From 986372901e85a79343ba32f590a4a3e7658d2565 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 3 Aug 2001 13:09:23 +0000 Subject: This is my 'Authentication Rewrite' version 1.01, mostly as submitted to samba-technical a few weeks ago. The idea here is to standardize the checking of user names and passwords, thereby ensuring that all authtentications pass the same standards. The interface currently implemented in as nt_status = check_password(user_info, server_info) where user_info contains (mostly) the authentication data, and server_info contains things like the user-id they got, and their resolved user name. The current ugliness with the way the structures are created will be killed the next revision, when they will be created and malloced by creator functions. This patch also includes the first implementation of NTLMv2 in HEAD, but which needs some more testing. We also add a hack to allow plaintext passwords to be compared with smbpasswd, not the system password database. Finally, this patch probably reintroduces the PAM accounts bug we had in 2.2.0, I'll fix that once this hits the tree. (I've just finished testing it on a wide variety of platforms, so I want to get this patch in). (This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42) --- source3/auth/auth_util.c | 141 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 141 insertions(+) create mode 100644 source3/auth/auth_util.c (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c new file mode 100644 index 0000000000..1c12a4322d --- /dev/null +++ b/source3/auth/auth_util.c @@ -0,0 +1,141 @@ +/* + Unix SMB/Netbios implementation. + Version 1.9. + Authentication utility functions + Copyright (C) Andrew Tridgell 1992-1998 + Copyright (C) Andrew Bartlett 2001 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ +#include "includes.h" + +extern int DEBUGLEVEL; + +/* Data to do lanman1/2 password challenge. */ +static unsigned char saved_challenge[8]; +static BOOL challenge_sent=False; + +/******************************************************************* +Get the next challenge value - no repeats. +********************************************************************/ +void generate_next_challenge(char *challenge) +{ + unsigned char buf[8]; + + generate_random_buffer(buf,8,False); + memcpy(saved_challenge, buf, 8); + memcpy(challenge,buf,8); + challenge_sent = True; +} + +/******************************************************************* +set the last challenge sent, usually from a password server +********************************************************************/ +BOOL set_challenge(unsigned char *challenge) +{ + memcpy(saved_challenge,challenge,8); + challenge_sent = True; + return(True); +} + +/******************************************************************* +get the last challenge sent +********************************************************************/ +BOOL last_challenge(unsigned char *challenge) +{ + if (!challenge_sent) return(False); + memcpy(challenge,saved_challenge,8); + return(True); +} + + +/**************************************************************************** + Create a UNIX user on demand. +****************************************************************************/ + +static int smb_create_user(char *unix_user, char *homedir) +{ + pstring add_script; + int ret; + + pstrcpy(add_script, lp_adduser_script()); + if (! *add_script) return -1; + all_string_sub(add_script, "%u", unix_user, sizeof(pstring)); + if (homedir) + all_string_sub(add_script, "%H", homedir, sizeof(pstring)); + ret = smbrun(add_script,NULL); + DEBUG(3,("smb_create_user: Running the command `%s' gave %d\n",add_script,ret)); + return ret; +} + +/**************************************************************************** + Delete a UNIX user on demand. +****************************************************************************/ + +static int smb_delete_user(char *unix_user) +{ + pstring del_script; + int ret; + + pstrcpy(del_script, lp_deluser_script()); + if (! *del_script) return -1; + all_string_sub(del_script, "%u", unix_user, sizeof(pstring)); + ret = smbrun(del_script,NULL); + DEBUG(3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret)); + return ret; +} + +/**************************************************************************** + Add and Delete UNIX users on demand, based on NT_STATUS codes. +****************************************************************************/ + +void smb_user_control(char *unix_user, uint32 nt_status) +{ + struct passwd *pwd=NULL; + + if(nt_status == NT_STATUS_NOPROBLEMO) { + /* + * User validated ok against Domain controller. + * If the admin wants us to try and create a UNIX + * user on the fly, do so. + */ + if(lp_adduser_script() && !(pwd = smb_getpwnam(unix_user,True))) + smb_create_user(unix_user, NULL); + + if(lp_adduser_script() && pwd) { + SMB_STRUCT_STAT st; + + /* + * Also call smb_create_user if the users home directory + * doesn't exist. Used with winbindd to allow the script to + * create the home directory for a user mapped with winbindd. + */ + + if (pwd->pw_dir && (sys_stat(pwd->pw_dir, &st) == -1) && (errno == ENOENT)) + smb_create_user(unix_user, pwd->pw_dir); + } + + } else if (nt_status == NT_STATUS_NO_SUCH_USER) { + /* + * User failed to validate ok against Domain controller. + * If the failure was "user doesn't exist" and admin + * wants us to try and delete that UNIX user on the fly, + * do so. + */ + if(lp_deluser_script() && smb_getpwnam(unix_user,True)) + smb_delete_user(unix_user); + } + +} -- cgit From 2f6486b55f05947205c380e071b16cd40af4d057 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 23 Aug 2001 18:13:56 +0000 Subject: Fix up some unused variables and functions, fix up formatting (This used to be commit bfce4ba7b6db261d981a60a7e262f2f690355f5c) --- source3/auth/auth_util.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1c12a4322d..4a0f45f843 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -137,5 +137,4 @@ void smb_user_control(char *unix_user, uint32 nt_status) if(lp_deluser_script() && smb_getpwnam(unix_user,True)) smb_delete_user(unix_user); } - } -- cgit From b031af348c7dcc8c74bf49945211c466b8eca079 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 27 Aug 2001 19:46:22 +0000 Subject: converted another bunch of stuff to NTSTATUS (This used to be commit 1d36250e338ae0ff9fbbf86019809205dd97d05e) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 4a0f45f843..5ccf963889 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -105,7 +105,7 @@ void smb_user_control(char *unix_user, uint32 nt_status) { struct passwd *pwd=NULL; - if(nt_status == NT_STATUS_NOPROBLEMO) { + if(nt_status == NT_STATUS_OK) { /* * User validated ok against Domain controller. * If the admin wants us to try and create a UNIX -- cgit From 19fea3242cf6234786b6cbb60631e0071f31ff9f Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 4 Sep 2001 07:13:01 +0000 Subject: the next stage in the NTSTATUS/WERROR change. smbd and nmbd now compile, but the client code still needs some work (This used to be commit dcd6e735f709a9231860ceb9682db40ff26c9a66) --- source3/auth/auth_util.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5ccf963889..28f58eb8ae 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -101,11 +101,11 @@ static int smb_delete_user(char *unix_user) Add and Delete UNIX users on demand, based on NT_STATUS codes. ****************************************************************************/ -void smb_user_control(char *unix_user, uint32 nt_status) +void smb_user_control(char *unix_user, NTSTATUS nt_status) { struct passwd *pwd=NULL; - if(nt_status == NT_STATUS_OK) { + if (NT_STATUS_IS_OK(nt_status)) { /* * User validated ok against Domain controller. * If the admin wants us to try and create a UNIX @@ -127,7 +127,7 @@ void smb_user_control(char *unix_user, uint32 nt_status) smb_create_user(unix_user, pwd->pw_dir); } - } else if (nt_status == NT_STATUS_NO_SUCH_USER) { + } else if (NT_STATUS_V(nt_status) == NT_STATUS_V(NT_STATUS_NO_SUCH_USER)) { /* * User failed to validate ok against Domain controller. * If the failure was "user doesn't exist" and admin -- cgit From b7a0c132894e15712a55aaa92175df73fb8814a9 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 14 Sep 2001 10:38:40 +0000 Subject: Now that we always get back an NTSTATUS code actually pass it on to the auth subsytem. Also kill off the (unneeded) wrapper fuction. Andrew Bartlett (This used to be commit 96f06b490ac5e9fd86debccf8d41675fa41f7726) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 28f58eb8ae..1967c32b9a 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -98,7 +98,7 @@ static int smb_delete_user(char *unix_user) } /**************************************************************************** - Add and Delete UNIX users on demand, based on NT_STATUS codes. + Add and Delete UNIX users on demand, based on NTSTATUS codes. ****************************************************************************/ void smb_user_control(char *unix_user, NTSTATUS nt_status) -- cgit From dc1fc3ee8ec2199bc73bb5d7ec711c6800f61d65 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Tue, 2 Oct 2001 04:29:50 +0000 Subject: Removed 'extern int DEBUGLEVEL' as it is now in the smb.h header. (This used to be commit 2d0922b0eabfdc0aaf1d0797482fef47ed7fde8e) --- source3/auth/auth_util.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1967c32b9a..d3b9aa7001 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -19,9 +19,8 @@ along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ -#include "includes.h" -extern int DEBUGLEVEL; +#include "includes.h" /* Data to do lanman1/2 password challenge. */ static unsigned char saved_challenge[8]; -- cgit From 60f0627afb167faad57385d44f0b587186a7ac2b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 31 Oct 2001 10:46:25 +0000 Subject: This is a farily large patch (3300 lines) and reworks most of the AuthRewrite code. In particular this assists tpot in some of his work, becouse it provides the connection between the authenticaion and the vuid generation. Major Changes: - Fully malloc'ed structures. - Massive rework of the code so that all structures are made and destroyed using malloc and free, rather than hanging around on the stack. - SAM_ACCOUNT unix uids and gids are now pointers to the same, to allow them to be declared 'invalid' without the chance that people might get ROOT by default. - kill off some of the "DOMAIN\user" lookups. These can be readded at a more appropriate place (probably domain_client_validate.c) in the future. They don't belong in session setups. - Massive introduction of DATA_BLOB structures, particularly for passwords. - Use NTLMSSP flags to tell the backend what its getting, rather than magic lenghths. - Fix winbind back up again, but tpot is redoing this soon anyway. - Abstract much of the work in srv_netlog_nt back into auth helper functions. This is a LARGE change, and any assistance is testing it is appriciated. Domain logons are still broken (as far as I can tell) but other functionality seems intact. Needs testing with a wide variety of MS clients. Andrew Bartlett (This used to be commit f70fb819b2f57bd57232b51808345e2319d52f6c) --- source3/auth/auth_util.c | 564 +++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 543 insertions(+), 21 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d3b9aa7001..297c482af5 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -25,6 +25,8 @@ /* Data to do lanman1/2 password challenge. */ static unsigned char saved_challenge[8]; static BOOL challenge_sent=False; +extern fstring remote_machine; +extern pstring global_myname; /******************************************************************* Get the next challenge value - no repeats. @@ -64,7 +66,7 @@ BOOL last_challenge(unsigned char *challenge) Create a UNIX user on demand. ****************************************************************************/ -static int smb_create_user(char *unix_user, char *homedir) +static int smb_create_user(const char *unix_user, const char *homedir) { pstring add_script; int ret; @@ -100,40 +102,560 @@ static int smb_delete_user(char *unix_user) Add and Delete UNIX users on demand, based on NTSTATUS codes. ****************************************************************************/ -void smb_user_control(char *unix_user, NTSTATUS nt_status) +void smb_user_control(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info, NTSTATUS nt_status) { struct passwd *pwd=NULL; if (NT_STATUS_IS_OK(nt_status)) { - /* - * User validated ok against Domain controller. - * If the admin wants us to try and create a UNIX - * user on the fly, do so. - */ - if(lp_adduser_script() && !(pwd = smb_getpwnam(unix_user,True))) - smb_create_user(unix_user, NULL); - - if(lp_adduser_script() && pwd) { - SMB_STRUCT_STAT st; + if (!(server_info->sam_fill_level & SAM_FILL_UNIX)) { + /* - * Also call smb_create_user if the users home directory - * doesn't exist. Used with winbindd to allow the script to - * create the home directory for a user mapped with winbindd. + * User validated ok against Domain controller. + * If the admin wants us to try and create a UNIX + * user on the fly, do so. */ + + if(lp_adduser_script() && !(pwd = Get_Pwnam(user_info->internal_username.str))) { + smb_create_user(user_info->internal_username.str, NULL); + } + } else { + if(lp_adduser_script()) { + SMB_STRUCT_STAT st; + const char *home_dir = pdb_get_homedir(server_info->sam_account); + /* + * Also call smb_create_user if the users home directory + * doesn't exist. Used with winbindd to allow the script to + * create the home directory for a user mapped with winbindd. + */ - if (pwd->pw_dir && (sys_stat(pwd->pw_dir, &st) == -1) && (errno == ENOENT)) - smb_create_user(unix_user, pwd->pw_dir); + if (home_dir && + (sys_stat(home_dir, &st) == -1) && (errno == ENOENT)) { + smb_create_user(user_info->internal_username.str, home_dir); + } + } } - - } else if (NT_STATUS_V(nt_status) == NT_STATUS_V(NT_STATUS_NO_SUCH_USER)) { + } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { /* * User failed to validate ok against Domain controller. * If the failure was "user doesn't exist" and admin * wants us to try and delete that UNIX user on the fly, * do so. */ - if(lp_deluser_script() && smb_getpwnam(unix_user,True)) - smb_delete_user(unix_user); + if (lp_deluser_script()) { + smb_delete_user(user_info->internal_username.str); + } + } +} + +/**************************************************************************** + Create an auth_usersupplied_data structure +****************************************************************************/ + +BOOL make_user_info(auth_usersupplied_info **user_info, + char *smb_name, char *internal_username, + char *client_domain, char *domain, + char *wksta_name, DATA_BLOB sec_blob, + DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, + DATA_BLOB plaintext, + uint32 ntlmssp_flags, BOOL encrypted) +{ + + DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name)); + + *user_info = malloc(sizeof(**user_info)); + if (!user_info) { + DEBUG(0,("malloc failed for user_info (size %d)\n", sizeof(*user_info))); + return False; + } + + ZERO_STRUCTP(*user_info); + + DEBUG(5,("makeing strings for %s's user_info struct\n", internal_username)); + + (*user_info)->smb_name.str = strdup(smb_name); + if ((*user_info)->smb_name.str) { + (*user_info)->smb_name.len = strlen(smb_name); + } else { + free_user_info(user_info); + return False; + } + + (*user_info)->internal_username.str = strdup(internal_username); + if ((*user_info)->internal_username.str) { + (*user_info)->internal_username.len = strlen(internal_username); + } else { + free_user_info(user_info); + return False; + } + + (*user_info)->domain.str = strdup(domain); + if ((*user_info)->domain.str) { + (*user_info)->domain.len = strlen(domain); + } else { + free_user_info(user_info); + return False; + } + + (*user_info)->client_domain.str = strdup(client_domain); + if ((*user_info)->client_domain.str) { + (*user_info)->client_domain.len = strlen(client_domain); + } else { + free_user_info(user_info); + return False; + } + + (*user_info)->wksta_name.str = strdup(wksta_name); + if ((*user_info)->wksta_name.str) { + (*user_info)->wksta_name.len = strlen(wksta_name); + } else { + free_user_info(user_info); + return False; } + + DEBUG(5,("makeing blobs for %s's user_info struct\n", internal_username)); + + (*user_info)->sec_blob = data_blob(sec_blob.data, sec_blob.length); + (*user_info)->lm_resp = data_blob(lm_pwd.data, lm_pwd.length); + (*user_info)->nt_resp = data_blob(nt_pwd.data, nt_pwd.length); + (*user_info)->plaintext_password = data_blob(plaintext.data, plaintext.length); + + (*user_info)->encrypted = encrypted; + (*user_info)->ntlmssp_flags = ntlmssp_flags; + + DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name)); + + return True; } + +/**************************************************************************** + Create an auth_usersupplied_data structure after appropriate mapping. +****************************************************************************/ + +BOOL make_user_info_map(auth_usersupplied_info **user_info, + char *smb_name, + char *client_domain, + char *wksta_name, DATA_BLOB sec_blob, + DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, + DATA_BLOB plaintext, + uint32 ntlmssp_flags, BOOL encrypted) +{ + char *domain; + fstring internal_username; + fstrcpy(internal_username, smb_name); + map_username(internal_username); + + if (lp_allow_trusted_domains()) { + domain = client_domain; + } else { + domain = lp_workgroup(); + } + + return make_user_info(user_info, + smb_name, internal_username, + client_domain, domain, + wksta_name, sec_blob, + lm_pwd, nt_pwd, + plaintext, + ntlmssp_flags, encrypted); + +} + +/**************************************************************************** + Create an auth_usersupplied_data, making the DATA_BLOBs here. + Decrupt and encrypt the passwords. +****************************************************************************/ + +BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, + char *smb_name, + char *client_domain, + char *wksta_name, uchar chal[8], + uchar *lm_network_pwd, int lm_pwd_len, + uchar *nt_network_pwd, int nt_pwd_len) +{ + BOOL ret; + DATA_BLOB sec_blob = data_blob(chal, sizeof(chal)); + DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len); + DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); + DATA_BLOB plaintext_blob = data_blob(NULL, 0); + uint32 ntlmssp_flags = 0; + + if (lm_pwd_len) + ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM; + if (nt_pwd_len) + ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; + + ret = make_user_info_map(user_info, + smb_name, client_domain, + wksta_name, sec_blob, + nt_blob, lm_blob, + plaintext_blob, + ntlmssp_flags, True); + + data_blob_free(&lm_blob); + data_blob_free(&nt_blob); + return ret; +} + +/**************************************************************************** + Create an auth_usersupplied_data, making the DATA_BLOBs here. + Decrupt and encrypt the passwords. +****************************************************************************/ + +BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, + char *smb_name, + char *client_domain, + char *wksta_name, + uchar *lm_interactive_pwd, int lm_pwd_len, + uchar *nt_interactive_pwd, int nt_pwd_len, + uchar *dc_sess_key) +{ + char nt_pwd[16]; + char lm_pwd[16]; + unsigned char local_lm_response[24]; + unsigned char local_nt_response[24]; + unsigned char key[16]; + uint8 chal[8]; + uint32 ntlmssp_flags = 0; + + generate_random_buffer(chal, 8, False); + + memset(key, 0, 16); + memcpy(key, dc_sess_key, 8); + + memcpy(lm_pwd, lm_interactive_pwd, 16); + memcpy(nt_pwd, nt_interactive_pwd, 16); + +#ifdef DEBUG_PASSWORD + DEBUG(100,("key:")); + dump_data(100, (char *)key, 16); + + DEBUG(100,("lm owf password:")); + dump_data(100, lm_pwd, 16); + + DEBUG(100,("nt owf password:")); + dump_data(100, nt_pwd, 16); +#endif + + SamOEMhash((uchar *)lm_pwd, key, 16); + SamOEMhash((uchar *)nt_pwd, key, 16); + +#ifdef DEBUG_PASSWORD + DEBUG(100,("decrypt of lm owf password:")); + dump_data(100, lm_pwd, 16); + + DEBUG(100,("decrypt of nt owf password:")); + dump_data(100, nt_pwd, 16); +#endif + + generate_random_buffer(chal, 8, False); + SMBOWFencrypt((const unsigned char *)lm_pwd, chal, local_lm_response); + SMBOWFencrypt((const unsigned char *)nt_pwd, chal, local_nt_response); + + /* Password info parinoia */ + ZERO_STRUCT(lm_pwd); + ZERO_STRUCT(nt_pwd); + ZERO_STRUCT(key); + + { + BOOL ret; + DATA_BLOB sec_blob = data_blob(chal, sizeof(chal)); + DATA_BLOB local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response)); + DATA_BLOB local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response)); + DATA_BLOB plaintext_blob = data_blob(NULL, 0); + + ntlmssp_flags = NTLMSSP_NEGOTIATE_OEM | NTLMSSP_NEGOTIATE_NTLM; + ret = make_user_info_map(user_info, + smb_name, client_domain, + wksta_name, sec_blob, + local_nt_blob, + local_lm_blob, + plaintext_blob, + ntlmssp_flags, True); + + data_blob_free(&local_lm_blob); + data_blob_free(&local_nt_blob); + return ret; + } +} + +/**************************************************************************** + Create an auth_usersupplied_data structure +****************************************************************************/ + +BOOL make_user_info_for_winbind(auth_usersupplied_info **user_info, + char *username, + char *domain, + char *password) +{ + unsigned char local_lm_response[24]; + unsigned char local_nt_response[24]; + char chal[8]; + DATA_BLOB local_lm_blob; + DATA_BLOB local_nt_blob; + DATA_BLOB plaintext_blob; + uint32 ntlmssp_flags = 0; + + /* + * Not encrypted - do so. + */ + + DEBUG(5,("pass_check_smb: User passwords not in encrypted format.\n")); + + generate_random_buffer(chal, 8, False); + + if (*password) { + SMBencrypt( (uchar *)password, chal, local_lm_response); + + /* This encrypts the lm_pwd feild, which actualy contains the password + rather than the nt_pwd field becouse that contains nothing */ + + /* WATCH OUT. This doesn't work if the incoming password is incorrectly cased. + We might want to add a check here and only do an LM in that case */ + + SMBNTencrypt((uchar *)password, chal, local_nt_response); + + local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response)); + local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response)); + plaintext_blob = data_blob(password, strlen(password)+1); + if ((!local_lm_blob.data) || (!local_nt_blob.data)|| (!plaintext_blob.data)) { + data_blob_free(&local_lm_blob); + data_blob_free(&local_nt_blob); + data_blob_clear_free(&plaintext_blob); + return False; + } + ntlmssp_flags = NTLMSSP_NEGOTIATE_OEM | NTLMSSP_NEGOTIATE_NTLM; + } else { + local_lm_blob = data_blob(NULL, 0); + local_nt_blob = data_blob(NULL, 0); + plaintext_blob = data_blob(NULL, 0); + } + + { + BOOL ret; + DATA_BLOB sec_blob = data_blob(chal, sizeof(chal)); + + if (!sec_blob.data) { + return False; + } + + ret = make_user_info(user_info, + username, username, + domain, domain, + global_myname, sec_blob, + local_nt_blob, + local_lm_blob, + plaintext_blob, + ntlmssp_flags, False); + + data_blob_free(&local_lm_blob); + data_blob_free(&local_nt_blob); + data_blob_clear_free(&plaintext_blob); + return ret; + } +} + +/**************************************************************************** + Create an auth_usersupplied_data, making the DATA_BLOBs here. + Decrupt and encrypt the passwords. +****************************************************************************/ + +BOOL make_user_info_winbind_crap(auth_usersupplied_info **user_info, + char *smb_name, + char *client_domain, + uchar chal[8], + uchar *lm_network_pwd, int lm_pwd_len, + uchar *nt_network_pwd, int nt_pwd_len) +{ + BOOL ret; + DATA_BLOB sec_blob = data_blob(chal, sizeof(chal)); + DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len); + DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); + DATA_BLOB plaintext_blob = data_blob(NULL, 0); + uint32 ntlmssp_flags = 0; + + if (lm_pwd_len) + ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM; + if (nt_pwd_len) + ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; + + ret = make_user_info(user_info, + smb_name, smb_name, + client_domain, client_domain, + global_myname, sec_blob, + nt_blob, lm_blob, + plaintext_blob, + ntlmssp_flags, True); + + data_blob_free(&lm_blob); + data_blob_free(&nt_blob); + return ret; +} + +/**************************************************************************** + Create an auth_usersupplied_data structure +****************************************************************************/ + +BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, + char *smb_name, + char *client_domain, + DATA_BLOB lm_resp, DATA_BLOB nt_resp, + DATA_BLOB plaintext_password, + BOOL encrypted) +{ + uchar chal[8]; + + DATA_BLOB local_lm_blob; + DATA_BLOB local_nt_blob; + DATA_BLOB sec_blob; + BOOL ret = False; + uint32 ntlmssp_flags = 0; + + if (encrypted) { + DATA_BLOB no_plaintext_blob = data_blob(NULL, 0); + if (!last_challenge(chal)) { + DEBUG(0,("Encrypted login but no challange set!\n")); + return False; + } + sec_blob = data_blob(chal, 8); + + if (lm_resp.length == 24) { + ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM; + } + if (nt_resp.length == 0) { + } else if (nt_resp.length == 24) { + ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; + } else { + ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM2; + } + + return make_user_info_map(user_info, smb_name, + client_domain, + remote_machine, sec_blob, + lm_resp, + nt_resp, + no_plaintext_blob, + ntlmssp_flags, encrypted); + } + + generate_random_buffer(chal, 8, False); + + sec_blob = data_blob(chal, 8); + + /* + * Not encrypted - do so. + */ + + DEBUG(5,("pass_check_smb: User passwords not in encrypted format.\n")); + + if (plaintext_password.data) { + unsigned char local_lm_response[24]; + + SMBencrypt( (uchar *)plaintext_password.data, chal, local_lm_response); + local_lm_blob = data_blob(local_lm_response, 24); + + /* We can't do an NT hash here, as the password needs to be case insensitive */ + local_nt_blob = data_blob(NULL, 0); + + ntlmssp_flags = NTLMSSP_NEGOTIATE_OEM; + } else { + local_lm_blob = data_blob(NULL, 0); + local_nt_blob = data_blob(NULL, 0); + } + + ret = make_user_info_map(user_info, smb_name, + client_domain, + remote_machine, + sec_blob, + local_lm_blob, + local_nt_blob, + plaintext_password, + ntlmssp_flags, encrypted); + + data_blob_free(&local_lm_blob); + return ret; +} + +BOOL make_server_info(auth_serversupplied_info **server_info) +{ + *server_info = malloc(sizeof(**server_info)); + if (!*server_info) { + DEBUG(0,("make_server_info_sam: malloc failed!\n")); + return False; + } + ZERO_STRUCTP(*server_info); + return True; +} + +BOOL make_server_info_sam(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass) +{ + if (!make_server_info(server_info)) { + return False; + } + + (*server_info)->sam_fill_level = SAM_FILL_ALL; + (*server_info)->sam_account = sampass; + + DEBUG(5,("make_server_info_sam: made sever info for user %s\n", + pdb_get_username((*server_info)->sam_account))); + return True; +} + +BOOL make_server_info_pw(auth_serversupplied_info **server_info, struct passwd *pwd) +{ + SAM_ACCOUNT *sampass = NULL; + if (!pdb_init_sam_pw(&sampass, pwd)) { + return False; + } + return make_server_info_sam(server_info, sampass); +} + +void free_user_info(auth_usersupplied_info **user_info) +{ + DEBUG(5,("attempting to free (and zero) a user_info structure\n")); + if (*user_info != NULL) { + if ((*user_info)->smb_name.str) { + DEBUG(10,("structure was created for %s\n", (*user_info)->smb_name.str)); + } + SAFE_FREE((*user_info)->smb_name.str); + SAFE_FREE((*user_info)->internal_username.str); + SAFE_FREE((*user_info)->client_domain.str); + SAFE_FREE((*user_info)->domain.str); + data_blob_free(&(*user_info)->sec_blob); + data_blob_free(&(*user_info)->lm_resp); + data_blob_free(&(*user_info)->nt_resp); + SAFE_FREE((*user_info)->interactive_password); + data_blob_clear_free(&(*user_info)->plaintext_password); + ZERO_STRUCT(**user_info); + } + SAFE_FREE(*user_info); +} + +/*************************************************************************** + Clear out a server_info struct that has been allocated +***************************************************************************/ +void free_server_info(auth_serversupplied_info **server_info) +{ + if (*server_info != NULL) { + pdb_free_sam(&(*server_info)->sam_account); + + /* call pam_end here, unless we know we are keeping it */ + SAFE_FREE((*server_info)->group_rids); + + ZERO_STRUCT(**server_info); + } + SAFE_FREE(*server_info); +} + +/*************************************************************************** + Make a server_info struct for a guest user +***************************************************************************/ +void make_server_info_guest(auth_serversupplied_info **server_info) +{ + struct passwd *pass = sys_getpwnam(lp_guestaccount(-1)); + + if (pass) { + make_server_info_pw(server_info, pass); + } +} + -- cgit From be93100240c4d81e9465015e82d5b71a5e4bf193 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 31 Oct 2001 12:07:59 +0000 Subject: Fix up domain logons. Tested with NT4. (This used to be commit c8b2718adfe114b74a155116c5e74f014d6df887) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 297c482af5..85f01605ab 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -368,8 +368,8 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, ret = make_user_info_map(user_info, smb_name, client_domain, wksta_name, sec_blob, - local_nt_blob, local_lm_blob, + local_nt_blob, plaintext_blob, ntlmssp_flags, True); -- cgit From acb81fe408f0e674088f0952aaba442ddb494b0c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 1 Nov 2001 05:02:41 +0000 Subject: Various post AuthRewrite cleanups, fixups and tidyups. Zero out some of the plaintext passwords for paranoia Fix up some of the other passdb backends with the change to *uid_t rather than uid_t. Make some of the code in srv_netlog_nt.c clearer, is passing an array around, so pass its lenght in is definition, not as a seperate paramater. Use sizeof() rather than magic numbers, it makes things easier to read. Cope with a PAM authenticated user who is not in /etc/passwd - currently by saying NO_SUCH_USER, but this can change in future. Andrew Bartlett (This used to be commit 514c91b16baca639bb04638042bf9894d881172a) --- source3/auth/auth_util.c | 47 +++++++++++++++++++++++++++-------------------- 1 file changed, 27 insertions(+), 20 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 85f01605ab..9de8142578 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -282,9 +282,12 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, if (lm_pwd_len) ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM; - if (nt_pwd_len) + if (nt_pwd_len == 24) { ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; - + } else if (nt_pwd_len != 0) { + ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM2; + } + ret = make_user_info_map(user_info, smb_name, client_domain, wksta_name, sec_blob, @@ -303,15 +306,15 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, ****************************************************************************/ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, - char *smb_name, - char *client_domain, - char *wksta_name, - uchar *lm_interactive_pwd, int lm_pwd_len, - uchar *nt_interactive_pwd, int nt_pwd_len, - uchar *dc_sess_key) + char *smb_name, + char *client_domain, + char *wksta_name, + uchar lm_interactive_pwd[16], + uchar nt_interactive_pwd[16], + uchar *dc_sess_key) { - char nt_pwd[16]; char lm_pwd[16]; + char nt_pwd[16]; unsigned char local_lm_response[24]; unsigned char local_nt_response[24]; unsigned char key[16]; @@ -320,32 +323,32 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, generate_random_buffer(chal, 8, False); - memset(key, 0, 16); + ZERO_STRUCT(key); memcpy(key, dc_sess_key, 8); - memcpy(lm_pwd, lm_interactive_pwd, 16); - memcpy(nt_pwd, nt_interactive_pwd, 16); + if (lm_interactive_pwd) memcpy(lm_pwd, lm_interactive_pwd, sizeof(lm_pwd)); + if (nt_interactive_pwd) memcpy(nt_pwd, nt_interactive_pwd, sizeof(nt_pwd)); #ifdef DEBUG_PASSWORD DEBUG(100,("key:")); - dump_data(100, (char *)key, 16); + dump_data(100, (char *)key, sizeof(key)); DEBUG(100,("lm owf password:")); - dump_data(100, lm_pwd, 16); + dump_data(100, lm_pwd, sizeof(lm_pwd)); DEBUG(100,("nt owf password:")); - dump_data(100, nt_pwd, 16); + dump_data(100, nt_pwd, sizeof(nt_pwd)); #endif - SamOEMhash((uchar *)lm_pwd, key, 16); - SamOEMhash((uchar *)nt_pwd, key, 16); + SamOEMhash((uchar *)lm_pwd, key, sizeof(lm_pwd)); + SamOEMhash((uchar *)nt_pwd, key, sizeof(nt_pwd)); #ifdef DEBUG_PASSWORD DEBUG(100,("decrypt of lm owf password:")); - dump_data(100, lm_pwd, 16); + dump_data(100, lm_pwd, sizeof(lm_pwd)); DEBUG(100,("decrypt of nt owf password:")); - dump_data(100, nt_pwd, 16); + dump_data(100, nt_pwd, sizeof(nt_pwd)); #endif generate_random_buffer(chal, 8, False); @@ -364,7 +367,11 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, DATA_BLOB local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response)); DATA_BLOB plaintext_blob = data_blob(NULL, 0); - ntlmssp_flags = NTLMSSP_NEGOTIATE_OEM | NTLMSSP_NEGOTIATE_NTLM; + if (lm_interactive_pwd) + ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM; + if (nt_interactive_pwd) + ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; + ret = make_user_info_map(user_info, smb_name, client_domain, wksta_name, sec_blob, -- cgit From f8e2baf39eb864481dd48f61404136b325cd73c2 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 3 Nov 2001 23:34:24 +0000 Subject: Added NT_USER_TOKEN into server_info to fix extra groups problem. Got "medieval on our ass" about const warnings (as many as I could :-). Jeremy. (This used to be commit ee5e7ca547eff016818ba5c43b8ea0c9fa69b808) --- source3/auth/auth_util.c | 70 +++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 58 insertions(+), 12 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 9de8142578..9a99b2643e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -4,6 +4,7 @@ Authentication utility functions Copyright (C) Andrew Tridgell 1992-1998 Copyright (C) Andrew Bartlett 2001 + Copyright (C) Jeremy Allison 2000-2001 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -29,21 +30,23 @@ extern fstring remote_machine; extern pstring global_myname; /******************************************************************* -Get the next challenge value - no repeats. + Get the next challenge value - no repeats. ********************************************************************/ + void generate_next_challenge(char *challenge) { - unsigned char buf[8]; + unsigned char buf[8]; - generate_random_buffer(buf,8,False); + generate_random_buffer(buf,8,False); memcpy(saved_challenge, buf, 8); memcpy(challenge,buf,8); challenge_sent = True; } /******************************************************************* -set the last challenge sent, usually from a password server + Set the last challenge sent, usually from a password server. ********************************************************************/ + BOOL set_challenge(unsigned char *challenge) { memcpy(saved_challenge,challenge,8); @@ -52,16 +55,17 @@ BOOL set_challenge(unsigned char *challenge) } /******************************************************************* -get the last challenge sent + Get the last challenge sent. ********************************************************************/ + BOOL last_challenge(unsigned char *challenge) { - if (!challenge_sent) return(False); + if (!challenge_sent) + return(False); memcpy(challenge,saved_challenge,8); return(True); } - /**************************************************************************** Create a UNIX user on demand. ****************************************************************************/ @@ -72,7 +76,8 @@ static int smb_create_user(const char *unix_user, const char *homedir) int ret; pstrcpy(add_script, lp_adduser_script()); - if (! *add_script) return -1; + if (! *add_script) + return -1; all_string_sub(add_script, "%u", unix_user, sizeof(pstring)); if (homedir) all_string_sub(add_script, "%H", homedir, sizeof(pstring)); @@ -91,7 +96,8 @@ static int smb_delete_user(char *unix_user) int ret; pstrcpy(del_script, lp_deluser_script()); - if (! *del_script) return -1; + if (! *del_script) + return -1; all_string_sub(del_script, "%u", unix_user, sizeof(pstring)); ret = smbrun(del_script,NULL); DEBUG(3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret)); @@ -131,7 +137,7 @@ void smb_user_control(const auth_usersupplied_info *user_info, auth_serversuppli if (home_dir && (sys_stat(home_dir, &st) == -1) && (errno == ENOENT)) { - smb_create_user(user_info->internal_username.str, home_dir); + smb_create_user(user_info->internal_username.str, home_dir); } } } @@ -641,14 +647,14 @@ void free_user_info(auth_usersupplied_info **user_info) /*************************************************************************** Clear out a server_info struct that has been allocated ***************************************************************************/ + void free_server_info(auth_serversupplied_info **server_info) { if (*server_info != NULL) { pdb_free_sam(&(*server_info)->sam_account); /* call pam_end here, unless we know we are keeping it */ - SAFE_FREE((*server_info)->group_rids); - + delete_nt_token( &(*server_info)->ptok ); ZERO_STRUCT(**server_info); } SAFE_FREE(*server_info); @@ -657,6 +663,7 @@ void free_server_info(auth_serversupplied_info **server_info) /*************************************************************************** Make a server_info struct for a guest user ***************************************************************************/ + void make_server_info_guest(auth_serversupplied_info **server_info) { struct passwd *pass = sys_getpwnam(lp_guestaccount(-1)); @@ -666,3 +673,42 @@ void make_server_info_guest(auth_serversupplied_info **server_info) } } +/**************************************************************************** + Delete a SID token. +****************************************************************************/ + +void delete_nt_token(NT_USER_TOKEN **pptoken) +{ + if (*pptoken) { + NT_USER_TOKEN *ptoken = *pptoken; + SAFE_FREE( ptoken->user_sids ); + ZERO_STRUCTP(ptoken); + } + SAFE_FREE(*pptoken); +} + +/**************************************************************************** + Duplicate a SID token. +****************************************************************************/ + +NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) +{ + NT_USER_TOKEN *token; + + if (!ptoken) + return NULL; + + if ((token = (NT_USER_TOKEN *)malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) + return NULL; + + ZERO_STRUCTP(token); + + if ((token->user_sids = (DOM_SID *)memdup( ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids )) == NULL) { + SAFE_FREE(token); + return NULL; + } + + token->num_sids = ptoken->num_sids; + + return token; +} -- cgit From 9d56e23591f64d8b0f4378e64615fe018f3a6d68 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 5 Nov 2001 01:04:45 +0000 Subject: Renamed make_user_info_for_winbindd() to be more consistent with the names of the other functions in this file. (This used to be commit 4880f37e4ee08b6363314a3fb67051a6708988d0) --- source3/auth/auth_util.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 9a99b2643e..421ab3f1e4 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -396,10 +396,10 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, Create an auth_usersupplied_data structure ****************************************************************************/ -BOOL make_user_info_for_winbind(auth_usersupplied_info **user_info, - char *username, - char *domain, - char *password) +BOOL make_user_info_winbind(auth_usersupplied_info **user_info, + char *username, + char *domain, + char *password) { unsigned char local_lm_response[24]; unsigned char local_nt_response[24]; -- cgit From 55dfb66079333acd8e0aee91c0ee90d0a413a8e6 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 8 Nov 2001 22:19:01 +0000 Subject: Change to guest logon code. This changes the way we process guest logons - we now treat them as normal logons, but set the 'guest' flag. In particular this is needed becouse Win2k will do an NTLMSSP login with username "", therefore missing our previous guest connection code - this is getting a pain to do as a special case all over the shop. Tridge: We don't seem to be setting a guest bit for NTLMSSP, in either the anonymous or authenticated case, can you take a look at this? Also some cleanups in the check_password() code that should make some of the debugs clearer. Various other minor cleanups: - change the session code to just take a vuser, rather than having to do a vuid lookup on vuser.vuid - Change some of the global_client_caps linking - Better debug in authorise_login(): show the vuid. Andrew Bartlett (This used to be commit 62f4e4bd0aef9ade653b3f8d575d2864c166ab4d) --- source3/auth/auth_util.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 51 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 421ab3f1e4..cfdf3a6acc 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -589,6 +589,27 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, return ret; } +/**************************************************************************** + Create a guest user_info blob, for anonymous authenticaion. +****************************************************************************/ + +BOOL make_user_info_guest(auth_usersupplied_info **user_info) +{ + DATA_BLOB sec_blob = data_blob(NULL, 0); + DATA_BLOB lm_blob = data_blob(NULL, 0); + DATA_BLOB nt_blob = data_blob(NULL, 0); + DATA_BLOB plaintext_blob = data_blob(NULL, 0); + uint32 ntlmssp_flags = 0; + + return make_user_info(user_info, + "","", + "","", + "", sec_blob, + nt_blob, lm_blob, + plaintext_blob, + ntlmssp_flags, True); +} + BOOL make_server_info(auth_serversupplied_info **server_info) { *server_info = malloc(sizeof(**server_info)); @@ -664,13 +685,19 @@ void free_server_info(auth_serversupplied_info **server_info) Make a server_info struct for a guest user ***************************************************************************/ -void make_server_info_guest(auth_serversupplied_info **server_info) +BOOL make_server_info_guest(auth_serversupplied_info **server_info) { struct passwd *pass = sys_getpwnam(lp_guestaccount(-1)); if (pass) { - make_server_info_pw(server_info, pass); + if (!make_server_info_pw(server_info, pass)) { + return False; + } + (*server_info)->guest = True; + return True; } + DEBUG(0,("make_server_info_guest: sys_getpwnam() failed on guest account!\n")); + return False; } /**************************************************************************** @@ -712,3 +739,25 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) return token; } + +/**************************************************************************** + Check for a guest logon (username = "") and if so create the required + structure. +****************************************************************************/ + +NTSTATUS check_guest_security(const auth_usersupplied_info *user_info, + auth_serversupplied_info **server_info) +{ + NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; + + if (!(user_info->internal_username.str + && *user_info->internal_username.str)) { + if (make_server_info_guest(server_info)) { + nt_status = NT_STATUS_OK; + } else { + nt_status = NT_STATUS_NO_SUCH_USER; + } + } + + return nt_status; +} -- cgit From 395aa946cd4fb9d5e07dd2fee418045a8064dfab Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 9 Nov 2001 11:16:06 +0000 Subject: This change updates lp_guestaccount() to be a *global* paramater, rather than per-share. I beleive that almost all the things that this could have done on a per-share basis can be done with other tools, like 'force user'. Almost all the user's of this paramater used it as a global anyway... While this is one step at a time, I hope it will allow me to considerably simplfy the make_connection() code, particularly for the user-level security case. This already removes an absolute truckload of extra attempted password lookups on the guest account. Andrew Bartlett (This used to be commit 8e708332eded210c1d1fe0cebca3c9c19f054b71) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index cfdf3a6acc..d442f73a93 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -687,7 +687,7 @@ void free_server_info(auth_serversupplied_info **server_info) BOOL make_server_info_guest(auth_serversupplied_info **server_info) { - struct passwd *pass = sys_getpwnam(lp_guestaccount(-1)); + struct passwd *pass = sys_getpwnam(lp_guestaccount()); if (pass) { if (!make_server_info_pw(server_info, pass)) { -- cgit From e903a34b2ecf6bca515dbe57274f4186d7f3955e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 11 Nov 2001 11:00:38 +0000 Subject: Minor updates. A small dose of const. (This used to be commit 80667cb0dd1a2cdef17711c8580af9f524971cea) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d442f73a93..3f03097de4 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -426,7 +426,7 @@ BOOL make_user_info_winbind(auth_usersupplied_info **user_info, /* WATCH OUT. This doesn't work if the incoming password is incorrectly cased. We might want to add a check here and only do an LM in that case */ - SMBNTencrypt((uchar *)password, chal, local_nt_response); + SMBNTencrypt((const uchar *)password, chal, local_nt_response); local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response)); local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response)); -- cgit From 989e0409ba581eb2ed2031a72b9d32a41417f860 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 11 Nov 2001 11:34:46 +0000 Subject: Fix up some DEBUG()s Add and fix comments Add 'const' to some more input paramaters. (This used to be commit 0c7eefcb5c5db63294d0584029e0d32cd1523e80) --- source3/auth/auth_util.c | 54 +++++++++++++++++++++++++++++++++--------------- 1 file changed, 37 insertions(+), 17 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 3f03097de4..e6ce7d186e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -158,13 +158,16 @@ void smb_user_control(const auth_usersupplied_info *user_info, auth_serversuppli Create an auth_usersupplied_data structure ****************************************************************************/ -BOOL make_user_info(auth_usersupplied_info **user_info, - char *smb_name, char *internal_username, - char *client_domain, char *domain, - char *wksta_name, DATA_BLOB sec_blob, - DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, - DATA_BLOB plaintext, - uint32 ntlmssp_flags, BOOL encrypted) +static BOOL make_user_info(auth_usersupplied_info **user_info, + const char *smb_name, + const char *internal_username, + const char *client_domain, + const char *domain, + const char *wksta_name, + DATA_BLOB sec_blob, + DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, + DATA_BLOB plaintext, + uint32 ntlmssp_flags, BOOL encrypted) { DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name)); @@ -239,14 +242,14 @@ BOOL make_user_info(auth_usersupplied_info **user_info, ****************************************************************************/ BOOL make_user_info_map(auth_usersupplied_info **user_info, - char *smb_name, - char *client_domain, - char *wksta_name, DATA_BLOB sec_blob, + const char *smb_name, + const char *client_domain, + const char *wksta_name, DATA_BLOB sec_blob, DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, DATA_BLOB plaintext, uint32 ntlmssp_flags, BOOL encrypted) { - char *domain; + const char *domain; fstring internal_username; fstrcpy(internal_username, smb_name); map_username(internal_username); @@ -418,7 +421,7 @@ BOOL make_user_info_winbind(auth_usersupplied_info **user_info, generate_random_buffer(chal, 8, False); if (*password) { - SMBencrypt( (uchar *)password, chal, local_lm_response); + SMBencrypt( (const uchar *)password, chal, local_lm_response); /* This encrypts the lm_pwd feild, which actualy contains the password rather than the nt_pwd field becouse that contains nothing */ @@ -564,7 +567,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, if (plaintext_password.data) { unsigned char local_lm_response[24]; - SMBencrypt( (uchar *)plaintext_password.data, chal, local_lm_response); + SMBencrypt( (const uchar *)plaintext_password.data, chal, local_lm_response); local_lm_blob = data_blob(local_lm_response, 24); /* We can't do an NT hash here, as the password needs to be case insensitive */ @@ -604,23 +607,31 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info) return make_user_info(user_info, "","", "","", - "", sec_blob, + "", sec_blob, nt_blob, lm_blob, plaintext_blob, ntlmssp_flags, True); } +/*************************************************************************** + Make a user_info struct +***************************************************************************/ + BOOL make_server_info(auth_serversupplied_info **server_info) { *server_info = malloc(sizeof(**server_info)); if (!*server_info) { - DEBUG(0,("make_server_info_sam: malloc failed!\n")); + DEBUG(0,("make_server_info: malloc failed!\n")); return False; } ZERO_STRUCTP(*server_info); return True; } +/*************************************************************************** + Make (and fill) a user_info struct from a SAM_ACCOUNT +***************************************************************************/ + BOOL make_server_info_sam(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass) { if (!make_server_info(server_info)) { @@ -630,12 +641,17 @@ BOOL make_server_info_sam(auth_serversupplied_info **server_info, SAM_ACCOUNT *s (*server_info)->sam_fill_level = SAM_FILL_ALL; (*server_info)->sam_account = sampass; - DEBUG(5,("make_server_info_sam: made sever info for user %s\n", + DEBUG(5,("make_server_info_sam: made server info for user %s\n", pdb_get_username((*server_info)->sam_account))); return True; } -BOOL make_server_info_pw(auth_serversupplied_info **server_info, struct passwd *pwd) +/*************************************************************************** + Make (and fill) a user_info struct from a 'struct passwd' by conversion + to a SAM_ACCOUNT +***************************************************************************/ + +BOOL make_server_info_pw(auth_serversupplied_info **server_info, const struct passwd *pwd) { SAM_ACCOUNT *sampass = NULL; if (!pdb_init_sam_pw(&sampass, pwd)) { @@ -644,6 +660,10 @@ BOOL make_server_info_pw(auth_serversupplied_info **server_info, struct passwd * return make_server_info_sam(server_info, sampass); } +/*************************************************************************** + Free a user_info struct +***************************************************************************/ + void free_user_info(auth_usersupplied_info **user_info) { DEBUG(5,("attempting to free (and zero) a user_info structure\n")); -- cgit From 96d884cc0f42ea694f7648ae12a3643bd1322a2b Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Tue, 20 Nov 2001 23:20:00 +0000 Subject: Fixed sizeof vs array length bug in make_user_info_winbind_crap() Spelling fix. (This used to be commit 3d87c1a2444c3b9267e0dda7a2da77657fba143e) --- source3/auth/auth_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index e6ce7d186e..16efdbc54e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -473,7 +473,7 @@ BOOL make_user_info_winbind(auth_usersupplied_info **user_info, /**************************************************************************** Create an auth_usersupplied_data, making the DATA_BLOBs here. - Decrupt and encrypt the passwords. + Decrypt and encrypt the passwords. ****************************************************************************/ BOOL make_user_info_winbind_crap(auth_usersupplied_info **user_info, @@ -484,7 +484,7 @@ BOOL make_user_info_winbind_crap(auth_usersupplied_info **user_info, uchar *nt_network_pwd, int nt_pwd_len) { BOOL ret; - DATA_BLOB sec_blob = data_blob(chal, sizeof(chal)); + DATA_BLOB sec_blob = data_blob(chal, 8); DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len); DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); DATA_BLOB plaintext_blob = data_blob(NULL, 0); -- cgit From 54432c412958ca4cafcc033c2d311cfccc1603f2 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 21 Nov 2001 20:14:25 +0000 Subject: Spelling fix, reformatted comment. (This used to be commit 096868bd35b374f97e570676fc23c006b6c7a1d3) --- source3/auth/auth_util.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 16efdbc54e..5a86e02928 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -423,11 +423,13 @@ BOOL make_user_info_winbind(auth_usersupplied_info **user_info, if (*password) { SMBencrypt( (const uchar *)password, chal, local_lm_response); - /* This encrypts the lm_pwd feild, which actualy contains the password - rather than the nt_pwd field becouse that contains nothing */ + /* This encrypts the lm_pwd field, which actualy contains + the password rather than the nt_pwd field becouse that + contains nothing */ - /* WATCH OUT. This doesn't work if the incoming password is incorrectly cased. - We might want to add a check here and only do an LM in that case */ + /* WATCH OUT. This doesn't work if the incoming password is + incorrectly cased. We might want to add a check here + and only do an LM in that case */ SMBNTencrypt((const uchar *)password, chal, local_nt_response); -- cgit From 646f8ca3e822290897e6298dd16ad3b4be78c07a Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 21 Nov 2001 21:10:13 +0000 Subject: More spelling fixes, comment reformatting. (This used to be commit edb556b47446f75dc4987eee15276661eb6cec8d) --- source3/auth/auth_util.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5a86e02928..25e0830fc7 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -130,9 +130,11 @@ void smb_user_control(const auth_usersupplied_info *user_info, auth_serversuppli SMB_STRUCT_STAT st; const char *home_dir = pdb_get_homedir(server_info->sam_account); /* - * Also call smb_create_user if the users home directory - * doesn't exist. Used with winbindd to allow the script to - * create the home directory for a user mapped with winbindd. + * Also call smb_create_user if the users + * home directory doesn't exist. Used with + * winbindd to allow the script to create + * the home directory for a user mapped + * with winbindd. */ if (home_dir && @@ -272,7 +274,7 @@ BOOL make_user_info_map(auth_usersupplied_info **user_info, /**************************************************************************** Create an auth_usersupplied_data, making the DATA_BLOBs here. - Decrupt and encrypt the passwords. + Decrypt and encrypt the passwords. ****************************************************************************/ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, @@ -311,7 +313,7 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, /**************************************************************************** Create an auth_usersupplied_data, making the DATA_BLOBs here. - Decrupt and encrypt the passwords. + Decrypt and encrypt the passwords. ****************************************************************************/ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, @@ -423,8 +425,8 @@ BOOL make_user_info_winbind(auth_usersupplied_info **user_info, if (*password) { SMBencrypt( (const uchar *)password, chal, local_lm_response); - /* This encrypts the lm_pwd field, which actualy contains - the password rather than the nt_pwd field becouse that + /* This encrypts the lm_pwd field, which actually contains + the password rather than the nt_pwd field because that contains nothing */ /* WATCH OUT. This doesn't work if the incoming password is @@ -572,7 +574,8 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, SMBencrypt( (const uchar *)plaintext_password.data, chal, local_lm_response); local_lm_blob = data_blob(local_lm_response, 24); - /* We can't do an NT hash here, as the password needs to be case insensitive */ + /* We can't do an NT hash here, as the password needs to be + case insensitive */ local_nt_blob = data_blob(NULL, 0); ntlmssp_flags = NTLMSSP_NEGOTIATE_OEM; -- cgit From d0a2faf78d316fec200497f5f7997df4c477a1e1 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 24 Nov 2001 12:12:38 +0000 Subject: This is another rather major change to the samba authenticaion subystem. The particular aim is to modularized the interface - so that we can have arbitrary password back-ends. This code adds one such back-end, a 'winbind' module to authenticate against the winbind_auth_crap functionality. While fully-functional this code is mainly useful as a demonstration, because we don't get back the info3 as we would for direct ntdomain authentication. This commit introduced the new 'auth methods' parameter, in the spirit of the 'auth order' discussed on the lists. It is renamed because not all the methods may be consulted, even if previous methods fail - they may not have a suitable challenge for example. Also, we have a 'local' authentication method, for old-style 'unix if plaintext, sam if encrypted' authentication and a 'guest' module to handle guest logins in a single place. While this current design is not ideal, I feel that it does provide a better infrastructure than the current design, and can be built upon. The following parameters have changed: - use rhosts = This has been replaced by the 'rhosts' authentication method, and can be specified like 'auth methods = guest rhosts' - hosts equiv = This needs both this parameter and an 'auth methods' entry to be effective. (auth methods = guest hostsequiv ....) - plaintext to smbpasswd = This is replaced by specifying 'sam' rather than 'local' in the auth methods. The security = parameter is unchanged, and now provides defaults for the 'auth methods' parameter. The available auth methods are: guest rhosts hostsequiv sam (passdb direct hash access) unix (PAM, crypt() etc) local (the combination of the above, based on encryption) smbserver (old security=server) ntdomain (old security=domain) winbind (use winbind to cache DC connections) Assistance in testing, or the production of new and interesting authentication modules is always appreciated. Andrew Bartlett (This used to be commit 8d31eae52a9757739711dbb82035a4dfe6b40c99) --- source3/auth/auth_util.c | 208 +++++++++++++++++------------------------------ 1 file changed, 75 insertions(+), 133 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 25e0830fc7..d1b2cc92e5 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -23,49 +23,9 @@ #include "includes.h" -/* Data to do lanman1/2 password challenge. */ -static unsigned char saved_challenge[8]; -static BOOL challenge_sent=False; extern fstring remote_machine; extern pstring global_myname; -/******************************************************************* - Get the next challenge value - no repeats. -********************************************************************/ - -void generate_next_challenge(char *challenge) -{ - unsigned char buf[8]; - - generate_random_buffer(buf,8,False); - memcpy(saved_challenge, buf, 8); - memcpy(challenge,buf,8); - challenge_sent = True; -} - -/******************************************************************* - Set the last challenge sent, usually from a password server. -********************************************************************/ - -BOOL set_challenge(unsigned char *challenge) -{ - memcpy(saved_challenge,challenge,8); - challenge_sent = True; - return(True); -} - -/******************************************************************* - Get the last challenge sent. -********************************************************************/ - -BOOL last_challenge(unsigned char *challenge) -{ - if (!challenge_sent) - return(False); - memcpy(challenge,saved_challenge,8); - return(True); -} - /**************************************************************************** Create a UNIX user on demand. ****************************************************************************/ @@ -166,7 +126,6 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, const char *client_domain, const char *domain, const char *wksta_name, - DATA_BLOB sec_blob, DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, DATA_BLOB plaintext, uint32 ntlmssp_flags, BOOL encrypted) @@ -226,7 +185,6 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, DEBUG(5,("makeing blobs for %s's user_info struct\n", internal_username)); - (*user_info)->sec_blob = data_blob(sec_blob.data, sec_blob.length); (*user_info)->lm_resp = data_blob(lm_pwd.data, lm_pwd.length); (*user_info)->nt_resp = data_blob(nt_pwd.data, nt_pwd.length); (*user_info)->plaintext_password = data_blob(plaintext.data, plaintext.length); @@ -246,7 +204,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, BOOL make_user_info_map(auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, - const char *wksta_name, DATA_BLOB sec_blob, + const char *wksta_name, DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, DATA_BLOB plaintext, uint32 ntlmssp_flags, BOOL encrypted) @@ -265,7 +223,7 @@ BOOL make_user_info_map(auth_usersupplied_info **user_info, return make_user_info(user_info, smb_name, internal_username, client_domain, domain, - wksta_name, sec_blob, + wksta_name, lm_pwd, nt_pwd, plaintext, ntlmssp_flags, encrypted); @@ -280,12 +238,11 @@ BOOL make_user_info_map(auth_usersupplied_info **user_info, BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, char *smb_name, char *client_domain, - char *wksta_name, uchar chal[8], + char *wksta_name, uchar *lm_network_pwd, int lm_pwd_len, uchar *nt_network_pwd, int nt_pwd_len) { BOOL ret; - DATA_BLOB sec_blob = data_blob(chal, sizeof(chal)); DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len); DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); DATA_BLOB plaintext_blob = data_blob(NULL, 0); @@ -301,8 +258,8 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, ret = make_user_info_map(user_info, smb_name, client_domain, - wksta_name, sec_blob, - nt_blob, lm_blob, + wksta_name, + lm_blob, nt_blob, plaintext_blob, ntlmssp_flags, True); @@ -320,6 +277,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, char *smb_name, char *client_domain, char *wksta_name, + char chal[8], uchar lm_interactive_pwd[16], uchar nt_interactive_pwd[16], uchar *dc_sess_key) @@ -329,11 +287,8 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, unsigned char local_lm_response[24]; unsigned char local_nt_response[24]; unsigned char key[16]; - uint8 chal[8]; uint32 ntlmssp_flags = 0; - generate_random_buffer(chal, 8, False); - ZERO_STRUCT(key); memcpy(key, dc_sess_key, 8); @@ -362,7 +317,6 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, dump_data(100, nt_pwd, sizeof(nt_pwd)); #endif - generate_random_buffer(chal, 8, False); SMBOWFencrypt((const unsigned char *)lm_pwd, chal, local_lm_response); SMBOWFencrypt((const unsigned char *)nt_pwd, chal, local_nt_response); @@ -373,7 +327,6 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, { BOOL ret; - DATA_BLOB sec_blob = data_blob(chal, sizeof(chal)); DATA_BLOB local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response)); DATA_BLOB local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response)); DATA_BLOB plaintext_blob = data_blob(NULL, 0); @@ -385,7 +338,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, ret = make_user_info_map(user_info, smb_name, client_domain, - wksta_name, sec_blob, + wksta_name, local_lm_blob, local_nt_blob, plaintext_blob, @@ -402,13 +355,14 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, ****************************************************************************/ BOOL make_user_info_winbind(auth_usersupplied_info **user_info, - char *username, - char *domain, - char *password) + const char *username, + const char *domain, + const char *password, + char chal[8] /* Give winbind back the challange we used */ + ) { unsigned char local_lm_response[24]; unsigned char local_nt_response[24]; - char chal[8]; DATA_BLOB local_lm_blob; DATA_BLOB local_nt_blob; DATA_BLOB plaintext_blob; @@ -453,16 +407,11 @@ BOOL make_user_info_winbind(auth_usersupplied_info **user_info, { BOOL ret; - DATA_BLOB sec_blob = data_blob(chal, sizeof(chal)); - - if (!sec_blob.data) { - return False; - } ret = make_user_info(user_info, username, username, domain, domain, - global_myname, sec_blob, + global_myname, local_nt_blob, local_lm_blob, plaintext_blob, @@ -483,12 +432,10 @@ BOOL make_user_info_winbind(auth_usersupplied_info **user_info, BOOL make_user_info_winbind_crap(auth_usersupplied_info **user_info, char *smb_name, char *client_domain, - uchar chal[8], uchar *lm_network_pwd, int lm_pwd_len, uchar *nt_network_pwd, int nt_pwd_len) { BOOL ret; - DATA_BLOB sec_blob = data_blob(chal, 8); DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len); DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); DATA_BLOB plaintext_blob = data_blob(NULL, 0); @@ -502,7 +449,7 @@ BOOL make_user_info_winbind_crap(auth_usersupplied_info **user_info, ret = make_user_info(user_info, smb_name, smb_name, client_domain, client_domain, - global_myname, sec_blob, + global_myname, nt_blob, lm_blob, plaintext_blob, ntlmssp_flags, True); @@ -517,59 +464,30 @@ BOOL make_user_info_winbind_crap(auth_usersupplied_info **user_info, ****************************************************************************/ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, - char *smb_name, - char *client_domain, - DATA_BLOB lm_resp, DATA_BLOB nt_resp, - DATA_BLOB plaintext_password, - BOOL encrypted) + char *smb_name, + char *client_domain, + char chal[8], + DATA_BLOB plaintext_password) { - uchar chal[8]; DATA_BLOB local_lm_blob; DATA_BLOB local_nt_blob; - DATA_BLOB sec_blob; BOOL ret = False; uint32 ntlmssp_flags = 0; - if (encrypted) { - DATA_BLOB no_plaintext_blob = data_blob(NULL, 0); - if (!last_challenge(chal)) { - DEBUG(0,("Encrypted login but no challange set!\n")); - return False; - } - sec_blob = data_blob(chal, 8); - - if (lm_resp.length == 24) { - ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM; - } - if (nt_resp.length == 0) { - } else if (nt_resp.length == 24) { - ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; - } else { - ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM2; - } - - return make_user_info_map(user_info, smb_name, - client_domain, - remote_machine, sec_blob, - lm_resp, - nt_resp, - no_plaintext_blob, - ntlmssp_flags, encrypted); - } - - generate_random_buffer(chal, 8, False); - - sec_blob = data_blob(chal, 8); - /* * Not encrypted - do so. */ - DEBUG(5,("pass_check_smb: User passwords not in encrypted format.\n")); + DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted format.\n")); if (plaintext_password.data) { unsigned char local_lm_response[24]; + +#ifdef DEBUG_PASSWORD + DEBUG(10,("Unencrypted password (len %d):\n",plaintext_password.length)); + dump_data(100, plaintext_password.data, plaintext_password.length); +#endif SMBencrypt( (const uchar *)plaintext_password.data, chal, local_lm_response); local_lm_blob = data_blob(local_lm_response, 24); @@ -587,23 +505,54 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, ret = make_user_info_map(user_info, smb_name, client_domain, remote_machine, - sec_blob, local_lm_blob, local_nt_blob, plaintext_password, - ntlmssp_flags, encrypted); + ntlmssp_flags, False); data_blob_free(&local_lm_blob); return ret; } +/**************************************************************************** + Create an auth_usersupplied_data structure +****************************************************************************/ + +BOOL make_user_info_for_reply_enc(auth_usersupplied_info **user_info, + char *smb_name, + char *client_domain, + DATA_BLOB lm_resp, DATA_BLOB nt_resp, + DATA_BLOB plaintext_password) +{ + uint32 ntlmssp_flags = 0; + + DATA_BLOB no_plaintext_blob = data_blob(NULL, 0); + + if (lm_resp.length == 24) { + ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM; + } + if (nt_resp.length == 0) { + } else if (nt_resp.length == 24) { + ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; + } else { + ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM2; + } + + return make_user_info_map(user_info, smb_name, + client_domain, + remote_machine, + lm_resp, + nt_resp, + no_plaintext_blob, + ntlmssp_flags, True); +} + /**************************************************************************** Create a guest user_info blob, for anonymous authenticaion. ****************************************************************************/ BOOL make_user_info_guest(auth_usersupplied_info **user_info) { - DATA_BLOB sec_blob = data_blob(NULL, 0); DATA_BLOB lm_blob = data_blob(NULL, 0); DATA_BLOB nt_blob = data_blob(NULL, 0); DATA_BLOB plaintext_blob = data_blob(NULL, 0); @@ -612,7 +561,7 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info) return make_user_info(user_info, "","", "","", - "", sec_blob, + "", nt_blob, lm_blob, plaintext_blob, ntlmssp_flags, True); @@ -680,7 +629,6 @@ void free_user_info(auth_usersupplied_info **user_info) SAFE_FREE((*user_info)->internal_username.str); SAFE_FREE((*user_info)->client_domain.str); SAFE_FREE((*user_info)->domain.str); - data_blob_free(&(*user_info)->sec_blob); data_blob_free(&(*user_info)->lm_resp); data_blob_free(&(*user_info)->nt_resp); SAFE_FREE((*user_info)->interactive_password); @@ -725,6 +673,22 @@ BOOL make_server_info_guest(auth_serversupplied_info **server_info) return False; } +/*************************************************************************** + Make an auth_methods struct +***************************************************************************/ + +BOOL make_auth_methods(auth_methods **auth_method) +{ + *auth_method = malloc(sizeof(**auth_method)); + if (!*auth_method) { + DEBUG(0,("make_auth_method: malloc failed!\n")); + return False; + } + ZERO_STRUCTP(*auth_method); + + return True; +} + /**************************************************************************** Delete a SID token. ****************************************************************************/ @@ -764,25 +728,3 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) return token; } - -/**************************************************************************** - Check for a guest logon (username = "") and if so create the required - structure. -****************************************************************************/ - -NTSTATUS check_guest_security(const auth_usersupplied_info *user_info, - auth_serversupplied_info **server_info) -{ - NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; - - if (!(user_info->internal_username.str - && *user_info->internal_username.str)) { - if (make_server_info_guest(server_info)) { - nt_status = NT_STATUS_OK; - } else { - nt_status = NT_STATUS_NO_SUCH_USER; - } - } - - return nt_status; -} -- cgit From 178f6a64b26d828db6b516392d7072e9c29f6233 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 26 Nov 2001 04:05:28 +0000 Subject: challange -> challenge (This used to be commit d6318add27f6bca5be00cbedf2226b642341297a) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d1b2cc92e5..b7927e970c 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -358,7 +358,7 @@ BOOL make_user_info_winbind(auth_usersupplied_info **user_info, const char *username, const char *domain, const char *password, - char chal[8] /* Give winbind back the challange we used */ + char chal[8] /* Give winbind back the challenge we used */ ) { unsigned char local_lm_response[24]; -- cgit From 32a811ce762bc9061ac71633cd299160ea955737 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 27 Nov 2001 04:07:57 +0000 Subject: fixed leak in free_user_info() (This used to be commit 8eb4277b12b600cdbf8a5205ebc76d1d9d52f1aa) --- source3/auth/auth_util.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index b7927e970c..fed4efd36c 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -629,6 +629,7 @@ void free_user_info(auth_usersupplied_info **user_info) SAFE_FREE((*user_info)->internal_username.str); SAFE_FREE((*user_info)->client_domain.str); SAFE_FREE((*user_info)->domain.str); + SAFE_FREE((*user_info)->wksta_name.str); data_blob_free(&(*user_info)->lm_resp); data_blob_free(&(*user_info)->nt_resp); SAFE_FREE((*user_info)->interactive_password); -- cgit From 0ff1a9568b4bc0220cf90ea78f2657a92682307d Mon Sep 17 00:00:00 2001 From: Jean-François Micouleau Date: Mon, 10 Dec 2001 15:03:16 +0000 Subject: added info level 3 to samrgetgroupinfo. I don't know what the value is. It's just to keep usermanager happy ;-) clean up a bit samr_query_aliasinfo to return the group description added: samr_del_aliasmem, samr_del_groupmem and samr_del_domuser with the correct scripts, you can now entirely manage the users from usermanager ! Closer to full PDC every day ;-) J.F. (This used to be commit 0a727afc669704cda9b44d44dbac9e989e906ae3) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index fed4efd36c..04b3cbbecf 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -50,7 +50,7 @@ static int smb_create_user(const char *unix_user, const char *homedir) Delete a UNIX user on demand. ****************************************************************************/ -static int smb_delete_user(char *unix_user) +int smb_delete_user(char *unix_user) { pstring del_script; int ret; -- cgit From db9d6374a312ba5acb89d80bb41dbd5fdc8d0b17 Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Mon, 17 Dec 2001 18:53:57 +0000 Subject: make sure we pass the lm and nt data in the right order. They were swapped, and somehow this worked when both were provided, but not when only one was. (This used to be commit 477309b1e653761b291daa4693976d341880beab) --- source3/auth/auth_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 04b3cbbecf..60495ad23b 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -412,8 +412,8 @@ BOOL make_user_info_winbind(auth_usersupplied_info **user_info, username, username, domain, domain, global_myname, - local_nt_blob, local_lm_blob, + local_nt_blob, plaintext_blob, ntlmssp_flags, False); @@ -450,7 +450,7 @@ BOOL make_user_info_winbind_crap(auth_usersupplied_info **user_info, smb_name, smb_name, client_domain, client_domain, global_myname, - nt_blob, lm_blob, + lm_blob, nt_blob, plaintext_blob, ntlmssp_flags, True); -- cgit From 9126a40e2c33e0eb4cd57ab381634e08fa59e7a7 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 19 Dec 2001 09:53:30 +0000 Subject: added trusted realm support to ADS authentication the method used for checking if a domain is a trusted domain is very crude, we should really call a backend fn of some sort. For now I'm using winbindd to do the dirty work. (This used to be commit adf44a9bd0d997ba4dcfadc564a29149531525af) --- source3/auth/auth_util.c | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 60495ad23b..3e480b4fd1 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -215,7 +215,26 @@ BOOL make_user_info_map(auth_usersupplied_info **user_info, map_username(internal_username); if (lp_allow_trusted_domains()) { - domain = client_domain; + char *user; + /* the client could have given us a workstation name + or other crap for the workgroup - we really need a + way of telling if this domain name is one of our + trusted domain names + + The way I do it here is by checking if the fully + qualified username exists. This is rather reliant + on winbind, but until we have a better method this + will have to do + */ + asprintf(&user, "%s%s%s", + client_domain, lp_winbind_separator(), + smb_name); + if (Get_Pwnam(user) != NULL) { + domain = client_domain; + } else { + domain = lp_workgroup(); + } + free(user); } else { domain = lp_workgroup(); } -- cgit From 11b14e838988e71880e707174493da5fd3b0b75a Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 29 Dec 2001 20:29:43 +0000 Subject: Removed extra lp_adduser() call. Fixed up error returns in get_correct_cversion(). Jeremy. (This used to be commit 7ce2d1fe37d2be26c407f3dc9427851d00ca216a) --- source3/auth/auth_util.c | 17 ----------------- 1 file changed, 17 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 3e480b4fd1..6f7ec8c0d7 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -85,23 +85,6 @@ void smb_user_control(const auth_usersupplied_info *user_info, auth_serversuppli if(lp_adduser_script() && !(pwd = Get_Pwnam(user_info->internal_username.str))) { smb_create_user(user_info->internal_username.str, NULL); } - } else { - if(lp_adduser_script()) { - SMB_STRUCT_STAT st; - const char *home_dir = pdb_get_homedir(server_info->sam_account); - /* - * Also call smb_create_user if the users - * home directory doesn't exist. Used with - * winbindd to allow the script to create - * the home directory for a user mapped - * with winbindd. - */ - - if (home_dir && - (sys_stat(home_dir, &st) == -1) && (errno == ENOENT)) { - smb_create_user(user_info->internal_username.str, home_dir); - } - } } } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { /* -- cgit From eb4e10115310b6ed23b92abac2e79454c80930b1 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 31 Dec 2001 13:46:26 +0000 Subject: - portablitity fixes for cc -64 on irix - fixed gid* bug in rpc_server (This used to be commit 48aa90c48c5f0e3054c4acdc49668e222e7c0d36) --- source3/auth/auth_util.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 6f7ec8c0d7..4265e77093 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -279,7 +279,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, char *smb_name, char *client_domain, char *wksta_name, - char chal[8], + uchar chal[8], uchar lm_interactive_pwd[16], uchar nt_interactive_pwd[16], uchar *dc_sess_key) @@ -360,7 +360,7 @@ BOOL make_user_info_winbind(auth_usersupplied_info **user_info, const char *username, const char *domain, const char *password, - char chal[8] /* Give winbind back the challenge we used */ + uchar chal[8] /* Give winbind back the challenge we used */ ) { unsigned char local_lm_response[24]; @@ -468,7 +468,7 @@ BOOL make_user_info_winbind_crap(auth_usersupplied_info **user_info, BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, char *smb_name, char *client_domain, - char chal[8], + unsigned char chal[8], DATA_BLOB plaintext_password) { -- cgit From 62d528520b543b63419e76f3e32219c987f7756a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 1 Jan 2002 05:49:27 +0000 Subject: Now that winbind doesn't rely on this, we may as well remove it... Andrew Bartlett (This used to be commit 6673fdda3cb6b90189d8f82274fdffa89f68101b) --- source3/auth/auth_util.c | 108 ----------------------------------------------- 1 file changed, 108 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 4265e77093..13dfdb59cc 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -352,114 +352,6 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, } } -/**************************************************************************** - Create an auth_usersupplied_data structure -****************************************************************************/ - -BOOL make_user_info_winbind(auth_usersupplied_info **user_info, - const char *username, - const char *domain, - const char *password, - uchar chal[8] /* Give winbind back the challenge we used */ - ) -{ - unsigned char local_lm_response[24]; - unsigned char local_nt_response[24]; - DATA_BLOB local_lm_blob; - DATA_BLOB local_nt_blob; - DATA_BLOB plaintext_blob; - uint32 ntlmssp_flags = 0; - - /* - * Not encrypted - do so. - */ - - DEBUG(5,("pass_check_smb: User passwords not in encrypted format.\n")); - - generate_random_buffer(chal, 8, False); - - if (*password) { - SMBencrypt( (const uchar *)password, chal, local_lm_response); - - /* This encrypts the lm_pwd field, which actually contains - the password rather than the nt_pwd field because that - contains nothing */ - - /* WATCH OUT. This doesn't work if the incoming password is - incorrectly cased. We might want to add a check here - and only do an LM in that case */ - - SMBNTencrypt((const uchar *)password, chal, local_nt_response); - - local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response)); - local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response)); - plaintext_blob = data_blob(password, strlen(password)+1); - if ((!local_lm_blob.data) || (!local_nt_blob.data)|| (!plaintext_blob.data)) { - data_blob_free(&local_lm_blob); - data_blob_free(&local_nt_blob); - data_blob_clear_free(&plaintext_blob); - return False; - } - ntlmssp_flags = NTLMSSP_NEGOTIATE_OEM | NTLMSSP_NEGOTIATE_NTLM; - } else { - local_lm_blob = data_blob(NULL, 0); - local_nt_blob = data_blob(NULL, 0); - plaintext_blob = data_blob(NULL, 0); - } - - { - BOOL ret; - - ret = make_user_info(user_info, - username, username, - domain, domain, - global_myname, - local_lm_blob, - local_nt_blob, - plaintext_blob, - ntlmssp_flags, False); - - data_blob_free(&local_lm_blob); - data_blob_free(&local_nt_blob); - data_blob_clear_free(&plaintext_blob); - return ret; - } -} - -/**************************************************************************** - Create an auth_usersupplied_data, making the DATA_BLOBs here. - Decrypt and encrypt the passwords. -****************************************************************************/ - -BOOL make_user_info_winbind_crap(auth_usersupplied_info **user_info, - char *smb_name, - char *client_domain, - uchar *lm_network_pwd, int lm_pwd_len, - uchar *nt_network_pwd, int nt_pwd_len) -{ - BOOL ret; - DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len); - DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); - DATA_BLOB plaintext_blob = data_blob(NULL, 0); - uint32 ntlmssp_flags = 0; - - if (lm_pwd_len) - ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM; - if (nt_pwd_len) - ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; - - ret = make_user_info(user_info, - smb_name, smb_name, - client_domain, client_domain, - global_myname, - lm_blob, nt_blob, - plaintext_blob, - ntlmssp_flags, True); - - data_blob_free(&lm_blob); - data_blob_free(&nt_blob); - return ret; -} /**************************************************************************** Create an auth_usersupplied_data structure -- cgit From 493c34b8f3de4b402d9496424e250faa4743e310 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 2 Jan 2002 06:55:21 +0000 Subject: Another touch of 'const' (This used to be commit 3d812aacff98eec62c748cb89109a2e58806d92d) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 13dfdb59cc..d9f3098e7c 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -50,7 +50,7 @@ static int smb_create_user(const char *unix_user, const char *homedir) Delete a UNIX user on demand. ****************************************************************************/ -int smb_delete_user(char *unix_user) +int smb_delete_user(const char *unix_user) { pstring del_script; int ret; -- cgit From 2e28f8ff0e3bb50ac5b2742c7678c39cb65bcd95 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 5 Jan 2002 04:55:41 +0000 Subject: I've decided to move the auth code around a bit more... The auth_authsupplied_info typedef is now just a plain struct - auth_context, but it has been modified to contain the function pointers to the rest of the auth subsystem's components. (Who needs non-static functions anyway?) In working all this mess out, I fixed a number of memory leaks and moved the entire auth subsystem over to talloc(). Note that the TALLOC_CTX attached to the auth_context can be rather long-lived, it is provided for things that are intended to live as long. (The global_negprot_auth_context lasts the whole life of the smbd). I've also adjusted a few things in auth_domain.c, mainly passing the domain as a paramater to a few functions instead of looking up lp_workgroup(). I'm hopign to make this entire thing a bit more trusted domains (as PDC) freindly in the near future. Other than that, I moved a bit of the code around, hence the rather messy diff. Andrew Bartlett (This used to be commit 12f5515f556cf39fea98134fe3e2ac4540501048) --- source3/auth/auth_util.c | 63 ++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 50 insertions(+), 13 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d9f3098e7c..a479f52ab2 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -276,13 +276,13 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, ****************************************************************************/ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, - char *smb_name, - char *client_domain, - char *wksta_name, - uchar chal[8], - uchar lm_interactive_pwd[16], - uchar nt_interactive_pwd[16], - uchar *dc_sess_key) + const char *smb_name, + const char *client_domain, + const char *wksta_name, + const uchar chal[8], + const uchar lm_interactive_pwd[16], + const uchar nt_interactive_pwd[16], + const uchar *dc_sess_key) { char lm_pwd[16]; char nt_pwd[16]; @@ -360,7 +360,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, char *smb_name, char *client_domain, - unsigned char chal[8], + const uint8 chal[8], DATA_BLOB plaintext_password) { @@ -383,7 +383,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, dump_data(100, plaintext_password.data, plaintext_password.length); #endif - SMBencrypt( (const uchar *)plaintext_password.data, chal, local_lm_response); + SMBencrypt( (const uchar *)plaintext_password.data, (const uchar*)chal, local_lm_response); local_lm_blob = data_blob(local_lm_response, 24); /* We can't do an NT hash here, as the password needs to be @@ -415,8 +415,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, BOOL make_user_info_for_reply_enc(auth_usersupplied_info **user_info, char *smb_name, char *client_domain, - DATA_BLOB lm_resp, DATA_BLOB nt_resp, - DATA_BLOB plaintext_password) + DATA_BLOB lm_resp, DATA_BLOB nt_resp) { uint32 ntlmssp_flags = 0; @@ -572,9 +571,17 @@ BOOL make_server_info_guest(auth_serversupplied_info **server_info) Make an auth_methods struct ***************************************************************************/ -BOOL make_auth_methods(auth_methods **auth_method) +BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_method) { - *auth_method = malloc(sizeof(**auth_method)); + if (!auth_context) { + smb_panic("no auth_context supplied to make_auth_methods()!\n"); + } + + if (!auth_method) { + smb_panic("make_auth_methods: pointer to auth_method pointer is NULL!\n"); + } + + *auth_method = talloc(auth_context->mem_ctx, sizeof(**auth_method)); if (!*auth_method) { DEBUG(0,("make_auth_method: malloc failed!\n")); return False; @@ -623,3 +630,33 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) return token; } + +/** + * Squash an NT_STATUS in line with security requirements. + * In an attempt to avoid giving the whole game away when users + * are authenticating, NT replaces both NT_STATUS_NO_SUCH_USER and + * NT_STATUS_WRONG_PASSWORD with NT_STATUS_LOGON_FAILURE in certain situations + * (session setups in particular). + * + * @param nt_status NTSTATUS input for squashing. + * @return the 'squashed' nt_status + **/ + +NTSTATUS nt_status_squash(NTSTATUS nt_status) +{ + if NT_STATUS_IS_OK(nt_status) { + return nt_status; + } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) { + /* Match WinXP and don't give the game away */ + return NT_STATUS_LOGON_FAILURE; + + } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) { + /* Match WinXP and don't give the game away */ + return NT_STATUS_LOGON_FAILURE; + } else { + return nt_status; + } +} + + + -- cgit From 5047a66d39fdd56a5895037de8c519a828a03b19 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 11 Jan 2002 05:29:09 +0000 Subject: Back out the crazy notion that the NTLMSSP flags actually mean anything... Replace this with some flags that *we* define. We can do a mapping later if we actually get some more reliable info about what passwords are actually valid. Andrew Bartlett (This used to be commit 7f7a42c3e4d5798ac87ea16a42e4976c3778a76b) --- source3/auth/auth_util.c | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index a479f52ab2..a747cf8a35 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -111,7 +111,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, const char *wksta_name, DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, DATA_BLOB plaintext, - uint32 ntlmssp_flags, BOOL encrypted) + uint32 auth_flags, BOOL encrypted) { DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name)); @@ -173,7 +173,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, (*user_info)->plaintext_password = data_blob(plaintext.data, plaintext.length); (*user_info)->encrypted = encrypted; - (*user_info)->ntlmssp_flags = ntlmssp_flags; + (*user_info)->auth_flags = auth_flags; DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name)); @@ -248,14 +248,14 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len); DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); DATA_BLOB plaintext_blob = data_blob(NULL, 0); - uint32 ntlmssp_flags = 0; + uint32 auth_flags = AUTH_FLAG_NONE; if (lm_pwd_len) - ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM; + auth_flags |= AUTH_FLAG_LM_RESP; if (nt_pwd_len == 24) { - ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; + auth_flags |= AUTH_FLAG_NTLM_RESP; } else if (nt_pwd_len != 0) { - ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM2; + auth_flags |= AUTH_FLAG_NTLMv2_RESP; } ret = make_user_info_map(user_info, @@ -263,7 +263,7 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, wksta_name, lm_blob, nt_blob, plaintext_blob, - ntlmssp_flags, True); + auth_flags, True); data_blob_free(&lm_blob); data_blob_free(&nt_blob); @@ -289,7 +289,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, unsigned char local_lm_response[24]; unsigned char local_nt_response[24]; unsigned char key[16]; - uint32 ntlmssp_flags = 0; + uint32 auth_flags = AUTH_FLAG_NONE; ZERO_STRUCT(key); memcpy(key, dc_sess_key, 8); @@ -334,9 +334,9 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, DATA_BLOB plaintext_blob = data_blob(NULL, 0); if (lm_interactive_pwd) - ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM; + auth_flags |= AUTH_FLAG_LM_RESP; if (nt_interactive_pwd) - ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; + auth_flags |= AUTH_FLAG_NTLM_RESP; ret = make_user_info_map(user_info, smb_name, client_domain, @@ -344,7 +344,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, local_lm_blob, local_nt_blob, plaintext_blob, - ntlmssp_flags, True); + auth_flags, True); data_blob_free(&local_lm_blob); data_blob_free(&local_nt_blob); @@ -367,7 +367,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, DATA_BLOB local_lm_blob; DATA_BLOB local_nt_blob; BOOL ret = False; - uint32 ntlmssp_flags = 0; + uint32 auth_flags = AUTH_FLAG_NONE; /* * Not encrypted - do so. @@ -390,7 +390,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, case insensitive */ local_nt_blob = data_blob(NULL, 0); - ntlmssp_flags = NTLMSSP_NEGOTIATE_OEM; + auth_flags = (AUTH_FLAG_PLAINTEXT | AUTH_FLAG_LM_RESP); } else { local_lm_blob = data_blob(NULL, 0); local_nt_blob = data_blob(NULL, 0); @@ -402,7 +402,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, local_lm_blob, local_nt_blob, plaintext_password, - ntlmssp_flags, False); + auth_flags, False); data_blob_free(&local_lm_blob); return ret; @@ -417,18 +417,18 @@ BOOL make_user_info_for_reply_enc(auth_usersupplied_info **user_info, char *client_domain, DATA_BLOB lm_resp, DATA_BLOB nt_resp) { - uint32 ntlmssp_flags = 0; + uint32 auth_flags = AUTH_FLAG_NONE; DATA_BLOB no_plaintext_blob = data_blob(NULL, 0); if (lm_resp.length == 24) { - ntlmssp_flags |= NTLMSSP_NEGOTIATE_OEM; + auth_flags |= AUTH_FLAG_LM_RESP; } if (nt_resp.length == 0) { } else if (nt_resp.length == 24) { - ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM; + auth_flags |= AUTH_FLAG_NTLM_RESP; } else { - ntlmssp_flags |= NTLMSSP_NEGOTIATE_NTLM2; + auth_flags |= AUTH_FLAG_NTLMv2_RESP; } return make_user_info_map(user_info, smb_name, @@ -437,7 +437,7 @@ BOOL make_user_info_for_reply_enc(auth_usersupplied_info **user_info, lm_resp, nt_resp, no_plaintext_blob, - ntlmssp_flags, True); + auth_flags, True); } /**************************************************************************** @@ -449,7 +449,7 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info) DATA_BLOB lm_blob = data_blob(NULL, 0); DATA_BLOB nt_blob = data_blob(NULL, 0); DATA_BLOB plaintext_blob = data_blob(NULL, 0); - uint32 ntlmssp_flags = 0; + uint32 auth_flags = AUTH_FLAG_NONE; return make_user_info(user_info, "","", @@ -457,7 +457,7 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info) "", nt_blob, lm_blob, plaintext_blob, - ntlmssp_flags, True); + auth_flags, True); } /*************************************************************************** -- cgit From 90558370ab9019c425019083a6dcb129a808a5ed Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 15 Jan 2002 01:14:58 +0000 Subject: Commit the auth associated changes I missed from the last commit. Also set the default value of all the allocated strings to "" to avoid changing the interface (becouse pdb_get...() would point to a null string, rather than a null pointer and parts of samba rely on that). Andrew Bartlett (This used to be commit 5b4079f748e25f21162e21b439063249baf8dca6) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index a747cf8a35..d2748e30d4 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -501,7 +501,7 @@ BOOL make_server_info_sam(auth_serversupplied_info **server_info, SAM_ACCOUNT *s BOOL make_server_info_pw(auth_serversupplied_info **server_info, const struct passwd *pwd) { SAM_ACCOUNT *sampass = NULL; - if (!pdb_init_sam_pw(&sampass, pwd)) { + if (!NT_STATUS_IS_OK(pdb_init_sam_pw(&sampass, pwd))) { return False; } return make_server_info_sam(server_info, sampass); -- cgit From c311d24ce32d2a8aa244f126bcec67ec03549727 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 17 Jan 2002 08:45:58 +0000 Subject: A nice *big* change to the fundemental way we do things. Samba (ab)uses the returns from getpwnam() a lot - in particular it keeps them around for a long time - often past the next call... This adds a getpwnam_alloc and a getpwuid_alloc to the collection. These function as expected, returning a malloced structure that can be free()ed with passwd_free(&passwd). This patch also cuts down on the number of calls to getpwnam - mostly by taking advantage of the fact that the passdb interface is already case-insensiteve. With this patch most of the recursive cases have been removed (that I know of) and the problems are reduced further by not using the sys_ interface in the new code. This means that pointers to the cache won't be affected. (This is a tempoary HACK, I intend to kill the password cache entirly). The only change I'm a little worried about is the change to rpc_server/srv_samr_nt.c for private groups. In this case we are getting groups from the new group mapping DB. Do we still need to check for private groups? I've toned down the check to a case sensitve match with the new code, but we might be able to kill it entirly. I've also added a make_modifyable_passwd() function, that copies a passwd struct into the form that the old sys_getpw* code provided. As far as I can tell this is only actually used in the pass_check.c crazies, where I moved the final 'special case' for shadow passwords (out of _Get_Pwnam()). The matching case for getpwent() is dealt with already, in lib/util_getent.c Also included in here is a small change to register the [homes] share at vuid creation rather than just in one varient of the session setup. (This picks up the SPNEGO cases). The home directory is now stored on the vuid, and I am hoping this might provide a saner way to do %H substitions. TODO: Kill off remaining Get_Pwnam_Modify calls (they are not needed), change the remaining sys_getpwnam() callers to use getpwnam_alloc() and move Get_Pwnam to return an allocated struct. Andrew Bartlett (This used to be commit 1d86c7f94230bc53daebd4d2cd829da6292e05da) --- source3/auth/auth_util.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d2748e30d4..643c2e1996 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -554,16 +554,18 @@ void free_server_info(auth_serversupplied_info **server_info) BOOL make_server_info_guest(auth_serversupplied_info **server_info) { - struct passwd *pass = sys_getpwnam(lp_guestaccount()); + struct passwd *pass = getpwnam_alloc(lp_guestaccount()); if (pass) { if (!make_server_info_pw(server_info, pass)) { + passwd_free(&pass); return False; } (*server_info)->guest = True; + passwd_free(&pass); return True; } - DEBUG(0,("make_server_info_guest: sys_getpwnam() failed on guest account!\n")); + DEBUG(0,("make_server_info_guest: getpwnam_alloc() failed on guest account!\n")); return False; } -- cgit From aea134de2c4d3e67c17263bdc8545bd6f6167199 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 18 Jan 2002 08:12:10 +0000 Subject: Don't do tridge's crazy 'am I a trusted domain' lookup for guests. Andrew Bartlett (This used to be commit 9bfe54a3d484919fe830f9c6ae01f67663974af2) --- source3/auth/auth_util.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 643c2e1996..0839b19665 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -198,7 +198,6 @@ BOOL make_user_info_map(auth_usersupplied_info **user_info, map_username(internal_username); if (lp_allow_trusted_domains()) { - char *user; /* the client could have given us a workstation name or other crap for the workgroup - we really need a way of telling if this domain name is one of our @@ -209,15 +208,19 @@ BOOL make_user_info_map(auth_usersupplied_info **user_info, on winbind, but until we have a better method this will have to do */ - asprintf(&user, "%s%s%s", - client_domain, lp_winbind_separator(), - smb_name); - if (Get_Pwnam(user) != NULL) { - domain = client_domain; - } else { - domain = lp_workgroup(); + + domain = client_domain; + + if ((smb_name) && (*smb_name)) { /* Don't do this for guests */ + char *user; + asprintf(&user, "%s%s%s", + client_domain, lp_winbind_separator(), + smb_name); + if (Get_Pwnam(user) == NULL) { + domain = lp_workgroup(); + } + free(user); } - free(user); } else { domain = lp_workgroup(); } -- cgit From 2d06adc3f02ba18b832886bf4cda95679b13a39b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 20 Jan 2002 08:58:21 +0000 Subject: Add a touch of 'const' to some auth components, and move the simple plaintext password check into its own helper funciton. (This will allow it to be called from other places). Andrew Bartlett (This used to be commit 9e96f438057da21254f40facdd9a31dd20652f35) --- source3/auth/auth_util.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 0839b19665..5b252f42cd 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -241,11 +241,11 @@ BOOL make_user_info_map(auth_usersupplied_info **user_info, ****************************************************************************/ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, - char *smb_name, - char *client_domain, - char *wksta_name, - uchar *lm_network_pwd, int lm_pwd_len, - uchar *nt_network_pwd, int nt_pwd_len) + const char *smb_name, + const char *client_domain, + const char *wksta_name, + const uchar *lm_network_pwd, int lm_pwd_len, + const uchar *nt_network_pwd, int nt_pwd_len) { BOOL ret; DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len); @@ -361,8 +361,8 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, ****************************************************************************/ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, - char *smb_name, - char *client_domain, + const char *smb_name, + const char *client_domain, const uint8 chal[8], DATA_BLOB plaintext_password) { @@ -416,9 +416,9 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, ****************************************************************************/ BOOL make_user_info_for_reply_enc(auth_usersupplied_info **user_info, - char *smb_name, - char *client_domain, - DATA_BLOB lm_resp, DATA_BLOB nt_resp) + const char *smb_name, + const char *client_domain, + DATA_BLOB lm_resp, DATA_BLOB nt_resp) { uint32 auth_flags = AUTH_FLAG_NONE; -- cgit From cd68afe31256ad60748b34f7318a180cfc2127cc Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 30 Jan 2002 06:08:46 +0000 Subject: Removed version number from file header. Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa) --- source3/auth/auth_util.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5b252f42cd..cd53b6b7c2 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1,6 +1,5 @@ /* - Unix SMB/Netbios implementation. - Version 1.9. + Unix SMB/CIFS implementation. Authentication utility functions Copyright (C) Andrew Tridgell 1992-1998 Copyright (C) Andrew Bartlett 2001 -- cgit From d79e11ad6d4be78a4140d0f33acea702cbd1d944 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 1 Mar 2002 01:24:30 +0000 Subject: Various comment fixes from Rafal Szczesniak (This used to be commit 3bf4b42771d115500941be374bfdd9b8c2fdba4a) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index cd53b6b7c2..a4dea39d2d 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -123,7 +123,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, ZERO_STRUCTP(*user_info); - DEBUG(5,("makeing strings for %s's user_info struct\n", internal_username)); + DEBUG(5,("making strings for %s's user_info struct\n", internal_username)); (*user_info)->smb_name.str = strdup(smb_name); if ((*user_info)->smb_name.str) { -- cgit From 9802310b2aa919964f4f312cd99349d02cc12afc Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 13 Mar 2002 01:51:01 +0000 Subject: Ensure we never use "" as a domain name (Win9X apparently does this for 'net use' duirng login). Picked up from a post to a TNG list by Volker. Andrew Bartlett (This used to be commit f81882fc9510aadd7d1db77753b307800ab50f9b) --- source3/auth/auth_util.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index a4dea39d2d..587273d9b6 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -196,12 +196,17 @@ BOOL make_user_info_map(auth_usersupplied_info **user_info, fstrcpy(internal_username, smb_name); map_username(internal_username); - if (lp_allow_trusted_domains()) { + if (lp_allow_trusted_domains() && *client_domain) { + /* the client could have given us a workstation name or other crap for the workgroup - we really need a way of telling if this domain name is one of our trusted domain names + Also don't allow "" as a domain, fixes a Win9X bug + where it doens't supply a domain for logon script + 'net use' commands. + The way I do it here is by checking if the fully qualified username exists. This is rather reliant on winbind, but until we have a better method this -- cgit From bf281ae3e5d686efc49c57952b9ffde52d3d8abf Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 23 Mar 2002 09:01:30 +0000 Subject: Extra parinoa and DEBUG()s for the make_user_info_map() code. (This used to be commit aa5f125bc0efeee99254e03f36426420db676527) --- source3/auth/auth_util.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 587273d9b6..a834227e1f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -195,6 +195,9 @@ BOOL make_user_info_map(auth_usersupplied_info **user_info, fstring internal_username; fstrcpy(internal_username, smb_name); map_username(internal_username); + + DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n", + client_domain, smb_name, wksta_name)); if (lp_allow_trusted_domains() && *client_domain) { @@ -216,14 +219,25 @@ BOOL make_user_info_map(auth_usersupplied_info **user_info, domain = client_domain; if ((smb_name) && (*smb_name)) { /* Don't do this for guests */ - char *user; - asprintf(&user, "%s%s%s", + char *user = NULL; + if (asprintf(&user, "%s%s%s", client_domain, lp_winbind_separator(), - smb_name); + smb_name) < 0) { + DEBUG(0, ("make_user_info_map: asprintf() failed!\n")); + return False; + } + + DEBUG(5, ("make_user_info_map: testing for user %s\n", user)); + if (Get_Pwnam(user) == NULL) { + DEBUG(5, ("make_user_info_map: test for user %s failed\n", user)); domain = lp_workgroup(); + DEBUG(5, ("make_user_info_map: trusted domain %s doesn't appear to exist, using %s\n", + client_domain, domain)); + } else { + DEBUG(5, ("make_user_info_map: using trusted domain %s\n", domain)); } - free(user); + SAFE_FREE(user); } } else { domain = lp_workgroup(); -- cgit From 1d582af3c0dcbfad9a158f3ed38219c95424b045 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Sun, 24 Mar 2002 23:25:05 +0000 Subject: Spelling fixes. (This used to be commit a5ac2ac4ada48ee3be061a32ba40bd8c4b3b3865) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index a834227e1f..d80c927c19 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -343,7 +343,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, SMBOWFencrypt((const unsigned char *)lm_pwd, chal, local_lm_response); SMBOWFencrypt((const unsigned char *)nt_pwd, chal, local_nt_response); - /* Password info parinoia */ + /* Password info paranoia */ ZERO_STRUCT(lm_pwd); ZERO_STRUCT(nt_pwd); ZERO_STRUCT(key); -- cgit From e90b65284812aaa5ff9e9935ce9bbad7791cbbcd Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 15 Jul 2002 10:35:28 +0000 Subject: updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce) --- source3/auth/auth_util.c | 218 ++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 185 insertions(+), 33 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d80c927c19..3ade220c0f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -22,6 +22,9 @@ #include "includes.h" +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + extern fstring remote_machine; extern pstring global_myname; @@ -45,24 +48,6 @@ static int smb_create_user(const char *unix_user, const char *homedir) return ret; } -/**************************************************************************** - Delete a UNIX user on demand. -****************************************************************************/ - -int smb_delete_user(const char *unix_user) -{ - pstring del_script; - int ret; - - pstrcpy(del_script, lp_deluser_script()); - if (! *del_script) - return -1; - all_string_sub(del_script, "%u", unix_user, sizeof(pstring)); - ret = smbrun(del_script,NULL); - DEBUG(3,("smb_delete_user: Running the command `%s' gave %d\n",del_script,ret)); - return ret; -} - /**************************************************************************** Add and Delete UNIX users on demand, based on NTSTATUS codes. ****************************************************************************/ @@ -85,16 +70,6 @@ void smb_user_control(const auth_usersupplied_info *user_info, auth_serversuppli smb_create_user(user_info->internal_username.str, NULL); } } - } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { - /* - * User failed to validate ok against Domain controller. - * If the failure was "user doesn't exist" and admin - * wants us to try and delete that UNIX user on the fly, - * do so. - */ - if (lp_deluser_script()) { - smb_delete_user(user_info->internal_username.str); - } } } @@ -165,7 +140,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, return False; } - DEBUG(5,("makeing blobs for %s's user_info struct\n", internal_username)); + DEBUG(5,("making blobs for %s's user_info struct\n", internal_username)); (*user_info)->lm_resp = data_blob(lm_pwd.data, lm_pwd.length); (*user_info)->nt_resp = data_blob(nt_pwd.data, nt_pwd.length); @@ -485,7 +460,7 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info) Make a user_info struct ***************************************************************************/ -BOOL make_server_info(auth_serversupplied_info **server_info) +static BOOL make_server_info(auth_serversupplied_info **server_info) { *server_info = malloc(sizeof(**server_info)); if (!*server_info) { @@ -590,6 +565,183 @@ BOOL make_server_info_guest(auth_serversupplied_info **server_info) return False; } +/*************************************************************************** + Make a server_info struct from the info3 returned by a domain logon +***************************************************************************/ + +NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, + const char *internal_username, + const char *sent_nt_username, + const char *domain, + auth_serversupplied_info **server_info, + NET_USER_INFO_3 *info3) +{ + NTSTATUS nt_status = NT_STATUS_OK; + + const char *nt_domain; + const char *nt_username; + + SAM_ACCOUNT *sam_account = NULL; + DOM_SID user_sid; + DOM_SID group_sid; + + struct passwd *passwd; + + uid_t uid; + gid_t gid; + + /* + Here is where we should check the list of + trusted domains, and verify that the SID + matches. + */ + + sid_copy(&user_sid, &info3->dom_sid.sid); + if (!sid_append_rid(&user_sid, info3->user_rid)) { + return NT_STATUS_INVALID_PARAMETER; + } + + sid_copy(&group_sid, &info3->dom_sid.sid); + if (!sid_append_rid(&group_sid, info3->group_rid)) { + return NT_STATUS_INVALID_PARAMETER; + } + + if (!(nt_username = unistr2_tdup(mem_ctx, &(info3->uni_user_name)))) { + /* If the server didn't give us one, just use the one we sent them */ + nt_username = sent_nt_username; + } + + if (!(nt_domain = unistr2_tdup(mem_ctx, &(info3->uni_logon_dom)))) { + /* If the server didn't give us one, just use the one we sent them */ + domain = domain; + } + + if (winbind_sid_to_uid(&uid, &user_sid) + && winbind_sid_to_gid(&gid, &group_sid) + && ((passwd = getpwuid_alloc(uid)))) { + nt_status = pdb_init_sam_pw(&sam_account, passwd); + passwd_free(&passwd); + } else { + char *dom_user; + dom_user = talloc_asprintf(mem_ctx, "%s%s%s", + nt_domain, + lp_winbind_separator(), + internal_username); + + if (!dom_user) { + DEBUG(0, ("talloc_asprintf failed!\n")); + return NT_STATUS_NO_MEMORY; + } else { + + if (!(passwd = Get_Pwnam(dom_user)) + /* Only lookup local for the local + domain, we don't want this for + trusted domains */ + && strequal(nt_domain, lp_workgroup())) { + passwd = Get_Pwnam(internal_username); + } + + if (!passwd) { + return NT_STATUS_NO_SUCH_USER; + } else { + nt_status = pdb_init_sam_pw(&sam_account, passwd); + } + } + } + + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(0, ("make_server_info_info3: pdb_init_sam failed!\n")); + return nt_status; + } + + if (!pdb_set_user_sid(sam_account, &user_sid)) { + pdb_free_sam(&sam_account); + return NT_STATUS_UNSUCCESSFUL; + } + + if (!pdb_set_group_sid(sam_account, &group_sid)) { + pdb_free_sam(&sam_account); + return NT_STATUS_UNSUCCESSFUL; + } + + if (!pdb_set_nt_username(sam_account, nt_username)) { + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_domain(sam_account, nt_domain)) { + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_fullname(sam_account, pdb_unistr2_convert(&(info3->uni_full_name)))) { + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_logon_script(sam_account, pdb_unistr2_convert(&(info3->uni_logon_script)), True)) { + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_profile_path(sam_account, pdb_unistr2_convert(&(info3->uni_profile_path)), True)) { + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_homedir(sam_account, pdb_unistr2_convert(&(info3->uni_home_dir)), True)) { + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_dir_drive(sam_account, pdb_unistr2_convert(&(info3->uni_dir_drive)), True)) { + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + if (!make_server_info_sam(server_info, sam_account)) { + DEBUG(0, ("make_server_info_info3: make_server_info_sam failed!\n")); + pdb_free_sam(&sam_account); + return NT_STATUS_NO_MEMORY; + } + + /* Store the user group information in the server_info + returned to the caller. */ + + if (info3->num_groups2 != 0) { + int i; + NT_USER_TOKEN *ptok; + auth_serversupplied_info *pserver_info = *server_info; + + if ((pserver_info->ptok = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) { + DEBUG(0, ("domain_client_validate: out of memory allocating rid group membership\n")); + nt_status = NT_STATUS_NO_MEMORY; + free_server_info(server_info); + return nt_status; + } + + ptok = pserver_info->ptok; + ptok->num_sids = (size_t)info3->num_groups2; + + if ((ptok->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptok->num_sids )) == NULL) { + DEBUG(0, ("domain_client_validate: Out of memory allocating group SIDS\n")); + nt_status = NT_STATUS_NO_MEMORY; + free_server_info(server_info); + return nt_status; + } + + for (i = 0; i < ptok->num_sids; i++) { + sid_copy(&ptok->user_sids[i], &(info3->dom_sid.sid)); + if (!sid_append_rid(&ptok->user_sids[i], info3->gids[i].g_rid)) { + nt_status = NT_STATUS_INVALID_PARAMETER; + free_server_info(server_info); + return nt_status; + } + } + } + return NT_STATUS_OK; +} + /*************************************************************************** Make an auth_methods struct ***************************************************************************/ @@ -621,9 +773,9 @@ BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_me void delete_nt_token(NT_USER_TOKEN **pptoken) { if (*pptoken) { - NT_USER_TOKEN *ptoken = *pptoken; - SAFE_FREE( ptoken->user_sids ); - ZERO_STRUCTP(ptoken); + NT_USER_TOKEN *ptoken = *pptoken; + SAFE_FREE( ptoken->user_sids ); + ZERO_STRUCTP(ptoken); } SAFE_FREE(*pptoken); } -- cgit From b2edf254eda92f775e7d3d9b6793b4d77f9000b6 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 17 Aug 2002 17:00:51 +0000 Subject: sync 3.0 branch with head (This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290) --- source3/auth/auth_util.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 3ade220c0f..f914d91871 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -25,7 +25,6 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -extern fstring remote_machine; extern pstring global_myname; /**************************************************************************** @@ -394,7 +393,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, ret = make_user_info_map(user_info, smb_name, client_domain, - remote_machine, + get_remote_machine_name(), local_lm_blob, local_nt_blob, plaintext_password, @@ -429,7 +428,7 @@ BOOL make_user_info_for_reply_enc(auth_usersupplied_info **user_info, return make_user_info_map(user_info, smb_name, client_domain, - remote_machine, + get_remote_machine_name(), lm_resp, nt_resp, no_plaintext_blob, -- cgit From a834a73e341059be154426390304a42e4a011f72 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 25 Sep 2002 15:19:00 +0000 Subject: sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139) --- source3/auth/auth_util.c | 647 ++++++++++++++++++++++++++++++++++++----------- 1 file changed, 502 insertions(+), 145 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index f914d91871..ce5fd32337 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -4,6 +4,7 @@ Copyright (C) Andrew Tridgell 1992-1998 Copyright (C) Andrew Bartlett 2001 Copyright (C) Jeremy Allison 2000-2001 + Copyright (C) Rafal Szczesniak 2002 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -26,6 +27,11 @@ #define DBGC_CLASS DBGC_AUTH extern pstring global_myname; +extern DOM_SID global_sid_World; +extern DOM_SID global_sid_Network; +extern DOM_SID global_sid_Builtin_Guests; +extern DOM_SID global_sid_Authenticated_Users; + /**************************************************************************** Create a UNIX user on demand. @@ -51,7 +57,7 @@ static int smb_create_user(const char *unix_user, const char *homedir) Add and Delete UNIX users on demand, based on NTSTATUS codes. ****************************************************************************/ -void smb_user_control(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info, NTSTATUS nt_status) +void smb_user_control(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info, NTSTATUS nt_status) { struct passwd *pwd=NULL; @@ -76,15 +82,15 @@ void smb_user_control(const auth_usersupplied_info *user_info, auth_serversuppli Create an auth_usersupplied_data structure ****************************************************************************/ -static BOOL make_user_info(auth_usersupplied_info **user_info, - const char *smb_name, - const char *internal_username, - const char *client_domain, - const char *domain, - const char *wksta_name, - DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, - DATA_BLOB plaintext, - uint32 auth_flags, BOOL encrypted) +static NTSTATUS make_user_info(auth_usersupplied_info **user_info, + const char *smb_name, + const char *internal_username, + const char *client_domain, + const char *domain, + const char *wksta_name, + DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, + DATA_BLOB plaintext, + uint32 auth_flags, BOOL encrypted) { DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name)); @@ -92,7 +98,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, *user_info = malloc(sizeof(**user_info)); if (!user_info) { DEBUG(0,("malloc failed for user_info (size %d)\n", sizeof(*user_info))); - return False; + return NT_STATUS_NO_MEMORY; } ZERO_STRUCTP(*user_info); @@ -104,7 +110,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, (*user_info)->smb_name.len = strlen(smb_name); } else { free_user_info(user_info); - return False; + return NT_STATUS_NO_MEMORY; } (*user_info)->internal_username.str = strdup(internal_username); @@ -112,7 +118,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, (*user_info)->internal_username.len = strlen(internal_username); } else { free_user_info(user_info); - return False; + return NT_STATUS_NO_MEMORY; } (*user_info)->domain.str = strdup(domain); @@ -120,7 +126,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, (*user_info)->domain.len = strlen(domain); } else { free_user_info(user_info); - return False; + return NT_STATUS_NO_MEMORY; } (*user_info)->client_domain.str = strdup(client_domain); @@ -128,7 +134,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, (*user_info)->client_domain.len = strlen(client_domain); } else { free_user_info(user_info); - return False; + return NT_STATUS_NO_MEMORY; } (*user_info)->wksta_name.str = strdup(wksta_name); @@ -136,7 +142,7 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, (*user_info)->wksta_name.len = strlen(wksta_name); } else { free_user_info(user_info); - return False; + return NT_STATUS_NO_MEMORY; } DEBUG(5,("making blobs for %s's user_info struct\n", internal_username)); @@ -150,26 +156,26 @@ static BOOL make_user_info(auth_usersupplied_info **user_info, DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name)); - return True; + return NT_STATUS_OK; } /**************************************************************************** Create an auth_usersupplied_data structure after appropriate mapping. ****************************************************************************/ -BOOL make_user_info_map(auth_usersupplied_info **user_info, - const char *smb_name, - const char *client_domain, - const char *wksta_name, - DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, - DATA_BLOB plaintext, - uint32 ntlmssp_flags, BOOL encrypted) +NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, + const char *smb_name, + const char *client_domain, + const char *wksta_name, + DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, + DATA_BLOB plaintext, + uint32 ntlmssp_flags, BOOL encrypted) { const char *domain; fstring internal_username; fstrcpy(internal_username, smb_name); map_username(internal_username); - + DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n", client_domain, smb_name, wksta_name)); @@ -198,7 +204,7 @@ BOOL make_user_info_map(auth_usersupplied_info **user_info, client_domain, lp_winbind_separator(), smb_name) < 0) { DEBUG(0, ("make_user_info_map: asprintf() failed!\n")); - return False; + return NT_STATUS_NO_MEMORY; } DEBUG(5, ("make_user_info_map: testing for user %s\n", user)); @@ -240,6 +246,7 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, const uchar *nt_network_pwd, int nt_pwd_len) { BOOL ret; + NTSTATUS nt_status; DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len); DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); DATA_BLOB plaintext_blob = data_blob(NULL, 0); @@ -253,12 +260,14 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, auth_flags |= AUTH_FLAG_NTLMv2_RESP; } - ret = make_user_info_map(user_info, - smb_name, client_domain, - wksta_name, - lm_blob, nt_blob, - plaintext_blob, - auth_flags, True); + nt_status = make_user_info_map(user_info, + smb_name, client_domain, + wksta_name, + lm_blob, nt_blob, + plaintext_blob, + auth_flags, True); + + ret = NT_STATUS_IS_OK(nt_status) ? True : False; data_blob_free(&lm_blob); data_blob_free(&nt_blob); @@ -324,6 +333,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, { BOOL ret; + NTSTATUS nt_status; DATA_BLOB local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response)); DATA_BLOB local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response)); DATA_BLOB plaintext_blob = data_blob(NULL, 0); @@ -333,14 +343,15 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, if (nt_interactive_pwd) auth_flags |= AUTH_FLAG_NTLM_RESP; - ret = make_user_info_map(user_info, - smb_name, client_domain, - wksta_name, - local_lm_blob, - local_nt_blob, - plaintext_blob, - auth_flags, True); + nt_status = make_user_info_map(user_info, + smb_name, client_domain, + wksta_name, + local_lm_blob, + local_nt_blob, + plaintext_blob, + auth_flags, True); + ret = NT_STATUS_IS_OK(nt_status) ? True : False; data_blob_free(&local_lm_blob); data_blob_free(&local_nt_blob); return ret; @@ -361,7 +372,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, DATA_BLOB local_lm_blob; DATA_BLOB local_nt_blob; - BOOL ret = False; + NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; uint32 auth_flags = AUTH_FLAG_NONE; /* @@ -392,25 +403,25 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, } ret = make_user_info_map(user_info, smb_name, - client_domain, - get_remote_machine_name(), - local_lm_blob, - local_nt_blob, - plaintext_password, - auth_flags, False); + client_domain, + get_remote_machine_name(), + local_lm_blob, + local_nt_blob, + plaintext_password, + auth_flags, False); data_blob_free(&local_lm_blob); - return ret; + return NT_STATUS_IS_OK(ret) ? True : False; } /**************************************************************************** Create an auth_usersupplied_data structure ****************************************************************************/ -BOOL make_user_info_for_reply_enc(auth_usersupplied_info **user_info, - const char *smb_name, - const char *client_domain, - DATA_BLOB lm_resp, DATA_BLOB nt_resp) +NTSTATUS make_user_info_for_reply_enc(auth_usersupplied_info **user_info, + const char *smb_name, + const char *client_domain, + DATA_BLOB lm_resp, DATA_BLOB nt_resp) { uint32 auth_flags = AUTH_FLAG_NONE; @@ -445,47 +456,338 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info) DATA_BLOB nt_blob = data_blob(NULL, 0); DATA_BLOB plaintext_blob = data_blob(NULL, 0); uint32 auth_flags = AUTH_FLAG_NONE; + NTSTATUS nt_status; - return make_user_info(user_info, + nt_status = make_user_info(user_info, "","", "","", "", nt_blob, lm_blob, plaintext_blob, auth_flags, True); + + return NT_STATUS_IS_OK(nt_status) ? True : False; +} + +/**************************************************************************** + prints a NT_USER_TOKEN to debug output. +****************************************************************************/ + +void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) +{ + fstring sid_str; + int i; + + if (!token) { + DEBUGC(dbg_class, dbg_lev, ("NT user token: (NULL)\n")); + return; + } + + DEBUGC(dbg_class, dbg_lev, ("NT user token of user %s\n", + sid_to_string(sid_str, &token->user_sids[0]) )); + DEBUGADDC(dbg_class, dbg_lev, ("contains %i SIDs\n", token->num_sids)); + for (i = 0; i < token->num_sids; i++) + DEBUGADDC(dbg_class, dbg_lev, ("SID[%3i]: %s\n", i, + sid_to_string(sid_str, &token->user_sids[i]))); +} + +/**************************************************************************** + prints a UNIX 'token' to debug output. +****************************************************************************/ + +void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid, int n_groups, gid_t *groups) +{ + int i; + DEBUGC(dbg_class, dbg_lev, ("UNIX token of user %ld\n", (long int)uid)); + + DEBUGADDC(dbg_class, dbg_lev, ("Primary group is %ld and contains %i supplementary groups\n", (long int)gid, n_groups)); + for (i = 0; i < n_groups; i++) + DEBUGADDC(dbg_class, dbg_lev, ("Group[%3i]: %ld\n", i, + (long int)groups[i])); +} + +/**************************************************************************** + Create the SID list for this user. +****************************************************************************/ + +static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *group_sid, + int n_groupSIDs, DOM_SID *groupSIDs, + BOOL is_guest, NT_USER_TOKEN **token) +{ + NTSTATUS nt_status = NT_STATUS_OK; + NT_USER_TOKEN *ptoken; + int i; + int sid_ndx; + + if ((ptoken = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) { + DEBUG(0, ("create_nt_token: Out of memory allocating token\n")); + nt_status = NT_STATUS_NO_MEMORY; + return nt_status; + } + + ZERO_STRUCTP(ptoken); + + ptoken->num_sids = n_groupSIDs + 5; + + if ((ptoken->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptoken->num_sids )) == NULL) { + DEBUG(0, ("create_nt_token: Out of memory allocating SIDs\n")); + nt_status = NT_STATUS_NO_MEMORY; + return nt_status; + } + + memset((char*)ptoken->user_sids,0,sizeof(DOM_SID) * ptoken->num_sids); + + /* + * Note - user SID *MUST* be first in token ! + * se_access_check depends on this. + * + * Primary group SID is second in token. Convention. + */ + + sid_copy(&ptoken->user_sids[PRIMARY_USER_SID_INDEX], user_sid); + if (group_sid) + sid_copy(&ptoken->user_sids[PRIMARY_GROUP_SID_INDEX], group_sid); + + /* + * Finally add the "standard" SIDs. + * The only difference between guest and "anonymous" (which we + * don't really support) is the addition of Authenticated_Users. + */ + + sid_copy(&ptoken->user_sids[2], &global_sid_World); + sid_copy(&ptoken->user_sids[3], &global_sid_Network); + + if (is_guest) + sid_copy(&ptoken->user_sids[4], &global_sid_Builtin_Guests); + else + sid_copy(&ptoken->user_sids[4], &global_sid_Authenticated_Users); + + sid_ndx = 5; /* next available spot */ + + for (i = 0; i < n_groupSIDs; i++) { + int check_sid_idx; + for (check_sid_idx = 1; check_sid_idx < ptoken->num_sids; check_sid_idx++) { + if (sid_equal(&ptoken->user_sids[check_sid_idx], + &groupSIDs[i])) { + break; + } + } + + if (check_sid_idx >= ptoken->num_sids) /* Not found already */ { + sid_copy(&ptoken->user_sids[sid_ndx++], &groupSIDs[i]); + } else { + ptoken->num_sids--; + } + } + + debug_nt_user_token(DBGC_AUTH, 10, ptoken); + + *token = ptoken; + + return nt_status; +} + +/**************************************************************************** + Create the SID list for this user. +****************************************************************************/ + +NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, BOOL is_guest) +{ + DOM_SID user_sid; + DOM_SID group_sid; + DOM_SID *group_sids; + NT_USER_TOKEN *token; + int i; + + if (!uid_to_sid(&user_sid, uid)) { + return NULL; + } + if (!gid_to_sid(&group_sid, gid)) { + return NULL; + } + + group_sids = malloc(sizeof(DOM_SID) * ngroups); + if (!group_sids) { + DEBUG(0, ("create_nt_token: malloc() failed for DOM_SID list!\n")); + return NULL; + } + + for (i = 0; i < ngroups; i++) { + if (!gid_to_sid(&(group_sids)[i], (groups)[i])) { + DEBUG(1, ("create_nt_token: failed to convert gid %ld to a sid!\n", (long int)groups[i])); + SAFE_FREE(group_sids); + return NULL; + } + } + + if (!NT_STATUS_IS_OK(create_nt_user_token(&user_sid, &group_sid, + ngroups, group_sids, is_guest, &token))) { + SAFE_FREE(group_sids); + return NULL; + } + + SAFE_FREE(group_sids); + + return token; +} + +/****************************************************************************** + * this function returns the groups (SIDs) of the local SAM the user is in. + * If this samba server is a DC of the domain the user belongs to, it returns + * both domain groups and local / builtin groups. If the user is in a trusted + * domain, or samba is a member server of a domain, then this function returns + * local and builtin groups the user is a member of. + * + * currently this is a hack, as there is no sam implementation that is capable + * of groups. + ******************************************************************************/ + +static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, + int *n_groups, DOM_SID **groups, gid_t **unix_groups) +{ + uid_t uid; + enum SID_NAME_USE snu; + fstring str; + int n_unix_groups; + int i; + struct passwd *usr; + + *n_groups = 0; + *groups = NULL; + + if (!sid_to_uid(user_sid, &uid, &snu)) { + DEBUG(2, ("get_user_groups_from_local_sam: Failed to convert user SID %s to a uid!\n", + sid_to_string(str, user_sid))); + /* This might be a non-unix account */ + return NT_STATUS_OK; + } + + /* + * This is _essential_ to prevent occasional segfaults when + * winbind can't find uid -> username mapping + */ + if (!(usr = getpwuid_alloc(uid))) { + DEBUG(0, ("Couldn't find passdb structure for UID = %d ! Aborting.\n", uid)); + return NT_STATUS_NO_SUCH_USER; + }; + + n_unix_groups = groups_max(); + if ((*unix_groups = malloc( sizeof(gid_t) * groups_max() ) ) == NULL) { + DEBUG(0, ("get_user_groups_from_local_sam: Out of memory allocating unix group list\n")); + passwd_free(&usr); + return NT_STATUS_NO_MEMORY; + } + + if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { + *unix_groups = Realloc(unix_groups, sizeof(gid_t) * n_unix_groups); + if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { + DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n")); + SAFE_FREE(unix_groups); + passwd_free(&usr); + return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */ + } + } + + debug_unix_user_token(DBGC_CLASS, 5, usr->pw_uid, usr->pw_gid, n_unix_groups, *unix_groups); + + passwd_free(&usr); + + if (n_unix_groups > 0) { + *groups = malloc(sizeof(DOM_SID) * n_unix_groups); + if (!*groups) { + DEBUG(0, ("get_user_group_from_local_sam: malloc() failed for DOM_SID list!\n")); + SAFE_FREE(unix_groups); + return NT_STATUS_NO_MEMORY; + } + } + + *n_groups = n_unix_groups; + + for (i = 0; i < *n_groups; i++) { + if (!gid_to_sid(&(*groups)[i], (*unix_groups)[i])) { + DEBUG(1, ("get_user_groups_from_local_sam: failed to convert gid %ld to a sid!\n", (long int)unix_groups[i+1])); + SAFE_FREE(groups); + SAFE_FREE(unix_groups); + return NT_STATUS_NO_SUCH_USER; + } + } + + return NT_STATUS_OK; } /*************************************************************************** Make a user_info struct ***************************************************************************/ -static BOOL make_server_info(auth_serversupplied_info **server_info) +static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass) { *server_info = malloc(sizeof(**server_info)); if (!*server_info) { DEBUG(0,("make_server_info: malloc failed!\n")); - return False; + return NT_STATUS_NO_MEMORY; } ZERO_STRUCTP(*server_info); - return True; + + (*server_info)->sam_fill_level = SAM_FILL_ALL; + (*server_info)->sam_account = sampass; + + return NT_STATUS_OK; } /*************************************************************************** Make (and fill) a user_info struct from a SAM_ACCOUNT ***************************************************************************/ -BOOL make_server_info_sam(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass) +NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, + SAM_ACCOUNT *sampass) { - if (!make_server_info(server_info)) { - return False; + NTSTATUS nt_status = NT_STATUS_OK; + const DOM_SID *user_sid = pdb_get_user_sid(sampass); + const DOM_SID *group_sid = pdb_get_group_sid(sampass); + int n_groupSIDs = 0; + DOM_SID *groupSIDs = NULL; + gid_t *unix_groups = NULL; + NT_USER_TOKEN *token; + BOOL is_guest; + uint32 rid; + + if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info, sampass))) { + return nt_status; } + + if (!NT_STATUS_IS_OK(nt_status + = get_user_groups_from_local_sam(pdb_get_user_sid(sampass), + &n_groupSIDs, &groupSIDs, &unix_groups))) + { + DEBUG(4,("get_user_groups_from_local_sam failed\n")); + free_server_info(server_info); + return nt_status; + } + + is_guest = (sid_peek_rid(user_sid, &rid) && rid == DOMAIN_USER_RID_GUEST); - (*server_info)->sam_fill_level = SAM_FILL_ALL; - (*server_info)->sam_account = sampass; + if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token(user_sid, group_sid, + n_groupSIDs, groupSIDs, is_guest, + &token))) + { + DEBUG(4,("create_nt_user_token failed\n")); + SAFE_FREE(groupSIDs); + SAFE_FREE(unix_groups); + free_server_info(server_info); + return nt_status; + } + + SAFE_FREE(groupSIDs); + (*server_info)->n_groups = n_groupSIDs; + (*server_info)->groups = unix_groups; + + (*server_info)->ptok = token; + DEBUG(5,("make_server_info_sam: made server info for user %s\n", pdb_get_username((*server_info)->sam_account))); - return True; + + return nt_status; } /*************************************************************************** @@ -493,75 +795,42 @@ BOOL make_server_info_sam(auth_serversupplied_info **server_info, SAM_ACCOUNT *s to a SAM_ACCOUNT ***************************************************************************/ -BOOL make_server_info_pw(auth_serversupplied_info **server_info, const struct passwd *pwd) +NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, const struct passwd *pwd) { + NTSTATUS nt_status; SAM_ACCOUNT *sampass = NULL; - if (!NT_STATUS_IS_OK(pdb_init_sam_pw(&sampass, pwd))) { - return False; + if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sampass, pwd))) { + return nt_status; } return make_server_info_sam(server_info, sampass); } /*************************************************************************** - Free a user_info struct + Make (and fill) a user_info struct for a guest login. ***************************************************************************/ -void free_user_info(auth_usersupplied_info **user_info) +NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) { - DEBUG(5,("attempting to free (and zero) a user_info structure\n")); - if (*user_info != NULL) { - if ((*user_info)->smb_name.str) { - DEBUG(10,("structure was created for %s\n", (*user_info)->smb_name.str)); - } - SAFE_FREE((*user_info)->smb_name.str); - SAFE_FREE((*user_info)->internal_username.str); - SAFE_FREE((*user_info)->client_domain.str); - SAFE_FREE((*user_info)->domain.str); - SAFE_FREE((*user_info)->wksta_name.str); - data_blob_free(&(*user_info)->lm_resp); - data_blob_free(&(*user_info)->nt_resp); - SAFE_FREE((*user_info)->interactive_password); - data_blob_clear_free(&(*user_info)->plaintext_password); - ZERO_STRUCT(**user_info); + NTSTATUS nt_status; + SAM_ACCOUNT *sampass = NULL; + DOM_SID guest_sid; + + if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sampass))) { + return nt_status; } - SAFE_FREE(*user_info); -} -/*************************************************************************** - Clear out a server_info struct that has been allocated -***************************************************************************/ + sid_copy(&guest_sid, get_global_sam_sid()); + sid_append_rid(&guest_sid, DOMAIN_USER_RID_GUEST); -void free_server_info(auth_serversupplied_info **server_info) -{ - if (*server_info != NULL) { - pdb_free_sam(&(*server_info)->sam_account); - - /* call pam_end here, unless we know we are keeping it */ - delete_nt_token( &(*server_info)->ptok ); - ZERO_STRUCT(**server_info); + if (!pdb_getsampwsid(sampass, &guest_sid)) { + return NT_STATUS_NO_SUCH_USER; } - SAFE_FREE(*server_info); -} -/*************************************************************************** - Make a server_info struct for a guest user -***************************************************************************/ + nt_status = make_server_info_sam(server_info, sampass); -BOOL make_server_info_guest(auth_serversupplied_info **server_info) -{ - struct passwd *pass = getpwnam_alloc(lp_guestaccount()); - - if (pass) { - if (!make_server_info_pw(server_info, pass)) { - passwd_free(&pass); - return False; - } - (*server_info)->guest = True; - passwd_free(&pass); - return True; - } - DEBUG(0,("make_server_info_guest: getpwnam_alloc() failed on guest account!\n")); - return False; + (*server_info)->guest = True; + + return nt_status; } /*************************************************************************** @@ -589,6 +858,15 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, uid_t uid; gid_t gid; + int n_lgroupSIDs; + DOM_SID *lgroupSIDs = NULL; + + gid_t *unix_groups = NULL; + NT_USER_TOKEN *token; + + DOM_SID *all_group_SIDs; + int i; + /* Here is where we should check the list of trusted domains, and verify that the SID @@ -698,49 +976,128 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - if (!make_server_info_sam(server_info, sam_account)) { - DEBUG(0, ("make_server_info_info3: make_server_info_sam failed!\n")); + if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info, sam_account))) { + DEBUG(4, ("make_server_info failed!\n")); pdb_free_sam(&sam_account); - return NT_STATUS_NO_MEMORY; + return nt_status; } /* Store the user group information in the server_info returned to the caller. */ - if (info3->num_groups2 != 0) { - int i; - NT_USER_TOKEN *ptok; - auth_serversupplied_info *pserver_info = *server_info; - - if ((pserver_info->ptok = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) { - DEBUG(0, ("domain_client_validate: out of memory allocating rid group membership\n")); - nt_status = NT_STATUS_NO_MEMORY; - free_server_info(server_info); - return nt_status; - } - - ptok = pserver_info->ptok; - ptok->num_sids = (size_t)info3->num_groups2; - - if ((ptok->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptok->num_sids )) == NULL) { - DEBUG(0, ("domain_client_validate: Out of memory allocating group SIDS\n")); - nt_status = NT_STATUS_NO_MEMORY; - free_server_info(server_info); + if (!NT_STATUS_IS_OK(nt_status + = get_user_groups_from_local_sam(&user_sid, + &n_lgroupSIDs, + &lgroupSIDs, + &unix_groups))) + { + DEBUG(4,("get_user_groups_from_local_sam failed\n")); + return nt_status; + } + + (*server_info)->groups = unix_groups; + (*server_info)->n_groups = n_lgroupSIDs; + + /* Create a 'combined' list of all SIDs we might want in the SD */ + all_group_SIDs = malloc(sizeof(DOM_SID) * + (n_lgroupSIDs + info3->num_groups2 + + info3->num_other_sids)); + if (!all_group_SIDs) { + DEBUG(0, ("create_nt_token_info3: malloc() failed for DOM_SID list!\n")); + SAFE_FREE(lgroupSIDs); + return NT_STATUS_NO_MEMORY; + } + + /* Copy the 'local' sids */ + memcpy(all_group_SIDs, lgroupSIDs, sizeof(DOM_SID) * n_lgroupSIDs); + SAFE_FREE(lgroupSIDs); + + /* and create (by appending rids) the 'domain' sids */ + for (i = 0; i < info3->num_groups2; i++) { + sid_copy(&all_group_SIDs[i+n_lgroupSIDs], &(info3->dom_sid.sid)); + if (!sid_append_rid(&all_group_SIDs[i+n_lgroupSIDs], info3->gids[i].g_rid)) { + nt_status = NT_STATUS_INVALID_PARAMETER; + DEBUG(3,("create_nt_token_info3: could not append additional group rid 0x%x\n", + info3->gids[i].g_rid)); + SAFE_FREE(lgroupSIDs); return nt_status; } - - for (i = 0; i < ptok->num_sids; i++) { - sid_copy(&ptok->user_sids[i], &(info3->dom_sid.sid)); - if (!sid_append_rid(&ptok->user_sids[i], info3->gids[i].g_rid)) { - nt_status = NT_STATUS_INVALID_PARAMETER; - free_server_info(server_info); - return nt_status; - } - } } + + /* Copy 'other' sids. We need to do sid filtering here to + prevent possible elevation of privileges. See: + + http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp + */ + + for (i = 0; i < info3->num_other_sids; i++) + sid_copy(&all_group_SIDs[ + n_lgroupSIDs + info3->num_groups2 + i], + &info3->other_sids[i].sid); + + /* Where are the 'global' sids... */ + + /* can the user be guest? if yes, where is it stored? */ + if (!NT_STATUS_IS_OK( + nt_status = create_nt_user_token( + &user_sid, &group_sid, + n_lgroupSIDs + info3->num_groups2 + info3->num_other_sids, + all_group_SIDs, False, &token))) { + DEBUG(4,("create_nt_user_token failed\n")); + SAFE_FREE(all_group_SIDs); + return nt_status; + } + + (*server_info)->ptok = token; + + SAFE_FREE(all_group_SIDs); + return NT_STATUS_OK; } +/*************************************************************************** + Free a user_info struct +***************************************************************************/ + +void free_user_info(auth_usersupplied_info **user_info) +{ + DEBUG(5,("attempting to free (and zero) a user_info structure\n")); + if (*user_info != NULL) { + if ((*user_info)->smb_name.str) { + DEBUG(10,("structure was created for %s\n", (*user_info)->smb_name.str)); + } + SAFE_FREE((*user_info)->smb_name.str); + SAFE_FREE((*user_info)->internal_username.str); + SAFE_FREE((*user_info)->client_domain.str); + SAFE_FREE((*user_info)->domain.str); + SAFE_FREE((*user_info)->wksta_name.str); + data_blob_free(&(*user_info)->lm_resp); + data_blob_free(&(*user_info)->nt_resp); + SAFE_FREE((*user_info)->interactive_password); + data_blob_clear_free(&(*user_info)->plaintext_password); + ZERO_STRUCT(**user_info); + } + SAFE_FREE(*user_info); +} + +/*************************************************************************** + Clear out a server_info struct that has been allocated +***************************************************************************/ + +void free_server_info(auth_serversupplied_info **server_info) +{ + DEBUG(5,("attempting to free (and zero) a server_info structure\n")); + if (*server_info != NULL) { + pdb_free_sam(&(*server_info)->sam_account); + + /* call pam_end here, unless we know we are keeping it */ + delete_nt_token( &(*server_info)->ptok ); + SAFE_FREE((*server_info)->groups); + ZERO_STRUCT(**server_info); + } + SAFE_FREE(*server_info); +} + /*************************************************************************** Make an auth_methods struct ***************************************************************************/ -- cgit From 6d7195d1d79c43f5ccc8dc4a9215c02177d5fa89 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 2 Nov 2002 03:47:48 +0000 Subject: Merge passdb from HEAD -> 3.0 The work here includes: - metze' set/changed patch, which avoids making changes to ldap on unmodified attributes. - volker's group mapping in passdb patch - volker's samsync stuff - volkers SAMR changes. - mezte's connection caching patch - my recent changes (fix magic root check, ldap ssl) Andrew Bartlett (This used to be commit 2044d60bbe0043cdbb9aba931115672bde975d2f) --- source3/auth/auth_util.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index ce5fd32337..b14344ef50 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -931,47 +931,47 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return nt_status; } - if (!pdb_set_user_sid(sam_account, &user_sid)) { + if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_UNSUCCESSFUL; } - if (!pdb_set_group_sid(sam_account, &group_sid)) { + if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_UNSUCCESSFUL; } - if (!pdb_set_nt_username(sam_account, nt_username)) { + if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_domain(sam_account, nt_domain)) { + if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_fullname(sam_account, pdb_unistr2_convert(&(info3->uni_full_name)))) { + if (!pdb_set_fullname(sam_account, pdb_unistr2_convert(&(info3->uni_full_name)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_logon_script(sam_account, pdb_unistr2_convert(&(info3->uni_logon_script)), True)) { + if (!pdb_set_logon_script(sam_account, pdb_unistr2_convert(&(info3->uni_logon_script)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_profile_path(sam_account, pdb_unistr2_convert(&(info3->uni_profile_path)), True)) { + if (!pdb_set_profile_path(sam_account, pdb_unistr2_convert(&(info3->uni_profile_path)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_homedir(sam_account, pdb_unistr2_convert(&(info3->uni_home_dir)), True)) { + if (!pdb_set_homedir(sam_account, pdb_unistr2_convert(&(info3->uni_home_dir)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_dir_drive(sam_account, pdb_unistr2_convert(&(info3->uni_dir_drive)), True)) { + if (!pdb_set_dir_drive(sam_account, pdb_unistr2_convert(&(info3->uni_dir_drive)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } -- cgit From 2f194322d419350f35a48dff750066894d68eccf Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 12 Nov 2002 23:20:50 +0000 Subject: Removed global_myworkgroup, global_myname, global_myscope. Added liberal dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89) --- source3/auth/auth_util.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index b14344ef50..98b15f3fb6 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -26,7 +26,6 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -extern pstring global_myname; extern DOM_SID global_sid_World; extern DOM_SID global_sid_Network; extern DOM_SID global_sid_Builtin_Guests; -- cgit From c64d762997c80bd9ad2d47d1799cf9ec870d455a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 15 Nov 2002 21:43:57 +0000 Subject: Updates from HEAD: - const for PACKS() in lanman.c - change auth to 'account before password' - add help to net rpc {vampire,samsync} - configure updates for sun workshop cc - become_root() around pdb_ calls in auth_util for guest login. Andrew Bartlett (This used to be commit 43e90eb6e331d478013a9c038292f245edc51bd0) --- source3/auth/auth_util.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 98b15f3fb6..5696b8f2dc 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -821,9 +821,12 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) sid_copy(&guest_sid, get_global_sam_sid()); sid_append_rid(&guest_sid, DOMAIN_USER_RID_GUEST); + become_root(); if (!pdb_getsampwsid(sampass, &guest_sid)) { + unbecome_root(); return NT_STATUS_NO_SUCH_USER; } + unbecome_root(); nt_status = make_server_info_sam(server_info, sampass); -- cgit From 302bffc08f4e0ff48dedd35c0580b143ab52671f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 4 Jan 2003 08:57:51 +0000 Subject: Merge from HEAD - we already have one function for converting a unistr2 to a static 'unix' string, so we don't need a second pdb specific version. Andrew Bartlett (This used to be commit 91ca4771c6b834747b06fff21822a14e929de2c1) --- source3/auth/auth_util.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5696b8f2dc..dd3f55539f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -953,27 +953,27 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - if (!pdb_set_fullname(sam_account, pdb_unistr2_convert(&(info3->uni_full_name)), PDB_CHANGED)) { + if (!pdb_set_fullname(sam_account, unistr2_static(&(info3->uni_full_name)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_logon_script(sam_account, pdb_unistr2_convert(&(info3->uni_logon_script)), PDB_CHANGED)) { + if (!pdb_set_logon_script(sam_account, unistr2_static(&(info3->uni_logon_script)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_profile_path(sam_account, pdb_unistr2_convert(&(info3->uni_profile_path)), PDB_CHANGED)) { + if (!pdb_set_profile_path(sam_account, unistr2_static(&(info3->uni_profile_path)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_homedir(sam_account, pdb_unistr2_convert(&(info3->uni_home_dir)), PDB_CHANGED)) { + if (!pdb_set_homedir(sam_account, unistr2_static(&(info3->uni_home_dir)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_dir_drive(sam_account, pdb_unistr2_convert(&(info3->uni_dir_drive)), PDB_CHANGED)) { + if (!pdb_set_dir_drive(sam_account, unistr2_static(&(info3->uni_dir_drive)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } -- cgit From 2467a2f0ce1a99f933773f295c8146c5cd3e66c0 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 13 Jan 2003 23:07:26 +0000 Subject: Merge of indirection fixes from HEAD. Jeremy (This used to be commit 67a0b30f50aa323185cbcf3a9d39804239222480) --- source3/auth/auth_util.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index dd3f55539f..0a27e6176d 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -681,7 +681,7 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, *unix_groups = Realloc(unix_groups, sizeof(gid_t) * n_unix_groups); if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n")); - SAFE_FREE(unix_groups); + SAFE_FREE(*unix_groups); passwd_free(&usr); return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */ } @@ -695,7 +695,7 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, *groups = malloc(sizeof(DOM_SID) * n_unix_groups); if (!*groups) { DEBUG(0, ("get_user_group_from_local_sam: malloc() failed for DOM_SID list!\n")); - SAFE_FREE(unix_groups); + SAFE_FREE(*unix_groups); return NT_STATUS_NO_MEMORY; } } @@ -704,9 +704,9 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, for (i = 0; i < *n_groups; i++) { if (!gid_to_sid(&(*groups)[i], (*unix_groups)[i])) { - DEBUG(1, ("get_user_groups_from_local_sam: failed to convert gid %ld to a sid!\n", (long int)unix_groups[i+1])); - SAFE_FREE(groups); - SAFE_FREE(unix_groups); + DEBUG(1, ("get_user_groups_from_local_sam: failed to convert gid %ld to a sid!\n", (long int)(*unix_groups)[i+1])); + SAFE_FREE(*groups); + SAFE_FREE(*unix_groups); return NT_STATUS_NO_SUCH_USER; } } -- cgit From 212077afa275b7111e2a28798affa9689dede2ba Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 14 Jan 2003 07:26:12 +0000 Subject: Merge indirection, signed/unsigned and uninitialiased-value fixes from HEAD. Andrew Bartlett (This used to be commit 2a1adb8f81d8966e8919fffb9b4c69f3e6acd44f) --- source3/auth/auth_util.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 0a27e6176d..5fdfd0694a 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -475,7 +475,7 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info) void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) { fstring sid_str; - int i; + size_t i; if (!token) { DEBUGC(dbg_class, dbg_lev, ("NT user token: (NULL)\n")); @@ -564,7 +564,7 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro sid_ndx = 5; /* next available spot */ for (i = 0; i < n_groupSIDs; i++) { - int check_sid_idx; + size_t check_sid_idx; for (check_sid_idx = 1; check_sid_idx < ptoken->num_sids; check_sid_idx++) { if (sid_equal(&ptoken->user_sids[check_sid_idx], &groupSIDs[i])) { @@ -678,7 +678,7 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, } if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { - *unix_groups = Realloc(unix_groups, sizeof(gid_t) * n_unix_groups); + *unix_groups = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups); if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n")); SAFE_FREE(*unix_groups); @@ -867,7 +867,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, NT_USER_TOKEN *token; DOM_SID *all_group_SIDs; - int i; + size_t i; /* Here is where we should check the list of -- cgit From 8a20407442efa0f9fe43e1b1c61140a0771c6ff8 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 10 Feb 2003 11:47:21 +0000 Subject: Cleanups: (merge from HEAD) - use safe_strcpy() instead of pstrcpy() for malloc()ed strings - CUPS: a failure in an attempt to automaticly add a printer is not level 0 stuff. - Fix up a possible Realloc() failure segfault Andrew Bartlett (This used to be commit c1cfc296c2efdb2b5972202146e80f0e3b6a3da4) --- source3/auth/auth_util.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5fdfd0694a..bbe0c7cf43 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -671,14 +671,22 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, }; n_unix_groups = groups_max(); - if ((*unix_groups = malloc( sizeof(gid_t) * groups_max() ) ) == NULL) { + if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) { DEBUG(0, ("get_user_groups_from_local_sam: Out of memory allocating unix group list\n")); passwd_free(&usr); return NT_STATUS_NO_MEMORY; } if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { - *unix_groups = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups); + gid_t *groups_tmp; + groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups); + if (!groups_tmp) { + SAFE_FREE(*unix_groups); + passwd_free(&usr); + return NT_STATUS_NO_MEMORY; + } + *unix_groups = groups_tmp; + if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n")); SAFE_FREE(*unix_groups); -- cgit From e72ecdc862804339912325fe848401e8ec57cde7 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 24 Feb 2003 02:35:54 +0000 Subject: Merge of server-side authentication changes to 3.0: - user_ok() and user_in_group() now take a list of groups, instead of looking for the user in the members of all groups. - The 'server_info' returned from the authentication is now kept around - in future we won't copy the sesion key, username etc, we will just referece them directly. - rhosts upgraded to use the SAM if possible, otherwise fake up based on getpwnam(). - auth_util code to deal with groups upgraded to deal with non-winbind domain members again. Andrew Bartlett (This used to be commit 74b5436c75114170ce7c780c19226103d0df9060) --- source3/auth/auth_util.c | 73 +++++++++++++++++++++++++++++++----------------- 1 file changed, 47 insertions(+), 26 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index bbe0c7cf43..7d85153bd0 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -77,6 +77,36 @@ void smb_user_control(const auth_usersupplied_info *user_info, auth_serversuppli } } +/**************************************************************************** + Create a SAM_ACCOUNT - either by looking in the pdb, or by faking it up from + unix info. +****************************************************************************/ + +NTSTATUS auth_get_sam_account(const char *user, SAM_ACCOUNT **account) +{ + BOOL pdb_ret; + NTSTATUS nt_status; + if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(account))) { + return nt_status; + } + + become_root(); + pdb_ret = pdb_getsampwnam(*account, user); + unbecome_root(); + + if (!pdb_ret) { + + struct passwd *pass = Get_Pwnam(user); + if (!pass) + return NT_STATUS_NO_SUCH_USER; + + if (!NT_STATUS_IS_OK(nt_status = pdb_fill_sam_pw(*account, pass))) { + return nt_status; + } + } + return NT_STATUS_OK; +} + /**************************************************************************** Create an auth_usersupplied_data structure ****************************************************************************/ @@ -641,34 +671,25 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, * of groups. ******************************************************************************/ -static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, +static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, int *n_groups, DOM_SID **groups, gid_t **unix_groups) { uid_t uid; - enum SID_NAME_USE snu; - fstring str; + gid_t gid; int n_unix_groups; int i; struct passwd *usr; - + *n_groups = 0; *groups = NULL; - - if (!sid_to_uid(user_sid, &uid, &snu)) { - DEBUG(2, ("get_user_groups_from_local_sam: Failed to convert user SID %s to a uid!\n", - sid_to_string(str, user_sid))); - /* This might be a non-unix account */ - return NT_STATUS_OK; - } - /* - * This is _essential_ to prevent occasional segfaults when - * winbind can't find uid -> username mapping - */ - if (!(usr = getpwuid_alloc(uid))) { - DEBUG(0, ("Couldn't find passdb structure for UID = %d ! Aborting.\n", uid)); + if (!IS_SAM_UNIX_USER(sampass)) { + DEBUG(1, ("user %s does not have a unix identity!\n", pdb_get_username(sampass))); return NT_STATUS_NO_SUCH_USER; - }; + } + + uid = pdb_get_uid(sampass); + gid = pdb_get_gid(sampass); n_unix_groups = groups_max(); if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) { @@ -677,7 +698,7 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, return NT_STATUS_NO_MEMORY; } - if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { + if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) { gid_t *groups_tmp; groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups); if (!groups_tmp) { @@ -687,7 +708,7 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, } *unix_groups = groups_tmp; - if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) { + if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) { DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n")); SAFE_FREE(*unix_groups); passwd_free(&usr); @@ -695,9 +716,7 @@ static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid, } } - debug_unix_user_token(DBGC_CLASS, 5, usr->pw_uid, usr->pw_gid, n_unix_groups, *unix_groups); - - passwd_free(&usr); + debug_unix_user_token(DBGC_CLASS, 5, uid, gid, n_unix_groups, *unix_groups); if (n_unix_groups > 0) { *groups = malloc(sizeof(DOM_SID) * n_unix_groups); @@ -763,7 +782,7 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, } if (!NT_STATUS_IS_OK(nt_status - = get_user_groups_from_local_sam(pdb_get_user_sid(sampass), + = get_user_groups_from_local_sam(sampass, &n_groupSIDs, &groupSIDs, &unix_groups))) { DEBUG(4,("get_user_groups_from_local_sam failed\n")); @@ -838,7 +857,9 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) nt_status = make_server_info_sam(server_info, sampass); - (*server_info)->guest = True; + if (NT_STATUS_IS_OK(nt_status)) { + (*server_info)->guest = True; + } return nt_status; } @@ -996,7 +1017,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, returned to the caller. */ if (!NT_STATUS_IS_OK(nt_status - = get_user_groups_from_local_sam(&user_sid, + = get_user_groups_from_local_sam(sam_account, &n_lgroupSIDs, &lgroupSIDs, &unix_groups))) -- cgit From 53beee9e5675a59c67d9ecfbaec50dca4ac01750 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 24 Mar 2003 09:54:13 +0000 Subject: (merge from HEAD) NTLM Authentication: - Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664) --- source3/auth/auth_util.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7d85153bd0..d0f1fc1e34 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1083,6 +1083,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, SAFE_FREE(all_group_SIDs); + memcpy((*server_info)->session_key, info3->user_sess_key, sizeof((*server_info)->session_key)/* 16 */); + memcpy((*server_info)->first_8_lm_hash, info3->padding, 8); + return NT_STATUS_OK; } -- cgit From 59e0836b7f4221fd002abab083f71f04dffe7648 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 24 Apr 2003 11:56:09 +0000 Subject: Merge auth changes from HEAD: - better error codes than NT_STATUS_UNSUCCESSFUL for domain logon errors - make auth_winbind load the ntdomain module if winbind isn't there. - use new trusted domains cache to determine if the domain is valid. Andrew Bartlett (This used to be commit ec8d6524c6b0c70927a2b57aab71d9e3a7f8a150) --- source3/auth/auth_util.c | 31 +++++++------------------------ 1 file changed, 7 insertions(+), 24 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d0f1fc1e34..a3ca0b226f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -219,35 +219,18 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, where it doens't supply a domain for logon script 'net use' commands. - The way I do it here is by checking if the fully - qualified username exists. This is rather reliant - on winbind, but until we have a better method this - will have to do + Finally, we do this by looking up a cache of trusted domains! */ domain = client_domain; - if ((smb_name) && (*smb_name)) { /* Don't do this for guests */ - char *user = NULL; - if (asprintf(&user, "%s%s%s", - client_domain, lp_winbind_separator(), - smb_name) < 0) { - DEBUG(0, ("make_user_info_map: asprintf() failed!\n")); - return NT_STATUS_NO_MEMORY; - } - - DEBUG(5, ("make_user_info_map: testing for user %s\n", user)); - - if (Get_Pwnam(user) == NULL) { - DEBUG(5, ("make_user_info_map: test for user %s failed\n", user)); - domain = lp_workgroup(); - DEBUG(5, ("make_user_info_map: trusted domain %s doesn't appear to exist, using %s\n", - client_domain, domain)); - } else { - DEBUG(5, ("make_user_info_map: using trusted domain %s\n", domain)); - } - SAFE_FREE(user); + if (is_trusted_domain(domain)) { + return make_user_info(user_info, smb_name, internal_username, + client_domain, domain, wksta_name, + lm_pwd, nt_pwd, plaintext, ntlmssp_flags, + encrypted); } + } else { domain = lp_workgroup(); } -- cgit From c823b191ab476fc2583d6d6aaa1e2edb09cbb88e Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 12 May 2003 18:12:31 +0000 Subject: And finally IDMAP in 3_0 We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d) --- source3/auth/auth_util.c | 43 ++++++++++++++++++++++--------------------- 1 file changed, 22 insertions(+), 21 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index a3ca0b226f..e8f2af41f3 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -611,21 +611,21 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, NT_USER_TOKEN *token; int i; - if (!uid_to_sid(&user_sid, uid)) { + if (NT_STATUS_IS_ERR(uid_to_sid(&user_sid, uid))) { return NULL; } - if (!gid_to_sid(&group_sid, gid)) { + if (NT_STATUS_IS_ERR(gid_to_sid(&group_sid, gid))) { return NULL; } - group_sids = malloc(sizeof(DOM_SID) * ngroups); + group_sids = malloc(sizeof(DOM_SID) * ngroups); if (!group_sids) { DEBUG(0, ("create_nt_token: malloc() failed for DOM_SID list!\n")); return NULL; } for (i = 0; i < ngroups; i++) { - if (!gid_to_sid(&(group_sids)[i], (groups)[i])) { + if (NT_STATUS_IS_ERR(gid_to_sid(&(group_sids)[i], (groups)[i]))) { DEBUG(1, ("create_nt_token: failed to convert gid %ld to a sid!\n", (long int)groups[i])); SAFE_FREE(group_sids); return NULL; @@ -648,7 +648,7 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, * If this samba server is a DC of the domain the user belongs to, it returns * both domain groups and local / builtin groups. If the user is in a trusted * domain, or samba is a member server of a domain, then this function returns - * local and builtin groups the user is a member of. + * local and builtin groups the user is a member of. * * currently this is a hack, as there is no sam implementation that is capable * of groups. @@ -661,23 +661,18 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, gid_t gid; int n_unix_groups; int i; - struct passwd *usr; *n_groups = 0; *groups = NULL; - if (!IS_SAM_UNIX_USER(sampass)) { - DEBUG(1, ("user %s does not have a unix identity!\n", pdb_get_username(sampass))); - return NT_STATUS_NO_SUCH_USER; + if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sampass), &uid)) || NT_STATUS_IS_ERR(sid_to_gid(pdb_get_group_sid(sampass), &gid))) { + DEBUG(0, ("get_user_groups_from_local_sam: error fetching uid or gid for user!\n")); + return NT_STATUS_UNSUCCESSFUL; } - - uid = pdb_get_uid(sampass); - gid = pdb_get_gid(sampass); n_unix_groups = groups_max(); if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) { DEBUG(0, ("get_user_groups_from_local_sam: Out of memory allocating unix group list\n")); - passwd_free(&usr); return NT_STATUS_NO_MEMORY; } @@ -686,7 +681,6 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups); if (!groups_tmp) { SAFE_FREE(*unix_groups); - passwd_free(&usr); return NT_STATUS_NO_MEMORY; } *unix_groups = groups_tmp; @@ -694,7 +688,6 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) { DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n")); SAFE_FREE(*unix_groups); - passwd_free(&usr); return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */ } } @@ -713,7 +706,7 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, *n_groups = n_unix_groups; for (i = 0; i < *n_groups; i++) { - if (!gid_to_sid(&(*groups)[i], (*unix_groups)[i])) { + if (NT_STATUS_IS_ERR(gid_to_sid(&(*groups)[i], (*unix_groups)[i]))) { DEBUG(1, ("get_user_groups_from_local_sam: failed to convert gid %ld to a sid!\n", (long int)(*unix_groups)[i+1])); SAFE_FREE(*groups); SAFE_FREE(*unix_groups); @@ -730,6 +723,8 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass) { + NTSTATUS ret; + *server_info = malloc(sizeof(**server_info)); if (!*server_info) { DEBUG(0,("make_server_info: malloc failed!\n")); @@ -739,6 +734,10 @@ static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACC (*server_info)->sam_fill_level = SAM_FILL_ALL; (*server_info)->sam_account = sampass; + if (NT_STATUS_IS_ERR(ret = sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid)))) + return ret; + if (NT_STATUS_IS_ERR(ret = sid_to_gid(pdb_get_group_sid(sampass), &((*server_info)->gid)))) + return ret; return NT_STATUS_OK; } @@ -869,8 +868,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, struct passwd *passwd; - uid_t uid; - gid_t gid; + unid_t u_id, g_id; + int u_type, g_type; int n_lgroupSIDs; DOM_SID *lgroupSIDs = NULL; @@ -907,9 +906,11 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, domain = domain; } - if (winbind_sid_to_uid(&uid, &user_sid) - && winbind_sid_to_gid(&gid, &group_sid) - && ((passwd = getpwuid_alloc(uid)))) { + u_type = ID_USERID; + g_type = ID_GROUPID; + if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&u_id, &u_type, &user_sid)) + && NT_STATUS_IS_OK(idmap_get_id_from_sid(&g_id, &g_type, &group_sid)) + && ((passwd = getpwuid_alloc(u_id.uid)))) { nt_status = pdb_init_sam_pw(&sam_account, passwd); passwd_free(&passwd); } else { -- cgit From 6ace723c44f61c1166b90666ca6f5b2546ced46b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 25 May 2003 23:56:41 +0000 Subject: Get 'add user script' working again for Samba 3.0. I'm still not convinced that sharing the option name with the administrative code is the best idea, but anyway... Tested by vl, bug #41. Andrew Bartlett (This used to be commit 9d78f064c5e4e6b340f994204977aaac6513320b) --- source3/auth/auth_util.c | 82 +++++++++++++++++++++++++----------------------- 1 file changed, 43 insertions(+), 39 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index e8f2af41f3..d57619942c 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -36,7 +36,7 @@ extern DOM_SID global_sid_Authenticated_Users; Create a UNIX user on demand. ****************************************************************************/ -static int smb_create_user(const char *unix_user, const char *homedir) +static int smb_create_user(const char *domain, const char *unix_username, const char *homedir) { pstring add_script; int ret; @@ -44,7 +44,9 @@ static int smb_create_user(const char *unix_user, const char *homedir) pstrcpy(add_script, lp_adduser_script()); if (! *add_script) return -1; - all_string_sub(add_script, "%u", unix_user, sizeof(pstring)); + all_string_sub(add_script, "%u", unix_username, sizeof(pstring)); + if (domain) + all_string_sub(add_script, "%D", domain, sizeof(pstring)); if (homedir) all_string_sub(add_script, "%H", homedir, sizeof(pstring)); ret = smbrun(add_script,NULL); @@ -56,24 +58,18 @@ static int smb_create_user(const char *unix_user, const char *homedir) Add and Delete UNIX users on demand, based on NTSTATUS codes. ****************************************************************************/ -void smb_user_control(const auth_usersupplied_info *user_info, auth_serversupplied_info *server_info, NTSTATUS nt_status) +void auth_add_user_script(const char *domain, const char *username) { struct passwd *pwd=NULL; - if (NT_STATUS_IS_OK(nt_status)) { - - if (!(server_info->sam_fill_level & SAM_FILL_UNIX)) { - - /* - * User validated ok against Domain controller. - * If the admin wants us to try and create a UNIX - * user on the fly, do so. - */ - - if(lp_adduser_script() && !(pwd = Get_Pwnam(user_info->internal_username.str))) { - smb_create_user(user_info->internal_username.str, NULL); - } - } + /* + * User validated ok against Domain controller. + * If the admin wants us to try and create a UNIX + * user on the fly, do so. + */ + + if(lp_adduser_script() && !(pwd = Get_Pwnam(username))) { + smb_create_user(domain, username, NULL); } } @@ -914,30 +910,38 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, nt_status = pdb_init_sam_pw(&sam_account, passwd); passwd_free(&passwd); } else { - char *dom_user; - dom_user = talloc_asprintf(mem_ctx, "%s%s%s", - nt_domain, - lp_winbind_separator(), - internal_username); - - if (!dom_user) { - DEBUG(0, ("talloc_asprintf failed!\n")); - return NT_STATUS_NO_MEMORY; - } else { - - if (!(passwd = Get_Pwnam(dom_user)) - /* Only lookup local for the local - domain, we don't want this for - trusted domains */ - && strequal(nt_domain, lp_workgroup())) { - passwd = Get_Pwnam(internal_username); + int try = 0; + while (try < 2) { + char *dom_user; + dom_user = talloc_asprintf(mem_ctx, "%s%s%s", + nt_domain, + lp_winbind_separator(), + internal_username); + + if (!dom_user) { + DEBUG(0, ("talloc_asprintf failed!\n")); + nt_status = NT_STATUS_NO_MEMORY; + } else { + + if (!(passwd = Get_Pwnam(dom_user)) + /* Only lookup local for the local + domain, we don't want this for + trusted domains */ + && strequal(nt_domain, lp_workgroup())) { + passwd = Get_Pwnam(internal_username); + } + + if (!passwd) { + nt_status = NT_STATUS_NO_SUCH_USER; + } else { + nt_status = pdb_init_sam_pw(&sam_account, passwd); + break; + } } - - if (!passwd) { - return NT_STATUS_NO_SUCH_USER; - } else { - nt_status = pdb_init_sam_pw(&sam_account, passwd); + if (try == 0) { + auth_add_user_script(nt_domain, internal_username); } + try++; } } -- cgit From a7e1bbbd06a4a7c2cd6ff4fed8bdc8455b9a75d6 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 11 Jun 2003 16:36:04 +0000 Subject: Fix 'security = domain' without winbind. This stores the sid we got from the PDC as a mapping to the uid we got from getpwnam in the local idmap. This should not be worse than the current state, so I decided to commit it. It is different from abartlet's preliminary patch, but I believe this is the better solution. Feel free to comment and/or revert it. Volker (This used to be commit 0c16965e6f49a2c0d73b1392e9f8cfc7449e2e59) --- source3/auth/auth_util.c | 92 +++++++++++++++++++++++++++++++----------------- 1 file changed, 60 insertions(+), 32 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d57619942c..ed3ebdbabc 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -842,6 +842,52 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) return nt_status; } +static NTSTATUS fill_sam_account(const char *domain, + const char *username, + const DOM_SID *user_sid, + const DOM_SID *group_sid, + SAM_ACCOUNT **sam_account) +{ + fstring dom_user; + struct passwd *passwd; + NTSTATUS result; + unid_t id; + + fstr_sprintf(dom_user, "%s%s%s", + domain, lp_winbind_separator(), username); + + passwd = Get_Pwnam(dom_user); + + if ( (passwd == NULL) && is_myworkgroup(domain) ) { + /* For our own domain also try unqualified */ + passwd = Get_Pwnam(username); + } + + if (passwd == NULL) + return NT_STATUS_NO_SUCH_USER; + + result = pdb_init_sam_pw(sam_account, passwd); + + if (!NT_STATUS_IS_OK(result)) + return result; + + id.uid = passwd->pw_uid; + result = idmap_set_mapping(user_sid, id, ID_USERID); + if (!NT_STATUS_IS_OK(result)) + return result; + + /* This is currently broken. We have two different sources of + information for the primary group: The info3 and + /etc/passwd. To make this work at all, the info3 sid is + mapped to the user's primary group from /etc/passwd. + This is broken, but it basically works. */ + + id.gid = passwd->pw_gid; + result = idmap_set_mapping(group_sid, id, ID_GROUPID); + + return result; +} + /*************************************************************************** Make a server_info struct from the info3 returned by a domain logon ***************************************************************************/ @@ -910,38 +956,20 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, nt_status = pdb_init_sam_pw(&sam_account, passwd); passwd_free(&passwd); } else { - int try = 0; - while (try < 2) { - char *dom_user; - dom_user = talloc_asprintf(mem_ctx, "%s%s%s", - nt_domain, - lp_winbind_separator(), - internal_username); - - if (!dom_user) { - DEBUG(0, ("talloc_asprintf failed!\n")); - nt_status = NT_STATUS_NO_MEMORY; - } else { - - if (!(passwd = Get_Pwnam(dom_user)) - /* Only lookup local for the local - domain, we don't want this for - trusted domains */ - && strequal(nt_domain, lp_workgroup())) { - passwd = Get_Pwnam(internal_username); - } - - if (!passwd) { - nt_status = NT_STATUS_NO_SUCH_USER; - } else { - nt_status = pdb_init_sam_pw(&sam_account, passwd); - break; - } - } - if (try == 0) { - auth_add_user_script(nt_domain, internal_username); - } - try++; + + nt_status = fill_sam_account(nt_domain, + internal_username, + &user_sid, &group_sid, + &sam_account); + + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { + DEBUG(3,("User %s does not exist, trying to add it\n", + internal_username)); + auth_add_user_script(nt_domain, internal_username); + nt_status = fill_sam_account(nt_domain, + internal_username, + &user_sid, &group_sid, + &sam_account); } } -- cgit From 0d8307fac322601a867cebeeb36428aadda59a07 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 12 Jun 2003 07:21:26 +0000 Subject: Andrew is right, this is probably the wrong approach. Take away the automatic mapping of users and groups again. Volker (This used to be commit 74510369d48545e813ac07e52814840803dd6ba2) --- source3/auth/auth_util.c | 31 +++++-------------------------- 1 file changed, 5 insertions(+), 26 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index ed3ebdbabc..8e5fc44291 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -842,16 +842,16 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) return nt_status; } +/*************************************************************************** + Purely internal function for make_server_info_info3 + Fill the sam account from getpwnam +***************************************************************************/ static NTSTATUS fill_sam_account(const char *domain, const char *username, - const DOM_SID *user_sid, - const DOM_SID *group_sid, SAM_ACCOUNT **sam_account) { fstring dom_user; struct passwd *passwd; - NTSTATUS result; - unid_t id; fstr_sprintf(dom_user, "%s%s%s", domain, lp_winbind_separator(), username); @@ -866,26 +866,7 @@ static NTSTATUS fill_sam_account(const char *domain, if (passwd == NULL) return NT_STATUS_NO_SUCH_USER; - result = pdb_init_sam_pw(sam_account, passwd); - - if (!NT_STATUS_IS_OK(result)) - return result; - - id.uid = passwd->pw_uid; - result = idmap_set_mapping(user_sid, id, ID_USERID); - if (!NT_STATUS_IS_OK(result)) - return result; - - /* This is currently broken. We have two different sources of - information for the primary group: The info3 and - /etc/passwd. To make this work at all, the info3 sid is - mapped to the user's primary group from /etc/passwd. - This is broken, but it basically works. */ - - id.gid = passwd->pw_gid; - result = idmap_set_mapping(group_sid, id, ID_GROUPID); - - return result; + return pdb_init_sam_pw(sam_account, passwd); } /*************************************************************************** @@ -959,7 +940,6 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, nt_status = fill_sam_account(nt_domain, internal_username, - &user_sid, &group_sid, &sam_account); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { @@ -968,7 +948,6 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, auth_add_user_script(nt_domain, internal_username); nt_status = fill_sam_account(nt_domain, internal_username, - &user_sid, &group_sid, &sam_account); } } -- cgit From 2cd38cd8e8f0a6f2b81adbd5c4b9146335781377 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 12 Jun 2003 08:22:55 +0000 Subject: Fix some misleading debug messages. (This used to be commit 9c003ae4ff21040b55264f8b4c34bd5956c97dc6) --- source3/auth/auth_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 8e5fc44291..789193c610 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1029,7 +1029,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, (n_lgroupSIDs + info3->num_groups2 + info3->num_other_sids)); if (!all_group_SIDs) { - DEBUG(0, ("create_nt_token_info3: malloc() failed for DOM_SID list!\n")); + DEBUG(0, ("malloc() failed for DOM_SID list!\n")); SAFE_FREE(lgroupSIDs); return NT_STATUS_NO_MEMORY; } @@ -1043,7 +1043,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, sid_copy(&all_group_SIDs[i+n_lgroupSIDs], &(info3->dom_sid.sid)); if (!sid_append_rid(&all_group_SIDs[i+n_lgroupSIDs], info3->gids[i].g_rid)) { nt_status = NT_STATUS_INVALID_PARAMETER; - DEBUG(3,("create_nt_token_info3: could not append additional group rid 0x%x\n", + DEBUG(3,("could not append additional group rid 0x%x\n", info3->gids[i].g_rid)); SAFE_FREE(lgroupSIDs); return nt_status; -- cgit From 511789b8555213d2f3d1b96c5434d2d0ebfd666f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 12 Jun 2003 14:24:15 +0000 Subject: Andrew's change to make 'security = domain' work again. Leave the user and group that has been authenticated unmapped. We need to make sure that every caller of idmap handles failure gracefully. Volker (This used to be commit 902d607b668b2e997778a0ca676ea689943c2817) --- source3/auth/auth_util.c | 126 +++++++++++++++++++++++++++++++++-------------- 1 file changed, 88 insertions(+), 38 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 789193c610..f7b46465f7 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -650,29 +650,22 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, * of groups. ******************************************************************************/ -static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, +static NTSTATUS get_user_groups_from_local_sam(const char *username, uid_t uid, gid_t gid, int *n_groups, DOM_SID **groups, gid_t **unix_groups) { - uid_t uid; - gid_t gid; int n_unix_groups; int i; *n_groups = 0; *groups = NULL; - if (NT_STATUS_IS_ERR(sid_to_uid(pdb_get_user_sid(sampass), &uid)) || NT_STATUS_IS_ERR(sid_to_gid(pdb_get_group_sid(sampass), &gid))) { - DEBUG(0, ("get_user_groups_from_local_sam: error fetching uid or gid for user!\n")); - return NT_STATUS_UNSUCCESSFUL; - } - n_unix_groups = groups_max(); if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) { DEBUG(0, ("get_user_groups_from_local_sam: Out of memory allocating unix group list\n")); return NT_STATUS_NO_MEMORY; } - if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) { + if (sys_getgrouplist(username, gid, *unix_groups, &n_unix_groups) == -1) { gid_t *groups_tmp; groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups); if (!groups_tmp) { @@ -681,7 +674,7 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, } *unix_groups = groups_tmp; - if (sys_getgrouplist(pdb_get_username(sampass), gid, *unix_groups, &n_unix_groups) == -1) { + if (sys_getgrouplist(username, gid, *unix_groups, &n_unix_groups) == -1) { DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n")); SAFE_FREE(*unix_groups); return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */ @@ -717,35 +710,26 @@ static NTSTATUS get_user_groups_from_local_sam(SAM_ACCOUNT *sampass, Make a user_info struct ***************************************************************************/ -static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass) +static NTSTATUS make_server_info(auth_serversupplied_info **server_info) { - NTSTATUS ret; - *server_info = malloc(sizeof(**server_info)); if (!*server_info) { DEBUG(0,("make_server_info: malloc failed!\n")); return NT_STATUS_NO_MEMORY; } ZERO_STRUCTP(*server_info); - - (*server_info)->sam_fill_level = SAM_FILL_ALL; - (*server_info)->sam_account = sampass; - if (NT_STATUS_IS_ERR(ret = sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid)))) - return ret; - if (NT_STATUS_IS_ERR(ret = sid_to_gid(pdb_get_group_sid(sampass), &((*server_info)->gid)))) - return ret; - return NT_STATUS_OK; } /*************************************************************************** - Make (and fill) a user_info struct from a SAM_ACCOUNT +Fill a server_info struct from a SAM_ACCOUNT with their groups ***************************************************************************/ -NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, - SAM_ACCOUNT *sampass) +static NTSTATUS add_user_groups(auth_serversupplied_info **server_info, + SAM_ACCOUNT *sampass, + uid_t uid, gid_t gid) { - NTSTATUS nt_status = NT_STATUS_OK; + NTSTATUS nt_status; const DOM_SID *user_sid = pdb_get_user_sid(sampass); const DOM_SID *group_sid = pdb_get_group_sid(sampass); int n_groupSIDs = 0; @@ -755,14 +739,11 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, BOOL is_guest; uint32 rid; - if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info, sampass))) { - return nt_status; - } - - if (!NT_STATUS_IS_OK(nt_status - = get_user_groups_from_local_sam(sampass, - &n_groupSIDs, &groupSIDs, &unix_groups))) - { + nt_status = get_user_groups_from_local_sam(pdb_get_username(sampass), + uid, gid, + &n_groupSIDs, &groupSIDs, + &unix_groups); + if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(4,("get_user_groups_from_local_sam failed\n")); free_server_info(server_info); return nt_status; @@ -785,9 +766,36 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, (*server_info)->n_groups = n_groupSIDs; (*server_info)->groups = unix_groups; - (*server_info)->ptok = token; - + + return nt_status; +} + +/*************************************************************************** + Make (and fill) a user_info struct from a SAM_ACCOUNT +***************************************************************************/ + +NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, + SAM_ACCOUNT *sampass) +{ + NTSTATUS nt_status; + + if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) + return nt_status; + + (*server_info)->sam_account = sampass; + + if (!NT_STATUS_IS_OK(nt_status = sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid)))) + return nt_status; + + if (!NT_STATUS_IS_OK(nt_status = sid_to_gid(pdb_get_group_sid(sampass), &((*server_info)->gid)))) + return nt_status; + + if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, sampass, + (*server_info)->uid, (*server_info)->gid))) + return nt_status; + + (*server_info)->sam_fill_level = SAM_FILL_ALL; DEBUG(5,("make_server_info_sam: made server info for user %s\n", pdb_get_username((*server_info)->sam_account))); @@ -806,7 +814,20 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, const struc if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sampass, pwd))) { return nt_status; } - return make_server_info_sam(server_info, sampass); + if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) { + return nt_status; + } + + (*server_info)->sam_account = sampass; + + if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, sampass, pwd->pw_uid, pwd->pw_gid))) { + return nt_status; + } + + (*server_info)->sam_fill_level = SAM_FILL_ALL; + (*server_info)->uid = pwd->pw_uid; + (*server_info)->gid = pwd->pw_gid; + return nt_status; } /*************************************************************************** @@ -848,6 +869,7 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) ***************************************************************************/ static NTSTATUS fill_sam_account(const char *domain, const char *username, + uid_t *uid, gid_t *gid, SAM_ACCOUNT **sam_account) { fstring dom_user; @@ -866,6 +888,9 @@ static NTSTATUS fill_sam_account(const char *domain, if (passwd == NULL) return NT_STATUS_NO_SUCH_USER; + *uid = passwd->pw_uid; + *gid = passwd->pw_gid; + return pdb_init_sam_pw(sam_account, passwd); } @@ -892,6 +917,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, struct passwd *passwd; unid_t u_id, g_id; + uid_t uid; + gid_t gid; int u_type, g_type; int n_lgroupSIDs; @@ -931,15 +958,27 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, u_type = ID_USERID; g_type = ID_GROUPID; + + /* we are trying to check that idmap isn't stuffing us over - does this + user actually exist? */ if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&u_id, &u_type, &user_sid)) && NT_STATUS_IS_OK(idmap_get_id_from_sid(&g_id, &g_type, &group_sid)) && ((passwd = getpwuid_alloc(u_id.uid)))) { + nt_status = pdb_init_sam_pw(&sam_account, passwd); + + uid = passwd->pw_uid; + gid = passwd->pw_gid; + + /* we should check this is the same name */ + passwd_free(&passwd); } else { + /* User not from winbind - try and find them by getpwnam() */ nt_status = fill_sam_account(nt_domain, internal_username, + &uid, &gid, &sam_account); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { @@ -948,6 +987,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, auth_add_user_script(nt_domain, internal_username); nt_status = fill_sam_account(nt_domain, internal_username, + &uid, &gid, &sam_account); } } @@ -1002,17 +1042,27 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info, sam_account))) { + /* now that we have a SAM_ACCOUNT that looks real, make a server_info + to wrap it in, and use pass it on down */ + + if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) { DEBUG(4, ("make_server_info failed!\n")); pdb_free_sam(&sam_account); return nt_status; } + /* Fill in the unix info we found on the way */ + + (*server_info)->sam_fill_level = SAM_FILL_ALL; + (*server_info)->uid = uid; + (*server_info)->gid = gid; + /* Store the user group information in the server_info returned to the caller. */ if (!NT_STATUS_IS_OK(nt_status - = get_user_groups_from_local_sam(sam_account, + = get_user_groups_from_local_sam(pdb_get_username(sam_account), + uid, gid, &n_lgroupSIDs, &lgroupSIDs, &unix_groups))) -- cgit From f5974dfaae680d98b78d600cd1f1aaece332a085 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sun, 22 Jun 2003 10:09:52 +0000 Subject: Found out a good number of NT_STATUS_IS_ERR used the wrong way. As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK This patch will cure the problem. Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is used correctly, but I'm not 100% sure, coders should check the use of NT_STATUS_IS_ERR() in samba is ok now. Simo. (This used to be commit c501e84d412563eb3f674f76038ec48c2b458687) --- source3/auth/auth_util.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index f7b46465f7..7d0f44f1d1 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -607,10 +607,10 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, NT_USER_TOKEN *token; int i; - if (NT_STATUS_IS_ERR(uid_to_sid(&user_sid, uid))) { + if (!NT_STATUS_IS_OK(uid_to_sid(&user_sid, uid))) { return NULL; } - if (NT_STATUS_IS_ERR(gid_to_sid(&group_sid, gid))) { + if (!NT_STATUS_IS_OK(gid_to_sid(&group_sid, gid))) { return NULL; } @@ -621,7 +621,7 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, } for (i = 0; i < ngroups; i++) { - if (NT_STATUS_IS_ERR(gid_to_sid(&(group_sids)[i], (groups)[i]))) { + if (!NT_STATUS_IS_OK(gid_to_sid(&(group_sids)[i], (groups)[i]))) { DEBUG(1, ("create_nt_token: failed to convert gid %ld to a sid!\n", (long int)groups[i])); SAFE_FREE(group_sids); return NULL; @@ -695,7 +695,7 @@ static NTSTATUS get_user_groups_from_local_sam(const char *username, uid_t uid, *n_groups = n_unix_groups; for (i = 0; i < *n_groups; i++) { - if (NT_STATUS_IS_ERR(gid_to_sid(&(*groups)[i], (*unix_groups)[i]))) { + if (!NT_STATUS_IS_OK(gid_to_sid(&(*groups)[i], (*unix_groups)[i]))) { DEBUG(1, ("get_user_groups_from_local_sam: failed to convert gid %ld to a sid!\n", (long int)(*unix_groups)[i+1])); SAFE_FREE(*groups); SAFE_FREE(*unix_groups); -- cgit From 8a6fc79ad8d9f1b6c4f604b173426bf821f98208 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sat, 28 Jun 2003 08:29:42 +0000 Subject: add check for NT_STATUS_NOT_IMPLEMENTED in auth check so that map to guest = bad user works again when "trustdomain" is listed as last auth method. Also clean up some more DC location calls. (This used to be commit 77a5b1032f39b8d20925721b719fdcfff910cb06) --- source3/auth/auth_util.c | 31 ++++++++++--------------------- 1 file changed, 10 insertions(+), 21 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7d0f44f1d1..fe4900f9f4 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -204,32 +204,22 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n", client_domain, smb_name, wksta_name)); - if (lp_allow_trusted_domains() && *client_domain) { - - /* the client could have given us a workstation name - or other crap for the workgroup - we really need a - way of telling if this domain name is one of our - trusted domain names - - Also don't allow "" as a domain, fixes a Win9X bug + /* don't allow "" as a domain, fixes a Win9X bug where it doens't supply a domain for logon script - 'net use' commands. - - Finally, we do this by looking up a cache of trusted domains! - */ + 'net use' commands.*/ + if ( *client_domain ) domain = client_domain; + else + domain = lp_workgroup(); - if (is_trusted_domain(domain)) { - return make_user_info(user_info, smb_name, internal_username, - client_domain, domain, wksta_name, - lm_pwd, nt_pwd, plaintext, ntlmssp_flags, - encrypted); - } + /* do what win2k does. Always map unknown domains to our own + and let the "passdb backend" handle unknown users */ - } else { + if ( !is_trusted_domain(domain) ) domain = lp_workgroup(); - } + + /* we know that it is a trusted domain (and we are allowing them) or it is our domain */ return make_user_info(user_info, smb_name, internal_username, @@ -238,7 +228,6 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, lm_pwd, nt_pwd, plaintext, ntlmssp_flags, encrypted); - } /**************************************************************************** -- cgit From b8723aaa65a2bd760d6d2d9c9409f7c39867484c Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sun, 29 Jun 2003 03:39:50 +0000 Subject: Here's the code to make winbindd work on a Samba DC to handle domain trusts. Jeremy and I talked about this and it's going in as working code. It keeps winbind clean and solves the trust problem with minimal changes. To summarize, there are 2 basic cases where the deadlock would occur. (1) lookuping up secondary groups for a user, and (2) get[gr|pw]nam() calls that fall through the NSS layer because they don't exist anywhere. o To handle case #1, we bypass winbindd in sys_getgrouplist() unless the username includes the 'winbind separator'. o Case #2 is handled by adding checks in winbindd to return failure if we are a DC and the domain matches our own. This code has been tested using basic share connections, domain logons, and with pam_winbind (both with and without 'winbind use default domain'). The 'trustdomain' auth module should work as well if an admin wants to manually create UNIX users for acounts in the trusted domains. Other misc fixes: * we need to fix check_ntlm_password() to be able to determine if an auth module is authoritative over a user (NT_STATUS_WRONG_PASSWORD, etc...). I worked around my specific situation, but this needs to be fixed. the winbindd auth module was causing delays. * fix named server mutex deadlock between trust domain auth module and winbindd looking up a uid * make sure SAM_ACCOUNT gets stored in the server_info struct for the _net_sam_logon() reply. Configuration details: The recommended method for supporting trusts is to use winbind. The gets us around some of the server mutex issues as well. * set 'files winbind' for passwd: and group: in /etc/nsswitch.conf * create domain trusts like normal * join winbind on the pdc to the Samba domain using 'net rpc join' * add normal parameters to smb.conf for winbind * set 'auth method = guest sam winbind' * start smbd, nmbd, & winbindd Problems that remain: * join a Windows 2k/XP box to a Samba domain. * create a 2-way trust between the Samba domain and an NT domain * logon to the windows client as a user from theh trusted domain * try to browse server in the trusted domain (or other workstations). an NT client seems to work ok, but 2k and XP either prompt for passwords or fail with errors. apparanently this never got tested since no one has ever been able to logon as a trusted user to a Samba domain from a Windows client. (This used to be commit f804b590f9dbf1f0147c06a0a2f12e221ae6fc3b) --- source3/auth/auth_util.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index fe4900f9f4..71fdb0050b 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1031,15 +1031,17 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - /* now that we have a SAM_ACCOUNT that looks real, make a server_info - to wrap it in, and use pass it on down */ - if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) { DEBUG(4, ("make_server_info failed!\n")); pdb_free_sam(&sam_account); return nt_status; } + /* save this here to _net_sam_logon() doesn't fail (it assumes a + valid SAM_ACCOUNT) */ + + (*server_info)->sam_account = sam_account; + /* Fill in the unix info we found on the way */ (*server_info)->sam_fill_level = SAM_FILL_ALL; -- cgit From f2659351017a8b2ec12548a3967cdf2767738e08 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 30 Jun 2003 17:24:59 +0000 Subject: * rename samstrict auth method to sam * rename original sam auth method to sam_ignoredomain * remove samstrict_dc auth method (now covered by 'sam') * fix wbinfo -a '...' and getent passwd bugs when running winbindd on a samba PDC (reported by Volker) (This used to be commit 52166faee793d337e045d64f7cb27ea7ac895f60) --- source3/auth/auth_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 71fdb0050b..1538fc50a1 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -216,8 +216,8 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, /* do what win2k does. Always map unknown domains to our own and let the "passdb backend" handle unknown users */ - if ( !is_trusted_domain(domain) ) - domain = lp_workgroup(); + if ( !is_trusted_domain(domain) ) + domain = get_global_sam_name(); /* we know that it is a trusted domain (and we are allowing them) or it is our domain */ -- cgit From e359dbcedb53b03df79140c30ecfdfdbcb904595 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 30 Jun 2003 20:45:14 +0000 Subject: * cleanup more DC name resolution issues in check_*domain_security() * is_trusted_domain() is broken without winbind. Still working on this. * get_global_sam_name() should return the workgroup name unless we are a standalone server (verified by volker) * Get_Pwnam() should always fall back to the username (minus domain name) even if it is not our workgroup so that TRUSTEDOMAIN\user can logon if 'user' exists in the local list of accounts (on domain members w/o winbind) Tested using Samba PDC with trusts (running winbindd) and a Samba 3.0 domain member not running winbindd. notes: make_user_info_map() is slightly broken now due to the fact that is_trusted_domain() only works with winbindd. disabled checks temporarily until I can sort this out. (This used to be commit e1d6094d066d4c16ab73075caba40a1ae6c56b1e) --- source3/auth/auth_util.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1538fc50a1..30510c1bfa 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -216,6 +216,9 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, /* do what win2k does. Always map unknown domains to our own and let the "passdb backend" handle unknown users */ + /* FIXME!!!! grr...this is a broken check currently since is_trusted_domain() + is useless without winbindd --jerry */ + if ( !is_trusted_domain(domain) ) domain = get_global_sam_name(); @@ -869,10 +872,12 @@ static NTSTATUS fill_sam_account(const char *domain, passwd = Get_Pwnam(dom_user); - if ( (passwd == NULL) && is_myworkgroup(domain) ) { - /* For our own domain also try unqualified */ + /* if the lookup for DOMAIN\username failed, try again + with just 'username'. This is need for accessing the server + as a trust user that actually maps to a local account */ + + if ( !passwd ) passwd = Get_Pwnam(username); - } if (passwd == NULL) return NT_STATUS_NO_SUCH_USER; -- cgit From db6ce132e360a42ea6843c81429be194662fce39 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 1 Jul 2003 03:49:41 +0000 Subject: * fix the trustdom_cache to work when winbindd is not running. smbd will update the trustdom_cache periodically after locking the timestamp key (This used to be commit 7bc4b65b91f98271089335cc301146d5f0c76c3a) --- source3/auth/auth_util.c | 3 --- 1 file changed, 3 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 30510c1bfa..5185f876c6 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -216,9 +216,6 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, /* do what win2k does. Always map unknown domains to our own and let the "passdb backend" handle unknown users */ - /* FIXME!!!! grr...this is a broken check currently since is_trusted_domain() - is useless without winbindd --jerry */ - if ( !is_trusted_domain(domain) ) domain = get_global_sam_name(); -- cgit From 0362868fa73bc339d40625ec0adade05fb80a9a7 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 1 Jul 2003 04:11:42 +0000 Subject: * revert change to get_global_sam_name() * add get_default_sam_name() to be used by make_user_info_map() * add comments describing get_*_sam_name() (This used to be commit 90470366ea4bdb8021a3453c4bbeb29f009668c1) --- source3/auth/auth_util.c | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5185f876c6..ab08a28ff6 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -214,20 +214,16 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, domain = lp_workgroup(); /* do what win2k does. Always map unknown domains to our own - and let the "passdb backend" handle unknown users */ + and let the "passdb backend" handle unknown users. */ if ( !is_trusted_domain(domain) ) - domain = get_global_sam_name(); + domain = get_default_sam_name(); /* we know that it is a trusted domain (and we are allowing them) or it is our domain */ - return make_user_info(user_info, - smb_name, internal_username, - client_domain, domain, - wksta_name, - lm_pwd, nt_pwd, - plaintext, - ntlmssp_flags, encrypted); + return make_user_info(user_info, smb_name, internal_username, + client_domain, domain, wksta_name, lm_pwd, nt_pwd, + plaintext, ntlmssp_flags, encrypted); } /**************************************************************************** -- cgit From 814968d41b04fd6a3e889039d227ed6abb429ae2 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 1 Jul 2003 17:51:52 +0000 Subject: * fixed volker's wbinfo -a lockup again. This one was my fault. It was caused by the winbind_ping() call in is_trusted_domain() o if we are a DC then we check our own direct trust relationships we have to rely on winbindd to update the truatdom_cache o if we are a domain member, then we can update the trustdom_cache ourselves if winbindd is not there (This used to be commit 22dfcafb37f7109dc455f4fb6323a25ba4f097bc) --- source3/auth/auth_util.c | 45 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index ab08a28ff6..4e25d7fd34 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1,4 +1,4 @@ -/* +/* Unix SMB/CIFS implementation. Authentication utility functions Copyright (C) Andrew Tridgell 1992-1998 @@ -1258,4 +1258,47 @@ NTSTATUS nt_status_squash(NTSTATUS nt_status) } +/** + * Verify whether or not given domain is trusted. + * + * @param domain_name name of the domain to be verified + * @return true if domain is one of the trusted once or + * false if otherwise + **/ + +BOOL is_trusted_domain(const char* dom_name) +{ + DOM_SID trustdom_sid; + char *pass = NULL; + time_t lct; + BOOL ret; + + /* if we are a DC, then check for a direct trust relationships */ + + if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC) { + become_root(); + ret = secrets_fetch_trusted_domain_password(dom_name, &pass, &trustdom_sid, &lct); + unbecome_root(); + SAFE_FREE(pass); + if (ret) + return True; + } + else { + /* if winbindd is not up and we are a domain member) then we need to update the + trustdom_cache ourselves */ + + if ( !winbind_ping() ) + update_trustdom_cache(); + } + + /* now the trustdom cache should be available a DC could still + * have a transitive trust so fall back to the cache of trusted + * domains (like a domain member would use */ + + if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) { + return True; + } + + return False; +} -- cgit From 61116049cabc292c2f2d570af4d68ddc537b91f5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 3 Jul 2003 14:36:42 +0000 Subject: This patch takes the work the jerry did for beta2, and generalises it: - The 'not implmented' checks are now done by all auth modules - the ntdomain/trustdomain/winbind modules are more presise as to what domain names they can and cannot handle - The become_root() calls are now around the winbind pipe opening only, not the entire auth call - The unix username is kept seperate from the NT username, removing the need for 'clean off the domain\' in parse_net.c - All sid->uid translations are now validated with getpwuid() to put a very basic stop to logins with 'half deleted' accounts. Andrew Bartlett (This used to be commit 85f88191b9927cc434645ef4c1eaf5ec0e8af2ec) --- source3/auth/auth_util.c | 79 ++++++++++++++++++++++++++++++++++++------------ 1 file changed, 60 insertions(+), 19 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 4e25d7fd34..ea46d27e9e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -764,6 +764,7 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass) { NTSTATUS nt_status; + struct passwd *pwd; if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) return nt_status; @@ -773,16 +774,35 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, if (!NT_STATUS_IS_OK(nt_status = sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid)))) return nt_status; - if (!NT_STATUS_IS_OK(nt_status = sid_to_gid(pdb_get_group_sid(sampass), &((*server_info)->gid)))) + if (!(pwd = getpwuid_alloc(((*server_info)->uid)))) { + fstring sid; + DEBUG(1, ("User %s in passdb (%s) maps to UID, but getpwuid(%u) fails!\n", + pdb_get_username(sampass), + sid_to_string(sid, pdb_get_user_sid(sampass)), + (unsigned)(*server_info)->uid)); + free_server_info(server_info); + return NT_STATUS_NO_SUCH_USER; + } + (*server_info)->unix_name = smb_xstrdup(pwd->pw_name); + passwd_free(&pwd); + + if (!NT_STATUS_IS_OK(nt_status = sid_to_gid(pdb_get_group_sid(sampass), + &((*server_info)->gid)))) { + free_server_info(server_info); return nt_status; + } if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, sampass, - (*server_info)->uid, (*server_info)->gid))) + (*server_info)->uid, + (*server_info)->gid))) { + free_server_info(server_info); return nt_status; + } (*server_info)->sam_fill_level = SAM_FILL_ALL; - DEBUG(5,("make_server_info_sam: made server info for user %s\n", - pdb_get_username((*server_info)->sam_account))); + DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n", + pdb_get_username(sampass), + (*server_info)->unix_name)); return nt_status; } @@ -809,6 +829,8 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, const struc return nt_status; } + (*server_info)->unix_name = smb_xstrdup(pwd->pw_name); + (*server_info)->sam_fill_level = SAM_FILL_ALL; (*server_info)->uid = pwd->pw_uid; (*server_info)->gid = pwd->pw_gid; @@ -852,8 +874,10 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) Purely internal function for make_server_info_info3 Fill the sam account from getpwnam ***************************************************************************/ -static NTSTATUS fill_sam_account(const char *domain, +static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, + const char *domain, const char *username, + char **found_username, uid_t *uid, gid_t *gid, SAM_ACCOUNT **sam_account) { @@ -878,6 +902,8 @@ static NTSTATUS fill_sam_account(const char *domain, *uid = passwd->pw_uid; *gid = passwd->pw_gid; + *found_username = talloc_strdup(mem_ctx, passwd->pw_name); + return pdb_init_sam_pw(sam_account, passwd); } @@ -893,7 +919,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, NET_USER_INFO_3 *info3) { NTSTATUS nt_status = NT_STATUS_OK; - + char *found_username; const char *nt_domain; const char *nt_username; @@ -958,13 +984,15 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, gid = passwd->pw_gid; /* we should check this is the same name */ - + found_username = talloc_strdup(mem_ctx, passwd->pw_name); + passwd_free(&passwd); } else { /* User not from winbind - try and find them by getpwnam() */ - nt_status = fill_sam_account(nt_domain, + nt_status = fill_sam_account(mem_ctx, nt_domain, internal_username, + &found_username, &uid, &gid, &sam_account); @@ -972,8 +1000,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, DEBUG(3,("User %s does not exist, trying to add it\n", internal_username)); auth_add_user_script(nt_domain, internal_username); - nt_status = fill_sam_account(nt_domain, + nt_status = fill_sam_account(mem_ctx, nt_domain, internal_username, + &found_username, &uid, &gid, &sam_account); } @@ -984,17 +1013,12 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return nt_status; } - if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) { + if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) { pdb_free_sam(&sam_account); - return NT_STATUS_UNSUCCESSFUL; + return NT_STATUS_NO_MEMORY; } - if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) { - pdb_free_sam(&sam_account); - return NT_STATUS_UNSUCCESSFUL; - } - - if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) { + if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } @@ -1004,7 +1028,18 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - if (!pdb_set_fullname(sam_account, unistr2_static(&(info3->uni_full_name)), PDB_CHANGED)) { + if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) { + pdb_free_sam(&sam_account); + return NT_STATUS_UNSUCCESSFUL; + } + + if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) { + pdb_free_sam(&sam_account); + return NT_STATUS_UNSUCCESSFUL; + } + + if (!pdb_set_fullname(sam_account, unistr2_static(&(info3->uni_full_name)), + PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } @@ -1040,6 +1075,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, (*server_info)->sam_account = sam_account; + (*server_info)->unix_name = smb_xstrdup(found_username); + /* Fill in the unix info we found on the way */ (*server_info)->sam_fill_level = SAM_FILL_ALL; @@ -1050,7 +1087,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, returned to the caller. */ if (!NT_STATUS_IS_OK(nt_status - = get_user_groups_from_local_sam(pdb_get_username(sam_account), + = get_user_groups_from_local_sam((*server_info)->unix_name, uid, gid, &n_lgroupSIDs, &lgroupSIDs, @@ -1070,6 +1107,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, if (!all_group_SIDs) { DEBUG(0, ("malloc() failed for DOM_SID list!\n")); SAFE_FREE(lgroupSIDs); + free_server_info(server_info); return NT_STATUS_NO_MEMORY; } @@ -1085,6 +1123,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, DEBUG(3,("could not append additional group rid 0x%x\n", info3->gids[i].g_rid)); SAFE_FREE(lgroupSIDs); + free_server_info(server_info); return nt_status; } } @@ -1110,6 +1149,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, all_group_SIDs, False, &token))) { DEBUG(4,("create_nt_user_token failed\n")); SAFE_FREE(all_group_SIDs); + free_server_info(server_info); return nt_status; } @@ -1161,6 +1201,7 @@ void free_server_info(auth_serversupplied_info **server_info) /* call pam_end here, unless we know we are keeping it */ delete_nt_token( &(*server_info)->ptok ); SAFE_FREE((*server_info)->groups); + SAFE_FREE((*server_info)->unix_name); ZERO_STRUCT(**server_info); } SAFE_FREE(*server_info); -- cgit From b475d0b88924a0af4a8519a2e7bc183945de0f9c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 6 Jul 2003 05:51:20 +0000 Subject: This changes our Unix primary GID behaviour back to what most people expect: Samba will now use the user's UNIX primary group, as the primary group when dealing with the filesystem. The NT primary group is ignored in unix. For the NT_TOKEN, the primary group is the NT priamry group, and the unix primary group is added to the NT_TOKEN as a supplementary group. This should fix bug #109, but will need to be revisited when we get a full NT group database. Also in this commit: - Fix debug statements in service.c - Make idmap_ldap show if it's adding, or modifying an existing DN - Make idmap_ldap show both the error message and error string (This used to be commit 32e455a714b2090fcfd1f6d73daccf600c15d51b) --- source3/auth/auth_util.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index ea46d27e9e..f77ee350b4 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -784,13 +784,9 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, return NT_STATUS_NO_SUCH_USER; } (*server_info)->unix_name = smb_xstrdup(pwd->pw_name); - passwd_free(&pwd); + (*server_info)->gid = pwd->pw_gid; - if (!NT_STATUS_IS_OK(nt_status = sid_to_gid(pdb_get_group_sid(sampass), - &((*server_info)->gid)))) { - free_server_info(server_info); - return nt_status; - } + passwd_free(&pwd); if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, sampass, (*server_info)->uid, -- cgit From 0b18acb841f6a372b3aa285d4734875e5e35fe3b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 7 Jul 2003 05:11:10 +0000 Subject: and so it begins.... * remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8) --- source3/auth/auth_util.c | 65 +++++++++++++----------------------------------- 1 file changed, 17 insertions(+), 48 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index f77ee350b4..399a1e9006 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -923,12 +923,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, DOM_SID user_sid; DOM_SID group_sid; - struct passwd *passwd; - - unid_t u_id, g_id; uid_t uid; gid_t gid; - int u_type, g_type; int n_lgroupSIDs; DOM_SID *lgroupSIDs = NULL; @@ -964,44 +960,20 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, /* If the server didn't give us one, just use the one we sent them */ domain = domain; } - - u_type = ID_USERID; - g_type = ID_GROUPID; - - /* we are trying to check that idmap isn't stuffing us over - does this - user actually exist? */ - if (NT_STATUS_IS_OK(idmap_get_id_from_sid(&u_id, &u_type, &user_sid)) - && NT_STATUS_IS_OK(idmap_get_id_from_sid(&g_id, &g_type, &group_sid)) - && ((passwd = getpwuid_alloc(u_id.uid)))) { - - nt_status = pdb_init_sam_pw(&sam_account, passwd); - - uid = passwd->pw_uid; - gid = passwd->pw_gid; - - /* we should check this is the same name */ - found_username = talloc_strdup(mem_ctx, passwd->pw_name); - - passwd_free(&passwd); - } else { - - /* User not from winbind - try and find them by getpwnam() */ - nt_status = fill_sam_account(mem_ctx, nt_domain, - internal_username, - &found_username, - &uid, &gid, - &sam_account); - - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { - DEBUG(3,("User %s does not exist, trying to add it\n", - internal_username)); - auth_add_user_script(nt_domain, internal_username); - nt_status = fill_sam_account(mem_ctx, nt_domain, - internal_username, - &found_username, - &uid, &gid, - &sam_account); - } + + /* try to fill the same account.. If getpwnam() fails, then try the + add user script (2.2.x behavior) */ + + nt_status = fill_sam_account(mem_ctx, nt_domain, internal_username, + &found_username, &uid, &gid, &sam_account); + + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { + DEBUG(3,("User %s does not exist, trying to add it\n", + internal_username)); + auth_add_user_script(nt_domain, internal_username); + nt_status = fill_sam_account(mem_ctx, nt_domain, + internal_username, &found_username, + &uid, &gid, &sam_account); } if (!NT_STATUS_IS_OK(nt_status)) { @@ -1082,12 +1054,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, /* Store the user group information in the server_info returned to the caller. */ - if (!NT_STATUS_IS_OK(nt_status - = get_user_groups_from_local_sam((*server_info)->unix_name, - uid, gid, - &n_lgroupSIDs, - &lgroupSIDs, - &unix_groups))) + nt_status = get_user_groups_from_local_sam((*server_info)->unix_name, + uid, gid, &n_lgroupSIDs, &lgroupSIDs, &unix_groups); + if ( !NT_STATUS_IS_OK(nt_status) ) { DEBUG(4,("get_user_groups_from_local_sam failed\n")); return nt_status; -- cgit From 5365869b683e696863eb27545dc4608edff3408a Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 7 Jul 2003 05:28:51 +0000 Subject: temporarily disable a sanity check to prevent winbindd from deadlocking on a Samba PDC. Will be re-enabled after winbind_passdb is done. (This used to be commit c4762aa3bc0d5d2dc5161b543b22808a369e0698) --- source3/auth/auth_util.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 399a1e9006..ae1be761da 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -771,9 +771,11 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, (*server_info)->sam_account = sampass; +#if 0 /* JERRY */ + /* disabled until winbindd_passdb is completed to prevent winbindd deadlock on a Samba PDC */ if (!NT_STATUS_IS_OK(nt_status = sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid)))) return nt_status; - +#endif if (!(pwd = getpwuid_alloc(((*server_info)->uid)))) { fstring sid; DEBUG(1, ("User %s in passdb (%s) maps to UID, but getpwuid(%u) fails!\n", -- cgit From 0c3d46f17f79a4e1d0330de4c7b4145a4334c804 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 8 Jul 2003 02:19:16 +0000 Subject: fix temporary bug so people can test 3.0 again; make sure to initialize the uid for the server_info struct (This used to be commit 6a84297da53e8658f4bcfa4951ceed011b69201f) --- source3/auth/auth_util.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index ae1be761da..408b26f514 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -787,7 +787,8 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, } (*server_info)->unix_name = smb_xstrdup(pwd->pw_name); (*server_info)->gid = pwd->pw_gid; - + (*server_info)->uid = pwd->pw_uid; + passwd_free(&pwd); if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, sampass, -- cgit From 0d0f89461edf95bc584423cca4de1915afe4ba90 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Tue, 8 Jul 2003 05:37:13 +0000 Subject: Initialise the uid and gid values to a safe default in make_server_info() (This used to be commit 3a1f4f5ea5379b0deb6dc6b8ed81dedc3a08f70e) --- source3/auth/auth_util.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 408b26f514..7d6a5ff8c9 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -703,6 +703,14 @@ static NTSTATUS make_server_info(auth_serversupplied_info **server_info) return NT_STATUS_NO_MEMORY; } ZERO_STRUCTP(*server_info); + + /* Initialise the uid and gid values to something non-zero + which may save us from giving away root access if there + is a bug in allocating these fields. */ + + (*server_info)->uid = -1; + (*server_info)->gid = -1; + return NT_STATUS_OK; } -- cgit From 499b3e33153527420b3945b5eeb699e6b02d3420 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 8 Jul 2003 17:04:11 +0000 Subject: fix bone head mistake when setting the uid in the server_info struct. (This used to be commit 43f21078ec0f885d4d1a0b90476b55f8f92de9e7) --- source3/auth/auth_util.c | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7d6a5ff8c9..d1c3b107e7 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -779,17 +779,9 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, (*server_info)->sam_account = sampass; -#if 0 /* JERRY */ - /* disabled until winbindd_passdb is completed to prevent winbindd deadlock on a Samba PDC */ - if (!NT_STATUS_IS_OK(nt_status = sid_to_uid(pdb_get_user_sid(sampass), &((*server_info)->uid)))) - return nt_status; -#endif - if (!(pwd = getpwuid_alloc(((*server_info)->uid)))) { - fstring sid; - DEBUG(1, ("User %s in passdb (%s) maps to UID, but getpwuid(%u) fails!\n", - pdb_get_username(sampass), - sid_to_string(sid, pdb_get_user_sid(sampass)), - (unsigned)(*server_info)->uid)); + if ( !(pwd = getpwnam_alloc(pdb_get_username(sampass))) ) { + DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n", + pdb_get_username(sampass))); free_server_info(server_info); return NT_STATUS_NO_SUCH_USER; } -- cgit From f637448150ef248726363ae0df0b0f7e096c256e Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 8 Jul 2003 17:19:37 +0000 Subject: standlone servers don't have any trusted domains (This used to be commit 4acdfc5c944aa8830d6cec7bd1225200448e45c5) --- source3/auth/auth_util.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d1c3b107e7..6fc1d772ec 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1282,6 +1282,11 @@ BOOL is_trusted_domain(const char* dom_name) time_t lct; BOOL ret; + /* no trusted domains for a standalone server */ + + if ( lp_server_role() == ROLE_STANDALONE ) + return False; + /* if we are a DC, then check for a direct trust relationships */ if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC) { -- cgit From 16ff7b26f6b9d288cbd1d39e075b637e24da13a6 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 9 Jul 2003 16:44:47 +0000 Subject: Large set of changes to add UNIX account/group management to winbindd. See README.idmap-and-winbind-changes for details. (This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6) --- source3/auth/auth_util.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 6fc1d772ec..51cd1994f9 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -60,16 +60,23 @@ static int smb_create_user(const char *domain, const char *unix_username, const void auth_add_user_script(const char *domain, const char *username) { - struct passwd *pwd=NULL; - /* * User validated ok against Domain controller. * If the admin wants us to try and create a UNIX * user on the fly, do so. */ - if(lp_adduser_script() && !(pwd = Get_Pwnam(username))) { + if ( lp_adduser_script() ) smb_create_user(domain, username, NULL); + else { + DEBUG(10,("auth_add_user_script: no 'add user script'. Asking winbindd\n")); + + /* should never get here is we a re a domain member running winbindd + However, a host set for 'security = server' might run winbindd for + account allocation */ + + if ( !winbind_create_user(username) ) + DEBUG(5,("auth_add_user_script: winbindd_create_user() failed\n")); } } -- cgit From 03d5867d529f126da368ebda70bf2d997aa602e0 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 11 Jul 2003 05:33:40 +0000 Subject: moving more code around. * move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d) --- source3/auth/auth_util.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 51cd1994f9..3f9c120cfb 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -56,10 +56,12 @@ static int smb_create_user(const char *domain, const char *unix_username, const /**************************************************************************** Add and Delete UNIX users on demand, based on NTSTATUS codes. + We don't care about RID's here so ignore. ****************************************************************************/ void auth_add_user_script(const char *domain, const char *username) { + uint32 rid; /* * User validated ok against Domain controller. * If the admin wants us to try and create a UNIX @@ -75,8 +77,10 @@ void auth_add_user_script(const char *domain, const char *username) However, a host set for 'security = server' might run winbindd for account allocation */ - if ( !winbind_create_user(username) ) + if ( !winbind_create_user(username, NULL) ) { DEBUG(5,("auth_add_user_script: winbindd_create_user() failed\n")); + rid = 0; + } } } -- cgit From 9b9f1697ee2b24f28ce31c6a860c9b6c8a0c5e99 Mon Sep 17 00:00:00 2001 From: Richard Sharpe Date: Fri, 11 Jul 2003 17:50:59 +0000 Subject: Fix a small typo in a comment and pretty it up a bit. (This used to be commit 3b5ddd8e1f021f6a38434c0d9a47317ab6ff2614) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 3f9c120cfb..8e1b420b47 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -975,7 +975,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, domain = domain; } - /* try to fill the same account.. If getpwnam() fails, then try the + /* try to fill the SAM account.. If getpwnam() fails, then try the add user script (2.2.x behavior) */ nt_status = fill_sam_account(mem_ctx, nt_domain, internal_username, -- cgit From 77373f1f8e3b2f61e9bbcd9fadfb83257d390cf2 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Thu, 24 Jul 2003 23:46:27 +0000 Subject: More printf fixes - size_t is long on some architectures. (This used to be commit ba4d334b822248d8ab929c9568533431603d967e) --- source3/auth/auth_util.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 8e1b420b47..d4d08e2273 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -133,7 +133,7 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, *user_info = malloc(sizeof(**user_info)); if (!user_info) { - DEBUG(0,("malloc failed for user_info (size %d)\n", sizeof(*user_info))); + DEBUG(0,("malloc failed for user_info (size %l)\n", sizeof(*user_info))); return NT_STATUS_NO_MEMORY; } @@ -489,9 +489,9 @@ void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) DEBUGC(dbg_class, dbg_lev, ("NT user token of user %s\n", sid_to_string(sid_str, &token->user_sids[0]) )); - DEBUGADDC(dbg_class, dbg_lev, ("contains %i SIDs\n", token->num_sids)); + DEBUGADDC(dbg_class, dbg_lev, ("contains %l SIDs\n", token->num_sids)); for (i = 0; i < token->num_sids; i++) - DEBUGADDC(dbg_class, dbg_lev, ("SID[%3i]: %s\n", i, + DEBUGADDC(dbg_class, dbg_lev, ("SID[%3l]: %s\n", i, sid_to_string(sid_str, &token->user_sids[i]))); } -- cgit From 7d833de662b83f026b54a236588da27dd8899630 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Fri, 25 Jul 2003 04:24:40 +0000 Subject: More printf portability fixes. Got caught out by some gcc'isms last time. )-: (This used to be commit 59dae1da66a5eb7e128263bd578f167d8746e9f0) --- source3/auth/auth_util.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d4d08e2273..3a95ae591d 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -133,7 +133,7 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, *user_info = malloc(sizeof(**user_info)); if (!user_info) { - DEBUG(0,("malloc failed for user_info (size %l)\n", sizeof(*user_info))); + DEBUG(0,("malloc failed for user_info (size %lu)\n", (unsigned long)sizeof(*user_info))); return NT_STATUS_NO_MEMORY; } @@ -489,9 +489,9 @@ void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) DEBUGC(dbg_class, dbg_lev, ("NT user token of user %s\n", sid_to_string(sid_str, &token->user_sids[0]) )); - DEBUGADDC(dbg_class, dbg_lev, ("contains %l SIDs\n", token->num_sids)); + DEBUGADDC(dbg_class, dbg_lev, ("contains %lu SIDs\n", (unsigned long)token->num_sids)); for (i = 0; i < token->num_sids; i++) - DEBUGADDC(dbg_class, dbg_lev, ("SID[%3l]: %s\n", i, + DEBUGADDC(dbg_class, dbg_lev, ("SID[%3lu]: %s\n", (unsigned long)i, sid_to_string(sid_str, &token->user_sids[i]))); } -- cgit From 0c4358889e53187a6b839c8a66a5333df5580769 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 26 Jul 2003 01:21:06 +0000 Subject: Correctly detect an "add user script" - check that *lp_adduser_script() != '\0', not lp_adduser_script() != NULL. Jeremy. (This used to be commit 2eac65ebe7147b36a34e0ca1c3f455f559ab0361) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 3a95ae591d..5403ee8c39 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -68,7 +68,7 @@ void auth_add_user_script(const char *domain, const char *username) * user on the fly, do so. */ - if ( lp_adduser_script() ) + if ( *lp_adduser_script() ) smb_create_user(domain, username, NULL); else { DEBUG(10,("auth_add_user_script: no 'add user script'. Asking winbindd\n")); -- cgit From 56bb027696d5d0c8b72fe9d37d09b00f60b62ca1 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 8 Aug 2003 05:11:11 +0000 Subject: need to be able to connect to a domain member as a local account; don't always map to the domain name (This used to be commit 20b6e64da2669e5dfc7265cae331ec9c89aa02dc) --- source3/auth/auth_util.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5403ee8c39..061cc7345b 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -216,8 +216,8 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, client_domain, smb_name, wksta_name)); /* don't allow "" as a domain, fixes a Win9X bug - where it doens't supply a domain for logon script - 'net use' commands.*/ + where it doens't supply a domain for logon script + 'net use' commands. */ if ( *client_domain ) domain = client_domain; @@ -227,7 +227,7 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, /* do what win2k does. Always map unknown domains to our own and let the "passdb backend" handle unknown users. */ - if ( !is_trusted_domain(domain) ) + if ( !is_trusted_domain(domain) && !strequal(domain, get_global_sam_name()) ) domain = get_default_sam_name(); /* we know that it is a trusted domain (and we are allowing them) or it is our domain */ -- cgit From c1bc3a7841890d8af470863e018721c035754999 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sat, 9 Aug 2003 23:12:35 +0000 Subject: fix for BUG #267 (problem with supplementary groups). Use winbindd to get the group list if possible since we already know it from netsamlogon_cache.tdb. More effecient than letting libc call getgrent() to get seconary groups. Tested by Ken Cross. (This used to be commit 3c537c906f29a08e75895c8c8e3ed5c5abaaa940) --- source3/auth/auth_util.c | 118 ++++++++++++++++++++++++++++++----------------- 1 file changed, 76 insertions(+), 42 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 061cc7345b..d07681ee7d 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -646,43 +646,66 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, * of groups. ******************************************************************************/ -static NTSTATUS get_user_groups_from_local_sam(const char *username, uid_t uid, gid_t gid, - int *n_groups, DOM_SID **groups, gid_t **unix_groups) +static NTSTATUS get_user_groups(const char *username, uid_t uid, gid_t gid, + int *n_groups, DOM_SID **groups, gid_t **unix_groups) { - int n_unix_groups; - int i; + int n_unix_groups; + int i; *n_groups = 0; *groups = NULL; + + /* Try winbind first */ - n_unix_groups = groups_max(); - if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) { - DEBUG(0, ("get_user_groups_from_local_sam: Out of memory allocating unix group list\n")); - return NT_STATUS_NO_MEMORY; + if ( strchr(username, *lp_winbind_separator()) ) { + n_unix_groups = winbind_getgroups( username, unix_groups ); + + DEBUG(10,("get_user_groups: winbind_getgroups(%s): result = %s\n", username, + n_unix_groups == -1 ? "FAIL" : "SUCCESS")); + + if ( n_unix_groups == -1 ) + return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */ } - - if (sys_getgrouplist(username, gid, *unix_groups, &n_unix_groups) == -1) { - gid_t *groups_tmp; - groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups); - if (!groups_tmp) { - SAFE_FREE(*unix_groups); + else { + /* fallback to getgrouplist() */ + + n_unix_groups = groups_max(); + + if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) { + DEBUG(0, ("get_user_groups: Out of memory allocating unix group list\n")); return NT_STATUS_NO_MEMORY; } - *unix_groups = groups_tmp; - + if (sys_getgrouplist(username, gid, *unix_groups, &n_unix_groups) == -1) { - DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n")); - SAFE_FREE(*unix_groups); - return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */ + + gid_t *groups_tmp; + + groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups); + + if (!groups_tmp) { + SAFE_FREE(*unix_groups); + return NT_STATUS_NO_MEMORY; + } + *unix_groups = groups_tmp; + + if (sys_getgrouplist(username, gid, *unix_groups, &n_unix_groups) == -1) { + DEBUG(0, ("get_user_groups: failed to get the unix group list\n")); + SAFE_FREE(*unix_groups); + return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */ + } } } debug_unix_user_token(DBGC_CLASS, 5, uid, gid, n_unix_groups, *unix_groups); + /* now setup the space for storing the SIDS */ + if (n_unix_groups > 0) { + *groups = malloc(sizeof(DOM_SID) * n_unix_groups); + if (!*groups) { - DEBUG(0, ("get_user_group_from_local_sam: malloc() failed for DOM_SID list!\n")); + DEBUG(0, ("get_user_group: malloc() failed for DOM_SID list!\n")); SAFE_FREE(*unix_groups); return NT_STATUS_NO_MEMORY; } @@ -692,7 +715,8 @@ static NTSTATUS get_user_groups_from_local_sam(const char *username, uid_t uid, for (i = 0; i < *n_groups; i++) { if (!NT_STATUS_IS_OK(gid_to_sid(&(*groups)[i], (*unix_groups)[i]))) { - DEBUG(1, ("get_user_groups_from_local_sam: failed to convert gid %ld to a sid!\n", (long int)(*unix_groups)[i+1])); + DEBUG(1, ("get_user_groups: failed to convert gid %ld to a sid!\n", + (long int)(*unix_groups)[i+1])); SAFE_FREE(*groups); SAFE_FREE(*unix_groups); return NT_STATUS_NO_SUCH_USER; @@ -743,10 +767,9 @@ static NTSTATUS add_user_groups(auth_serversupplied_info **server_info, BOOL is_guest; uint32 rid; - nt_status = get_user_groups_from_local_sam(pdb_get_username(sampass), - uid, gid, - &n_groupSIDs, &groupSIDs, - &unix_groups); + nt_status = get_user_groups(pdb_get_username(sampass), uid, gid, + &n_groupSIDs, &groupSIDs, &unix_groups); + if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(4,("get_user_groups_from_local_sam failed\n")); free_server_info(server_info); @@ -1068,11 +1091,11 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, /* Store the user group information in the server_info returned to the caller. */ - nt_status = get_user_groups_from_local_sam((*server_info)->unix_name, + nt_status = get_user_groups((*server_info)->unix_name, uid, gid, &n_lgroupSIDs, &lgroupSIDs, &unix_groups); - if ( !NT_STATUS_IS_OK(nt_status) ) - { - DEBUG(4,("get_user_groups_from_local_sam failed\n")); + + if ( !NT_STATUS_IS_OK(nt_status) ) { + DEBUG(4,("get_user_groups failed\n")); return nt_status; } @@ -1080,9 +1103,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, (*server_info)->n_groups = n_lgroupSIDs; /* Create a 'combined' list of all SIDs we might want in the SD */ - all_group_SIDs = malloc(sizeof(DOM_SID) * - (n_lgroupSIDs + info3->num_groups2 + - info3->num_other_sids)); + + all_group_SIDs = malloc(sizeof(DOM_SID) * (info3->num_groups2 +info3->num_other_sids)); + if (!all_group_SIDs) { DEBUG(0, ("malloc() failed for DOM_SID list!\n")); SAFE_FREE(lgroupSIDs); @@ -1090,20 +1113,30 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } +#if 0 /* JERRY -- no such thing as local groups in current code */ /* Copy the 'local' sids */ memcpy(all_group_SIDs, lgroupSIDs, sizeof(DOM_SID) * n_lgroupSIDs); SAFE_FREE(lgroupSIDs); +#endif /* and create (by appending rids) the 'domain' sids */ + for (i = 0; i < info3->num_groups2; i++) { - sid_copy(&all_group_SIDs[i+n_lgroupSIDs], &(info3->dom_sid.sid)); - if (!sid_append_rid(&all_group_SIDs[i+n_lgroupSIDs], info3->gids[i].g_rid)) { + + sid_copy(&all_group_SIDs[i], &(info3->dom_sid.sid)); + + if (!sid_append_rid(&all_group_SIDs[i], info3->gids[i].g_rid)) { + nt_status = NT_STATUS_INVALID_PARAMETER; + DEBUG(3,("could not append additional group rid 0x%x\n", info3->gids[i].g_rid)); + SAFE_FREE(lgroupSIDs); free_server_info(server_info); + return nt_status; + } } @@ -1113,19 +1146,20 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp */ - for (i = 0; i < info3->num_other_sids; i++) - sid_copy(&all_group_SIDs[ - n_lgroupSIDs + info3->num_groups2 + i], + for (i = 0; i < info3->num_other_sids; i++) { + sid_copy(&all_group_SIDs[info3->num_groups2 + i], &info3->other_sids[i].sid); + } /* Where are the 'global' sids... */ /* can the user be guest? if yes, where is it stored? */ - if (!NT_STATUS_IS_OK( - nt_status = create_nt_user_token( - &user_sid, &group_sid, - n_lgroupSIDs + info3->num_groups2 + info3->num_other_sids, - all_group_SIDs, False, &token))) { + + nt_status = create_nt_user_token(&user_sid, &group_sid, + info3->num_groups2 + info3->num_other_sids, + all_group_SIDs, False, &token); + + if ( !NT_STATUS_IS_OK(nt_status) ) { DEBUG(4,("create_nt_user_token failed\n")); SAFE_FREE(all_group_SIDs); free_server_info(server_info); -- cgit From aa39cc37dab9c4f8c3295d872bb8cc143890b378 Mon Sep 17 00:00:00 2001 From: Herb Lewis Date: Fri, 15 Aug 2003 04:42:05 +0000 Subject: get rid of more compiler warnings (This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d07681ee7d..952aa8ba59 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -393,7 +393,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, dump_data(100, plaintext_password.data, plaintext_password.length); #endif - SMBencrypt( (const uchar *)plaintext_password.data, (const uchar*)chal, local_lm_response); + SMBencrypt( (const char *)plaintext_password.data, (const uchar*)chal, local_lm_response); local_lm_blob = data_blob(local_lm_response, 24); /* We can't do an NT hash here, as the password needs to be -- cgit From e7f41de758a39e6ad242ecbd8162cbf5117ad5a7 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 7 Oct 2003 16:34:23 +0000 Subject: make sure to call get_user_groups() with the full winbindd name for a user if he;she has one; bug 406 (This used to be commit 1737b36e9193e30285c598ad75d90f610bab47fe) --- source3/auth/auth_util.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 952aa8ba59..3803741466 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -644,6 +644,9 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, * * currently this is a hack, as there is no sam implementation that is capable * of groups. + * + * NOTE!! This function will fail if you pass in a winbind user without + * the domain --jerry ******************************************************************************/ static NTSTATUS get_user_groups(const char *username, uid_t uid, gid_t gid, @@ -926,8 +929,10 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, with just 'username'. This is need for accessing the server as a trust user that actually maps to a local account */ - if ( !passwd ) - passwd = Get_Pwnam(username); + if ( !passwd ) { + fstrcpy( dom_user, username ); + passwd = Get_Pwnam( dom_user ); + } if (passwd == NULL) return NT_STATUS_NO_SUCH_USER; @@ -935,7 +940,13 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, *uid = passwd->pw_uid; *gid = passwd->pw_gid; - *found_username = talloc_strdup(mem_ctx, passwd->pw_name); + /* This is pointless -- there is no suport for differeing + unix and windows names. Make sure to always store the + one we actuall looked up and succeeded. Have I mentioned + why I hate the 'winbind use default domain' parameter? + --jerry */ + + *found_username = talloc_strdup(mem_ctx, dom_user); return pdb_init_sam_pw(sam_account, passwd); } -- cgit From 3fb80f1926e1770f650bca1485c21cf5ee6b9c4f Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 20 Oct 2003 16:49:45 +0000 Subject: more 2.2.x compatibility fixes - allow user looksup in the kerb5 sesssetup to fall back to 'user' instaed of failing is REA.LM\user doesn't exist. also fix include line in smb_acls.h as requested by metze (This used to be commit 62ed2598b3441b3c198872df8eb55e594332807b) --- source3/auth/auth_util.c | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 3803741466..71634f08ed 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -942,7 +942,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, /* This is pointless -- there is no suport for differeing unix and windows names. Make sure to always store the - one we actuall looked up and succeeded. Have I mentioned + one we actually looked up and succeeded. Have I mentioned why I hate the 'winbind use default domain' parameter? --jerry */ @@ -951,6 +951,30 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, return pdb_init_sam_pw(sam_account, passwd); } +/**************************************************************************** + Wrapper to allow the getpwnam() call to styrip the domain name and + try again in case a local UNIX user is already there. + ****************************************************************************/ + +struct passwd *smb_getpwnam( char *domuser ) +{ + struct passwd *pw; + char *p; + + pw = Get_Pwnam( domuser ); + if ( pw ) + return pw; + + /* fallback to looking up just the username */ + + p = strchr( domuser, *lp_winbind_separator() ); + + if ( p ) + return Get_Pwnam(p+1); + + return NULL; +} + /*************************************************************************** Make a server_info struct from the info3 returned by a domain logon ***************************************************************************/ -- cgit From b922425cacd85d32b1471836636ab3675ebb17be Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 6 Nov 2003 17:28:44 +0000 Subject: run krb5 logins through the username map if the winbindd lookup fails; bug 698 (This used to be commit efe257bce2020e94d00946a27e2e586c82a1480f) --- source3/auth/auth_util.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 71634f08ed..dd0c0b02dd 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -952,14 +952,16 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, } /**************************************************************************** - Wrapper to allow the getpwnam() call to styrip the domain name and - try again in case a local UNIX user is already there. + Wrapper to allow the getpwnam() call to strip the domain name and + try again in case a local UNIX user is already there. Also run through + the username if we fallback to the username only. ****************************************************************************/ struct passwd *smb_getpwnam( char *domuser ) { struct passwd *pw; char *p; + fstring mapped_username; pw = Get_Pwnam( domuser ); if ( pw ) @@ -969,8 +971,11 @@ struct passwd *smb_getpwnam( char *domuser ) p = strchr( domuser, *lp_winbind_separator() ); - if ( p ) - return Get_Pwnam(p+1); + if ( p ) { + fstrcpy( mapped_username, p ); + map_username( mapped_username ); + return Get_Pwnam(mapped_username); + } return NULL; } -- cgit From 39ccc0f5157ba4f2c574d73b8e484211a24b677b Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 9 Nov 2003 17:23:57 +0000 Subject: Skip over the winbind separator when looking up a user. Volker (This used to be commit 6b457d0c5c1a18b6e09c2c4cc489ce791aac3c6b) --- source3/auth/auth_util.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index dd0c0b02dd..d7d7f53e2d 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -972,6 +972,7 @@ struct passwd *smb_getpwnam( char *domuser ) p = strchr( domuser, *lp_winbind_separator() ); if ( p ) { + p += 1; fstrcpy( mapped_username, p ); map_username( mapped_username ); return Get_Pwnam(mapped_username); -- cgit From fcbfc7ad0669009957c65fa61bb20df75a9701b4 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 22 Nov 2003 13:19:38 +0000 Subject: Changes all over the shop, but all towards: - NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc) --- source3/auth/auth_util.c | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d7d7f53e2d..5d3f8f0277 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -900,7 +900,13 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) nt_status = make_server_info_sam(server_info, sampass); if (NT_STATUS_IS_OK(nt_status)) { + static const char zeros[16]; (*server_info)->guest = True; + + /* annoying, but the Guest really does have a session key, + and it is all zeros! */ + (*server_info)->nt_session_key = data_blob(zeros, sizeof(zeros)); + (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros)); } return nt_status; @@ -992,6 +998,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, auth_serversupplied_info **server_info, NET_USER_INFO_3 *info3) { + static const char zeros[16]; + NTSTATUS nt_status = NT_STATUS_OK; char *found_username; const char *nt_domain; @@ -1210,10 +1218,20 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, (*server_info)->ptok = token; SAFE_FREE(all_group_SIDs); + + /* ensure we are never given NULL session keys */ - memcpy((*server_info)->session_key, info3->user_sess_key, sizeof((*server_info)->session_key)/* 16 */); - memcpy((*server_info)->first_8_lm_hash, info3->padding, 8); + if (memcmp(info3->user_sess_key, zeros, sizeof(zeros)) == 0) { + (*server_info)->nt_session_key = data_blob(NULL, 0); + } else { + (*server_info)->nt_session_key = data_blob(info3->user_sess_key, sizeof(info3->user_sess_key)); + } + if (memcmp(info3->padding, zeros, sizeof(zeros)) == 0) { + (*server_info)->lm_session_key = data_blob(NULL, 0); + } else { + (*server_info)->lm_session_key = data_blob(info3->padding, 16); + } return NT_STATUS_OK; } @@ -1256,6 +1274,8 @@ void free_server_info(auth_serversupplied_info **server_info) delete_nt_token( &(*server_info)->ptok ); SAFE_FREE((*server_info)->groups); SAFE_FREE((*server_info)->unix_name); + data_blob_free(&(*server_info)->lm_session_key); + data_blob_free(&(*server_info)->nt_session_key); ZERO_STRUCT(**server_info); } SAFE_FREE(*server_info); -- cgit From aad0b08cbb74211eb035afe2e95e102db89db87f Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 6 Dec 2003 02:34:02 +0000 Subject: Fix for bug #445 (missing unix user on kerberos auth doesn't call add user script). Jeremy. (This used to be commit 5d9f06bdae4e7b878a87fb97367cf10afbc5f6b2) --- source3/auth/auth_util.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5d3f8f0277..6df31b94a7 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -965,7 +965,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, struct passwd *smb_getpwnam( char *domuser ) { - struct passwd *pw; + struct passwd *pw = NULL; char *p; fstring mapped_username; @@ -981,10 +981,20 @@ struct passwd *smb_getpwnam( char *domuser ) p += 1; fstrcpy( mapped_username, p ); map_username( mapped_username ); - return Get_Pwnam(mapped_username); + pw = Get_Pwnam(mapped_username); + if (!pw) { + /* Create local user if requested. */ + p = strchr( mapped_username, *lp_winbind_separator() ); + if (p) + p += 1; + else + p = mapped_username; + auth_add_user_script(NULL, p); + return Get_Pwnam(p); + } } - return NULL; + return pw; } /*************************************************************************** -- cgit From 8d019a9682c6d6b42f296b7db5d3c342a5633b3b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 9 Dec 2003 18:34:29 +0000 Subject: Final part of fix for #445. Don't add user for machine accounts. Jeremy. (This used to be commit 3684cffbd269389d14b37edd5959e29912c13a60) --- source3/auth/auth_util.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 6df31b94a7..3dc0fdbe46 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -983,6 +983,10 @@ struct passwd *smb_getpwnam( char *domuser ) map_username( mapped_username ); pw = Get_Pwnam(mapped_username); if (!pw) { + /* Don't add a machine account. */ + if (mapped_username[strlen(mapped_username)-1] == '$') + return NULL; + /* Create local user if requested. */ p = strchr( mapped_username, *lp_winbind_separator() ); if (p) -- cgit From 682f20c9ca501cca0d60f838547917db7dd361d7 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 19 Dec 2003 00:33:09 +0000 Subject: * add a few useful debug lines * fix bug involving Win9x clients. Make sure we save the right case for the located username in fill_sam_account() (This used to be commit 850e4be29e185ebe890f094372aa8c2cc86de76a) --- source3/auth/auth_util.c | 36 ++++++++++++++++++++++++++++-------- 1 file changed, 28 insertions(+), 8 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 3dc0fdbe46..c474049617 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -926,21 +926,38 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, fstring dom_user; struct passwd *passwd; - fstr_sprintf(dom_user, "%s%s%s", - domain, lp_winbind_separator(), username); + fstr_sprintf(dom_user, "%s%s%s", domain, lp_winbind_separator(), + username); passwd = Get_Pwnam(dom_user); + + if ( passwd ) { + char *p; + + /* make sure we get the case of the username correct */ + /* work around 'winbind use default domain = yes' */ + + p = strchr( passwd->pw_name, *lp_winbind_separator() ); + if ( !p ) + fstr_sprintf(dom_user, "%s%s%s", domain, + lp_winbind_separator(), passwd->pw_name); + else + fstrcpy( dom_user, passwd->pw_name ); + } + else { + /* if the lookup for DOMAIN\username failed, try again + with just 'username'. This is need for accessing the server + as a trust user that actually maps to a local account */ - /* if the lookup for DOMAIN\username failed, try again - with just 'username'. This is need for accessing the server - as a trust user that actually maps to a local account */ - - if ( !passwd ) { fstrcpy( dom_user, username ); passwd = Get_Pwnam( dom_user ); + + /* make sure we get the case of the username correct */ + if ( passwd ) + fstrcpy( dom_user, passwd->pw_name ); } - if (passwd == NULL) + if ( !passwd ) return NT_STATUS_NO_SUCH_USER; *uid = passwd->pw_uid; @@ -953,6 +970,9 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, --jerry */ *found_username = talloc_strdup(mem_ctx, dom_user); + + DEBUG(5,("fill_sam_account: located username was [%s]\n", + *found_username)); return pdb_init_sam_pw(sam_account, passwd); } -- cgit From 5eee23cc64139ba1d23101c87709e6d5198a6c68 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 31 Dec 2003 00:31:43 +0000 Subject: auth/auth_util.c: - Fill in the 'backup' idea of a domain, if the DC didn't supply one. This doesn't seem to occour in reality, hence why we missed the typo. lib/charcnv.c: lib/smbldap.c: libads/ldap.c: libsmb/libsmbclient.c: printing/nt_printing.c: - all the callers to pull_utf8_allocate() pass a char ** as the first parammeter, so don't make them all cast it to a void ** nsswitch/winbind_util.c: - Allow for a more 'correct' view of when usernames should be qualified in winbindd. If we are a PDC, or have 'winbind trusted domains only', then for the authentication returns stip the domain portion. - Fix valgrind warning about use of free()ed name when looking up our local domain. lp_workgroup() is maniplated inside a procedure that uses it's former value. Instead, use the fact that our local domain is always the first in the list. Andrew Bartlett (This used to be commit 494781f628683d6e68e8ba21ae54f738727e8c21) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index c474049617..0f945b33cb 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1078,7 +1078,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, if (!(nt_domain = unistr2_tdup(mem_ctx, &(info3->uni_logon_dom)))) { /* If the server didn't give us one, just use the one we sent them */ - domain = domain; + nt_domain = domain; } /* try to fill the SAM account.. If getpwnam() fails, then try the -- cgit From d24b8a2032a2e92d954781e610ab535361fefd88 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 16 Mar 2004 16:41:54 +0000 Subject: BUG 1165, 1126: Fix bug with secondary groups (security = ads) and winbind use default domain = yes (This used to be commit f2eaa14b1eb7e89c945b2b06a48e17998c75d620) --- source3/auth/auth_util.c | 137 ++++++++++++++++++++++++++--------------------- 1 file changed, 77 insertions(+), 60 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 0f945b33cb..dfc3f6cc21 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -757,6 +757,7 @@ Fill a server_info struct from a SAM_ACCOUNT with their groups ***************************************************************************/ static NTSTATUS add_user_groups(auth_serversupplied_info **server_info, + const char * unix_username, SAM_ACCOUNT *sampass, uid_t uid, gid_t gid) { @@ -770,7 +771,7 @@ static NTSTATUS add_user_groups(auth_serversupplied_info **server_info, BOOL is_guest; uint32 rid; - nt_status = get_user_groups(pdb_get_username(sampass), uid, gid, + nt_status = get_user_groups(unix_username, uid, gid, &n_groupSIDs, &groupSIDs, &unix_groups); if (!NT_STATUS_IS_OK(nt_status)) { @@ -828,9 +829,11 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, passwd_free(&pwd); - if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, sampass, + if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, pdb_get_username(sampass), + sampass, (*server_info)->uid, - (*server_info)->gid))) { + (*server_info)->gid))) + { free_server_info(server_info); return nt_status; } @@ -848,7 +851,9 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, to a SAM_ACCOUNT ***************************************************************************/ -NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, const struct passwd *pwd) +NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, + char *unix_username, + struct passwd *pwd) { NTSTATUS nt_status; SAM_ACCOUNT *sampass = NULL; @@ -861,11 +866,13 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, const struc (*server_info)->sam_account = sampass; - if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, sampass, pwd->pw_uid, pwd->pw_gid))) { + if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, unix_username, + sampass, pwd->pw_uid, pwd->pw_gid))) + { return nt_status; } - (*server_info)->unix_name = smb_xstrdup(pwd->pw_name); + (*server_info)->unix_name = smb_xstrdup(unix_username); (*server_info)->sam_fill_level = SAM_FILL_ALL; (*server_info)->uid = pwd->pw_uid; @@ -924,52 +931,30 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, SAM_ACCOUNT **sam_account) { fstring dom_user; + fstring real_username; struct passwd *passwd; fstr_sprintf(dom_user, "%s%s%s", domain, lp_winbind_separator(), username); - passwd = Get_Pwnam(dom_user); - - if ( passwd ) { - char *p; - - /* make sure we get the case of the username correct */ - /* work around 'winbind use default domain = yes' */ - - p = strchr( passwd->pw_name, *lp_winbind_separator() ); - if ( !p ) - fstr_sprintf(dom_user, "%s%s%s", domain, - lp_winbind_separator(), passwd->pw_name); - else - fstrcpy( dom_user, passwd->pw_name ); - } - else { - /* if the lookup for DOMAIN\username failed, try again - with just 'username'. This is need for accessing the server - as a trust user that actually maps to a local account */ - - fstrcpy( dom_user, username ); - passwd = Get_Pwnam( dom_user ); - - /* make sure we get the case of the username correct */ - if ( passwd ) - fstrcpy( dom_user, passwd->pw_name ); - } + /* get the passwd struct but don't create the user if he/she + does not exist. We were explicitly called from a following + a winbindd authentication request so we should assume that + nss_winbindd is working */ - if ( !passwd ) + if ( !(passwd = smb_getpwnam( dom_user, real_username, True )) ) return NT_STATUS_NO_SUCH_USER; *uid = passwd->pw_uid; *gid = passwd->pw_gid; - /* This is pointless -- there is no suport for differeing + /* This is pointless -- there is no suport for differing unix and windows names. Make sure to always store the one we actually looked up and succeeded. Have I mentioned why I hate the 'winbind use default domain' parameter? --jerry */ - *found_username = talloc_strdup(mem_ctx, dom_user); + *found_username = talloc_strdup( mem_ctx, real_username ); DEBUG(5,("fill_sam_account: located username was [%s]\n", *found_username)); @@ -983,40 +968,72 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, the username if we fallback to the username only. ****************************************************************************/ -struct passwd *smb_getpwnam( char *domuser ) +struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) { struct passwd *pw = NULL; char *p; fstring mapped_username; + + /* we only save a copy of the username it has been mangled + by winbindd use default domain */ + + save_username[0] = '\0'; + + /* save a local copy of the username and run it through the + username map */ + + fstrcpy( mapped_username, domuser ); + map_username( mapped_username ); + + p = strchr_m( mapped_username, *lp_winbind_separator() ); + + /* code for a DOMAIN\user string */ + + if ( p ) { + pw = Get_Pwnam( domuser ); + if ( pw ) { + /* make sure we get the case of the username correct */ + /* work around 'winbind use default domain = yes' */ - pw = Get_Pwnam( domuser ); - if ( pw ) - return pw; - - /* fallback to looking up just the username */ + if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) { + char *domain; + + domain = mapped_username; + *p = '\0'; + fstr_sprintf(save_username, "%s%c%s", domain, *lp_winbind_separator(), pw->pw_name); + } + else + fstrcpy( save_username, pw->pw_name ); - p = strchr( domuser, *lp_winbind_separator() ); + /* whew -- done! */ + return pw; + } - if ( p ) { - p += 1; + /* setup for lookup of just the username */ + p++; fstrcpy( mapped_username, p ); - map_username( mapped_username ); + + } + + /* just lookup a plain username */ + + pw = Get_Pwnam(mapped_username); + + /* Create local user if requested. */ + + if ( !pw && create ) { + /* Don't add a machine account. */ + if (mapped_username[strlen(mapped_username)-1] == '$') + return NULL; + + auth_add_user_script(NULL, mapped_username); pw = Get_Pwnam(mapped_username); - if (!pw) { - /* Don't add a machine account. */ - if (mapped_username[strlen(mapped_username)-1] == '$') - return NULL; - - /* Create local user if requested. */ - p = strchr( mapped_username, *lp_winbind_separator() ); - if (p) - p += 1; - else - p = mapped_username; - auth_add_user_script(NULL, p); - return Get_Pwnam(p); - } } + + /* one last check for a valid passwd struct */ + + if ( pw ) + fstrcpy( save_username, pw->pw_name ); return pw; } -- cgit From c340b2e5e49c14c2e8377234b399f0682c7e3d5a Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 16 Mar 2004 20:28:47 +0000 Subject: fix overlapping memory bug when copying username (This used to be commit a7cac639c2cf0e2606d9cfbdb08e961212ee3bfa) --- source3/auth/auth_util.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index dfc3f6cc21..f62cc2fb9e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -973,6 +973,7 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) struct passwd *pw = NULL; char *p; fstring mapped_username; + fstring strip_username; /* we only save a copy of the username it has been mangled by winbindd use default domain */ @@ -1010,9 +1011,11 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) } /* setup for lookup of just the username */ - p++; - fstrcpy( mapped_username, p ); + /* remember that p and mapped_username are overlapping memory */ + p++; + fstrcpy( strip_username, p ); + fstrcpy( mapped_username, strip_username ); } /* just lookup a plain username */ -- cgit From c2ff214772ac1934731938b3804d37e514e45c32 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 3 Apr 2004 15:41:32 +0000 Subject: Fix most of bug #169. For a (very) long time, we have had a bug in Samba were an NTLMv2-only PDC would fail, because it converted the password into NTLM format for checking. This patch performs the direct comparison required for interactive logons to function in this situation. It also removes the 'auth flags', which simply where not ever used. Natrually, this plays with the size of structures, so rebuild, rebuild rebuild... Andrew Bartlett (This used to be commit 9598593bcf2d877b1d08cd6a7323ee0bc160d4ba) --- source3/auth/auth_util.c | 167 ++++++++++++++++++++++++----------------------- 1 file changed, 84 insertions(+), 83 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index f62cc2fb9e..9df5873983 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -124,9 +124,10 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, const char *client_domain, const char *domain, const char *wksta_name, - DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, - DATA_BLOB plaintext, - uint32 auth_flags, BOOL encrypted) + DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd, + DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd, + DATA_BLOB *plaintext, + BOOL encrypted) { DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name)); @@ -183,12 +184,19 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, DEBUG(5,("making blobs for %s's user_info struct\n", internal_username)); - (*user_info)->lm_resp = data_blob(lm_pwd.data, lm_pwd.length); - (*user_info)->nt_resp = data_blob(nt_pwd.data, nt_pwd.length); - (*user_info)->plaintext_password = data_blob(plaintext.data, plaintext.length); + if (lm_pwd) + (*user_info)->lm_resp = data_blob(lm_pwd->data, lm_pwd->length); + if (nt_pwd) + (*user_info)->nt_resp = data_blob(nt_pwd->data, nt_pwd->length); + if (lm_interactive_pwd) + (*user_info)->lm_interactive_pwd = data_blob(lm_interactive_pwd->data, lm_interactive_pwd->length); + if (nt_interactive_pwd) + (*user_info)->nt_interactive_pwd = data_blob(nt_interactive_pwd->data, nt_interactive_pwd->length); + + if (plaintext) + (*user_info)->plaintext_password = data_blob(plaintext->data, plaintext->length); (*user_info)->encrypted = encrypted; - (*user_info)->auth_flags = auth_flags; DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name)); @@ -203,9 +211,10 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, const char *wksta_name, - DATA_BLOB lm_pwd, DATA_BLOB nt_pwd, - DATA_BLOB plaintext, - uint32 ntlmssp_flags, BOOL encrypted) + DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd, + DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd, + DATA_BLOB *plaintext, + BOOL encrypted) { const char *domain; fstring internal_username; @@ -233,8 +242,10 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, /* we know that it is a trusted domain (and we are allowing them) or it is our domain */ return make_user_info(user_info, smb_name, internal_username, - client_domain, domain, wksta_name, lm_pwd, nt_pwd, - plaintext, ntlmssp_flags, encrypted); + client_domain, domain, wksta_name, + lm_pwd, nt_pwd, + lm_interactive_pwd, nt_interactive_pwd, + plaintext, encrypted); } /**************************************************************************** @@ -253,23 +264,14 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, NTSTATUS nt_status; DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len); DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); - DATA_BLOB plaintext_blob = data_blob(NULL, 0); - uint32 auth_flags = AUTH_FLAG_NONE; - - if (lm_pwd_len) - auth_flags |= AUTH_FLAG_LM_RESP; - if (nt_pwd_len == 24) { - auth_flags |= AUTH_FLAG_NTLM_RESP; - } else if (nt_pwd_len != 0) { - auth_flags |= AUTH_FLAG_NTLMv2_RESP; - } nt_status = make_user_info_map(user_info, - smb_name, client_domain, - wksta_name, - lm_blob, nt_blob, - plaintext_blob, - auth_flags, True); + smb_name, client_domain, + wksta_name, + lm_pwd_len ? &lm_blob : NULL, + nt_pwd_len ? &nt_blob : NULL, + NULL, NULL, NULL, + True); ret = NT_STATUS_IS_OK(nt_status) ? True : False; @@ -297,7 +299,6 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, unsigned char local_lm_response[24]; unsigned char local_nt_response[24]; unsigned char key[16]; - uint32 auth_flags = AUTH_FLAG_NONE; ZERO_STRUCT(key); memcpy(key, dc_sess_key, 8); @@ -316,8 +317,11 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, dump_data(100, nt_pwd, sizeof(nt_pwd)); #endif - SamOEMhash((uchar *)lm_pwd, key, sizeof(lm_pwd)); - SamOEMhash((uchar *)nt_pwd, key, sizeof(nt_pwd)); + if (lm_interactive_pwd) + SamOEMhash((uchar *)lm_pwd, key, sizeof(lm_pwd)); + + if (nt_interactive_pwd) + SamOEMhash((uchar *)nt_pwd, key, sizeof(nt_pwd)); #ifdef DEBUG_PASSWORD DEBUG(100,("decrypt of lm owf password:")); @@ -327,37 +331,51 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, dump_data(100, nt_pwd, sizeof(nt_pwd)); #endif - SMBOWFencrypt((const unsigned char *)lm_pwd, chal, local_lm_response); - SMBOWFencrypt((const unsigned char *)nt_pwd, chal, local_nt_response); + if (lm_interactive_pwd) + SMBOWFencrypt((const unsigned char *)lm_pwd, chal, local_lm_response); + + if (nt_interactive_pwd) + SMBOWFencrypt((const unsigned char *)nt_pwd, chal, local_nt_response); /* Password info paranoia */ - ZERO_STRUCT(lm_pwd); - ZERO_STRUCT(nt_pwd); ZERO_STRUCT(key); { BOOL ret; NTSTATUS nt_status; - DATA_BLOB local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response)); - DATA_BLOB local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response)); - DATA_BLOB plaintext_blob = data_blob(NULL, 0); + DATA_BLOB local_lm_blob; + DATA_BLOB local_nt_blob; - if (lm_interactive_pwd) - auth_flags |= AUTH_FLAG_LM_RESP; - if (nt_interactive_pwd) - auth_flags |= AUTH_FLAG_NTLM_RESP; + DATA_BLOB lm_interactive_blob; + DATA_BLOB nt_interactive_blob; + + if (lm_interactive_pwd) { + local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response)); + lm_interactive_blob = data_blob(lm_pwd, sizeof(lm_pwd)); + ZERO_STRUCT(lm_pwd); + } + + if (nt_interactive_pwd) { + local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response)); + nt_interactive_blob = data_blob(nt_pwd, sizeof(nt_pwd)); + ZERO_STRUCT(nt_pwd); + } nt_status = make_user_info_map(user_info, smb_name, client_domain, wksta_name, - local_lm_blob, - local_nt_blob, - plaintext_blob, - auth_flags, True); - + lm_interactive_pwd ? &local_lm_blob : NULL, + nt_interactive_pwd ? &local_nt_blob : NULL, + lm_interactive_pwd ? &lm_interactive_blob : NULL, + nt_interactive_pwd ? &nt_interactive_blob : NULL, + NULL, + True); + ret = NT_STATUS_IS_OK(nt_status) ? True : False; data_blob_free(&local_lm_blob); data_blob_free(&local_nt_blob); + data_blob_free(&lm_interactive_blob); + data_blob_free(&nt_interactive_blob); return ret; } } @@ -377,7 +395,6 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, DATA_BLOB local_lm_blob; DATA_BLOB local_nt_blob; NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; - uint32 auth_flags = AUTH_FLAG_NONE; /* * Not encrypted - do so. @@ -400,7 +417,6 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, case insensitive */ local_nt_blob = data_blob(NULL, 0); - auth_flags = (AUTH_FLAG_PLAINTEXT | AUTH_FLAG_LM_RESP); } else { local_lm_blob = data_blob(NULL, 0); local_nt_blob = data_blob(NULL, 0); @@ -409,10 +425,11 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, ret = make_user_info_map(user_info, smb_name, client_domain, get_remote_machine_name(), - local_lm_blob, - local_nt_blob, - plaintext_password, - auth_flags, False); + local_lm_blob.data ? &local_lm_blob : NULL, + local_nt_blob.data ? &local_nt_blob : NULL, + NULL, NULL, + plaintext_password.data ? &plaintext_password : NULL, + False); data_blob_free(&local_lm_blob); return NT_STATUS_IS_OK(ret) ? True : False; @@ -427,27 +444,13 @@ NTSTATUS make_user_info_for_reply_enc(auth_usersupplied_info **user_info, const char *client_domain, DATA_BLOB lm_resp, DATA_BLOB nt_resp) { - uint32 auth_flags = AUTH_FLAG_NONE; - - DATA_BLOB no_plaintext_blob = data_blob(NULL, 0); - - if (lm_resp.length == 24) { - auth_flags |= AUTH_FLAG_LM_RESP; - } - if (nt_resp.length == 0) { - } else if (nt_resp.length == 24) { - auth_flags |= AUTH_FLAG_NTLM_RESP; - } else { - auth_flags |= AUTH_FLAG_NTLMv2_RESP; - } - return make_user_info_map(user_info, smb_name, - client_domain, - get_remote_machine_name(), - lm_resp, - nt_resp, - no_plaintext_blob, - auth_flags, True); + client_domain, + get_remote_machine_name(), + lm_resp.data ? &lm_resp : NULL, + nt_resp.data ? &nt_resp : NULL, + NULL, NULL, NULL, + True); } /**************************************************************************** @@ -456,19 +459,16 @@ NTSTATUS make_user_info_for_reply_enc(auth_usersupplied_info **user_info, BOOL make_user_info_guest(auth_usersupplied_info **user_info) { - DATA_BLOB lm_blob = data_blob(NULL, 0); - DATA_BLOB nt_blob = data_blob(NULL, 0); - DATA_BLOB plaintext_blob = data_blob(NULL, 0); - uint32 auth_flags = AUTH_FLAG_NONE; NTSTATUS nt_status; nt_status = make_user_info(user_info, - "","", - "","", - "", - nt_blob, lm_blob, - plaintext_blob, - auth_flags, True); + "","", + "","", + "", + NULL, NULL, + NULL, NULL, + NULL, + True); return NT_STATUS_IS_OK(nt_status) ? True : False; } @@ -1307,7 +1307,8 @@ void free_user_info(auth_usersupplied_info **user_info) SAFE_FREE((*user_info)->wksta_name.str); data_blob_free(&(*user_info)->lm_resp); data_blob_free(&(*user_info)->nt_resp); - SAFE_FREE((*user_info)->interactive_password); + data_blob_clear_free(&(*user_info)->lm_interactive_pwd); + data_blob_clear_free(&(*user_info)->nt_interactive_pwd); data_blob_clear_free(&(*user_info)->plaintext_password); ZERO_STRUCT(**user_info); } -- cgit From d17425ed52b086b7046708a207e849271cedc804 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 6 Apr 2004 08:11:16 +0000 Subject: r69: Global rename of 'nt_session_key' -> 'user_session_key'. The session key could be anything, and may not be based on anything 'NT'. This is also what microsoft calls it. (This used to be commit 724e8d3f33719543146280062435c69a835c491e) --- source3/auth/auth_util.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 9df5873983..3f1ac9c975 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -912,7 +912,7 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) /* annoying, but the Guest really does have a session key, and it is all zeros! */ - (*server_info)->nt_session_key = data_blob(zeros, sizeof(zeros)); + (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros)); (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros)); } @@ -1276,9 +1276,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, /* ensure we are never given NULL session keys */ if (memcmp(info3->user_sess_key, zeros, sizeof(zeros)) == 0) { - (*server_info)->nt_session_key = data_blob(NULL, 0); + (*server_info)->user_session_key = data_blob(NULL, 0); } else { - (*server_info)->nt_session_key = data_blob(info3->user_sess_key, sizeof(info3->user_sess_key)); + (*server_info)->user_session_key = data_blob(info3->user_sess_key, sizeof(info3->user_sess_key)); } if (memcmp(info3->padding, zeros, sizeof(zeros)) == 0) { @@ -1330,7 +1330,7 @@ void free_server_info(auth_serversupplied_info **server_info) SAFE_FREE((*server_info)->groups); SAFE_FREE((*server_info)->unix_name); data_blob_free(&(*server_info)->lm_session_key); - data_blob_free(&(*server_info)->nt_session_key); + data_blob_free(&(*server_info)->user_session_key); ZERO_STRUCT(**server_info); } SAFE_FREE(*server_info); -- cgit From 50ac33f5825015b723ddf60ef170d22e93623463 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 6 Apr 2004 16:49:09 +0000 Subject: r86: This function was moved to lib/nterr.h Andrew Bartlett (This used to be commit 1c6d0399d67c9206baf7d4173cc00540146fa897) --- source3/auth/auth_util.c | 28 ---------------------------- 1 file changed, 28 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 3f1ac9c975..e6ed83a79a 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1400,34 +1400,6 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) return token; } -/** - * Squash an NT_STATUS in line with security requirements. - * In an attempt to avoid giving the whole game away when users - * are authenticating, NT replaces both NT_STATUS_NO_SUCH_USER and - * NT_STATUS_WRONG_PASSWORD with NT_STATUS_LOGON_FAILURE in certain situations - * (session setups in particular). - * - * @param nt_status NTSTATUS input for squashing. - * @return the 'squashed' nt_status - **/ - -NTSTATUS nt_status_squash(NTSTATUS nt_status) -{ - if NT_STATUS_IS_OK(nt_status) { - return nt_status; - } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) { - /* Match WinXP and don't give the game away */ - return NT_STATUS_LOGON_FAILURE; - - } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) { - /* Match WinXP and don't give the game away */ - return NT_STATUS_LOGON_FAILURE; - } else { - return nt_status; - } -} - - /** * Verify whether or not given domain is trusted. * -- cgit From 8c0db1bbc469932694ed877eebecffa3d1948abd Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 19 May 2004 21:49:58 +0000 Subject: r786: Memory leak fixes in (mostly) error code paths from kawasa_r@itg.hitachi.co.jp. A couple of mem leak fixes in mainline code paths though :-). Jeremy. (This used to be commit 4695cc95fe576b6da0d0cb0686f208fc306b2646) --- source3/auth/auth_util.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index e6ed83a79a..9a03e7fe13 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1236,6 +1236,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, info3->gids[i].g_rid)); SAFE_FREE(lgroupSIDs); + SAFE_FREE(all_group_SIDs); free_server_info(server_info); return nt_status; @@ -1264,6 +1265,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, if ( !NT_STATUS_IS_OK(nt_status) ) { DEBUG(4,("create_nt_user_token failed\n")); + SAFE_FREE(lgroupSIDs); SAFE_FREE(all_group_SIDs); free_server_info(server_info); return nt_status; @@ -1271,6 +1273,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, (*server_info)->ptok = token; + SAFE_FREE(lgroupSIDs); SAFE_FREE(all_group_SIDs); /* ensure we are never given NULL session keys */ -- cgit From 9dbf2e2419e2ba0f2293b4a7a5971123f34a09ad Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 3 Jun 2004 18:00:22 +0000 Subject: r991: Allow winbindd to use the domain trust account password for setting up an schannel connection. This solves the problem of a Samba DC running winbind, trusting a native mode AD domain, and needing to enumerate AD users via wbinfo -u. (This used to be commit e9f109d1b38e0b0adec9b7e9a907f90a79d297ea) --- source3/auth/auth_util.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 9a03e7fe13..e6cc0fe5b3 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1425,8 +1425,10 @@ BOOL is_trusted_domain(const char* dom_name) /* if we are a DC, then check for a direct trust relationships */ - if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC) { + if ( IS_DC ) { become_root(); + DEBUG (5,("is_trusted_domain: Checking for domain trust with [%s]\n", + dom_name )); ret = secrets_fetch_trusted_domain_password(dom_name, &pass, &trustdom_sid, &lct); unbecome_root(); SAFE_FREE(pass); -- cgit From 5be2af482253306b0a1ddbdb813d928664f5a622 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 17 Jun 2004 12:23:00 +0000 Subject: r1175: Nowadays we actually do have local groups, so add the corresponding SIDs to the NT token we build. Thanks to Guenther Deschner . Volker (This used to be commit 2f9143dee901f7fc9e5ff0218527f1f4cff1991e) --- source3/auth/auth_util.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index e6cc0fe5b3..ddfe88d28d 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1207,7 +1207,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, /* Create a 'combined' list of all SIDs we might want in the SD */ - all_group_SIDs = malloc(sizeof(DOM_SID) * (info3->num_groups2 +info3->num_other_sids)); + all_group_SIDs = malloc(sizeof(DOM_SID) * (info3->num_groups2 + info3->num_other_sids + n_lgroupSIDs)); if (!all_group_SIDs) { DEBUG(0, ("malloc() failed for DOM_SID list!\n")); @@ -1216,12 +1216,6 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } -#if 0 /* JERRY -- no such thing as local groups in current code */ - /* Copy the 'local' sids */ - memcpy(all_group_SIDs, lgroupSIDs, sizeof(DOM_SID) * n_lgroupSIDs); - SAFE_FREE(lgroupSIDs); -#endif - /* and create (by appending rids) the 'domain' sids */ for (i = 0; i < info3->num_groups2; i++) { @@ -1254,13 +1248,22 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, sid_copy(&all_group_SIDs[info3->num_groups2 + i], &info3->other_sids[i].sid); } + + + /* add local alias sids */ + + for (i = 0; i < n_lgroupSIDs; i++) { + sid_copy(&all_group_SIDs[info3->num_groups2 + + info3->num_other_sids + i], + &lgroupSIDs[i]); + } /* Where are the 'global' sids... */ /* can the user be guest? if yes, where is it stored? */ nt_status = create_nt_user_token(&user_sid, &group_sid, - info3->num_groups2 + info3->num_other_sids, + info3->num_groups2 + info3->num_other_sids + n_lgroupSIDs, all_group_SIDs, False, &token); if ( !NT_STATUS_IS_OK(nt_status) ) { -- cgit From 600e904aa1ddf620df2ed6e5a02d0fe00e627dbb Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 6 Jul 2004 21:43:12 +0000 Subject: r1370: BUG 1297 - prevent map_username() from being called twice during logon (This used to be commit e1364ff774b62f46c0f50864695da49972352126) --- source3/auth/auth_util.c | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index ddfe88d28d..5e8f18881f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -972,25 +972,25 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) { struct passwd *pw = NULL; char *p; - fstring mapped_username; - fstring strip_username; + fstring username; /* we only save a copy of the username it has been mangled by winbindd use default domain */ save_username[0] = '\0'; - - /* save a local copy of the username and run it through the - username map */ - fstrcpy( mapped_username, domuser ); - map_username( mapped_username ); + /* don't call map_username() here since it has to be done higher + up the stack so we don't call it mutliple times */ + + fstrcpy( username, domuser ); - p = strchr_m( mapped_username, *lp_winbind_separator() ); + p = strchr_m( username, *lp_winbind_separator() ); /* code for a DOMAIN\user string */ if ( p ) { + fstring strip_username; + pw = Get_Pwnam( domuser ); if ( pw ) { /* make sure we get the case of the username correct */ @@ -999,8 +999,10 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) if ( !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) { char *domain; - domain = mapped_username; + /* split the domain and username into 2 strings */ *p = '\0'; + domain = username; + fstr_sprintf(save_username, "%s%c%s", domain, *lp_winbind_separator(), pw->pw_name); } else @@ -1011,26 +1013,26 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) } /* setup for lookup of just the username */ - /* remember that p and mapped_username are overlapping memory */ + /* remember that p and username are overlapping memory */ p++; fstrcpy( strip_username, p ); - fstrcpy( mapped_username, strip_username ); + fstrcpy( username, strip_username ); } /* just lookup a plain username */ - pw = Get_Pwnam(mapped_username); + pw = Get_Pwnam(username); /* Create local user if requested. */ if ( !pw && create ) { /* Don't add a machine account. */ - if (mapped_username[strlen(mapped_username)-1] == '$') + if (username[strlen(username)-1] == '$') return NULL; - auth_add_user_script(NULL, mapped_username); - pw = Get_Pwnam(mapped_username); + auth_add_user_script(NULL, username); + pw = Get_Pwnam(username); } /* one last check for a valid passwd struct */ -- cgit From 841868d290400272e50bcfb5fadd7b9dba4638b6 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 22 Oct 2004 20:15:24 +0000 Subject: r3140: * try to ensure consistent usage of the username map. Use the fully qualified DOMAIN\user format for 'security = domain|ads' and apply after authentication has succeeded. * also change fill_domain_username() to only lowercase the username and not the domain+username. This was a cosmetic fix only. makes the output more consistent with %D and %U. (This used to be commit 30ee2d5b0906d5cd73a8faf5170e5aebcc6d69c8) --- source3/auth/auth_util.c | 34 +++++++++++++++++++++++----------- 1 file changed, 23 insertions(+), 11 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5e8f18881f..9be297818f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -930,18 +930,23 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, uid_t *uid, gid_t *gid, SAM_ACCOUNT **sam_account) { - fstring dom_user; + fstring dom_user, lower_username; fstring real_username; struct passwd *passwd; - fstr_sprintf(dom_user, "%s%s%s", domain, lp_winbind_separator(), - username); + fstrcpy( lower_username, username ); + strlower_m( lower_username ); + + fstr_sprintf(dom_user, "%s%c%s", domain, *lp_winbind_separator(), + lower_username); /* get the passwd struct but don't create the user if he/she does not exist. We were explicitly called from a following a winbindd authentication request so we should assume that nss_winbindd is working */ + map_username( dom_user ); + if ( !(passwd = smb_getpwnam( dom_user, real_username, True )) ) return NT_STATUS_NO_SUCH_USER; @@ -1104,18 +1109,25 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, } /* try to fill the SAM account.. If getpwnam() fails, then try the - add user script (2.2.x behavior) */ + add user script (2.2.x behavior). + + We use the _unmapped_ username here in an attempt to provide + consistent username mapping behavior between kerberos and NTLM[SSP] + authentication in domain mode security. I.E. Username mapping should + be applied to the fully qualified username (e.g. DOMAIN\user) and + no just the login name. Yes this mean swe called map_username() + unnecessarily in make_user_info_map() but that is how the current + code is designed. Making the change here is the least disruptive + place. -- jerry */ - nt_status = fill_sam_account(mem_ctx, nt_domain, internal_username, + nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username, &found_username, &uid, &gid, &sam_account); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { - DEBUG(3,("User %s does not exist, trying to add it\n", - internal_username)); - auth_add_user_script(nt_domain, internal_username); - nt_status = fill_sam_account(mem_ctx, nt_domain, - internal_username, &found_username, - &uid, &gid, &sam_account); + DEBUG(3,("User %s does not exist, trying to add it\n", internal_username)); + auth_add_user_script( nt_domain, sent_nt_username ); + nt_status = fill_sam_account( mem_ctx, nt_domain, sent_nt_username, + &found_username, &uid, &gid, &sam_account ); } if (!NT_STATUS_IS_OK(nt_status)) { -- cgit From 55fe875a44bd63de766d4fbdb91bcc26be146a21 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 5 Nov 2004 22:53:35 +0000 Subject: r3563: During a typical logon a modern workstation makes a lot of anonymous session setups on its way to open a pipe. This gets rid of many round-trips to the LDAP server during logon by setting up the server_info_guest once and not asking the LDAP server and nss every time. Make sure that the ldap connection is reopened in the child. (I did not look at the sql backends.) Volker (This used to be commit 3298f6105e6a88c9390cac02245c8f2eee1e5046) --- source3/auth/auth_util.c | 45 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 9be297818f..96a229f0dc 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -884,7 +884,7 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, Make (and fill) a user_info struct for a guest login. ***************************************************************************/ -NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) +static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_info) { NTSTATUS nt_status; SAM_ACCOUNT *sampass = NULL; @@ -919,6 +919,49 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) return nt_status; } +static auth_serversupplied_info *copy_serverinfo(auth_serversupplied_info *src) +{ + auth_serversupplied_info *dst; + + if (!NT_STATUS_IS_OK(make_server_info(&dst))) + return NULL; + + dst->guest = src->guest; + dst->uid = src->uid; + dst->gid = src->gid; + dst->n_groups = src->n_groups; + if (src->n_groups != 0) + dst->groups = memdup(src->groups, sizeof(gid_t)*dst->n_groups); + else + dst->groups = NULL; + dst->ptok = dup_nt_token(src->ptok); + dst->user_session_key = data_blob(src->user_session_key.data, + src->user_session_key.length); + dst->lm_session_key = data_blob(src->lm_session_key.data, + src->lm_session_key.length); + pdb_copy_sam_account(src->sam_account, &dst->sam_account); + dst->pam_handle = NULL; + dst->unix_name = smb_xstrdup(src->unix_name); + + return dst; +} + +static auth_serversupplied_info *guest_info = NULL; + +BOOL init_guest_info(void) +{ + if (guest_info != NULL) + return True; + + return NT_STATUS_IS_OK(make_new_server_info_guest(&guest_info)); +} + +NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) +{ + *server_info = copy_serverinfo(guest_info); + return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; +} + /*************************************************************************** Purely internal function for make_server_info_info3 Fill the sam account from getpwnam -- cgit From f9e87b9ba65f37bafa45eacb1a6c9b8c5483d46b Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 12 Nov 2004 15:49:47 +0000 Subject: r3705: Nobody has commented, so I'll take this as an ack... abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989) --- source3/auth/auth_util.c | 52 +++++++++++++++--------------------------------- 1 file changed, 16 insertions(+), 36 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 96a229f0dc..1ef64ab845 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -657,47 +657,27 @@ static NTSTATUS get_user_groups(const char *username, uid_t uid, gid_t gid, *n_groups = 0; *groups = NULL; - - /* Try winbind first */ - if ( strchr(username, *lp_winbind_separator()) ) { - n_unix_groups = winbind_getgroups( username, unix_groups ); + if (strchr(username, *lp_winbind_separator()) == NULL) { + NTSTATUS result; - DEBUG(10,("get_user_groups: winbind_getgroups(%s): result = %s\n", username, - n_unix_groups == -1 ? "FAIL" : "SUCCESS")); - - if ( n_unix_groups == -1 ) - return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */ + become_root(); + result = pdb_enum_group_memberships(username, gid, groups, + unix_groups, n_groups); + unbecome_root(); + return result; } - else { - /* fallback to getgrouplist() */ - - n_unix_groups = groups_max(); - - if ((*unix_groups = malloc( sizeof(gid_t) * n_unix_groups ) ) == NULL) { - DEBUG(0, ("get_user_groups: Out of memory allocating unix group list\n")); - return NT_STATUS_NO_MEMORY; - } + + /* We have the separator, this must be winbind */ - if (sys_getgrouplist(username, gid, *unix_groups, &n_unix_groups) == -1) { - - gid_t *groups_tmp; - - groups_tmp = Realloc(*unix_groups, sizeof(gid_t) * n_unix_groups); - - if (!groups_tmp) { - SAFE_FREE(*unix_groups); - return NT_STATUS_NO_MEMORY; - } - *unix_groups = groups_tmp; + n_unix_groups = winbind_getgroups( username, unix_groups ); - if (sys_getgrouplist(username, gid, *unix_groups, &n_unix_groups) == -1) { - DEBUG(0, ("get_user_groups: failed to get the unix group list\n")); - SAFE_FREE(*unix_groups); - return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */ - } - } - } + DEBUG(10,("get_user_groups: winbind_getgroups(%s): result = %s\n", + username, n_unix_groups == -1 ? "FAIL" : "SUCCESS")); + + if ( n_unix_groups == -1 ) + return NT_STATUS_NO_SUCH_USER; /* what should this return + * value be? */ debug_unix_user_token(DBGC_CLASS, 5, uid, gid, n_unix_groups, *unix_groups); -- cgit From acf9d61421faa6c0055d57fdee7db300dc5431aa Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 7 Dec 2004 18:25:53 +0000 Subject: r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a) --- source3/auth/auth_util.c | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1ef64ab845..d985c0a54f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -132,7 +132,7 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name)); - *user_info = malloc(sizeof(**user_info)); + *user_info = SMB_MALLOC_P(auth_usersupplied_info); if (!user_info) { DEBUG(0,("malloc failed for user_info (size %lu)\n", (unsigned long)sizeof(*user_info))); return NT_STATUS_NO_MEMORY; @@ -142,7 +142,7 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, DEBUG(5,("making strings for %s's user_info struct\n", internal_username)); - (*user_info)->smb_name.str = strdup(smb_name); + (*user_info)->smb_name.str = SMB_STRDUP(smb_name); if ((*user_info)->smb_name.str) { (*user_info)->smb_name.len = strlen(smb_name); } else { @@ -150,7 +150,7 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, return NT_STATUS_NO_MEMORY; } - (*user_info)->internal_username.str = strdup(internal_username); + (*user_info)->internal_username.str = SMB_STRDUP(internal_username); if ((*user_info)->internal_username.str) { (*user_info)->internal_username.len = strlen(internal_username); } else { @@ -158,7 +158,7 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, return NT_STATUS_NO_MEMORY; } - (*user_info)->domain.str = strdup(domain); + (*user_info)->domain.str = SMB_STRDUP(domain); if ((*user_info)->domain.str) { (*user_info)->domain.len = strlen(domain); } else { @@ -166,7 +166,7 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, return NT_STATUS_NO_MEMORY; } - (*user_info)->client_domain.str = strdup(client_domain); + (*user_info)->client_domain.str = SMB_STRDUP(client_domain); if ((*user_info)->client_domain.str) { (*user_info)->client_domain.len = strlen(client_domain); } else { @@ -174,7 +174,7 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, return NT_STATUS_NO_MEMORY; } - (*user_info)->wksta_name.str = strdup(wksta_name); + (*user_info)->wksta_name.str = SMB_STRDUP(wksta_name); if ((*user_info)->wksta_name.str) { (*user_info)->wksta_name.len = strlen(wksta_name); } else { @@ -523,7 +523,7 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro int i; int sid_ndx; - if ((ptoken = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) { + if ((ptoken = SMB_MALLOC_P(NT_USER_TOKEN)) == NULL) { DEBUG(0, ("create_nt_token: Out of memory allocating token\n")); nt_status = NT_STATUS_NO_MEMORY; return nt_status; @@ -533,7 +533,7 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro ptoken->num_sids = n_groupSIDs + 5; - if ((ptoken->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptoken->num_sids )) == NULL) { + if ((ptoken->user_sids = SMB_MALLOC_ARRAY( DOM_SID, ptoken->num_sids )) == NULL) { DEBUG(0, ("create_nt_token: Out of memory allocating SIDs\n")); nt_status = NT_STATUS_NO_MEMORY; return nt_status; @@ -610,7 +610,7 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, return NULL; } - group_sids = malloc(sizeof(DOM_SID) * ngroups); + group_sids = SMB_MALLOC_ARRAY(DOM_SID, ngroups); if (!group_sids) { DEBUG(0, ("create_nt_token: malloc() failed for DOM_SID list!\n")); return NULL; @@ -685,7 +685,7 @@ static NTSTATUS get_user_groups(const char *username, uid_t uid, gid_t gid, if (n_unix_groups > 0) { - *groups = malloc(sizeof(DOM_SID) * n_unix_groups); + *groups = SMB_MALLOC_ARRAY(DOM_SID, n_unix_groups); if (!*groups) { DEBUG(0, ("get_user_group: malloc() failed for DOM_SID list!\n")); @@ -715,7 +715,7 @@ static NTSTATUS get_user_groups(const char *username, uid_t uid, gid_t gid, static NTSTATUS make_server_info(auth_serversupplied_info **server_info) { - *server_info = malloc(sizeof(**server_info)); + *server_info = SMB_MALLOC_P(auth_serversupplied_info); if (!*server_info) { DEBUG(0,("make_server_info: malloc failed!\n")); return NT_STATUS_NO_MEMORY; @@ -1244,7 +1244,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, /* Create a 'combined' list of all SIDs we might want in the SD */ - all_group_SIDs = malloc(sizeof(DOM_SID) * (info3->num_groups2 + info3->num_other_sids + n_lgroupSIDs)); + all_group_SIDs = SMB_MALLOC_ARRAY(DOM_SID,info3->num_groups2 + info3->num_other_sids + n_lgroupSIDs); if (!all_group_SIDs) { DEBUG(0, ("malloc() failed for DOM_SID list!\n")); @@ -1393,7 +1393,7 @@ BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_me smb_panic("make_auth_methods: pointer to auth_method pointer is NULL!\n"); } - *auth_method = talloc(auth_context->mem_ctx, sizeof(**auth_method)); + *auth_method = TALLOC_P(auth_context->mem_ctx, auth_methods); if (!*auth_method) { DEBUG(0,("make_auth_method: malloc failed!\n")); return False; @@ -1428,7 +1428,7 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) if (!ptoken) return NULL; - if ((token = (NT_USER_TOKEN *)malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) + if ((token = SMB_MALLOC_P(NT_USER_TOKEN)) == NULL) return NULL; ZERO_STRUCTP(token); -- cgit From 992ad2848522e5219291d6b9b7a6be982c147a12 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 20 Dec 2004 11:36:39 +0000 Subject: r4286: Give back 8 byte lm_session_key in Netrsamlogon-reply. The old #ifdef JRATEST-block was copying 16 bytes and thus overwriting acct_flags with bizarre values, breaking a lot of things. This patch is successfully running in a production environment for quite some time now and is required to finally allow Exchange 5.5 to access another Exchange Server when both are running on NT4 in a samba-controlled domain. This also allows Exchange Replication to take place, Exchange Administrator to access other Servers in the network, etc. Fixes Bugzilla #1136. Thanks abartlet for helping me with that one. Guenther (This used to be commit bd4c5125d6989cebc90152a23e113b345806c660) --- source3/auth/auth_util.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d985c0a54f..2eacc2b0d1 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1324,11 +1324,12 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, (*server_info)->user_session_key = data_blob(info3->user_sess_key, sizeof(info3->user_sess_key)); } - if (memcmp(info3->padding, zeros, sizeof(zeros)) == 0) { + if (memcmp(info3->lm_sess_key, zeros, 8) == 0) { (*server_info)->lm_session_key = data_blob(NULL, 0); } else { - (*server_info)->lm_session_key = data_blob(info3->padding, 16); - } + (*server_info)->lm_session_key = data_blob(info3->lm_sess_key, sizeof(info3->lm_sess_key)); + } + return NT_STATUS_OK; } -- cgit From be606e8eeb0a419189bd8f44975c80e182474993 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 6 Jan 2005 23:27:28 +0000 Subject: r4579: small changes to allow the members og the Domain Admins group on the Samba DC to join clients to the domain -- needs more testing and security review but does work with initial testing (This used to be commit 9ade9bf49c7125fb29658f943e9ebb6be9496180) --- source3/auth/auth_util.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 2eacc2b0d1..98ecd00d1c 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1444,6 +1444,35 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) return token; } +/**************************************************************************** + Check for a SID in an NT_USER_TOKEN +****************************************************************************/ + +BOOL nt_token_check_sid ( DOM_SID *sid, NT_USER_TOKEN *token ) +{ + int i; + + if ( !sid || !token ) + return False; + + for ( i=0; inum_sids; i++ ) { + if ( sid_equal( sid, &token->user_sids[i] ) ) + return True; + } + + return False; +} + +BOOL nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid ) +{ + DOM_SID domain_sid; + + sid_copy( &domain_sid, get_global_sam_sid() ); + sid_append_rid( &domain_sid, rid ); + + return nt_token_check_sid( &domain_sid, token );\ +} + /** * Verify whether or not given domain is trusted. * -- cgit From d94d87472ca2f3875caa146424caa178ce20274f Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 13 Jan 2005 18:20:37 +0000 Subject: r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c) --- source3/auth/auth_util.c | 54 ++++++++++++++++++++++++++++++++++-------------- 1 file changed, 39 insertions(+), 15 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 98ecd00d1c..e4793c3df3 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -493,6 +493,11 @@ void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) for (i = 0; i < token->num_sids; i++) DEBUGADDC(dbg_class, dbg_lev, ("SID[%3lu]: %s\n", (unsigned long)i, sid_to_string(sid_str, &token->user_sids[i]))); + + DEBUGADDC(dbg_class, dbg_lev, ("Privileges: [%d]\n", token->privileges.count)); + for ( i=0; iprivileges.count; i++ ) { + DEBUGADDC(dbg_class, dbg_lev, ("\t%s\n", luid_to_privilege_name(&token->privileges.set[i].luid) )); + } } /**************************************************************************** @@ -583,6 +588,13 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro ptoken->num_sids--; } } + + /* add privileges assigned to this user */ + + privilege_set_init( &ptoken->privileges ); + + get_privileges_for_sids( &ptoken->privileges, ptoken->user_sids, ptoken->num_sids ); + debug_nt_user_token(DBGC_AUTH, 10, ptoken); @@ -1410,12 +1422,15 @@ BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_me void delete_nt_token(NT_USER_TOKEN **pptoken) { - if (*pptoken) { - NT_USER_TOKEN *ptoken = *pptoken; - SAFE_FREE( ptoken->user_sids ); - ZERO_STRUCTP(ptoken); - } - SAFE_FREE(*pptoken); + if (*pptoken) { + NT_USER_TOKEN *ptoken = *pptoken; + + SAFE_FREE( ptoken->user_sids ); + privilege_set_free( &ptoken->privileges ); + + ZERO_STRUCTP(ptoken); + } + SAFE_FREE(*pptoken); } /**************************************************************************** @@ -1429,17 +1444,26 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) if (!ptoken) return NULL; - if ((token = SMB_MALLOC_P(NT_USER_TOKEN)) == NULL) - return NULL; - - ZERO_STRUCTP(token); + if ((token = SMB_MALLOC_P(NT_USER_TOKEN)) == NULL) + return NULL; - if ((token->user_sids = (DOM_SID *)memdup( ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids )) == NULL) { - SAFE_FREE(token); - return NULL; - } + ZERO_STRUCTP(token); + + token->user_sids = (DOM_SID *)memdup( ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids ); + + if ( !token ) { + SAFE_FREE(token); + return NULL; + } - token->num_sids = ptoken->num_sids; + token->num_sids = ptoken->num_sids; + + /* copy the privileges; don't consider failure to be critical here */ + + privilege_set_init( &token->privileges); + if ( !dup_privilege_set( &token->privileges, &ptoken->privileges ) ) { + DEBUG(0,("dup_nt_token: Failure to copy PRIVILEGE_SET!. Continuing with 0 privileges assigned.\n")); + } return token; } -- cgit From 46e5effea948931509283cb84b27007d34b521c8 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 17 Jan 2005 15:23:11 +0000 Subject: r4805: Last planned change to the privileges infrastructure: * rewrote the tdb layout of privilege records in account_pol.tdb (allow for 128 bits instead of 32 bit flags) * migrated to using SE_PRIV structure instead of the PRIVILEGE_SET structure. The latter is now used for parsing routines mainly. Still need to incorporate some client support into 'net' so for setting privileges. And make use of the SeAddUserPrivilege right. (This used to be commit 41dc7f7573c6d637e19a01e7ed0e716ac0f1fb15) --- source3/auth/auth_util.c | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index e4793c3df3..4a23ec8adc 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -494,10 +494,7 @@ void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) DEBUGADDC(dbg_class, dbg_lev, ("SID[%3lu]: %s\n", (unsigned long)i, sid_to_string(sid_str, &token->user_sids[i]))); - DEBUGADDC(dbg_class, dbg_lev, ("Privileges: [%d]\n", token->privileges.count)); - for ( i=0; iprivileges.count; i++ ) { - DEBUGADDC(dbg_class, dbg_lev, ("\t%s\n", luid_to_privilege_name(&token->privileges.set[i].luid) )); - } + dump_se_priv( dbg_class, dbg_lev, &token->privileges ); } /**************************************************************************** @@ -591,10 +588,7 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro /* add privileges assigned to this user */ - privilege_set_init( &ptoken->privileges ); - get_privileges_for_sids( &ptoken->privileges, ptoken->user_sids, ptoken->num_sids ); - debug_nt_user_token(DBGC_AUTH, 10, ptoken); @@ -1426,8 +1420,6 @@ void delete_nt_token(NT_USER_TOKEN **pptoken) NT_USER_TOKEN *ptoken = *pptoken; SAFE_FREE( ptoken->user_sids ); - privilege_set_free( &ptoken->privileges ); - ZERO_STRUCTP(ptoken); } SAFE_FREE(*pptoken); @@ -1460,9 +1452,8 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) /* copy the privileges; don't consider failure to be critical here */ - privilege_set_init( &token->privileges); - if ( !dup_privilege_set( &token->privileges, &ptoken->privileges ) ) { - DEBUG(0,("dup_nt_token: Failure to copy PRIVILEGE_SET!. Continuing with 0 privileges assigned.\n")); + if ( !se_priv_copy( &token->privileges, &ptoken->privileges ) ) { + DEBUG(0,("dup_nt_token: Failure to copy SE_PRIV!. Continuing with 0 privileges assigned.\n")); } return token; -- cgit From 5f54cc9bd3fa76e62926de0670f832f7b0e3739d Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 7 Feb 2005 18:20:06 +0000 Subject: r5264: Log with loglevel 0 when account-administration scripts fail. Guenther (This used to be commit 3d391ef149639750db376b05528a27422f8a3321) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 4a23ec8adc..30902a8dad 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -50,7 +50,7 @@ static int smb_create_user(const char *domain, const char *unix_username, const if (homedir) all_string_sub(add_script, "%H", homedir, sizeof(pstring)); ret = smbrun(add_script,NULL); - DEBUG(3,("smb_create_user: Running the command `%s' gave %d\n",add_script,ret)); + DEBUG(ret ? 0 : 3,("smb_create_user: Running the command `%s' gave %d\n",add_script,ret)); return ret; } -- cgit From aa9132cc55d43d9d197e3196fc7098eec6e8615a Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 11 Feb 2005 10:32:46 +0000 Subject: r5331: Support SIDs as %s replacements in the afs username map parameter. Add 'log nt token command' parameter. If set, %s is replaced with the user sid, and %t takes all the group sids. Volker (This used to be commit e7dc9fde45c750013ad07f584599dd51f8eb8a54) --- source3/auth/auth_util.c | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 30902a8dad..5c933e90c9 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -592,6 +592,39 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro debug_nt_user_token(DBGC_AUTH, 10, ptoken); + if ((lp_log_nt_token_command() != NULL) && + (strlen(lp_log_nt_token_command()) > 0)) { + TALLOC_CTX *mem_ctx; + char *command; + fstring sidstr; + char *user_sidstr, *group_sidstr; + + mem_ctx = talloc_init("setnttoken"); + if (mem_ctx == NULL) + return NT_STATUS_NO_MEMORY; + + sid_to_string(sidstr, &ptoken->user_sids[0]); + user_sidstr = talloc_strdup(mem_ctx, sidstr); + + group_sidstr = talloc_strdup(mem_ctx, ""); + for (i=1; inum_sids; i++) { + sid_to_string(sidstr, &ptoken->user_sids[i]); + group_sidstr = talloc_asprintf(mem_ctx, "%s %s", + group_sidstr, sidstr); + } + + command = strdup(lp_log_nt_token_command()); + command = realloc_string_sub(command, "%s", user_sidstr); + command = realloc_string_sub(command, "%t", group_sidstr); + DEBUG(8, ("running command: [%s]\n", command)); + if (smbrun(command, NULL) != 0) { + DEBUG(0, ("Could not log NT token\n")); + nt_status = NT_STATUS_ACCESS_DENIED; + } + talloc_destroy(mem_ctx); + SAFE_FREE(command); + } + *token = ptoken; return nt_status; -- cgit From 467da937c7e1361dca1d4a535db96cdb78e10b13 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 14 Feb 2005 02:41:34 +0000 Subject: r5385: when operating in security = domain, allow domain admins to manage rigths assignments (This used to be commit fec9cb7daa9b780aab019c0e0d7f2692c168019f) --- source3/auth/auth_util.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5c933e90c9..7a186f65cd 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1515,7 +1515,19 @@ BOOL nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid ) { DOM_SID domain_sid; - sid_copy( &domain_sid, get_global_sam_sid() ); + /* if we are a domain member, the get the domain SID, else for + a DC or standalone server, use our own SID */ + + if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) { + if ( !secrets_fetch_domain_sid( lp_workgroup(), &domain_sid ) ) { + DEBUG(1,("nt_token_check_domain_rid: Cannot lookup SID for domain [%s]\n", + lp_workgroup())); + return False; + } + } + else + sid_copy( &domain_sid, get_global_sam_sid() ); + sid_append_rid( &domain_sid, rid ); return nt_token_check_sid( &domain_sid, token );\ -- cgit From 732f09990fda978fe1cbef786d6b2d15897e6f97 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 17 Feb 2005 15:17:16 +0000 Subject: r5431: couple of cimpile fixes from Jason Mader -- BUGS 2341 & 2342 (This used to be commit 0edcfc7fa20fd8e3273b29c8f1a97cb7c7179fb6) --- source3/auth/auth_util.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7a186f65cd..f3c01a58ca 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -61,7 +61,6 @@ static int smb_create_user(const char *domain, const char *unix_username, const void auth_add_user_script(const char *domain, const char *username) { - uint32 rid; /* * User validated ok against Domain controller. * If the admin wants us to try and create a UNIX @@ -79,7 +78,6 @@ void auth_add_user_script(const char *domain, const char *username) if ( !winbind_create_user(username, NULL) ) { DEBUG(5,("auth_add_user_script: winbindd_create_user() failed\n")); - rid = 0; } } } -- cgit From 140752fd35bd5701b3078abf695f811d933fe893 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 3 Mar 2005 16:52:44 +0000 Subject: r5647: Caches are good for performance, but you get a consistency problem. Fix bug # 2401. Volker (This used to be commit eb4ef94f244d28fe531d0b9f724a66ed3834b687) --- source3/auth/auth_util.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index f3c01a58ca..7cab3df99e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -50,6 +50,7 @@ static int smb_create_user(const char *domain, const char *unix_username, const if (homedir) all_string_sub(add_script, "%H", homedir, sizeof(pstring)); ret = smbrun(add_script,NULL); + flush_pwnam_cache(); DEBUG(ret ? 0 : 3,("smb_create_user: Running the command `%s' gave %d\n",add_script,ret)); return ret; } -- cgit From 83e11ba86c2401ece3c845fd10c22b84e6be7811 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 9 Apr 2005 11:46:40 +0000 Subject: r6263: Get rid of generate_wellknown_sids, they are const static and initializable statically. Volker (This used to be commit 3493d9f383567d286e69c0e60c0708ed400a04d9) --- source3/auth/auth_util.c | 5 ----- 1 file changed, 5 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7cab3df99e..a50a449815 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -26,11 +26,6 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -extern DOM_SID global_sid_World; -extern DOM_SID global_sid_Network; -extern DOM_SID global_sid_Builtin_Guests; -extern DOM_SID global_sid_Authenticated_Users; - /**************************************************************************** Create a UNIX user on demand. -- cgit From 2e0cac8e3eb021aa8f5cad4ce8b72f98036af639 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 23 Apr 2005 18:07:01 +0000 Subject: r6445: Make us survive the PARANOID_MALLOC_CHECKER. Should we enable that for --enable-developer=yes? Volker (This used to be commit 61d40ac60dd9c8c9bbcf92e4fc57fe1d706bc721) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index a50a449815..30933c6c93 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -607,7 +607,7 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro group_sidstr, sidstr); } - command = strdup(lp_log_nt_token_command()); + command = SMB_STRDUP(lp_log_nt_token_command()); command = realloc_string_sub(command, "%s", user_sidstr); command = realloc_string_sub(command, "%t", group_sidstr); DEBUG(8, ("running command: [%s]\n", command)); -- cgit From 450e8d5749504f8392c0cfe8b79218f03b88076a Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 31 May 2005 02:23:47 +0000 Subject: r7130: remove 'winbind enable local accounts' code from the 3.0 tree (This used to be commit 318c3db4cb1c85be40b2f812f781bcf5f1da5c19) --- source3/auth/auth_util.c | 32 ++------------------------------ 1 file changed, 2 insertions(+), 30 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 30933c6c93..79205f1206 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -50,34 +50,6 @@ static int smb_create_user(const char *domain, const char *unix_username, const return ret; } -/**************************************************************************** - Add and Delete UNIX users on demand, based on NTSTATUS codes. - We don't care about RID's here so ignore. -****************************************************************************/ - -void auth_add_user_script(const char *domain, const char *username) -{ - /* - * User validated ok against Domain controller. - * If the admin wants us to try and create a UNIX - * user on the fly, do so. - */ - - if ( *lp_adduser_script() ) - smb_create_user(domain, username, NULL); - else { - DEBUG(10,("auth_add_user_script: no 'add user script'. Asking winbindd\n")); - - /* should never get here is we a re a domain member running winbindd - However, a host set for 'security = server' might run winbindd for - account allocation */ - - if ( !winbind_create_user(username, NULL) ) { - DEBUG(5,("auth_add_user_script: winbindd_create_user() failed\n")); - } - } -} - /**************************************************************************** Create a SAM_ACCOUNT - either by looking in the pdb, or by faking it up from unix info. @@ -1092,7 +1064,7 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) if (username[strlen(username)-1] == '$') return NULL; - auth_add_user_script(NULL, username); + smb_create_user(NULL, username, NULL); pw = Get_Pwnam(username); } @@ -1181,7 +1153,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { DEBUG(3,("User %s does not exist, trying to add it\n", internal_username)); - auth_add_user_script( nt_domain, sent_nt_username ); + smb_create_user( nt_domain, sent_nt_username, NULL); nt_status = fill_sam_account( mem_ctx, nt_domain, sent_nt_username, &found_username, &uid, &gid, &sam_account ); } -- cgit From 5084d49052f47626b61e53add818fefaacc101b0 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 3 Jun 2005 15:42:03 +0000 Subject: r7243: Don't look at gencache.tdb for the trusted domains if winbind is around. Volker (This used to be commit 94acb93f57b963bf137c6ddd644a147f4d0b5175) --- source3/auth/auth_util.c | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 79205f1206..31bfa2fe01 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1532,11 +1532,26 @@ BOOL is_trusted_domain(const char* dom_name) return True; } else { - /* if winbindd is not up and we are a domain member) then we need to update the - trustdom_cache ourselves */ + NSS_STATUS result; - if ( !winbind_ping() ) - update_trustdom_cache(); + /* If winbind is around, ask it */ + + result = wb_is_trusted_domain(dom_name); + + if (result == NSS_STATUS_SUCCESS) { + return True; + } + + if (result == NSS_STATUS_NOTFOUND) { + /* winbind could not find the domain */ + return False; + } + + /* The only other possible result is that winbind is not up + and running. We need to update the trustdom_cache + ourselves */ + + update_trustdom_cache(); } /* now the trustdom cache should be available a DC could still -- cgit From b279ee16e982d419c2205a7f790bd9cb8035d6e5 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 7 Jun 2005 17:52:19 +0000 Subject: r7372: abartet's patch for BUG 2391 (segv caused by free a static pointer) (This used to be commit 4cda2bd035276bd090bf0fbd4e3b2eff657a80cb) --- source3/auth/auth_util.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 31bfa2fe01..021f780112 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -958,6 +958,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, uid_t *uid, gid_t *gid, SAM_ACCOUNT **sam_account) { + NTSTATUS nt_status; fstring dom_user, lower_username; fstring real_username; struct passwd *passwd; @@ -992,7 +993,9 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, DEBUG(5,("fill_sam_account: located username was [%s]\n", *found_username)); - return pdb_init_sam_pw(sam_account, passwd); + nt_status = pdb_init_sam_pw(sam_account, passwd); + passwd_free(&passwd); + return nt_status; } /**************************************************************************** @@ -1024,7 +1027,7 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) if ( p ) { fstring strip_username; - pw = Get_Pwnam( domuser ); + pw = Get_Pwnam_alloc( domuser ); if ( pw ) { /* make sure we get the case of the username correct */ /* work around 'winbind use default domain = yes' */ @@ -1055,7 +1058,7 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) /* just lookup a plain username */ - pw = Get_Pwnam(username); + pw = Get_Pwnam_alloc(username); /* Create local user if requested. */ @@ -1065,7 +1068,7 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) return NULL; smb_create_user(NULL, username, NULL); - pw = Get_Pwnam(username); + pw = Get_Pwnam_alloc(username); } /* one last check for a valid passwd struct */ -- cgit From 958624a9fc36f89de1b33ca79b1a72fcb63cbb62 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 9 Jun 2005 18:45:56 +0000 Subject: r7450: fix my bone head mistake with ntlm authentcation and 'map to guest = bad uid'; make sure the authentication suceeds (This used to be commit 5de1ffce2f2a0a340f6591939b8f63a3d96a627e) --- source3/auth/auth_util.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 021f780112..49df15533a 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1161,7 +1161,15 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, &found_username, &uid, &gid, &sam_account ); } + /* if we still don't have a valid unix account check for + 'map to gues = bad uid' */ + if (!NT_STATUS_IS_OK(nt_status)) { + if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) { + make_server_info_guest(server_info); + return NT_STATUS_OK; + } + DEBUG(0, ("make_server_info_info3: pdb_init_sam failed!\n")); return nt_status; } -- cgit From e7c48884a5c7e1f88ce2decf7d12db338ff8995e Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Wed, 13 Jul 2005 20:04:26 +0000 Subject: r8432: Fix #2077 - login to trusted domain doesn't allow home drive map and login scripts to be executed. We were filling in our name as the server which processed the login, even when it was done by a trusted DC. Thanks to John Janosik for the fix. (This used to be commit 0446319a3b8096df385978449ffaa231bc5cfd0c) --- source3/auth/auth_util.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 49df15533a..6624631b53 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1327,6 +1327,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return nt_status; } + (*server_info)->login_server = unistr2_tdup(mem_ctx, + &(info3->uni_logon_srv)); + (*server_info)->ptok = token; SAFE_FREE(lgroupSIDs); -- cgit From 54abd2aa66069e6baf7769c496f46d9dba18db39 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 30 Sep 2005 17:13:37 +0000 Subject: r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3) --- source3/auth/auth_util.c | 95 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 94 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 6624631b53..194a1ad532 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -372,7 +372,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, unsigned char local_lm_response[24]; #ifdef DEBUG_PASSWORD - DEBUG(10,("Unencrypted password (len %d):\n",plaintext_password.length)); + DEBUG(10,("Unencrypted password (len %d):\n",(int)plaintext_password.length)); dump_data(100, plaintext_password.data, plaintext_password.length); #endif @@ -640,6 +640,44 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, return token; } +/****************************************************************************** + Create a token for the root user to be used internally by smbd. + This is similar to running under the context of the LOCAL_SYSTEM account + in Windows. This is a read-only token. Do not modify it or free() it. + Create a copy if your need to change it. +******************************************************************************/ + +NT_USER_TOKEN *get_root_nt_token( void ) +{ + static NT_USER_TOKEN *token = NULL; + DOM_SID u_sid, g_sid; + DOM_SID g_sids[1]; + struct passwd *pw; + NTSTATUS result; + + if ( token ) + return token; + + if ( !(pw = getpwnam( "root" )) ) { + DEBUG(0,("create_root_nt_token: getpwnam\"root\") failed!\n")); + return NULL; + } + + /* get the user and primary group SIDs; although the + BUILTIN\Administrators SId is really the one that matters here */ + + if ( !NT_STATUS_IS_OK(uid_to_sid(&u_sid, pw->pw_uid)) ) + return NULL; + if ( !NT_STATUS_IS_OK(gid_to_sid(&g_sid, pw->pw_gid)) ) + return NULL; + + sid_copy( &g_sids[0], &global_sid_Builtin_Administrators ); + + result = create_nt_user_token( &u_sid, &g_sid, 1, g_sids, False, &token); + + return NT_STATUS_IS_OK(result) ? token : NULL; +} + /****************************************************************************** * this function returns the groups (SIDs) of the local SAM the user is in. * If this samba server is a DC of the domain the user belongs to, it returns @@ -831,6 +869,61 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, return nt_status; } +/*************************************************************************** + Make (and fill) a user_info struct from a Kerberos PAC logon_info by conversion + to a SAM_ACCOUNT +***************************************************************************/ + +NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info, + char *unix_username, + struct passwd *pwd, + PAC_LOGON_INFO *logon_info) +{ + NTSTATUS nt_status; + SAM_ACCOUNT *sampass = NULL; + DOM_SID user_sid, group_sid; + fstring dom_name; + + if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sampass, pwd))) { + return nt_status; + } + if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) { + return nt_status; + } + + /* only copy user_sid, group_sid and domain name out of the PAC for + * now, we will benefit from more later - Guenther */ + + sid_copy(&user_sid, &logon_info->info3.dom_sid.sid); + sid_append_rid(&user_sid, logon_info->info3.user_rid); + pdb_set_user_sid(sampass, &user_sid, PDB_SET); + + sid_copy(&group_sid, &logon_info->info3.dom_sid.sid); + sid_append_rid(&group_sid, logon_info->info3.group_rid); + pdb_set_group_sid(sampass, &group_sid, PDB_SET); + + unistr2_to_ascii(dom_name, &logon_info->info3.uni_logon_dom, -1); + pdb_set_domain(sampass, dom_name, PDB_SET); + + pdb_set_logon_count(sampass, logon_info->info3.logon_count, PDB_SET); + + (*server_info)->sam_account = sampass; + + if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, unix_username, + sampass, pwd->pw_uid, pwd->pw_gid))) + { + return nt_status; + } + + (*server_info)->unix_name = smb_xstrdup(unix_username); + + (*server_info)->sam_fill_level = SAM_FILL_ALL; + (*server_info)->uid = pwd->pw_uid; + (*server_info)->gid = pwd->pw_gid; + return nt_status; +} + + /*************************************************************************** Make (and fill) a user_info struct from a 'struct passwd' by conversion to a SAM_ACCOUNT -- cgit From 8d7c88667190fe286971ac4fffb64ee5bd9eeeb0 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 18 Oct 2005 03:24:00 +0000 Subject: r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208) --- source3/auth/auth_util.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 194a1ad532..49122bd441 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -373,7 +373,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, #ifdef DEBUG_PASSWORD DEBUG(10,("Unencrypted password (len %d):\n",(int)plaintext_password.length)); - dump_data(100, plaintext_password.data, plaintext_password.length); + dump_data(100, (const char *)plaintext_password.data, plaintext_password.length); #endif SMBencrypt( (const char *)plaintext_password.data, (const uchar*)chal, local_lm_response); @@ -693,7 +693,7 @@ NT_USER_TOKEN *get_root_nt_token( void ) ******************************************************************************/ static NTSTATUS get_user_groups(const char *username, uid_t uid, gid_t gid, - int *n_groups, DOM_SID **groups, gid_t **unix_groups) + size_t *n_groups, DOM_SID **groups, gid_t **unix_groups) { int n_unix_groups; int i; @@ -787,7 +787,7 @@ static NTSTATUS add_user_groups(auth_serversupplied_info **server_info, NTSTATUS nt_status; const DOM_SID *user_sid = pdb_get_user_sid(sampass); const DOM_SID *group_sid = pdb_get_group_sid(sampass); - int n_groupSIDs = 0; + size_t n_groupSIDs = 0; DOM_SID *groupSIDs = NULL; gid_t *unix_groups = NULL; NT_USER_TOKEN *token; @@ -1197,7 +1197,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, uid_t uid; gid_t gid; - int n_lgroupSIDs; + size_t n_lgroupSIDs; DOM_SID *lgroupSIDs = NULL; gid_t *unix_groups = NULL; -- cgit From fcceedd67c29bae6941949a16ebef37e95dab601 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 8 Nov 2005 06:19:34 +0000 Subject: r11573: Adding Andrew Bartlett's patch to make machine account logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes the auth module interface to 2 (from 1). The effect of this is that clients can access resources as a machine account if they set these flags. This is the same as Windows (think of a VPN where the vpn client authenticates itself to a VPN server using machine account credentials - the vpn server checks that the machine password was valid by performing a machine account check with the PDC in the same was as it would a user account check. I may add in a restriction (parameter) to allow this behaviour to be turned off (as it was previously). That may be on by default. Andrew Bartlett please review this change carefully. Jeremy. (This used to be commit d1caef866326346fb191f8129d13d98379f18cd8) --- source3/auth/auth_util.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 49122bd441..6a92c8782e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -164,6 +164,8 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, (*user_info)->encrypted = encrypted; + (*user_info)->logon_parameters = 0; + DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name)); return NT_STATUS_OK; @@ -223,6 +225,7 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, const char *wksta_name, + uint32 logon_parameters, const uchar *lm_network_pwd, int lm_pwd_len, const uchar *nt_network_pwd, int nt_pwd_len) { @@ -238,9 +241,12 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, nt_pwd_len ? &nt_blob : NULL, NULL, NULL, NULL, True); - + + if (NT_STATUS_IS_OK(nt_status)) { + (*user_info)->logon_parameters = logon_parameters; + } ret = NT_STATUS_IS_OK(nt_status) ? True : False; - + data_blob_free(&lm_blob); data_blob_free(&nt_blob); return ret; @@ -255,6 +261,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, const char *wksta_name, + uint32 logon_parameters, const uchar chal[8], const uchar lm_interactive_pwd[16], const uchar nt_interactive_pwd[16], @@ -337,6 +344,10 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, NULL, True); + if (NT_STATUS_IS_OK(nt_status)) { + (*user_info)->logon_parameters = logon_parameters; + } + ret = NT_STATUS_IS_OK(nt_status) ? True : False; data_blob_free(&local_lm_blob); data_blob_free(&local_nt_blob); -- cgit From 5cc200ae5509d73176cdcbf0180bf450077d512a Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 26 Nov 2005 18:20:58 +0000 Subject: r11916: auth_get_sam_account is only used in auth_rhosts.c -- move it there (This used to be commit 8e5bea3f84c61ea312278cbbb70542664be7bd14) --- source3/auth/auth_util.c | 30 ------------------------------ 1 file changed, 30 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 6a92c8782e..61cb7f31cc 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -50,36 +50,6 @@ static int smb_create_user(const char *domain, const char *unix_username, const return ret; } -/**************************************************************************** - Create a SAM_ACCOUNT - either by looking in the pdb, or by faking it up from - unix info. -****************************************************************************/ - -NTSTATUS auth_get_sam_account(const char *user, SAM_ACCOUNT **account) -{ - BOOL pdb_ret; - NTSTATUS nt_status; - if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(account))) { - return nt_status; - } - - become_root(); - pdb_ret = pdb_getsampwnam(*account, user); - unbecome_root(); - - if (!pdb_ret) { - - struct passwd *pass = Get_Pwnam(user); - if (!pass) - return NT_STATUS_NO_SUCH_USER; - - if (!NT_STATUS_IS_OK(nt_status = pdb_fill_sam_pw(*account, pass))) { - return nt_status; - } - } - return NT_STATUS_OK; -} - /**************************************************************************** Create an auth_usersupplied_data structure ****************************************************************************/ -- cgit From 05ac2de0df78d22ad5afb42ea5c72ba17bef8395 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 3 Dec 2005 18:34:13 +0000 Subject: r12051: Merge across the lookup_name and lookup_sid work. Lets see how the build farm reacts :-) Volker (This used to be commit 9f99d04a54588cd9d1a1ab163ebb304437f932f7) --- source3/auth/auth_util.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 61cb7f31cc..ce1ce31d08 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1550,7 +1550,7 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) Check for a SID in an NT_USER_TOKEN ****************************************************************************/ -BOOL nt_token_check_sid ( DOM_SID *sid, NT_USER_TOKEN *token ) +static BOOL nt_token_check_sid ( DOM_SID *sid, NT_USER_TOKEN *token ) { int i; @@ -1598,8 +1598,6 @@ BOOL nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid ) BOOL is_trusted_domain(const char* dom_name) { DOM_SID trustdom_sid; - char *pass = NULL; - time_t lct; BOOL ret; /* no trusted domains for a standalone server */ @@ -1613,9 +1611,8 @@ BOOL is_trusted_domain(const char* dom_name) become_root(); DEBUG (5,("is_trusted_domain: Checking for domain trust with [%s]\n", dom_name )); - ret = secrets_fetch_trusted_domain_password(dom_name, &pass, &trustdom_sid, &lct); + ret = secrets_fetch_trusted_domain_password(dom_name, NULL, NULL, NULL); unbecome_root(); - SAFE_FREE(pass); if (ret) return True; } -- cgit From 143103954cf80c211b7799ebfd4f9ad12ff7c420 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sun, 11 Dec 2005 04:39:33 +0000 Subject: r12174: Simple patch to work around the current lack of BUILTIN nested group support. Always add the BUILTIN\Administrators SID to a Domain Admins token. This solves the extra steps of establishing a group map for the local Administrators SID in order to control services. Windows also tends to expect the Administrators group to be usable when setting up security permissions on shares. Volker's work will probably fix this long term, but this gets us past some of the setup hurdles for 3.0.21. (This used to be commit 170b6a68bcbd66bae322c5b1b8c8501ca96acab2) --- source3/auth/auth_util.c | 56 +++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 53 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index ce1ce31d08..497f16adf2 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -471,9 +471,12 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro NT_USER_TOKEN *ptoken; int i; int sid_ndx; + DOM_SID domadm; + BOOL is_domain_admin = False; + BOOL domain_mode = False; if ((ptoken = SMB_MALLOC_P(NT_USER_TOKEN)) == NULL) { - DEBUG(0, ("create_nt_token: Out of memory allocating token\n")); + DEBUG(0, ("create_nt_user_token: Out of memory allocating token\n")); nt_status = NT_STATUS_NO_MEMORY; return nt_status; } @@ -483,7 +486,7 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro ptoken->num_sids = n_groupSIDs + 5; if ((ptoken->user_sids = SMB_MALLOC_ARRAY( DOM_SID, ptoken->num_sids )) == NULL) { - DEBUG(0, ("create_nt_token: Out of memory allocating SIDs\n")); + DEBUG(0, ("create_nt_user_token: Out of memory allocating SIDs\n")); nt_status = NT_STATUS_NO_MEMORY; return nt_status; } @@ -517,6 +520,27 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro sid_ndx = 5; /* next available spot */ + /* this is where we construct the domain admins SID if we can + so that we can add the BUILTIN\Administrators SID to the token */ + + ZERO_STRUCT( domadm ); + if ( IS_DC || lp_server_role()==ROLE_DOMAIN_MEMBER ) { + domain_mode = True; + + if ( IS_DC ) + sid_copy( &domadm, get_global_sam_sid() ); + else { + /* if we a re a member server and cannot find + out domain SID then reset the domain_mode flag */ + if ( !secrets_fetch_domain_sid( lp_workgroup(), &domadm ) ) + domain_mode = False; + } + + sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS ); + } + + /* add the group SIDs to teh token */ + for (i = 0; i < n_groupSIDs; i++) { size_t check_sid_idx; for (check_sid_idx = 1; check_sid_idx < ptoken->num_sids; check_sid_idx++) { @@ -531,6 +555,30 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro } else { ptoken->num_sids--; } + + /* here we check if the user is a domain admin and add the + BUILTIN\Administrators SID to the token the group membership + check succeeds. */ + + if ( domain_mode ) { + if ( sid_equal( &domadm, &groupSIDs[i] ) ) + is_domain_admin = True; + } + + } + + /* finally realloc the SID array and add the BUILTIN\Administrators + SID if necessary */ + + if ( is_domain_admin ) { + DOM_SID *sids; + + if ( !(sids = SMB_REALLOC_ARRAY( ptoken->user_sids, DOM_SID, ptoken->num_sids+1 )) ) + DEBUG(0,("create_nt_user_token: Failed to realloc SID arry of size %d\n", ptoken->num_sids+1)); + else { + ptoken->user_sids = sids; + sid_copy( &(ptoken->user_sids)[ptoken->num_sids++], &global_sid_Builtin_Administrators ); + } } /* add privileges assigned to this user */ @@ -602,6 +650,8 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, return NULL; } + /* convert the Unix group ids to SIDS */ + for (i = 0; i < ngroups; i++) { if (!NT_STATUS_IS_OK(gid_to_sid(&(group_sids)[i], (groups)[i]))) { DEBUG(1, ("create_nt_token: failed to convert gid %ld to a sid!\n", (long int)groups[i])); @@ -640,7 +690,7 @@ NT_USER_TOKEN *get_root_nt_token( void ) return token; if ( !(pw = getpwnam( "root" )) ) { - DEBUG(0,("create_root_nt_token: getpwnam\"root\") failed!\n")); + DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n")); return NULL; } -- cgit From 28fb5b6f97c17af58ae99be98219de70ee95baba Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 18 Dec 2005 18:06:15 +0000 Subject: r12313: Introduce yet another copy of the string_sub function: talloc_string_sub. Someone with time on his hands could convert all the callers of all_string_sub to this. realloc_string_sub is *only* called from within substitute.c, it could be moved there I think. Volker (This used to be commit be6c9012da174d5d5116e5172a53bbe6486d6c38) --- source3/auth/auth_util.c | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 497f16adf2..eb15fff7c8 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -591,33 +591,36 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro (strlen(lp_log_nt_token_command()) > 0)) { TALLOC_CTX *mem_ctx; char *command; - fstring sidstr; - char *user_sidstr, *group_sidstr; + char *group_sidstr; mem_ctx = talloc_init("setnttoken"); if (mem_ctx == NULL) return NT_STATUS_NO_MEMORY; - sid_to_string(sidstr, &ptoken->user_sids[0]); - user_sidstr = talloc_strdup(mem_ctx, sidstr); - group_sidstr = talloc_strdup(mem_ctx, ""); for (i=1; inum_sids; i++) { - sid_to_string(sidstr, &ptoken->user_sids[i]); - group_sidstr = talloc_asprintf(mem_ctx, "%s %s", - group_sidstr, sidstr); + group_sidstr = talloc_asprintf( + mem_ctx, "%s %s", group_sidstr, + sid_string_static(&ptoken->user_sids[i])); + } + + command = talloc_string_sub( + mem_ctx, lp_log_nt_token_command(), + "%s", sid_string_static(&ptoken->user_sids[0])); + command = talloc_string_sub( + mem_ctx, command, "%t", group_sidstr); + + if (command == NULL) { + talloc_destroy(mem_ctx); + return NT_STATUS_NO_MEMORY; } - command = SMB_STRDUP(lp_log_nt_token_command()); - command = realloc_string_sub(command, "%s", user_sidstr); - command = realloc_string_sub(command, "%t", group_sidstr); DEBUG(8, ("running command: [%s]\n", command)); if (smbrun(command, NULL) != 0) { DEBUG(0, ("Could not log NT token\n")); nt_status = NT_STATUS_ACCESS_DENIED; } talloc_destroy(mem_ctx); - SAFE_FREE(command); } *token = ptoken; -- cgit From 0af1500fc0bafe61019f1b2ab1d9e1d369221240 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 3 Feb 2006 22:19:41 +0000 Subject: r13316: Let the carnage begin.... Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f) --- source3/auth/auth_util.c | 1441 +++++++++++++++++++++++++--------------------- 1 file changed, 787 insertions(+), 654 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index eb15fff7c8..27dab9b9aa 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -5,6 +5,7 @@ Copyright (C) Andrew Bartlett 2001 Copyright (C) Jeremy Allison 2000-2001 Copyright (C) Rafal Szczesniak 2002 + Copyright (C) Volker Lendecke 2006 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -26,6 +27,12 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH +static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, + const DOM_SID *user_sid, + const DOM_SID *group_sid, + BOOL is_guest, + int num_groupsids, + const DOM_SID *groupsids); /**************************************************************************** Create a UNIX user on demand. @@ -78,42 +85,32 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, DEBUG(5,("making strings for %s's user_info struct\n", internal_username)); - (*user_info)->smb_name.str = SMB_STRDUP(smb_name); - if ((*user_info)->smb_name.str) { - (*user_info)->smb_name.len = strlen(smb_name); - } else { + (*user_info)->smb_name = SMB_STRDUP(smb_name); + if ((*user_info)->smb_name == NULL) { free_user_info(user_info); return NT_STATUS_NO_MEMORY; } - (*user_info)->internal_username.str = SMB_STRDUP(internal_username); - if ((*user_info)->internal_username.str) { - (*user_info)->internal_username.len = strlen(internal_username); - } else { + (*user_info)->internal_username = SMB_STRDUP(internal_username); + if ((*user_info)->internal_username == NULL) { free_user_info(user_info); return NT_STATUS_NO_MEMORY; } - (*user_info)->domain.str = SMB_STRDUP(domain); - if ((*user_info)->domain.str) { - (*user_info)->domain.len = strlen(domain); - } else { + (*user_info)->domain = SMB_STRDUP(domain); + if ((*user_info)->domain == NULL) { free_user_info(user_info); return NT_STATUS_NO_MEMORY; } - (*user_info)->client_domain.str = SMB_STRDUP(client_domain); - if ((*user_info)->client_domain.str) { - (*user_info)->client_domain.len = strlen(client_domain); - } else { + (*user_info)->client_domain = SMB_STRDUP(client_domain); + if ((*user_info)->client_domain == NULL) { free_user_info(user_info); return NT_STATUS_NO_MEMORY; } - (*user_info)->wksta_name.str = SMB_STRDUP(wksta_name); - if ((*user_info)->wksta_name.str) { - (*user_info)->wksta_name.len = strlen(wksta_name); - } else { + (*user_info)->wksta_name = SMB_STRDUP(wksta_name); + if ((*user_info)->wksta_name == NULL) { free_user_info(user_info); return NT_STATUS_NO_MEMORY; } @@ -196,26 +193,28 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, const char *client_domain, const char *wksta_name, uint32 logon_parameters, - const uchar *lm_network_pwd, int lm_pwd_len, - const uchar *nt_network_pwd, int nt_pwd_len) + const uchar *lm_network_pwd, + int lm_pwd_len, + const uchar *nt_network_pwd, + int nt_pwd_len) { BOOL ret; - NTSTATUS nt_status; + NTSTATUS status; DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len); DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); - nt_status = make_user_info_map(user_info, - smb_name, client_domain, - wksta_name, - lm_pwd_len ? &lm_blob : NULL, - nt_pwd_len ? &nt_blob : NULL, - NULL, NULL, NULL, - True); + status = make_user_info_map(user_info, + smb_name, client_domain, + wksta_name, + lm_pwd_len ? &lm_blob : NULL, + nt_pwd_len ? &nt_blob : NULL, + NULL, NULL, NULL, + True); - if (NT_STATUS_IS_OK(nt_status)) { + if (NT_STATUS_IS_OK(status)) { (*user_info)->logon_parameters = logon_parameters; } - ret = NT_STATUS_IS_OK(nt_status) ? True : False; + ret = NT_STATUS_IS_OK(status) ? True : False; data_blob_free(&lm_blob); data_blob_free(&nt_blob); @@ -246,8 +245,11 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, ZERO_STRUCT(key); memcpy(key, dc_sess_key, 8); - if (lm_interactive_pwd) memcpy(lm_pwd, lm_interactive_pwd, sizeof(lm_pwd)); - if (nt_interactive_pwd) memcpy(nt_pwd, nt_interactive_pwd, sizeof(nt_pwd)); + if (lm_interactive_pwd) + memcpy(lm_pwd, lm_interactive_pwd, sizeof(lm_pwd)); + + if (nt_interactive_pwd) + memcpy(nt_pwd, nt_interactive_pwd, sizeof(nt_pwd)); #ifdef DEBUG_PASSWORD DEBUG(100,("key:")); @@ -275,10 +277,12 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, #endif if (lm_interactive_pwd) - SMBOWFencrypt((const unsigned char *)lm_pwd, chal, local_lm_response); + SMBOWFencrypt((const unsigned char *)lm_pwd, chal, + local_lm_response); if (nt_interactive_pwd) - SMBOWFencrypt((const unsigned char *)nt_pwd, chal, local_nt_response); + SMBOWFencrypt((const unsigned char *)nt_pwd, chal, + local_nt_response); /* Password info paranoia */ ZERO_STRUCT(key); @@ -293,26 +297,29 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, DATA_BLOB nt_interactive_blob; if (lm_interactive_pwd) { - local_lm_blob = data_blob(local_lm_response, sizeof(local_lm_response)); - lm_interactive_blob = data_blob(lm_pwd, sizeof(lm_pwd)); + local_lm_blob = data_blob(local_lm_response, + sizeof(local_lm_response)); + lm_interactive_blob = data_blob(lm_pwd, + sizeof(lm_pwd)); ZERO_STRUCT(lm_pwd); } if (nt_interactive_pwd) { - local_nt_blob = data_blob(local_nt_response, sizeof(local_nt_response)); - nt_interactive_blob = data_blob(nt_pwd, sizeof(nt_pwd)); + local_nt_blob = data_blob(local_nt_response, + sizeof(local_nt_response)); + nt_interactive_blob = data_blob(nt_pwd, + sizeof(nt_pwd)); ZERO_STRUCT(nt_pwd); } - nt_status = make_user_info_map(user_info, - smb_name, client_domain, - wksta_name, - lm_interactive_pwd ? &local_lm_blob : NULL, - nt_interactive_pwd ? &local_nt_blob : NULL, - lm_interactive_pwd ? &lm_interactive_blob : NULL, - nt_interactive_pwd ? &nt_interactive_blob : NULL, - NULL, - True); + nt_status = make_user_info_map( + user_info, + smb_name, client_domain, wksta_name, + lm_interactive_pwd ? &local_lm_blob : NULL, + nt_interactive_pwd ? &local_nt_blob : NULL, + lm_interactive_pwd ? &lm_interactive_blob : NULL, + nt_interactive_pwd ? &nt_interactive_blob : NULL, + NULL, True); if (NT_STATUS_IS_OK(nt_status)) { (*user_info)->logon_parameters = logon_parameters; @@ -347,17 +354,21 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, * Not encrypted - do so. */ - DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted format.\n")); + DEBUG(5,("make_user_info_for_reply: User passwords not in encrypted " + "format.\n")); if (plaintext_password.data) { unsigned char local_lm_response[24]; #ifdef DEBUG_PASSWORD - DEBUG(10,("Unencrypted password (len %d):\n",(int)plaintext_password.length)); - dump_data(100, (const char *)plaintext_password.data, plaintext_password.length); + DEBUG(10,("Unencrypted password (len %d):\n", + (int)plaintext_password.length)); + dump_data(100, (const char *)plaintext_password.data, + plaintext_password.length); #endif - SMBencrypt( (const char *)plaintext_password.data, (const uchar*)chal, local_lm_response); + SMBencrypt( (const char *)plaintext_password.data, + (const uchar*)chal, local_lm_response); local_lm_blob = data_blob(local_lm_response, 24); /* We can't do an NT hash here, as the password needs to be @@ -369,14 +380,14 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, local_nt_blob = data_blob(NULL, 0); } - ret = make_user_info_map(user_info, smb_name, - client_domain, - get_remote_machine_name(), - local_lm_blob.data ? &local_lm_blob : NULL, - local_nt_blob.data ? &local_nt_blob : NULL, - NULL, NULL, - plaintext_password.data ? &plaintext_password : NULL, - False); + ret = make_user_info_map( + user_info, smb_name, client_domain, + get_remote_machine_name(), + local_lm_blob.data ? &local_lm_blob : NULL, + local_nt_blob.data ? &local_nt_blob : NULL, + NULL, NULL, + plaintext_password.data ? &plaintext_password : NULL, + False); data_blob_free(&local_lm_blob); return NT_STATUS_IS_OK(ret) ? True : False; @@ -426,7 +437,6 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info) void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) { - fstring sid_str; size_t i; if (!token) { @@ -434,12 +444,15 @@ void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) return; } - DEBUGC(dbg_class, dbg_lev, ("NT user token of user %s\n", - sid_to_string(sid_str, &token->user_sids[0]) )); - DEBUGADDC(dbg_class, dbg_lev, ("contains %lu SIDs\n", (unsigned long)token->num_sids)); + DEBUGC(dbg_class, dbg_lev, + ("NT user token of user %s\n", + sid_string_static(&token->user_sids[0]) )); + DEBUGADDC(dbg_class, dbg_lev, + ("contains %lu SIDs\n", (unsigned long)token->num_sids)); for (i = 0; i < token->num_sids; i++) - DEBUGADDC(dbg_class, dbg_lev, ("SID[%3lu]: %s\n", (unsigned long)i, - sid_to_string(sid_str, &token->user_sids[i]))); + DEBUGADDC(dbg_class, dbg_lev, + ("SID[%3lu]: %s\n", (unsigned long)i, + sid_string_static(&token->user_sids[i]))); dump_se_priv( dbg_class, dbg_lev, &token->privileges ); } @@ -448,464 +461,568 @@ void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) prints a UNIX 'token' to debug output. ****************************************************************************/ -void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid, int n_groups, gid_t *groups) +void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid, + int n_groups, gid_t *groups) { int i; - DEBUGC(dbg_class, dbg_lev, ("UNIX token of user %ld\n", (long int)uid)); + DEBUGC(dbg_class, dbg_lev, + ("UNIX token of user %ld\n", (long int)uid)); - DEBUGADDC(dbg_class, dbg_lev, ("Primary group is %ld and contains %i supplementary groups\n", (long int)gid, n_groups)); + DEBUGADDC(dbg_class, dbg_lev, + ("Primary group is %ld and contains %i supplementary " + "groups\n", (long int)gid, n_groups)); for (i = 0; i < n_groups; i++) DEBUGADDC(dbg_class, dbg_lev, ("Group[%3i]: %ld\n", i, (long int)groups[i])); } -/**************************************************************************** - Create the SID list for this user. -****************************************************************************/ +/****************************************************************************** + Create a token for the root user to be used internally by smbd. + This is similar to running under the context of the LOCAL_SYSTEM account + in Windows. This is a read-only token. Do not modify it or free() it. + Create a copy if your need to change it. +******************************************************************************/ -static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *group_sid, - int n_groupSIDs, DOM_SID *groupSIDs, - BOOL is_guest, NT_USER_TOKEN **token) +NT_USER_TOKEN *get_root_nt_token( void ) { - NTSTATUS nt_status = NT_STATUS_OK; - NT_USER_TOKEN *ptoken; - int i; - int sid_ndx; - DOM_SID domadm; - BOOL is_domain_admin = False; - BOOL domain_mode = False; + static NT_USER_TOKEN *token = NULL; + DOM_SID u_sid, g_sid; + struct passwd *pw; - if ((ptoken = SMB_MALLOC_P(NT_USER_TOKEN)) == NULL) { - DEBUG(0, ("create_nt_user_token: Out of memory allocating token\n")); - nt_status = NT_STATUS_NO_MEMORY; - return nt_status; + if ( token ) + return token; + + if ( !(pw = getpwnam( "root" )) ) { + DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n")); + return NULL; } + + /* get the user and primary group SIDs; although the + BUILTIN\Administrators SId is really the one that matters here */ + + uid_to_sid(&u_sid, pw->pw_uid); + gid_to_sid(&g_sid, pw->pw_gid); - ZERO_STRUCTP(ptoken); + token = create_local_nt_token(NULL, &u_sid, &g_sid, False, + 1, &global_sid_Builtin_Administrators); + return token; +} - ptoken->num_sids = n_groupSIDs + 5; +static int server_info_dtor(void *p) +{ + auth_serversupplied_info *server_info = + talloc_get_type_abort(p, auth_serversupplied_info); - if ((ptoken->user_sids = SMB_MALLOC_ARRAY( DOM_SID, ptoken->num_sids )) == NULL) { - DEBUG(0, ("create_nt_user_token: Out of memory allocating SIDs\n")); - nt_status = NT_STATUS_NO_MEMORY; - return nt_status; + if (server_info->sam_account != NULL) { + pdb_free_sam(&server_info->sam_account); } - - memset((char*)ptoken->user_sids,0,sizeof(DOM_SID) * ptoken->num_sids); - - /* - * Note - user SID *MUST* be first in token ! - * se_access_check depends on this. - * - * Primary group SID is second in token. Convention. - */ - sid_copy(&ptoken->user_sids[PRIMARY_USER_SID_INDEX], user_sid); - if (group_sid) - sid_copy(&ptoken->user_sids[PRIMARY_GROUP_SID_INDEX], group_sid); + ZERO_STRUCTP(server_info); + return 0; +} - /* - * Finally add the "standard" SIDs. - * The only difference between guest and "anonymous" (which we - * don't really support) is the addition of Authenticated_Users. - */ +/*************************************************************************** + Make a server_info struct. Free with talloc_free(). +***************************************************************************/ + +static auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx) +{ + struct auth_serversupplied_info *result; - sid_copy(&ptoken->user_sids[2], &global_sid_World); - sid_copy(&ptoken->user_sids[3], &global_sid_Network); + result = TALLOC_ZERO_P(mem_ctx, auth_serversupplied_info); + if (result == NULL) { + DEBUG(0, ("talloc failed\n")); + return NULL; + } - if (is_guest) - sid_copy(&ptoken->user_sids[4], &global_sid_Builtin_Guests); - else - sid_copy(&ptoken->user_sids[4], &global_sid_Authenticated_Users); - - sid_ndx = 5; /* next available spot */ - - /* this is where we construct the domain admins SID if we can - so that we can add the BUILTIN\Administrators SID to the token */ - - ZERO_STRUCT( domadm ); - if ( IS_DC || lp_server_role()==ROLE_DOMAIN_MEMBER ) { - domain_mode = True; - - if ( IS_DC ) - sid_copy( &domadm, get_global_sam_sid() ); - else { - /* if we a re a member server and cannot find - out domain SID then reset the domain_mode flag */ - if ( !secrets_fetch_domain_sid( lp_workgroup(), &domadm ) ) - domain_mode = False; - } + talloc_set_destructor(result, server_info_dtor); + + /* Initialise the uid and gid values to something non-zero + which may save us from giving away root access if there + is a bug in allocating these fields. */ + + result->uid = -1; + result->gid = -1; + return result; +} - sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS ); +/*************************************************************************** + Make (and fill) a user_info struct from a SAM_ACCOUNT +***************************************************************************/ + +NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, + SAM_ACCOUNT *sampass) +{ + NTSTATUS status; + struct passwd *pwd; + gid_t *gids; + auth_serversupplied_info *result; + + pwd = getpwnam_alloc(NULL, pdb_get_username(sampass)); + if ( pwd == NULL ) { + DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n", + pdb_get_username(sampass))); + return NT_STATUS_NO_SUCH_USER; } - - /* add the group SIDs to teh token */ - - for (i = 0; i < n_groupSIDs; i++) { - size_t check_sid_idx; - for (check_sid_idx = 1; check_sid_idx < ptoken->num_sids; check_sid_idx++) { - if (sid_equal(&ptoken->user_sids[check_sid_idx], - &groupSIDs[i])) { - break; - } - } - - if (check_sid_idx >= ptoken->num_sids) /* Not found already */ { - sid_copy(&ptoken->user_sids[sid_ndx++], &groupSIDs[i]); - } else { - ptoken->num_sids--; - } - - /* here we check if the user is a domain admin and add the - BUILTIN\Administrators SID to the token the group membership - check succeeds. */ - if ( domain_mode ) { - if ( sid_equal( &domadm, &groupSIDs[i] ) ) - is_domain_admin = True; - } - + result = make_server_info(NULL); + if (result == NULL) { + talloc_free(pwd); + return NT_STATUS_NO_MEMORY; } - /* finally realloc the SID array and add the BUILTIN\Administrators - SID if necessary */ + result->sam_account = sampass; + result->unix_name = talloc_strdup(result, pwd->pw_name); + result->gid = pwd->pw_gid; + result->uid = pwd->pw_uid; + + talloc_free(pwd); - if ( is_domain_admin ) { - DOM_SID *sids; + status = pdb_enum_group_memberships(result, sampass, + &result->sids, &gids, + &result->num_sids); - if ( !(sids = SMB_REALLOC_ARRAY( ptoken->user_sids, DOM_SID, ptoken->num_sids+1 )) ) - DEBUG(0,("create_nt_user_token: Failed to realloc SID arry of size %d\n", ptoken->num_sids+1)); - else { - ptoken->user_sids = sids; - sid_copy( &(ptoken->user_sids)[ptoken->num_sids++], &global_sid_Builtin_Administrators ); - } + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("pdb_enum_group_memberships failed: %s\n", + nt_errstr(status))); + result->sam_account = NULL; /* Don't free on error exit. */ + talloc_free(result); + return status; } - /* add privileges assigned to this user */ + /* For now we throw away the gids and convert via sid_to_gid + * later. This needs fixing, but I'd like to get the code straight and + * simple first. */ + talloc_free(gids); - get_privileges_for_sids( &ptoken->privileges, ptoken->user_sids, ptoken->num_sids ); - - debug_nt_user_token(DBGC_AUTH, 10, ptoken); - - if ((lp_log_nt_token_command() != NULL) && - (strlen(lp_log_nt_token_command()) > 0)) { - TALLOC_CTX *mem_ctx; - char *command; - char *group_sidstr; - - mem_ctx = talloc_init("setnttoken"); - if (mem_ctx == NULL) - return NT_STATUS_NO_MEMORY; + DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n", + pdb_get_username(sampass), result->unix_name)); - group_sidstr = talloc_strdup(mem_ctx, ""); - for (i=1; inum_sids; i++) { - group_sidstr = talloc_asprintf( - mem_ctx, "%s %s", group_sidstr, - sid_string_static(&ptoken->user_sids[i])); - } + *server_info = result; - command = talloc_string_sub( - mem_ctx, lp_log_nt_token_command(), - "%s", sid_string_static(&ptoken->user_sids[0])); - command = talloc_string_sub( - mem_ctx, command, "%t", group_sidstr); + return NT_STATUS_OK; +} + +/* + * Add alias SIDs from memberships within the partially created token SID list + */ - if (command == NULL) { - talloc_destroy(mem_ctx); +static NTSTATUS add_aliases(TALLOC_CTX *tmp_ctx, const DOM_SID *domain_sid, + struct nt_user_token *token) +{ + uint32 *aliases; + size_t i, num_aliases; + NTSTATUS status; + + aliases = NULL; + num_aliases = 0; + + status = pdb_enum_alias_memberships(tmp_ctx, domain_sid, + token->user_sids, + token->num_sids, + &aliases, &num_aliases); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("pdb_enum_alias_memberships failed: %s\n", + nt_errstr(status))); + return status; + } + + for (i=0; iuser_sids, + &token->num_sids); + if (token->user_sids == NULL) { + DEBUG(0, ("add_sid_to_array failed\n")); return NT_STATUS_NO_MEMORY; } + } - DEBUG(8, ("running command: [%s]\n", command)); - if (smbrun(command, NULL) != 0) { - DEBUG(0, ("Could not log NT token\n")); - nt_status = NT_STATUS_ACCESS_DENIED; - } - talloc_destroy(mem_ctx); + return NT_STATUS_OK; +} + +static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token) +{ + char *command; + char *group_sidstr; + size_t i; + + if ((lp_log_nt_token_command() == NULL) || + (strlen(lp_log_nt_token_command()) == 0)) { + return NT_STATUS_OK; } - *token = ptoken; + group_sidstr = talloc_strdup(tmp_ctx, ""); + for (i=1; inum_sids; i++) { + group_sidstr = talloc_asprintf( + tmp_ctx, "%s %s", group_sidstr, + sid_string_static(&token->user_sids[i])); + } - return nt_status; -} + command = talloc_string_sub( + tmp_ctx, lp_log_nt_token_command(), + "%s", sid_string_static(&token->user_sids[0])); + command = talloc_string_sub(tmp_ctx, command, "%t", group_sidstr); -/**************************************************************************** - Create the SID list for this user. -****************************************************************************/ + if (command == NULL) { + return NT_STATUS_NO_MEMORY; + } + + DEBUG(8, ("running command: [%s]\n", command)); + if (smbrun(command, NULL) != 0) { + DEBUG(0, ("Could not log NT token\n")); + return NT_STATUS_ACCESS_DENIED; + } + + return NT_STATUS_OK; +} -NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, BOOL is_guest) +/* + * Create a NT token for the user, expanding local aliases + */ + +static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, + const DOM_SID *user_sid, + const DOM_SID *group_sid, + BOOL is_guest, + int num_groupsids, + const DOM_SID *groupsids) { - DOM_SID user_sid; - DOM_SID group_sid; - DOM_SID *group_sids; - NT_USER_TOKEN *token; + TALLOC_CTX *tmp_ctx; + struct nt_user_token *result = NULL; int i; + NTSTATUS status; - if (!NT_STATUS_IS_OK(uid_to_sid(&user_sid, uid))) { + tmp_ctx = talloc_new(mem_ctx); + if (tmp_ctx == NULL) { + DEBUG(0, ("talloc_new failed\n")); return NULL; } - if (!NT_STATUS_IS_OK(gid_to_sid(&group_sid, gid))) { - return NULL; + + result = TALLOC_ZERO_P(tmp_ctx, NT_USER_TOKEN); + if (result == NULL) { + DEBUG(0, ("talloc failed\n")); + goto done; } - group_sids = SMB_MALLOC_ARRAY(DOM_SID, ngroups); - if (!group_sids) { - DEBUG(0, ("create_nt_token: malloc() failed for DOM_SID list!\n")); - return NULL; + /* First create the default SIDs */ + + add_sid_to_array(result, user_sid, + &result->user_sids, &result->num_sids); + add_sid_to_array(result, group_sid, + &result->user_sids, &result->num_sids); + add_sid_to_array(result, &global_sid_World, + &result->user_sids, &result->num_sids); + add_sid_to_array(result, &global_sid_Network, + &result->user_sids, &result->num_sids); + + if (is_guest) { + add_sid_to_array(result, &global_sid_Builtin_Guests, + &result->user_sids, &result->num_sids); + } else { + add_sid_to_array(result, &global_sid_Authenticated_Users, + &result->user_sids, &result->num_sids); } - /* convert the Unix group ids to SIDS */ + /* Now the SIDs we got from authentication. These are the ones from + * the info3 struct or from the pdb_enum_group_memberships, depending + * on who authenticated the user. */ - for (i = 0; i < ngroups; i++) { - if (!NT_STATUS_IS_OK(gid_to_sid(&(group_sids)[i], (groups)[i]))) { - DEBUG(1, ("create_nt_token: failed to convert gid %ld to a sid!\n", (long int)groups[i])); - SAFE_FREE(group_sids); - return NULL; - } + for (i=0; iuser_sids, &result->num_sids); } - if (!NT_STATUS_IS_OK(create_nt_user_token(&user_sid, &group_sid, - ngroups, group_sids, is_guest, &token))) { - SAFE_FREE(group_sids); - return NULL; + if (lp_winbind_nested_groups()) { + + /* Now add the aliases. First the one from our local SAM */ + + status = add_aliases(tmp_ctx, get_global_sam_sid(), result); + + if (!NT_STATUS_IS_OK(status)) { + result = NULL; + goto done; + } + + /* Finally the builtin ones */ + + status = add_aliases(tmp_ctx, &global_sid_Builtin, result); + + if (!NT_STATUS_IS_OK(status)) { + result = NULL; + goto done; + } + } else { + + /* Play jerry's trick to auto-add local admins if we're a + * domain admin. */ + + DOM_SID dom_admins; + BOOL domain_mode = False; + + if (IS_DC) { + sid_compose(&dom_admins, get_global_sam_sid(), + DOMAIN_GROUP_RID_ADMINS); + domain_mode = True; + } + if ((lp_server_role() == ROLE_DOMAIN_MEMBER) && + (secrets_fetch_domain_sid(lp_workgroup(), &dom_admins))) { + sid_append_rid(&dom_admins, DOMAIN_GROUP_RID_ADMINS); + domain_mode = True; + } + + if (domain_mode) { + for (i=0; inum_sids; i++) { + if (sid_equal(&dom_admins, + &result->user_sids[i])) { + add_sid_to_array_unique( + result, + &global_sid_Builtin_Administrators, + &result->user_sids, + &result->num_sids); + break; + } + } + + } } - SAFE_FREE(group_sids); + get_privileges_for_sids(&result->privileges, result->user_sids, + result->num_sids); - return token; + talloc_steal(mem_ctx, result); + + done: + talloc_free(tmp_ctx); + return result; } -/****************************************************************************** - Create a token for the root user to be used internally by smbd. - This is similar to running under the context of the LOCAL_SYSTEM account - in Windows. This is a read-only token. Do not modify it or free() it. - Create a copy if your need to change it. -******************************************************************************/ +/* + * Create the token to use from server_info->sam_account and + * server_info->sids (the info3/sam groups). Find the unix gids. + */ -NT_USER_TOKEN *get_root_nt_token( void ) +NTSTATUS create_local_token(auth_serversupplied_info *server_info) { - static NT_USER_TOKEN *token = NULL; - DOM_SID u_sid, g_sid; - DOM_SID g_sids[1]; - struct passwd *pw; - NTSTATUS result; + TALLOC_CTX *mem_ctx; + NTSTATUS status; + size_t i; - if ( token ) - return token; - - if ( !(pw = getpwnam( "root" )) ) { - DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n")); - return NULL; + + mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + DEBUG(0, ("talloc_new failed\n")); + return NT_STATUS_NO_MEMORY; } + + server_info->ptok = create_local_nt_token( + server_info, + pdb_get_user_sid(server_info->sam_account), + pdb_get_group_sid(server_info->sam_account), + server_info->guest, + server_info->num_sids, server_info->sids); - /* get the user and primary group SIDs; although the - BUILTIN\Administrators SId is really the one that matters here */ - - if ( !NT_STATUS_IS_OK(uid_to_sid(&u_sid, pw->pw_uid)) ) - return NULL; - if ( !NT_STATUS_IS_OK(gid_to_sid(&g_sid, pw->pw_gid)) ) - return NULL; - - sid_copy( &g_sids[0], &global_sid_Builtin_Administrators ); - - result = create_nt_user_token( &u_sid, &g_sid, 1, g_sids, False, &token); + /* Convert the SIDs to gids. */ + + server_info->n_groups = 0; + server_info->groups = NULL; + + /* Start at index 1, where the groups start. */ + + for (i=1; iptok->num_sids; i++) { + gid_t gid; + DOM_SID *sid = &server_info->ptok->user_sids[i]; + + if (!sid_to_gid(sid, &gid)) { + DEBUG(10, ("Could not convert SID %s to gid, " + "ignoring it\n", sid_string_static(sid))); + continue; + } + add_gid_to_array_unique(server_info, gid, &server_info->groups, + &server_info->n_groups); + } - return NT_STATUS_IS_OK(result) ? token : NULL; + debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok); + + status = log_nt_token(mem_ctx, server_info->ptok); + + talloc_free(mem_ctx); + return status; } -/****************************************************************************** - * this function returns the groups (SIDs) of the local SAM the user is in. - * If this samba server is a DC of the domain the user belongs to, it returns - * both domain groups and local / builtin groups. If the user is in a trusted - * domain, or samba is a member server of a domain, then this function returns - * local and builtin groups the user is a member of. +/* + * Create an artificial NT token given just a username. (Initially indended + * for force user) * - * currently this is a hack, as there is no sam implementation that is capable - * of groups. + * We go through lookup_name() to avoid problems we had with 'winbind use + * default domain'. * - * NOTE!! This function will fail if you pass in a winbind user without - * the domain --jerry - ******************************************************************************/ - -static NTSTATUS get_user_groups(const char *username, uid_t uid, gid_t gid, - size_t *n_groups, DOM_SID **groups, gid_t **unix_groups) + * We have 3 cases: + * + * unmapped unix users: Go directly to nss to find the user's group. + * + * A passdb user: The list of groups is provided by pdb_enum_group_memberships. + * + * If the user is provided by winbind, the primary gid is set to "domain + * users" of the user's domain. For an explanation why this is necessary, see + * the thread starting at + * http://lists.samba.org/archive/samba-technical/2006-January/044803.html. + */ + +NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, + BOOL is_guest, + uid_t *uid, gid_t *gid, + char **found_username, + struct nt_user_token **token) { - int n_unix_groups; - int i; + NTSTATUS result = NT_STATUS_NO_SUCH_USER; + TALLOC_CTX *tmp_ctx; + DOM_SID user_sid; + enum SID_NAME_USE type; + gid_t *gids; + DOM_SID primary_group_sid; + DOM_SID *group_sids; + size_t num_group_sids; - *n_groups = 0; - *groups = NULL; + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(0, ("talloc_new failed\n")); + return NT_STATUS_NO_MEMORY; + } - if (strchr(username, *lp_winbind_separator()) == NULL) { - NTSTATUS result; + if (!lookup_name(tmp_ctx, username, LOOKUP_NAME_ALL, + NULL, NULL, &user_sid, &type)) { + DEBUG(1, ("lookup_name for %s failed\n", username)); + goto done; + } - become_root(); - result = pdb_enum_group_memberships(username, gid, groups, - unix_groups, n_groups); - unbecome_root(); - return result; + if (type != SID_NAME_USER) { + DEBUG(1, ("%s is a %s, not a user\n", username, + sid_type_lookup(type))); + goto done; } - /* We have the separator, this must be winbind */ - - n_unix_groups = winbind_getgroups( username, unix_groups ); + if (!sid_to_uid(&user_sid, uid)) { + DEBUG(1, ("sid_to_uid for %s (%s) failed\n", + username, sid_string_static(&user_sid))); + goto done; + } - DEBUG(10,("get_user_groups: winbind_getgroups(%s): result = %s\n", - username, n_unix_groups == -1 ? "FAIL" : "SUCCESS")); - - if ( n_unix_groups == -1 ) - return NT_STATUS_NO_SUCH_USER; /* what should this return - * value be? */ + if (sid_check_is_in_unix_users(&user_sid)) { - debug_unix_user_token(DBGC_CLASS, 5, uid, gid, n_unix_groups, *unix_groups); - - /* now setup the space for storing the SIDS */ - - if (n_unix_groups > 0) { - - *groups = SMB_MALLOC_ARRAY(DOM_SID, n_unix_groups); - - if (!*groups) { - DEBUG(0, ("get_user_group: malloc() failed for DOM_SID list!\n")); - SAFE_FREE(*unix_groups); - return NT_STATUS_NO_MEMORY; + /* This is a unix user not in passdb. We need to ask nss + * directly, without consulting passdb */ + + struct passwd *pass; + size_t i; + + pass = getpwuid_alloc(tmp_ctx, *uid); + if (pass == NULL) { + DEBUG(1, ("getpwuid(%d) for user %s failed\n", + *uid, username)); + goto done; } - } - *n_groups = n_unix_groups; + *gid = pass->pw_gid; + gid_to_sid(&primary_group_sid, pass->pw_gid); - for (i = 0; i < *n_groups; i++) { - if (!NT_STATUS_IS_OK(gid_to_sid(&(*groups)[i], (*unix_groups)[i]))) { - DEBUG(1, ("get_user_groups: failed to convert gid %ld to a sid!\n", - (long int)(*unix_groups)[i+1])); - SAFE_FREE(*groups); - SAFE_FREE(*unix_groups); - return NT_STATUS_NO_SUCH_USER; + if (!getgroups_unix_user(tmp_ctx, username, pass->pw_gid, + &gids, &num_group_sids)) { + DEBUG(1, ("getgroups_unix_user for user %s failed\n", + username)); + goto done; } - } - - return NT_STATUS_OK; -} -/*************************************************************************** - Make a user_info struct -***************************************************************************/ + group_sids = talloc_array(tmp_ctx, DOM_SID, num_group_sids); + if (group_sids == NULL) { + DEBUG(1, ("talloc_array failed\n")); + result = NT_STATUS_NO_MEMORY; + goto done; + } -static NTSTATUS make_server_info(auth_serversupplied_info **server_info) -{ - *server_info = SMB_MALLOC_P(auth_serversupplied_info); - if (!*server_info) { - DEBUG(0,("make_server_info: malloc failed!\n")); - return NT_STATUS_NO_MEMORY; - } - ZERO_STRUCTP(*server_info); + for (i=0; ipw_name); - /* Initialise the uid and gid values to something non-zero - which may save us from giving away root access if there - is a bug in allocating these fields. */ + } else if (sid_check_is_in_our_domain(&user_sid)) { - (*server_info)->uid = -1; - (*server_info)->gid = -1; + /* This is a passdb user, so ask passdb */ - return NT_STATUS_OK; -} + SAM_ACCOUNT *sam_acct = NULL; -/*************************************************************************** -Fill a server_info struct from a SAM_ACCOUNT with their groups -***************************************************************************/ + result = pdb_init_sam_talloc(tmp_ctx, &sam_acct); + if (!NT_STATUS_IS_OK(result)) { + goto done; + } -static NTSTATUS add_user_groups(auth_serversupplied_info **server_info, - const char * unix_username, - SAM_ACCOUNT *sampass, - uid_t uid, gid_t gid) -{ - NTSTATUS nt_status; - const DOM_SID *user_sid = pdb_get_user_sid(sampass); - const DOM_SID *group_sid = pdb_get_group_sid(sampass); - size_t n_groupSIDs = 0; - DOM_SID *groupSIDs = NULL; - gid_t *unix_groups = NULL; - NT_USER_TOKEN *token; - BOOL is_guest; - uint32 rid; + if (!pdb_getsampwsid(sam_acct, &user_sid)) { + DEBUG(1, ("pdb_getsampwsid(%s) for user %s failed\n", + sid_string_static(&user_sid), username)); + result = NT_STATUS_NO_SUCH_USER; + goto done; + } - nt_status = get_user_groups(unix_username, uid, gid, - &n_groupSIDs, &groupSIDs, &unix_groups); - - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(4,("get_user_groups_from_local_sam failed\n")); - free_server_info(server_info); - return nt_status; - } - - is_guest = (sid_peek_rid(user_sid, &rid) && rid == DOMAIN_USER_RID_GUEST); + sid_copy(&primary_group_sid, pdb_get_group_sid(sam_acct)); - if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token(user_sid, group_sid, - n_groupSIDs, groupSIDs, is_guest, - &token))) - { - DEBUG(4,("create_nt_user_token failed\n")); - SAFE_FREE(groupSIDs); - SAFE_FREE(unix_groups); - free_server_info(server_info); - return nt_status; - } - - SAFE_FREE(groupSIDs); + result = pdb_enum_group_memberships(tmp_ctx, sam_acct, + &group_sids, &gids, + &num_group_sids); + if (!NT_STATUS_IS_OK(result)) { + DEBUG(10, ("enum_group_memberships failed for %s\n", + username)); + goto done; + } - (*server_info)->n_groups = n_groupSIDs; - (*server_info)->groups = unix_groups; - (*server_info)->ptok = token; + *found_username = talloc_strdup(mem_ctx, + pdb_get_username(sam_acct)); - return nt_status; -} + } else { -/*************************************************************************** - Make (and fill) a user_info struct from a SAM_ACCOUNT -***************************************************************************/ + /* This user is from winbind, force the primary gid to the + * user's "domain users" group. Under certain circumstances + * (user comes from NT4), this might be a loss of + * information. But we can not rely on winbind getting the + * correct info. AD might prohibit winbind looking up that + * information. */ -NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, - SAM_ACCOUNT *sampass) -{ - NTSTATUS nt_status; - struct passwd *pwd; + uint32 dummy; - if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) - return nt_status; + sid_copy(&primary_group_sid, &user_sid); + sid_split_rid(&primary_group_sid, &dummy); + sid_append_rid(&primary_group_sid, DOMAIN_GROUP_RID_USERS); - (*server_info)->sam_account = sampass; + if (!sid_to_gid(&primary_group_sid, gid)) { + DEBUG(1, ("sid_to_gid(%s) failed\n", + sid_string_static(&primary_group_sid))); + goto done; + } - if ( !(pwd = getpwnam_alloc(pdb_get_username(sampass))) ) { - DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n", - pdb_get_username(sampass))); - free_server_info(server_info); - return NT_STATUS_NO_SUCH_USER; - } - (*server_info)->unix_name = smb_xstrdup(pwd->pw_name); - (*server_info)->gid = pwd->pw_gid; - (*server_info)->uid = pwd->pw_uid; - - passwd_free(&pwd); + num_group_sids = 0; + group_sids = NULL; - if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, pdb_get_username(sampass), - sampass, - (*server_info)->uid, - (*server_info)->gid))) - { - free_server_info(server_info); - return nt_status; + *found_username = talloc_strdup(mem_ctx, username); } - (*server_info)->sam_fill_level = SAM_FILL_ALL; - DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n", - pdb_get_username(sampass), - (*server_info)->unix_name)); + *token = create_local_nt_token(mem_ctx, &user_sid, &primary_group_sid, + is_guest, num_group_sids, group_sids); - return nt_status; + if ((*token == NULL) || (*found_username == NULL)) { + result = NT_STATUS_NO_MEMORY; + goto done; + } + + result = NT_STATUS_OK; + done: + talloc_free(tmp_ctx); + return result; } /*************************************************************************** - Make (and fill) a user_info struct from a Kerberos PAC logon_info by conversion - to a SAM_ACCOUNT + Make (and fill) a user_info struct from a Kerberos PAC logon_info by + conversion to a SAM_ACCOUNT ***************************************************************************/ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info, @@ -913,16 +1030,22 @@ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info, struct passwd *pwd, PAC_LOGON_INFO *logon_info) { - NTSTATUS nt_status; + NTSTATUS status; SAM_ACCOUNT *sampass = NULL; DOM_SID user_sid, group_sid; fstring dom_name; + auth_serversupplied_info *result; - if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sampass, pwd))) { - return nt_status; + status = pdb_init_sam_pw(&sampass, pwd); + + if (!NT_STATUS_IS_OK(status)) { + return status; } - if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) { - return nt_status; + + result = make_server_info(NULL); + if (result == NULL) { + pdb_free_sam(&sampass); + return NT_STATUS_NO_MEMORY; } /* only copy user_sid, group_sid and domain name out of the PAC for @@ -941,20 +1064,18 @@ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info, pdb_set_logon_count(sampass, logon_info->info3.logon_count, PDB_SET); - (*server_info)->sam_account = sampass; + result->sam_account = sampass; + result->unix_name = talloc_strdup(result, unix_username); + result->uid = pwd->pw_uid; + result->gid = pwd->pw_gid; - if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, unix_username, - sampass, pwd->pw_uid, pwd->pw_gid))) - { - return nt_status; - } + /* TODO: Add groups from pac */ + result->sids = NULL; + result->num_sids = 0; - (*server_info)->unix_name = smb_xstrdup(unix_username); + *server_info = result; - (*server_info)->sam_fill_level = SAM_FILL_ALL; - (*server_info)->uid = pwd->pw_uid; - (*server_info)->gid = pwd->pw_gid; - return nt_status; + return NT_STATUS_OK; } @@ -967,93 +1088,172 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, char *unix_username, struct passwd *pwd) { - NTSTATUS nt_status; + NTSTATUS status; SAM_ACCOUNT *sampass = NULL; - if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sampass, pwd))) { - return nt_status; + gid_t *gids; + auth_serversupplied_info *result; + + status = pdb_init_sam_pw(&sampass, pwd); + + if (!NT_STATUS_IS_OK(status)) { + return status; } - if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) { - return nt_status; + + result = make_server_info(NULL); + + if (!NT_STATUS_IS_OK(status)) { + pdb_free_sam(&sampass); + return status; } - (*server_info)->sam_account = sampass; + result->sam_account = sampass; + result->unix_name = talloc_strdup(result, unix_username); + result->uid = pwd->pw_uid; + result->gid = pwd->pw_gid; - if (!NT_STATUS_IS_OK(nt_status = add_user_groups(server_info, unix_username, - sampass, pwd->pw_uid, pwd->pw_gid))) - { - return nt_status; + status = pdb_enum_group_memberships(result, sampass, + &result->sids, &gids, + &result->num_sids); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("pdb_enum_group_memberships failed: %s\n", + nt_errstr(status))); + talloc_free(result); + return status; } - (*server_info)->unix_name = smb_xstrdup(unix_username); + /* For now we throw away the gids and convert via sid_to_gid + * later. This needs fixing, but I'd like to get the code straight and + * simple first. */ + talloc_free(gids); - (*server_info)->sam_fill_level = SAM_FILL_ALL; - (*server_info)->uid = pwd->pw_uid; - (*server_info)->gid = pwd->pw_gid; - return nt_status; + *server_info = result; + + return NT_STATUS_OK; } /*************************************************************************** Make (and fill) a user_info struct for a guest login. + This *must* succeed for smbd to start. If there is no mapping entry for + the guest gid, then create one. ***************************************************************************/ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_info) { - NTSTATUS nt_status; + NTSTATUS status; SAM_ACCOUNT *sampass = NULL; DOM_SID guest_sid; + BOOL ret; + static const char zeros[16]; - if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sampass))) { - return nt_status; + status = pdb_init_sam(&sampass); + + if (!NT_STATUS_IS_OK(status)) { + return status; } sid_copy(&guest_sid, get_global_sam_sid()); sid_append_rid(&guest_sid, DOMAIN_USER_RID_GUEST); become_root(); - if (!pdb_getsampwsid(sampass, &guest_sid)) { - unbecome_root(); + ret = pdb_getsampwsid(sampass, &guest_sid); + unbecome_root(); + + if (!ret) { + pdb_free_sam(&sampass); return NT_STATUS_NO_SUCH_USER; } - unbecome_root(); - nt_status = make_server_info_sam(server_info, sampass); + status = make_server_info_sam(server_info, sampass); - if (NT_STATUS_IS_OK(nt_status)) { - static const char zeros[16]; - (*server_info)->guest = True; - - /* annoying, but the Guest really does have a session key, - and it is all zeros! */ - (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros)); - (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros)); + if (!NT_STATUS_IS_OK(status)) { + + /* If there was no initial group mapping for the nobody user, + create one*/ + + if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) { + GROUP_MAP map; + struct passwd *pwd = getpwnam_alloc(NULL, pdb_get_username(sampass)); + + if ( pwd == NULL ) { + DEBUG(1, ("No guest user %s!\n", + pdb_get_username(sampass))); + pdb_free_sam(&sampass); + return NT_STATUS_NO_SUCH_USER; + } + + map.gid = pwd->pw_gid; + sid_copy(&map.sid, get_global_sam_sid()); + sid_append_rid(&map.sid, DOMAIN_GROUP_RID_GUESTS); + map.sid_name_use = SID_NAME_DOM_GRP; + fstrcpy(map.nt_name, "Domain Guests"); + map.comment[0] = '\0'; + + if ( !NT_STATUS_IS_OK(pdb_update_group_mapping_entry(&map)) ) { + DEBUG(1, ("Could not update group database for guest user %s\n", + pdb_get_username(sampass) )); + talloc_free(pwd); + pdb_free_sam(&sampass); + return NT_STATUS_NO_SUCH_USER; + } + + talloc_free(pwd); + + /* And try again. */ + status = make_server_info_sam(server_info, sampass); + } + + if (!NT_STATUS_IS_OK(status)) { + pdb_free_sam(&sampass); + return status; + } } + + (*server_info)->guest = True; - return nt_status; + status = create_local_token(*server_info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("create_local_token failed: %s\n", + nt_errstr(status))); + return status; + } + + /* annoying, but the Guest really does have a session key, and it is + all zeros! */ + (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros)); + (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros)); + + return NT_STATUS_OK; } static auth_serversupplied_info *copy_serverinfo(auth_serversupplied_info *src) { auth_serversupplied_info *dst; - if (!NT_STATUS_IS_OK(make_server_info(&dst))) + dst = make_server_info(NULL); + if (dst == NULL) { return NULL; + } dst->guest = src->guest; dst->uid = src->uid; dst->gid = src->gid; dst->n_groups = src->n_groups; if (src->n_groups != 0) - dst->groups = memdup(src->groups, sizeof(gid_t)*dst->n_groups); + dst->groups = talloc_memdup(dst, src->groups, + sizeof(gid_t)*dst->n_groups); else dst->groups = NULL; - dst->ptok = dup_nt_token(src->ptok); - dst->user_session_key = data_blob(src->user_session_key.data, - src->user_session_key.length); - dst->lm_session_key = data_blob(src->lm_session_key.data, - src->lm_session_key.length); + dst->ptok = dup_nt_token(dst, src->ptok); + dst->user_session_key = data_blob_talloc( + dst, src->user_session_key.data, + src->user_session_key.length); + dst->lm_session_key = data_blob_talloc( + dst, src->lm_session_key.data, + src->lm_session_key.length); pdb_copy_sam_account(src->sam_account, &dst->sam_account); dst->pam_handle = NULL; - dst->unix_name = smb_xstrdup(src->unix_name); + dst->unix_name = talloc_strdup(dst, src->unix_name); return dst; } @@ -1103,7 +1303,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, map_username( dom_user ); - if ( !(passwd = smb_getpwnam( dom_user, real_username, True )) ) + if ( !(passwd = smb_getpwnam( NULL, dom_user, real_username, True )) ) return NT_STATUS_NO_SUCH_USER; *uid = passwd->pw_uid; @@ -1121,7 +1321,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, *found_username)); nt_status = pdb_init_sam_pw(sam_account, passwd); - passwd_free(&passwd); + talloc_free(passwd); return nt_status; } @@ -1131,7 +1331,8 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, the username if we fallback to the username only. ****************************************************************************/ -struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) +struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, char *domuser, + fstring save_username, BOOL create ) { struct passwd *pw = NULL; char *p; @@ -1154,7 +1355,7 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) if ( p ) { fstring strip_username; - pw = Get_Pwnam_alloc( domuser ); + pw = Get_Pwnam_alloc( mem_ctx, domuser ); if ( pw ) { /* make sure we get the case of the username correct */ /* work around 'winbind use default domain = yes' */ @@ -1185,7 +1386,7 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) /* just lookup a plain username */ - pw = Get_Pwnam_alloc(username); + pw = Get_Pwnam_alloc(mem_ctx, username); /* Create local user if requested. */ @@ -1195,7 +1396,7 @@ struct passwd *smb_getpwnam( char *domuser, fstring save_username, BOOL create ) return NULL; smb_create_user(NULL, username, NULL); - pw = Get_Pwnam_alloc(username); + pw = Get_Pwnam_alloc(mem_ctx, username); } /* one last check for a valid passwd struct */ @@ -1231,15 +1432,10 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, uid_t uid; gid_t gid; - size_t n_lgroupSIDs; - DOM_SID *lgroupSIDs = NULL; - - gid_t *unix_groups = NULL; - NT_USER_TOKEN *token; - - DOM_SID *all_group_SIDs; size_t i; + auth_serversupplied_info *result; + /* Here is where we should check the list of trusted domains, and verify that the SID @@ -1257,12 +1453,14 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, } if (!(nt_username = unistr2_tdup(mem_ctx, &(info3->uni_user_name)))) { - /* If the server didn't give us one, just use the one we sent them */ + /* If the server didn't give us one, just use the one we sent + * them */ nt_username = sent_nt_username; } if (!(nt_domain = unistr2_tdup(mem_ctx, &(info3->uni_logon_dom)))) { - /* If the server didn't give us one, just use the one we sent them */ + /* If the server didn't give us one, just use the one we sent + * them */ nt_domain = domain; } @@ -1271,21 +1469,25 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, We use the _unmapped_ username here in an attempt to provide consistent username mapping behavior between kerberos and NTLM[SSP] - authentication in domain mode security. I.E. Username mapping should - be applied to the fully qualified username (e.g. DOMAIN\user) and - no just the login name. Yes this mean swe called map_username() - unnecessarily in make_user_info_map() but that is how the current - code is designed. Making the change here is the least disruptive - place. -- jerry */ + authentication in domain mode security. I.E. Username mapping + should be applied to the fully qualified username + (e.g. DOMAIN\user) and not just the login name. Yes this means we + called map_username() unnecessarily in make_user_info_map() but + that is how the current code is designed. Making the change here + is the least disruptive place. -- jerry */ nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username, - &found_username, &uid, &gid, &sam_account); + &found_username, &uid, &gid, + &sam_account); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { - DEBUG(3,("User %s does not exist, trying to add it\n", internal_username)); + DEBUG(3,("User %s does not exist, trying to add it\n", + internal_username)); smb_create_user( nt_domain, sent_nt_username, NULL); - nt_status = fill_sam_account( mem_ctx, nt_domain, sent_nt_username, - &found_username, &uid, &gid, &sam_account ); + nt_status = fill_sam_account( mem_ctx, nt_domain, + sent_nt_username, + &found_username, &uid, &gid, + &sam_account ); } /* if we still don't have a valid unix account check for @@ -1326,96 +1528,77 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_UNSUCCESSFUL; } - if (!pdb_set_fullname(sam_account, unistr2_static(&(info3->uni_full_name)), + if (!pdb_set_fullname(sam_account, + unistr2_static(&(info3->uni_full_name)), PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_logon_script(sam_account, unistr2_static(&(info3->uni_logon_script)), PDB_CHANGED)) { + if (!pdb_set_logon_script(sam_account, + unistr2_static(&(info3->uni_logon_script)), + PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_profile_path(sam_account, unistr2_static(&(info3->uni_profile_path)), PDB_CHANGED)) { + if (!pdb_set_profile_path(sam_account, + unistr2_static(&(info3->uni_profile_path)), + PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_homedir(sam_account, unistr2_static(&(info3->uni_home_dir)), PDB_CHANGED)) { + if (!pdb_set_homedir(sam_account, + unistr2_static(&(info3->uni_home_dir)), + PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_dir_drive(sam_account, unistr2_static(&(info3->uni_dir_drive)), PDB_CHANGED)) { + if (!pdb_set_dir_drive(sam_account, + unistr2_static(&(info3->uni_dir_drive)), + PDB_CHANGED)) { pdb_free_sam(&sam_account); return NT_STATUS_NO_MEMORY; } - if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info))) { + result = make_server_info(NULL); + if (result == NULL) { DEBUG(4, ("make_server_info failed!\n")); pdb_free_sam(&sam_account); - return nt_status; + return NT_STATUS_NO_MEMORY; } /* save this here to _net_sam_logon() doesn't fail (it assumes a valid SAM_ACCOUNT) */ - (*server_info)->sam_account = sam_account; - - (*server_info)->unix_name = smb_xstrdup(found_username); + result->sam_account = sam_account; + result->unix_name = talloc_strdup(result, found_username); /* Fill in the unix info we found on the way */ - (*server_info)->sam_fill_level = SAM_FILL_ALL; - (*server_info)->uid = uid; - (*server_info)->gid = gid; - - /* Store the user group information in the server_info - returned to the caller. */ - - nt_status = get_user_groups((*server_info)->unix_name, - uid, gid, &n_lgroupSIDs, &lgroupSIDs, &unix_groups); - - if ( !NT_STATUS_IS_OK(nt_status) ) { - DEBUG(4,("get_user_groups failed\n")); - return nt_status; - } + result->uid = uid; + result->gid = gid; - (*server_info)->groups = unix_groups; - (*server_info)->n_groups = n_lgroupSIDs; - /* Create a 'combined' list of all SIDs we might want in the SD */ - - all_group_SIDs = SMB_MALLOC_ARRAY(DOM_SID,info3->num_groups2 + info3->num_other_sids + n_lgroupSIDs); - - if (!all_group_SIDs) { - DEBUG(0, ("malloc() failed for DOM_SID list!\n")); - SAFE_FREE(lgroupSIDs); - free_server_info(server_info); - return NT_STATUS_NO_MEMORY; - } + + result->num_sids = 0; + result->sids = NULL; /* and create (by appending rids) the 'domain' sids */ for (i = 0; i < info3->num_groups2; i++) { - - sid_copy(&all_group_SIDs[i], &(info3->dom_sid.sid)); - - if (!sid_append_rid(&all_group_SIDs[i], info3->gids[i].g_rid)) { - - nt_status = NT_STATUS_INVALID_PARAMETER; - - DEBUG(3,("could not append additional group rid 0x%x\n", - info3->gids[i].g_rid)); - - SAFE_FREE(lgroupSIDs); - SAFE_FREE(all_group_SIDs); - free_server_info(server_info); - - return nt_status; - + DOM_SID sid; + if (!sid_compose(&sid, &info3->dom_sid.sid, + info3->gids[i].g_rid)) { + DEBUG(3,("could not append additional group rid " + "0x%x\n", info3->gids[i].g_rid)); + talloc_free(result); + return NT_STATUS_INVALID_PARAMETER; } + add_sid_to_array(result, &sid, &result->sids, + &result->num_sids); } /* Copy 'other' sids. We need to do sid filtering here to @@ -1425,56 +1608,33 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, */ for (i = 0; i < info3->num_other_sids; i++) { - sid_copy(&all_group_SIDs[info3->num_groups2 + i], - &info3->other_sids[i].sid); - } - - - /* add local alias sids */ - - for (i = 0; i < n_lgroupSIDs; i++) { - sid_copy(&all_group_SIDs[info3->num_groups2 + - info3->num_other_sids + i], - &lgroupSIDs[i]); - } - - /* Where are the 'global' sids... */ - - /* can the user be guest? if yes, where is it stored? */ - - nt_status = create_nt_user_token(&user_sid, &group_sid, - info3->num_groups2 + info3->num_other_sids + n_lgroupSIDs, - all_group_SIDs, False, &token); - - if ( !NT_STATUS_IS_OK(nt_status) ) { - DEBUG(4,("create_nt_user_token failed\n")); - SAFE_FREE(lgroupSIDs); - SAFE_FREE(all_group_SIDs); - free_server_info(server_info); - return nt_status; + add_sid_to_array(result, &info3->other_sids[i].sid, + &result->sids, + &result->num_sids); } - (*server_info)->login_server = unistr2_tdup(mem_ctx, - &(info3->uni_logon_srv)); - - (*server_info)->ptok = token; - - SAFE_FREE(lgroupSIDs); - SAFE_FREE(all_group_SIDs); + result->login_server = unistr2_tdup(result, + &(info3->uni_logon_srv)); /* ensure we are never given NULL session keys */ if (memcmp(info3->user_sess_key, zeros, sizeof(zeros)) == 0) { - (*server_info)->user_session_key = data_blob(NULL, 0); + result->user_session_key = data_blob(NULL, 0); } else { - (*server_info)->user_session_key = data_blob(info3->user_sess_key, sizeof(info3->user_sess_key)); + result->user_session_key = data_blob_talloc( + result, info3->user_sess_key, + sizeof(info3->user_sess_key)); } if (memcmp(info3->lm_sess_key, zeros, 8) == 0) { - (*server_info)->lm_session_key = data_blob(NULL, 0); + result->lm_session_key = data_blob(NULL, 0); } else { - (*server_info)->lm_session_key = data_blob(info3->lm_sess_key, sizeof(info3->lm_sess_key)); - } + result->lm_session_key = data_blob_talloc( + result, info3->lm_sess_key, + sizeof(info3->lm_sess_key)); + } + + *server_info = result; return NT_STATUS_OK; } @@ -1487,14 +1647,15 @@ void free_user_info(auth_usersupplied_info **user_info) { DEBUG(5,("attempting to free (and zero) a user_info structure\n")); if (*user_info != NULL) { - if ((*user_info)->smb_name.str) { - DEBUG(10,("structure was created for %s\n", (*user_info)->smb_name.str)); + if ((*user_info)->smb_name) { + DEBUG(10,("structure was created for %s\n", + (*user_info)->smb_name)); } - SAFE_FREE((*user_info)->smb_name.str); - SAFE_FREE((*user_info)->internal_username.str); - SAFE_FREE((*user_info)->client_domain.str); - SAFE_FREE((*user_info)->domain.str); - SAFE_FREE((*user_info)->wksta_name.str); + SAFE_FREE((*user_info)->smb_name); + SAFE_FREE((*user_info)->internal_username); + SAFE_FREE((*user_info)->client_domain); + SAFE_FREE((*user_info)->domain); + SAFE_FREE((*user_info)->wksta_name); data_blob_free(&(*user_info)->lm_resp); data_blob_free(&(*user_info)->nt_resp); data_blob_clear_free(&(*user_info)->lm_interactive_pwd); @@ -1505,27 +1666,6 @@ void free_user_info(auth_usersupplied_info **user_info) SAFE_FREE(*user_info); } -/*************************************************************************** - Clear out a server_info struct that has been allocated -***************************************************************************/ - -void free_server_info(auth_serversupplied_info **server_info) -{ - DEBUG(5,("attempting to free (and zero) a server_info structure\n")); - if (*server_info != NULL) { - pdb_free_sam(&(*server_info)->sam_account); - - /* call pam_end here, unless we know we are keeping it */ - delete_nt_token( &(*server_info)->ptok ); - SAFE_FREE((*server_info)->groups); - SAFE_FREE((*server_info)->unix_name); - data_blob_free(&(*server_info)->lm_session_key); - data_blob_free(&(*server_info)->user_session_key); - ZERO_STRUCT(**server_info); - } - SAFE_FREE(*server_info); -} - /*************************************************************************** Make an auth_methods struct ***************************************************************************/ @@ -1533,11 +1673,13 @@ void free_server_info(auth_serversupplied_info **server_info) BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_method) { if (!auth_context) { - smb_panic("no auth_context supplied to make_auth_methods()!\n"); + smb_panic("no auth_context supplied to " + "make_auth_methods()!\n"); } if (!auth_method) { - smb_panic("make_auth_methods: pointer to auth_method pointer is NULL!\n"); + smb_panic("make_auth_methods: pointer to auth_method pointer " + "is NULL!\n"); } *auth_method = TALLOC_P(auth_context->mem_ctx, auth_methods); @@ -1550,41 +1692,29 @@ BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_me return True; } -/**************************************************************************** - Delete a SID token. -****************************************************************************/ - -void delete_nt_token(NT_USER_TOKEN **pptoken) -{ - if (*pptoken) { - NT_USER_TOKEN *ptoken = *pptoken; - - SAFE_FREE( ptoken->user_sids ); - ZERO_STRUCTP(ptoken); - } - SAFE_FREE(*pptoken); -} - /**************************************************************************** Duplicate a SID token. ****************************************************************************/ -NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) +NT_USER_TOKEN *dup_nt_token(TALLOC_CTX *mem_ctx, NT_USER_TOKEN *ptoken) { NT_USER_TOKEN *token; if (!ptoken) return NULL; - if ((token = SMB_MALLOC_P(NT_USER_TOKEN)) == NULL) + token = TALLOC_P(mem_ctx, NT_USER_TOKEN); + if (token == NULL) { + DEBUG(0, ("talloc failed\n")); return NULL; + } - ZERO_STRUCTP(token); - - token->user_sids = (DOM_SID *)memdup( ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids ); - - if ( !token ) { - SAFE_FREE(token); + token->user_sids = talloc_memdup(token, ptoken->user_sids, + sizeof(DOM_SID) * ptoken->num_sids ); + + if ((ptoken->user_sids != NULL) && (token->user_sids == NULL)) { + DEBUG(0, ("talloc_memdup failed\n")); + talloc_free(token); return NULL; } @@ -1593,7 +1723,8 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) /* copy the privileges; don't consider failure to be critical here */ if ( !se_priv_copy( &token->privileges, &ptoken->privileges ) ) { - DEBUG(0,("dup_nt_token: Failure to copy SE_PRIV!. Continuing with 0 privileges assigned.\n")); + DEBUG(0,("dup_nt_token: Failure to copy SE_PRIV!. " + "Continuing with 0 privileges assigned.\n")); } return token; @@ -1603,7 +1734,7 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) Check for a SID in an NT_USER_TOKEN ****************************************************************************/ -static BOOL nt_token_check_sid ( DOM_SID *sid, NT_USER_TOKEN *token ) +BOOL nt_token_check_sid ( const DOM_SID *sid, const NT_USER_TOKEN *token ) { int i; @@ -1626,9 +1757,10 @@ BOOL nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid ) a DC or standalone server, use our own SID */ if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) { - if ( !secrets_fetch_domain_sid( lp_workgroup(), &domain_sid ) ) { - DEBUG(1,("nt_token_check_domain_rid: Cannot lookup SID for domain [%s]\n", - lp_workgroup())); + if ( !secrets_fetch_domain_sid( lp_workgroup(), + &domain_sid ) ) { + DEBUG(1,("nt_token_check_domain_rid: Cannot lookup " + "SID for domain [%s]\n", lp_workgroup())); return False; } } @@ -1662,9 +1794,10 @@ BOOL is_trusted_domain(const char* dom_name) if ( IS_DC ) { become_root(); - DEBUG (5,("is_trusted_domain: Checking for domain trust with [%s]\n", - dom_name )); - ret = secrets_fetch_trusted_domain_password(dom_name, NULL, NULL, NULL); + DEBUG (5,("is_trusted_domain: Checking for domain trust with " + "[%s]\n", dom_name )); + ret = secrets_fetch_trusted_domain_password(dom_name, NULL, + NULL, NULL); unbecome_root(); if (ret) return True; -- cgit From 75ef18fa7510d894ccc4540d82616110c3166db3 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sat, 11 Feb 2006 21:27:08 +0000 Subject: r13460: by popular demand.... * remove pdb_context data structure * set default group for DOMAIN_RID_GUEST user as RID 513 (just like Windows) * Allow RID 513 to resolve to always resolve to a name * Remove auto mapping of guest account primary group given the previous 2 changes (This used to be commit 7a2da5f0cc05c1920c664c9a690a23bdf854e285) --- source3/auth/auth_util.c | 54 +++++++----------------------------------------- 1 file changed, 8 insertions(+), 46 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 27dab9b9aa..1567b6e40b 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -558,15 +558,13 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, gid_t *gids; auth_serversupplied_info *result; - pwd = getpwnam_alloc(NULL, pdb_get_username(sampass)); - if ( pwd == NULL ) { + if ( !(pwd = getpwnam_alloc(NULL, pdb_get_username(sampass))) ) { DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n", pdb_get_username(sampass))); return NT_STATUS_NO_SUCH_USER; } - result = make_server_info(NULL); - if (result == NULL) { + if ( !(result = make_server_info(NULL)) ) { talloc_free(pwd); return NT_STATUS_NO_MEMORY; } @@ -1136,7 +1134,8 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, Make (and fill) a user_info struct for a guest login. This *must* succeed for smbd to start. If there is no mapping entry for the guest gid, then create one. -***************************************************************************/ +********************** +*****************************************************/ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_info) { @@ -1165,48 +1164,9 @@ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_inf } status = make_server_info_sam(server_info, sampass); - if (!NT_STATUS_IS_OK(status)) { - - /* If there was no initial group mapping for the nobody user, - create one*/ - - if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) { - GROUP_MAP map; - struct passwd *pwd = getpwnam_alloc(NULL, pdb_get_username(sampass)); - - if ( pwd == NULL ) { - DEBUG(1, ("No guest user %s!\n", - pdb_get_username(sampass))); - pdb_free_sam(&sampass); - return NT_STATUS_NO_SUCH_USER; - } - - map.gid = pwd->pw_gid; - sid_copy(&map.sid, get_global_sam_sid()); - sid_append_rid(&map.sid, DOMAIN_GROUP_RID_GUESTS); - map.sid_name_use = SID_NAME_DOM_GRP; - fstrcpy(map.nt_name, "Domain Guests"); - map.comment[0] = '\0'; - - if ( !NT_STATUS_IS_OK(pdb_update_group_mapping_entry(&map)) ) { - DEBUG(1, ("Could not update group database for guest user %s\n", - pdb_get_username(sampass) )); - talloc_free(pwd); - pdb_free_sam(&sampass); - return NT_STATUS_NO_SUCH_USER; - } - - talloc_free(pwd); - - /* And try again. */ - status = make_server_info_sam(server_info, sampass); - } - - if (!NT_STATUS_IS_OK(status)) { - pdb_free_sam(&sampass); - return status; - } + pdb_free_sam(&sampass); + return status; } (*server_info)->guest = True; @@ -1264,6 +1224,8 @@ BOOL init_guest_info(void) { if (guest_info != NULL) return True; + + return NT_STATUS_IS_OK(make_new_server_info_guest(&guest_info)); } -- cgit From 301d51e13a1aa4e633e2da161b0dd260a8a499cd Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 13 Feb 2006 17:08:25 +0000 Subject: r13494: Merge the stuff I've done in head the last days. Volker (This used to be commit bb40e544de68f01a6e774753f508e69373b39899) --- source3/auth/auth_util.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1567b6e40b..ad02b24a42 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1018,6 +1018,72 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, return result; } +/*************************************************************************** + Build upon create_token_from_username: + + Expensive helper function to figure out whether a user given its name is + member of a particular group. +***************************************************************************/ +BOOL user_in_group_sid(const char *username, const DOM_SID *group_sid) +{ + NTSTATUS status; + uid_t uid; + gid_t gid; + char *found_username; + struct nt_user_token *token; + BOOL result; + + TALLOC_CTX *mem_ctx; + + mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + DEBUG(0, ("talloc_new failed\n")); + return False; + } + + status = create_token_from_username(mem_ctx, username, False, + &uid, &gid, &found_username, + &token); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("could not create token for %s\n", username)); + return False; + } + + result = nt_token_check_sid(group_sid, token); + + talloc_free(mem_ctx); + return result; + +} + +BOOL user_in_group(const char *username, const char *groupname) +{ + TALLOC_CTX *mem_ctx; + DOM_SID group_sid; + NTSTATUS status; + BOOL ret; + + mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + DEBUG(0, ("talloc_new failed\n")); + return False; + } + + ret = lookup_name(mem_ctx, groupname, LOOKUP_NAME_ALL, + NULL, NULL, &group_sid, NULL); + talloc_free(mem_ctx); + + if (!ret) { + DEBUG(10, ("lookup_name(%s) failed: %s\n", groupname, + nt_errstr(status))); + return False; + } + + return user_in_group_sid(username, &group_sid); +} + + /*************************************************************************** Make (and fill) a user_info struct from a Kerberos PAC logon_info by conversion to a SAM_ACCOUNT -- cgit From fb5362c069b5b6548478b2217a0519c56d856705 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 20 Feb 2006 17:59:58 +0000 Subject: r13571: Replace all calls to talloc_free() with thye TALLOC_FREE() macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2) --- source3/auth/auth_util.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index ad02b24a42..3e7c520fc5 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -522,7 +522,7 @@ static int server_info_dtor(void *p) } /*************************************************************************** - Make a server_info struct. Free with talloc_free(). + Make a server_info struct. Free with TALLOC_FREE(). ***************************************************************************/ static auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx) @@ -565,7 +565,7 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, } if ( !(result = make_server_info(NULL)) ) { - talloc_free(pwd); + TALLOC_FREE(pwd); return NT_STATUS_NO_MEMORY; } @@ -574,7 +574,7 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, result->gid = pwd->pw_gid; result->uid = pwd->pw_uid; - talloc_free(pwd); + TALLOC_FREE(pwd); status = pdb_enum_group_memberships(result, sampass, &result->sids, &gids, @@ -584,14 +584,14 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, DEBUG(10, ("pdb_enum_group_memberships failed: %s\n", nt_errstr(status))); result->sam_account = NULL; /* Don't free on error exit. */ - talloc_free(result); + TALLOC_FREE(result); return status; } /* For now we throw away the gids and convert via sid_to_gid * later. This needs fixing, but I'd like to get the code straight and * simple first. */ - talloc_free(gids); + TALLOC_FREE(gids); DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n", pdb_get_username(sampass), result->unix_name)); @@ -793,7 +793,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, talloc_steal(mem_ctx, result); done: - talloc_free(tmp_ctx); + TALLOC_FREE(tmp_ctx); return result; } @@ -846,7 +846,7 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) status = log_nt_token(mem_ctx, server_info->ptok); - talloc_free(mem_ctx); + TALLOC_FREE(mem_ctx); return status; } @@ -1014,7 +1014,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, result = NT_STATUS_OK; done: - talloc_free(tmp_ctx); + TALLOC_FREE(tmp_ctx); return result; } @@ -1052,7 +1052,7 @@ BOOL user_in_group_sid(const char *username, const DOM_SID *group_sid) result = nt_token_check_sid(group_sid, token); - talloc_free(mem_ctx); + TALLOC_FREE(mem_ctx); return result; } @@ -1072,7 +1072,7 @@ BOOL user_in_group(const char *username, const char *groupname) ret = lookup_name(mem_ctx, groupname, LOOKUP_NAME_ALL, NULL, NULL, &group_sid, NULL); - talloc_free(mem_ctx); + TALLOC_FREE(mem_ctx); if (!ret) { DEBUG(10, ("lookup_name(%s) failed: %s\n", groupname, @@ -1182,14 +1182,14 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("pdb_enum_group_memberships failed: %s\n", nt_errstr(status))); - talloc_free(result); + TALLOC_FREE(result); return status; } /* For now we throw away the gids and convert via sid_to_gid * later. This needs fixing, but I'd like to get the code straight and * simple first. */ - talloc_free(gids); + TALLOC_FREE(gids); *server_info = result; @@ -1349,7 +1349,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, *found_username)); nt_status = pdb_init_sam_pw(sam_account, passwd); - talloc_free(passwd); + TALLOC_FREE(passwd); return nt_status; } @@ -1622,7 +1622,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, info3->gids[i].g_rid)) { DEBUG(3,("could not append additional group rid " "0x%x\n", info3->gids[i].g_rid)); - talloc_free(result); + TALLOC_FREE(result); return NT_STATUS_INVALID_PARAMETER; } add_sid_to_array(result, &sid, &result->sids, @@ -1742,7 +1742,7 @@ NT_USER_TOKEN *dup_nt_token(TALLOC_CTX *mem_ctx, NT_USER_TOKEN *ptoken) if ((ptoken->user_sids != NULL) && (token->user_sids == NULL)) { DEBUG(0, ("talloc_memdup failed\n")); - talloc_free(token); + TALLOC_FREE(token); return NULL; } -- cgit From 2203bed32c84c63737f402accf73452efb76b483 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 20 Feb 2006 20:09:36 +0000 Subject: r13576: This is the beginnings of moving the SAM_ACCOUNT data structure to make full use of the new talloc() interface. Discussed with Volker and Jeremy. * remove the internal mem_ctx and simply use the talloc() structure as the context. * replace the internal free_fn() with a talloc_destructor() function * remove the unnecessary private nested structure * rename SAM_ACCOUNT to 'struct samu' to indicate the current an upcoming changes. Groups will most likely be replaced with a 'struct samg' in the future. Note that there are now passbd API changes. And for the most part, the wrapper functions remain the same. While this code has been tested on tdb and ldap based Samba PDC's as well as Samba member servers, there are probably still some bugs. The code also needs more testing under valgrind to ensure it's not leaking memory. But it's a start...... (This used to be commit 19b7593972480540283c5bf02c02e5ecd8d2c3f0) --- source3/auth/auth_util.c | 54 ++++++++++++++++++++++++------------------------ 1 file changed, 27 insertions(+), 27 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 3e7c520fc5..7e6ab021b4 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -514,7 +514,7 @@ static int server_info_dtor(void *p) talloc_get_type_abort(p, auth_serversupplied_info); if (server_info->sam_account != NULL) { - pdb_free_sam(&server_info->sam_account); + TALLOC_FREE(server_info->sam_account); } ZERO_STRUCTP(server_info); @@ -547,11 +547,11 @@ static auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx) } /*************************************************************************** - Make (and fill) a user_info struct from a SAM_ACCOUNT + Make (and fill) a user_info struct from a struct samu ***************************************************************************/ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, - SAM_ACCOUNT *sampass) + struct samu *sampass) { NTSTATUS status; struct passwd *pwd; @@ -949,7 +949,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, /* This is a passdb user, so ask passdb */ - SAM_ACCOUNT *sam_acct = NULL; + struct samu *sam_acct = NULL; result = pdb_init_sam_talloc(tmp_ctx, &sam_acct); if (!NT_STATUS_IS_OK(result)) { @@ -1086,7 +1086,7 @@ BOOL user_in_group(const char *username, const char *groupname) /*************************************************************************** Make (and fill) a user_info struct from a Kerberos PAC logon_info by - conversion to a SAM_ACCOUNT + conversion to a struct samu ***************************************************************************/ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info, @@ -1095,7 +1095,7 @@ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info, PAC_LOGON_INFO *logon_info) { NTSTATUS status; - SAM_ACCOUNT *sampass = NULL; + struct samu *sampass = NULL; DOM_SID user_sid, group_sid; fstring dom_name; auth_serversupplied_info *result; @@ -1108,7 +1108,7 @@ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info, result = make_server_info(NULL); if (result == NULL) { - pdb_free_sam(&sampass); + TALLOC_FREE(sampass); return NT_STATUS_NO_MEMORY; } @@ -1145,7 +1145,7 @@ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info, /*************************************************************************** Make (and fill) a user_info struct from a 'struct passwd' by conversion - to a SAM_ACCOUNT + to a struct samu ***************************************************************************/ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, @@ -1153,7 +1153,7 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, struct passwd *pwd) { NTSTATUS status; - SAM_ACCOUNT *sampass = NULL; + struct samu *sampass = NULL; gid_t *gids; auth_serversupplied_info *result; @@ -1166,7 +1166,7 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, result = make_server_info(NULL); if (!NT_STATUS_IS_OK(status)) { - pdb_free_sam(&sampass); + TALLOC_FREE(sampass); return status; } @@ -1206,7 +1206,7 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_info) { NTSTATUS status; - SAM_ACCOUNT *sampass = NULL; + struct samu *sampass = NULL; DOM_SID guest_sid; BOOL ret; static const char zeros[16]; @@ -1225,13 +1225,13 @@ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_inf unbecome_root(); if (!ret) { - pdb_free_sam(&sampass); + TALLOC_FREE(sampass); return NT_STATUS_NO_SUCH_USER; } status = make_server_info_sam(server_info, sampass); if (!NT_STATUS_IS_OK(status)) { - pdb_free_sam(&sampass); + TALLOC_FREE(sampass); return status; } @@ -1311,7 +1311,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, const char *username, char **found_username, uid_t *uid, gid_t *gid, - SAM_ACCOUNT **sam_account) + struct samu **sam_account) { NTSTATUS nt_status; fstring dom_user, lower_username; @@ -1453,7 +1453,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, const char *nt_domain; const char *nt_username; - SAM_ACCOUNT *sam_account = NULL; + struct samu *sam_account = NULL; DOM_SID user_sid; DOM_SID group_sid; @@ -1532,74 +1532,74 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, } if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) { - pdb_free_sam(&sam_account); + TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) { - pdb_free_sam(&sam_account); + TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) { - pdb_free_sam(&sam_account); + TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) { - pdb_free_sam(&sam_account); + TALLOC_FREE(sam_account); return NT_STATUS_UNSUCCESSFUL; } if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) { - pdb_free_sam(&sam_account); + TALLOC_FREE(sam_account); return NT_STATUS_UNSUCCESSFUL; } if (!pdb_set_fullname(sam_account, unistr2_static(&(info3->uni_full_name)), PDB_CHANGED)) { - pdb_free_sam(&sam_account); + TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } if (!pdb_set_logon_script(sam_account, unistr2_static(&(info3->uni_logon_script)), PDB_CHANGED)) { - pdb_free_sam(&sam_account); + TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } if (!pdb_set_profile_path(sam_account, unistr2_static(&(info3->uni_profile_path)), PDB_CHANGED)) { - pdb_free_sam(&sam_account); + TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } if (!pdb_set_homedir(sam_account, unistr2_static(&(info3->uni_home_dir)), PDB_CHANGED)) { - pdb_free_sam(&sam_account); + TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } if (!pdb_set_dir_drive(sam_account, unistr2_static(&(info3->uni_dir_drive)), PDB_CHANGED)) { - pdb_free_sam(&sam_account); + TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } result = make_server_info(NULL); if (result == NULL) { DEBUG(4, ("make_server_info failed!\n")); - pdb_free_sam(&sam_account); + TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } /* save this here to _net_sam_logon() doesn't fail (it assumes a - valid SAM_ACCOUNT) */ + valid struct samu) */ result->sam_account = sam_account; result->unix_name = talloc_strdup(result, found_username); -- cgit From cd559192633d78a9f06e239c6a448955f6ea0842 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 21 Feb 2006 14:34:11 +0000 Subject: r13590: * replace all pdb_init_sam[_talloc]() calls with samu_new() * replace all pdb_{init,fill}_sam_pw() calls with samu_set_unix() (This used to be commit 6f1afa4acc93a07d0ee9940822d7715acaae634f) --- source3/auth/auth_util.c | 55 +++++++++++++++++++++++++----------------------- 1 file changed, 29 insertions(+), 26 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7e6ab021b4..bc929fc81d 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -172,7 +172,7 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, and let the "passdb backend" handle unknown users. */ if ( !is_trusted_domain(domain) && !strequal(domain, get_global_sam_name()) ) - domain = get_default_sam_name(); + domain = my_sam_name(); /* we know that it is a trusted domain (and we are allowing them) or it is our domain */ @@ -492,7 +492,7 @@ NT_USER_TOKEN *get_root_nt_token( void ) if ( token ) return token; - if ( !(pw = getpwnam( "root" )) ) { + if ( !(pw = sys_getpwnam( "root" )) ) { DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n")); return NULL; } @@ -951,8 +951,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, struct samu *sam_acct = NULL; - result = pdb_init_sam_talloc(tmp_ctx, &sam_acct); - if (!NT_STATUS_IS_OK(result)) { + if ( !(sam_acct = samu_new( tmp_ctx )) ) { goto done; } @@ -1100,9 +1099,12 @@ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info, fstring dom_name; auth_serversupplied_info *result; - status = pdb_init_sam_pw(&sampass, pwd); - - if (!NT_STATUS_IS_OK(status)) { + if ( !(sampass = samu_new( NULL )) ) { + return NT_STATUS_NO_MEMORY; + } + + status = samu_set_unix( sampass, pwd ); + if ( !NT_STATUS_IS_OK(status) ) { return status; } @@ -1157,8 +1159,11 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, gid_t *gids; auth_serversupplied_info *result; - status = pdb_init_sam_pw(&sampass, pwd); - + if ( !(sampass = samu_new( NULL )) ) { + return NT_STATUS_NO_MEMORY; + } + + status = samu_set_unix( sampass, pwd ); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -1211,10 +1216,8 @@ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_inf BOOL ret; static const char zeros[16]; - status = pdb_init_sam(&sampass); - - if (!NT_STATUS_IS_OK(status)) { - return status; + if ( !(sampass = samu_new( NULL )) ) { + return NT_STATUS_NO_MEMORY; } sid_copy(&guest_sid, get_global_sam_sid()); @@ -1311,7 +1314,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, const char *username, char **found_username, uid_t *uid, gid_t *gid, - struct samu **sam_account) + struct samu *account) { NTSTATUS nt_status; fstring dom_user, lower_username; @@ -1345,11 +1348,12 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, *found_username = talloc_strdup( mem_ctx, real_username ); - DEBUG(5,("fill_sam_account: located username was [%s]\n", - *found_username)); + DEBUG(5,("fill_sam_account: located username was [%s]\n", *found_username)); - nt_status = pdb_init_sam_pw(sam_account, passwd); + nt_status = samu_set_unix( account, passwd ); + TALLOC_FREE(passwd); + return nt_status; } @@ -1452,7 +1456,6 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, char *found_username; const char *nt_domain; const char *nt_username; - struct samu *sam_account = NULL; DOM_SID user_sid; DOM_SID group_sid; @@ -1504,30 +1507,30 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, that is how the current code is designed. Making the change here is the least disruptive place. -- jerry */ + if ( !(sam_account = samu_new( NULL )) ) { + return NT_STATUS_NO_MEMORY; + } + nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username, - &found_username, &uid, &gid, - &sam_account); + &found_username, &uid, &gid, sam_account); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { DEBUG(3,("User %s does not exist, trying to add it\n", internal_username)); smb_create_user( nt_domain, sent_nt_username, NULL); - nt_status = fill_sam_account( mem_ctx, nt_domain, - sent_nt_username, - &found_username, &uid, &gid, - &sam_account ); + nt_status = fill_sam_account( mem_ctx, nt_domain, sent_nt_username, + &found_username, &uid, &gid, sam_account ); } /* if we still don't have a valid unix account check for 'map to gues = bad uid' */ if (!NT_STATUS_IS_OK(nt_status)) { + TALLOC_FREE( sam_account ); if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) { make_server_info_guest(server_info); return NT_STATUS_OK; } - - DEBUG(0, ("make_server_info_info3: pdb_init_sam failed!\n")); return nt_status; } -- cgit From d95e13e68f3c7ac517a45877b351849ef4a99b93 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 24 Feb 2006 21:36:40 +0000 Subject: r13679: Commiting the rm_primary_group.patch posted on samba-technical * ignore the primary group SID attribute from struct samu* * generate the primary group SID strictlky from the Unix primary group when dealing with passdb users * Fix memory leak in original patch caused by failing to free a talloc * * add wrapper around samu_set_unix() to prevent exposing the create BOOL to callers. Wrappers are samu_set_unix() and samu-allic_rid_unix() (This used to be commit bcf269e2ec6630b78d909010fabd3b69dd6dda84) --- source3/auth/auth_util.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index bc929fc81d..1d6a3a21a8 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1273,14 +1273,18 @@ static auth_serversupplied_info *copy_serverinfo(auth_serversupplied_info *src) sizeof(gid_t)*dst->n_groups); else dst->groups = NULL; + dst->ptok = dup_nt_token(dst, src->ptok); - dst->user_session_key = data_blob_talloc( - dst, src->user_session_key.data, + + dst->user_session_key = data_blob_talloc( dst, src->user_session_key.data, src->user_session_key.length); - dst->lm_session_key = data_blob_talloc( - dst, src->lm_session_key.data, + + dst->lm_session_key = data_blob_talloc(dst, src->lm_session_key.data, src->lm_session_key.length); - pdb_copy_sam_account(src->sam_account, &dst->sam_account); + + if ( (dst->sam_account = samu_new( NULL )) != NULL ) + pdb_copy_sam_account(dst->sam_account, src->sam_account); + dst->pam_handle = NULL; dst->unix_name = talloc_strdup(dst, src->unix_name); -- cgit From 49739134adb58d0a90c0f0d6f63ca8e6d1d5493a Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 27 Feb 2006 02:14:26 +0000 Subject: r13705: Fix a typo (and janitor for myself). (This used to be commit 37b0166d3f15bfcf155b0c3d927cc838b8f55c3c) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1d6a3a21a8..e5cf840c03 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1527,7 +1527,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, } /* if we still don't have a valid unix account check for - 'map to gues = bad uid' */ + 'map to guest = bad user' */ if (!NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE( sam_account ); -- cgit From bd97e1a5eae982feda5e5bbd08e7f4e3b6473baf Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 27 Feb 2006 02:44:41 +0000 Subject: r13706: Fix typo in typo fix. (-: (This used to be commit 06be7711269acbcd481ebdef5b9493dab138c81c) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index e5cf840c03..2de362cabe 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1527,7 +1527,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, } /* if we still don't have a valid unix account check for - 'map to guest = bad user' */ + 'map to guest = bad uid' */ if (!NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE( sam_account ); -- cgit From e54786b53543b4667288c64abb55478fddd95061 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 27 Feb 2006 10:32:45 +0000 Subject: r13711: * Correctly handle acb_info/acct_flags as uint32 not as uint16. * Fix a couple of related parsing issues. * in the info3 reply in a samlogon, return the ACB-flags (instead of returning zero) Guenther (This used to be commit 5b89e8bc24f0fdc8b52d5c9e849aba723df34ea7) --- source3/auth/auth_util.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 2de362cabe..1f853e5eb9 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1598,6 +1598,11 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } + if (!pdb_set_acct_ctrl(sam_account, info3->acct_flags, PDB_CHANGED)) { + TALLOC_FREE(sam_account); + return NT_STATUS_NO_MEMORY; + } + result = make_server_info(NULL); if (result == NULL) { DEBUG(4, ("make_server_info failed!\n")); -- cgit From 5f76ee419e98bb113eead87eac9a1d7fee80e82f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 7 Mar 2006 20:14:47 +0000 Subject: r13981: Fix Coverity bug # 138 (This used to be commit 303067ba3bdf34ab501f0d99e386cfdb6ab10233) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1f853e5eb9..065e9d1899 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -76,7 +76,7 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name)); *user_info = SMB_MALLOC_P(auth_usersupplied_info); - if (!user_info) { + if (*user_info == NULL) { DEBUG(0,("malloc failed for user_info (size %lu)\n", (unsigned long)sizeof(*user_info))); return NT_STATUS_NO_MEMORY; } -- cgit From 29c8cef22d48cdc95f121d6e3eea66d471a1e4fb Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 8 Mar 2006 15:18:14 +0000 Subject: r14042: check that create_local_nt_token() succeeds before dereferncing the NT_USER_TOKEN* (This used to be commit 4e5df4cb643886144d0fff4cac303e493c825955) --- source3/auth/auth_util.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 065e9d1899..263d8f2df7 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -821,6 +821,10 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) pdb_get_group_sid(server_info->sam_account), server_info->guest, server_info->num_sids, server_info->sids); + + if ( !server_info->ptok ) { + return NT_STATUS_NO_SUCH_USER; + } /* Convert the SIDs to gids. */ -- cgit From 1de2983de4ea1a482c294a9ecce8437cc35ff7ee Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 9 Mar 2006 22:31:37 +0000 Subject: r14112: * fix checks on return code from register_vuid() which could actually fail and we would still return success in the SMBsesssetup reply :-( * Make sure to create the local token for the server_fino struct in reply_spnego_kerberos() so that register_vuid() does not fail. (how did this ever work?) (This used to be commit 8dafa45b97020d1aceb027a85e18401c965bf402) --- source3/auth/auth_util.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 263d8f2df7..357da1fdb7 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1301,8 +1301,6 @@ BOOL init_guest_info(void) { if (guest_info != NULL) return True; - - return NT_STATUS_IS_OK(make_new_server_info_guest(&guest_info)); } -- cgit From d3d4e224785cae86b99cc748555aff9ac57de200 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 10 Mar 2006 08:26:40 +0000 Subject: r14129: Add the group sids from the Kerberos PAC to the user token. Guenther (This used to be commit 1280d79111ae56c6a1b4daf7a1d6d413d1f4df64) --- source3/auth/auth_util.c | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 357da1fdb7..99ce6620c3 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1102,6 +1102,7 @@ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info, DOM_SID user_sid, group_sid; fstring dom_name; auth_serversupplied_info *result; + int i; if ( !(sampass = samu_new( NULL )) ) { return NT_STATUS_NO_MEMORY; @@ -1139,10 +1140,36 @@ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info, result->uid = pwd->pw_uid; result->gid = pwd->pw_gid; - /* TODO: Add groups from pac */ result->sids = NULL; result->num_sids = 0; + /* and create (by appending rids) the 'domain' sids */ + + for (i = 0; i < logon_info->info3.num_groups2; i++) { + DOM_SID sid; + if (!sid_compose(&sid, &logon_info->info3.dom_sid.sid, + logon_info->info3.gids[i].g_rid)) { + DEBUG(3,("could not append additional group rid " + "0x%x\n", logon_info->info3.gids[i].g_rid)); + TALLOC_FREE(result); + return NT_STATUS_INVALID_PARAMETER; + } + add_sid_to_array(result, &sid, &result->sids, + &result->num_sids); + } + + /* Copy 'other' sids. We need to do sid filtering here to + prevent possible elevation of privileges. See: + + http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp + */ + + for (i = 0; i < logon_info->info3.num_other_sids; i++) { + add_sid_to_array(result, &logon_info->info3.other_sids[i].sid, + &result->sids, + &result->num_sids); + } + *server_info = result; return NT_STATUS_OK; -- cgit From c077d363a4f14afd2c83d57dcd52e6a2c1a2d42b Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 10 Mar 2006 08:43:32 +0000 Subject: r14130: Remove make_server_info_pac alltogether, make_server_info_info3 does already do what we need. Guenther (This used to be commit 773e33c9717ae04f48983ddc49f7619a97523603) --- source3/auth/auth_util.c | 89 ------------------------------------------------ 1 file changed, 89 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 99ce6620c3..14aaa4c5ee 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1087,95 +1087,6 @@ BOOL user_in_group(const char *username, const char *groupname) } -/*************************************************************************** - Make (and fill) a user_info struct from a Kerberos PAC logon_info by - conversion to a struct samu -***************************************************************************/ - -NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info, - char *unix_username, - struct passwd *pwd, - PAC_LOGON_INFO *logon_info) -{ - NTSTATUS status; - struct samu *sampass = NULL; - DOM_SID user_sid, group_sid; - fstring dom_name; - auth_serversupplied_info *result; - int i; - - if ( !(sampass = samu_new( NULL )) ) { - return NT_STATUS_NO_MEMORY; - } - - status = samu_set_unix( sampass, pwd ); - if ( !NT_STATUS_IS_OK(status) ) { - return status; - } - - result = make_server_info(NULL); - if (result == NULL) { - TALLOC_FREE(sampass); - return NT_STATUS_NO_MEMORY; - } - - /* only copy user_sid, group_sid and domain name out of the PAC for - * now, we will benefit from more later - Guenther */ - - sid_copy(&user_sid, &logon_info->info3.dom_sid.sid); - sid_append_rid(&user_sid, logon_info->info3.user_rid); - pdb_set_user_sid(sampass, &user_sid, PDB_SET); - - sid_copy(&group_sid, &logon_info->info3.dom_sid.sid); - sid_append_rid(&group_sid, logon_info->info3.group_rid); - pdb_set_group_sid(sampass, &group_sid, PDB_SET); - - unistr2_to_ascii(dom_name, &logon_info->info3.uni_logon_dom, -1); - pdb_set_domain(sampass, dom_name, PDB_SET); - - pdb_set_logon_count(sampass, logon_info->info3.logon_count, PDB_SET); - - result->sam_account = sampass; - result->unix_name = talloc_strdup(result, unix_username); - result->uid = pwd->pw_uid; - result->gid = pwd->pw_gid; - - result->sids = NULL; - result->num_sids = 0; - - /* and create (by appending rids) the 'domain' sids */ - - for (i = 0; i < logon_info->info3.num_groups2; i++) { - DOM_SID sid; - if (!sid_compose(&sid, &logon_info->info3.dom_sid.sid, - logon_info->info3.gids[i].g_rid)) { - DEBUG(3,("could not append additional group rid " - "0x%x\n", logon_info->info3.gids[i].g_rid)); - TALLOC_FREE(result); - return NT_STATUS_INVALID_PARAMETER; - } - add_sid_to_array(result, &sid, &result->sids, - &result->num_sids); - } - - /* Copy 'other' sids. We need to do sid filtering here to - prevent possible elevation of privileges. See: - - http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp - */ - - for (i = 0; i < logon_info->info3.num_other_sids; i++) { - add_sid_to_array(result, &logon_info->info3.other_sids[i].sid, - &result->sids, - &result->num_sids); - } - - *server_info = result; - - return NT_STATUS_OK; -} - - /*************************************************************************** Make (and fill) a user_info struct from a 'struct passwd' by conversion to a struct samu -- cgit From 0ce53f8ba5110381ad6f910abe581a69019135b8 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 15 Mar 2006 00:10:38 +0000 Subject: r14403: * modifies create_local_nt_token() to create a BUILTIN\Administrators group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes' * Add a SID domain to the group mapping enumeration passdb call to fix the checks for local and builtin groups. The SID can be NULL if you want the old semantics for internal maintenance. I only updated the tdb group mapping code. * remove any group mapping from the tdb that have a gid of -1 for better consistency with pdb_ldap.c. The fixes the problem with calling add_group_map() in the tdb code for unmapped groups which might have had a record present. * Ensure that we distinguish between groups in the BUILTIN and local machine domains via getgrnam() Other wise BUILTIN\Administrators & SERVER\Administrators would resolve to the same gid. * Doesn't strip the global_sam_name() from groups in the local machine's domain (this is required to work with 'winbind default domain' code) Still todo. * Fix fallback Administrators membership for root and domain Admins if nested groups = no or winbindd is not running * issues with "su - user -c 'groups'" command * There are a few outstanding issues with BUILTIN\Users that Windows apparently tends to assume. I worked around this presently with a manual group mapping but I do not think this is a good solution. So I'll probably add some similar as I did for Administrators. (This used to be commit 612979476aef62e8e8eef632fa6be7d30282bb83) --- source3/auth/auth_util.c | 135 ++++++++++++++++++++++++++++++++++------------- 1 file changed, 97 insertions(+), 38 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 14aaa4c5ee..5b88945284 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -677,9 +677,68 @@ static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token) return NT_STATUS_OK; } -/* - * Create a NT token for the user, expanding local aliases - */ +/******************************************************************* +*******************************************************************/ + +static NTSTATUS add_builtin_administrators( TALLOC_CTX *ctx, struct nt_user_token *token ) +{ + return NT_STATUS_OK; +} + +/******************************************************************* +*******************************************************************/ + +static NTSTATUS create_builtin_administrators( void ) +{ + NTSTATUS status; + DOM_SID dom_admins, root_sid; + fstring root_name; + enum SID_NAME_USE type; + TALLOC_CTX *ctx; + BOOL ret; + + status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_ADMINS ); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(0,("create_builtin_administrators: Failed to create Administrators\n")); + return status; + } + + /* add domain admins */ + if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) + && secrets_fetch_domain_sid(lp_workgroup(), &dom_admins)) + { + sid_append_rid(&dom_admins, DOMAIN_GROUP_RID_ADMINS); + status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &dom_admins ); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(0,("create_builtin_administrators: Failed to add Domain Admins" + " Administrators\n")); + return status; + } + } + + /* add root */ + if ( (ctx = talloc_init(NULL)) == NULL ) { + return NT_STATUS_NO_MEMORY; + } + fstr_sprintf( root_name, "%s\\root", get_global_sam_name() ); + ret = lookup_name( ctx, root_name, 0, NULL, NULL, &root_sid, &type ); + TALLOC_FREE( ctx ); + + if ( ret ) { + status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &root_sid ); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(0,("create_builtin_administrators: Failed to add root" + " Administrators\n")); + return status; + } + } + + return NT_STATUS_OK; +} + +/******************************************************************* + Create a NT token for the user, expanding local aliases +*******************************************************************/ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, const DOM_SID *user_sid, @@ -692,6 +751,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, struct nt_user_token *result = NULL; int i; NTSTATUS status; + gid_t gid; tmp_ctx = talloc_new(mem_ctx); if (tmp_ctx == NULL) { @@ -705,12 +765,15 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, goto done; } - /* First create the default SIDs */ + /* Add the user and primary group sid */ add_sid_to_array(result, user_sid, &result->user_sids, &result->num_sids); add_sid_to_array(result, group_sid, &result->user_sids, &result->num_sids); + + /* Add in BUILTIN sids */ + add_sid_to_array(result, &global_sid_World, &result->user_sids, &result->num_sids); add_sid_to_array(result, &global_sid_Network, @@ -723,7 +786,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, add_sid_to_array(result, &global_sid_Authenticated_Users, &result->user_sids, &result->num_sids); } - + /* Now the SIDs we got from authentication. These are the ones from * the info3 struct or from the pdb_enum_group_memberships, depending * on who authenticated the user. */ @@ -732,7 +795,35 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, add_sid_to_array_unique(result, &groupsids[i], &result->user_sids, &result->num_sids); } + + /* Deal with the BUILTIN\Administrators group. If the SID can + be resolved then assume that the add_aliasmem( S-1-5-32 ) + handled it. */ + + if ( !sid_to_gid( &global_sid_Builtin_Administrators, &gid ) ) { + /* We can only create a mapping if winbind is running + and the nested group functionality has been enabled */ + + if ( lp_winbind_nested_groups() ) { + become_root(); + status = create_builtin_administrators( ); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n")); + /* don't fail, just log the message */ + } + unbecome_root(); + } + else { + status = add_builtin_administrators( tmp_ctx, result ); + if ( !NT_STATUS_IS_OK(status) ) { + result = NULL; + goto done; + } + } + } + /* Deal with local groups */ + if (lp_winbind_nested_groups()) { /* Now add the aliases. First the one from our local SAM */ @@ -752,40 +843,8 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, result = NULL; goto done; } - } else { - - /* Play jerry's trick to auto-add local admins if we're a - * domain admin. */ - - DOM_SID dom_admins; - BOOL domain_mode = False; - - if (IS_DC) { - sid_compose(&dom_admins, get_global_sam_sid(), - DOMAIN_GROUP_RID_ADMINS); - domain_mode = True; - } - if ((lp_server_role() == ROLE_DOMAIN_MEMBER) && - (secrets_fetch_domain_sid(lp_workgroup(), &dom_admins))) { - sid_append_rid(&dom_admins, DOMAIN_GROUP_RID_ADMINS); - domain_mode = True; - } + } - if (domain_mode) { - for (i=0; inum_sids; i++) { - if (sid_equal(&dom_admins, - &result->user_sids[i])) { - add_sid_to_array_unique( - result, - &global_sid_Builtin_Administrators, - &result->user_sids, - &result->num_sids); - break; - } - } - - } - } get_privileges_for_sids(&result->privileges, result->user_sids, result->num_sids); -- cgit From 8723178048f3b98938476c41679d46ed1f809515 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 15 Mar 2006 03:46:20 +0000 Subject: r14421: This does two things * Automatically creates the BUILTIN\Users group similar to how BUILTIN\Administrators is done. This code does need to be cleaned up considerably. I'll continue to work on this. * The important fix is for getusergroups() when dealing with a local user and nested groups. Now I can run the following successfully: $ su - jerry -c groups users BUILTIN\users (This used to be commit f54d911e686ffd68ddc6dbc073987b9d8eb2fa5b) --- source3/auth/auth_util.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5b88945284..776b2fb3d7 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -688,6 +688,36 @@ static NTSTATUS add_builtin_administrators( TALLOC_CTX *ctx, struct nt_user_toke /******************************************************************* *******************************************************************/ +static NTSTATUS create_builtin_users( void ) +{ + NTSTATUS status; + DOM_SID dom_users; + + status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_USERS ); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(0,("create_builtin_users: Failed to create Users\n")); + return status; + } + + /* add domain users */ + if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) + && secrets_fetch_domain_sid(lp_workgroup(), &dom_users)) + { + sid_append_rid(&dom_users, DOMAIN_GROUP_RID_USERS ); + status = pdb_add_aliasmem( &global_sid_Builtin_Users, &dom_users); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(0,("create_builtin_administrators: Failed to add Domain Users to" + " Users\n")); + return status; + } + } + + return NT_STATUS_OK; +} + +/******************************************************************* +*******************************************************************/ + static NTSTATUS create_builtin_administrators( void ) { NTSTATUS status; @@ -822,6 +852,25 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, } } + /* Deal with the BUILTIN\Users group. If the SID can + be resolved then assume that the add_aliasmem( S-1-5-32 ) + handled it. */ + + if ( !sid_to_gid( &global_sid_Builtin_Users, &gid ) ) { + /* We can only create a mapping if winbind is running + and the nested group functionality has been enabled */ + + if ( lp_winbind_nested_groups() ) { + become_root(); + status = create_builtin_users( ); + if ( !NT_STATUS_IS_OK(status) ) { + DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n")); + /* don't fail, just log the message */ + } + unbecome_root(); + } + } + /* Deal with local groups */ if (lp_winbind_nested_groups()) { -- cgit From 8641d7d4067b0037b6ddb7216ada7d497bbf091c Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 20 Mar 2006 10:55:48 +0000 Subject: r14578: fix incorrect comment in fill_sam_account(). This function is called from multiple places now (krb5, winbindd auth and domain_client_validate() (This used to be commit ddad66ec58d09f89105ceb822b7bea534dafd9e6) --- source3/auth/auth_util.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 776b2fb3d7..2ece2a6150 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1379,10 +1379,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, fstr_sprintf(dom_user, "%s%c%s", domain, *lp_winbind_separator(), lower_username); - /* get the passwd struct but don't create the user if he/she - does not exist. We were explicitly called from a following - a winbindd authentication request so we should assume that - nss_winbindd is working */ + /* Get the passwd struct. Try to create the account is necessary. */ map_username( dom_user ); -- cgit From 1839b4be14e905428257eb999def184d73dcf08f Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 22 Mar 2006 08:04:13 +0000 Subject: r14634: Many bug fixes thanks to train rides and overnight stays in airports * Finally fix parsing idmap uid/gid ranges not to break with spaces surrounding the '-' * Allow local groups to renamed by adding info level 2 to _samr_set_aliasinfo() * Fix parsing bug in _samr_del_dom_alias() reply * Prevent root from being deleted via Samba * Prevent builting groups from being renamed or deleted * Fix bug in pdb_tdb that broke renaming user accounts * Make sure winbindd is running when trying to create the Administrators and Users BUILTIN groups automatically from smbd (and not just check the winbind nexted groups parameter value). * Have the top level rid allocator verify that the RID it is about to grant is not already assigned in our own SAM (retries up to 250 times). This fixes passdb with existing SIDs assigned to users from the RID algorithm but not monotonically allocating the RIDs from passdb. (This used to be commit db1162241f79c2af8afb7d8c26e8ed1c4a4b476f) --- source3/auth/auth_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 2ece2a6150..31bc2664b8 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -834,7 +834,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, /* We can only create a mapping if winbind is running and the nested group functionality has been enabled */ - if ( lp_winbind_nested_groups() ) { + if ( lp_winbind_nested_groups() && winbind_ping() ) { become_root(); status = create_builtin_administrators( ); if ( !NT_STATUS_IS_OK(status) ) { @@ -860,7 +860,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, /* We can only create a mapping if winbind is running and the nested group functionality has been enabled */ - if ( lp_winbind_nested_groups() ) { + if ( lp_winbind_nested_groups() && winbind_ping() ) { become_root(); status = create_builtin_users( ); if ( !NT_STATUS_IS_OK(status) ) { -- cgit From a2e2032d080804b4555df8938e53b395e3fe0b7b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 14 Apr 2006 19:36:36 +0000 Subject: r15086: Get defensive about creating user accounts when winbindd fails (but is present). (This used to be commit 77fb19c45dcb07f5b675831979fbd74a99e30638) --- source3/auth/auth_util.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 31bc2664b8..4ffbba2e23 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1469,9 +1469,12 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, char *domuser, pw = Get_Pwnam_alloc(mem_ctx, username); - /* Create local user if requested. */ + /* Create local user if requested but only if winbindd + is not running. We need to protect against cases + where winbindd is failing and then prematurely + creating users in /etc/passwd */ - if ( !pw && create ) { + if ( !pw && create && !winbind_ping() ) { /* Don't add a machine account. */ if (username[strlen(username)-1] == '$') return NULL; -- cgit From 8719dc2b93a93e97284cee8b9a9136d8c9c46657 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 2 May 2006 12:13:23 +0000 Subject: r15393: remove extra call to fallback user creation on member servers; it's handled by the smb_getpwnam() call deeper in (This used to be commit 7433dba78bda27cd6366a49b0efc10a387439ccd) --- source3/auth/auth_util.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 4ffbba2e23..c6d7b44d4e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1563,16 +1563,11 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } + /* this call will try to create the user if necessary */ + nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username, &found_username, &uid, &gid, sam_account); - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { - DEBUG(3,("User %s does not exist, trying to add it\n", - internal_username)); - smb_create_user( nt_domain, sent_nt_username, NULL); - nt_status = fill_sam_account( mem_ctx, nt_domain, sent_nt_username, - &found_username, &uid, &gid, sam_account ); - } /* if we still don't have a valid unix account check for 'map to guest = bad uid' */ -- cgit From 83e4ea7e852e4ae9a4ba6fd187787c76f2d54ef6 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 6 May 2006 15:46:53 +0000 Subject: r15472: Remove an unused function parameter (This used to be commit d2f39ae7fe79fd31846c555849655023a2d1cbc7) --- source3/auth/auth_util.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index c6d7b44d4e..8822d3358c 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1496,7 +1496,6 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, char *domuser, ***************************************************************************/ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, - const char *internal_username, const char *sent_nt_username, const char *domain, auth_serversupplied_info **server_info, -- cgit From dc9f30b8b0ace8d6e2c8c0cbed537fde68d1556a Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 6 May 2006 19:24:35 +0000 Subject: r15475: Ugly and disgusting patch to fix the username map problem I created by changing the token generation. I *hate* this code! Jerry, you have been looking at this as well, can you double-check that I did not screw it up? Thanks, Volker (This used to be commit 2765c4ff8d44c970db3e075b0a2412662f1936c6) --- source3/auth/auth_util.c | 51 ++++++++++++++++++++++++++++++++++++------------ 1 file changed, 38 insertions(+), 13 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 8822d3358c..06fbe1b7e6 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -152,9 +152,11 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, BOOL encrypted) { const char *domain; + NTSTATUS result; + BOOL was_mapped; fstring internal_username; fstrcpy(internal_username, smb_name); - map_username(internal_username); + was_mapped = map_username(internal_username); DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n", client_domain, smb_name, wksta_name)); @@ -176,11 +178,15 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, /* we know that it is a trusted domain (and we are allowing them) or it is our domain */ - return make_user_info(user_info, smb_name, internal_username, + result = make_user_info(user_info, smb_name, internal_username, client_domain, domain, wksta_name, lm_pwd, nt_pwd, lm_interactive_pwd, nt_interactive_pwd, plaintext, encrypted); + if (NT_STATUS_IS_OK(result)) { + (*user_info)->was_mapped = was_mapped; + } + return result; } /**************************************************************************** @@ -923,15 +929,29 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) return NT_STATUS_NO_MEMORY; } - server_info->ptok = create_local_nt_token( - server_info, - pdb_get_user_sid(server_info->sam_account), - pdb_get_group_sid(server_info->sam_account), - server_info->guest, - server_info->num_sids, server_info->sids); + if (server_info->was_mapped) { + status = create_token_from_username(server_info, + server_info->unix_name, + server_info->guest, + &server_info->uid, + &server_info->gid, + &server_info->unix_name, + &server_info->ptok); + + } else { + server_info->ptok = create_local_nt_token( + server_info, + pdb_get_user_sid(server_info->sam_account), + pdb_get_group_sid(server_info->sam_account), + server_info->guest, + server_info->num_sids, server_info->sids); + status = server_info->ptok ? + NT_STATUS_OK : NT_STATUS_NO_SUCH_USER; + } - if ( !server_info->ptok ) { - return NT_STATUS_NO_SUCH_USER; + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(mem_ctx); + return status; } /* Convert the SIDs to gids. */ @@ -1366,7 +1386,8 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, const char *username, char **found_username, uid_t *uid, gid_t *gid, - struct samu *account) + struct samu *account, + BOOL *username_was_mapped) { NTSTATUS nt_status; fstring dom_user, lower_username; @@ -1381,7 +1402,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, /* Get the passwd struct. Try to create the account is necessary. */ - map_username( dom_user ); + *username_was_mapped = map_username( dom_user ); if ( !(passwd = smb_getpwnam( NULL, dom_user, real_username, True )) ) return NT_STATUS_NO_SUCH_USER; @@ -1510,6 +1531,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, struct samu *sam_account = NULL; DOM_SID user_sid; DOM_SID group_sid; + BOOL username_was_mapped; uid_t uid; gid_t gid; @@ -1565,7 +1587,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, /* this call will try to create the user if necessary */ nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username, - &found_username, &uid, &gid, sam_account); + &found_username, &uid, &gid, sam_account, + &username_was_mapped); /* if we still don't have a valid unix account check for @@ -1716,6 +1739,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, sizeof(info3->lm_sess_key)); } + result->was_mapped = username_was_mapped; + *server_info = result; return NT_STATUS_OK; -- cgit From 990c406a89f9ec52d2570928d07f6913a4c31808 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 14 May 2006 14:39:10 +0000 Subject: r15600: Correctly fill in the gid for local users. Volker (This used to be commit 6071dd5db0dbb79a80b248ab93942911bf08fd2b) --- source3/auth/auth_util.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 06fbe1b7e6..64b707bc1a 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1096,6 +1096,12 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, sid_copy(&primary_group_sid, pdb_get_group_sid(sam_acct)); + if (!sid_to_gid(&primary_group_sid, gid)) { + DEBUG(1, ("sid_to_gid(%s) failed\n", + sid_string_static(&primary_group_sid))); + goto done; + } + result = pdb_enum_group_memberships(tmp_ctx, sam_acct, &group_sids, &gids, &num_group_sids); -- cgit From 905bac92ba1b487e733b989089c649ea3b6cf4dc Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 18 May 2006 02:05:53 +0000 Subject: r15676: Fix meaningless debug statement from uninitialized variable. Spotted by "John E. Malmberg" . Jeremy. (This used to be commit ff3fe39b837e0d0de2edaa284c2dd7d1c8161c46) --- source3/auth/auth_util.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 64b707bc1a..f4d32ebdc0 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1198,7 +1198,6 @@ BOOL user_in_group(const char *username, const char *groupname) { TALLOC_CTX *mem_ctx; DOM_SID group_sid; - NTSTATUS status; BOOL ret; mem_ctx = talloc_new(NULL); @@ -1212,8 +1211,7 @@ BOOL user_in_group(const char *username, const char *groupname) TALLOC_FREE(mem_ctx); if (!ret) { - DEBUG(10, ("lookup_name(%s) failed: %s\n", groupname, - nt_errstr(status))); + DEBUG(10, ("lookup_name for (%s) failed.\n", groupname)); return False; } -- cgit From 21eeddb80df515d1b3969f42dc56b9c8e02db3ff Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 11 Jun 2006 16:13:41 +0000 Subject: r16141: Dummy commit to make the build farm re-test against Samba4 16140 (This used to be commit a1fcacf75683e4c08236bb4cc4164678ea1a1ce4) --- source3/auth/auth_util.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index f4d32ebdc0..d02ad66200 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1279,8 +1279,7 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, Make (and fill) a user_info struct for a guest login. This *must* succeed for smbd to start. If there is no mapping entry for the guest gid, then create one. -********************** -*****************************************************/ +***************************************************************************/ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_info) { -- cgit From 780f121462b91c520c5a1bd13e7fcde288e1fad2 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 12 Jun 2006 11:03:49 +0000 Subject: r16150: Fix possible NULL dereference found by Klocwork ID # 17 (This used to be commit 3159bd3a4e3ad70c60fea4cacc892be9f1d71ab9) --- source3/auth/auth_util.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d02ad66200..43ae5c1af6 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1243,10 +1243,9 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, } result = make_server_info(NULL); - - if (!NT_STATUS_IS_OK(status)) { + if (result == NULL) { TALLOC_FREE(sampass); - return status; + return NT_STATUS_NO_MEMORY; } result->sam_account = sampass; -- cgit From d4a80fdf38428c7a0e6cda6da838c8ccc5d8f2ab Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 13 Jun 2006 21:21:44 +0000 Subject: r16209: Klocwork bug #66, ensure no null deref. Jeremy. (This used to be commit 79e693798cf322071ea64a4014a01ad9eaba73e8) --- source3/auth/auth_util.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 43ae5c1af6..fb21d424c5 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1082,6 +1082,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, /* This is a passdb user, so ask passdb */ struct samu *sam_acct = NULL; + const DOM_SID *gr_sid = NULL; if ( !(sam_acct = samu_new( tmp_ctx )) ) { goto done; @@ -1094,7 +1095,13 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto done; } - sid_copy(&primary_group_sid, pdb_get_group_sid(sam_acct)); + gr_sid = pdb_get_group_sid(sam_acct); + if (!gr_sid) { + result = NT_STATUS_NO_MEMORY; + goto done; + } + + sid_copy(&primary_group_sid, gr_sid); if (!sid_to_gid(&primary_group_sid, gid)) { DEBUG(1, ("sid_to_gid(%s) failed\n", -- cgit From f9147c4e408d316d194c4e367dfccbf433cb8ec9 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 15 Jun 2006 01:54:09 +0000 Subject: r16241: Fix Klocwork #106 and others like it. Make 2 important changes. pdb_get_methods() returning NULL is a *fatal* error. Don't try and cope with it just call smb_panic. This removes a *lot* of pointless "if (!pdb)" handling code. Secondly, ensure that if samu_init() fails we *always* back out of a function. That way we are never in a situation where the pdb_XXX() functions need to start with a "if (sampass)" test - this was just bad design, not defensive programming. Jeremy. (This used to be commit a0d368197d6ae6777b7c2c3c6e970ab8ae7ca2ae) --- source3/auth/auth_util.c | 40 ++++++++++++++++++++++++++++++---------- 1 file changed, 30 insertions(+), 10 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index fb21d424c5..9427c7681e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1085,6 +1085,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, const DOM_SID *gr_sid = NULL; if ( !(sam_acct = samu_new( tmp_ctx )) ) { + result = NT_STATUS_NO_MEMORY; goto done; } @@ -1347,25 +1348,44 @@ static auth_serversupplied_info *copy_serverinfo(auth_serversupplied_info *src) dst->uid = src->uid; dst->gid = src->gid; dst->n_groups = src->n_groups; - if (src->n_groups != 0) + if (src->n_groups != 0) { dst->groups = talloc_memdup(dst, src->groups, sizeof(gid_t)*dst->n_groups); - else + } else { dst->groups = NULL; - - dst->ptok = dup_nt_token(dst, src->ptok); + } + + if (src->ptok) { + dst->ptok = dup_nt_token(dst, src->ptok); + if (!dst->ptok) { + TALLOC_FREE(dst); + return NULL; + } + } dst->user_session_key = data_blob_talloc( dst, src->user_session_key.data, - src->user_session_key.length); - + src->user_session_key.length); + dst->lm_session_key = data_blob_talloc(dst, src->lm_session_key.data, - src->lm_session_key.length); - - if ( (dst->sam_account = samu_new( NULL )) != NULL ) - pdb_copy_sam_account(dst->sam_account, src->sam_account); + src->lm_session_key.length); + + dst->sam_account = samu_new(NULL); + if (!dst->sam_account) { + TALLOC_FREE(dst); + return NULL; + } + + if (!pdb_copy_sam_account(dst->sam_account, src->sam_account)) { + TALLOC_FREE(dst); + return NULL; + } dst->pam_handle = NULL; dst->unix_name = talloc_strdup(dst, src->unix_name); + if (!dst->unix_name) { + TALLOC_FREE(dst); + return NULL; + } return dst; } -- cgit From 600b0ae2e97967ebc19639312f03561e4004a7ee Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 22 Jun 2006 19:47:44 +0000 Subject: r16471: Bug reported by Vitaly Protsko in 3.0.23rc1. Add missing automatic add of the Administrators SID in the absence of winbindd and precense of Domain Admins SID in the user's token. (This used to be commit ce7846d6f19f63ca99179b75e6f2195cc593795f) --- source3/auth/auth_util.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 9427c7681e..0401e02b7d 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -688,6 +688,31 @@ static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token) static NTSTATUS add_builtin_administrators( TALLOC_CTX *ctx, struct nt_user_token *token ) { + DOM_SID domadm; + + /* nothing to do if we aren't in a domain */ + + if ( !(IS_DC || lp_server_role()==ROLE_DOMAIN_MEMBER) ) { + return NT_STATUS_OK; + } + + /* Find the Domain Admins SID */ + + if ( IS_DC ) { + sid_copy( &domadm, get_global_sam_sid() ); + } else { + if ( !secrets_fetch_domain_sid( lp_workgroup(), &domadm ) ) + return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + } + sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS ); + + /* Add Administrators if the user beloongs to Domain Admins */ + + if ( nt_token_check_sid( &domadm, token ) ) { + add_sid_to_array(token, &global_sid_Builtin_Administrators, + &token->user_sids, &token->num_sids); + } + return NT_STATUS_OK; } -- cgit From 9d0ccba34c645de612821c929f56b44f74c88c71 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sat, 1 Jul 2006 17:55:07 +0000 Subject: r16749: BUG 3905: don't fail in create_local_nt_token() when a checking for the builtin Administrators group membership. security = server has no domain info in secrets.tdb (This used to be commit fa477969fbbcd9f707461a2d9015bebf719ddfbb) --- source3/auth/auth_util.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 0401e02b7d..df4a4e1b38 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -876,9 +876,10 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, } else { status = add_builtin_administrators( tmp_ctx, result ); - if ( !NT_STATUS_IS_OK(status) ) { - result = NULL; - goto done; + if ( !NT_STATUS_IS_OK(status) ) { + /* just log a complaint but do not fail */ + DEBUG(3,("create_local_nt_token: failed to check for local Administrators" + " membership (%s)\n", nt_errstr(status))); } } } -- cgit From 355cbde8df75d429906e1e2f6e465b20222b4173 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 2 Jul 2006 22:04:29 +0000 Subject: r16766: A warning found by RHEL3. This might actually be 3.0.23 code, maybe there are vasprintf implementations that don't like a NULL format. Volker (This used to be commit 03c665c307e518c9ff66096904873266b145637c) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index df4a4e1b38..c5ce55bc8c 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -778,7 +778,7 @@ static NTSTATUS create_builtin_administrators( void ) } /* add root */ - if ( (ctx = talloc_init(NULL)) == NULL ) { + if ( (ctx = talloc_init("create_builtin_administrators")) == NULL ) { return NT_STATUS_NO_MEMORY; } fstr_sprintf( root_name, "%s\\root", get_global_sam_name() ); -- cgit From fc4abcf02857596c40110f2421facfb70f9be41d Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 7 Jul 2006 18:22:26 +0000 Subject: r16864: Intermediate checkin -- swap the sid_check_is_in_unix_users and sid_check_is_in_our_domain cases. Volker (This used to be commit dc403cec88d91fdeb09cbd04321d88bbdc0f490c) --- source3/auth/auth_util.c | 76 ++++++++++++++++++++++++------------------------ 1 file changed, 38 insertions(+), 38 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index c5ce55bc8c..1c629bca82 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1066,44 +1066,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto done; } - if (sid_check_is_in_unix_users(&user_sid)) { - - /* This is a unix user not in passdb. We need to ask nss - * directly, without consulting passdb */ - - struct passwd *pass; - size_t i; - - pass = getpwuid_alloc(tmp_ctx, *uid); - if (pass == NULL) { - DEBUG(1, ("getpwuid(%d) for user %s failed\n", - *uid, username)); - goto done; - } - - *gid = pass->pw_gid; - gid_to_sid(&primary_group_sid, pass->pw_gid); - - if (!getgroups_unix_user(tmp_ctx, username, pass->pw_gid, - &gids, &num_group_sids)) { - DEBUG(1, ("getgroups_unix_user for user %s failed\n", - username)); - goto done; - } - - group_sids = talloc_array(tmp_ctx, DOM_SID, num_group_sids); - if (group_sids == NULL) { - DEBUG(1, ("talloc_array failed\n")); - result = NT_STATUS_NO_MEMORY; - goto done; - } - - for (i=0; ipw_name); - - } else if (sid_check_is_in_our_domain(&user_sid)) { + if (sid_check_is_in_our_domain(&user_sid)) { /* This is a passdb user, so ask passdb */ @@ -1148,6 +1111,43 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, *found_username = talloc_strdup(mem_ctx, pdb_get_username(sam_acct)); + } else if (sid_check_is_in_unix_users(&user_sid)) { + + /* This is a unix user not in passdb. We need to ask nss + * directly, without consulting passdb */ + + struct passwd *pass; + size_t i; + + pass = getpwuid_alloc(tmp_ctx, *uid); + if (pass == NULL) { + DEBUG(1, ("getpwuid(%d) for user %s failed\n", + *uid, username)); + goto done; + } + + *gid = pass->pw_gid; + gid_to_sid(&primary_group_sid, pass->pw_gid); + + if (!getgroups_unix_user(tmp_ctx, username, pass->pw_gid, + &gids, &num_group_sids)) { + DEBUG(1, ("getgroups_unix_user for user %s failed\n", + username)); + goto done; + } + + group_sids = talloc_array(tmp_ctx, DOM_SID, num_group_sids); + if (group_sids == NULL) { + DEBUG(1, ("talloc_array failed\n")); + result = NT_STATUS_NO_MEMORY; + goto done; + } + + for (i=0; ipw_name); + } else { /* This user is from winbind, force the primary gid to the -- cgit From 3899f95e1f44a4dfe31b42119ad5e14304d8a4b4 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 7 Jul 2006 18:53:19 +0000 Subject: r16865: This is a proposal to fix bug 3915. Before sending patches around, this is what svn is for. The idea is that we fall back to a pure unix user with S-1-22 SIDs in the token in case anything weird is going on with the 'force user'. Volker (This used to be commit 9ec5ccfe851ac8a1f88b88c8c8461a5cf75b4c57) --- source3/auth/auth_util.c | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1c629bca82..493d7393d0 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1081,14 +1081,13 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, if (!pdb_getsampwsid(sam_acct, &user_sid)) { DEBUG(1, ("pdb_getsampwsid(%s) for user %s failed\n", sid_string_static(&user_sid), username)); - result = NT_STATUS_NO_SUCH_USER; - goto done; + DEBUGADD(1, ("Fall back to unix user %s\n", username)); + goto unix_user; } gr_sid = pdb_get_group_sid(sam_acct); if (!gr_sid) { - result = NT_STATUS_NO_MEMORY; - goto done; + goto unix_user; } sid_copy(&primary_group_sid, gr_sid); @@ -1096,7 +1095,8 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, if (!sid_to_gid(&primary_group_sid, gid)) { DEBUG(1, ("sid_to_gid(%s) failed\n", sid_string_static(&primary_group_sid))); - goto done; + DEBUGADD(1, ("Fall back to unix user %s\n", username)); + goto unix_user; } result = pdb_enum_group_memberships(tmp_ctx, sam_acct, @@ -1105,7 +1105,8 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, if (!NT_STATUS_IS_OK(result)) { DEBUG(10, ("enum_group_memberships failed for %s\n", username)); - goto done; + DEBUGADD(1, ("Fall back to unix user %s\n", username)); + goto unix_user; } *found_username = talloc_strdup(mem_ctx, @@ -1119,6 +1120,16 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, struct passwd *pass; size_t i; + /* + * This goto target is used as a fallback for the passdb + * case. The concrete bug report is when passdb gave us an + * unmapped gid. + */ + + unix_user: + + uid_to_unix_users_sid(*uid, &user_sid); + pass = getpwuid_alloc(tmp_ctx, *uid); if (pass == NULL) { DEBUG(1, ("getpwuid(%d) for user %s failed\n", -- cgit From fbdcf2663b56007a438ac4f0d8d82436b1bfe688 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 11 Jul 2006 18:01:26 +0000 Subject: r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8) --- source3/auth/auth_util.c | 104 +++++++++++++++++++++++++++++++++++------------ 1 file changed, 79 insertions(+), 25 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 493d7393d0..823bf8c322 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -611,12 +611,17 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, * Add alias SIDs from memberships within the partially created token SID list */ -static NTSTATUS add_aliases(TALLOC_CTX *tmp_ctx, const DOM_SID *domain_sid, +static NTSTATUS add_aliases(const DOM_SID *domain_sid, struct nt_user_token *token) { uint32 *aliases; size_t i, num_aliases; NTSTATUS status; + TALLOC_CTX *tmp_ctx; + + if (!(tmp_ctx = talloc_init("add_aliases"))) { + return NT_STATUS_NO_MEMORY; + } aliases = NULL; num_aliases = 0; @@ -629,6 +634,7 @@ static NTSTATUS add_aliases(TALLOC_CTX *tmp_ctx, const DOM_SID *domain_sid, if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("pdb_enum_alias_memberships failed: %s\n", nt_errstr(status))); + TALLOC_FREE(tmp_ctx); return status; } @@ -640,10 +646,12 @@ static NTSTATUS add_aliases(TALLOC_CTX *tmp_ctx, const DOM_SID *domain_sid, &token->num_sids); if (token->user_sids == NULL) { DEBUG(0, ("add_sid_to_array failed\n")); + TALLOC_FREE(tmp_ctx); return NT_STATUS_NO_MEMORY; } } + TALLOC_FREE(tmp_ctx); return NT_STATUS_OK; } @@ -686,7 +694,7 @@ static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token) /******************************************************************* *******************************************************************/ -static NTSTATUS add_builtin_administrators( TALLOC_CTX *ctx, struct nt_user_token *token ) +static NTSTATUS add_builtin_administrators( struct nt_user_token *token ) { DOM_SID domadm; @@ -808,22 +816,14 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, int num_groupsids, const DOM_SID *groupsids) { - TALLOC_CTX *tmp_ctx; struct nt_user_token *result = NULL; int i; NTSTATUS status; gid_t gid; - tmp_ctx = talloc_new(mem_ctx); - if (tmp_ctx == NULL) { - DEBUG(0, ("talloc_new failed\n")); - return NULL; - } - - result = TALLOC_ZERO_P(tmp_ctx, NT_USER_TOKEN); - if (result == NULL) { + if (!(result = TALLOC_ZERO_P(mem_ctx, NT_USER_TOKEN))) { DEBUG(0, ("talloc failed\n")); - goto done; + return NULL; } /* Add the user and primary group sid */ @@ -875,7 +875,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, unbecome_root(); } else { - status = add_builtin_administrators( tmp_ctx, result ); + status = add_builtin_administrators( result ); if ( !NT_STATUS_IS_OK(status) ) { /* just log a complaint but do not fail */ DEBUG(3,("create_local_nt_token: failed to check for local Administrators" @@ -896,7 +896,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, become_root(); status = create_builtin_users( ); if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n")); + DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Users group!\n")); /* don't fail, just log the message */ } unbecome_root(); @@ -909,31 +909,26 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, /* Now add the aliases. First the one from our local SAM */ - status = add_aliases(tmp_ctx, get_global_sam_sid(), result); + status = add_aliases(get_global_sam_sid(), result); if (!NT_STATUS_IS_OK(status)) { - result = NULL; - goto done; + TALLOC_FREE(result); + return NULL; } /* Finally the builtin ones */ - status = add_aliases(tmp_ctx, &global_sid_Builtin, result); + status = add_aliases(&global_sid_Builtin, result); if (!NT_STATUS_IS_OK(status)) { - result = NULL; - goto done; + TALLOC_FREE(result); + return NULL; } } get_privileges_for_sids(&result->privileges, result->user_sids, result->num_sids); - - talloc_steal(mem_ctx, result); - - done: - TALLOC_FREE(tmp_ctx); return result; } @@ -1443,6 +1438,65 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; } +BOOL copy_current_user(struct current_user *dst, struct current_user *src) +{ + gid_t *groups; + NT_USER_TOKEN *nt_token; + + groups = memdup(src->ut.groups, sizeof(gid_t) * src->ut.ngroups); + if ((src->ut.ngroups != 0) && (groups == NULL)) { + return False; + } + + nt_token = dup_nt_token(NULL, src->nt_user_token); + if (nt_token == NULL) { + SAFE_FREE(groups); + return False; + } + + dst->conn = src->conn; + dst->vuid = src->vuid; + dst->ut.uid = src->ut.uid; + dst->ut.gid = src->ut.gid; + dst->ut.ngroups = src->ut.ngroups; + dst->ut.groups = groups; + dst->nt_user_token = nt_token; + return True; +} + +BOOL set_current_user_guest(struct current_user *dst) +{ + gid_t *groups; + NT_USER_TOKEN *nt_token; + + groups = memdup(guest_info->groups, + sizeof(gid_t) * guest_info->n_groups); + if (groups == NULL) { + return False; + } + + nt_token = dup_nt_token(NULL, guest_info->ptok); + if (nt_token == NULL) { + SAFE_FREE(groups); + return False; + } + + TALLOC_FREE(dst->nt_user_token); + SAFE_FREE(dst->ut.groups); + + /* dst->conn is never really dereferenced, it's only tested for + * equality in uid.c */ + dst->conn = NULL; + + dst->vuid = UID_FIELD_INVALID; + dst->ut.uid = guest_info->uid; + dst->ut.gid = guest_info->gid; + dst->ut.ngroups = guest_info->n_groups; + dst->ut.groups = groups; + dst->nt_user_token = nt_token; + return True; +} + /*************************************************************************** Purely internal function for make_server_info_info3 Fill the sam account from getpwnam -- cgit From a85395e0f5b18b9359d5785dcbe43e8f42c3448f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 13 Jul 2006 15:03:46 +0000 Subject: r17010: If winbind is not around, add S-1-22-1- to the user's token. See the comment in the patch for the reason. Volker (This used to be commit 5e07ab750af3744e1ee5bfc813d5c6532aff4ecb) --- source3/auth/auth_util.c | 43 ++++++++++++++++++++++++++++++++++--------- 1 file changed, 34 insertions(+), 9 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 823bf8c322..56a3568933 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -958,23 +958,48 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) &server_info->gid, &server_info->unix_name, &server_info->ptok); - + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(mem_ctx); + return status; + } } else { - server_info->ptok = create_local_nt_token( + struct nt_user_token *token; + + token = create_local_nt_token( server_info, pdb_get_user_sid(server_info->sam_account), pdb_get_group_sid(server_info->sam_account), server_info->guest, server_info->num_sids, server_info->sids); - status = server_info->ptok ? - NT_STATUS_OK : NT_STATUS_NO_SUCH_USER; - } - if (!NT_STATUS_IS_OK(status)) { - TALLOC_FREE(mem_ctx); - return status; + if (token == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_SUCH_USER; + } + + /* + * We need to add the unix user sid as not necessarily the + * unix username resolves to the domain user sid. This is an + * artifact of an incomplete lookup_name/sid implementation + * when winbind is not around. + */ + + if (!winbind_ping()) { + DOM_SID unix_user_sid; + uid_to_unix_users_sid(server_info->uid, + &unix_user_sid); + + add_sid_to_array(token, &unix_user_sid, + &token->user_sids, &token->num_sids); + if (token->user_sids == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + } + server_info->ptok = token; + status = NT_STATUS_OK; } - + /* Convert the SIDs to gids. */ server_info->n_groups = 0; -- cgit From de4492b28d6c598a9db37e389e14bdb65330e65a Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 13 Jul 2006 15:37:58 +0000 Subject: r17011: Back out r17010 after talking to Jerry. Another fix pending... Volker (This used to be commit 7a629118ee6f468505172147724f7f532f0f4a4f) --- source3/auth/auth_util.c | 43 +++++++++---------------------------------- 1 file changed, 9 insertions(+), 34 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 56a3568933..823bf8c322 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -958,48 +958,23 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) &server_info->gid, &server_info->unix_name, &server_info->ptok); - if (!NT_STATUS_IS_OK(status)) { - TALLOC_FREE(mem_ctx); - return status; - } + } else { - struct nt_user_token *token; - - token = create_local_nt_token( + server_info->ptok = create_local_nt_token( server_info, pdb_get_user_sid(server_info->sam_account), pdb_get_group_sid(server_info->sam_account), server_info->guest, server_info->num_sids, server_info->sids); - - if (token == NULL) { - TALLOC_FREE(mem_ctx); - return NT_STATUS_NO_SUCH_USER; - } - - /* - * We need to add the unix user sid as not necessarily the - * unix username resolves to the domain user sid. This is an - * artifact of an incomplete lookup_name/sid implementation - * when winbind is not around. - */ - - if (!winbind_ping()) { - DOM_SID unix_user_sid; - uid_to_unix_users_sid(server_info->uid, - &unix_user_sid); - - add_sid_to_array(token, &unix_user_sid, - &token->user_sids, &token->num_sids); - if (token->user_sids == NULL) { - TALLOC_FREE(mem_ctx); - return NT_STATUS_NO_MEMORY; - } - } - server_info->ptok = token; - status = NT_STATUS_OK; + status = server_info->ptok ? + NT_STATUS_OK : NT_STATUS_NO_SUCH_USER; } + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(mem_ctx); + return status; + } + /* Convert the SIDs to gids. */ server_info->n_groups = 0; -- cgit From f8004328f41db5eec4332b2d6fc54ff91dd3a0c1 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 13 Jul 2006 16:28:38 +0000 Subject: r17016: Different and smaller fix for the valid users = username problem. If no winbind is around, the best we can do to get the user's token correct is to ask unix via create_token_from_username. More investigation is needed if this also fixes the +groupname for unmapped groups problems more cleanly. Volker (This used to be commit f6e3ee147ffde572532fb44b619dda01388d4a31) --- source3/auth/auth_util.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 823bf8c322..9fcaffa3d6 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -950,7 +950,13 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) return NT_STATUS_NO_MEMORY; } - if (server_info->was_mapped) { + /* + * If winbind is not around, we can not make much use of the SIDs the + * domain controller provided us with. Likewise if the user name was + * mapped to some local unix user. + */ + + if ((!winbind_ping()) || (server_info->was_mapped)) { status = create_token_from_username(server_info, server_info->unix_name, server_info->guest, -- cgit From 413ec64f27bb955f477b0b6b5737ed58453acd9c Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 13 Jul 2006 20:16:12 +0000 Subject: r17022: Fix the build farm -- maybe this is the real fix, testing more (This used to be commit 19d02690002a35cb6e0204db236d2b768e48c6d8) --- source3/auth/auth_util.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 9fcaffa3d6..dfb4193357 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -956,7 +956,8 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) * mapped to some local unix user. */ - if ((!winbind_ping()) || (server_info->was_mapped)) { + if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) || + (server_info->was_mapped)) { status = create_token_from_username(server_info, server_info->unix_name, server_info->guest, -- cgit From dca7d08e61ecd0f6695a05c44feb58abbc2d8826 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 3 Aug 2006 01:49:14 +0000 Subject: r17378: Fix the issues people have been having with mapped users (username map) and failure to connect to a share. Essentially, even on a standalone system we were going into the create_token_from_username() code (I think by mistake) if the username was mapped. Fixes bug #3991. Volker & Jerry - please go over this with a very careful eye and let me know if this isn't correct (I think it is, but this isn't my code and it's a dangerous area for me to be playing in :-). Jeremy (This used to be commit 0b5b2b53ec6e4c25b5f6645451dfce4aa7ae8a61) --- source3/auth/auth_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index dfb4193357..d59c6b40cc 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -956,8 +956,8 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) * mapped to some local unix user. */ - if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) || - (server_info->was_mapped)) { + if ((lp_server_role() == ROLE_DOMAIN_MEMBER) && + (server_info->was_mapped || !winbind_ping())) { status = create_token_from_username(server_info, server_info->unix_name, server_info->guest, -- cgit From ba5f9c4ef9b91b636157647fdd9f610cfdde97ff Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 3 Aug 2006 19:07:12 +0000 Subject: r17388: Fix the "valid users"/token issue for now. Volker, please come in and fix it in a less ugly way once you have some time. Thanks, Jeremy. (This used to be commit 79b1e668e2ce263c84ff8fafaafb3e57b06717ab) --- source3/auth/auth_util.c | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d59c6b40cc..77da182f57 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -599,6 +599,14 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, * simple first. */ TALLOC_FREE(gids); + /* For a local user the real primary group sid is the result->sids[0] */ + + if (!pdb_set_group_sid(sampass, &result->sids[0], PDB_CHANGED)) { + result->sam_account = NULL; /* Don't free on error exit. */ + TALLOC_FREE(result); + return NT_STATUS_UNSUCCESSFUL; + } + DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n", pdb_get_username(sampass), result->unix_name)); @@ -1089,7 +1097,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, gr_sid = pdb_get_group_sid(sam_acct); if (!gr_sid) { - goto unix_user; + goto unix_group; } sid_copy(&primary_group_sid, gr_sid); @@ -1097,8 +1105,8 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, if (!sid_to_gid(&primary_group_sid, gid)) { DEBUG(1, ("sid_to_gid(%s) failed\n", sid_string_static(&primary_group_sid))); - DEBUGADD(1, ("Fall back to unix user %s\n", username)); - goto unix_user; + DEBUGADD(1, ("Fall back to unix group %s\n", username)); + goto unix_group; } result = pdb_enum_group_memberships(tmp_ctx, sam_acct, @@ -1107,8 +1115,8 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, if (!NT_STATUS_IS_OK(result)) { DEBUG(10, ("enum_group_memberships failed for %s\n", username)); - DEBUGADD(1, ("Fall back to unix user %s\n", username)); - goto unix_user; + DEBUGADD(1, ("Fall back to unix group %s\n", username)); + goto unix_group; } *found_username = talloc_strdup(mem_ctx, @@ -1132,6 +1140,8 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, uid_to_unix_users_sid(*uid, &user_sid); + unix_group: + pass = getpwuid_alloc(tmp_ctx, *uid); if (pass == NULL) { DEBUG(1, ("getpwuid(%d) for user %s failed\n", @@ -1316,6 +1326,14 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, * simple first. */ TALLOC_FREE(gids); + /* For a local user the real primary group sid is the result->sids[0] */ + + if (!pdb_set_group_sid(sampass, &result->sids[0], PDB_CHANGED)) { + result->sam_account = NULL; /* Don't free on error exit. */ + TALLOC_FREE(sampass); + return NT_STATUS_UNSUCCESSFUL; + } + *server_info = result; return NT_STATUS_OK; -- cgit From 74ee62a45b4cdb32ae7291c1bdae322692bb64c2 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 3 Aug 2006 23:44:07 +0000 Subject: r17391: Revert the second part of the valid users fix - the netlogon code uses pdb_get_group_sid() which could return a S-1-1-22 unix sid. Who knew.... :-(. I'm going to test Volker's fix instead. Once 3.0.23b is out we *have* to rip out the pdb_set_group_sid() code.... Jeremy. (This used to be commit 65003e1b251b4762cef2b3cdcc895269f9319eb8) --- source3/auth/auth_util.c | 28 +++++----------------------- 1 file changed, 5 insertions(+), 23 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 77da182f57..d59c6b40cc 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -599,14 +599,6 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, * simple first. */ TALLOC_FREE(gids); - /* For a local user the real primary group sid is the result->sids[0] */ - - if (!pdb_set_group_sid(sampass, &result->sids[0], PDB_CHANGED)) { - result->sam_account = NULL; /* Don't free on error exit. */ - TALLOC_FREE(result); - return NT_STATUS_UNSUCCESSFUL; - } - DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n", pdb_get_username(sampass), result->unix_name)); @@ -1097,7 +1089,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, gr_sid = pdb_get_group_sid(sam_acct); if (!gr_sid) { - goto unix_group; + goto unix_user; } sid_copy(&primary_group_sid, gr_sid); @@ -1105,8 +1097,8 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, if (!sid_to_gid(&primary_group_sid, gid)) { DEBUG(1, ("sid_to_gid(%s) failed\n", sid_string_static(&primary_group_sid))); - DEBUGADD(1, ("Fall back to unix group %s\n", username)); - goto unix_group; + DEBUGADD(1, ("Fall back to unix user %s\n", username)); + goto unix_user; } result = pdb_enum_group_memberships(tmp_ctx, sam_acct, @@ -1115,8 +1107,8 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, if (!NT_STATUS_IS_OK(result)) { DEBUG(10, ("enum_group_memberships failed for %s\n", username)); - DEBUGADD(1, ("Fall back to unix group %s\n", username)); - goto unix_group; + DEBUGADD(1, ("Fall back to unix user %s\n", username)); + goto unix_user; } *found_username = talloc_strdup(mem_ctx, @@ -1140,8 +1132,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, uid_to_unix_users_sid(*uid, &user_sid); - unix_group: - pass = getpwuid_alloc(tmp_ctx, *uid); if (pass == NULL) { DEBUG(1, ("getpwuid(%d) for user %s failed\n", @@ -1326,14 +1316,6 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, * simple first. */ TALLOC_FREE(gids); - /* For a local user the real primary group sid is the result->sids[0] */ - - if (!pdb_set_group_sid(sampass, &result->sids[0], PDB_CHANGED)) { - result->sam_account = NULL; /* Don't free on error exit. */ - TALLOC_FREE(sampass); - return NT_STATUS_UNSUCCESSFUL; - } - *server_info = result; return NT_STATUS_OK; -- cgit From 87b2b16cbf211675a23c4f4282f026098d7334ed Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 4 Aug 2006 00:00:15 +0000 Subject: r17392: Commit Volker's fix for the valid users problem. Let's look at the build farm now... :-). Jeremy. (This used to be commit 6d822b85676f033a1a2e422e2d5ac92aaf566aef) --- source3/auth/auth_util.c | 52 ++++++++++++++++++++---------------------------- 1 file changed, 22 insertions(+), 30 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d59c6b40cc..89792bca94 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -29,7 +29,6 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, const DOM_SID *user_sid, - const DOM_SID *group_sid, BOOL is_guest, int num_groupsids, const DOM_SID *groupsids); @@ -509,7 +508,7 @@ NT_USER_TOKEN *get_root_nt_token( void ) uid_to_sid(&u_sid, pw->pw_uid); gid_to_sid(&g_sid, pw->pw_gid); - token = create_local_nt_token(NULL, &u_sid, &g_sid, False, + token = create_local_nt_token(NULL, &u_sid, False, 1, &global_sid_Builtin_Administrators); return token; } @@ -811,7 +810,6 @@ static NTSTATUS create_builtin_administrators( void ) static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, const DOM_SID *user_sid, - const DOM_SID *group_sid, BOOL is_guest, int num_groupsids, const DOM_SID *groupsids) @@ -830,7 +828,9 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, add_sid_to_array(result, user_sid, &result->user_sids, &result->num_sids); - add_sid_to_array(result, group_sid, + + SMB_ASSERT(num_groupsids > 0); + add_sid_to_array(result, &groupsids[0], &result->user_sids, &result->num_sids); /* Add in BUILTIN sids */ @@ -850,9 +850,11 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, /* Now the SIDs we got from authentication. These are the ones from * the info3 struct or from the pdb_enum_group_memberships, depending - * on who authenticated the user. */ + * on who authenticated the user. + * Note that we start the for loop at "1" here, we already added the + * first group sid as primary above. */ - for (i=0; iuser_sids, &result->num_sids); } @@ -956,8 +958,8 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) * mapped to some local unix user. */ - if ((lp_server_role() == ROLE_DOMAIN_MEMBER) && - (server_info->was_mapped || !winbind_ping())) { + if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) || + (server_info->was_mapped)) { status = create_token_from_username(server_info, server_info->unix_name, server_info->guest, @@ -970,7 +972,6 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) server_info->ptok = create_local_nt_token( server_info, pdb_get_user_sid(server_info->sam_account), - pdb_get_group_sid(server_info->sam_account), server_info->guest, server_info->num_sids, server_info->sids); status = server_info->ptok ? @@ -1073,7 +1074,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, /* This is a passdb user, so ask passdb */ struct samu *sam_acct = NULL; - const DOM_SID *gr_sid = NULL; if ( !(sam_acct = samu_new( tmp_ctx )) ) { result = NT_STATUS_NO_MEMORY; @@ -1087,20 +1087,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto unix_user; } - gr_sid = pdb_get_group_sid(sam_acct); - if (!gr_sid) { - goto unix_user; - } - - sid_copy(&primary_group_sid, gr_sid); - - if (!sid_to_gid(&primary_group_sid, gid)) { - DEBUG(1, ("sid_to_gid(%s) failed\n", - sid_string_static(&primary_group_sid))); - DEBUGADD(1, ("Fall back to unix user %s\n", username)); - goto unix_user; - } - result = pdb_enum_group_memberships(tmp_ctx, sam_acct, &group_sids, &gids, &num_group_sids); @@ -1111,6 +1097,10 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto unix_user; } + /* see the smb_panic() in pdb_default_enum_group_memberships */ + SMB_ASSERT(num_group_sids > 0); + + *gid = gids[0]; *found_username = talloc_strdup(mem_ctx, pdb_get_username(sam_acct)); @@ -1139,9 +1129,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto done; } - *gid = pass->pw_gid; - gid_to_sid(&primary_group_sid, pass->pw_gid); - if (!getgroups_unix_user(tmp_ctx, username, pass->pw_gid, &gids, &num_group_sids)) { DEBUG(1, ("getgroups_unix_user for user %s failed\n", @@ -1159,6 +1146,11 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, for (i=0; i 0); + + *gid = gids[0]; *found_username = talloc_strdup(mem_ctx, pass->pw_name); } else { @@ -1182,13 +1174,13 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto done; } - num_group_sids = 0; - group_sids = NULL; + num_group_sids = 1; + group_sids = &primary_group_sid; *found_username = talloc_strdup(mem_ctx, username); } - *token = create_local_nt_token(mem_ctx, &user_sid, &primary_group_sid, + *token = create_local_nt_token(mem_ctx, &user_sid, is_guest, num_group_sids, group_sids); if ((*token == NULL) || (*found_username == NULL)) { -- cgit From 49051067785befb4e549248084f583bdcdc191da Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 4 Aug 2006 01:09:57 +0000 Subject: r17393: Remove Volker's ASSERT that num_groupsids > 0. For guest connection they may well be zero. This should fix up the buildfarm (fingers crossed). Jeremy. (This used to be commit 16ebccbc5889c3b4c1a20bf3453bd523ddf6f5b0) --- source3/auth/auth_util.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 89792bca94..b7d3fdfcbd 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -829,9 +829,11 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, add_sid_to_array(result, user_sid, &result->user_sids, &result->num_sids); - SMB_ASSERT(num_groupsids > 0); - add_sid_to_array(result, &groupsids[0], - &result->user_sids, &result->num_sids); + /* For guest, num_groupsids may be zero. */ + if (num_groupsids) { + add_sid_to_array(result, &groupsids[0], + &result->user_sids, &result->num_sids); + } /* Add in BUILTIN sids */ -- cgit From 749c8d587c50a8761e6c9a86c2cdafb7a7fc537d Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 4 Aug 2006 12:15:53 +0000 Subject: r17399: Some C++ warnings (This used to be commit d12b08fc619f7b566ef5c4cc7294174e887014fe) --- source3/auth/auth_util.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index b7d3fdfcbd..90ec3ecaab 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1382,8 +1382,8 @@ static auth_serversupplied_info *copy_serverinfo(auth_serversupplied_info *src) dst->gid = src->gid; dst->n_groups = src->n_groups; if (src->n_groups != 0) { - dst->groups = talloc_memdup(dst, src->groups, - sizeof(gid_t)*dst->n_groups); + dst->groups = (gid_t *)talloc_memdup( + dst, src->groups, sizeof(gid_t)*dst->n_groups); } else { dst->groups = NULL; } @@ -1444,7 +1444,8 @@ BOOL copy_current_user(struct current_user *dst, struct current_user *src) gid_t *groups; NT_USER_TOKEN *nt_token; - groups = memdup(src->ut.groups, sizeof(gid_t) * src->ut.ngroups); + groups = (gid_t *)memdup(src->ut.groups, + sizeof(gid_t) * src->ut.ngroups); if ((src->ut.ngroups != 0) && (groups == NULL)) { return False; } @@ -1470,8 +1471,8 @@ BOOL set_current_user_guest(struct current_user *dst) gid_t *groups; NT_USER_TOKEN *nt_token; - groups = memdup(guest_info->groups, - sizeof(gid_t) * guest_info->n_groups); + groups = (gid_t *)memdup(guest_info->groups, + sizeof(gid_t) * guest_info->n_groups); if (groups == NULL) { return False; } @@ -1937,8 +1938,8 @@ NT_USER_TOKEN *dup_nt_token(TALLOC_CTX *mem_ctx, NT_USER_TOKEN *ptoken) return NULL; } - token->user_sids = talloc_memdup(token, ptoken->user_sids, - sizeof(DOM_SID) * ptoken->num_sids ); + token->user_sids = (DOM_SID *)talloc_memdup( + token, ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids ); if ((ptoken->user_sids != NULL) && (token->user_sids == NULL)) { DEBUG(0, ("talloc_memdup failed\n")); -- cgit From f8aa1c75f4961739863928392c8870c9c9a019d8 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 4 Aug 2006 20:35:52 +0000 Subject: r17402: Added lookup_name_smbconf() to be called when looking up names from smb.conf. If the name is unqualified it causes the lookup to be done in WORKGROUP\name, then "Unix [users|groups]"\name rather than searching the domain. Should fix the problems with "force user" selecting a domain user by preference. Jeremy. (This used to be commit 1e1fcb5eb2ac4bd360461b29f85c07dbf460025d) --- source3/auth/auth_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 90ec3ecaab..45b3bcccef 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1053,9 +1053,9 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, return NT_STATUS_NO_MEMORY; } - if (!lookup_name(tmp_ctx, username, LOOKUP_NAME_ALL, + if (!lookup_name_smbconf(tmp_ctx, username, LOOKUP_NAME_ALL, NULL, NULL, &user_sid, &type)) { - DEBUG(1, ("lookup_name for %s failed\n", username)); + DEBUG(1, ("lookup_name_smbconf for %s failed\n", username)); goto done; } -- cgit From 21e35f8e73a5d63e17486b286827a06a6029afbe Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Tue, 22 Aug 2006 16:01:24 +0000 Subject: r17710: Thanks to Thomas Bork for testing and continued feedback on this. Comments from the patch: /* Add the "Unix Group" SID for each gid to catch mapped groups and their Unix equivalent. This is to solve the backwards compatibility problem of 'valid users = +ntadmin' where ntadmin has been paired with "Domain Admins" in the group mapping table. Otherwise smb.conf would need to be changed to 'valid user = "Domain Admins"'. --jerry */ (This used to be commit 3848199287c5829aef66d0dee38a79056fe1ff5c) --- source3/auth/auth_util.c | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 45b3bcccef..7ba1bea955 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -562,6 +562,10 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, struct passwd *pwd; gid_t *gids; auth_serversupplied_info *result; + int i; + size_t num_gids; + DOM_SID unix_group_sid; + if ( !(pwd = getpwnam_alloc(NULL, pdb_get_username(sampass))) ) { DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n", @@ -592,10 +596,29 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, TALLOC_FREE(result); return status; } + + /* Add the "Unix Group" SID for each gid to catch mapped groups + and their Unix equivalent. This is to solve the backwards + compatibility problem of 'valid users = +ntadmin' where + ntadmin has been paired with "Domain Admins" in the group + mapping table. Otherwise smb.conf would need to be changed + to 'valid user = "Domain Admins"'. --jerry */ + + num_gids = result->num_sids; + for ( i=0; isids, &result->num_sids ); + } /* For now we throw away the gids and convert via sid_to_gid * later. This needs fixing, but I'd like to get the code straight and * simple first. */ + TALLOC_FREE(gids); DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n", @@ -873,7 +896,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, become_root(); status = create_builtin_administrators( ); if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n")); + DEBUG(2,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n")); /* don't fail, just log the message */ } unbecome_root(); @@ -900,7 +923,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, become_root(); status = create_builtin_users( ); if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Users group!\n")); + DEBUG(2,("create_local_nt_token: Failed to create BUILTIN\\Users group!\n")); /* don't fail, just log the message */ } unbecome_root(); -- cgit From 049fcc8dd54a5fc93b27f84366880cc308a12ca6 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 23 Aug 2006 02:45:45 +0000 Subject: r17736: Apply the Unix group patch when creating the token for a username map. (This used to be commit 0298a3466bc6c5e322db7dac386e4e5eef0e2702) --- source3/auth/auth_util.c | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7ba1bea955..2c20beb33c 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1068,7 +1068,10 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, gid_t *gids; DOM_SID primary_group_sid; DOM_SID *group_sids; + DOM_SID unix_group_sid; size_t num_group_sids; + size_t num_gids; + size_t i; tmp_ctx = talloc_new(NULL); if (tmp_ctx == NULL) { @@ -1135,7 +1138,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, * directly, without consulting passdb */ struct passwd *pass; - size_t i; /* * This goto target is used as a fallback for the passdb @@ -1205,6 +1207,31 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, *found_username = talloc_strdup(mem_ctx, username); } + /* Add the "Unix Group" SID for each gid to catch mapped groups + and their Unix equivalent. This is to solve the backwards + compatibility problem of 'valid users = +ntadmin' where + ntadmin has been paired with "Domain Admins" in the group + mapping table. Otherwise smb.conf would need to be changed + to 'valid user = "Domain Admins"'. --jerry */ + + num_gids = num_group_sids; + for ( i=0; i= low) && (gids[i] <= high) ) + continue; + + if ( !gid_to_unix_groups_sid( gids[i], &unix_group_sid ) ) { + DEBUG(1,("create_token_from_username: Failed to create SID " + "for gid %d!\n", gids[i])); + continue; + } + add_sid_to_array_unique( mem_ctx, &unix_group_sid, + &group_sids, &num_group_sids ); + } + *token = create_local_nt_token(mem_ctx, &user_sid, is_guest, num_group_sids, group_sids); -- cgit From 9ab430ac4b9555206c25d04cddd57283397dd529 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 28 Aug 2006 05:22:10 +0000 Subject: r17875: Fix (rather theoretical, but still...) null deref found by Stanford checker. Jeremy. (This used to be commit 45d77ae12235e6b39cc30845d69ac3777d3eefd0) --- source3/auth/auth_util.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 2c20beb33c..26d1eb710f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1988,16 +1988,19 @@ NT_USER_TOKEN *dup_nt_token(TALLOC_CTX *mem_ctx, NT_USER_TOKEN *ptoken) return NULL; } - token->user_sids = (DOM_SID *)talloc_memdup( - token, ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids ); + ZERO_STRUCTP(token); - if ((ptoken->user_sids != NULL) && (token->user_sids == NULL)) { - DEBUG(0, ("talloc_memdup failed\n")); - TALLOC_FREE(token); - return NULL; - } + if (ptoken->user_sids && ptoken->num_sids) { + token->user_sids = (DOM_SID *)talloc_memdup( + token, ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids ); - token->num_sids = ptoken->num_sids; + if (token->user_sids == NULL) { + DEBUG(0, ("talloc_memdup failed\n")); + TALLOC_FREE(token); + return NULL; + } + token->num_sids = ptoken->num_sids; + } /* copy the privileges; don't consider failure to be critical here */ -- cgit From 3bc4fd1bb9bfbd0e0efd89d47c50bf798e5a1481 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 29 Aug 2006 19:14:25 +0000 Subject: r17924: Get rid of warnings now that talloc is merged. Destructors now take a pointer to the "real" destroyed object as an argument. Volker (This used to be commit 70edd716ef0ccb218fe18d1233bd30abe46b62bf) --- source3/auth/auth_util.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 26d1eb710f..c2f32f4f95 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -513,11 +513,8 @@ NT_USER_TOKEN *get_root_nt_token( void ) return token; } -static int server_info_dtor(void *p) +static int server_info_dtor(auth_serversupplied_info *server_info) { - auth_serversupplied_info *server_info = - talloc_get_type_abort(p, auth_serversupplied_info); - if (server_info->sam_account != NULL) { TALLOC_FREE(server_info->sam_account); } -- cgit From 6655e1e997fa96408ce257f1c96773db4551f69f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 4 Sep 2006 09:51:47 +0000 Subject: r18029: More C++ stuff (This used to be commit 089b51e28cc5e3674e4edf5464c7a15673c5ec0f) --- source3/auth/auth_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index c2f32f4f95..1ab9d2a49e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1374,7 +1374,7 @@ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_inf struct samu *sampass = NULL; DOM_SID guest_sid; BOOL ret; - static const char zeros[16]; + static const char zeros[16] = { 0, }; if ( !(sampass = samu_new( NULL )) ) { return NT_STATUS_NO_MEMORY; @@ -1691,7 +1691,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, auth_serversupplied_info **server_info, NET_USER_INFO_3 *info3) { - static const char zeros[16]; + static const char zeros[16] = { 0, }; NTSTATUS nt_status = NT_STATUS_OK; char *found_username; -- cgit From 2b27c93a9a8471693d7dcb5fdbe8afe65b22ff66 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 8 Sep 2006 14:28:06 +0000 Subject: r18271: Big change: * autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951) --- source3/auth/auth_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1ab9d2a49e..fd857a2806 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -781,7 +781,7 @@ static NTSTATUS create_builtin_administrators( void ) NTSTATUS status; DOM_SID dom_admins, root_sid; fstring root_name; - enum SID_NAME_USE type; + enum lsa_SidType type; TALLOC_CTX *ctx; BOOL ret; @@ -1061,7 +1061,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, NTSTATUS result = NT_STATUS_NO_SUCH_USER; TALLOC_CTX *tmp_ctx; DOM_SID user_sid; - enum SID_NAME_USE type; + enum lsa_SidType type; gid_t *gids; DOM_SID primary_group_sid; DOM_SID *group_sids; -- cgit From 2b7d1fc7797e3124e3f6e5d579bfc275141f6000 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 29 Sep 2006 21:26:33 +0000 Subject: r19008: Fix a segfault (This used to be commit adfc82f0e6b12f8ccfe00f3ff49a089a4c936239) --- source3/auth/auth_util.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index fd857a2806..7d6effebc4 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1200,6 +1200,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, num_group_sids = 1; group_sids = &primary_group_sid; + gids = gid; *found_username = talloc_strdup(mem_ctx, username); } -- cgit From 5e48602456f50cc3e261acfb005e6ee28231f64c Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 18 Nov 2006 17:05:50 +0000 Subject: r19773: TALLOC_FREE checks for NULL itself (This used to be commit fb3983ae1fdd1935333ffee80bceb747228ac0f3) --- source3/auth/auth_util.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7d6effebc4..82a13fd9e7 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -515,10 +515,7 @@ NT_USER_TOKEN *get_root_nt_token( void ) static int server_info_dtor(auth_serversupplied_info *server_info) { - if (server_info->sam_account != NULL) { - TALLOC_FREE(server_info->sam_account); - } - + TALLOC_FREE(server_info->sam_account); ZERO_STRUCTP(server_info); return 0; } -- cgit From cb0402c2d3941a813e33b2b5e07c54b9ff644ca4 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 1 Dec 2006 15:06:34 +0000 Subject: r19980: Implement pam account stack checks when obey pam restrictions is true. It was missing for security=server/domain/ads Simo. (This used to be commit 550f651499c22c3c11594a0a39061a8a9b438d82) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 82a13fd9e7..357ca5f626 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -496,7 +496,7 @@ NT_USER_TOKEN *get_root_nt_token( void ) if ( token ) return token; - + if ( !(pw = sys_getpwnam( "root" )) ) { DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n")); return NULL; -- cgit From ecf90c495eb850cd6f376fb4e090640b69f0c029 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 1 Dec 2006 20:01:09 +0000 Subject: r19991: Sorry for this 2000-liner... The main thing here is a rewrite of srv_winreg_nt.c. The core functionality has moved to registry/reg_api.c which is then usable by the rest of Samba as well. On that way it fixes creating keys with more than one element in the path. This did not work before. Two things that sneaked in (sorry :-) is the change of some routines from NTSTATUS to WERROR the removed "parent" argument to regkey_open_internal. Volker (This used to be commit fea52801de8c7b85c578d200c599475680c5339f) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 357ca5f626..e066ba279c 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1970,7 +1970,7 @@ BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_me Duplicate a SID token. ****************************************************************************/ -NT_USER_TOKEN *dup_nt_token(TALLOC_CTX *mem_ctx, NT_USER_TOKEN *ptoken) +NT_USER_TOKEN *dup_nt_token(TALLOC_CTX *mem_ctx, const NT_USER_TOKEN *ptoken) { NT_USER_TOKEN *token; -- cgit From 63609fbb04d2ce620338b4b79e7c1abf39f08ef8 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 9 Dec 2006 02:58:18 +0000 Subject: r20090: Fix a class of bugs found by James Peach. Ensure we never mix malloc and talloc'ed contexts in the add_XX_to_array() and add_XX_to_array_unique() calls. Ensure that these calls always return False on out of memory, True otherwise and always check them. Ensure that the relevent parts of the conn struct and the nt_user_tokens are TALLOC_DESTROYED not SAFE_FREE'd. James - this should fix your crash bug in both branches. Jeremy. (This used to be commit 0ffca7559e07500bd09a64b775e230d448ce5c24) --- source3/auth/auth_util.c | 117 +++++++++++++++++++++++++++++++---------------- 1 file changed, 77 insertions(+), 40 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index e066ba279c..7e65121b2d 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -605,8 +605,12 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, "for gid %d!\n", gids[i])); continue; } - add_sid_to_array_unique( result, &unix_group_sid, - &result->sids, &result->num_sids ); + if (!add_sid_to_array_unique( result, &unix_group_sid, + &result->sids, &result->num_sids )) { + result->sam_account = NULL; /* Don't free on error exit. */ + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } } /* For now we throw away the gids and convert via sid_to_gid @@ -657,10 +661,9 @@ static NTSTATUS add_aliases(const DOM_SID *domain_sid, for (i=0; iuser_sids, - &token->num_sids); - if (token->user_sids == NULL) { + &token->num_sids)) { DEBUG(0, ("add_sid_to_array failed\n")); TALLOC_FREE(tmp_ctx); return NT_STATUS_NO_MEMORY; @@ -733,8 +736,10 @@ static NTSTATUS add_builtin_administrators( struct nt_user_token *token ) /* Add Administrators if the user beloongs to Domain Admins */ if ( nt_token_check_sid( &domadm, token ) ) { - add_sid_to_array(token, &global_sid_Builtin_Administrators, - &token->user_sids, &token->num_sids); + if (!add_sid_to_array(token, &global_sid_Builtin_Administrators, + &token->user_sids, &token->num_sids)) { + return NT_STATUS_NO_MEMORY; + } } return NT_STATUS_OK; @@ -843,28 +848,40 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, /* Add the user and primary group sid */ - add_sid_to_array(result, user_sid, - &result->user_sids, &result->num_sids); + if (!add_sid_to_array(result, user_sid, + &result->user_sids, &result->num_sids)) { + return NULL; + } /* For guest, num_groupsids may be zero. */ if (num_groupsids) { - add_sid_to_array(result, &groupsids[0], - &result->user_sids, &result->num_sids); + if (!add_sid_to_array(result, &groupsids[0], + &result->user_sids, &result->num_sids)) { + return NULL; + } } /* Add in BUILTIN sids */ - add_sid_to_array(result, &global_sid_World, - &result->user_sids, &result->num_sids); - add_sid_to_array(result, &global_sid_Network, - &result->user_sids, &result->num_sids); + if (!add_sid_to_array(result, &global_sid_World, + &result->user_sids, &result->num_sids)) { + return NULL; + } + if (!add_sid_to_array(result, &global_sid_Network, + &result->user_sids, &result->num_sids)) { + return NULL; + } if (is_guest) { - add_sid_to_array(result, &global_sid_Builtin_Guests, - &result->user_sids, &result->num_sids); + if (!add_sid_to_array(result, &global_sid_Builtin_Guests, + &result->user_sids, &result->num_sids)) { + return NULL; + } } else { - add_sid_to_array(result, &global_sid_Authenticated_Users, - &result->user_sids, &result->num_sids); + if (!add_sid_to_array(result, &global_sid_Authenticated_Users, + &result->user_sids, &result->num_sids)) { + return NULL; + } } /* Now the SIDs we got from authentication. These are the ones from @@ -874,8 +891,10 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, * first group sid as primary above. */ for (i=1; iuser_sids, &result->num_sids); + if (!add_sid_to_array_unique(result, &groupsids[i], + &result->user_sids, &result->num_sids)) { + return NULL; + } } /* Deal with the BUILTIN\Administrators group. If the SID can @@ -1018,8 +1037,11 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) "ignoring it\n", sid_string_static(sid))); continue; } - add_gid_to_array_unique(server_info, gid, &server_info->groups, - &server_info->n_groups); + if (!add_gid_to_array_unique(server_info, gid, &server_info->groups, + &server_info->n_groups)) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } } debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok); @@ -1060,7 +1082,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, DOM_SID user_sid; enum lsa_SidType type; gid_t *gids; - DOM_SID primary_group_sid; DOM_SID *group_sids; DOM_SID unix_group_sid; size_t num_group_sids; @@ -1109,7 +1130,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto unix_user; } - result = pdb_enum_group_memberships(tmp_ctx, sam_acct, + result = pdb_enum_group_memberships(mem_ctx, sam_acct, &group_sids, &gids, &num_group_sids); if (!NT_STATUS_IS_OK(result)) { @@ -1157,7 +1178,8 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto done; } - group_sids = talloc_array(tmp_ctx, DOM_SID, num_group_sids); + /* group_sids can be realloced - must be done on mem_ctx not tmp_ctx. */ + group_sids = talloc_array(mem_ctx, DOM_SID, num_group_sids); if (group_sids == NULL) { DEBUG(1, ("talloc_array failed\n")); result = NT_STATUS_NO_MEMORY; @@ -1185,18 +1207,24 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, uint32 dummy; - sid_copy(&primary_group_sid, &user_sid); - sid_split_rid(&primary_group_sid, &dummy); - sid_append_rid(&primary_group_sid, DOMAIN_GROUP_RID_USERS); + num_group_sids = 1; + group_sids = talloc_array(mem_ctx, DOM_SID, num_group_sids); + if (group_sids == NULL) { + DEBUG(1, ("talloc_array failed\n")); + result = NT_STATUS_NO_MEMORY; + goto done; + } + + sid_copy(&group_sids[0], &user_sid); + sid_split_rid(&group_sids[0], &dummy); + sid_append_rid(&group_sids[0], DOMAIN_GROUP_RID_USERS); - if (!sid_to_gid(&primary_group_sid, gid)) { + if (!sid_to_gid(&group_sids[0], gid)) { DEBUG(1, ("sid_to_gid(%s) failed\n", - sid_string_static(&primary_group_sid))); + sid_string_static(&group_sids[0]))); goto done; } - num_group_sids = 1; - group_sids = &primary_group_sid; gids = gid; *found_username = talloc_strdup(mem_ctx, username); @@ -1223,8 +1251,11 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, "for gid %d!\n", gids[i])); continue; } - add_sid_to_array_unique( mem_ctx, &unix_group_sid, - &group_sids, &num_group_sids ); + if (!add_sid_to_array_unique( mem_ctx, &unix_group_sid, + &group_sids, &num_group_sids )) { + result = NT_STATUS_NO_MEMORY; + goto done; + } } *token = create_local_nt_token(mem_ctx, &user_sid, @@ -1869,8 +1900,11 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, TALLOC_FREE(result); return NT_STATUS_INVALID_PARAMETER; } - add_sid_to_array(result, &sid, &result->sids, - &result->num_sids); + if (!add_sid_to_array(result, &sid, &result->sids, + &result->num_sids)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } } /* Copy 'other' sids. We need to do sid filtering here to @@ -1880,9 +1914,12 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, */ for (i = 0; i < info3->num_other_sids; i++) { - add_sid_to_array(result, &info3->other_sids[i].sid, - &result->sids, - &result->num_sids); + if (!add_sid_to_array(result, &info3->other_sids[i].sid, + &result->sids, + &result->num_sids)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } } result->login_server = unistr2_tdup(result, -- cgit From 25d6eaae8d0d885add7e64b96df7a489328c6b0f Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sun, 10 Dec 2006 05:23:47 +0000 Subject: r20098: Properly fix issues with create_token_from_username() reported by James. Ensure that this function allocates everything on the temporary context except the return memory. Never call this with a null mem context, and now use conn->mem_ctx instead in smbd/service.c. Remove separate free functions for conn->ngroups and conn->nt_user_token as they are now always talloc'ed off the conn->mem_ctx. Future optimization will be to remove conn->mem_ctx and make all objects pointed to in the conn struct talloc'ed off conn itself. Easy to free then :-). Jeremy. (This used to be commit f83b6de44f1058811ff94ac72a8a71bd8e49e4e8) --- source3/auth/auth_util.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7e65121b2d..870dc9b5d0 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1130,7 +1130,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto unix_user; } - result = pdb_enum_group_memberships(mem_ctx, sam_acct, + result = pdb_enum_group_memberships(tmp_ctx, sam_acct, &group_sids, &gids, &num_group_sids); if (!NT_STATUS_IS_OK(result)) { @@ -1144,6 +1144,8 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, SMB_ASSERT(num_group_sids > 0); *gid = gids[0]; + + /* Ensure we're returning the found_username on the right context. */ *found_username = talloc_strdup(mem_ctx, pdb_get_username(sam_acct)); @@ -1178,8 +1180,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto done; } - /* group_sids can be realloced - must be done on mem_ctx not tmp_ctx. */ - group_sids = talloc_array(mem_ctx, DOM_SID, num_group_sids); + group_sids = talloc_array(tmp_ctx, DOM_SID, num_group_sids); if (group_sids == NULL) { DEBUG(1, ("talloc_array failed\n")); result = NT_STATUS_NO_MEMORY; @@ -1194,8 +1195,9 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, SMB_ASSERT(num_group_sids > 0); *gid = gids[0]; - *found_username = talloc_strdup(mem_ctx, pass->pw_name); + /* Ensure we're returning the found_username on the right context. */ + *found_username = talloc_strdup(mem_ctx, pass->pw_name); } else { /* This user is from winbind, force the primary gid to the @@ -1208,7 +1210,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, uint32 dummy; num_group_sids = 1; - group_sids = talloc_array(mem_ctx, DOM_SID, num_group_sids); + group_sids = talloc_array(tmp_ctx, DOM_SID, num_group_sids); if (group_sids == NULL) { DEBUG(1, ("talloc_array failed\n")); result = NT_STATUS_NO_MEMORY; @@ -1227,6 +1229,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, gids = gid; + /* Ensure we're returning the found_username on the right context. */ *found_username = talloc_strdup(mem_ctx, username); } @@ -1251,13 +1254,14 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, "for gid %d!\n", gids[i])); continue; } - if (!add_sid_to_array_unique( mem_ctx, &unix_group_sid, + if (!add_sid_to_array_unique(tmp_ctx, &unix_group_sid, &group_sids, &num_group_sids )) { result = NT_STATUS_NO_MEMORY; goto done; } } + /* Ensure we're creating the nt_token on the right context. */ *token = create_local_nt_token(mem_ctx, &user_sid, is_guest, num_group_sids, group_sids); @@ -1278,6 +1282,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, Expensive helper function to figure out whether a user given its name is member of a particular group. ***************************************************************************/ + BOOL user_in_group_sid(const char *username, const DOM_SID *group_sid) { NTSTATUS status; -- cgit From 4225f9a4bd5eece4d57820bbabb7b882610aa7cc Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 12 Dec 2006 14:52:13 +0000 Subject: r20116: Start merging in the work done to create the new idmap subsystem. Simo. (This used to be commit 50cd8bffeeed2cac755f75fc3d76fe41c451976b) --- source3/auth/auth_util.c | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 870dc9b5d0..709d77bb36 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -841,6 +841,8 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, NTSTATUS status; gid_t gid; + DEBUG(10, ("Create local NT token for %s\n", sid_string_static(user_sid))); + if (!(result = TALLOC_ZERO_P(mem_ctx, NT_USER_TOKEN))) { DEBUG(0, ("talloc failed\n")); return NULL; @@ -980,6 +982,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, NTSTATUS create_local_token(auth_serversupplied_info *server_info) { TALLOC_CTX *mem_ctx; + struct id_map *ids; NTSTATUS status; size_t i; @@ -1027,23 +1030,33 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) server_info->groups = NULL; /* Start at index 1, where the groups start. */ + ids = talloc_zero_array(mem_ctx, struct id_map, server_info->ptok->num_sids); + for (i = 0; i < server_info->ptok->num_sids-1; i++) { + ids[i].sid = &server_info->ptok->user_sids[i + 1]; /* store the sids */ + } - for (i=1; iptok->num_sids; i++) { - gid_t gid; - DOM_SID *sid = &server_info->ptok->user_sids[i]; + if (!winbind_sids_to_unixids(ids, server_info->ptok->num_sids-1)) { + DEBUG(2, ("Query to map secondary SIDs failed!\n")); + } - if (!sid_to_gid(sid, &gid)) { + for (i = 0; i < server_info->ptok->num_sids-1; i++) { + if ( ! ids[i].mapped) { DEBUG(10, ("Could not convert SID %s to gid, " - "ignoring it\n", sid_string_static(sid))); + "ignoring it\n", sid_string_static(ids[i].sid))); continue; } - if (!add_gid_to_array_unique(server_info, gid, &server_info->groups, + if ( ! ids[i].xid.type == ID_TYPE_UID) { + DEBUG(10, ("SID %s is a User ID (%u) not a Group ID, " + "ignoring it\n", sid_string_static(ids[i].sid), ids[i].xid.id)); + continue; + } + if (!add_gid_to_array_unique(server_info, (gid_t)ids[i].xid.id, &server_info->groups, &server_info->n_groups)) { TALLOC_FREE(mem_ctx); return NT_STATUS_NO_MEMORY; } } - + debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok); status = log_nt_token(mem_ctx, server_info->ptok); -- cgit From 35a3773a6df72fc4031b90fb94010193966dbdc0 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 14 Dec 2006 15:30:54 +0000 Subject: r20169: Support for fallback to legacy mapping code was not completely tested. Add necessary fixes. (This used to be commit 4a81ee9608d45f95eaaccc78a080e717cb7d4682) --- source3/auth/auth_util.c | 34 ++++++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 10 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 709d77bb36..c1f58cfecd 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -984,6 +984,7 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) TALLOC_CTX *mem_ctx; struct id_map *ids; NTSTATUS status; + BOOL wb = True; size_t i; @@ -1037,20 +1038,33 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) if (!winbind_sids_to_unixids(ids, server_info->ptok->num_sids-1)) { DEBUG(2, ("Query to map secondary SIDs failed!\n")); + if (!winbind_ping()) { + DEBUG(2, ("Winbindd is not running, will try to map SIDs one by one with legacy code\n")); + wb = False; + } } for (i = 0; i < server_info->ptok->num_sids-1; i++) { - if ( ! ids[i].mapped) { - DEBUG(10, ("Could not convert SID %s to gid, " - "ignoring it\n", sid_string_static(ids[i].sid))); - continue; - } - if ( ! ids[i].xid.type == ID_TYPE_UID) { - DEBUG(10, ("SID %s is a User ID (%u) not a Group ID, " - "ignoring it\n", sid_string_static(ids[i].sid), ids[i].xid.id)); - continue; + gid_t agid; + + if (wb) { + if ( ! ids[i].mapped) { + DEBUG(10, ("Could not convert SID %s to gid, " + "ignoring it\n", sid_string_static(ids[i].sid))); + continue; + } + if (ids[i].xid.type == ID_TYPE_UID) { + DEBUG(10, ("SID %s is a User ID (%u) not a Group ID, " + "ignoring it\n", sid_string_static(ids[i].sid), ids[i].xid.id)); + continue; + } + agid = (gid_t)ids[i].xid.id; + } else { + if (! sid_to_gid(ids[i].sid, &agid)) { + continue; + } } - if (!add_gid_to_array_unique(server_info, (gid_t)ids[i].xid.id, &server_info->groups, + if (!add_gid_to_array_unique(server_info, agid, &server_info->groups, &server_info->n_groups)) { TALLOC_FREE(mem_ctx); return NT_STATUS_NO_MEMORY; -- cgit From c50c8d0dc31b95a98e09b1cfdd2e54e4bac336f2 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sun, 14 Jan 2007 17:58:24 +0000 Subject: r20774: I thought I committed this before Xmas holidays ... This change is needed to make it possible to not expire caches in disconnected mode. Jerry, please can you look at this and confirm it is ok? Simo. (This used to be commit 9e8715e4e15d9cede8f4aa9652642995392617e6) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index c1f58cfecd..94551cb8a5 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1048,7 +1048,7 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) gid_t agid; if (wb) { - if ( ! ids[i].mapped) { + if (ids[i].status != ID_MAPPED) { DEBUG(10, ("Could not convert SID %s to gid, " "ignoring it\n", sid_string_static(ids[i].sid))); continue; -- cgit From b906886e9e9739877fef4c381c46a9a9d61859ba Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 16 Jan 2007 08:17:26 +0000 Subject: r20824: Send access to the trusted domain passwords through the pdb backend, so that in the next step we can store them in LDAP to be replicated across DCs. Thanks to Michael Adam Volker (This used to be commit 3c879745cfc39be6128b63a88ecdbfa3d9ce6c2d) --- source3/auth/auth_util.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 94551cb8a5..1080ced51b 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -2142,8 +2142,7 @@ BOOL is_trusted_domain(const char* dom_name) become_root(); DEBUG (5,("is_trusted_domain: Checking for domain trust with " "[%s]\n", dom_name )); - ret = secrets_fetch_trusted_domain_password(dom_name, NULL, - NULL, NULL); + ret = pdb_get_trusteddom_pw(dom_name, NULL, NULL, NULL); unbecome_root(); if (ret) return True; -- cgit From 6784d54a77c6ef67102b1b2c6a73ac16991b0b50 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 26 Feb 2007 09:46:05 +0000 Subject: r21536: Fix copy/paste typo. Guenther (This used to be commit 7edbb636f7caf43135f0320cc08ff18a34a80594) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1080ced51b..7a12508a3b 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -766,7 +766,7 @@ static NTSTATUS create_builtin_users( void ) sid_append_rid(&dom_users, DOMAIN_GROUP_RID_USERS ); status = pdb_add_aliasmem( &global_sid_Builtin_Users, &dom_users); if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_builtin_administrators: Failed to add Domain Users to" + DEBUG(0,("create_builtin_users: Failed to add Domain Users to" " Users\n")); return status; } -- cgit From 5b7c813104c652cfa215090361946ab33e8f0679 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 28 Mar 2007 13:26:43 +0000 Subject: r21999: remove useless casts metze (This used to be commit f948005ca69c50b07fdbcf7801975676d19d1486) --- source3/auth/auth_util.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7a12508a3b..0afcabcf07 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -241,8 +241,8 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, const uchar nt_interactive_pwd[16], const uchar *dc_sess_key) { - char lm_pwd[16]; - char nt_pwd[16]; + unsigned char lm_pwd[16]; + unsigned char nt_pwd[16]; unsigned char local_lm_response[24]; unsigned char local_nt_response[24]; unsigned char key[16]; @@ -268,10 +268,10 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, #endif if (lm_interactive_pwd) - SamOEMhash((uchar *)lm_pwd, key, sizeof(lm_pwd)); + SamOEMhash(lm_pwd, key, sizeof(lm_pwd)); if (nt_interactive_pwd) - SamOEMhash((uchar *)nt_pwd, key, sizeof(nt_pwd)); + SamOEMhash(nt_pwd, key, sizeof(nt_pwd)); #ifdef DEBUG_PASSWORD DEBUG(100,("decrypt of lm owf password:")); @@ -282,11 +282,11 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, #endif if (lm_interactive_pwd) - SMBOWFencrypt((const unsigned char *)lm_pwd, chal, + SMBOWFencrypt(lm_pwd, chal, local_lm_response); if (nt_interactive_pwd) - SMBOWFencrypt((const unsigned char *)nt_pwd, chal, + SMBOWFencrypt(nt_pwd, chal, local_nt_response); /* Password info paranoia */ -- cgit From 56ba44766854ed7cda265bdaf85913f2a1008282 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 28 Mar 2007 13:34:59 +0000 Subject: r22001: change prototype of dump_data(), so that it takes unsigned char * now, which matches what samba4 has. also fix all the callers to prevent compiler warnings metze (This used to be commit fa322f0cc9c26a9537ba3f0a7d4e4a25941317e7) --- source3/auth/auth_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 0afcabcf07..82567473b5 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -258,7 +258,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, #ifdef DEBUG_PASSWORD DEBUG(100,("key:")); - dump_data(100, (char *)key, sizeof(key)); + dump_data(100, key, sizeof(key)); DEBUG(100,("lm owf password:")); dump_data(100, lm_pwd, sizeof(lm_pwd)); @@ -368,7 +368,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, #ifdef DEBUG_PASSWORD DEBUG(10,("Unencrypted password (len %d):\n", (int)plaintext_password.length)); - dump_data(100, (const char *)plaintext_password.data, + dump_data(100, plaintext_password.data, plaintext_password.length); #endif -- cgit From fb3835846ef89a632230ff808259dad1cddc05c0 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 2 Apr 2007 03:46:13 +0000 Subject: r22020: Make it more clear that both the vuser struct and it's contents are talloc_free()'ed at the end of a session. Rework the passwd cache code to use talloc_unlink and talloc_reference, to more carefully manage the cache. Andrew Bartlett (This used to be commit e3e0ec25e67308de314aa61852905ee42aa2c8fe) --- source3/auth/auth_util.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 82567473b5..5c3bf7acce 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -561,19 +561,23 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, DOM_SID unix_group_sid; - if ( !(pwd = getpwnam_alloc(NULL, pdb_get_username(sampass))) ) { - DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n", - pdb_get_username(sampass))); - return NT_STATUS_NO_SUCH_USER; - } - if ( !(result = make_server_info(NULL)) ) { TALLOC_FREE(pwd); return NT_STATUS_NO_MEMORY; } + if ( !(pwd = getpwnam_alloc(result, pdb_get_username(sampass))) ) { + DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n", + pdb_get_username(sampass))); + return NT_STATUS_NO_SUCH_USER; + } + result->sam_account = sampass; - result->unix_name = talloc_strdup(result, pwd->pw_name); + /* Ensure thaat the sampass will be freed with the result */ + talloc_steal(result, sampass); + result->unix_name = pwd->pw_name; + /* Ensure that we keep pwd->pw_name, because we will free pwd below */ + talloc_steal(result, pwd->pw_name); result->gid = pwd->pw_gid; result->uid = pwd->pw_uid; -- cgit From ccc06f84415a0496b8f3771e8888f81442acd808 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 2 Apr 2007 05:53:34 +0000 Subject: r22022: - Clarify the comments - make sure never to free an uninitialised variable - ensure to free result on getpwnam_alloc failure Andrew Bartlett (This used to be commit 5fe3328e66661371182cc1c3b6e239797c3b4f93) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5c3bf7acce..7891ce1599 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -562,13 +562,13 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, if ( !(result = make_server_info(NULL)) ) { - TALLOC_FREE(pwd); return NT_STATUS_NO_MEMORY; } if ( !(pwd = getpwnam_alloc(result, pdb_get_username(sampass))) ) { DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n", pdb_get_username(sampass))); + TALLOC_FREE(result); return NT_STATUS_NO_SUCH_USER; } -- cgit From a40df6f92d42676a9184fb2c20a11d5662ca5b3a Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 9 Apr 2007 10:38:55 +0000 Subject: r22135: Check in most of Michael Adam's net conf utility. A good share of this patch is moving functions around to fix some linker dependencies for the registry. Michael, I've renamed your auth_utils2.c to token_utils.c. Thanks! Volker (This used to be commit 9de16f25c1c3e0b203da47391772ef2e2fe291ac) --- source3/auth/auth_util.c | 432 ----------------------------------------------- 1 file changed, 432 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7891ce1599..0de3bf2325 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -27,12 +27,6 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH -static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, - const DOM_SID *user_sid, - BOOL is_guest, - int num_groupsids, - const DOM_SID *groupsids); - /**************************************************************************** Create a UNIX user on demand. ****************************************************************************/ @@ -481,38 +475,6 @@ void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid, (long int)groups[i])); } -/****************************************************************************** - Create a token for the root user to be used internally by smbd. - This is similar to running under the context of the LOCAL_SYSTEM account - in Windows. This is a read-only token. Do not modify it or free() it. - Create a copy if your need to change it. -******************************************************************************/ - -NT_USER_TOKEN *get_root_nt_token( void ) -{ - static NT_USER_TOKEN *token = NULL; - DOM_SID u_sid, g_sid; - struct passwd *pw; - - if ( token ) - return token; - - if ( !(pw = sys_getpwnam( "root" )) ) { - DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n")); - return NULL; - } - - /* get the user and primary group SIDs; although the - BUILTIN\Administrators SId is really the one that matters here */ - - uid_to_sid(&u_sid, pw->pw_uid); - gid_to_sid(&g_sid, pw->pw_gid); - - token = create_local_nt_token(NULL, &u_sid, False, - 1, &global_sid_Builtin_Administrators); - return token; -} - static int server_info_dtor(auth_serversupplied_info *server_info) { TALLOC_FREE(server_info->sam_account); @@ -631,53 +593,6 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, return NT_STATUS_OK; } -/* - * Add alias SIDs from memberships within the partially created token SID list - */ - -static NTSTATUS add_aliases(const DOM_SID *domain_sid, - struct nt_user_token *token) -{ - uint32 *aliases; - size_t i, num_aliases; - NTSTATUS status; - TALLOC_CTX *tmp_ctx; - - if (!(tmp_ctx = talloc_init("add_aliases"))) { - return NT_STATUS_NO_MEMORY; - } - - aliases = NULL; - num_aliases = 0; - - status = pdb_enum_alias_memberships(tmp_ctx, domain_sid, - token->user_sids, - token->num_sids, - &aliases, &num_aliases); - - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10, ("pdb_enum_alias_memberships failed: %s\n", - nt_errstr(status))); - TALLOC_FREE(tmp_ctx); - return status; - } - - for (i=0; iuser_sids, - &token->num_sids)) { - DEBUG(0, ("add_sid_to_array failed\n")); - TALLOC_FREE(tmp_ctx); - return NT_STATUS_NO_MEMORY; - } - } - - TALLOC_FREE(tmp_ctx); - return NT_STATUS_OK; -} - static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token) { char *command; @@ -714,270 +629,6 @@ static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token) return NT_STATUS_OK; } -/******************************************************************* -*******************************************************************/ - -static NTSTATUS add_builtin_administrators( struct nt_user_token *token ) -{ - DOM_SID domadm; - - /* nothing to do if we aren't in a domain */ - - if ( !(IS_DC || lp_server_role()==ROLE_DOMAIN_MEMBER) ) { - return NT_STATUS_OK; - } - - /* Find the Domain Admins SID */ - - if ( IS_DC ) { - sid_copy( &domadm, get_global_sam_sid() ); - } else { - if ( !secrets_fetch_domain_sid( lp_workgroup(), &domadm ) ) - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; - } - sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS ); - - /* Add Administrators if the user beloongs to Domain Admins */ - - if ( nt_token_check_sid( &domadm, token ) ) { - if (!add_sid_to_array(token, &global_sid_Builtin_Administrators, - &token->user_sids, &token->num_sids)) { - return NT_STATUS_NO_MEMORY; - } - } - - return NT_STATUS_OK; -} - -/******************************************************************* -*******************************************************************/ - -static NTSTATUS create_builtin_users( void ) -{ - NTSTATUS status; - DOM_SID dom_users; - - status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_USERS ); - if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_builtin_users: Failed to create Users\n")); - return status; - } - - /* add domain users */ - if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) - && secrets_fetch_domain_sid(lp_workgroup(), &dom_users)) - { - sid_append_rid(&dom_users, DOMAIN_GROUP_RID_USERS ); - status = pdb_add_aliasmem( &global_sid_Builtin_Users, &dom_users); - if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_builtin_users: Failed to add Domain Users to" - " Users\n")); - return status; - } - } - - return NT_STATUS_OK; -} - -/******************************************************************* -*******************************************************************/ - -static NTSTATUS create_builtin_administrators( void ) -{ - NTSTATUS status; - DOM_SID dom_admins, root_sid; - fstring root_name; - enum lsa_SidType type; - TALLOC_CTX *ctx; - BOOL ret; - - status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_ADMINS ); - if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_builtin_administrators: Failed to create Administrators\n")); - return status; - } - - /* add domain admins */ - if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) - && secrets_fetch_domain_sid(lp_workgroup(), &dom_admins)) - { - sid_append_rid(&dom_admins, DOMAIN_GROUP_RID_ADMINS); - status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &dom_admins ); - if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_builtin_administrators: Failed to add Domain Admins" - " Administrators\n")); - return status; - } - } - - /* add root */ - if ( (ctx = talloc_init("create_builtin_administrators")) == NULL ) { - return NT_STATUS_NO_MEMORY; - } - fstr_sprintf( root_name, "%s\\root", get_global_sam_name() ); - ret = lookup_name( ctx, root_name, 0, NULL, NULL, &root_sid, &type ); - TALLOC_FREE( ctx ); - - if ( ret ) { - status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &root_sid ); - if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(0,("create_builtin_administrators: Failed to add root" - " Administrators\n")); - return status; - } - } - - return NT_STATUS_OK; -} - -/******************************************************************* - Create a NT token for the user, expanding local aliases -*******************************************************************/ - -static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, - const DOM_SID *user_sid, - BOOL is_guest, - int num_groupsids, - const DOM_SID *groupsids) -{ - struct nt_user_token *result = NULL; - int i; - NTSTATUS status; - gid_t gid; - - DEBUG(10, ("Create local NT token for %s\n", sid_string_static(user_sid))); - - if (!(result = TALLOC_ZERO_P(mem_ctx, NT_USER_TOKEN))) { - DEBUG(0, ("talloc failed\n")); - return NULL; - } - - /* Add the user and primary group sid */ - - if (!add_sid_to_array(result, user_sid, - &result->user_sids, &result->num_sids)) { - return NULL; - } - - /* For guest, num_groupsids may be zero. */ - if (num_groupsids) { - if (!add_sid_to_array(result, &groupsids[0], - &result->user_sids, &result->num_sids)) { - return NULL; - } - } - - /* Add in BUILTIN sids */ - - if (!add_sid_to_array(result, &global_sid_World, - &result->user_sids, &result->num_sids)) { - return NULL; - } - if (!add_sid_to_array(result, &global_sid_Network, - &result->user_sids, &result->num_sids)) { - return NULL; - } - - if (is_guest) { - if (!add_sid_to_array(result, &global_sid_Builtin_Guests, - &result->user_sids, &result->num_sids)) { - return NULL; - } - } else { - if (!add_sid_to_array(result, &global_sid_Authenticated_Users, - &result->user_sids, &result->num_sids)) { - return NULL; - } - } - - /* Now the SIDs we got from authentication. These are the ones from - * the info3 struct or from the pdb_enum_group_memberships, depending - * on who authenticated the user. - * Note that we start the for loop at "1" here, we already added the - * first group sid as primary above. */ - - for (i=1; iuser_sids, &result->num_sids)) { - return NULL; - } - } - - /* Deal with the BUILTIN\Administrators group. If the SID can - be resolved then assume that the add_aliasmem( S-1-5-32 ) - handled it. */ - - if ( !sid_to_gid( &global_sid_Builtin_Administrators, &gid ) ) { - /* We can only create a mapping if winbind is running - and the nested group functionality has been enabled */ - - if ( lp_winbind_nested_groups() && winbind_ping() ) { - become_root(); - status = create_builtin_administrators( ); - if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(2,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n")); - /* don't fail, just log the message */ - } - unbecome_root(); - } - else { - status = add_builtin_administrators( result ); - if ( !NT_STATUS_IS_OK(status) ) { - /* just log a complaint but do not fail */ - DEBUG(3,("create_local_nt_token: failed to check for local Administrators" - " membership (%s)\n", nt_errstr(status))); - } - } - } - - /* Deal with the BUILTIN\Users group. If the SID can - be resolved then assume that the add_aliasmem( S-1-5-32 ) - handled it. */ - - if ( !sid_to_gid( &global_sid_Builtin_Users, &gid ) ) { - /* We can only create a mapping if winbind is running - and the nested group functionality has been enabled */ - - if ( lp_winbind_nested_groups() && winbind_ping() ) { - become_root(); - status = create_builtin_users( ); - if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(2,("create_local_nt_token: Failed to create BUILTIN\\Users group!\n")); - /* don't fail, just log the message */ - } - unbecome_root(); - } - } - - /* Deal with local groups */ - - if (lp_winbind_nested_groups()) { - - /* Now add the aliases. First the one from our local SAM */ - - status = add_aliases(get_global_sam_sid(), result); - - if (!NT_STATUS_IS_OK(status)) { - TALLOC_FREE(result); - return NULL; - } - - /* Finally the builtin ones */ - - status = add_aliases(&global_sid_Builtin, result); - - if (!NT_STATUS_IS_OK(status)) { - TALLOC_FREE(result); - return NULL; - } - } - - - get_privileges_for_sids(&result->privileges, result->user_sids, - result->num_sids); - return result; -} - /* * Create the token to use from server_info->sam_account and * server_info->sids (the info3/sam groups). Find the unix gids. @@ -2039,89 +1690,6 @@ BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_me return True; } -/**************************************************************************** - Duplicate a SID token. -****************************************************************************/ - -NT_USER_TOKEN *dup_nt_token(TALLOC_CTX *mem_ctx, const NT_USER_TOKEN *ptoken) -{ - NT_USER_TOKEN *token; - - if (!ptoken) - return NULL; - - token = TALLOC_P(mem_ctx, NT_USER_TOKEN); - if (token == NULL) { - DEBUG(0, ("talloc failed\n")); - return NULL; - } - - ZERO_STRUCTP(token); - - if (ptoken->user_sids && ptoken->num_sids) { - token->user_sids = (DOM_SID *)talloc_memdup( - token, ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids ); - - if (token->user_sids == NULL) { - DEBUG(0, ("talloc_memdup failed\n")); - TALLOC_FREE(token); - return NULL; - } - token->num_sids = ptoken->num_sids; - } - - /* copy the privileges; don't consider failure to be critical here */ - - if ( !se_priv_copy( &token->privileges, &ptoken->privileges ) ) { - DEBUG(0,("dup_nt_token: Failure to copy SE_PRIV!. " - "Continuing with 0 privileges assigned.\n")); - } - - return token; -} - -/**************************************************************************** - Check for a SID in an NT_USER_TOKEN -****************************************************************************/ - -BOOL nt_token_check_sid ( const DOM_SID *sid, const NT_USER_TOKEN *token ) -{ - int i; - - if ( !sid || !token ) - return False; - - for ( i=0; inum_sids; i++ ) { - if ( sid_equal( sid, &token->user_sids[i] ) ) - return True; - } - - return False; -} - -BOOL nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid ) -{ - DOM_SID domain_sid; - - /* if we are a domain member, the get the domain SID, else for - a DC or standalone server, use our own SID */ - - if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) { - if ( !secrets_fetch_domain_sid( lp_workgroup(), - &domain_sid ) ) { - DEBUG(1,("nt_token_check_domain_rid: Cannot lookup " - "SID for domain [%s]\n", lp_workgroup())); - return False; - } - } - else - sid_copy( &domain_sid, get_global_sam_sid() ); - - sid_append_rid( &domain_sid, rid ); - - return nt_token_check_sid( &domain_sid, token );\ -} - /** * Verify whether or not given domain is trusted. * -- cgit From 36da6cb5847df2754e8f9223e0784da6013c572b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 19 Apr 2007 22:26:09 +0000 Subject: r22390: Patchset sent to samba-technical to address the winbind loop when allocating a new id for a SID: auth_util.patch Revert create_local_token() to the 3.0.24 codebase idmap_type.patch Have the caller fillin the id_map.xid.type field when resolving a SID so that if we allocate a new id, we know what type to use winbindd_api.patch Remove the WINBINDD_SIDS_TO_XIDS calls from the public winbindd interface for the 3.0.25 release idmap_rid.patch Cleanup the idmap_rid backend to not call back into winbindd to resolve the SID in order to verify it's type. (This used to be commit 3b24dae9e73b244540a68b631b428a4d0f57440b) --- source3/auth/auth_util.c | 48 ++++++++++-------------------------------------- 1 file changed, 10 insertions(+), 38 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 0de3bf2325..336daa906d 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -637,9 +637,7 @@ static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token) NTSTATUS create_local_token(auth_serversupplied_info *server_info) { TALLOC_CTX *mem_ctx; - struct id_map *ids; NTSTATUS status; - BOOL wb = True; size_t i; @@ -686,46 +684,20 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) server_info->groups = NULL; /* Start at index 1, where the groups start. */ - ids = talloc_zero_array(mem_ctx, struct id_map, server_info->ptok->num_sids); - for (i = 0; i < server_info->ptok->num_sids-1; i++) { - ids[i].sid = &server_info->ptok->user_sids[i + 1]; /* store the sids */ - } - - if (!winbind_sids_to_unixids(ids, server_info->ptok->num_sids-1)) { - DEBUG(2, ("Query to map secondary SIDs failed!\n")); - if (!winbind_ping()) { - DEBUG(2, ("Winbindd is not running, will try to map SIDs one by one with legacy code\n")); - wb = False; - } - } - for (i = 0; i < server_info->ptok->num_sids-1; i++) { - gid_t agid; + for (i=1; iptok->num_sids; i++) { + gid_t gid; + DOM_SID *sid = &server_info->ptok->user_sids[i]; - if (wb) { - if (ids[i].status != ID_MAPPED) { - DEBUG(10, ("Could not convert SID %s to gid, " - "ignoring it\n", sid_string_static(ids[i].sid))); - continue; - } - if (ids[i].xid.type == ID_TYPE_UID) { - DEBUG(10, ("SID %s is a User ID (%u) not a Group ID, " - "ignoring it\n", sid_string_static(ids[i].sid), ids[i].xid.id)); - continue; - } - agid = (gid_t)ids[i].xid.id; - } else { - if (! sid_to_gid(ids[i].sid, &agid)) { - continue; - } - } - if (!add_gid_to_array_unique(server_info, agid, &server_info->groups, - &server_info->n_groups)) { - TALLOC_FREE(mem_ctx); - return NT_STATUS_NO_MEMORY; + if (!sid_to_gid(sid, &gid)) { + DEBUG(10, ("Could not convert SID %s to gid, " + "ignoring it\n", sid_string_static(sid))); + continue; } + add_gid_to_array_unique(server_info, gid, &server_info->groups, + &server_info->n_groups); } - + debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok); status = log_nt_token(mem_ctx, server_info->ptok); -- cgit From 12ba88574bf91bdcc4447bfc3d429b799064bfd9 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 27 Apr 2007 23:18:41 +0000 Subject: r22542: Move over to using the _strict varients of the talloc calls. No functional changes. Looks bigger than it is :-). Jeremy. (This used to be commit f6fa3080fee1b20df9f1968500840a88cf0ee592) --- source3/auth/auth_util.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 336daa906d..e2bc8e75b5 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -834,9 +834,9 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto done; } - group_sids = talloc_array(tmp_ctx, DOM_SID, num_group_sids); + group_sids = TALLOC_ARRAY(tmp_ctx, DOM_SID, num_group_sids); if (group_sids == NULL) { - DEBUG(1, ("talloc_array failed\n")); + DEBUG(1, ("TALLOC_ARRAY failed\n")); result = NT_STATUS_NO_MEMORY; goto done; } @@ -864,9 +864,9 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, uint32 dummy; num_group_sids = 1; - group_sids = talloc_array(tmp_ctx, DOM_SID, num_group_sids); + group_sids = TALLOC_ARRAY(tmp_ctx, DOM_SID, num_group_sids); if (group_sids == NULL) { - DEBUG(1, ("talloc_array failed\n")); + DEBUG(1, ("TALLOC_ARRAY failed\n")); result = NT_STATUS_NO_MEMORY; goto done; } @@ -1117,7 +1117,7 @@ static auth_serversupplied_info *copy_serverinfo(auth_serversupplied_info *src) dst->gid = src->gid; dst->n_groups = src->n_groups; if (src->n_groups != 0) { - dst->groups = (gid_t *)talloc_memdup( + dst->groups = (gid_t *)TALLOC_MEMDUP( dst, src->groups, sizeof(gid_t)*dst->n_groups); } else { dst->groups = NULL; -- cgit From be8b0685a55700c6bce3681734800ec6434b0364 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 30 Apr 2007 02:39:34 +0000 Subject: r22589: Make TALLOC_ARRAY consistent across all uses. Jeremy. (This used to be commit 8968808c3b5b0208cbad9ac92eaf948f2c546dd9) --- source3/auth/auth_util.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index e2bc8e75b5..db92c50df0 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -834,11 +834,15 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto done; } - group_sids = TALLOC_ARRAY(tmp_ctx, DOM_SID, num_group_sids); - if (group_sids == NULL) { - DEBUG(1, ("TALLOC_ARRAY failed\n")); - result = NT_STATUS_NO_MEMORY; - goto done; + if (num_group_sids) { + group_sids = TALLOC_ARRAY(tmp_ctx, DOM_SID, num_group_sids); + if (group_sids == NULL) { + DEBUG(1, ("TALLOC_ARRAY failed\n")); + result = NT_STATUS_NO_MEMORY; + goto done; + } + } else { + group_sids = NULL; } for (i=0; i Date: Mon, 7 May 2007 12:15:11 +0000 Subject: r22740: Move debug_*_user_token to token_utils.c (This used to be commit 4ad9f8aa61cef94be8d38c6e91aac3a5c848f81f) --- source3/auth/auth_util.c | 45 --------------------------------------------- 1 file changed, 45 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index db92c50df0..399cf3ad9e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -430,51 +430,6 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info) return NT_STATUS_IS_OK(nt_status) ? True : False; } -/**************************************************************************** - prints a NT_USER_TOKEN to debug output. -****************************************************************************/ - -void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) -{ - size_t i; - - if (!token) { - DEBUGC(dbg_class, dbg_lev, ("NT user token: (NULL)\n")); - return; - } - - DEBUGC(dbg_class, dbg_lev, - ("NT user token of user %s\n", - sid_string_static(&token->user_sids[0]) )); - DEBUGADDC(dbg_class, dbg_lev, - ("contains %lu SIDs\n", (unsigned long)token->num_sids)); - for (i = 0; i < token->num_sids; i++) - DEBUGADDC(dbg_class, dbg_lev, - ("SID[%3lu]: %s\n", (unsigned long)i, - sid_string_static(&token->user_sids[i]))); - - dump_se_priv( dbg_class, dbg_lev, &token->privileges ); -} - -/**************************************************************************** - prints a UNIX 'token' to debug output. -****************************************************************************/ - -void debug_unix_user_token(int dbg_class, int dbg_lev, uid_t uid, gid_t gid, - int n_groups, gid_t *groups) -{ - int i; - DEBUGC(dbg_class, dbg_lev, - ("UNIX token of user %ld\n", (long int)uid)); - - DEBUGADDC(dbg_class, dbg_lev, - ("Primary group is %ld and contains %i supplementary " - "groups\n", (long int)gid, n_groups)); - for (i = 0; i < n_groups; i++) - DEBUGADDC(dbg_class, dbg_lev, ("Group[%3i]: %ld\n", i, - (long int)groups[i])); -} - static int server_info_dtor(auth_serversupplied_info *server_info) { TALLOC_FREE(server_info->sam_account); -- cgit From 8190e0466330fbdfb1beed7a073122c752d7fa31 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 12 May 2007 19:53:47 +0000 Subject: r22819: Fix Bug 4613. We just dumped the must change & friends. With the pass_last_changed == 0 we now return "Change now!" instead of "Change never" (This used to be commit 450e4d94f64f86a3dd709265d15ed5082d4b53e8) --- source3/auth/auth_util.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 399cf3ad9e..1795322b55 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1484,6 +1484,30 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } + if (!pdb_set_pass_last_set_time( + sam_account, + nt_time_to_unix(info3->pass_last_set_time), + PDB_CHANGED)) { + TALLOC_FREE(sam_account); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_pass_can_change_time( + sam_account, + nt_time_to_unix(info3->pass_can_change_time), + PDB_CHANGED)) { + TALLOC_FREE(sam_account); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_pass_must_change_time( + sam_account, + nt_time_to_unix(info3->pass_must_change_time), + PDB_CHANGED)) { + TALLOC_FREE(sam_account); + return NT_STATUS_NO_MEMORY; + } + result = make_server_info(NULL); if (result == NULL) { DEBUG(4, ("make_server_info failed!\n")); -- cgit From b4a7b7a8889737e2891fc1176feabd4ce47f2737 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 14 May 2007 12:16:20 +0000 Subject: r22844: Introduce const DATA_BLOB data_blob_null = { NULL, 0, NULL }; and replace all data_blob(NULL, 0) calls. (This used to be commit 3d3d61687ef00181f4f04e001d42181d93ac931e) --- source3/auth/auth_util.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1795322b55..f66c500943 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -372,11 +372,11 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, /* We can't do an NT hash here, as the password needs to be case insensitive */ - local_nt_blob = data_blob(NULL, 0); + local_nt_blob = data_blob_null; } else { - local_lm_blob = data_blob(NULL, 0); - local_nt_blob = data_blob(NULL, 0); + local_lm_blob = data_blob_null; + local_nt_blob = data_blob_null; } ret = make_user_info_map( @@ -1570,7 +1570,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, /* ensure we are never given NULL session keys */ if (memcmp(info3->user_sess_key, zeros, sizeof(zeros)) == 0) { - result->user_session_key = data_blob(NULL, 0); + result->user_session_key = data_blob_null; } else { result->user_session_key = data_blob_talloc( result, info3->user_sess_key, @@ -1578,7 +1578,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, } if (memcmp(info3->lm_sess_key, zeros, 8) == 0) { - result->lm_session_key = data_blob(NULL, 0); + result->lm_session_key = data_blob_null; } else { result->lm_session_key = data_blob_talloc( result, info3->lm_sess_key, -- cgit From a4354d399d65e0b0e660b0e41647c0116d51bd37 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sun, 17 Jun 2007 19:23:32 +0000 Subject: r23530: Fix bugs #4678 and #4697 which had the same root cause. In make_server_info_pw() we assign a user SID in our authoritative SAM, even though this may be from a pure "Unix User" that doesn't exist in the SAM. This causes lookups on "[in]valid users" to fail as they will lookup this name as a "Unix User" SID to check against the user token. Fix this by adding the "Unix User"\unix_username SID to the sid array. The correct fix should probably be changing the server_info->sam_account user SID to be a S-1-22 Unix SID, but this might break old configs where plaintext passwords were used with no SAM backend. Jeremy (This used to be commit 80d1da7e6cce451d3934751feaa6ad60a337e3db) --- source3/auth/auth_util.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index f66c500943..7509b5ad1c 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -966,6 +966,10 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, NTSTATUS status; struct samu *sampass = NULL; gid_t *gids; + char *qualified_name = NULL; + TALLOC_CTX *mem_ctx = NULL; + DOM_SID u_sid; + enum lsa_SidType type; auth_serversupplied_info *result; if ( !(sampass = samu_new( NULL )) ) { @@ -999,6 +1003,56 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, return status; } + /* + * The SID returned in server_info->sam_account is based + * on our SAM sid even though for a pure UNIX account this should + * not be the case as it doesn't really exist in the SAM db. + * This causes lookups on "[in]valid users" to fail as they + * will lookup this name as a "Unix User" SID to check against + * the user token. Fix this by adding the "Unix User"\unix_username + * SID to the sid array. The correct fix should probably be + * changing the server_info->sam_account user SID to be a + * S-1-22 Unix SID, but this might break old configs where + * plaintext passwords were used with no SAM backend. + */ + + mem_ctx = talloc_init("make_server_info_pw_tmp"); + if (!mem_ctx) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + qualified_name = talloc_asprintf(mem_ctx, "%s\\%s", + unix_users_domain_name(), + unix_username ); + if (!qualified_name) { + TALLOC_FREE(result); + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL, + NULL, NULL, + &u_sid, &type)) { + TALLOC_FREE(result); + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_SUCH_USER; + } + + TALLOC_FREE(mem_ctx); + + if (type != SID_NAME_USER) { + TALLOC_FREE(result); + return NT_STATUS_NO_SUCH_USER; + } + + if (!add_sid_to_array_unique(result, &u_sid, + &result->sids, + &result->num_sids)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + /* For now we throw away the gids and convert via sid_to_gid * later. This needs fixing, but I'd like to get the code straight and * simple first. */ -- cgit From d824b98f80ba186030cbb70b3a1e5daf80469ecd Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 9 Jul 2007 19:25:36 +0000 Subject: r23779: Change from v2 or later to v3 or later. Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7509b5ad1c..14d2fbed09 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -9,7 +9,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, -- cgit From 5e54558c6dea67b56bbfaba5698f3a434d3dffb6 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 00:52:41 +0000 Subject: r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text (This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07) --- source3/auth/auth_util.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 14d2fbed09..0d8c3b3f95 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -18,8 +18,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" -- cgit From 4b4a3c7df1b894c32473ee559185f6253b895800 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 17 Jul 2007 11:47:17 +0000 Subject: r23928: Merge all "copy-info3-groups-to-sid-array" blocks to a sid_array_from_info3() function. Guenther (This used to be commit 1e1e480115e37b3f4c85f979ddd800b8de0b9c57) --- source3/auth/auth_util.c | 38 ++++++-------------------------------- 1 file changed, 6 insertions(+), 32 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 0d8c3b3f95..325b05f80f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1405,8 +1405,6 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, uid_t uid; gid_t gid; - size_t i; - auth_serversupplied_info *result; /* @@ -1584,37 +1582,13 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, result->num_sids = 0; result->sids = NULL; - /* and create (by appending rids) the 'domain' sids */ - - for (i = 0; i < info3->num_groups2; i++) { - DOM_SID sid; - if (!sid_compose(&sid, &info3->dom_sid.sid, - info3->gids[i].g_rid)) { - DEBUG(3,("could not append additional group rid " - "0x%x\n", info3->gids[i].g_rid)); - TALLOC_FREE(result); - return NT_STATUS_INVALID_PARAMETER; - } - if (!add_sid_to_array(result, &sid, &result->sids, - &result->num_sids)) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; - } - } - - /* Copy 'other' sids. We need to do sid filtering here to - prevent possible elevation of privileges. See: - - http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp - */ - - for (i = 0; i < info3->num_other_sids; i++) { - if (!add_sid_to_array(result, &info3->other_sids[i].sid, + nt_status = sid_array_from_info3(result, info3, &result->sids, - &result->num_sids)) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; - } + &result->num_sids, + False); + if (!NT_STATUS_IS_OK(nt_status)) { + TALLOC_FREE(result); + return nt_status; } result->login_server = unistr2_tdup(result, -- cgit From ea33a1c22f834f985766347c8505935b59a808d8 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Fri, 12 Oct 2007 13:20:07 +0200 Subject: Add become_root/unbecome_root around one call of getsampwsid() in create_token_from_username(). This caused set_nt_acl to partially fail in certain circumstances. This is expected to bring an improvement to bug #4308. Michael (This used to be commit e68671b59500d7e1b645c80ee264c49893f8df84) --- source3/auth/auth_util.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 325b05f80f..2c05f04b9b 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -721,6 +721,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, } if (sid_check_is_in_our_domain(&user_sid)) { + BOOL ret; /* This is a passdb user, so ask passdb */ @@ -731,7 +732,11 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto done; } - if (!pdb_getsampwsid(sam_acct, &user_sid)) { + become_root(); + ret = pdb_getsampwsid(sam_acct, &user_sid); + unbecome_root(); + + if (!ret) { DEBUG(1, ("pdb_getsampwsid(%s) for user %s failed\n", sid_string_static(&user_sid), username)); DEBUGADD(1, ("Fall back to unix user %s\n", username)); -- cgit From 30191d1a5704ad2b158386b511558972d539ce47 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 18 Oct 2007 17:40:25 -0700 Subject: RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f) --- source3/auth/auth_util.c | 50 ++++++++++++++++++++++++------------------------ 1 file changed, 25 insertions(+), 25 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 2c05f04b9b..99eea6cdd2 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -62,7 +62,7 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info, DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd, DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd, DATA_BLOB *plaintext, - BOOL encrypted) + bool encrypted) { DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name)); @@ -141,11 +141,11 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd, DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd, DATA_BLOB *plaintext, - BOOL encrypted) + bool encrypted) { const char *domain; NTSTATUS result; - BOOL was_mapped; + bool was_mapped; fstring internal_username; fstrcpy(internal_username, smb_name); was_mapped = map_username(internal_username); @@ -186,7 +186,7 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, Decrypt and encrypt the passwords. ****************************************************************************/ -BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, +bool make_user_info_netlogon_network(auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, const char *wksta_name, @@ -196,7 +196,7 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, const uchar *nt_network_pwd, int nt_pwd_len) { - BOOL ret; + bool ret; NTSTATUS status; DATA_BLOB lm_blob = data_blob(lm_network_pwd, lm_pwd_len); DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); @@ -224,7 +224,7 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, Decrypt and encrypt the passwords. ****************************************************************************/ -BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, +bool make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, const char *wksta_name, @@ -286,7 +286,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, ZERO_STRUCT(key); { - BOOL ret; + bool ret; NTSTATUS nt_status; DATA_BLOB local_lm_blob; DATA_BLOB local_nt_blob; @@ -337,7 +337,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, Create an auth_usersupplied_data structure ****************************************************************************/ -BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, +bool make_user_info_for_reply(auth_usersupplied_info **user_info, const char *smb_name, const char *client_domain, const uint8 chal[8], @@ -413,7 +413,7 @@ NTSTATUS make_user_info_for_reply_enc(auth_usersupplied_info **user_info, Create a guest user_info blob, for anonymous authenticaion. ****************************************************************************/ -BOOL make_user_info_guest(auth_usersupplied_info **user_info) +bool make_user_info_guest(auth_usersupplied_info **user_info) { NTSTATUS nt_status; @@ -680,7 +680,7 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) */ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, - BOOL is_guest, + bool is_guest, uid_t *uid, gid_t *gid, char **found_username, struct nt_user_token **token) @@ -721,7 +721,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, } if (sid_check_is_in_our_domain(&user_sid)) { - BOOL ret; + bool ret; /* This is a passdb user, so ask passdb */ @@ -900,14 +900,14 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, member of a particular group. ***************************************************************************/ -BOOL user_in_group_sid(const char *username, const DOM_SID *group_sid) +bool user_in_group_sid(const char *username, const DOM_SID *group_sid) { NTSTATUS status; uid_t uid; gid_t gid; char *found_username; struct nt_user_token *token; - BOOL result; + bool result; TALLOC_CTX *mem_ctx; @@ -933,11 +933,11 @@ BOOL user_in_group_sid(const char *username, const DOM_SID *group_sid) } -BOOL user_in_group(const char *username, const char *groupname) +bool user_in_group(const char *username, const char *groupname) { TALLOC_CTX *mem_ctx; DOM_SID group_sid; - BOOL ret; + bool ret; mem_ctx = talloc_new(NULL); if (mem_ctx == NULL) { @@ -1078,7 +1078,7 @@ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_inf NTSTATUS status; struct samu *sampass = NULL; DOM_SID guest_sid; - BOOL ret; + bool ret; static const char zeros[16] = { 0, }; if ( !(sampass = samu_new( NULL )) ) { @@ -1177,7 +1177,7 @@ static auth_serversupplied_info *copy_serverinfo(auth_serversupplied_info *src) static auth_serversupplied_info *guest_info = NULL; -BOOL init_guest_info(void) +bool init_guest_info(void) { if (guest_info != NULL) return True; @@ -1191,7 +1191,7 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; } -BOOL copy_current_user(struct current_user *dst, struct current_user *src) +bool copy_current_user(struct current_user *dst, struct current_user *src) { gid_t *groups; NT_USER_TOKEN *nt_token; @@ -1218,7 +1218,7 @@ BOOL copy_current_user(struct current_user *dst, struct current_user *src) return True; } -BOOL set_current_user_guest(struct current_user *dst) +bool set_current_user_guest(struct current_user *dst) { gid_t *groups; NT_USER_TOKEN *nt_token; @@ -1261,7 +1261,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, char **found_username, uid_t *uid, gid_t *gid, struct samu *account, - BOOL *username_was_mapped) + bool *username_was_mapped) { NTSTATUS nt_status; fstring dom_user, lower_username; @@ -1308,7 +1308,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, ****************************************************************************/ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, char *domuser, - fstring save_username, BOOL create ) + fstring save_username, bool create ) { struct passwd *pw = NULL; char *p; @@ -1405,7 +1405,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, struct samu *sam_account = NULL; DOM_SID user_sid; DOM_SID group_sid; - BOOL username_was_mapped; + bool username_was_mapped; uid_t uid; gid_t gid; @@ -1655,7 +1655,7 @@ void free_user_info(auth_usersupplied_info **user_info) Make an auth_methods struct ***************************************************************************/ -BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_method) +bool make_auth_methods(struct auth_context *auth_context, auth_methods **auth_method) { if (!auth_context) { smb_panic("no auth_context supplied to " @@ -1685,10 +1685,10 @@ BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_me * false if otherwise **/ -BOOL is_trusted_domain(const char* dom_name) +bool is_trusted_domain(const char* dom_name) { DOM_SID trustdom_sid; - BOOL ret; + bool ret; /* no trusted domains for a standalone server */ -- cgit From d07eabcb444a281ec63a36c6612aca6e34730f18 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 14 Nov 2007 10:37:18 -0800 Subject: Remove pstring from auth/* Jeremy. (This used to be commit 72c19d114b40ee307bbe45d9828667165a26d7a3) --- source3/auth/auth_util.c | 52 +++++++++++++++++++++++++++++++++++------------- 1 file changed, 38 insertions(+), 14 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 99eea6cdd2..7ef894239e 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -32,20 +32,44 @@ static int smb_create_user(const char *domain, const char *unix_username, const char *homedir) { - pstring add_script; + TALLOC_CTX *ctx = talloc_tos(); + char *add_script; int ret; - pstrcpy(add_script, lp_adduser_script()); - if (! *add_script) + add_script = talloc_strdup(ctx, lp_adduser_script()); + if (!add_script || !*add_script) { return -1; - all_string_sub(add_script, "%u", unix_username, sizeof(pstring)); - if (domain) - all_string_sub(add_script, "%D", domain, sizeof(pstring)); - if (homedir) - all_string_sub(add_script, "%H", homedir, sizeof(pstring)); + } + add_script = talloc_all_string_sub(ctx, + add_script, + "%u", + unix_username); + if (!add_script) { + return -1; + } + if (domain) { + add_script = talloc_all_string_sub(ctx, + add_script, + "%D", + domain); + if (!add_script) { + return -1; + } + } + if (homedir) { + add_script = talloc_all_string_sub(ctx, + add_script, + "%H", + homedir); + if (!add_script) { + return -1; + } + } ret = smbrun(add_script,NULL); flush_pwnam_cache(); - DEBUG(ret ? 0 : 3,("smb_create_user: Running the command `%s' gave %d\n",add_script,ret)); + DEBUG(ret ? 0 : 3, + ("smb_create_user: Running the command `%s' gave %d\n", + add_script,ret)); return ret; } @@ -53,15 +77,15 @@ static int smb_create_user(const char *domain, const char *unix_username, const Create an auth_usersupplied_data structure ****************************************************************************/ -static NTSTATUS make_user_info(auth_usersupplied_info **user_info, - const char *smb_name, +static NTSTATUS make_user_info(auth_usersupplied_info **user_info, + const char *smb_name, const char *internal_username, - const char *client_domain, + const char *client_domain, const char *domain, - const char *wksta_name, + const char *wksta_name, DATA_BLOB *lm_pwd, DATA_BLOB *nt_pwd, DATA_BLOB *lm_interactive_pwd, DATA_BLOB *nt_interactive_pwd, - DATA_BLOB *plaintext, + DATA_BLOB *plaintext, bool encrypted) { -- cgit From 6b6655edd90850d09c7711fc3b9fe98271e3e625 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 27 Nov 2007 14:35:30 -0800 Subject: Remove pstrings from everything except srv_spoolss_nt.c. Jeremy. (This used to be commit 0002a9e96b0ef78316295a6eb94ff29b64e2f988) --- source3/auth/auth_util.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7ef894239e..c0a9e9bc84 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1452,13 +1452,13 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } - if (!(nt_username = unistr2_tdup(mem_ctx, &(info3->uni_user_name)))) { + if (!(nt_username = unistr2_to_ascii_talloc(mem_ctx, &(info3->uni_user_name)))) { /* If the server didn't give us one, just use the one we sent * them */ nt_username = sent_nt_username; } - if (!(nt_domain = unistr2_tdup(mem_ctx, &(info3->uni_logon_dom)))) { + if (!(nt_domain = unistr2_to_ascii_talloc(mem_ctx, &(info3->uni_logon_dom)))) { /* If the server didn't give us one, just use the one we sent * them */ nt_domain = domain; @@ -1620,7 +1620,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return nt_status; } - result->login_server = unistr2_tdup(result, + result->login_server = unistr2_to_ascii_talloc(result, &(info3->uni_logon_srv)); /* ensure we are never given NULL session keys */ -- cgit From 105635e23c5c77c5efed727bbc686650406ab82e Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 15 Dec 2007 21:10:58 +0100 Subject: Use sid_string_talloc where we have a tmp talloc ctx (This used to be commit f00ab810d2540679bec109498ac89e1eafe18f03) --- source3/auth/auth_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index c0a9e9bc84..0d4caecb2d 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -586,12 +586,12 @@ static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token) for (i=1; inum_sids; i++) { group_sidstr = talloc_asprintf( tmp_ctx, "%s %s", group_sidstr, - sid_string_static(&token->user_sids[i])); + sid_string_talloc(tmp_ctx, &token->user_sids[i])); } command = talloc_string_sub( tmp_ctx, lp_log_nt_token_command(), - "%s", sid_string_static(&token->user_sids[0])); + "%s", sid_string_talloc(tmp_ctx, &token->user_sids[0])); command = talloc_string_sub(tmp_ctx, command, "%t", group_sidstr); if (command == NULL) { -- cgit From 900288a2b86abd247f9eb4cd15dc5617a17cfef1 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 15 Dec 2007 21:11:36 +0100 Subject: Replace sid_string_static by sid_string_dbg in DEBUGs (This used to be commit bb35e794ec129805e874ceba882bcc1e84791a09) --- source3/auth/auth_util.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 0d4caecb2d..1e33869ea9 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -669,7 +669,7 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) if (!sid_to_gid(sid, &gid)) { DEBUG(10, ("Could not convert SID %s to gid, " - "ignoring it\n", sid_string_static(sid))); + "ignoring it\n", sid_string_dbg(sid))); continue; } add_gid_to_array_unique(server_info, gid, &server_info->groups, @@ -740,7 +740,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, if (!sid_to_uid(&user_sid, uid)) { DEBUG(1, ("sid_to_uid for %s (%s) failed\n", - username, sid_string_static(&user_sid))); + username, sid_string_dbg(&user_sid))); goto done; } @@ -762,7 +762,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, if (!ret) { DEBUG(1, ("pdb_getsampwsid(%s) for user %s failed\n", - sid_string_static(&user_sid), username)); + sid_string_dbg(&user_sid), username)); DEBUGADD(1, ("Fall back to unix user %s\n", username)); goto unix_user; } @@ -864,7 +864,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, if (!sid_to_gid(&group_sids[0], gid)) { DEBUG(1, ("sid_to_gid(%s) failed\n", - sid_string_static(&group_sids[0]))); + sid_string_dbg(&group_sids[0]))); goto done; } -- cgit From 59ce7650f24eb7c35b8d3ee9f830711a4af8f8e9 Mon Sep 17 00:00:00 2001 From: "Gerald (Jerry) Carter" Date: Fri, 21 Dec 2007 11:59:56 -0600 Subject: De-couple smbd from staticly linking against winbindd client files. Implements a wrapper layer in winbind_util.c which are just stubs if compiled --without-winbind. When building with winbindd, it is now required to build the libwbclient DSO first (in the Makefile) and then either set LD_LIBRARY_PATH or /etc/ld.so.conf to pick up the library PATH. (This used to be commit 42787bccff4fcffafc7aae6a678e792604ecaaa5) --- source3/auth/auth_util.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1e33869ea9..373a2a375f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1731,17 +1731,17 @@ bool is_trusted_domain(const char* dom_name) return True; } else { - NSS_STATUS result; + wbcErr result; /* If winbind is around, ask it */ result = wb_is_trusted_domain(dom_name); - if (result == NSS_STATUS_SUCCESS) { + if (result == WBC_ERR_SUCCESS) { return True; } - if (result == NSS_STATUS_NOTFOUND) { + if (result == WBC_ERR_DOMAIN_NOT_FOUND) { /* winbind could not find the domain */ return False; } -- cgit From 4dc0c1b88be359cbf4e5273e1670ef0f87b9e36b Mon Sep 17 00:00:00 2001 From: James Peach Date: Sat, 22 Dec 2007 14:10:06 -0800 Subject: Fix "may be used uninitialized" compiler warnings. (This used to be commit 22ac34a329c9be9cf7d1e6749ebcfb50215378e4) --- source3/auth/auth_util.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 373a2a375f..3f65e6b126 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1423,7 +1423,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, static const char zeros[16] = { 0, }; NTSTATUS nt_status = NT_STATUS_OK; - char *found_username; + char *found_username = NULL; const char *nt_domain; const char *nt_username; struct samu *sam_account = NULL; @@ -1431,8 +1431,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, DOM_SID group_sid; bool username_was_mapped; - uid_t uid; - gid_t gid; + uid_t uid = (uid_t)-1; + gid_t gid = (gid_t)-1; auth_serversupplied_info *result; -- cgit From 533d6f617efc4dfe1e145785cb9736df07671bdf Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 28 Dec 2007 17:02:34 +0100 Subject: Remove static zeros (This used to be commit dbcc213710a9af31b6094d4741a6f68f573dcdad) --- source3/auth/auth_util.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 3f65e6b126..fea1b2d761 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1103,7 +1103,7 @@ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_inf struct samu *sampass = NULL; DOM_SID guest_sid; bool ret; - static const char zeros[16] = { 0, }; + char zeros[16]; if ( !(sampass = samu_new( NULL )) ) { return NT_STATUS_NO_MEMORY; @@ -1138,6 +1138,7 @@ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_inf /* annoying, but the Guest really does have a session key, and it is all zeros! */ + ZERO_STRUCT(zeros); (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros)); (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros)); @@ -1420,7 +1421,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, auth_serversupplied_info **server_info, NET_USER_INFO_3 *info3) { - static const char zeros[16] = { 0, }; + char zeros[16]; NTSTATUS nt_status = NT_STATUS_OK; char *found_username = NULL; @@ -1624,7 +1625,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, &(info3->uni_logon_srv)); /* ensure we are never given NULL session keys */ - + + ZERO_STRUCT(zeros); + if (memcmp(info3->user_sess_key, zeros, sizeof(zeros)) == 0) { result->user_session_key = data_blob_null; } else { -- cgit From f3603d5a5ab878d45b67bf0f33e2beca50d0af2d Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Wed, 9 Jan 2008 00:11:31 +0100 Subject: Convert add_sid_to_array() add_sid_to_array_unique() to return NTSTATUS. Michael (This used to be commit 6b2b9a60ef857ec31da5fea631535205fbdede4a) --- source3/auth/auth_util.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index fea1b2d761..ce47e94eb5 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -549,11 +549,13 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, "for gid %d!\n", gids[i])); continue; } - if (!add_sid_to_array_unique( result, &unix_group_sid, - &result->sids, &result->num_sids )) { + status = add_sid_to_array_unique(result, &unix_group_sid, + &result->sids, + &result->num_sids); + if (!NT_STATUS_IS_OK(status)) { result->sam_account = NULL; /* Don't free on error exit. */ TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; + return status; } } @@ -895,9 +897,9 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, "for gid %d!\n", gids[i])); continue; } - if (!add_sid_to_array_unique(tmp_ctx, &unix_group_sid, - &group_sids, &num_group_sids )) { - result = NT_STATUS_NO_MEMORY; + result = add_sid_to_array_unique(tmp_ctx, &unix_group_sid, + &group_sids, &num_group_sids); + if (!NT_STATUS_IS_OK(result)) { goto done; } } @@ -1074,11 +1076,12 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, return NT_STATUS_NO_SUCH_USER; } - if (!add_sid_to_array_unique(result, &u_sid, - &result->sids, - &result->num_sids)) { + status = add_sid_to_array_unique(result, &u_sid, + &result->sids, + &result->num_sids); + if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; + return status; } /* For now we throw away the gids and convert via sid_to_gid -- cgit From b397b5cb8f0a9ca5d5b2fa3349635a4cebd81779 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 4 Feb 2008 18:18:36 +0100 Subject: auth_winbind: use wbcAuthenticateUserEx() smbd doesn't need $(WBCOMMON_OBJ) anymore, it works with any libwbclient.so now and may talk to an older winbindd. metze (This used to be commit e3435930a307cff3066fe2047ed8c5c48911f001) --- source3/auth/auth_util.c | 233 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 233 insertions(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index ce47e94eb5..6efd31d574 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1654,6 +1654,239 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } +/***************************************************************************** + Make a server_info struct from the wbcAuthUserInfo returned by a domain logon +******************************************************************************/ + +NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx, + const char *sent_nt_username, + const char *domain, + const struct wbcAuthUserInfo *info, + auth_serversupplied_info **server_info) +{ + char zeros[16]; + + NTSTATUS nt_status = NT_STATUS_OK; + char *found_username = NULL; + const char *nt_domain; + const char *nt_username; + struct samu *sam_account = NULL; + DOM_SID user_sid; + DOM_SID group_sid; + bool username_was_mapped; + uint32_t i; + + uid_t uid = (uid_t)-1; + gid_t gid = (gid_t)-1; + + auth_serversupplied_info *result; + + result = make_server_info(NULL); + if (result == NULL) { + DEBUG(4, ("make_server_info failed!\n")); + return NT_STATUS_NO_MEMORY; + } + + /* + Here is where we should check the list of + trusted domains, and verify that the SID + matches. + */ + + memcpy(&user_sid, &info->sids[0].sid, sizeof(user_sid)); + memcpy(&group_sid, &info->sids[1].sid, sizeof(group_sid)); + + if (info->account_name) { + nt_username = talloc_strdup(result, info->account_name); + } else { + /* If the server didn't give us one, just use the one we sent + * them */ + nt_username = talloc_strdup(result, sent_nt_username); + } + if (!nt_username) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + if (info->domain_name) { + nt_domain = talloc_strdup(result, info->domain_name); + } else { + /* If the server didn't give us one, just use the one we sent + * them */ + nt_domain = talloc_strdup(result, domain); + } + if (!nt_domain) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + /* try to fill the SAM account.. If getpwnam() fails, then try the + add user script (2.2.x behavior). + + We use the _unmapped_ username here in an attempt to provide + consistent username mapping behavior between kerberos and NTLM[SSP] + authentication in domain mode security. I.E. Username mapping + should be applied to the fully qualified username + (e.g. DOMAIN\user) and not just the login name. Yes this means we + called map_username() unnecessarily in make_user_info_map() but + that is how the current code is designed. Making the change here + is the least disruptive place. -- jerry */ + + if ( !(sam_account = samu_new( result )) ) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + /* this call will try to create the user if necessary */ + + nt_status = fill_sam_account(result, nt_domain, sent_nt_username, + &found_username, &uid, &gid, sam_account, + &username_was_mapped); + + /* if we still don't have a valid unix account check for + 'map to guest = bad uid' */ + + if (!NT_STATUS_IS_OK(nt_status)) { + TALLOC_FREE( result ); + if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) { + make_server_info_guest(server_info); + return NT_STATUS_OK; + } + return nt_status; + } + + if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_UNSUCCESSFUL; + } + + if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_UNSUCCESSFUL; + } + + if (!pdb_set_fullname(sam_account, info->full_name, PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_logon_script(sam_account, info->logon_script, PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_profile_path(sam_account, info->profile_path, PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_homedir(sam_account, info->home_directory, PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_dir_drive(sam_account, info->home_drive, PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_acct_ctrl(sam_account, info->acct_flags, PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_pass_last_set_time( + sam_account, + nt_time_to_unix(info->pass_last_set_time), + PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_pass_can_change_time( + sam_account, + nt_time_to_unix(info->pass_can_change_time), + PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + if (!pdb_set_pass_must_change_time( + sam_account, + nt_time_to_unix(info->pass_must_change_time), + PDB_CHANGED)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + /* save this here to _net_sam_logon() doesn't fail (it assumes a + valid struct samu) */ + + result->sam_account = sam_account; + result->unix_name = talloc_strdup(result, found_username); + + result->login_server = talloc_strdup(result, info->logon_server); + + /* Fill in the unix info we found on the way */ + + result->uid = uid; + result->gid = gid; + + /* Create a 'combined' list of all SIDs we might want in the SD */ + + result->num_sids = info->num_sids - 2; + result->sids = talloc_array(result, DOM_SID, result->num_sids); + if (result->sids == NULL) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + for (i=0; i < result->num_sids; i++) { + memcpy(&result->sids[i], &info->sids[i+2].sid, sizeof(result->sids[i])); + } + + /* ensure we are never given NULL session keys */ + + ZERO_STRUCT(zeros); + + if (memcmp(info->user_session_key, zeros, sizeof(zeros)) == 0) { + result->user_session_key = data_blob_null; + } else { + result->user_session_key = data_blob_talloc( + result, info->user_session_key, + sizeof(info->user_session_key)); + } + + if (memcmp(info->lm_session_key, zeros, 8) == 0) { + result->lm_session_key = data_blob_null; + } else { + result->lm_session_key = data_blob_talloc( + result, info->lm_session_key, + sizeof(info->lm_session_key)); + } + + result->was_mapped = username_was_mapped; + + *server_info = result; + + return NT_STATUS_OK; +} + /*************************************************************************** Free a user_info struct ***************************************************************************/ -- cgit From c52dcc7b92ce96e5d3804f839f7464432902bf3a Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Sat, 16 Feb 2008 19:08:22 +0100 Subject: Use netr_SamInfo3 in make_server_info_info3(). Guenther (This used to be commit 5866c11b288c217f0c38240c44f8bfeff185890d) --- source3/auth/auth_util.c | 52 +++++++++++++++++++++++++----------------------- 1 file changed, 27 insertions(+), 25 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 6efd31d574..a95a59ea46 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1422,7 +1422,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, const char *sent_nt_username, const char *domain, auth_serversupplied_info **server_info, - NET_USER_INFO_3 *info3) + struct netr_SamInfo3 *info3) { char zeros[16]; @@ -1446,23 +1446,25 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, matches. */ - sid_copy(&user_sid, &info3->dom_sid.sid); - if (!sid_append_rid(&user_sid, info3->user_rid)) { + sid_copy(&user_sid, info3->base.domain_sid); + if (!sid_append_rid(&user_sid, info3->base.rid)) { return NT_STATUS_INVALID_PARAMETER; } - sid_copy(&group_sid, &info3->dom_sid.sid); - if (!sid_append_rid(&group_sid, info3->group_rid)) { + sid_copy(&group_sid, info3->base.domain_sid); + if (!sid_append_rid(&group_sid, info3->base.primary_gid)) { return NT_STATUS_INVALID_PARAMETER; } - if (!(nt_username = unistr2_to_ascii_talloc(mem_ctx, &(info3->uni_user_name)))) { + nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string); + if (!nt_username) { /* If the server didn't give us one, just use the one we sent * them */ nt_username = sent_nt_username; } - if (!(nt_domain = unistr2_to_ascii_talloc(mem_ctx, &(info3->uni_logon_dom)))) { + nt_domain = talloc_strdup(mem_ctx, info3->base.domain.string); + if (!nt_domain) { /* If the server didn't give us one, just use the one we sent * them */ nt_domain = domain; @@ -1527,50 +1529,50 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, TALLOC_FREE(sam_account); return NT_STATUS_UNSUCCESSFUL; } - + if (!pdb_set_fullname(sam_account, - unistr2_static(&(info3->uni_full_name)), + info3->base.full_name.string, PDB_CHANGED)) { TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } if (!pdb_set_logon_script(sam_account, - unistr2_static(&(info3->uni_logon_script)), + info3->base.logon_script.string, PDB_CHANGED)) { TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } if (!pdb_set_profile_path(sam_account, - unistr2_static(&(info3->uni_profile_path)), + info3->base.profile_path.string, PDB_CHANGED)) { TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } if (!pdb_set_homedir(sam_account, - unistr2_static(&(info3->uni_home_dir)), + info3->base.home_directory.string, PDB_CHANGED)) { TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } if (!pdb_set_dir_drive(sam_account, - unistr2_static(&(info3->uni_dir_drive)), + info3->base.home_drive.string, PDB_CHANGED)) { TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } - if (!pdb_set_acct_ctrl(sam_account, info3->acct_flags, PDB_CHANGED)) { + if (!pdb_set_acct_ctrl(sam_account, info3->base.acct_flags, PDB_CHANGED)) { TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; } if (!pdb_set_pass_last_set_time( sam_account, - nt_time_to_unix(info3->pass_last_set_time), + nt_time_to_unix(info3->base.last_password_change), PDB_CHANGED)) { TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; @@ -1578,7 +1580,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, if (!pdb_set_pass_can_change_time( sam_account, - nt_time_to_unix(info3->pass_can_change_time), + nt_time_to_unix(info3->base.allow_password_change), PDB_CHANGED)) { TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; @@ -1586,7 +1588,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, if (!pdb_set_pass_must_change_time( sam_account, - nt_time_to_unix(info3->pass_must_change_time), + nt_time_to_unix(info3->base.force_password_change), PDB_CHANGED)) { TALLOC_FREE(sam_account); return NT_STATUS_NO_MEMORY; @@ -1624,27 +1626,27 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return nt_status; } - result->login_server = unistr2_to_ascii_talloc(result, - &(info3->uni_logon_srv)); + result->login_server = talloc_strdup(result, + info3->base.logon_server.string); /* ensure we are never given NULL session keys */ ZERO_STRUCT(zeros); - if (memcmp(info3->user_sess_key, zeros, sizeof(zeros)) == 0) { + if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) { result->user_session_key = data_blob_null; } else { result->user_session_key = data_blob_talloc( - result, info3->user_sess_key, - sizeof(info3->user_sess_key)); + result, info3->base.key.key, + sizeof(info3->base.key.key)); } - if (memcmp(info3->lm_sess_key, zeros, 8) == 0) { + if (memcmp(info3->base.LMSessKey.key, zeros, 8) == 0) { result->lm_session_key = data_blob_null; } else { result->lm_session_key = data_blob_talloc( - result, info3->lm_sess_key, - sizeof(info3->lm_sess_key)); + result, info3->base.LMSessKey.key, + sizeof(info3->base.LMSessKey.key)); } result->was_mapped = username_was_mapped; -- cgit From bea4541e11f0664aaa8b62d525e0a02b14fc3afa Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 4 Apr 2008 02:53:40 +0200 Subject: Use sid_array_from_info3 in lookup_usergroups_cached(). Guenther (This used to be commit 65b4cb20ea3fb806cfd50281e08f32bea70fafce) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index a95a59ea46..7013285809 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1620,7 +1620,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, nt_status = sid_array_from_info3(result, info3, &result->sids, &result->num_sids, - False); + false, false); if (!NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE(result); return nt_status; -- cgit From dd11f1d8a89a5d5f20395ca6aea0bf32b7f273c4 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 30 Apr 2008 17:06:45 +0200 Subject: Remove unused set_current_user_guest() (This used to be commit a33e8d2ffa4daea1deba13b3571cb0b36d521476) --- source3/auth/auth_util.c | 33 --------------------------------- 1 file changed, 33 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7013285809..34d0048b4b 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1246,39 +1246,6 @@ bool copy_current_user(struct current_user *dst, struct current_user *src) return True; } -bool set_current_user_guest(struct current_user *dst) -{ - gid_t *groups; - NT_USER_TOKEN *nt_token; - - groups = (gid_t *)memdup(guest_info->groups, - sizeof(gid_t) * guest_info->n_groups); - if (groups == NULL) { - return False; - } - - nt_token = dup_nt_token(NULL, guest_info->ptok); - if (nt_token == NULL) { - SAFE_FREE(groups); - return False; - } - - TALLOC_FREE(dst->nt_user_token); - SAFE_FREE(dst->ut.groups); - - /* dst->conn is never really dereferenced, it's only tested for - * equality in uid.c */ - dst->conn = NULL; - - dst->vuid = UID_FIELD_INVALID; - dst->ut.uid = guest_info->uid; - dst->ut.gid = guest_info->gid; - dst->ut.ngroups = guest_info->n_groups; - dst->ut.groups = groups; - dst->nt_user_token = nt_token; - return True; -} - /*************************************************************************** Purely internal function for make_server_info_info3 Fill the sam account from getpwnam -- cgit From a683625d7fe0be58da23b98828b445478df1606f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 3 May 2008 09:52:24 +0200 Subject: Fix a typo (This used to be commit 964bd02220c04030d8cb0f97ca9b409400d1238c) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 34d0048b4b..78f275d867 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -985,7 +985,7 @@ bool user_in_group(const char *username, const char *groupname) /*************************************************************************** - Make (and fill) a user_info struct from a 'struct passwd' by conversion + Make (and fill) a server_info struct from a 'struct passwd' by conversion to a struct samu ***************************************************************************/ -- cgit From bec1dfab27be3db888eeb451b4547f16e08e93c3 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 30 Apr 2008 17:42:39 +0200 Subject: Remove "userdom_struct user" from "struct user_struct" (This used to be commit 420de035237bb08bc470c9eb820f3da2edaa6805) --- source3/auth/auth_util.c | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 78f275d867..5116425606 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1107,6 +1107,7 @@ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_inf DOM_SID guest_sid; bool ret; char zeros[16]; + fstring tmp; if ( !(sampass = samu_new( NULL )) ) { return NT_STATUS_NO_MEMORY; @@ -1145,6 +1146,9 @@ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_inf (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros)); (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros)); + alpha_strcpy(tmp, pdb_get_username(sampass), ". _-$", sizeof(tmp)); + (*server_info)->sanitized_username = talloc_strdup(*server_info, tmp); + return NT_STATUS_OK; } @@ -1200,6 +1204,12 @@ static auth_serversupplied_info *copy_serverinfo(auth_serversupplied_info *src) return NULL; } + dst->sanitized_username = talloc_strdup(dst, src->sanitized_username); + if (!dst->sanitized_username) { + TALLOC_FREE(dst); + return NULL; + } + return dst; } -- cgit From 64ddd381b74ca94e8ff8ae62d8f019a9b5290a80 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 6 May 2008 17:37:00 +0200 Subject: Rename server_info->was_mapped to server_info->nss_token "nss_token" from my point of view much better reflects what this flag actually represents (This used to be commit b121a5acb2ef0bb3067d953b028696175432f10d) --- source3/auth/auth_util.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5116425606..5e9da4eaff 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -634,7 +634,7 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) */ if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) || - (server_info->was_mapped)) { + (server_info->nss_token)) { status = create_token_from_username(server_info, server_info->unix_name, server_info->guest, @@ -1626,7 +1626,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, sizeof(info3->base.LMSessKey.key)); } - result->was_mapped = username_was_mapped; + result->nss_token |= username_was_mapped; *server_info = result; @@ -1859,7 +1859,7 @@ NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx, sizeof(info->lm_session_key)); } - result->was_mapped = username_was_mapped; + result->nss_token |= username_was_mapped; *server_info = result; -- cgit From 505205b1cba38eed14d6a2d4b9c80a82b5ae8b1f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 6 May 2008 16:10:23 +0200 Subject: Make copy_serverinfo non-static, add mem_ctx (This used to be commit a3651ced9e0859578df8cc44da64e7a8066bde76) --- source3/auth/auth_util.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5e9da4eaff..038636f868 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1152,11 +1152,12 @@ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_inf return NT_STATUS_OK; } -static auth_serversupplied_info *copy_serverinfo(auth_serversupplied_info *src) +struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx, + auth_serversupplied_info *src) { auth_serversupplied_info *dst; - dst = make_server_info(NULL); + dst = make_server_info(mem_ctx); if (dst == NULL) { return NULL; } @@ -1225,7 +1226,7 @@ bool init_guest_info(void) NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) { - *server_info = copy_serverinfo(guest_info); + *server_info = copy_serverinfo(NULL, guest_info); return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; } -- cgit From 0283e95a7c20bb0aeedbdd0b657a1293e449a62d Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 6 May 2008 17:26:49 +0200 Subject: Add a mem_ctx argument to make_server_info_guest() (This used to be commit e4a9492967f3d2b64f27943f99414608e0c03d21) --- source3/auth/auth_util.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 038636f868..bb3dc78e83 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1224,9 +1224,10 @@ bool init_guest_info(void) return NT_STATUS_IS_OK(make_new_server_info_guest(&guest_info)); } -NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info) +NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx, + auth_serversupplied_info **server_info) { - *server_info = copy_serverinfo(NULL, guest_info); + *server_info = copy_serverinfo(mem_ctx, guest_info); return (*server_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY; } @@ -1477,7 +1478,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, if (!NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE( sam_account ); if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) { - make_server_info_guest(server_info); + make_server_info_guest(NULL, server_info); return NT_STATUS_OK; } return nt_status; @@ -1729,7 +1730,7 @@ NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx, if (!NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE( result ); if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) { - make_server_info_guest(server_info); + make_server_info_guest(NULL, server_info); return NT_STATUS_OK; } return nt_status; -- cgit From b446bb05d0438cd5f831a738c59cd37975e25b67 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 6 May 2008 17:47:26 +0200 Subject: Add function make_serverinfo_from_username() This will be used for 'security=share' and 'force user' (This used to be commit 88e43097cafcd2849d9f1200a377357fde4cce99) --- source3/auth/auth_util.c | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index bb3dc78e83..e07d687d35 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1152,6 +1152,44 @@ static NTSTATUS make_new_server_info_guest(auth_serversupplied_info **server_inf return NT_STATUS_OK; } +/**************************************************************************** + Fake a auth_serversupplied_info just from a username +****************************************************************************/ + +NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx, + const char *username, + bool is_guest, + struct auth_serversupplied_info **presult) +{ + struct auth_serversupplied_info *result; + NTSTATUS status; + + result = make_server_info(mem_ctx); + if (result == NULL) { + return NT_STATUS_NO_MEMORY; + } + + result->nss_token = true; + result->guest = is_guest; + + result->unix_name = talloc_strdup(result, username); + if (result->unix_name == NULL) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + + status = create_local_token(result); + + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(result); + return status; + } + + *presult = result; + return NT_STATUS_OK; +} + + struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx, auth_serversupplied_info *src) { -- cgit From 87803073ec78859e67d072c014dce98feee3b58f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 11 May 2008 00:25:55 +0200 Subject: Make sure we have serversupplied_info->sanitized_username everywhere (This used to be commit 88423a17b966652eba4085e88f7ddb5c86b463dd) --- source3/auth/auth_util.c | 63 ++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 53 insertions(+), 10 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index e07d687d35..790b2f0624 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -485,6 +485,14 @@ static auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx) return result; } +static char *sanitize_username(TALLOC_CTX *mem_ctx, const char *username) +{ + fstring tmp; + + alpha_strcpy(tmp, username, ". _-$", sizeof(tmp)); + return talloc_strdup(mem_ctx, tmp); +} + /*************************************************************************** Make (and fill) a user_info struct from a struct samu ***************************************************************************/ @@ -523,6 +531,13 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, TALLOC_FREE(pwd); + result->sanitized_username = sanitize_username(result, + result->unix_name); + if (result->sanitized_username == NULL) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + status = pdb_enum_group_memberships(result, sampass, &result->sids, &gids, &result->num_sids); @@ -983,7 +998,6 @@ bool user_in_group(const char *username, const char *groupname) return user_in_group_sid(username, &group_sid); } - /*************************************************************************** Make (and fill) a server_info struct from a 'struct passwd' by conversion to a struct samu @@ -1018,7 +1032,17 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, } result->sam_account = sampass; + result->unix_name = talloc_strdup(result, unix_username); + result->sanitized_username = sanitize_username(result, unix_username); + + if ((result->unix_name == NULL) + || (result->sanitized_username == NULL)) { + TALLOC_FREE(sampass); + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + result->uid = pwd->pw_uid; result->gid = pwd->pw_gid; @@ -1162,22 +1186,25 @@ NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx, struct auth_serversupplied_info **presult) { struct auth_serversupplied_info *result; + struct passwd *pwd; NTSTATUS status; - result = make_server_info(mem_ctx); - if (result == NULL) { - return NT_STATUS_NO_MEMORY; + pwd = getpwnam_alloc(talloc_tos(), username); + if (pwd == NULL) { + return NT_STATUS_NO_SUCH_USER; } - result->nss_token = true; - result->guest = is_guest; + status = make_server_info_pw(&result, pwd->pw_name, pwd); - result->unix_name = talloc_strdup(result, username); - if (result->unix_name == NULL) { - TALLOC_FREE(result); - return NT_STATUS_NO_MEMORY; + TALLOC_FREE(pwd); + + if (!NT_STATUS_IS_OK(status)) { + return status; } + result->nss_token = true; + result->guest = is_guest; + status = create_local_token(result); if (!NT_STATUS_IS_OK(status)) { @@ -1624,6 +1651,13 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, result->sam_account = sam_account; result->unix_name = talloc_strdup(result, found_username); + result->sanitized_username = sanitize_username(result, + result->unix_name); + if (result->sanitized_username == NULL) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + /* Fill in the unix info we found on the way */ result->uid = uid; @@ -1859,8 +1893,17 @@ NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx, result->sam_account = sam_account; result->unix_name = talloc_strdup(result, found_username); + result->sanitized_username = sanitize_username(result, + result->unix_name); result->login_server = talloc_strdup(result, info->logon_server); + if ((result->unix_name == NULL) + || (result->sanitized_username == NULL) + || (result->login_server == NULL)) { + TALLOC_FREE(result); + return NT_STATUS_NO_MEMORY; + } + /* Fill in the unix info we found on the way */ result->uid = uid; -- cgit From 40f5eab5eb515937e1b23cf6762b77c194d29b9d Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 19 Jun 2008 16:54:12 +0200 Subject: Wrap the unix token info in a unix_user_token in auth_serversupplied_info No functional change, this is a preparation for more current_user ref removal (This used to be commit dcaedf345e62ab74ea87f0a3fa1e3199c75c5445) --- source3/auth/auth_util.c | 48 +++++++++++++++++++++++++----------------------- 1 file changed, 25 insertions(+), 23 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 790b2f0624..f3fccb0a88 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -480,8 +480,8 @@ static auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx) which may save us from giving away root access if there is a bug in allocating these fields. */ - result->uid = -1; - result->gid = -1; + result->utok.uid = -1; + result->utok.gid = -1; return result; } @@ -526,8 +526,8 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, result->unix_name = pwd->pw_name; /* Ensure that we keep pwd->pw_name, because we will free pwd below */ talloc_steal(result, pwd->pw_name); - result->gid = pwd->pw_gid; - result->uid = pwd->pw_uid; + result->utok.gid = pwd->pw_gid; + result->utok.uid = pwd->pw_uid; TALLOC_FREE(pwd); @@ -653,8 +653,8 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) status = create_token_from_username(server_info, server_info->unix_name, server_info->guest, - &server_info->uid, - &server_info->gid, + &server_info->utok.uid, + &server_info->utok.gid, &server_info->unix_name, &server_info->ptok); @@ -675,8 +675,8 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) /* Convert the SIDs to gids. */ - server_info->n_groups = 0; - server_info->groups = NULL; + server_info->utok.ngroups = 0; + server_info->utok.groups = NULL; /* Start at index 1, where the groups start. */ @@ -689,8 +689,9 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) "ignoring it\n", sid_string_dbg(sid))); continue; } - add_gid_to_array_unique(server_info, gid, &server_info->groups, - &server_info->n_groups); + add_gid_to_array_unique(server_info, gid, + &server_info->utok.groups, + &server_info->utok.ngroups); } debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok); @@ -1043,8 +1044,8 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, return NT_STATUS_NO_MEMORY; } - result->uid = pwd->pw_uid; - result->gid = pwd->pw_gid; + result->utok.uid = pwd->pw_uid; + result->utok.gid = pwd->pw_gid; status = pdb_enum_group_memberships(result, sampass, &result->sids, &gids, @@ -1228,14 +1229,15 @@ struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx, } dst->guest = src->guest; - dst->uid = src->uid; - dst->gid = src->gid; - dst->n_groups = src->n_groups; - if (src->n_groups != 0) { - dst->groups = (gid_t *)TALLOC_MEMDUP( - dst, src->groups, sizeof(gid_t)*dst->n_groups); + dst->utok.uid = src->utok.uid; + dst->utok.gid = src->utok.gid; + dst->utok.ngroups = src->utok.ngroups; + if (src->utok.ngroups != 0) { + dst->utok.groups = (gid_t *)TALLOC_MEMDUP( + dst, src->utok.groups, + sizeof(gid_t)*dst->utok.ngroups); } else { - dst->groups = NULL; + dst->utok.groups = NULL; } if (src->ptok) { @@ -1660,8 +1662,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, /* Fill in the unix info we found on the way */ - result->uid = uid; - result->gid = gid; + result->utok.uid = uid; + result->utok.gid = gid; /* Create a 'combined' list of all SIDs we might want in the SD */ @@ -1906,8 +1908,8 @@ NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx, /* Fill in the unix info we found on the way */ - result->uid = uid; - result->gid = gid; + result->utok.uid = uid; + result->utok.gid = gid; /* Create a 'combined' list of all SIDs we might want in the SD */ -- cgit From da70f8ab1ec840bbdcc73c22c4d4c54705c83980 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 24 Jun 2008 18:01:59 -0700 Subject: Fix for bug #5551, smbd recursing back into winbindd from a winbindd call. Jeremy. (This used to be commit a07fe72538e8e724b9736d5a85cc590864c5cab2) --- source3/auth/auth_util.c | 79 ++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 66 insertions(+), 13 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index f3fccb0a88..b1558bceac 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -493,27 +493,51 @@ static char *sanitize_username(TALLOC_CTX *mem_ctx, const char *username) return talloc_strdup(mem_ctx, tmp); } +/*************************************************************************** + Is the incoming username our own machine account ? + If so, the connection is almost certainly from winbindd. +***************************************************************************/ + +static bool is_our_machine_account(const char *username) +{ + bool ret; + char *truncname = NULL; + size_t ulen = strlen(username); + + if (ulen == 0 || username[ulen-1] != '$') { + return false; + } + truncname = SMB_STRDUP(username); + if (!truncname) { + return false; + } + truncname[ulen-1] = '\0'; + ret = strequal(truncname, global_myname()); + SAFE_FREE(truncname); + return ret; +} + /*************************************************************************** Make (and fill) a user_info struct from a struct samu ***************************************************************************/ -NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, +NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, struct samu *sampass) { - NTSTATUS status; struct passwd *pwd; gid_t *gids; auth_serversupplied_info *result; int i; size_t num_gids; DOM_SID unix_group_sid; - + const char *username = pdb_get_username(sampass); + NTSTATUS status; if ( !(result = make_server_info(NULL)) ) { return NT_STATUS_NO_MEMORY; } - if ( !(pwd = getpwnam_alloc(result, pdb_get_username(sampass))) ) { + if ( !(pwd = getpwnam_alloc(result, username)) ) { DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n", pdb_get_username(sampass))); TALLOC_FREE(result); @@ -528,7 +552,7 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, talloc_steal(result, pwd->pw_name); result->utok.gid = pwd->pw_gid; result->utok.uid = pwd->pw_uid; - + TALLOC_FREE(pwd); result->sanitized_username = sanitize_username(result, @@ -538,18 +562,47 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, return NT_STATUS_NO_MEMORY; } - status = pdb_enum_group_memberships(result, sampass, + if (IS_DC && is_our_machine_account(username)) { + /* + * Ensure for a connection from our own + * machine account (from winbindd on a DC) + * there are no supplementary groups. + * Prevents loops in calling gid_to_sid(). + */ + result->sids = NULL; + gids = NULL; + result->num_sids = 0; + + /* + * This is a hack of monstrous proportions. + * If we know it's winbindd talking to us, + * we know we must never recurse into it, + * so turn off contacting winbindd for this + * entire process. This will get fixed when + * winbindd doesn't need to talk to smbd on + * a PDC. JRA. + */ + + winbind_off(); + + DEBUG(10, ("make_server_info_sam: our machine account %s " + "setting supplementary group list empty and " + "turning off winbindd requests.\n", + username)); + } else { + status = pdb_enum_group_memberships(result, sampass, &result->sids, &gids, &result->num_sids); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10, ("pdb_enum_group_memberships failed: %s\n", - nt_errstr(status))); - result->sam_account = NULL; /* Don't free on error exit. */ - TALLOC_FREE(result); - return status; + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("pdb_enum_group_memberships failed: %s\n", + nt_errstr(status))); + result->sam_account = NULL; /* Don't free on error exit. */ + TALLOC_FREE(result); + return status; + } } - + /* Add the "Unix Group" SID for each gid to catch mapped groups and their Unix equivalent. This is to solve the backwards compatibility problem of 'valid users = +ntadmin' where -- cgit From d331624fdfe9fc72f1da7fd01c59a1a20cf1c7d7 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 24 Jun 2008 14:18:55 +0200 Subject: Add server_info to pipes_struct (This used to be commit d621867bb8767e1c4236d28dd9294a61db6cbb10) --- source3/auth/auth_util.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index b1558bceac..998a81b61a 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1334,6 +1334,22 @@ struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx, return dst; } +/* + * Set a new session key. Used in the rpc server where we have to override the + * SMB level session key with SystemLibraryDTC + */ + +bool server_info_set_session_key(struct auth_serversupplied_info *info, + DATA_BLOB session_key) +{ + TALLOC_FREE(info->user_session_key.data); + + info->user_session_key = data_blob_talloc( + info, session_key.data, session_key.length); + + return (info->user_session_key.data != NULL); +} + static auth_serversupplied_info *guest_info = NULL; bool init_guest_info(void) -- cgit From 799252f635a4cf1790a24f9ba8765dba9fb7df86 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 26 Jun 2008 19:46:18 -0700 Subject: Fix the non-LDAP, non-krb5 build, fix gcc -O3 warnings. Jeremy. (This used to be commit 9e2ab30d3cf6950fc79152b2169e7aeae8d6a366) --- source3/auth/auth_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 998a81b61a..a7fce46923 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -583,7 +583,7 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, * a PDC. JRA. */ - winbind_off(); + (void)winbind_off(); DEBUG(10, ("make_server_info_sam: our machine account %s " "setting supplementary group list empty and " -- cgit From 9ab5cffcfa3320ec298e8759e96efa1670ebd770 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 14 Aug 2008 14:36:02 -0700 Subject: Make it clear that this is a temporary context byusing a talloc stackframe instead. Jeremy (This used to be commit 7f7dd5e8883e23d7fe3f9cb804905c5b23a5a41c) --- source3/auth/auth_util.c | 38 ++++++++++++++++---------------------- 1 file changed, 16 insertions(+), 22 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index a7fce46923..98884eaddb 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -641,39 +641,44 @@ NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info, return NT_STATUS_OK; } -static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token) +static NTSTATUS log_nt_token(NT_USER_TOKEN *token) { + TALLOC_CTX *frame = talloc_stackframe(); char *command; char *group_sidstr; size_t i; if ((lp_log_nt_token_command() == NULL) || (strlen(lp_log_nt_token_command()) == 0)) { + TALLOC_FREE(frame); return NT_STATUS_OK; } - group_sidstr = talloc_strdup(tmp_ctx, ""); + group_sidstr = talloc_strdup(frame, ""); for (i=1; inum_sids; i++) { group_sidstr = talloc_asprintf( - tmp_ctx, "%s %s", group_sidstr, - sid_string_talloc(tmp_ctx, &token->user_sids[i])); + frame, "%s %s", group_sidstr, + sid_string_talloc(frame, &token->user_sids[i])); } command = talloc_string_sub( - tmp_ctx, lp_log_nt_token_command(), - "%s", sid_string_talloc(tmp_ctx, &token->user_sids[0])); - command = talloc_string_sub(tmp_ctx, command, "%t", group_sidstr); + frame, lp_log_nt_token_command(), + "%s", sid_string_talloc(frame, &token->user_sids[0])); + command = talloc_string_sub(frame, command, "%t", group_sidstr); if (command == NULL) { + TALLOC_FREE(frame); return NT_STATUS_NO_MEMORY; } DEBUG(8, ("running command: [%s]\n", command)); if (smbrun(command, NULL) != 0) { DEBUG(0, ("Could not log NT token\n")); + TALLOC_FREE(frame); return NT_STATUS_ACCESS_DENIED; } + TALLOC_FREE(frame); return NT_STATUS_OK; } @@ -684,16 +689,8 @@ static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token) NTSTATUS create_local_token(auth_serversupplied_info *server_info) { - TALLOC_CTX *mem_ctx; NTSTATUS status; size_t i; - - - mem_ctx = talloc_new(NULL); - if (mem_ctx == NULL) { - DEBUG(0, ("talloc_new failed\n")); - return NT_STATUS_NO_MEMORY; - } /* * If winbind is not around, we can not make much use of the SIDs the @@ -710,7 +707,7 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) &server_info->utok.gid, &server_info->unix_name, &server_info->ptok); - + } else { server_info->ptok = create_local_nt_token( server_info, @@ -722,10 +719,9 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) } if (!NT_STATUS_IS_OK(status)) { - TALLOC_FREE(mem_ctx); return status; } - + /* Convert the SIDs to gids. */ server_info->utok.ngroups = 0; @@ -746,12 +742,10 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) &server_info->utok.groups, &server_info->utok.ngroups); } - - debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok); - status = log_nt_token(mem_ctx, server_info->ptok); + debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok); - TALLOC_FREE(mem_ctx); + status = log_nt_token(server_info->ptok); return status; } -- cgit From 8bda4e059edba4807feeafa88cb90e16ca7a1d91 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 14 Aug 2008 21:52:11 -0700 Subject: Fix show-stopper for 3.2. Smbd depends on group SID position zero being the primary group sid. Authenicating via winbindd call returned a non-sorted sid list. This fixes is for both a winbindd call and a pac list from an info3 struct. Without this we mess up the primary group associated with created files. Found by Herb. Jeremy. (This used to be commit cb925dec85cfc4cfc194c3ff76dbeba2bd2178d7) --- source3/auth/auth_util.c | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 98884eaddb..9220df01c0 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -26,6 +26,34 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH +/**************************************************************************** + Ensure primary group SID is always at position 0 in a + auth_serversupplied_info struct. +****************************************************************************/ + +static void sort_sid_array_for_smbd(auth_serversupplied_info *result, + const DOM_SID *pgroup_sid) +{ + unsigned int i; + + if (!result->sids) { + return; + } + + if (sid_compare(&result->sids[0], pgroup_sid)==0) { + return; + } + + for (i = 1; i < result->num_sids; i++) { + if (sid_compare(pgroup_sid, + &result->sids[i]) == 0) { + sid_copy(&result->sids[i], &result->sids[0]); + sid_copy(&result->sids[0], pgroup_sid); + return; + } + } +} + /**************************************************************************** Create a UNIX user on demand. ****************************************************************************/ @@ -1742,6 +1770,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, return nt_status; } + /* Ensure the primary group sid is at position 0. */ + sort_sid_array_for_smbd(result, &group_sid); + result->login_server = talloc_strdup(result, info3->base.logon_server.string); @@ -1987,6 +2018,9 @@ NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx, memcpy(&result->sids[i], &info->sids[i+2].sid, sizeof(result->sids[i])); } + /* Ensure the primary group sid is at position 0. */ + sort_sid_array_for_smbd(result, &group_sid); + /* ensure we are never given NULL session keys */ ZERO_STRUCT(zeros); -- cgit From 5e7655fa27f7b2c9c54edfc25f86974dbdb23ea4 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sun, 17 Aug 2008 19:54:41 -0400 Subject: Split lookup_name() and create a new functiong called lookup_domain_name(). This new function accept separated strings for domain and name. (This used to be commit 8594edf666c29fd4ddf1780da842683dd81483b6) --- source3/auth/auth_util.c | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 9220df01c0..5b2c3045c3 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1086,7 +1086,6 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, NTSTATUS status; struct samu *sampass = NULL; gid_t *gids; - char *qualified_name = NULL; TALLOC_CTX *mem_ctx = NULL; DOM_SID u_sid; enum lsa_SidType type; @@ -1152,18 +1151,10 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, return NT_STATUS_NO_MEMORY; } - qualified_name = talloc_asprintf(mem_ctx, "%s\\%s", - unix_users_domain_name(), - unix_username ); - if (!qualified_name) { - TALLOC_FREE(result); - TALLOC_FREE(mem_ctx); - return NT_STATUS_NO_MEMORY; - } - - if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL, - NULL, NULL, - &u_sid, &type)) { + if (!lookup_domain_name(mem_ctx, + unix_users_domain_name(), unix_username, + LOOKUP_NAME_ALL, + NULL, NULL, &u_sid, &type)) { TALLOC_FREE(result); TALLOC_FREE(mem_ctx); return NT_STATUS_NO_SUCH_USER; -- cgit From 3fa16da8c70af9c54e03ea2a497d18009d2126e9 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Wed, 3 Sep 2008 14:36:43 -0400 Subject: Revert "Split lookup_name() and create a new functiong called" This reverts commit 8594edf666c29fd4ddf1780da842683dd81483b6. (This used to be commit ad462e2e2d025a7fc23e7dea32b2b442b528970b) --- source3/auth/auth_util.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) (limited to 'source3/auth/auth_util.c') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 5b2c3045c3..9220df01c0 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1086,6 +1086,7 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, NTSTATUS status; struct samu *sampass = NULL; gid_t *gids; + char *qualified_name = NULL; TALLOC_CTX *mem_ctx = NULL; DOM_SID u_sid; enum lsa_SidType type; @@ -1151,10 +1152,18 @@ NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, return NT_STATUS_NO_MEMORY; } - if (!lookup_domain_name(mem_ctx, - unix_users_domain_name(), unix_username, - LOOKUP_NAME_ALL, - NULL, NULL, &u_sid, &type)) { + qualified_name = talloc_asprintf(mem_ctx, "%s\\%s", + unix_users_domain_name(), + unix_username ); + if (!qualified_name) { + TALLOC_FREE(result); + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL, + NULL, NULL, + &u_sid, &type)) { TALLOC_FREE(result); TALLOC_FREE(mem_ctx); return NT_STATUS_NO_SUCH_USER; -- cgit