nt_status; } @@ -448,7 +410,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, if (!secrets_fetch_trust_account_password(domain, trust_passwd, &last_change_time)) { - DEBUG(0, ("check_ntdomain_security: could not fetch trust account password for domain %s\n", lp_workgroup())); + DEBUG(0, ("check_ntdomain_security: could not fetch trust account password for domain '%s'\n", domain)); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } 
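Review bot: `release_server_mutex()` is now called unconditionally at the end of domain_client_validate, but connect_to_domain_password_server (earlier hunk of this commit) already releases the mutex on each of its own failure paths and only returns with it held on success. When no connection attempt succeeds, `cli` is still NULL here and this becomes a second release of a mutex this function does not hold, while `cli_nt_session_close(cli)` and friends are called with NULL; whether that is harmless depends on those helpers' NULL handling, which is not visible. Guarding the teardown with `if (cli) { ... release_server_mutex(); }`, or returning early when the loop exits without a connection (the lines between the loop and this hunk are not shown), makes the pairing explicit. The `#if 0` session-key block in the first hunk would also benefit from a short note on what exactly "doesn't work right yet", so it is not re-enabled blind.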
@@ -473,14 +435,15 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, } /* module initialisation */ -BOOL auth_init_ntdomain(struct auth_context *auth_context, auth_methods **auth_method) +NTSTATUS auth_init_ntdomain(struct auth_context *auth_context, const char* param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { - return False; + return NT_STATUS_NO_MEMORY; } + (*auth_method)->name = "ntdomain"; (*auth_method)->auth = check_ntdomain_security; - return True; + return NT_STATUS_OK; } @@ -527,7 +490,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte } /* - * Get the machine account password for the trusted domain + * Get the trusted account password for the trusted domain * No need to become_root() as secrets_init() is done at startup. */ @@ -560,12 +523,13 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte } /* module initialisation */ -BOOL auth_init_trustdomain(struct auth_context *auth_context, auth_methods **auth_method) +NTSTATUS auth_init_trustdomain(struct auth_context *auth_context, const char* param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { - return False; + return NT_STATUS_NO_MEMORY; } + (*auth_method)->name = "trustdomain"; (*auth_method)->auth = check_trustdomain_security; - return True; + return NT_STATUS_OK; } -- cgit From b2edf254eda92f775e7d3d9b6793b4d77f9000b6 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 17 Aug 2002 17:00:51 +0000 Subject: sync 3.0 branch with head (This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290) --- source3/auth/auth_domain.c | 139 +++++++++++++++++++++++++++++++++------------ 1 file changed, 103 insertions(+), 36 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 3352c5f9c8..d48cec5b29 100644 --- a/source3/auth/auth_domain.c 
+++ b/source3/auth/auth_domain.c 
@@ -29,6 +29,88 @@ BOOL global_machine_password_needs_changing = False; extern pstring global_myname; extern userdom_struct current_user_info; + +/* + resolve the name of a DC in ways appropriate for an ADS domain mode + an ADS domain may not have Netbios enabled at all, so this is + quite different from the RPC case + Note that we ignore the 'server' parameter here. That has the effect of using + the 'ADS server' smb.conf parameter, which is what we really want anyway + */ +static NTSTATUS ads_resolve_dc(fstring remote_machine, + struct in_addr *dest_ip) +{ + ADS_STRUCT *ads; + ads = ads_init_simple(); + if (!ads) { + return NT_STATUS_NO_LOGON_SERVERS; + } + + DEBUG(4,("ads_resolve_dc: realm=%s\n", ads->config.realm)); + + ads->auth.no_bind = 1; + +#ifdef HAVE_ADS + /* a full ads_connect() is actually overkill, as we don't srictly need + to do the SASL auth in order to get the info we need, but libads + doesn't offer a better way right now */ + ads_connect(ads); +#endif + + fstrcpy(remote_machine, ads->config.ldap_server_name); + strupper(remote_machine); + *dest_ip = ads->ldap_ip; + ads_destroy(&ads); + + if (!*remote_machine || is_zero_ip(*dest_ip)) { + return NT_STATUS_NO_LOGON_SERVERS; + } + + DEBUG(4,("ads_resolve_dc: using server='%s' IP=%s\n", + remote_machine, inet_ntoa(*dest_ip))); + + return NT_STATUS_OK; +} + +/* + resolve the name of a DC in ways appropriate for RPC domain mode + this relies on the server supporting netbios and port 137 not being + firewalled + */ +static NTSTATUS rpc_resolve_dc(const char *server, + fstring remote_machine, + struct in_addr *dest_ip) +{ + if (is_ipaddress(server)) { + struct in_addr to_ip = *interpret_addr2(server); + + /* we need to know the machines netbios name - this is a lousy + way to find it, but until we have a RPC call that does this + it will have to do */ + if (!name_status_find("*", 0x20, 0x20, to_ip, remote_machine)) { + DEBUG(2, ("connect_to_domain_password_server: Can't " + "resolve name for IP %s\n", 
server)); + return NT_STATUS_NO_LOGON_SERVERS; + } + + *dest_ip = to_ip; + return NT_STATUS_OK; + } + + fstrcpy(remote_machine, server); + strupper(remote_machine); + if (!resolve_name(remote_machine, dest_ip, 0x20)) { + DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", + remote_machine)); + return NT_STATUS_NO_LOGON_SERVERS; + } + + DEBUG(4,("rpc_resolve_dc: using server='%s' IP=%s\n", + remote_machine, inet_ntoa(*dest_ip))); + + return NT_STATUS_OK; +} + /** * Connect to a remote server for domain security authenticaion. * 
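Review bot: In `rpc_resolve_dc` the result of `interpret_addr2(server)` is dereferenced without a NULL check (`*interpret_addr2(server)`); if that helper can return NULL, a malformed `password server` entry crashes smbd, so `struct in_addr *a = interpret_addr2(server); if (!a) return NT_STATUS_NO_LOGON_SERVERS;` is safer. In `ads_resolve_dc` the status of `ads_connect(ads)` is ignored and, without HAVE_ADS, `ads->config.ldap_server_name` is read from a struct that was never connected; the `!*remote_machine || is_zero_ip(*dest_ip)` check only catches that if `fstrcpy` tolerates a NULL source, which is not visible here — checking the connect status and `ldap_server_name != NULL` explicitly is clearer. Two DEBUG messages in `rpc_resolve_dc` still carry the `connect_to_domain_password_server:` prefix from the code they were moved out of and should say `rpc_resolve_dc:`. The ADS path ignores `server` (as its comment says), which silently bypasses whatever the admin configured as `password server` in ADS mode; a DEBUG line when a non-empty value is being ignored would make that visible.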
@@ -50,37 +132,22 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, fstring remote_machine; NTSTATUS result; - if (is_ipaddress(server)) { - struct in_addr to_ip; - - /* we shouldn't have 255.255.255.255 forthe IP address of - a password server anyways */ - if ((to_ip.s_addr=inet_addr(server)) == 0xFFFFFFFF) { - DEBUG (0,("connect_to_domain_password_server: inet_addr(%s) returned 0xFFFFFFFF!\n", server)); - return NT_STATUS_UNSUCCESSFUL; - } - - if (!name_status_find("*", 0x20, 0x20, to_ip, remote_machine)) { - DEBUG(0, ("connect_to_domain_password_server: Can't " - "resolve name for IP %s\n", server)); - return NT_STATUS_UNSUCCESSFUL; - } + if (lp_security() == SEC_ADS) { + result = ads_resolve_dc(remote_machine, &dest_ip); } else { - fstrcpy(remote_machine, server); + result = rpc_resolve_dc(server, remote_machine, &dest_ip); } - standard_sub_basic(current_user_info.smb_name, remote_machine, sizeof(remote_machine)); - strupper(remote_machine); - - if(!resolve_name( remote_machine, &dest_ip, 0x20)) { - DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", remote_machine)); - return NT_STATUS_UNSUCCESSFUL; + if (!NT_STATUS_IS_OK(result)) { + DEBUG(2,("connect_to_domain_password_server: unable to resolve DC: %s\n", + nt_errstr(result))); + return result; } - + if (ismyip(dest_ip)) { DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n", remote_machine)); - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_NO_LOGON_SERVERS; } /* TODO: Send a SAMLOGON request to determine whether this is a valid 
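Review bot: With `lp_security() == SEC_ADS`, `ads_resolve_dc` ignores `server`, so the caller loop in domain_client_validate (the `next_token` hunk later in this commit) resolves and contacts the same ADS-selected DC once per entry in the password server list; a DC that is down is retried as many times as there are entries, each attempt holding the server mutex for a full connection timeout. Resolving the ADS DC once and trying it a single time — for example by having that loop stop after the first iteration when `lp_security() == SEC_ADS` — avoids the repeated stall. The `ismyip(dest_ip)` loop check is worth keeping as is; it now covers the ADS-resolved address too.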
@@ -98,11 +165,11 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, */ if (!grab_server_mutex(server)) - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_NO_LOGON_SERVERS; /* Attempt connection */ - result = cli_full_connection(cli, global_myname, server, - &dest_ip, 0, "IPC$", "IPC", "", "", "", 0); + result = cli_full_connection(cli, global_myname, remote_machine, + &dest_ip, 0, "IPC$", "IPC", "", "", "",0); if (!NT_STATUS_IS_OK(result)) { release_server_mutex(); @@ -129,7 +196,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); cli_ulogoff(*cli); cli_shutdown(*cli); release_server_mutex(); - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_NO_LOGON_SERVERS; } snprintf((*cli)->mach_acct, sizeof((*cli)->mach_acct) - 1, "%s$", setup_creds_as); @@ -139,7 +206,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); return NT_STATUS_NO_MEMORY; } - result = new_cli_nt_setup_creds(*cli, sec_chan, trust_passwd); + result = cli_nt_setup_creds(*cli, sec_chan, trust_passwd); if (!NT_STATUS_IS_OK(result)) { DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ @@ -174,10 +241,10 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, */ if (is_zero_ip(*ip)) - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_NO_LOGON_SERVERS; if (!lookup_dc_name(global_myname, domain, ip, dc_name)) - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_NO_LOGON_SERVERS; return connect_to_domain_password_server(cli, dc_name, setup_creds_as, sec_chan, trust_passwd); } @@ -196,7 +263,7 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, struct in_addr *ip_list = NULL; int count = 0; int i; - NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; + NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS; time_t time_now = time(NULL); BOOL use_pdc_only = False; 
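Review bot: The server mutex is still keyed on the raw configuration string (`grab_server_mutex(server)`) while the connection now goes to the resolved `remote_machine`, so two configured names that resolve to the same DC are no longer serialised against each other, which undermines the serialisation the mutex is there to provide. Consider `if (!grab_server_mutex(remote_machine))` so the lock follows the host actually contacted; the ADS path makes the gap wider because `server` is not what gets resolved there. Separately, `snprintf(..., sizeof((*cli)->mach_acct) - 1, ...)` needs no `- 1`, since snprintf already reserves room for the terminator. The enclosing function starts and ends outside this hunk.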
@@ -212,7 +279,7 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, use_pdc_only = True; if (!get_dc_list(use_pdc_only, domain, &ip_list, &count)) - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_NO_LOGON_SERVERS; /* * Firstly try and contact a PDC/BDC who has the same @@ -288,7 +355,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, fstring remote_machine; NET_USER_INFO_3 info3; struct cli_state *cli = NULL; - NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; + NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS; /* * At this point, smb_apasswd points to the lanman response to @@ -300,7 +367,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, while (!NT_STATUS_IS_OK(nt_status) && next_token(&server,remote_machine,LIST_SEP,sizeof(remote_machine))) { - if(strequal(remote_machine, "*")) { + if(lp_security() != SEC_ADS && strequal(remote_machine, "*")) { nt_status = find_connect_pdc(&cli, domain, setup_creds_as, sec_chan, trust_passwd, last_change_time); } else { nt_status = connect_to_domain_password_server(&cli, remote_machine, setup_creds_as, sec_chan, trust_passwd); @@ -503,7 +570,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte #ifdef DEBUG_PASSWORD DEBUG(100, ("Trust password for domain %s is %s\n", user_info->domain.str, trust_password)); #endif - E_md4hash((uchar *)trust_password, trust_md4_password); + E_md4hash(trust_password, trust_md4_password); SAFE_FREE(trust_password); #if 0 -- cgit From a834a73e341059be154426390304a42e4a011f72 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 25 Sep 2002 15:19:00 +0000 Subject: sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139) --- source3/auth/auth_domain.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index d48cec5b29..2e51a85281 100644 --- a/source3/auth/auth_domain.c 
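Review bot: In the check_trustdomain_security hunk (`@@ -503,7 +570,7 @@`) the plaintext `trust_password` is hashed and then released with `SAFE_FREE(trust_password)` without being cleared, so the cleartext trust secret lingers in freed heap memory; wipe it first, e.g. `memset(trust_password, 0, strlen(trust_password));` immediately before the `SAFE_FREE` (or the project's secure-wipe helper if one exists, since a plain memset before free can be optimised away). The `#ifdef DEBUG_PASSWORD` block above it prints the same secret at debug level 100, which is presumably deliberate for debug builds but worth confirming is never enabled in release binaries. The enclosing function starts and ends outside this hunk.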
+++ b/source3/auth/auth_domain.c @@ -48,7 +48,7 @@ static NTSTATUS ads_resolve_dc(fstring remote_machine, DEBUG(4,("ads_resolve_dc: realm=%s\n", ads->config.realm)); - ads->auth.no_bind = 1; + ads->auth.flags |= ADS_AUTH_NO_BIND; #ifdef HAVE_ADS /* a full ads_connect() is actually overkill, as we don't srictly need @@ -131,6 +131,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, struct in_addr dest_ip; fstring remote_machine; NTSTATUS result; + uint32 neg_flags = 0x000001ff; if (lp_security() == SEC_ADS) { result = ads_resolve_dc(remote_machine, &dest_ip); @@ -206,7 +207,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); return NT_STATUS_NO_MEMORY; } - result = cli_nt_setup_creds(*cli, sec_chan, trust_passwd); + result = cli_nt_setup_creds(*cli, sec_chan, trust_passwd, &neg_flags, 2); if (!NT_STATUS_IS_OK(result)) { DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ @@ -250,7 +251,7 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, } /*********************************************************************** - We have been asked to dynamcially determine the IP addresses of + We have been asked to dynamically determine the IP addresses of the PDC and BDC's for DOMAIN, and query them in turn. ************************************************************************/ static NTSTATUS find_connect_pdc(struct cli_state **cli, -- cgit From 36ef82a52953384acedbd51f54ded9357fa8ca3e Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 4 Oct 2002 04:10:23 +0000 Subject: merge of new client side support the Win2k LSARPC UUID in rpcbind from APP_HEAD (This used to be commit 1cfd2ee433305e91e87804dd55d10e025d30a69e) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 2e51a85281..59b9233a2d 100644 
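Review bot: `uint32 neg_flags = 0x000001ff;` and the trailing `2` in `cli_nt_setup_creds(*cli, sec_chan, trust_passwd, &neg_flags, 2)` are unexplained magic values; comment or name them, e.g. `uint32 neg_flags = 0x000001ff; /* NETLOGON negotiate flags offered to the DC — TODO confirm per-bit meaning */`, and give the `2` a named constant or a comment saying what it selects. Because `neg_flags` is passed by pointer it is presumably updated with what the DC accepted, yet the function never reads it back, so if the negotiated value matters later it is silently discarded here. The enclosing function starts and ends outside these hunks.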
--- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -190,7 +190,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, * into account also. This patch from "Bjart Kvarme" . */ - if(cli_nt_session_open(*cli, PIPE_NETLOGON) == False) { + if(cli_nt_session_open(*cli, PI_NETLOGON) == False) { DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); cli_nt_session_close(*cli); -- cgit From c53eb2ed540e79d6deae5f41e17febc5bf5dbf57 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 17 Oct 2002 17:10:24 +0000 Subject: Added new error codes. Fix up connection code to retry in the same way that app-head does. Jeremy. (This used to be commit ec7953f20145799f6286a295472df4826bfdfb8f) --- source3/auth/auth_domain.c | 33 +++++++++++++++++++++++---------- 1 file changed, 23 insertions(+), 10 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 59b9233a2d..129c486562 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -88,8 +88,7 @@ static NTSTATUS rpc_resolve_dc(const char *server, way to find it, but until we have a RPC call that does this it will have to do */ if (!name_status_find("*", 0x20, 0x20, to_ip, remote_machine)) { - DEBUG(2, ("connect_to_domain_password_server: Can't " - "resolve name for IP %s\n", server)); + DEBUG(2, ("rpc_resolve_dc: Can't resolve name for IP %s\n", server)); return NT_STATUS_NO_LOGON_SERVERS; } @@ -100,7 +99,7 @@ static NTSTATUS rpc_resolve_dc(const char *server, fstrcpy(remote_machine, server); strupper(remote_machine); if (!resolve_name(remote_machine, dest_ip, 0x20)) { - DEBUG(1,("connect_to_domain_password_server: Can't resolve address for %s\n", + DEBUG(1,("rpc_resolve_dc: Can't resolve address for %s\n", remote_machine)); return NT_STATUS_NO_LOGON_SERVERS; } 
@@ -126,18 +125,20 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, const char *server, const char *setup_creds_as, uint16 sec_chan, - const unsigned char *trust_passwd) + const unsigned char *trust_passwd, + BOOL *retry) { struct in_addr dest_ip; fstring remote_machine; NTSTATUS result; uint32 neg_flags = 0x000001ff; - if (lp_security() == SEC_ADS) { + *retry = False; + + if (lp_security() == SEC_ADS) result = ads_resolve_dc(remote_machine, &dest_ip); - } else { + else result = rpc_resolve_dc(server, remote_machine, &dest_ip); - } if (!NT_STATUS_IS_OK(result)) { DEBUG(2,("connect_to_domain_password_server: unable to resolve DC: %s\n", @@ -165,12 +166,14 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, * ACCESS_DENIED errors if 2 auths are done from the same machine. JRA. */ + *retry = True; + if (!grab_server_mutex(server)) return NT_STATUS_NO_LOGON_SERVERS; /* Attempt connection */ result = cli_full_connection(cli, global_myname, remote_machine, - &dest_ip, 0, "IPC$", "IPC", "", "", "",0); + &dest_ip, 0, "IPC$", "IPC", "", "", "",0, retry); if (!NT_STATUS_IS_OK(result)) { release_server_mutex(); @@ -235,7 +238,10 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, uint16 sec_chan, const unsigned char *trust_passwd) { + NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; + BOOL retry = True; fstring dc_name; + int i; /* * Ignore addresses we have already tried. @@ -247,7 +253,10 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, if (!lookup_dc_name(global_myname, domain, ip, dc_name)) return NT_STATUS_NO_LOGON_SERVERS; - return connect_to_domain_password_server(cli, dc_name, setup_creds_as, sec_chan, trust_passwd); + for (i = 0; (!NT_STATUS_IS_OK(ret)) && retry && (i < 3); i++) + ret = connect_to_domain_password_server(cli, dc_name, setup_creds_as, + sec_chan, trust_passwd, &retry); + return ret; } /*********************************************************************** 
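Review bot: The new retry loop in attempt_connect_to_dc hard-codes `i < 3`, and the `@@ -371,7 +380,11 @@` hunk in domain_client_validate repeats the same loop with the same literal; hoist it to a named constant such as `#define DC_CONNECT_RETRIES 3` and ideally into one small helper so the two copies cannot drift. In the first hunk the braces around `if (lp_security() == SEC_ADS) ... else ...` are removed; keeping braces on multi-branch conditionals is the safer C style. `*retry = True;` is also set before `grab_server_mutex(server)`, so a failed mutex grab is reported as retryable and the three attempts run back-to-back with no delay — probably intended, but worth a one-line comment. The enclosing functions start and end outside these hunks.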
@@ -371,7 +380,11 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, if(lp_security() != SEC_ADS && strequal(remote_machine, "*")) { nt_status = find_connect_pdc(&cli, domain, setup_creds_as, sec_chan, trust_passwd, last_change_time); } else { - nt_status = connect_to_domain_password_server(&cli, remote_machine, setup_creds_as, sec_chan, trust_passwd); + int i; + BOOL retry = False; + for (i = 0; !NT_STATUS_IS_OK(nt_status) && retry && (i < 3); i++) + nt_status = connect_to_domain_password_server(&cli, remote_machine, setup_creds_as, + sec_chan, trust_passwd, &retry); } } -- cgit From ab1cf8d1cf447e85063b43b65fa05c8b4bfde2a9 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 6 Nov 2002 05:14:15 +0000 Subject: Merge of get_dc_list() api change from HEAD. (This used to be commit 6ba7847ce2756fde94e530fd0bf2a055f3e27373) --- source3/auth/auth_domain.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 129c486562..e18d809efb 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -288,8 +288,23 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, if (time_now - last_change_time < 3600) use_pdc_only = True; - if (!get_dc_list(use_pdc_only, domain, &ip_list, &count)) - return NT_STATUS_NO_LOGON_SERVERS; + if (use_pdc_only) { + struct in_addr pdc_ip; + + if (!get_pdc_ip(domain, &pdc_ip)) + return NT_STATUS_NO_LOGON_SERVERS; + + if ((ip_list = (struct in_addr *) + malloc(sizeof(struct in_addr))) == NULL) + return NT_STATUS_NO_MEMORY; + + ip_list[0] = pdc_ip; + count = 1; + + } else { + if (!get_dc_list(domain, &ip_list, &count)) + return NT_STATUS_NO_LOGON_SERVERS; + } /* * Firstly try and contact a PDC/BDC who has the same -- cgit From 66531104fed805080b53838eb720e81393675f98 Mon Sep 17 00:00:00 2001 
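Review bot: In the domain_client_validate hunk, `BOOL retry = False;` together with the loop condition `!NT_STATUS_IS_OK(nt_status) && retry && (i < 3)` means the body never executes, so an explicitly configured password server is never contacted and the caller is left with the initial NT_STATUS_NO_LOGON_SERVERS. It must start as `BOOL retry = True;`, matching the initialisation in attempt_connect_to_dc; a later commit in this log (d4c4b3f) makes exactly that change. The enclosing function starts and ends outside this hunk.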
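Review bot: In the find_connect_pdc hunk, `(struct in_addr *) malloc(sizeof(struct in_addr))` casts the malloc result and sizes by the type name; the idiomatic form is `ip_list = malloc(sizeof *ip_list);`, which needs no cast and stays correct if the element type changes. The single-element allocation exists only so the PDC-only case can share the scan loop below, which deserves a one-line comment, e.g. `/* wrap the single PDC address in a one-entry list so the scan below is shared */`. The enclosing function starts and ends outside this hunk.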
From: Tim Potter Date: Fri, 8 Nov 2002 01:38:45 +0000 Subject: Don't set global_machine_password_needs_changing if lp_machine_password_timeout() is set to zero. (This used to be commit 3692919aee186498848715505047a1cde83758b7) --- source3/auth/auth_domain.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index e18d809efb..f58e8bac47 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -510,10 +510,12 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } - /* Test if machine password is expired and need to be changed */ - if (time(NULL) > last_change_time + lp_machine_password_timeout()) - { - global_machine_password_needs_changing = True; + /* Test if machine password has expired and needs to be changed */ + if (lp_machine_password_timeout()) { + if (time(NULL) > (last_change_time + + lp_machine_password_timeout())) { + global_machine_password_needs_changing = True; + } } /* -- cgit From d4c4b3f2605071e8515c09c8e9aeba57e4d0fe98 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 9 Nov 2002 03:48:39 +0000 Subject: Fix bug found by tpot with given password server. Jeremy. (This used to be commit d46b4cb563850c77ee23b95df35a7f752a235d35) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index f58e8bac47..9d4824fbc7 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c 
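Review bot: The new expiry test still fires when `last_change_time` is 0, since `time(NULL) > 0 + timeout` is effectively always true; if the secrets lookup can hand back a zero change time (a freshly joined or migrated machine, for instance), this sets global_machine_password_needs_changing on every logon. Guard it, e.g. `if (last_change_time > 0 && time(NULL) > (last_change_time + lp_machine_password_timeout()))`; a later commit in this log (212077a) adds that guard. The enclosing function starts and ends outside this hunk.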
@@ -396,7 +396,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, nt_status = find_connect_pdc(&cli, domain, setup_creds_as, sec_chan, trust_passwd, last_change_time); } else { int i; - BOOL retry = False; + BOOL retry = True; for (i = 0; !NT_STATUS_IS_OK(nt_status) && retry && (i < 3); i++) nt_status = connect_to_domain_password_server(&cli, remote_machine, setup_creds_as, sec_chan, trust_passwd, &retry); -- cgit From 2f194322d419350f35a48dff750066894d68eccf Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 12 Nov 2002 23:20:50 +0000 Subject: Removed global_myworkgroup, global_myname, global_myscope. Added liberal dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89) --- source3/auth/auth_domain.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 9d4824fbc7..2a6614e28e 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -26,7 +26,6 @@ BOOL global_machine_password_needs_changing = False; -extern pstring global_myname; extern userdom_struct current_user_info; @@ -172,7 +171,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, return NT_STATUS_NO_LOGON_SERVERS; /* Attempt connection */ - result = cli_full_connection(cli, global_myname, remote_machine, + result = cli_full_connection(cli, global_myname(), remote_machine, &dest_ip, 0, "IPC$", "IPC", "", "", "",0, retry); if (!NT_STATUS_IS_OK(result)) { 
@@ -250,7 +249,7 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, if (is_zero_ip(*ip)) return NT_STATUS_NO_LOGON_SERVERS; - if (!lookup_dc_name(global_myname, domain, ip, dc_name)) + if (!lookup_dc_name(global_myname(), domain, ip, dc_name)) return NT_STATUS_NO_LOGON_SERVERS; for (i = 0; (!NT_STATUS_IS_OK(ret)) && retry && (i < 3); i++) @@ -372,7 +371,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, const char *domain, uchar chal[8], auth_serversupplied_info **server_info, - char *server, char *setup_creds_as, + const char *server, const char *setup_creds_as, uint16 sec_chan, unsigned char trust_passwd[16], time_t last_change_time) @@ -481,7 +480,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, char *password_server; unsigned char trust_passwd[16]; time_t last_change_time; - char *domain = lp_workgroup(); + const char *domain = lp_workgroup(); if (!user_info || !server_info || !auth_context) { DEBUG(1,("check_ntdomain_security: Critical variables not present. Failing.\n")); @@ -494,7 +493,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, * password file. */ - if(is_netbios_alias_or_name(user_info->domain.str)) { + if(is_myname(user_info->domain.str)) { DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n")); return NT_STATUS_LOGON_FAILURE; } @@ -528,7 +527,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, nt_status = domain_client_validate(mem_ctx, user_info, domain, (uchar *)auth_context->challenge.data, server_info, - password_server, global_myname, SEC_CHAN_WKSTA, trust_passwd, last_change_time); + password_server, global_myname(), SEC_CHAN_WKSTA, trust_passwd, last_change_time); return nt_status; } 
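Review bot: Replacing `is_netbios_alias_or_name()` with `is_myname()` in the "requested domain was for this machine" guard narrows what counts as local: if is_myname() does not cover configured NetBIOS aliases (its name suggests it checks only the primary name), a logon whose domain field is one of our aliases is no longer short-circuited to NT_STATUS_LOGON_FAILURE and is instead forwarded to the DC. The same substitution appears in the `@@ -572,7 +571,7 @@` hunk in check_trustdomain_security. Confirm that is_myname() matches aliases, or keep the alias-aware check at both sites. The enclosing function starts and ends outside this hunk.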
@@ -572,7 +571,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte * password file. */ - if(is_netbios_alias_or_name(user_info->domain.str)) { + if(is_myname(user_info->domain.str)) { DEBUG(3,("check_trustdomain_security: Requested domain was for this machine.\n")); return NT_STATUS_LOGON_FAILURE; } -- cgit From 3ab6fcc5c6160d322bdfd2ca771dcf7954e92df7 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sat, 23 Nov 2002 14:52:34 +0000 Subject: [merge from APP_HEAD] 90% fix for CR 1076. The password server parameter will no take things like password server = DC1 * which means to contact DC1 first and the go to auto lookup if it fails. jerry (This used to be commit 016ef8b36b30846311a5321803298f8e28719244) --- source3/auth/auth_domain.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 2a6614e28e..eebe647ec0 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -275,6 +275,7 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS; time_t time_now = time(NULL); BOOL use_pdc_only = False; + BOOL list_ordered; /* * If the time the machine password has changed @@ -301,7 +302,7 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, count = 1; } else { - if (!get_dc_list(domain, &ip_list, &count)) + if (!get_dc_list(domain, &ip_list, &count, &list_ordered)) return NT_STATUS_NO_LOGON_SERVERS; } @@ -310,7 +311,7 @@ static NTSTATUS find_connect_pdc(struct cli_state **cli, * network address as any of our interfaces. */ for(i = 0; i < count; i++) { - if(!is_local_net(ip_list[i])) + if( !list_ordered && !is_local_net(ip_list[i]) ) continue; if(NT_STATUS_IS_OK(nt_status = -- cgit From 899b6e6d0facd1ef5865ce550fadd292514955d6 Mon Sep 17 00:00:00 2001 
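Review bot: `BOOL list_ordered;` is declared without an initialiser and is assigned only in the `else` branch by `get_dc_list(domain, &ip_list, &count, &list_ordered)`, yet the loop test `if( !list_ordered && !is_local_net(ip_list[i]) )` reads it on both paths; on the PDC-only path (`count = 1` from get_pdc_ip) that is a read of an uninitialised automatic variable, which is undefined behaviour. Initialise it at the declaration: `BOOL list_ordered = False;`. The enclosing function find_connect_pdc starts and ends outside these hunks.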
From: Gerald Carter Date: Fri, 13 Dec 2002 02:07:05 +0000 Subject: merge of get_dc_name()-like code from APP_HEAD; better support password server = DC1 * (This used to be commit f49de4c5176bf635ac080e082fda412066b466c8) --- source3/auth/auth_domain.c | 96 ++++------------------------------------------ 1 file changed, 8 insertions(+), 88 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index eebe647ec0..8c56b4484e 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c 
@@ -262,103 +262,23 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, We have been asked to dynamically determine the IP addresses of the PDC and BDC's for DOMAIN, and query them in turn. ************************************************************************/ -static NTSTATUS find_connect_pdc(struct cli_state **cli, +static NTSTATUS find_connect_dc(struct cli_state **cli, const char *domain, const char *setup_creds_as, uint16 sec_chan, unsigned char *trust_passwd, time_t last_change_time) { - struct in_addr *ip_list = NULL; - int count = 0; - int i; - NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS; - time_t time_now = time(NULL); - BOOL use_pdc_only = False; - BOOL list_ordered; - - /* - * If the time the machine password has changed - * was less than an hour ago then we need to contact - * the PDC only, as we cannot be sure domain replication - * has yet taken place. Bug found by Gerald (way to go - * Gerald !). JRA. - */ - - if (time_now - last_change_time < 3600) - use_pdc_only = True; - - if (use_pdc_only) { - struct in_addr pdc_ip; + struct in_addr dc_ip; + fstring srv_name; - if (!get_pdc_ip(domain, &pdc_ip)) - return NT_STATUS_NO_LOGON_SERVERS; - - if ((ip_list = (struct in_addr *) - malloc(sizeof(struct in_addr))) == NULL) - return NT_STATUS_NO_MEMORY; - - ip_list[0] = pdc_ip; - count = 1; - - } else { - if (!get_dc_list(domain, &ip_list, &count, &list_ordered)) + if ( !rpc_find_dc(lp_workgroup(), srv_name, &dc_ip) ) { + DEBUG(0,("find_connect_dc: Failed to find an DCs for %s\n", lp_workgroup())); return NT_STATUS_NO_LOGON_SERVERS; } - /* - * Firstly try and contact a PDC/BDC who has the same - * network address as any of our interfaces. - */ - for(i = 0; i < count; i++) { - if( !list_ordered && !is_local_net(ip_list[i]) ) - continue; - - if(NT_STATUS_IS_OK(nt_status = - attempt_connect_to_dc(cli, domain, - &ip_list[i], setup_creds_as, - sec_chan, trust_passwd))) - break; - - zero_ip(&ip_list[i]); /* Tried and failed. 
*/ - } - - /* - * Secondly try and contact a random PDC/BDC. - */ - if(!NT_STATUS_IS_OK(nt_status)) { - i = (sys_random() % count); - - if (!is_zero_ip(ip_list[i])) { - if (!NT_STATUS_IS_OK(nt_status = - attempt_connect_to_dc(cli, domain, - &ip_list[i], setup_creds_as, - sec_chan, trust_passwd))) - zero_ip(&ip_list[i]); /* Tried and failed. */ - } - } - - /* - * Finally go through the IP list in turn, ignoring any addresses - * we have already tried. - */ - if(!NT_STATUS_IS_OK(nt_status)) { - /* - * Try and connect to any of the other IP addresses in the PDC/BDC list. - * Note that from a WINS server the #1 IP address is the PDC. - */ - for(i = 0; i < count; i++) { - if (is_zero_ip(ip_list[i])) - continue; - - if (NT_STATUS_IS_OK(nt_status = attempt_connect_to_dc(cli, domain, - &ip_list[i], setup_creds_as, sec_chan, trust_passwd))) - break; - } - } - - SAFE_FREE(ip_list); - return nt_status; + return attempt_connect_to_dc( cli, domain, &dc_ip, setup_creds_as, + sec_chan, trust_passwd ); } /*********************************************************************** @@ -393,7 +313,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, while (!NT_STATUS_IS_OK(nt_status) && next_token(&server,remote_machine,LIST_SEP,sizeof(remote_machine))) { if(lp_security() != SEC_ADS && strequal(remote_machine, "*")) { - nt_status = find_connect_pdc(&cli, domain, setup_creds_as, sec_chan, trust_passwd, last_change_time); + nt_status = find_connect_dc(&cli, domain, setup_creds_as, sec_chan, trust_passwd, last_change_time); } else { int i; BOOL retry = True; -- cgit From db972ebb93d52624355191614a180b12a296a1c4 Mon Sep 17 00:00:00 2001 
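Review bot: The rewritten find_connect_dc ignores its `domain` parameter: both `rpc_find_dc(lp_workgroup(), srv_name, &dc_ip)` and the failure DEBUG use lp_workgroup(), so a caller passing a trusted domain gets a DC of our own workgroup; pass `domain` to both (a later commit in this log, 59e0836, fixes the lookup but not the message). `last_change_time` is now unused and `srv_name` is filled but never read, so either drop them or say why they are kept, and "Failed to find an DCs" should read "Failed to find any DCs". The header comment above the function still says the DCs are "queried in turn", which no longer describes a single rpc_find_dc lookup and should be updated. The second hunk of this commit is a pure rename.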
From: Andrew Bartlett Date: Sat, 4 Jan 2003 08:59:34 +0000 Subject: Make it clear that the credentials are being setup on the NETLOGON channel, and may not be to our PDC (might be BDC, or trusted DC). Andrew Bartlett (This used to be commit 610be8d483f335226386f92b5e85ddeb07846d41) --- source3/auth/auth_domain.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 8c56b4484e..79cf5b156d 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -212,7 +212,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); result = cli_nt_setup_creds(*cli, sec_chan, trust_passwd, &neg_flags, 2); if (!NT_STATUS_IS_OK(result)) { - DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \ + DEBUG(0,("connect_to_domain_password_server: unable to setup the NETLOGON credentials to machine \ %s. Error was : %s.\n", remote_machine, nt_errstr(result))); cli_nt_session_close(*cli); cli_ulogoff(*cli); @@ -274,9 +274,9 @@ static NTSTATUS find_connect_dc(struct cli_state **cli, if ( !rpc_find_dc(lp_workgroup(), srv_name, &dc_ip) ) { DEBUG(0,("find_connect_dc: Failed to find an DCs for %s\n", lp_workgroup())); - return NT_STATUS_NO_LOGON_SERVERS; + return NT_STATUS_NO_LOGON_SERVERS; } - + return attempt_connect_to_dc( cli, domain, &dc_ip, setup_creds_as, sec_chan, trust_passwd ); } -- cgit From 212077afa275b7111e2a28798affa9689dede2ba Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 14 Jan 2003 07:26:12 +0000 Subject: Merge indirection, signed/unsigned and uninitialiased-value fixes from HEAD. Andrew Bartlett (This used to be commit 2a1adb8f81d8966e8919fffb9b4c69f3e6acd44f) --- source3/auth/auth_domain.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') 
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 79cf5b156d..b3f50072bc 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -432,7 +432,8 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, /* Test if machine password has expired and needs to be changed */ if (lp_machine_password_timeout()) { - if (time(NULL) > (last_change_time + + if (last_change_time > 0 && + time(NULL) > (last_change_time + lp_machine_password_timeout())) { global_machine_password_needs_changing = True; } -- cgit From 45d3e78547cb2024d9cf7bf1fc838dd33ad8126b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 17 Mar 2003 22:42:56 +0000 Subject: Mege from HEAD - doxygen. (This used to be commit 04a5cbc8964386774acdca759b4cfaded068c8f2) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index b3f50072bc..0d90a184a4 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -115,7 +115,7 @@ static NTSTATUS rpc_resolve_dc(const char *server, * @param cli the cli to return containing the active connection * @param server either a machine name or text IP address to * connect to. - * @param trust_password the trust password to establish the + * @param trust_passwd the trust password to establish the * credentials with. * **/ -- cgit From 53beee9e5675a59c67d9ecfbaec50dca4ac01750 Mon Sep 17 00:00:00 2001 
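Review bot: The added `last_change_time > 0 &&` guard carries no comment saying what a zero value means, so the next reader cannot tell whether it protects against an unset secret or against arithmetic on a bogus time; add something like `/* a zero change time presumably means "never recorded"; don't treat it as expired — TODO confirm against secrets_fetch_trust_account_password */`. The enclosing function starts and ends outside this hunk.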
From: Andrew Bartlett Date: Mon, 24 Mar 2003 09:54:13 +0000 Subject: (merge from HEAD) NTLM Authentication: - Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664) --- source3/auth/auth_domain.c | 7 ------- 1 file changed, 7 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 0d90a184a4..534af2257d 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c 
@@ -350,13 +350,6 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, } else { nt_status = make_server_info_info3(mem_ctx, user_info->internal_username.str, user_info->smb_name.str, domain, server_info, &info3); -#if 0 - /* The stuff doesn't work right yet */ - SMB_ASSERT(sizeof((*server_info)->session_key) == sizeof(info3.user_sess_key)); - memcpy((*server_info)->session_key, info3.user_sess_key, sizeof((*server_info)->session_key)/* 16 */); - SamOEMhash((*server_info)->session_key, trust_passwd, sizeof((*server_info)->session_key)); -#endif - uni_group_cache_store_netlogon(mem_ctx, &info3); } -- cgit From a8c95d79f83b4097ee20d5f3f1005c38ccf00186 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Wed, 16 Apr 2003 12:13:07 +0000 Subject: Add support for the new modules system to auth/ (merge from HEAD) (This used to be commit c7a1de090db35835be1a1623bfc80c04065c5dd9) --- source3/auth/auth_domain.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 534af2257d..24a5bb562c 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -24,7 +24,7 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -BOOL global_machine_password_needs_changing = False; +extern BOOL global_machine_password_needs_changing; extern userdom_struct current_user_info; @@ -545,3 +545,10 @@ NTSTATUS auth_init_trustdomain(struct auth_context *auth_context, const char* pa (*auth_method)->auth = check_trustdomain_security; return NT_STATUS_OK; } + +int auth_domain_init(void) +{ + smb_register_auth("trustdomain", auth_init_trustdomain, AUTH_INTERFACE_VERSION); + smb_register_auth("ntdomain", auth_init_ntdomain, AUTH_INTERFACE_VERSION); + return True; +} -- cgit From f071020f5e49837154581c97c5af5f84d0e2de89 Mon Sep 17 00:00:00 2001 
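Review bot: `auth_domain_init()` discards the return values of both `smb_register_auth()` calls and unconditionally returns True, so a failed registration (interface version mismatch, duplicate name) is reported to the module loader as success; the later NTSTATUS rewrite in this log (`@@ -557,9 +557,9 @@`) keeps the same pattern. Check each call and propagate the failure, along the lines of the fence below. Whether smb_register_auth's int result is a BOOL or a status code is not visible here, so adjust the test to its actual contract.
```c
int auth_domain_init(void)
{
	if (!smb_register_auth("trustdomain", auth_init_trustdomain, AUTH_INTERFACE_VERSION)) {
		return False;
	}
	if (!smb_register_auth("ntdomain", auth_init_ntdomain, AUTH_INTERFACE_VERSION)) {
		return False;
	}
	return True;
}
```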
From: Andrew Bartlett Date: Mon, 21 Apr 2003 14:09:03 +0000 Subject: Merge from HEAD - save the type of channel used to contact the DC. This allows us to join as a BDC, without appearing on the network as one until we have the database replicated, and the admin changes the configuration. This also change the SID retreval order from secrets.tdb, so we no longer require a 'net rpc getsid' - the sid fetch during the domain join is sufficient. Also minor fixes to 'net'. Andrew Bartlett (This used to be commit 876e00fd112e4aaf7519eec27f382eb99ec7562a) --- source3/auth/auth_domain.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 24a5bb562c..e49a41763b 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -347,6 +347,11 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, "Error was %s.\n", user_info->smb_name.str, user_info->domain.str, cli->srv_name_slash, nt_errstr(nt_status))); + + /* map to something more useful */ + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_UNSUCCESSFUL)) { + nt_status = NT_STATUS_NO_LOGON_SERVERS; + } } else { nt_status = make_server_info_info3(mem_ctx, user_info->internal_username.str, user_info->smb_name.str, domain, server_info, &info3); @@ -395,6 +400,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, unsigned char trust_passwd[16]; time_t last_change_time; const char *domain = lp_workgroup(); + uint32 sec_channel_type = 0; if (!user_info || !server_info || !auth_context) { DEBUG(1,("check_ntdomain_security: Critical variables not present. Failing.\n")); 
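Review bot: The comment `/* map to something more useful */` does not say what NT_STATUS_UNSUCCESSFUL represents at this point or why NT_STATUS_NO_LOGON_SERVERS is the better report; the DEBUG above it does log the original code, but the caller only ever sees the mapped one. Expand the comment to state the failure class being translated, e.g. `/* NT_STATUS_UNSUCCESSFUL here is a DC-side/RPC failure rather than a credential verdict; report it as NO_LOGON_SERVERS — TODO confirm */`. The enclosing function starts and ends outside this hunk.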
@@ -417,7 +423,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, * No need to become_root() as secrets_init() is done at startup. */ - if (!secrets_fetch_trust_account_password(domain, trust_passwd, &last_change_time)) + if (!secrets_fetch_trust_account_password(domain, trust_passwd, &last_change_time, &sec_channel_type)) { DEBUG(0, ("check_ntdomain_security: could not fetch trust account password for domain '%s'\n", domain)); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; @@ -442,7 +448,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, nt_status = domain_client_validate(mem_ctx, user_info, domain, (uchar *)auth_context->challenge.data, server_info, - password_server, global_myname(), SEC_CHAN_WKSTA, trust_passwd, last_change_time); + password_server, global_myname(), sec_channel_type,trust_passwd, last_change_time); return nt_status; } -- cgit From 59e0836b7f4221fd002abab083f71f04dffe7648 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 24 Apr 2003 11:56:09 +0000 Subject: Merge auth changes from HEAD: - better error codes than NT_STATUS_UNSUCCESSFUL for domain logon errors - make auth_winbind load the ntdomain module if winbind isn't there. - use new trusted domains cache to determine if the domain is valid. Andrew Bartlett (This used to be commit ec8d6524c6b0c70927a2b57aab71d9e3a7f8a150) --- source3/auth/auth_domain.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index e49a41763b..db5f7d82b0 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c 
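Review bot: `sec_channel_type` is declared `uint32` in the `@@ -395,6 +400,7 @@` hunk of this commit but is passed to domain_client_validate's `uint16 sec_chan` parameter, an implicit narrowing that `-Wconversion` will flag; declare it with the type the callee expects or make the conversion explicit. If secrets_fetch_trust_account_password can succeed without setting it, the channel type stays at its initial 0 and is used as-is, so an explicit `if (sec_channel_type == 0)` failure path before the call would make that case visible — hedged, since the fetch function's contract is not shown here. The enclosing function starts and ends outside these hunks.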
@@ -175,6 +175,11 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, &dest_ip, 0, "IPC$", "IPC", "", "", "",0, retry); if (!NT_STATUS_IS_OK(result)) { + /* map to something more useful */ + if (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)) { + result = NT_STATUS_NO_LOGON_SERVERS; + } + release_server_mutex(); return result; } @@ -272,7 +277,7 @@ static NTSTATUS find_connect_dc(struct cli_state **cli, struct in_addr dc_ip; fstring srv_name; - if ( !rpc_find_dc(lp_workgroup(), srv_name, &dc_ip) ) { + if (!rpc_find_dc(domain, srv_name, &dc_ip)) { DEBUG(0,("find_connect_dc: Failed to find an DCs for %s\n", lp_workgroup())); return NT_STATUS_NO_LOGON_SERVERS; } -- cgit From 17a3acafa89bfc6090b0767d05a00a7505003fcc Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 28 Apr 2003 17:48:48 +0000 Subject: Use NTSTATUS as return value for smb_register_*() functions and init_module() function. Patch by metze with some minor modifications. (This used to be commit bc4b51bcb2daa7271c884cb83bf8bdba6d3a9b6d) --- source3/auth/auth_domain.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index db5f7d82b0..bc03fecf74 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -557,9 +557,9 @@ NTSTATUS auth_init_trustdomain(struct auth_context *auth_context, const char* pa return NT_STATUS_OK; } -int auth_domain_init(void) +NTSTATUS auth_domain_init(void) { - smb_register_auth("trustdomain", auth_init_trustdomain, AUTH_INTERFACE_VERSION); - smb_register_auth("ntdomain", auth_init_ntdomain, AUTH_INTERFACE_VERSION); - return True; + smb_register_auth(AUTH_INTERFACE_VERSION, "trustdomain", auth_init_trustdomain); + smb_register_auth(AUTH_INTERFACE_VERSION, "ntdomain", auth_init_ntdomain); + return NT_STATUS_OK; } -- cgit From d1da999e0a84939e372ebe590861376e2c0075b3 Mon Sep 17 00:00:00 2001 
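Review bot: The lookup in find_connect_dc now uses `domain`, but the failure message on the next line still prints lp_workgroup(), so a failed DC search for a trusted domain is logged under our own workgroup name. Change it to `DEBUG(0,("find_connect_dc: Failed to find an DCs for %s\n", domain));`. find_connect_dc's body continues past the hunk.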
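Review bot: Both smb_register_auth() calls in auth_domain_init() discard their result even though this commit makes them return NTSTATUS, so a failed registration (an interface-version mismatch, for example) is still reported to the module loader as NT_STATUS_OK. Capture each status and return the first failure, e.g. `nt_status = smb_register_auth(AUTH_INTERFACE_VERSION, "trustdomain", auth_init_trustdomain); if (!NT_STATUS_IS_OK(nt_status)) return nt_status;` for each call, with the second call's status returned directly at the end.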
From: Volker Lendecke Date: Thu, 8 May 2003 08:02:52 +0000 Subject: This puts real netlogon connection caching to winbind. This becomes important once we start doing schannel, as there would be a lot more roundtrips for the second PIPE open and bind. With this patch logging in to a member server is a matter of two (three if you count the ack...) packets between us and the DC. Volker (This used to be commit 5b3cb7725a974629d0bd8b707bc2940c36b8745e) --- source3/auth/auth_domain.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index bc03fecf74..827b4029d2 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -130,7 +130,6 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, struct in_addr dest_ip; fstring remote_machine; NTSTATUS result; - uint32 neg_flags = 0x000001ff; *retry = False; @@ -214,7 +213,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); return NT_STATUS_NO_MEMORY; } - result = cli_nt_setup_creds(*cli, sec_chan, trust_passwd, &neg_flags, 2); + result = cli_nt_establish_netlogon(*cli, sec_chan, trust_passwd); if (!NT_STATUS_IS_OK(result)) { DEBUG(0,("connect_to_domain_password_server: unable to setup the NETLOGON credentials to machine \ @@ -341,6 +340,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, */ nt_status = cli_netlogon_sam_network_logon(cli, mem_ctx, + NULL, user_info->smb_name.str, user_info->domain.str, user_info->wksta_name.str, chal, user_info->lm_resp, user_info->nt_resp, -- cgit From cad20ab63b55462836da007de39fc84ffa38eda8 Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij Date: Wed, 4 Jun 2003 16:40:50 +0000 Subject: Add some static. Patch by Stefan Metzmacher (This used to be commit e1a8e9b7f3e69c7271d2b715703b2d5b2412bd42) --- source3/auth/auth_domain.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 827b4029d2..2991684280 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -458,7 +458,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, } /* module initialisation */ -NTSTATUS auth_init_ntdomain(struct auth_context *auth_context, const char* param, auth_methods **auth_method) +static NTSTATUS auth_init_ntdomain(struct auth_context *auth_context, const char* param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { return NT_STATUS_NO_MEMORY; @@ -546,7 +546,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte } /* module initialisation */ -NTSTATUS auth_init_trustdomain(struct auth_context *auth_context, const char* param, auth_methods **auth_method) +static NTSTATUS auth_init_trustdomain(struct auth_context *auth_context, const char* param, auth_methods **auth_method) { if (!make_auth_methods(auth_context, auth_method)) { return NT_STATUS_NO_MEMORY; -- cgit From 292a51eda152f5e1885f38f3a811e956560f33f0 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 13 Jun 2003 21:03:15 +0000 Subject: Forward port the app-head changes for dc name cache into 3.0. Jeremy. (This used to be commit 8bcc3116a22ce11b55a35f3363230f54bc5735fc) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 2991684280..f1575e43b0 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c 
@@ -276,7 +276,7 @@ static NTSTATUS find_connect_dc(struct cli_state **cli, struct in_addr dc_ip; fstring srv_name; - if (!rpc_find_dc(domain, srv_name, &dc_ip)) { + if (!get_dc_name(domain, srv_name, &dc_ip)) { DEBUG(0,("find_connect_dc: Failed to find an DCs for %s\n", lp_workgroup())); return NT_STATUS_NO_LOGON_SERVERS; } -- cgit From 93bcb9963bef53b91a0b16c6389cefdb7bea2b0e Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sat, 21 Jun 2003 04:05:01 +0000 Subject: merge of the netsamlogon caching code from APPLIANCE_HEAD This replaces the universal group caching code (was originally based on that code). Only applies to the the RPC code. One comment: domain local groups don't show up in 'getent group' that's easy to fix. Code has been tested against 2k domain but doesn't change anything with respect to NT4 domains. netsamlogon caching works pretty much like the universal group caching code did but has had much more testing and puts winbind mostly back in sync between branches. (This used to be commit aac01dc7bc95c20ee21c93f3581e2375d9a894e1) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index f1575e43b0..66684cc940 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -360,7 +360,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, } else { nt_status = make_server_info_info3(mem_ctx, user_info->internal_username.str, user_info->smb_name.str, domain, server_info, &info3); - uni_group_cache_store_netlogon(mem_ctx, &info3); + netsamlogon_cache_store( mem_ctx, &info3 ); } #if 0 -- cgit From f36c96d59c79a51610bb5a1fc42ac62bd8d08401 Mon Sep 17 00:00:00 2001 
From: Gerald Carter Date: Mon, 23 Jun 2003 19:05:23 +0000 Subject: * s/get_dc_name/rpc_dc_name/g (revert a previous change) * move back to qsort() for sorting IP address in get_dc_list() * remove dc_name_cache in cm_get_dc_name() since it slowed things down more than it helped. I've made a note of where to add in the negative connection cache in the ads code. Will come back to that. * fix rpcclient to use PRINTER_ALL_ACCESS for set printer (instead of MAX_ALLOWED) * only enumerate domain local groups in our domain * simplify ldap search for seqnum in winbindd's rpc backend (This used to be commit f8cab8635b02b205b4031279cedd804c1fb22c5b) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 66684cc940..5b2e287f6b 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -276,7 +276,7 @@ static NTSTATUS find_connect_dc(struct cli_state **cli, struct in_addr dc_ip; fstring srv_name; - if (!get_dc_name(domain, srv_name, &dc_ip)) { + if (!rpc_dc_name(domain, srv_name, &dc_ip)) { DEBUG(0,("find_connect_dc: Failed to find an DCs for %s\n", lp_workgroup())); return NT_STATUS_NO_LOGON_SERVERS; } -- cgit From f51d769dd303027a3dbf46fc89a482933988e866 Mon Sep 17 00:00:00 2001 
From: Gerald Carter Date: Wed, 25 Jun 2003 17:41:05 +0000 Subject: large change: *) consolidates the dc location routines again (dns and netbios) get_dc_list() or get_sorted_dc_list() is the authoritative means of locating DC's again. (also inludes a flag to get_dc_list() to define if this should be a DNS only lookup or not) (however, if you set "name resolve order = hosts wins" you could still get DNS queries for domain name IFF ldap_domain2hostlist() fails. The answer? Fix your DNS setup) *) enabled DOMAIN<0x1c> lookups to be funneled through resolve_hosts resulting in a call to ldap_domain2hostlist() if lp_security() == SEC_ADS *) enables name cache for winbind ADS backend *) enable the negative connection cache for winbind ADS backend *) removes some old dead code *) consolidates some duplicate code *) moves the internal_name_resolve() to use an IP/port pair to deal with SRV RR dns replies. The namecache code also supports the IP:port syntax now as well. *) removes 'ads server' and moves the functionality back into 'password server' (which can support "hostname:port" syntax now but works fine with defaults depending on the value of lp_security()) (This used to be commit d7f7fcda425bef380441509734eca33da943c091) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 5b2e287f6b..df19a274fb 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -253,7 +253,7 @@ static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, if (is_zero_ip(*ip)) return NT_STATUS_NO_LOGON_SERVERS; - if (!lookup_dc_name(global_myname(), domain, ip, dc_name)) + if ( !name_status_find( domain, 0x1b, 0x20, *ip, dc_name) ) return NT_STATUS_NO_LOGON_SERVERS; for (i = 0; (!NT_STATUS_IS_OK(ret)) && retry && (i < 3); i++) -- cgit From 8a6fc79ad8d9f1b6c4f604b173426bf821f98208 Mon Sep 17 00:00:00 2001 
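Review bot: attempt_connect_to_dc now resolves the DC's name with name_status_find(domain, 0x1b, 0x20, ...); if 0x1b is the domain-master-browser suffix that only the PDC registers, as it is elsewhere in Samba, an IP belonging to a BDC will not answer for that name and the attempt is abandoned with NT_STATUS_NO_LOGON_SERVERS even though the host is a valid DC. The previous lookup_dc_name() call presumably handled that case; a comment stating why <1b> is the right suffix, or a query for the <1c> domain-controllers group name that every DC registers, would make the intent clear. The retry loop that follows is unchanged and the function ends outside the hunk.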
From: Gerald Carter Date: Sat, 28 Jun 2003 08:29:42 +0000 Subject: add check for NT_STATUS_NOT_IMPLEMENTED in auth check so that map to guest = bad user works again when "trustdomain" is listed as last auth method. Also clean up some more DC location calls. (This used to be commit 77a5b1032f39b8d20925721b719fdcfff910cb06) --- source3/auth/auth_domain.c | 41 +++++++++++++++++++++++++++-------------- 1 file changed, 27 insertions(+), 14 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index df19a274fb..84453ac3b5 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -401,11 +401,12 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; - char *password_server; unsigned char trust_passwd[16]; time_t last_change_time; const char *domain = lp_workgroup(); uint32 sec_channel_type = 0; + fstring dc_name; + struct in_addr dc_ip; if (!user_info || !server_info || !auth_context) { DEBUG(1,("check_ntdomain_security: Critical variables not present. Failing.\n")); @@ -443,17 +444,15 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, } } - /* - * Treat each name in the 'password server =' line as a potential - * PDC/BDC. Contact each in turn and try and authenticate. - */ - - password_server = lp_passwordserver(); - + if ( !rpc_dc_name(user_info->domain.str, dc_name, &dc_ip) ) { + DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n", + user_info->domain.str)); + return NT_STATUS_NO_LOGON_SERVERS; + } + nt_status = domain_client_validate(mem_ctx, user_info, domain, (uchar *)auth_context->challenge.data, - server_info, - password_server, global_myname(), sec_channel_type,trust_passwd, last_change_time); + server_info, dc_name, global_myname(), sec_channel_type,trust_passwd, last_change_time); return nt_status; } 
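Review bot: check_ntdomain_security now locates the DC for user_info->domain.str but still hands `domain` (lp_workgroup()) to domain_client_validate, so the DC contacted and the domain named in the logon request can disagree, and the diagnostic on failure names check_trustdomain_security rather than this function. Presumably the checks earlier in the function ensure the requested domain is ours; using one variable in both places would make that explicit, e.g. `if ( !rpc_dc_name(domain, dc_name, &dc_ip) ) {` with `DEBUG(5,("check_ntdomain_security: unable to locate a DC for domain %s\n", domain));`. In both this hunk and the matching one in check_trustdomain_security in the next hunk, dc_ip is filled in by rpc_dc_name() but only dc_name is passed on, so the address is discarded and the name resolved a second time inside the connect path. The `password server` parameter is no longer consulted on this path; if that is intended, the function's header comment (outside the hunk) should say so.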
@@ -485,6 +484,8 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte char *trust_password; time_t last_change_time; DOM_SID sid; + fstring dc_name; + struct in_addr dc_ip; if (!user_info || !server_info || !auth_context) { DEBUG(1,("check_trustdomain_security: Critical variables not present. Failing.\n")); @@ -509,9 +510,15 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte if(strequal(lp_workgroup(), (user_info->domain.str))) { DEBUG(3,("check_trustdomain_security: Requested domain was for this domain.\n")); - return NT_STATUS_LOGON_FAILURE; + return NT_STATUS_NOT_IMPLEMENTED; } + /* no point is bothering if this is not a trusted domain */ + /* this return makes "map to guest = bad user" work again */ + + if ( !is_trusted_domain( user_info->domain.str ) ) + return NT_STATUS_NO_SUCH_USER; + /* * Get the trusted account password for the trusted domain * No need to become_root() as secrets_init() is done at startup. @@ -537,11 +544,17 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte } #endif + if ( !rpc_dc_name(user_info->domain.str, dc_name, &dc_ip) ) { + DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n", + user_info->domain.str)); + return NT_STATUS_NO_LOGON_SERVERS; + } + nt_status = domain_client_validate(mem_ctx, user_info, user_info->domain.str, (uchar *)auth_context->challenge.data, - server_info, "*" /* Do a lookup */, - lp_workgroup(), SEC_CHAN_DOMAIN, trust_md4_password, last_change_time); - + server_info, dc_name, lp_workgroup(), + SEC_CHAN_DOMAIN, trust_md4_password, last_change_time); + return nt_status; } -- cgit From b8723aaa65a2bd760d6d2d9c9409f7c39867484c Mon Sep 17 00:00:00 2001 
From: Gerald Carter Date: Sun, 29 Jun 2003 03:39:50 +0000 Subject: Here's the code to make winbindd work on a Samba DC to handle domain trusts. Jeremy and I talked about this and it's going in as working code. It keeps winbind clean and solves the trust problem with minimal changes. To summarize, there are 2 basic cases where the deadlock would occur. (1) lookuping up secondary groups for a user, and (2) get[gr|pw]nam() calls that fall through the NSS layer because they don't exist anywhere. o To handle case #1, we bypass winbindd in sys_getgrouplist() unless the username includes the 'winbind separator'. o Case #2 is handled by adding checks in winbindd to return failure if we are a DC and the domain matches our own. This code has been tested using basic share connections, domain logons, and with pam_winbind (both with and without 'winbind use default domain'). The 'trustdomain' auth module should work as well if an admin wants to manually create UNIX users for acounts in the trusted domains. Other misc fixes: * we need to fix check_ntlm_password() to be able to determine if an auth module is authoritative over a user (NT_STATUS_WRONG_PASSWORD, etc...). I worked around my specific situation, but this needs to be fixed. the winbindd auth module was causing delays. * fix named server mutex deadlock between trust domain auth module and winbindd looking up a uid * make sure SAM_ACCOUNT gets stored in the server_info struct for the _net_sam_logon() reply. Configuration details: The recommended method for supporting trusts is to use winbind. The gets us around some of the server mutex issues as well. * set 'files winbind' for passwd: and group: in /etc/nsswitch.conf * create domain trusts like normal * join winbind on the pdc to the Samba domain using 'net rpc join' * add normal parameters to smb.conf for winbind * set 'auth method = guest sam winbind' * start smbd, nmbd, & winbindd Problems that remain: * join a Windows 2k/XP box to a Samba domain. 
* create a 2-way trust between the Samba domain and an NT domain * logon to the windows client as a user from theh trusted domain * try to browse server in the trusted domain (or other workstations). an NT client seems to work ok, but 2k and XP either prompt for passwords or fail with errors. apparanently this never got tested since no one has ever been able to logon as a trusted user to a Samba domain from a Windows client. (This used to be commit f804b590f9dbf1f0147c06a0a2f12e221ae6fc3b) --- source3/auth/auth_domain.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 84453ac3b5..39ec864f75 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -346,6 +346,8 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, user_info->lm_resp, user_info->nt_resp, &info3); + release_server_mutex(); + if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0,("domain_client_validate: unable to validate password " "for user %s in domain %s to Domain controller %s. " @@ -386,7 +388,6 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, cli_nt_session_close(cli); cli_ulogoff(cli); cli_shutdown(cli); - release_server_mutex(); return nt_status; } -- cgit From e359dbcedb53b03df79140c30ecfdfdbcb904595 Mon Sep 17 00:00:00 2001 
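Review bot: release_server_mutex() now runs directly after cli_netlogon_sam_network_logon(), which narrows the window the mutex is held to connect-plus-logon, but the code does not say why, and the return on "Domain password server not available" earlier in domain_client_validate now relies entirely on connect_to_domain_password_server() releasing the mutex on its own failure exits. A one-line comment at the new call would preserve the rationale from the commit message: `/* release the server mutex now: make_server_info_info3() may call into winbindd, which needs the same DC */`. Please confirm every failure exit of connect_to_domain_password_server() releases the mutex; its body is outside this diff, as is most of domain_client_validate.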
From: Gerald Carter Date: Mon, 30 Jun 2003 20:45:14 +0000 Subject: * cleanup more DC name resolution issues in check_*domain_security() * is_trusted_domain() is broken without winbind. Still working on this. * get_global_sam_name() should return the workgroup name unless we are a standalone server (verified by volker) * Get_Pwnam() should always fall back to the username (minus domain name) even if it is not our workgroup so that TRUSTEDOMAIN\user can logon if 'user' exists in the local list of accounts (on domain members w/o winbind) Tested using Samba PDC with trusts (running winbindd) and a Samba 3.0 domain member not running winbindd. notes: make_user_info_map() is slightly broken now due to the fact that is_trusted_domain() only works with winbindd. disabled checks temporarily until I can sort this out. (This used to be commit e1d6094d066d4c16ab73075caba40a1ae6c56b1e) --- source3/auth/auth_domain.c | 260 +++++++++------------------------------------ 1 file changed, 51 insertions(+), 209 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 39ec864f75..80320d8266 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c 
@@ -29,86 +29,6 @@ extern BOOL global_machine_password_needs_changing; extern userdom_struct current_user_info; -/* - resolve the name of a DC in ways appropriate for an ADS domain mode - an ADS domain may not have Netbios enabled at all, so this is - quite different from the RPC case - Note that we ignore the 'server' parameter here. That has the effect of using - the 'ADS server' smb.conf parameter, which is what we really want anyway - */ -static NTSTATUS ads_resolve_dc(fstring remote_machine, - struct in_addr *dest_ip) -{ - ADS_STRUCT *ads; - ads = ads_init_simple(); - if (!ads) { - return NT_STATUS_NO_LOGON_SERVERS; - } - - DEBUG(4,("ads_resolve_dc: realm=%s\n", ads->config.realm)); - - ads->auth.flags |= ADS_AUTH_NO_BIND; - -#ifdef HAVE_ADS - /* a full ads_connect() is actually overkill, as we don't srictly need - to do the SASL auth in order to get the info we need, but libads - doesn't offer a better way right now */ - ads_connect(ads); -#endif - - fstrcpy(remote_machine, ads->config.ldap_server_name); - strupper(remote_machine); - *dest_ip = ads->ldap_ip; - ads_destroy(&ads); - - if (!*remote_machine || is_zero_ip(*dest_ip)) { - return NT_STATUS_NO_LOGON_SERVERS; - } - - DEBUG(4,("ads_resolve_dc: using server='%s' IP=%s\n", - remote_machine, inet_ntoa(*dest_ip))); - - return NT_STATUS_OK; -} - -/* - resolve the name of a DC in ways appropriate for RPC domain mode - this relies on the server supporting netbios and port 137 not being - firewalled - */ -static NTSTATUS rpc_resolve_dc(const char *server, - fstring remote_machine, - struct in_addr *dest_ip) -{ - if (is_ipaddress(server)) { - struct in_addr to_ip = *interpret_addr2(server); - - /* we need to know the machines netbios name - this is a lousy - way to find it, but until we have a RPC call that does this - it will have to do */ - if (!name_status_find("*", 0x20, 0x20, to_ip, remote_machine)) { - DEBUG(2, ("rpc_resolve_dc: Can't resolve name for IP %s\n", server)); - return 
NT_STATUS_NO_LOGON_SERVERS; - } - - *dest_ip = to_ip; - return NT_STATUS_OK; - } - - fstrcpy(remote_machine, server); - strupper(remote_machine); - if (!resolve_name(remote_machine, dest_ip, 0x20)) { - DEBUG(1,("rpc_resolve_dc: Can't resolve address for %s\n", - remote_machine)); - return NT_STATUS_NO_LOGON_SERVERS; - } - - DEBUG(4,("rpc_resolve_dc: using server='%s' IP=%s\n", - remote_machine, inet_ntoa(*dest_ip))); - - return NT_STATUS_OK; -} - /** * Connect to a remote server for domain security authenticaion. * @@ -121,35 +41,14 @@ static NTSTATUS rpc_resolve_dc(const char *server, **/ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, - const char *server, + const char *dc_name, struct in_addr dc_ip, const char *setup_creds_as, uint16 sec_chan, const unsigned char *trust_passwd, BOOL *retry) { - struct in_addr dest_ip; - fstring remote_machine; NTSTATUS result; - *retry = False; - - if (lp_security() == SEC_ADS) - result = ads_resolve_dc(remote_machine, &dest_ip); - else - result = rpc_resolve_dc(server, remote_machine, &dest_ip); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(2,("connect_to_domain_password_server: unable to resolve DC: %s\n", - nt_errstr(result))); - return result; - } - - if (ismyip(dest_ip)) { - DEBUG(1,("connect_to_domain_password_server: Password server loop - not using password server %s\n", - remote_machine)); - return NT_STATUS_NO_LOGON_SERVERS; - } - /* TODO: Send a SAMLOGON request to determine whether this is a valid logonserver. We can avoid a 30-second timeout if the DC is down if the SAMLOGON request fails as it is only over UDP. */ 
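Review bot: Removing the resolution block from connect_to_domain_password_server also removes the `ismyip(dest_ip)` check, and nothing in the new version refuses a dc_ip that belongs to this host, so a DC lookup that returns our own address (a Samba DC pointed at itself, or a stale cache entry) would make smbd open an SMB session to itself while holding the server mutex — the "Password server loop" the old code guarded against. The guard should move to the new parameters rather than disappear: `if (ismyip(dc_ip)) { DEBUG(1,("connect_to_domain_password_server: Password server loop - not using %s\n", dc_name)); return NT_STATUS_NO_LOGON_SERVERS; }`. The remainder of the function lies outside this hunk.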
@@ -164,14 +63,13 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, * ACCESS_DENIED errors if 2 auths are done from the same machine. JRA. */ - *retry = True; - - if (!grab_server_mutex(server)) + if (!grab_server_mutex(dc_name)) return NT_STATUS_NO_LOGON_SERVERS; /* Attempt connection */ - result = cli_full_connection(cli, global_myname(), remote_machine, - &dest_ip, 0, "IPC$", "IPC", "", "", "",0, retry); + *retry = True; + result = cli_full_connection(cli, global_myname(), dc_name, &dc_ip, 0, + "IPC$", "IPC", "", "", "", 0, retry); if (!NT_STATUS_IS_OK(result)) { /* map to something more useful */ @@ -198,7 +96,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, if(cli_nt_session_open(*cli, PI_NETLOGON) == False) { DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ -machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); +machine %s. Error was : %s.\n", dc_name, cli_errstr(*cli))); cli_nt_session_close(*cli); cli_ulogoff(*cli); cli_shutdown(*cli); @@ -217,7 +115,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); if (!NT_STATUS_IS_OK(result)) { DEBUG(0,("connect_to_domain_password_server: unable to setup the NETLOGON credentials to machine \ -%s. Error was : %s.\n", remote_machine, nt_errstr(result))); +%s. Error was : %s.\n", dc_name, nt_errstr(result))); cli_nt_session_close(*cli); cli_ulogoff(*cli); cli_shutdown(*cli); 
@@ -230,61 +128,6 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli))); return NT_STATUS_OK; } -/*********************************************************************** - Utility function to attempt a connection to an IP address of a DC. -************************************************************************/ - -static NTSTATUS attempt_connect_to_dc(struct cli_state **cli, - const char *domain, - struct in_addr *ip, - const char *setup_creds_as, - uint16 sec_chan, - const unsigned char *trust_passwd) -{ - NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; - BOOL retry = True; - fstring dc_name; - int i; - - /* - * Ignore addresses we have already tried. - */ - - if (is_zero_ip(*ip)) - return NT_STATUS_NO_LOGON_SERVERS; - - if ( !name_status_find( domain, 0x1b, 0x20, *ip, dc_name) ) - return NT_STATUS_NO_LOGON_SERVERS; - - for (i = 0; (!NT_STATUS_IS_OK(ret)) && retry && (i < 3); i++) - ret = connect_to_domain_password_server(cli, dc_name, setup_creds_as, - sec_chan, trust_passwd, &retry); - return ret; -} - -/*********************************************************************** - We have been asked to dynamically determine the IP addresses of - the PDC and BDC's for DOMAIN, and query them in turn. -************************************************************************/ -static NTSTATUS find_connect_dc(struct cli_state **cli, - const char *domain, - const char *setup_creds_as, - uint16 sec_chan, - unsigned char *trust_passwd, - time_t last_change_time) -{ - struct in_addr dc_ip; - fstring srv_name; - - if (!rpc_dc_name(domain, srv_name, &dc_ip)) { - DEBUG(0,("find_connect_dc: Failed to find an DCs for %s\n", lp_workgroup())); - return NT_STATUS_NO_LOGON_SERVERS; - } - - return attempt_connect_to_dc( cli, domain, &dc_ip, setup_creds_as, - sec_chan, trust_passwd ); -} - /*********************************************************************** Do the same as security=server, but using NT Domain calls and a session key from the machine password. 
If the server parameter is specified @@ -296,15 +139,17 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, const char *domain, uchar chal[8], auth_serversupplied_info **server_info, - const char *server, const char *setup_creds_as, + const char *dc_name, struct in_addr dc_ip, + const char *setup_creds_as, uint16 sec_chan, unsigned char trust_passwd[16], time_t last_change_time) { - fstring remote_machine; NET_USER_INFO_3 info3; struct cli_state *cli = NULL; NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS; + int i; + BOOL retry = True; /* * At this point, smb_apasswd points to the lanman response to @@ -314,20 +159,14 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, * see if they were valid. */ - while (!NT_STATUS_IS_OK(nt_status) && - next_token(&server,remote_machine,LIST_SEP,sizeof(remote_machine))) { - if(lp_security() != SEC_ADS && strequal(remote_machine, "*")) { - nt_status = find_connect_dc(&cli, domain, setup_creds_as, sec_chan, trust_passwd, last_change_time); - } else { - int i; - BOOL retry = True; - for (i = 0; !NT_STATUS_IS_OK(nt_status) && retry && (i < 3); i++) - nt_status = connect_to_domain_password_server(&cli, remote_machine, setup_creds_as, - sec_chan, trust_passwd, &retry); - } + /* rety loop for robustness */ + + for (i = 0; !NT_STATUS_IS_OK(nt_status) && retry && (i < 3); i++) { + nt_status = connect_to_domain_password_server(&cli, dc_name, dc_ip, setup_creds_as, + sec_chan, trust_passwd, &retry); } - if (!NT_STATUS_IS_OK(nt_status)) { + if ( !NT_STATUS_IS_OK(nt_status) ) { DEBUG(0,("domain_client_validate: Domain password server not available.\n")); return nt_status; } 
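Review bot: The comment introduced above the new loop in domain_client_validate reads `/* rety loop for robustness */`; besides the typo it would be more useful saying what is retried and what bounds it, e.g. `/* retry the DC connection up to 3 times while the helper leaves *retry set */`. With find_connect_dc() gone, the last_change_time parameter appears to have no remaining use in the visible part of the function; if nothing outside the hunk reads it, drop it from the signature or note why it is kept. The function's tail is outside this hunk.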
@@ -340,12 +179,13 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, */ nt_status = cli_netlogon_sam_network_logon(cli, mem_ctx, - NULL, - user_info->smb_name.str, user_info->domain.str, - user_info->wksta_name.str, chal, - user_info->lm_resp, user_info->nt_resp, - &info3); + NULL, user_info->smb_name.str, user_info->domain.str, + user_info->wksta_name.str, chal, user_info->lm_resp, + user_info->nt_resp, &info3); + /* let go as soon as possible so we avoid any potential deadlocks + with winbind lookup up users or groups */ + release_server_mutex(); if (!NT_STATUS_IS_OK(nt_status)) { @@ -375,7 +215,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, if (NT_STATUS_IS_OK(status)) { if(cli_nt_logoff(&cli, &ctr) == False) { DEBUG(0,("domain_client_validate: unable to log off user %s in domain \ -%s to Domain controller %s. Error was %s.\n", user, domain, remote_machine, cli_errstr(&cli))); +%s to Domain controller %s. Error was %s.\n", user, domain, dc_name, cli_errstr(&cli))); nt_status = NT_STATUS_LOGON_FAILURE; } } @@ -409,6 +249,12 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, fstring dc_name; struct in_addr dc_ip; + if ( lp_server_role() != ROLE_DOMAIN_MEMBER ) { + DEBUG(0,("check_ntdomain_security: Configuration error! Cannot use " + "ntdomain auth method when not a member of a domain.\n")); + return NT_STATUS_NOT_IMPLEMENTED; + } + if (!user_info || !server_info || !auth_context) { DEBUG(1,("check_ntdomain_security: Critical variables not present. Failing.\n")); return NT_STATUS_INVALID_PARAMETER; @@ -422,7 +268,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, if(is_myname(user_info->domain.str)) { DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n")); - return NT_STATUS_LOGON_FAILURE; + return NT_STATUS_NOT_IMPLEMENTED; } /* 
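Review bot: The new lp_server_role() check in check_ntdomain_security runs on every authentication attempt and logs at DEBUG level 0 each time, so a misconfigured `auth methods` line produces a level-0 message per logon under load; it also precedes the NULL checks on user_info/server_info/auth_context, which is harmless since it touches none of them. Reporting the misconfiguration once from auth_init_ntdomain() (outside this hunk) and keeping a quiet NT_STATUS_NOT_IMPLEMENTED here, or raising this message to a higher debug level, would avoid the repeated output. The function continues outside the hunk.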
@@ -445,15 +291,18 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, } } - if ( !rpc_dc_name(user_info->domain.str, dc_name, &dc_ip) ) { + /* we need our DC to send the net_sam_logon() request to */ + + if ( !get_dc_name(domain, dc_name, &dc_ip) ) { DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n", user_info->domain.str)); return NT_STATUS_NO_LOGON_SERVERS; } nt_status = domain_client_validate(mem_ctx, user_info, domain, - (uchar *)auth_context->challenge.data, - server_info, dc_name, global_myname(), sec_channel_type,trust_passwd, last_change_time); + (uchar *)auth_context->challenge.data, server_info, dc_name, dc_ip, + global_myname(), sec_channel_type,trust_passwd, last_change_time); + return nt_status; } 
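Review bot: The failure message after the new get_dc_name(domain, ...) call still names check_trustdomain_security and prints user_info->domain.str, whereas the lookup is for `domain`; nothing in the hunk guarantees the two are equal, so the log line may point at the wrong domain. Use `DEBUG(5,("check_ntdomain_security: unable to locate a DC for domain %s\n", domain));`. The rest of check_ntdomain_security lies outside this hunk.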
@@ -494,28 +343,19 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte } /* - * Check that the requested domain is not our own machine name. - * If it is, we should never check the PDC here, we use our own local - * password file. - */ - - if(is_myname(user_info->domain.str)) { - DEBUG(3,("check_trustdomain_security: Requested domain was for this machine.\n")); - return NT_STATUS_LOGON_FAILURE; - } - - /* - * Check that the requested domain is not our own domain, - * If it is, we should use our own local password file. + * Check that the requested domain is not our own machine name or domain name. */ - if(strequal(lp_workgroup(), (user_info->domain.str))) { - DEBUG(3,("check_trustdomain_security: Requested domain was for this domain.\n")); + if( is_myname(user_info->domain.str) || strequal(lp_workgroup(), user_info->domain.str) ) { + DEBUG(3,("check_trustdomain_security: Requested domain [%s] was for this machine.\n", + user_info->domain.str)); return NT_STATUS_NOT_IMPLEMENTED; } - /* no point is bothering if this is not a trusted domain */ - /* this return makes "map to guest = bad user" work again */ + /* No point is bothering if this is not a trusted domain. + This return makes "map to guest = bad user" work again. + The logic is that if we know nothing about the domain, that + user is known to us and does not exist */ if ( !is_trusted_domain( user_info->domain.str ) ) return NT_STATUS_NO_SUCH_USER; 
@@ -545,16 +385,18 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte } #endif - if ( !rpc_dc_name(user_info->domain.str, dc_name, &dc_ip) ) { + /* use get_dc_name() for consistency even through we know that it will be + a netbios name */ + + if ( !get_dc_name(user_info->domain.str, dc_name, &dc_ip) ) { DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n", user_info->domain.str)); return NT_STATUS_NO_LOGON_SERVERS; } nt_status = domain_client_validate(mem_ctx, user_info, user_info->domain.str, - (uchar *)auth_context->challenge.data, - server_info, dc_name, lp_workgroup(), - SEC_CHAN_DOMAIN, trust_md4_password, last_change_time); + (uchar *)auth_context->challenge.data, server_info, dc_name, dc_ip, + lp_workgroup(), SEC_CHAN_DOMAIN, trust_md4_password, last_change_time); return nt_status; } -- cgit From 61116049cabc292c2f2d570af4d68ddc537b91f5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 3 Jul 2003 14:36:42 +0000 Subject: This patch takes the work the jerry did for beta2, and generalises it: - The 'not implmented' checks are now done by all auth modules - the ntdomain/trustdomain/winbind modules are more presise as to what domain names they can and cannot handle - The become_root() calls are now around the winbind pipe opening only, not the entire auth call - The unix username is kept seperate from the NT username, removing the need for 'clean off the domain\' in parse_net.c - All sid->uid translations are now validated with getpwuid() to put a very basic stop to logins with 'half deleted' accounts. Andrew Bartlett (This used to be commit 85f88191b9927cc434645ef4c1eaf5ec0e8af2ec) --- source3/auth/auth_domain.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 80320d8266..56bd6b9aca 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c 
@@ -266,7 +266,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, * password file. */ - if(is_myname(user_info->domain.str)) { + if(strequal(get_global_sam_name(), user_info->domain.str)) { DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n")); return NT_STATUS_NOT_IMPLEMENTED; } @@ -346,7 +346,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte * Check that the requested domain is not our own machine name or domain name. */ - if( is_myname(user_info->domain.str) || strequal(lp_workgroup(), user_info->domain.str) ) { + if( strequal(get_global_sam_name(), user_info->domain.str)) { DEBUG(3,("check_trustdomain_security: Requested domain [%s] was for this machine.\n", user_info->domain.str)); return NT_STATUS_NOT_IMPLEMENTED; @@ -358,7 +358,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte user is known to us and does not exist */ if ( !is_trusted_domain( user_info->domain.str ) ) - return NT_STATUS_NO_SUCH_USER; + return NT_STATUS_NOT_IMPLEMENTED; /* * Get the trusted account password for the trusted domain -- cgit From 3a5dc7c2ecacecf7dd0cfd71ff1bb298d70b391b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 23 Jul 2003 12:33:59 +0000 Subject: convert snprintf() calls using pstrings & fstrings to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 56bd6b9aca..e2fc273479 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c 
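Review bot: The third hunk changes the untrusted-domain return from NT_STATUS_NO_SUCH_USER to NT_STATUS_NOT_IMPLEMENTED, but the comment kept directly above it still says "This return makes 'map to guest = bad user' work again", which was true of NO_SUCH_USER only; per the commit message NOT_IMPLEMENTED presumably lets the auth chain continue to the next module instead of failing the user, so the comment now documents the old behaviour. Suggest `/* Not a trusted domain: return NOT_IMPLEMENTED so the next auth module gets a chance; we know nothing about this domain. */`. The same stale comment survives the @@ -357 hunk of the r10656 merge further down, which only fixes the "known/not known" wording. check_trustdomain_security starts and ends outside the hunk.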
@@ -104,7 +104,7 @@ machine %s. Error was : %s.\n", dc_name, cli_errstr(*cli))); return NT_STATUS_NO_LOGON_SERVERS; } - snprintf((*cli)->mach_acct, sizeof((*cli)->mach_acct) - 1, "%s$", setup_creds_as); + fstr_sprintf((*cli)->mach_acct, "%s$", setup_creds_as); if (!(*cli)->mach_acct) { release_server_mutex(); -- cgit From 29ca70cd34d3ba927ea1a9915ebd247f64965bd5 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 30 Jul 2003 23:49:29 +0000 Subject: Add a command line option (-S on|off|required) to enable signing on client connections. Overrides smb.conf parameter if set. Jeremy. (This used to be commit 879309671df6b530e0bff69559422a417da4a307) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index e2fc273479..aacea261fe 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -69,7 +69,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, /* Attempt connection */ *retry = True; result = cli_full_connection(cli, global_myname(), dc_name, &dc_ip, 0, - "IPC$", "IPC", "", "", "", 0, retry); + "IPC$", "IPC", "", "", "", 0, Undefined, retry); if (!NT_STATUS_IS_OK(result)) { /* map to something more useful */ -- cgit From fcdebdae6fb69575bbe6e622b112d2e61f972898 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 28 Aug 2003 23:57:34 +0000 Subject: Fix bug found by tridge in 2.2.x. Ensure that %U substitution is restored on next valid packet if a logon fails. This has relevence if people are using su.exe within logon scripts ! Jeremy. (This used to be commit d405a93a9d3f9a1d93bb3289b00683fba3160bbe) --- source3/auth/auth_domain.c | 3 --- 1 file changed, 3 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index aacea261fe..43e7597cd9 100644 --- a/source3/auth/auth_domain.c 
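Review bot: The `if (!(*cli)->mach_acct)` test kept just below the new `fstr_sprintf()` call can never fire — `mach_acct` looks like a fixed-size fstring member, so its address is never NULL — and neither the old nor the new formatting call reports truncation, so a `setup_creds_as` longer than the buffer would silently lose the trailing `$` and produce a wrong machine account name. Either drop the dead NULL check or replace it with a length check on the formatted result, if fstr_sprintf returns the would-be length as snprintf does. connect_to_domain_password_server continues outside the hunk.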
+++ b/source3/auth/auth_domain.c @@ -26,9 +26,6 @@ extern BOOL global_machine_password_needs_changing; -extern userdom_struct current_user_info; - - /** * Connect to a remote server for domain security authenticaion. * -- cgit From a7f8c26d24b78dc6a0f829cf7b53112e5ddbdeda Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 5 Jan 2004 04:10:28 +0000 Subject: Change our Domain controller lookup routines to more carefully seperate DNS names (realms) from NetBIOS domain names. Until now, we would experience delays as we broadcast lookups for DNS names onto the local network segments. Now if DNS comes back negative, we fall straight back to looking up the short name. Andrew Bartlett (This used to be commit 32397c8b01f1dec7b05140d210bb32f836a80ca6) --- source3/auth/auth_domain.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 43e7597cd9..0f34bcc0e2 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -165,6 +165,9 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, if ( !NT_STATUS_IS_OK(nt_status) ) { DEBUG(0,("domain_client_validate: Domain password server not available.\n")); + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) { + return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE; + } return nt_status; } @@ -290,7 +293,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, /* we need our DC to send the net_sam_logon() request to */ - if ( !get_dc_name(domain, dc_name, &dc_ip) ) { + if ( !get_dc_name(domain, NULL, dc_name, &dc_ip) ) { DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n", user_info->domain.str)); return NT_STATUS_NO_LOGON_SERVERS; 
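Review bot: The new remap of NT_STATUS_ACCESS_DENIED to NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE follows a level-0 log line that only says "Domain password server not available", so an operator cannot distinguish an unreachable DC from one that rejected our machine credentials — the latter is the case worth alerting on, since it means the machine account or trust is broken. Suggest logging the original status before it is remapped: `DEBUG(0,("domain_client_validate: Domain password server not available: %s\n", nt_errstr(nt_status)));`. domain_client_validate's body starts and ends outside the hunk.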
@@ -385,7 +388,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte /* use get_dc_name() for consistency even through we know that it will be a netbios name */ - if ( !get_dc_name(user_info->domain.str, dc_name, &dc_ip) ) { + if ( !get_dc_name(user_info->domain.str, NULL, dc_name, &dc_ip) ) { DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n", user_info->domain.str)); return NT_STATUS_NO_LOGON_SERVERS; -- cgit From 22457718b684a895834eab924d463a3b1e3ce0b1 Mon Sep 17 00:00:00 2001 From: Rafal Szczesniak Date: Wed, 7 Jan 2004 22:43:36 +0000 Subject: Doxygen comment fix. rafal (This used to be commit b5e492b8eaf7cefe185d44b6c708f96ff61bd27b) --- source3/auth/auth_domain.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 0f34bcc0e2..0bf2031a37 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -27,13 +27,16 @@ extern BOOL global_machine_password_needs_changing; /** - * Connect to a remote server for domain security authenticaion. + * Connect to a remote server for (inter)domain security authenticaion. * * @param cli the cli to return containing the active connection * @param server either a machine name or text IP address to * connect to. + * @param setup_creds_as domain account to setup credentials as + * @param sec_chan a switch value to distinguish between domain + * member and interdomain authentication * @param trust_passwd the trust password to establish the - * credentials with. + * credentials with. * **/ -- cgit From 919c261a490460a2e2189903139c0d4ad36a7aab Mon Sep 17 00:00:00 2001 
From: Gerald Carter Date: Thu, 15 Jan 2004 06:55:10 +0000 Subject: BUG 936: fix bind credentials for schannel binds in smbd (and add a comment to winbindd_cm about this (This used to be commit 5134c6bcbc5180431e95a30559c453f3744fd427) --- source3/auth/auth_domain.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 0bf2031a37..73e0ae7949 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -41,7 +41,8 @@ extern BOOL global_machine_password_needs_changing; **/ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, - const char *dc_name, struct in_addr dc_ip, + const char *domain, const char *dc_name, + struct in_addr dc_ip, const char *setup_creds_as, uint16 sec_chan, const unsigned char *trust_passwd, @@ -111,6 +112,10 @@ machine %s. Error was : %s.\n", dc_name, cli_errstr(*cli))); return NT_STATUS_NO_MEMORY; } + /* This must be the remote domain (not ours) for schannel */ + + fstrcpy( (*cli)->domain, domain ); + result = cli_nt_establish_netlogon(*cli, sec_chan, trust_passwd); if (!NT_STATUS_IS_OK(result)) { @@ -162,8 +167,8 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, /* rety loop for robustness */ for (i = 0; !NT_STATUS_IS_OK(nt_status) && retry && (i < 3); i++) { - nt_status = connect_to_domain_password_server(&cli, dc_name, dc_ip, setup_creds_as, - sec_chan, trust_passwd, &retry); + nt_status = connect_to_domain_password_server(&cli, domain, dc_name, + dc_ip, setup_creds_as, sec_chan, trust_passwd, &retry); } if ( !NT_STATUS_IS_OK(nt_status) ) { 
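Review bot: connect_to_domain_password_server() gains a `domain` parameter in the first hunk, but the Doxygen block that ends at the hunk's first line (just extended for setup_creds_as and sec_chan in the previous commit) is not updated, so the header is stale again. Suggest adding `* @param domain the remote domain name set on the connection (required for schannel binds)` next to the existing `@param server` entry. The only other record of that requirement is the `/* This must be the remote domain (not ours) for schannel */` comment in the second hunk. The function body continues outside the first hunk.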
@@ -297,7 +302,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, /* we need our DC to send the net_sam_logon() request to */ if ( !get_dc_name(domain, NULL, dc_name, &dc_ip) ) { - DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n", + DEBUG(5,("check_ntdomain_security: unable to locate a DC for domain %s\n", user_info->domain.str)); return NT_STATUS_NO_LOGON_SERVERS; } -- cgit From 590b60045d184a84659cfcb13c6a1a5039b51954 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 2 Feb 2004 07:53:56 +0000 Subject: Remove bogus check. No functional change, just cosmetics. Volker (This used to be commit e3a5e2d9c23e8ba6bc817e433e596f535644c862) --- source3/auth/auth_domain.c | 5 ----- 1 file changed, 5 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 73e0ae7949..fdff0b52f9 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -107,11 +107,6 @@ machine %s. Error was : %s.\n", dc_name, cli_errstr(*cli))); fstr_sprintf((*cli)->mach_acct, "%s$", setup_creds_as); - if (!(*cli)->mach_acct) { - release_server_mutex(); - return NT_STATUS_NO_MEMORY; - } - /* This must be the remote domain (not ours) for schannel */ fstrcpy( (*cli)->domain, domain ); -- cgit From ed5fd7117e931b2fce2c2a94adc53eeb3d8a8256 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 27 Aug 2004 13:39:09 +0000 Subject: r2086: fix bug with winbindd_getpwnam() caused by Microsoft DC's not filling in the username in the user_info3 (This used to be commit 4703a71fa88dff8bdc932f6c9af3a9d25a88938f) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index fdff0b52f9..6483dc143a 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c 
@@ -205,7 +205,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, } else { nt_status = make_server_info_info3(mem_ctx, user_info->internal_username.str, user_info->smb_name.str, domain, server_info, &info3); - netsamlogon_cache_store( mem_ctx, &info3 ); + netsamlogon_cache_store( mem_ctx, user_info->smb_name.str, &info3 ); } #if 0 -- cgit From dab71bed4e61b816b112433fc44e5f7259e4d2ab Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 24 Aug 2005 16:19:07 +0000 Subject: r9588: remove netsamlogon_cache interface...everything seems to work fine. Will deal with any fallout from special environments using a non-cache solution (This used to be commit e1de6f238f3981d81e49fb41919fdce4f07c8280) --- source3/auth/auth_domain.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 6483dc143a..cdf87adebb 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -205,7 +205,6 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, } else { nt_status = make_server_info_info3(mem_ctx, user_info->internal_username.str, user_info->smb_name.str, domain, server_info, &info3); - netsamlogon_cache_store( mem_ctx, user_info->smb_name.str, &info3 ); } #if 0 -- cgit From 54abd2aa66069e6baf7769c496f46d9dba18db39 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 30 Sep 2005 17:13:37 +0000 Subject: r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3) --- source3/auth/auth_domain.c | 204 ++++++++++++++++++++++++--------------------- 1 file changed, 108 insertions(+), 96 deletions(-) (limited to 'source3/auth/auth_domain.c') 
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index cdf87adebb..4abc6c6656 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -40,15 +40,17 @@ extern BOOL global_machine_password_needs_changing; * **/ -static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, - const char *domain, const char *dc_name, - struct in_addr dc_ip, - const char *setup_creds_as, - uint16 sec_chan, - const unsigned char *trust_passwd, - BOOL *retry) +static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, + const char *domain, + const char *dc_name, + struct in_addr dc_ip, + struct rpc_pipe_client **pipe_ret, + BOOL *retry) { NTSTATUS result; + struct rpc_pipe_client *netlogon_pipe = NULL; + + *pipe_ret = NULL; /* TODO: Send a SAMLOGON request to determine whether this is a valid logonserver. We can avoid a 30-second timeout if the DC is down @@ -64,8 +66,9 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, * ACCESS_DENIED errors if 2 auths are done from the same machine. JRA. */ - if (!grab_server_mutex(dc_name)) + if (!grab_server_mutex(dc_name)) { return NT_STATUS_NO_LOGON_SERVERS; + } /* Attempt connection */ *retry = True; 
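Review bot: The new signature in the first hunk drops setup_creds_as, sec_chan and trust_passwd and adds `pipe_ret`, but the Doxygen comment ending at the hunk's first line still documents the three removed parameters and says nothing about the new one. Suggest replacing those entries with `* @param pipe_ret on success, the NETLOGON pipe with the credential chain established; NULL on failure` and stating that the caller holds the server mutex when NT_STATUS_OK is returned, since the only mention of that is the "We exit here with the mutex *locked*" comment at the bottom of the function. connect_to_domain_password_server's body continues past the hunk.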
@@ -95,36 +98,65 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, * into account also. This patch from "Bjart Kvarme" . */ - if(cli_nt_session_open(*cli, PI_NETLOGON) == False) { + /* open the netlogon pipe. */ + if (lp_client_schannel()) { + /* We also setup the creds chain in the open_schannel call. */ + netlogon_pipe = cli_rpc_pipe_open_schannel(*cli, PI_NETLOGON, + PIPE_AUTH_LEVEL_PRIVACY, domain, &result); + } else { + netlogon_pipe = cli_rpc_pipe_open_noauth(*cli, PI_NETLOGON, &result); + } + + if(!netlogon_pipe) { DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ -machine %s. Error was : %s.\n", dc_name, cli_errstr(*cli))); - cli_nt_session_close(*cli); - cli_ulogoff(*cli); +machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); cli_shutdown(*cli); release_server_mutex(); - return NT_STATUS_NO_LOGON_SERVERS; + return result; } - fstr_sprintf((*cli)->mach_acct, "%s$", setup_creds_as); - - /* This must be the remote domain (not ours) for schannel */ - - fstrcpy( (*cli)->domain, domain ); + if (!lp_client_schannel()) { + /* We need to set up a creds chain on an unauthenticated netlogon pipe. 
*/ + uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS; + uint32 sec_chan_type = 0; + char machine_pwd[16]; + + if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) { + DEBUG(0, ("connect_to_domain_password_server: could not fetch " + "trust account password for domain '%s'\n", + domain)); + cli_shutdown(*cli); + release_server_mutex(); + return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + } - result = cli_nt_establish_netlogon(*cli, sec_chan, trust_passwd); + result = rpccli_netlogon_setup_creds(netlogon_pipe, + dc_name, + domain, + global_myname(), + machine_pwd, + sec_chan_type, + &neg_flags); + + if (!NT_STATUS_IS_OK(result)) { + cli_shutdown(*cli); + release_server_mutex(); + return result; + } + } - if (!NT_STATUS_IS_OK(result)) { - DEBUG(0,("connect_to_domain_password_server: unable to setup the NETLOGON credentials to machine \ -%s. Error was : %s.\n", dc_name, nt_errstr(result))); - cli_nt_session_close(*cli); - cli_ulogoff(*cli); + if(!netlogon_pipe) { + DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ +machine %s. Error was : %s.\n", dc_name, cli_errstr(*cli))); cli_shutdown(*cli); release_server_mutex(); - return result; + return NT_STATUS_NO_LOGON_SERVERS; } /* We exit here with the mutex *locked*. JRA */ + *pipe_ret = netlogon_pipe; + return NT_STATUS_OK; } 
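Review bot: In the `!lp_client_schannel()` branch, `machine_pwd` is filled with the machine account password by get_trust_pw() and never cleared before the function returns on either the success path or the `rpccli_netlogon_setup_creds` failure path, so the secret stays on the stack; add `memset(machine_pwd, 0, sizeof(machine_pwd));` after the setup_creds call and before that return (or use an explicit-zeroing helper, since a plain memset just before return may be elided). Separately, the second `if(!netlogon_pipe)` block after that branch is unreachable — the identical condition already returned above — and its `cli_errstr(*cli)` message would be misleading if it ever ran, so it should be deleted. The code also appears to rely on `cli_shutdown(*cli)` to tear down `netlogon_pipe` on the failure paths; if the pipe needs its own close, that is missing. The hunk starts mid-function; connect_to_domain_password_server's closing brace is its last line.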
@@ -135,18 +167,17 @@ machine %s. Error was : %s.\n", dc_name, cli_errstr(*cli))); ************************************************************************/ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, - const auth_usersupplied_info *user_info, - const char *domain, - uchar chal[8], - auth_serversupplied_info **server_info, - const char *dc_name, struct in_addr dc_ip, - const char *setup_creds_as, - uint16 sec_chan, - unsigned char trust_passwd[16], - time_t last_change_time) + const auth_usersupplied_info *user_info, + const char *domain, + uchar chal[8], + auth_serversupplied_info **server_info, + const char *dc_name, + struct in_addr dc_ip) + { NET_USER_INFO_3 info3; struct cli_state *cli = NULL; + struct rpc_pipe_client *netlogon_pipe = NULL; NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS; int i; BOOL retry = True; @@ -162,8 +193,12 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, /* rety loop for robustness */ for (i = 0; !NT_STATUS_IS_OK(nt_status) && retry && (i < 3); i++) { - nt_status = connect_to_domain_password_server(&cli, domain, dc_name, - dc_ip, setup_creds_as, sec_chan, trust_passwd, &retry); + nt_status = connect_to_domain_password_server(&cli, + domain, + dc_name, + dc_ip, + &netlogon_pipe, + &retry); } if ( !NT_STATUS_IS_OK(nt_status) ) { 
@@ -181,13 +216,19 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, * in the info3 structure. */ - nt_status = cli_netlogon_sam_network_logon(cli, mem_ctx, - NULL, user_info->smb_name.str, user_info->domain.str, - user_info->wksta_name.str, chal, user_info->lm_resp, - user_info->nt_resp, &info3); - - /* let go as soon as possible so we avoid any potential deadlocks - with winbind lookup up users or groups */ + nt_status = rpccli_netlogon_sam_network_logon(netlogon_pipe, + mem_ctx, + dc_name, /* server name */ + user_info->smb_name.str, /* user name logging on. */ + user_info->domain.str, /* domain name */ + user_info->wksta_name.str, /* workstation name */ + chal, /* 8 byte challenge. */ + user_info->lm_resp, /* lanman 24 byte response */ + user_info->nt_resp, /* nt 24 byte response */ + &info3); /* info3 out */ + + /* Let go as soon as possible so we avoid any potential deadlocks + with winbind lookup up users or groups. */ release_server_mutex(); @@ -195,7 +236,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, DEBUG(0,("domain_client_validate: unable to validate password " "for user %s in domain %s to Domain controller %s. " "Error was %s.\n", user_info->smb_name.str, - user_info->domain.str, cli->srv_name_slash, + user_info->domain.str, dc_name, nt_errstr(nt_status))); /* map to something more useful */ 
@@ -203,32 +244,18 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, nt_status = NT_STATUS_NO_LOGON_SERVERS; } } else { - nt_status = make_server_info_info3(mem_ctx, user_info->internal_username.str, - user_info->smb_name.str, domain, server_info, &info3); + nt_status = make_server_info_info3(mem_ctx, + user_info->internal_username.str, + user_info->smb_name.str, + domain, + server_info, + &info3); } -#if 0 - /* - * We don't actually need to do this - plus it fails currently with - * NT_STATUS_INVALID_INFO_CLASS - we need to know *exactly* what to - * send here. JRA. - */ - - if (NT_STATUS_IS_OK(status)) { - if(cli_nt_logoff(&cli, &ctr) == False) { - DEBUG(0,("domain_client_validate: unable to log off user %s in domain \ -%s to Domain controller %s. Error was %s.\n", user, domain, dc_name, cli_errstr(&cli))); - nt_status = NT_STATUS_LOGON_FAILURE; - } - } -#endif /* 0 */ - /* Note - once the cli stream is shutdown the mem_ctx used to allocate the other_sids and gids structures has been deleted - so these pointers are no longer valid..... */ - cli_nt_session_close(cli); - cli_ulogoff(cli); cli_shutdown(cli); return nt_status; } @@ -244,10 +271,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, auth_serversupplied_info **server_info) { NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; - unsigned char trust_passwd[16]; - time_t last_change_time; const char *domain = lp_workgroup(); - uint32 sec_channel_type = 0; fstring dc_name; struct in_addr dc_ip; 
@@ -273,26 +297,6 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, return NT_STATUS_NOT_IMPLEMENTED; } - /* - * Get the machine account password for our primary domain - * No need to become_root() as secrets_init() is done at startup. - */ - - if (!secrets_fetch_trust_account_password(domain, trust_passwd, &last_change_time, &sec_channel_type)) - { - DEBUG(0, ("check_ntdomain_security: could not fetch trust account password for domain '%s'\n", domain)); - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; - } - - /* Test if machine password has expired and needs to be changed */ - if (lp_machine_password_timeout()) { - if (last_change_time > 0 && - time(NULL) > (last_change_time + - lp_machine_password_timeout())) { - global_machine_password_needs_changing = True; - } - } - /* we need our DC to send the net_sam_logon() request to */ if ( !get_dc_name(domain, NULL, dc_name, &dc_ip) ) { @@ -301,9 +305,13 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, return NT_STATUS_NO_LOGON_SERVERS; } - nt_status = domain_client_validate(mem_ctx, user_info, domain, - (uchar *)auth_context->challenge.data, server_info, dc_name, dc_ip, - global_myname(), sec_channel_type,trust_passwd, last_change_time); + nt_status = domain_client_validate(mem_ctx, + user_info, + domain, + (uchar *)auth_context->challenge.data, + server_info, + dc_name, + dc_ip); return nt_status; } @@ -357,7 +365,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte /* No point is bothering if this is not a trusted domain. This return makes "map to guest = bad user" work again. The logic is that if we know nothing about the domain, that - user is known to us and does not exist */ + user is not known to us and does not exist */ if ( !is_trusted_domain( user_info->domain.str ) ) return NT_STATUS_NOT_IMPLEMENTED; 
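Review bot: The first hunk deletes the block that compared `last_change_time` against `lp_machine_password_timeout()` and set `global_machine_password_needs_changing = True`, and nothing else in this commit sets that flag; unless the expiry check moved into the new get_trust_pw()/setup_creds path as part of the sync (not visible here), the machine account password will no longer be scheduled for rotation, which silently weakens the domain trust over time. The `extern BOOL global_machine_password_needs_changing;` at the top of the file suggests another component still reads it, so either restore the expiry check next to the get_dc_name() call or add a comment stating where the check now lives. check_ntdomain_security starts before the hunk.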
@@ -367,8 +375,8 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte * No need to become_root() as secrets_init() is done at startup. */ - if (!secrets_fetch_trusted_domain_password(user_info->domain.str, &trust_password, &sid, &last_change_time)) - { + if (!secrets_fetch_trusted_domain_password(user_info->domain.str, &trust_password, + &sid, &last_change_time)) { DEBUG(0, ("check_trustdomain_security: could not fetch trust account password for domain %s\n", user_info->domain.str)); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } @@ -396,9 +404,13 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte return NT_STATUS_NO_LOGON_SERVERS; } - nt_status = domain_client_validate(mem_ctx, user_info, user_info->domain.str, - (uchar *)auth_context->challenge.data, server_info, dc_name, dc_ip, - lp_workgroup(), SEC_CHAN_DOMAIN, trust_md4_password, last_change_time); + nt_status = domain_client_validate(mem_ctx, + user_info, + user_info->domain.str, + (uchar *)auth_context->challenge.data, + server_info, + dc_name, + dc_ip); return nt_status; } -- cgit From 8d7c88667190fe286971ac4fffb64ee5bd9eeeb0 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 18 Oct 2005 03:24:00 +0000 Subject: r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 4abc6c6656..6e053b317e 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c 
@@ -119,7 +119,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); /* We need to set up a creds chain on an unauthenticated netlogon pipe. */ uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS; uint32 sec_chan_type = 0; - char machine_pwd[16]; + unsigned char machine_pwd[16]; if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) { DEBUG(0, ("connect_to_domain_password_server: could not fetch " -- cgit From 5678e4abb04e546735bff4907854ca32094a5b71 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 4 Nov 2005 00:03:55 +0000 Subject: r11492: Fix bug #3224 (I hope). Correctly use machine_account_name and client_name when doing netlogon credential setup. Jeremy. (This used to be commit 37e6ef9389041f58eada167239fd022f01c5fecb) --- source3/auth/auth_domain.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 6e053b317e..8d29367835 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -131,9 +131,10 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); } result = rpccli_netlogon_setup_creds(netlogon_pipe, - dc_name, - domain, - global_myname(), + dc_name, /* server name */ + domain, /* domain */ + global_myname(), /* client name */ + global_myname(), /* machine account name */ machine_pwd, sec_chan_type, &neg_flags); -- cgit From fcceedd67c29bae6941949a16ebef37e95dab601 Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Tue, 8 Nov 2005 06:19:34 +0000 Subject: r11573: Adding Andrew Bartlett's patch to make machine account logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes the auth module interface to 2 (from 1). The effect of this is that clients can access resources as a machine account if they set these flags. This is the same as Windows (think of a VPN where the vpn client authenticates itself to a VPN server using machine account credentials - the vpn server checks that the machine password was valid by performing a machine account check with the PDC in the same was as it would a user account check. I may add in a restriction (parameter) to allow this behaviour to be turned off (as it was previously). That may be on by default. Andrew Bartlett please review this change carefully. Jeremy. (This used to be commit d1caef866326346fb191f8129d13d98379f18cd8) --- source3/auth/auth_domain.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 8d29367835..94b138e55b 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c 
@@ -218,15 +218,16 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, */ nt_status = rpccli_netlogon_sam_network_logon(netlogon_pipe, - mem_ctx, - dc_name, /* server name */ - user_info->smb_name.str, /* user name logging on. */ - user_info->domain.str, /* domain name */ - user_info->wksta_name.str, /* workstation name */ - chal, /* 8 byte challenge. */ - user_info->lm_resp, /* lanman 24 byte response */ - user_info->nt_resp, /* nt 24 byte response */ - &info3); /* info3 out */ + mem_ctx, + user_info->logon_parameters,/* flags such as 'allow workstation logon' */ + dc_name, /* server name */ + user_info->smb_name.str, /* user name logging on. */ + user_info->domain.str, /* domain name */ + user_info->wksta_name.str, /* workstation name */ + chal, /* 8 byte challenge. */ + user_info->lm_resp, /* lanman 24 byte response */ + user_info->nt_resp, /* nt 24 byte response */ + &info3); /* info3 out */ /* Let go as soon as possible so we avoid any potential deadlocks with winbind lookup up users or groups. */ -- cgit From ce0a1fa159baab4c4bdaac601d0f56e29a406945 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 10 Nov 2005 20:28:23 +0000 Subject: r11652: Reinstate the netsamlogon_cache in order to work around failed query_user calls. This fixes logons to a member of a Samba domain as a user from a trusted AD domain. As per comments on samba-technical, I still need to add (a) cache the PAC info as werll as NTLM net_user_info_3 (b) expire the cache when the SMB session goes away Both Jeremy and Guenther have signed off on the idea. (This used to be commit 0c2bb5ba7b92d9210e7fa9f7b70aa67dfe9faaf4) --- source3/auth/auth_domain.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 94b138e55b..242105a664 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c 
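Review bot: `user_info->logon_parameters` is forwarded to the DC unchanged, so a client can set MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT and have this server vouch for a machine-account logon with no local policy; the commit message itself says a restricting parameter "may" be added. Until it exists, mask the flags against a server-side allow-list before the call, e.g. `uint32 logon_params = user_info->logon_parameters & allowed_logon_flags;` (where `allowed_logon_flags` is a placeholder for a value derived from an smb.conf setting), and log at DEBUG level when a client-requested flag is dropped so the decision is visible to operators. domain_client_validate's body begins and ends outside the hunk.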
@@ -252,6 +252,8 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, domain, server_info, &info3); + + netsamlogon_cache_store( mem_ctx, user_info->smb_name.str, &info3 ); } /* Note - once the cli stream is shutdown the mem_ctx used -- cgit From a4d729bdfadfc39fece612fcdd68955c3e3845bb Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 11 Nov 2005 03:03:41 +0000 Subject: r11661: Store the INFO3 in the PAC data into the netsamlogon_cache. Also remove the mem_ctx from the netsamlogon_cache_store() API. Guenther, what should we be doing with the other fields in the PAC_LOGON_INFO? (This used to be commit 8bead2d2825015fe41ba7d7401a12c06c29ea7f7) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 242105a664..266851b229 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -253,7 +253,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, server_info, &info3); - netsamlogon_cache_store( mem_ctx, user_info->smb_name.str, &info3 ); + netsamlogon_cache_store( user_info->smb_name.str, &info3 ); } /* Note - once the cli stream is shutdown the mem_ctx used -- cgit From 0af1500fc0bafe61019f1b2ab1d9e1d369221240 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 3 Feb 2006 22:19:41 +0000 Subject: r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f) --- source3/auth/auth_domain.c | 41 ++++++++++++++++++++++------------------- 1 file changed, 22 insertions(+), 19 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 266851b229..81ae7c1340 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c 
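Review bot: `netsamlogon_cache_store()` is called regardless of the `nt_status` returned by `make_server_info_info3()` on the preceding lines, so an info3 for which no local server_info could be built is still written to the cache. Wrapping it as `if (NT_STATUS_IS_OK(nt_status)) { netsamlogon_cache_store(user_info->smb_name.str, &info3); }` keeps the cache consistent with what the logon actually produced; the same applies to the call as rewritten in the r11661 hunk below. An info3 from a successful DC logon is arguably valid on its own, so if caching it unconditionally is intended, a one-line comment saying so would help. domain_client_validate's body begins and ends outside the hunk.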
@@ -221,9 +221,9 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, mem_ctx, user_info->logon_parameters,/* flags such as 'allow workstation logon' */ dc_name, /* server name */ - user_info->smb_name.str, /* user name logging on. */ - user_info->domain.str, /* domain name */ - user_info->wksta_name.str, /* workstation name */ + user_info->smb_name, /* user name logging on. */ + user_info->domain, /* domain name */ + user_info->wksta_name, /* workstation name */ chal, /* 8 byte challenge. */ user_info->lm_resp, /* lanman 24 byte response */ user_info->nt_resp, /* nt 24 byte response */ @@ -237,8 +237,8 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0,("domain_client_validate: unable to validate password " "for user %s in domain %s to Domain controller %s. " - "Error was %s.\n", user_info->smb_name.str, - user_info->domain.str, dc_name, + "Error was %s.\n", user_info->smb_name, + user_info->domain, dc_name, nt_errstr(nt_status))); /* map to something more useful */ @@ -247,13 +247,13 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, } } else { nt_status = make_server_info_info3(mem_ctx, - user_info->internal_username.str, - user_info->smb_name.str, + user_info->internal_username, + user_info->smb_name, domain, server_info, &info3); - netsamlogon_cache_store( user_info->smb_name.str, &info3 ); + netsamlogon_cache_store( user_info->smb_name, &info3 ); } /* Note - once the cli stream is shutdown the mem_ctx used @@ -296,7 +296,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, * password file. */ - if(strequal(get_global_sam_name(), user_info->domain.str)) { + if(strequal(get_global_sam_name(), user_info->domain)) { DEBUG(3,("check_ntdomain_security: Requested domain was for this machine.\n")); return NT_STATUS_NOT_IMPLEMENTED; } 
@@ -305,7 +305,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, if ( !get_dc_name(domain, NULL, dc_name, &dc_ip) ) { DEBUG(5,("check_ntdomain_security: unable to locate a DC for domain %s\n", - user_info->domain.str)); + user_info->domain)); return NT_STATUS_NO_LOGON_SERVERS; } @@ -360,9 +360,9 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte * Check that the requested domain is not our own machine name or domain name. */ - if( strequal(get_global_sam_name(), user_info->domain.str)) { + if( strequal(get_global_sam_name(), user_info->domain)) { DEBUG(3,("check_trustdomain_security: Requested domain [%s] was for this machine.\n", - user_info->domain.str)); + user_info->domain)); return NT_STATUS_NOT_IMPLEMENTED; } @@ -371,7 +371,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte The logic is that if we know nothing about the domain, that user is not known to us and does not exist */ - if ( !is_trusted_domain( user_info->domain.str ) ) + if ( !is_trusted_domain( user_info->domain ) ) return NT_STATUS_NOT_IMPLEMENTED; /* 
@@ -379,14 +379,17 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte * No need to become_root() as secrets_init() is done at startup. */ - if (!secrets_fetch_trusted_domain_password(user_info->domain.str, &trust_password, + if (!secrets_fetch_trusted_domain_password(user_info->domain, &trust_password, &sid, &last_change_time)) { - DEBUG(0, ("check_trustdomain_security: could not fetch trust account password for domain %s\n", user_info->domain.str)); + DEBUG(0, ("check_trustdomain_security: could not fetch trust " + "account password for domain %s\n", + user_info->domain)); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } #ifdef DEBUG_PASSWORD - DEBUG(100, ("Trust password for domain %s is %s\n", user_info->domain.str, trust_password)); + DEBUG(100, ("Trust password for domain %s is %s\n", user_info->domain, + trust_password)); #endif E_md4hash(trust_password, trust_md4_password); SAFE_FREE(trust_password); @@ -402,15 +405,15 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte /* use get_dc_name() for consistency even through we know that it will be a netbios name */ - if ( !get_dc_name(user_info->domain.str, NULL, dc_name, &dc_ip) ) { + if ( !get_dc_name(user_info->domain, NULL, dc_name, &dc_ip) ) { DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n", - user_info->domain.str)); + user_info->domain)); return NT_STATUS_NO_LOGON_SERVERS; } nt_status = domain_client_validate(mem_ctx, user_info, - user_info->domain.str, + user_info->domain, (uchar *)auth_context->challenge.data, server_info, dc_name, -- cgit From f351b9c6eb05fc051d639ee47e3dd56a4de7ec16 Mon Sep 17 00:00:00 2001 
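Review bot: In the `@@ -379,14 +379,17 @@` hunk the cleartext trust password is released with `SAFE_FREE(trust_password);` straight after `E_md4hash()`, with no scrub, so the secret stays readable in freed heap memory. A wipe before the free, `memset(trust_password, 0, strlen(trust_password));`, is cheap here (an explicit-wipe helper is better if the tree has one, since a plain memset before free can be optimised away). The `DEBUG(100, ("Trust password for domain %s is %s\n", ...))` under `#ifdef DEBUG_PASSWORD` writes that secret to the log; the reformat keeps it as is, and a comment that DEBUG_PASSWORD builds must never run in production would make the risk explicit. check_trustdomain_security's body continues outside the hunk.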
From: Gerald Carter Date: Wed, 8 Feb 2006 04:03:47 +0000 Subject: r13382: added server affinity cache stores for 'net rpc join' and trusted domain code (This used to be commit 9eb743584d32cdb67e0512ac915c34565bce1c01) --- source3/auth/auth_domain.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 81ae7c1340..c91cbf7af1 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -210,6 +210,10 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, return nt_status; } + /* store a successful connection */ + + saf_store( domain, cli->desthost ); + ZERO_STRUCT(info3); /* -- cgit From 83e4ea7e852e4ae9a4ba6fd187787c76f2d54ef6 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 6 May 2006 15:46:53 +0000 Subject: r15472: Remove an unused function parameter (This used to be commit d2f39ae7fe79fd31846c555849655023a2d1cbc7) --- source3/auth/auth_domain.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index c91cbf7af1..9360d28fac 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -251,7 +251,6 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, } } else { nt_status = make_server_info_info3(mem_ctx, - user_info->internal_username, user_info->smb_name, domain, server_info, -- cgit From 5ab7e77bc7659a9707fb702b162fc4201f244c60 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 6 May 2006 19:42:25 +0000 Subject: r15476: Transfer the was_mapped flag from user_info to server_info also in auth_sam and auth_domain. Thanks for Simo to point this out. Volker (This used to be commit 293b89dfb109d6e220ced433f025cf987aa1f500) --- source3/auth/auth_domain.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/auth/auth_domain.c') 
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 9360d28fac..6360d10b69 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -256,6 +256,10 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, server_info, &info3); + if (NT_STATUS_IS_OK(nt_status)) { + (*server_info)->was_mapped |= user_info->was_mapped; + } + netsamlogon_cache_store( user_info->smb_name, &info3 ); } -- cgit From f897e7094f9630a808b9d4622bb542ac676a8fb2 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 7 Jun 2006 04:45:50 +0000 Subject: r16076: Fix for machine password timeout overflow from Shlomi Yaakobovich . Jeremy. (This used to be commit 5cd234a1fff1e9d025eea6600649e56c997eafc2) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 6360d10b69..bedd318c3c 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -403,7 +403,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte #if 0 /* Test if machine password is expired and need to be changed */ - if (time(NULL) > last_change_time + lp_machine_password_timeout()) + if (time(NULL) > last_change_time + (time_t)lp_machine_password_timeout()) { global_machine_password_needs_changing = True; } -- cgit From fbdcf2663b56007a438ac4f0d8d82436b1bfe688 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 11 Jul 2006 18:01:26 +0000 Subject: r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8) --- source3/auth/auth_domain.c | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index bedd318c3c..8ad6329da9 100644 
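Review bot: The `(time_t)` cast in the `@@ -403,7 +403,7 @@` hunk lands inside an `#if 0` block, so the overflow fix is never compiled and machine-password-expiry is still not checked on this path. If the block is meant to come back, the addition can still overflow when `last_change_time` is near the type's maximum; `if (time(NULL) - last_change_time > (time_t)lp_machine_password_timeout())` avoids the sum altogether. If it is not coming back, removing the dead block is clearer than patching it. check_trustdomain_security's body continues outside the hunk.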
--- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -50,6 +50,8 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, NTSTATUS result; struct rpc_pipe_client *netlogon_pipe = NULL; + *cli = NULL; + *pipe_ret = NULL; /* TODO: Send a SAMLOGON request to determine whether this is a valid @@ -81,6 +83,11 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, result = NT_STATUS_NO_LOGON_SERVERS; } + if (*cli) { + cli_shutdown(*cli); + *cli = NULL; + } + release_server_mutex(); return result; } @@ -111,6 +118,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); cli_shutdown(*cli); + *cli = NULL; release_server_mutex(); return result; } @@ -126,6 +134,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); "trust account password for domain '%s'\n", domain)); cli_shutdown(*cli); + *cli = NULL; release_server_mutex(); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } @@ -141,6 +150,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); if (!NT_STATUS_IS_OK(result)) { cli_shutdown(*cli); + *cli = NULL; release_server_mutex(); return result; } @@ -150,6 +160,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ machine %s. Error was : %s.\n", dc_name, cli_errstr(*cli))); cli_shutdown(*cli); + *cli = NULL; release_server_mutex(); return NT_STATUS_NO_LOGON_SERVERS; } -- cgit From cb0402c2d3941a813e33b2b5e07c54b9ff644ca4 Mon Sep 17 00:00:00 2001 
From: Simo Sorce Date: Fri, 1 Dec 2006 15:06:34 +0000 Subject: r19980: Implement pam account stack checks when obey pam restrictions is true. It was missing for security=server/domain/ads Simo. (This used to be commit 550f651499c22c3c11594a0a39061a8a9b438d82) --- source3/auth/auth_domain.c | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 8ad6329da9..6468c18cb0 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -269,6 +269,17 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, if (NT_STATUS_IS_OK(nt_status)) { (*server_info)->was_mapped |= user_info->was_mapped; + + if ( ! (*server_info)->guest) { + /* if a real user check pam account restrictions */ + /* only really perfomed if "obey pam restriction" is true */ + nt_status = smb_pam_accountcheck((*server_info)->unix_name); + if ( !NT_STATUS_IS_OK(nt_status)) { + DEBUG(1, ("PAM account restriction prevents user login\n")); + cli_shutdown(cli); + return nt_status; + } + } } netsamlogon_cache_store( user_info->smb_name, &info3 ); -- cgit From b906886e9e9739877fef4c381c46a9a9d61859ba Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 16 Jan 2007 08:17:26 +0000 Subject: r20824: Send access to the trusted domain passwords through the pdb backend, so that in the next step we can store them in LDAP to be replicated across DCs. Thanks to Michael Adam Volker (This used to be commit 3c879745cfc39be6128b63a88ecdbfa3d9ce6c2d) --- source3/auth/auth_domain.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 6468c18cb0..6517852093 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c 
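Review bot: The PAM failure path in the `@@ -269,6 +269,17 @@` hunk logs `DEBUG(1, ("PAM account restriction prevents user login\n"));` without saying which account was refused, which makes the event hard to correlate during incident review. `DEBUG(1, ("PAM account restriction prevents user login for %s\n", (*server_info)->unix_name));` carries the identity already in scope. On that path `*server_info` has been filled in by make_server_info_info3() but is handed back together with an error status; unless the caller frees it on failure, which is not visible here, it is worth releasing or NULLing before `return nt_status;`. domain_client_validate's body continues outside the hunk.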
@@ -408,8 +408,8 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte * No need to become_root() as secrets_init() is done at startup. */ - if (!secrets_fetch_trusted_domain_password(user_info->domain, &trust_password, - &sid, &last_change_time)) { + if (!pdb_get_trusteddom_pw(user_info->domain, &trust_password, + &sid, &last_change_time)) { DEBUG(0, ("check_trustdomain_security: could not fetch trust " "account password for domain %s\n", user_info->domain)); -- cgit From 3bd2394b20723809b0736bb8bd6d2340a811471d Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 1 Mar 2007 22:12:49 +0000 Subject: r21642: Fix bug 4365. Please note that this was only tested with Vista so far, it needs testing with other clients as well. I'm afraid I'm visiting a conference tomorrow and saturday, so I'd be happy to get support in this. Thanks, Volker (This used to be commit 2186e276a0f15457ee6b29ecf2d109d812628ff9) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 6517852093..853108863b 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -237,7 +237,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, user_info->logon_parameters,/* flags such as 'allow workstation logon' */ dc_name, /* server name */ user_info->smb_name, /* user name logging on. */ - user_info->domain, /* domain name */ + user_info->client_domain, /* domain name */ user_info->wksta_name, /* workstation name */ chal, /* 8 byte challenge. */ user_info->lm_resp, /* lanman 24 byte response */ -- cgit From d824b98f80ba186030cbb70b3a1e5daf80469ecd Mon Sep 17 00:00:00 2001 
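Review bot: In the `@@ -237,7 +237,7 @@` hunk the SamLogon request now carries `user_info->client_domain`, while the DC it is sent to, the trust password and the `is_trusted_domain()` gate in check_trustdomain_security are all selected from `user_info->domain`. If the two fields can differ for one request (the commit message only reports Vista testing), a DC chosen for one domain is asked to validate a name qualified with another, so the relationship deserves a comment at the call site, e.g. `/* client_domain: domain as sent by the client; user_info->domain chose the DC and trust password */`. The failure DEBUG a few lines further down still prints `user_info->domain`, so the log line and the wire request can disagree. domain_client_validate's body continues outside the hunk.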
From: Jeremy Allison Date: Mon, 9 Jul 2007 19:25:36 +0000 Subject: r23779: Change from v2 or later to v3 or later. Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 853108863b..b0cd54638a 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -6,7 +6,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, -- cgit From 5e54558c6dea67b56bbfaba5698f3a434d3dffb6 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 00:52:41 +0000 Subject: r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text (This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07) --- source3/auth/auth_domain.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index b0cd54638a..1e6857230f 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -15,8 +15,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" -- cgit From 3529156971e17c7ec13f6a6243f7b613e4666cdd Mon Sep 17 00:00:00 2001 
From: Gerald Carter Date: Fri, 28 Sep 2007 03:54:42 +0000 Subject: r25400: Windows 2008 (Longhorn) Interop fixes for AD specific auth2 flags, and client fixes. Patch from Todd Stetcher . (This used to be commit 8304ccba7346597425307e260e88647e49081f68) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 1e6857230f..0010d8bc26 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -124,7 +124,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); if (!lp_client_schannel()) { /* We need to set up a creds chain on an unauthenticated netlogon pipe. */ - uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS; + uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS; uint32 sec_chan_type = 0; unsigned char machine_pwd[16]; -- cgit From 5221ebb299081da6a806362212c6a8ceb9cc70a8 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 28 Sep 2007 18:15:34 +0000 Subject: r25407: Revert Longhorn join patch as it is not correct for the 3.2 tree. The translate_name() used by cli_session_setup_spnego() cann rely Winbindd since it is needed by the join process (and hence before Winbind can be run). (This used to be commit 00a93ed336c5f36643e6e33bd277608eaf05677c) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 0010d8bc26..1e6857230f 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -124,7 +124,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); if (!lp_client_schannel()) { /* We need to set up a creds chain on an unauthenticated netlogon pipe. */ - uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS; + uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS; uint32 sec_chan_type = 0; unsigned char machine_pwd[16]; -- cgit 
From 30191d1a5704ad2b158386b511558972d539ce47 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 18 Oct 2007 17:40:25 -0700 Subject: RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f) --- source3/auth/auth_domain.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 1e6857230f..72bdbab182 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -23,7 +23,7 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -extern BOOL global_machine_password_needs_changing; +extern bool global_machine_password_needs_changing; /** * Connect to a remote server for (inter)domain security authenticaion. @@ -44,7 +44,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, const char *dc_name, struct in_addr dc_ip, struct rpc_pipe_client **pipe_ret, - BOOL *retry) + bool *retry) { NTSTATUS result; struct rpc_pipe_client *netlogon_pipe = NULL; @@ -191,7 +191,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, struct rpc_pipe_client *netlogon_pipe = NULL; NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS; int i; - BOOL retry = True; + bool retry = True; /* * At this point, smb_apasswd points to the lanman response to -- cgit From f88b7a076be74a29a3bf876b4e2705f4a1ecf42b Mon Sep 17 00:00:00 2001 
From: Jeremy Allison Date: Wed, 24 Oct 2007 14:16:54 -0700 Subject: This is a large patch (sorry). Migrate from struct in_addr to struct sockaddr_storage in most places that matter (ie. not the nmbd and NetBIOS lookups). This passes make test on an IPv4 box, but I'll have to do more work/testing on IPv6 enabled boxes. This should now give us a framework for testing and finishing the IPv6 migration. It's at the state where someone with a working IPv6 setup should (theorecically) be able to type : smbclient //ipv6-address/share and have it work. Jeremy. (This used to be commit 98e154c3125d5732c37a72d74b0eb5cd7b6155fd) --- source3/auth/auth_domain.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 72bdbab182..7cddabbbbd 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -42,7 +42,7 @@ extern bool global_machine_password_needs_changing; static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, const char *domain, const char *dc_name, - struct in_addr dc_ip, + struct sockaddr_storage *dc_ss, struct rpc_pipe_client **pipe_ret, bool *retry) { @@ -73,7 +73,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, /* Attempt connection */ *retry = True; - result = cli_full_connection(cli, global_myname(), dc_name, &dc_ip, 0, + result = cli_full_connection(cli, global_myname(), dc_name, dc_ss, 0, "IPC$", "IPC", "", "", "", 0, Undefined, retry); if (!NT_STATUS_IS_OK(result)) { @@ -183,7 +183,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, uchar chal[8], auth_serversupplied_info **server_info, const char *dc_name, - struct in_addr dc_ip) + struct sockaddr_storage *dc_ss) { NET_USER_INFO_3 info3; 
@@ -207,7 +207,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, nt_status = connect_to_domain_password_server(&cli, domain, dc_name, - dc_ip, + dc_ss, &netlogon_pipe, &retry); } @@ -305,7 +305,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; const char *domain = lp_workgroup(); fstring dc_name; - struct in_addr dc_ip; + struct sockaddr_storage dc_ss; if ( lp_server_role() != ROLE_DOMAIN_MEMBER ) { DEBUG(0,("check_ntdomain_security: Configuration error! Cannot use " @@ -331,7 +331,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, /* we need our DC to send the net_sam_logon() request to */ - if ( !get_dc_name(domain, NULL, dc_name, &dc_ip) ) { + if ( !get_dc_name(domain, NULL, dc_name, &dc_ss) ) { DEBUG(5,("check_ntdomain_security: unable to locate a DC for domain %s\n", user_info->domain)); return NT_STATUS_NO_LOGON_SERVERS; @@ -343,7 +343,7 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context, (uchar *)auth_context->challenge.data, server_info, dc_name, - dc_ip); + &dc_ss); return nt_status; } @@ -377,7 +377,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte time_t last_change_time; DOM_SID sid; fstring dc_name; - struct in_addr dc_ip; + struct sockaddr_storage dc_ss; if (!user_info || !server_info || !auth_context) { DEBUG(1,("check_trustdomain_security: Critical variables not present. Failing.\n")); @@ -433,7 +433,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte /* use get_dc_name() for consistency even through we know that it will be a netbios name */ - if ( !get_dc_name(user_info->domain, NULL, dc_name, &dc_ip) ) { + if ( !get_dc_name(user_info->domain, NULL, dc_name, &dc_ss) ) { DEBUG(5,("check_trustdomain_security: unable to locate a DC for domain %s\n", user_info->domain)); return NT_STATUS_NO_LOGON_SERVERS; 
@@ -445,7 +445,7 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte (uchar *)auth_context->challenge.data, server_info, dc_name, - dc_ip); + &dc_ss); return nt_status; } -- cgit From f793c99ca54d62cb8142607e8449f5b5b3a5e79d Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 11 Dec 2007 13:05:44 +0100 Subject: Let get_trust_pw() determine the machine_account_name to use. Up to now each caller used its own logic. This eliminates code paths where there was a special treatment of the following situation: the domain given is not our workgroup (i.e. our own domain) and we are not a DC (i.e. it is not a typical trusted domain situation). In situation the given domain name was previously used as the machine account name, resulting in an account name of DOMAIN\\DOMAIN$, which does not seem very reasonable to me. get_trust_pw would not have obtained a password in this situation anyways. I hope I have not missed an important point here! Michael (This used to be commit 6ced4a7f88798dc449a667d63bc29bf6c569291f) --- source3/auth/auth_domain.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 7cddabbbbd..b428723a06 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -127,8 +127,11 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS; uint32 sec_chan_type = 0; unsigned char machine_pwd[16]; + const char *account_name; - if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) { + if (!get_trust_pw(domain, machine_pwd, &account_name, + &sec_chan_type)) + { DEBUG(0, ("connect_to_domain_password_server: could not fetch " "trust account password for domain '%s'\n", domain)); 
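Review bot: The new `if (!get_trust_pw(domain, machine_pwd, &account_name, &sec_chan_type))` in the `@@ -127,8 +127,11 @@` hunk puts its opening brace on a line of its own, unlike the rest of this function where the brace follows the condition (`if (!NT_STATUS_IS_OK(result)) {`); folding it back to `&sec_chan_type)) {` keeps the file consistent. `account_name` is declared without an initialiser, so if get_trust_pw() ever reports success without filling it the machine-account name passed on is garbage; `const char *account_name = NULL;` makes that fail loudly instead. connect_to_domain_password_server's body continues outside the hunk.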
@@ -142,7 +145,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); dc_name, /* server name */ domain, /* domain */ global_myname(), /* client name */ - global_myname(), /* machine account name */ + account_name, /* machine account name */ machine_pwd, sec_chan_type, &neg_flags); -- cgit From 31f221ed9316c8dc2f4911d7b8ddcdf8b74367db Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 11 Dec 2007 14:07:32 +0100 Subject: Rename get_trust_pw() to get_trust_pw_hash(). Michael (This used to be commit 0cde7ac9cb39a0026a38ccf66dbecefc12931074) --- source3/auth/auth_domain.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index b428723a06..b2c87174fd 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -129,8 +129,8 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); unsigned char machine_pwd[16]; const char *account_name; - if (!get_trust_pw(domain, machine_pwd, &account_name, - &sec_chan_type)) + if (!get_trust_pw_hash(domain, machine_pwd, &account_name, + &sec_chan_type)) { DEBUG(0, ("connect_to_domain_password_server: could not fetch " "trust account password for domain '%s'\n", -- cgit From 99e349b35da5ea5df0889a8eccc0c9774ecc24e9 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 4 Jan 2008 23:24:15 -0800 Subject: More logical operations on booleans. IBM checker. Jeremy. (This used to be commit e289a0c8592f9e5c58100ddcde2577b452725b88) --- source3/auth/auth_domain.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index b2c87174fd..1de9869f90 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c 
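Review bot: After the setup-creds call in the `@@ -142,7 +145,7 @@` hunk the 16-byte `machine_pwd` hash, the credential that lets this host act as its machine account, is left on the stack for the rest of connect_to_domain_password_server(). Clearing it once the credential chain is established, `memset(machine_pwd, 0, sizeof(machine_pwd));` right after `&neg_flags);`, narrows what a core dump or later stack reuse can expose (use an explicit-wipe helper if the tree has one, since a dead-store memset may be dropped). `neg_flags` is passed by address and is presumably updated with the negotiated value, but nothing visible compares it with what was requested; a comment stating where downgrade detection happens would help. The function continues outside the hunk.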
@@ -270,7 +270,9 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, &info3); if (NT_STATUS_IS_OK(nt_status)) { - (*server_info)->was_mapped |= user_info->was_mapped; + if (user_info->was_mapped) { + (*server_info)->was_mapped = user_info->was_mapped; + } if ( ! (*server_info)->guest) { /* if a real user check pam account restrictions */ -- cgit From 691c4b1a4175e3d4a073c396a2a7d8d315cd42bd Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 17 Jan 2008 10:11:11 +0100 Subject: Windows 2008 (Longhorn) auth2 flag fixes. Interop fixes for AD specific flags. Original patch from Todd Stetcher. (This used to be commit 5aadfcdaacd6f136eab9e107a88b8544e6d2105f) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 1de9869f90..40a2985600 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -124,7 +124,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); if (!lp_client_schannel()) { /* We need to set up a creds chain on an unauthenticated netlogon pipe. */ - uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS; + uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS; uint32 sec_chan_type = 0; unsigned char machine_pwd[16]; const char *account_name; -- cgit From 7dfeae6073b31c04f6bdc33e9e835f256ba4f8d2 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Sun, 17 Feb 2008 02:09:35 +0100 Subject: Use netr_SamInfo3 in remaining places. Guenther (This used to be commit 92fca97951bf7adf8caaeabdaff21682b18dd91f) --- source3/auth/auth_domain.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 40a2985600..df51966f4c 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c 
@@ -189,7 +189,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, struct sockaddr_storage *dc_ss) { - NET_USER_INFO_3 info3; + struct netr_SamInfo3 *info3 = NULL; struct cli_state *cli = NULL; struct rpc_pipe_client *netlogon_pipe = NULL; NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS; @@ -227,8 +227,6 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, saf_store( domain, cli->desthost ); - ZERO_STRUCT(info3); - /* * If this call succeeds, we now have lots of info about the user * in the info3 structure. @@ -267,7 +265,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, user_info->smb_name, domain, server_info, - &info3); + info3); if (NT_STATUS_IS_OK(nt_status)) { if (user_info->was_mapped) { @@ -281,12 +279,14 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, if ( !NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("PAM account restriction prevents user login\n")); cli_shutdown(cli); + TALLOC_FREE(info3); return nt_status; } } } - netsamlogon_cache_store( user_info->smb_name, &info3 ); + netsamlogon_cache_store(user_info->smb_name, info3); + TALLOC_FREE(info3); } /* Note - once the cli stream is shutdown the mem_ctx used -- cgit From 1ebfc66b2c145289d1e1314e8415d9e3c6f405ae Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 10 Mar 2008 21:08:29 +0100 Subject: Use a separate tdb for mutexes Another preparation to convert secrets.c to dbwrap: The dbwrap API does not provide a sane tdb_lock_with_timeout abstraction. In the clustered case the DC mutex is needed per-node anyway, so it is perfectly fine to use a local mutex only. (This used to be commit f94a63cd8f94490780ad9331da229c0bcb2ca5d6) --- source3/auth/auth_domain.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index df51966f4c..26474089fb 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c 
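Review bot: With `info3` now a talloc'd `struct netr_SamInfo3 *` (`@@ -281,12 +279,14 @@` hunk), `TALLOC_FREE(info3);` follows netsamlogon_cache_store() while the `*server_info` that make_server_info_info3() built from it lives on; if that builder keeps any pointer into info3 rather than copying, the caller is left with dangling fields. Worth confirming and recording with a comment such as `/* server_info owns its own copy; info3 is not referenced after this point */`. The cache store still runs when make_server_info_info3() failed, and on the error branch of the logon call it is not visible whether a partially filled info3 is released. domain_client_validate's body continues outside the hunk.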
@@ -24,6 +24,7 @@ #define DBGC_CLASS DBGC_AUTH extern bool global_machine_password_needs_changing; +static struct named_mutex *mutex; /** * Connect to a remote server for (inter)domain security authenticaion. @@ -67,7 +68,8 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, * ACCESS_DENIED errors if 2 auths are done from the same machine. JRA. */ - if (!grab_server_mutex(dc_name)) { + mutex = grab_named_mutex(NULL, dc_name, 10); + if (mutex == NULL) { return NT_STATUS_NO_LOGON_SERVERS; } @@ -87,7 +89,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, *cli = NULL; } - release_server_mutex(); + TALLOC_FREE(mutex); return result; } @@ -118,7 +120,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); cli_shutdown(*cli); *cli = NULL; - release_server_mutex(); + TALLOC_FREE(mutex); return result; } @@ -137,7 +139,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); domain)); cli_shutdown(*cli); *cli = NULL; - release_server_mutex(); + TALLOC_FREE(mutex); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } @@ -153,7 +155,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); if (!NT_STATUS_IS_OK(result)) { cli_shutdown(*cli); *cli = NULL; - release_server_mutex(); + TALLOC_FREE(mutex); return result; } } @@ -163,7 +165,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); machine %s. Error was : %s.\n", dc_name, cli_errstr(*cli))); cli_shutdown(*cli); *cli = NULL; - release_server_mutex(); + TALLOC_FREE(mutex); return NT_STATUS_NO_LOGON_SERVERS; } @@ -247,7 +249,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, /* Let go as soon as possible so we avoid any potential deadlocks with winbind lookup up users or groups. */ - release_server_mutex(); + TALLOC_FREE(mutex); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0,("domain_client_validate: unable to validate password " -- cgit 
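Review bot: `static struct named_mutex *mutex;` in the `@@ -24,6 +24,7 @@` hunk makes the lock handle file-scope state that is grabbed in connect_to_domain_password_server() and released in domain_client_validate(); a second grab before the TALLOC_FREE would silently overwrite a held handle, and the hand-off between the two functions is documented nowhere. A comment on the declaration along the lines of `/* grabbed per DC name in connect_to_domain_password_server(); domain_client_validate() frees it after the SamLogon call */` would capture the contract. The timeout `10` in `grab_named_mutex(NULL, dc_name, 10)` is a magic number worth naming, and since the lock is held across the remote logon call, every authentication against one DC name is serialised for that call's duration.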
From 6b2da4d2f4a576038c272c6521d7c160949c6740 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 14 Mar 2008 22:22:30 +0100 Subject: Fix bug 5317 Thanks to oster@cs.usask.ca (This used to be commit f18a80575921a241c7243c5af5a0101a2956ff17) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 26474089fb..c9aa0648f4 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -255,7 +255,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, DEBUG(0,("domain_client_validate: unable to validate password " "for user %s in domain %s to Domain controller %s. " "Error was %s.\n", user_info->smb_name, - user_info->domain, dc_name, + user_info->client_domain, dc_name, nt_errstr(nt_status))); /* map to something more useful */ -- cgit From 99d35904552b01ef9f2adc40e16887da9eb4de69 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 2 Apr 2008 02:29:48 +0200 Subject: Fix NETLOGON credential chain with Windows 2008 all over the place. In order to avoid receiving NT_STATUS_DOWNGRADE_DETECTED from a w2k8 netr_ServerAuthenticate2 reply, we need to start with the AD netlogon negotiate flags everywhere (not only when running in security=ads). Only for NT4 we need to do a downgrade to the returned negotiate flags. Tested with w2k8, w2ksp4, w2k3r2 and nt4sp6. Guenther (This used to be commit 0970369ca0cb9ae465cff40e5c75739824daf1d0) --- source3/auth/auth_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index c9aa0648f4..f526677eca 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c 
@@ -126,7 +126,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); if (!lp_client_schannel()) { /* We need to set up a creds chain on an unauthenticated netlogon pipe. */ - uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS; + uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; uint32 sec_chan_type = 0; unsigned char machine_pwd[16]; const char *account_name; -- cgit From 64ddd381b74ca94e8ff8ae62d8f019a9b5290a80 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 6 May 2008 17:37:00 +0200 Subject: Rename server_info->was_mapped to server_info->nss_token "nss_token" from my point of view much better reflects what this flag actually represents (This used to be commit b121a5acb2ef0bb3067d953b028696175432f10d) --- source3/auth/auth_domain.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index f526677eca..f483718552 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -270,9 +270,7 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, info3); if (NT_STATUS_IS_OK(nt_status)) { - if (user_info->was_mapped) { - (*server_info)->was_mapped = user_info->was_mapped; - } + (*server_info)->nss_token |= user_info->was_mapped; if ( ! (*server_info)->guest) { /* if a real user check pam account restrictions */ -- cgit From 1335da2a7cc639310e5d389e8e8dbe67c4e7ca25 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 20 Jul 2008 11:04:31 +0200 Subject: Refactoring: Change calling conventions for cli_rpc_pipe_open_noauth Pass in ndr_syntax_id instead of pipe_idx, return NTSTATUS (This used to be commit 9abc9dc4dc13bd3e42f98eff64eacf24b51f5779) --- source3/auth/auth_domain.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index f483718552..2c67bf9f1c 100644 --- a/source3/auth/auth_domain.c 
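Review bot: The AD negotiate flag set is now requested on the `!lp_client_schannel()` path, i.e. on a netlogon pipe with no authentication, and the commit message says the client then downgrades to the flags the server returns; that downgrade lives outside this hunk, so it should be confirmed that it enforces a minimum (strong-key support at least) rather than accepting any subset a responder hands back — otherwise whatever answers as the DC can steer the credential chain to its weakest scheme. A comment on the new line would record the intent: `/* Start with the AD flag set (w2k8 rejects the NT4 set as a downgrade); only an NT4 DC may negotiate this down, and the downgrade must not drop below the strong-key floor. */`. Minor style point: the new line switches to `uint32_t` while the `sec_chan_type` line directly below keeps `uint32`; pick one for the pair. connect_to_domain_password_server() starts and ends outside the hunk.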
+++ b/source3/auth/auth_domain.c @@ -112,10 +112,11 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, netlogon_pipe = cli_rpc_pipe_open_schannel(*cli, PI_NETLOGON, PIPE_AUTH_LEVEL_PRIVACY, domain, &result); } else { - netlogon_pipe = cli_rpc_pipe_open_noauth(*cli, PI_NETLOGON, &result); + result = cli_rpc_pipe_open_noauth( + *cli, &ndr_table_netlogon.syntax_id, &netlogon_pipe); } - if(!netlogon_pipe) { + if (!NT_STATUS_IS_OK(result)) { DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \ machine %s. Error was : %s.\n", dc_name, nt_errstr(result))); cli_shutdown(*cli); -- cgit From 99526d391dc274eb87cfd0b393363d8ceafccda9 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 20 Jul 2008 11:04:31 +0200 Subject: Refactoring: Change calling conventions for cli_rpc_pipe_open_schannel Pass in ndr_syntax_id instead of pipe_idx, return NTSTATUS (This used to be commit 1fcfca007f33a2c4e979abf30c2ea0db65bac718) --- source3/auth/auth_domain.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_domain.c') diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 2c67bf9f1c..c25e62ab80 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -109,8 +109,9 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli, /* open the netlogon pipe. */ if (lp_client_schannel()) { /* We also setup the creds chain in the open_schannel call. */ - netlogon_pipe = cli_rpc_pipe_open_schannel(*cli, PI_NETLOGON, - PIPE_AUTH_LEVEL_PRIVACY, domain, &result); + result = cli_rpc_pipe_open_schannel( + *cli, &ndr_table_netlogon.syntax_id, + PIPE_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe); } else { result = cli_rpc_pipe_open_noauth( *cli, &ndr_table_netlogon.syntax_id, &netlogon_pipe); -- cgit
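Review bot: The new failure test `if (!NT_STATUS_IS_OK(result))` keys solely on `result`, but at this commit the schannel branch still uses the old convention (`netlogon_pipe = cli_rpc_pipe_open_schannel(..., &result)`), so the check depends on that function always storing an error status whenever it returns NULL; if it can return NULL with `result` left untouched, a NULL `netlogon_pipe` survives into the credential-chain code below. Until both branches are converted, test both conditions: `if (!NT_STATUS_IS_OK(result) || netlogon_pipe == NULL) {`. connect_to_domain_password_server() starts and ends outside the hunk.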
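Review bot: With both branches now returning NTSTATUS the single status check is consistent, but the DEBUG(0) message that follows it (`unable to open the domain client session`) no longer tells the operator which pipe type failed, and a schannel failure against a DC (rejected auth level, bad machine password, or an interposed host) is a different incident from a plain unauthenticated connect failure. One line would restore the distinction: `"connect_to_domain_password_server: unable to open the %s netlogon pipe to machine %s. Error was : %s.\n", lp_client_schannel() ? "schannel" : "unauthenticated", dc_name, nt_errstr(result)`. That failure branch is context rather than part of this hunk; the enclosing function starts and ends outside it.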
