From c383022f89a34b83039502cc58178498cc06370e Mon Sep 17 00:00:00 2001 From: Dan Sledz Date: Fri, 13 Feb 2009 12:24:22 -0800 Subject: Introduce a new authentication backend auth_onefs_wb This new backend is custom tailored to onefs' unique requirements: 1) No fallback logic 2) Does not validate the domain of the user 3) Handles unencrypted passwords --- source3/auth/auth_onefs_wb.c | 134 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 134 insertions(+) create mode 100644 source3/auth/auth_onefs_wb.c (limited to 'source3/auth') diff --git a/source3/auth/auth_onefs_wb.c b/source3/auth/auth_onefs_wb.c new file mode 100644 index 0000000000..49de6966b0 --- /dev/null +++ b/source3/auth/auth_onefs_wb.c 
@@ -0,0 +1,134 @@ +/* + Unix SMB/CIFS implementation. + + Winbind authentication mechnism, customized for onefs + + Copyright (C) Tim Potter 2000 + Copyright (C) Andrew Bartlett 2001 - 2002 + Copyright (C) Dan Sledz 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "includes.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + +/* Authenticate a user with a challenge/response */ + +static NTSTATUS check_onefs_wb_security(const struct auth_context *auth_context, + void *my_private_data, + TALLOC_CTX *mem_ctx, + const auth_usersupplied_info *user_info, + auth_serversupplied_info **server_info) +{ + NTSTATUS nt_status; + wbcErr wbc_status; + struct wbcAuthUserParams params; + struct wbcAuthUserInfo *info = NULL; + struct wbcAuthErrorInfo *err = NULL; + + if (!user_info || !auth_context || !server_info) { + return NT_STATUS_INVALID_PARAMETER; + } + /* Send off request */ + + params.account_name = user_info->smb_name; + params.domain_name = user_info->domain; + params.workstation_name = user_info->wksta_name; + + params.flags = 0; + params.parameter_control= user_info->logon_parameters; + + /* Handle plaintext */ + if (!user_info->encrypted) { + DEBUG(3,("Checking plaintext password for %s.\n", + user_info->internal_username)); + params.level = WBC_AUTH_USER_LEVEL_PLAIN; + + params.password.plaintext = user_info->plaintext_password.data; + } else { + DEBUG(3,("Checking encrypted password for %s.\n", + 
user_info->internal_username)); + params.level = WBC_AUTH_USER_LEVEL_RESPONSE; + + memcpy(params.password.response.challenge, + auth_context->challenge.data, + sizeof(params.password.response.challenge)); + + params.password.response.nt_length = user_info->nt_resp.length; + params.password.response.nt_data = user_info->nt_resp.data; + params.password.response.lm_length = user_info->lm_resp.length; + params.password.response.lm_data = user_info->lm_resp.data; + + } + + /* we are contacting the privileged pipe */ + become_root(); + wbc_status = wbcAuthenticateUserEx(¶ms, &info, &err); + unbecome_root(); + + if (!WBC_ERROR_IS_OK(wbc_status)) { + DEBUG(10,("wbcAuthenticateUserEx failed (%d): %s\n", + wbc_status, wbcErrorString(wbc_status))); + } + + if (wbc_status == WBC_ERR_NO_MEMORY) { + return NT_STATUS_NO_MEMORY; + } + + if (wbc_status == WBC_ERR_AUTH_ERROR) { + nt_status = NT_STATUS(err->nt_status); + wbcFreeMemory(err); + return nt_status; + } + + if (!WBC_ERROR_IS_OK(wbc_status)) { + return NT_STATUS_LOGON_FAILURE; + } + + DEBUG(10,("wbcAuthenticateUserEx succeeded\n")); + + nt_status = make_server_info_wbcAuthUserInfo(mem_ctx, + user_info->smb_name, + user_info->domain, + info, server_info); + wbcFreeMemory(info); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + (*server_info)->nss_token |= user_info->was_mapped; + + return nt_status; +} + +/* module initialisation */ +static NTSTATUS auth_init_onefs_wb(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +{ + if (!make_auth_methods(auth_context, auth_method)) { + return NT_STATUS_NO_MEMORY; + } + + (*auth_method)->name = "onefs_wb"; + (*auth_method)->auth = check_onefs_wb_security; + + return NT_STATUS_OK; +} + +NTSTATUS auth_onefs_wb_init(void) +{ + return smb_register_auth(AUTH_INTERFACE_VERSION, "onefs_wb", auth_init_onefs_wb); +} -- cgit From 4aed9abbf84deb47e7a3aec025268a3c1e6b29bb Mon Sep 17 00:00:00 2001 
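Review bot: `params` is a plain local (`struct wbcAuthUserParams params;`) and only the members this function assigns are defined by the time `wbcAuthenticateUserEx` reads the struct, so anything it does not set crosses into the winbind client call uninitialized; add `ZERO_STRUCT(params);` right after the declarations. In the `WBC_ERR_AUTH_ERROR` branch `err->nt_status` is read without a NULL check; if the library can return that status without filling `err`, `nt_status = err ? NT_STATUS(err->nt_status) : NT_STATUS_LOGON_FAILURE;` keeps the failure path from crashing, and if `err` can be allocated for the other non-OK statuses it should be released there too. The same two points apply to the identical hunk in commit aeab22b5 (source3/auth/auth_wbc.c).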
From: Volker Lendecke Date: Thu, 19 Feb 2009 23:41:48 +0100 Subject: Remove the static "chal" from ntlmssp.c:get_challenge() --- source3/auth/auth.c | 14 ++++++++------ source3/auth/auth_compat.c | 5 +++-- source3/auth/auth_ntlmssp.c | 6 ++++-- 3 files changed, 15 insertions(+), 10 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 505098c76a..b19fa764f0 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -76,7 +76,8 @@ static struct auth_init_function_entry *auth_find_backend_entry(const char *name Returns a const char of length 8 bytes. ****************************************************************************/ -static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) +static void get_ntlm_challenge(struct auth_context *auth_context, + uint8_t chal[8]) { DATA_BLOB challenge = data_blob_null; const char *challenge_set_by = NULL; @@ -86,7 +87,8 @@ static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) if (auth_context->challenge.length) { DEBUG(5, ("get_ntlm_challenge (auth subsystem): returning previous challenge by module %s (normal)\n", auth_context->challenge_set_by)); - return auth_context->challenge.data; + memcpy(chal, auth_context->challenge.data, 8); + return; } auth_context->challenge_may_be_modified = False; @@ -123,11 +125,11 @@ static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) } if (!challenge_set_by) { - uchar chal[8]; + uchar tmp[8]; - generate_random_buffer(chal, sizeof(chal)); + generate_random_buffer(tmp, sizeof(tmp)); auth_context->challenge = data_blob_talloc(auth_context->mem_ctx, - chal, sizeof(chal)); + tmp, sizeof(tmp)); challenge_set_by = "random"; auth_context->challenge_may_be_modified = True; 
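Review bot: The block comment above `get_ntlm_challenge` (visible in the context lines: `Returns a const char of length 8 bytes.`) is now wrong, since the function returns void and writes the challenge into the caller's `chal` buffer. Replace that sentence with `Copies the 8-byte NTLM challenge for this auth_context into chal, generating and storing one first if none has been set.` The body of get_ntlm_challenge continues past this hunk.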
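Review bot: The new early-return path at `memcpy(chal, auth_context->challenge.data, 8);` only knows that `auth_context->challenge.length` is non-zero, not that it is 8, so a shorter stored challenge would be over-read. The `SMB_ASSERT(auth_context->challenge.length == 8)` that guards the creation path sits after this return, so add the same assertion (or return on mismatch) before the copy here; the final hunk of this file (`@@ -141,7 +143,7 @@`) copies the same way. Whether any caller can store a challenge of another length is not visible in this diff.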
@@ -141,7 +143,7 @@ static const uint8 *get_ntlm_challenge(struct auth_context *auth_context) auth_context->challenge_set_by=challenge_set_by; - return auth_context->challenge.data; + memcpy(chal, auth_context->challenge.data, 8); } diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c index 00d9dea816..925c0d4f81 100644 --- a/source3/auth/auth_compat.c +++ b/source3/auth/auth_compat.c @@ -39,13 +39,14 @@ NTSTATUS check_plaintext_password(const char *smb_name, DATA_BLOB plaintext_pass { struct auth_context *plaintext_auth_context = NULL; auth_usersupplied_info *user_info = NULL; - const uint8 *chal; + uint8_t chal[8]; NTSTATUS nt_status; if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(&plaintext_auth_context))) { return nt_status; } - chal = plaintext_auth_context->get_ntlm_challenge(plaintext_auth_context); + plaintext_auth_context->get_ntlm_challenge(plaintext_auth_context, + chal); if (!make_user_info_for_reply(&user_info, smb_name, lp_workgroup(), chal, diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 0d46b14f97..98f5838707 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -27,11 +27,13 @@ * @return an 8 byte random challenge */ -static const uint8 *auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state) +static void auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state, + uint8_t chal[8]) { AUTH_NTLMSSP_STATE *auth_ntlmssp_state = (AUTH_NTLMSSP_STATE *)ntlmssp_state->auth_context; - return auth_ntlmssp_state->auth_context->get_ntlm_challenge(auth_ntlmssp_state->auth_context); + return auth_ntlmssp_state->auth_context->get_ntlm_challenge( + auth_ntlmssp_state->auth_context, chal); } /** -- cgit From a3127ea9d7197af8ddde3f8e20a92794f389a992 Mon Sep 17 00:00:00 2001 
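Review bot: `return auth_ntlmssp_state->auth_context->get_ntlm_challenge(...)` returns a void expression from a function that is now declared `void`; that is a constraint violation in C (GCC only warns, stricter compilers reject it), so drop the `return` keyword and leave the call as a statement: `auth_ntlmssp_state->auth_context->get_ntlm_challenge(auth_ntlmssp_state->auth_context, chal);`. Commit 4a2e2c0c further down this page makes exactly that change.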
From: Volker Lendecke Date: Sat, 21 Feb 2009 13:20:08 +0100 Subject: Fix some nonempty blank lines --- source3/auth/auth.c | 62 ++++++++++++++++++++++++++--------------------------- 1 file changed, 31 insertions(+), 31 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth.c b/source3/auth/auth.c index b19fa764f0..fd4c503752 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -2,17 +2,17 @@ Unix SMB/CIFS implementation. Password and authentication handling Copyright (C) Andrew Bartlett 2001-2002 - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see . */ @@ -49,7 +49,7 @@ NTSTATUS smb_register_auth(int version, const char *name, auth_init_function ini DEBUG(0,("There already is an auth method registered with the name %s!\n", name)); return NT_STATUS_OBJECT_NAME_COLLISION; } - + entry = SMB_XMALLOC_P(struct auth_init_function_entry); entry->name = smb_xstrdup(name); entry->init = init; @@ -67,7 +67,7 @@ static struct auth_init_function_entry *auth_find_backend_entry(const char *name if (strcmp(entry->name, name)==0) return entry; entry = entry->next; } - + return NULL; } @@ -110,7 +110,7 @@ static void get_ntlm_challenge(struct auth_context *auth_context, if (!mem_ctx) { smb_panic("talloc_init() failed!"); } - + challenge = auth_method->get_chal(auth_context, &auth_method->private_data, mem_ctx); if (!challenge.length) { DEBUG(3, ("auth_get_challenge: getting challenge from authentication method %s FAILED.\n", 
@@ -123,22 +123,22 @@ static void get_ntlm_challenge(struct auth_context *auth_context, } talloc_destroy(mem_ctx); } - + if (!challenge_set_by) { uchar tmp[8]; - + generate_random_buffer(tmp, sizeof(tmp)); auth_context->challenge = data_blob_talloc(auth_context->mem_ctx, tmp, sizeof(tmp)); - + challenge_set_by = "random"; auth_context->challenge_may_be_modified = True; } - + DEBUG(5, ("auth_context challenge created by %s\n", challenge_set_by)); DEBUG(5, ("challenge is: \n")); dump_data(5, auth_context->challenge.data, auth_context->challenge.length); - + SMB_ASSERT(auth_context->challenge.length == 8); auth_context->challenge_set_by=challenge_set_by; @@ -251,7 +251,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) { NTSTATUS result; - + mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name, user_info->domain, user_info->smb_name); @@ -283,7 +283,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, } /* successful authentication */ - + if (NT_STATUS_IS_OK(nt_status)) { unix_username = (*server_info)->unix_name; if (!(*server_info)->guest) { @@ -291,7 +291,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, become_root(); nt_status = smb_pam_accountcheck(unix_username); unbecome_root(); - + if (NT_STATUS_IS_OK(nt_status)) { DEBUG(5, ("check_ntlm_password: PAM Account for user [%s] succeeded\n", unix_username)); @@ -300,7 +300,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, unix_username, nt_errstr(nt_status))); } } - + if (NT_STATUS_IS_OK(nt_status)) { DEBUG((*server_info)->guest ? 5 : 2, ("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] succeeded\n", 
@@ -309,17 +309,17 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context, user_info->internal_username, unix_username)); } - + return nt_status; } - + /* failed authentication; check for guest lapping */ - + DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n", user_info->smb_name, user_info->internal_username, nt_errstr(nt_status))); ZERO_STRUCTP(server_info); - + return nt_status; } @@ -351,7 +351,7 @@ static NTSTATUS make_auth_context(struct auth_context **auth_context) TALLOC_CTX *mem_ctx; mem_ctx = talloc_init("authentication context"); - + *auth_context = TALLOC_P(mem_ctx, struct auth_context); if (!*auth_context) { DEBUG(0,("make_auth_context: talloc failed!\n")); @@ -364,7 +364,7 @@ static NTSTATUS make_auth_context(struct auth_context **auth_context) (*auth_context)->check_ntlm_password = check_ntlm_password; (*auth_context)->get_ntlm_challenge = get_ntlm_challenge; (*auth_context)->free = free_auth_context; - + return NT_STATUS_OK; } @@ -384,21 +384,21 @@ bool load_auth_module(struct auth_context *auth_context, static_init_auth; initialised_static_modules = True; } - + DEBUG(5,("load_auth_module: Attempting to find an auth method to match %s\n", module)); - + p = strchr(module_name, ':'); if (p) { *p = 0; module_params = p+1; trim_char(module_params, ' ', ' '); } - + trim_char(module_name, ' ', ' '); - + entry = auth_find_backend_entry(module_name); - + if (entry == NULL) { if (NT_STATUS_IS_OK(smb_probe_module("auth", module_name))) { entry = auth_find_backend_entry(module_name); @@ -436,7 +436,7 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context, DEBUG(2,("make_auth_context_text_list: No auth method list!?\n")); return NT_STATUS_UNSUCCESSFUL; } - + if (!NT_STATUS_IS_OK(nt_status = make_auth_context(auth_context))) return nt_status; 
@@ -445,9 +445,9 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context, DLIST_ADD_END(list, t, auth_methods *); } } - + (*auth_context)->auth_method_list = list; - + return nt_status; } @@ -525,7 +525,7 @@ NTSTATUS make_auth_context_subsystem(struct auth_context **auth_context) } else { DEBUG(5,("Using specified auth order\n")); } - + nt_status = make_auth_context_text_list(auth_context, auth_method_list); @@ -543,7 +543,7 @@ NTSTATUS make_auth_context_fixed(struct auth_context **auth_context, uchar chal[ if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(auth_context))) { return nt_status; } - + (*auth_context)->challenge = data_blob_talloc((*auth_context)->mem_ctx, chal, 8); (*auth_context)->challenge_set_by = "fixed"; return nt_status; -- cgit From 4a2e2c0c12e298cb72d4c03e59350393b0a5814f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 21 Feb 2009 18:55:35 +0100 Subject: Fix the build on Solaris --- source3/auth/auth_ntlmssp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 98f5838707..034d354a33 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -32,7 +32,7 @@ static void auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state { AUTH_NTLMSSP_STATE *auth_ntlmssp_state = (AUTH_NTLMSSP_STATE *)ntlmssp_state->auth_context; - return auth_ntlmssp_state->auth_context->get_ntlm_challenge( + auth_ntlmssp_state->auth_context->get_ntlm_challenge( auth_ntlmssp_state->auth_context, chal); } -- cgit From 1ff9696306894c136015f83456e4c6e039e31e26 Mon Sep 17 00:00:00 2001 
From: Tim Prouty Date: Sat, 21 Feb 2009 13:57:10 -0800 Subject: Revert "s3 auth: Add parameter that forces every user through an NSS lookup" After the discussion on samba-technical, it was decided that the best answer for now was to revert this change. The right way to do this is to rewrite the token api to use opaque tokens with pluggable modules. This reverts commit 8e19a288052bca5efdb0277a40c1e0fdd099cc2b. --- source3/auth/auth_util.c | 26 ++++---------------------- 1 file changed, 4 insertions(+), 22 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 0dab05b97c..1f00e22a3c 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -710,8 +710,6 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) NTSTATUS status; size_t i; struct dom_sid tmp_sid; - const char *name_to_use; - bool force_nss; /* * If winbind is not around, we can not make much use of the SIDs the @@ -719,22 +717,11 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) * mapped to some local unix user. */ - DEBUG(10, ("creating token for %s (SAM: %s)\n", server_info->unix_name, - server_info->sam_account->username)); - - force_nss = lp_force_username_map() && !server_info->nss_token; if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) || - server_info->nss_token || force_nss) { - if (force_nss) - name_to_use = - pdb_get_username(server_info->sam_account); - else - name_to_use = server_info->unix_name; - + (server_info->nss_token)) { status = create_token_from_username(server_info, - name_to_use, + server_info->unix_name, server_info->guest, - force_nss, &server_info->utok.uid, &server_info->utok.gid, &server_info->unix_name, 
@@ -839,7 +826,6 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, bool is_guest, - bool force_nss, uid_t *uid, gid_t *gid, char **found_username, struct nt_user_token **token) @@ -855,9 +841,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, size_t num_gids; size_t i; - DEBUG(10, ("creating token for %s,%s guest,%s forcing NSS lookup\n", - username, is_guest ? "" : " not", force_nss ? "" : " not")); - tmp_ctx = talloc_new(NULL); if (tmp_ctx == NULL) { DEBUG(0, ("talloc_new failed\n")); @@ -882,7 +865,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto done; } - if (sid_check_is_in_our_domain(&user_sid) && !force_nss) { + if (sid_check_is_in_our_domain(&user_sid)) { bool ret; /* This is a passdb user, so ask passdb */ @@ -924,7 +907,7 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, *found_username = talloc_strdup(mem_ctx, pdb_get_username(sam_acct)); - } else if (force_nss || sid_check_is_in_unix_users(&user_sid)) { + } else if (sid_check_is_in_unix_users(&user_sid)) { /* This is a unix user not in passdb. We need to ask nss * directly, without consulting passdb */ @@ -1080,7 +1063,6 @@ bool user_in_group_sid(const char *username, const DOM_SID *group_sid) } status = create_token_from_username(mem_ctx, username, False, - lp_force_username_map(), &uid, &gid, &found_username, &token); -- cgit From aeab22b55cb1484ff6da7242bd525e30b69e5752 Mon Sep 17 00:00:00 2001 
From: Dan Sledz Date: Mon, 23 Feb 2009 23:21:13 -0800 Subject: s3: Rename auth_onefs_wb and pdb_onefs_sam auth_onefs_wb.c -> auth_wbc.c pdb_onefs_sam.c -> pdb_wbc_sam.c No changes to functionality --- source3/auth/auth_onefs_wb.c | 134 -------------------------------------- source3/auth/auth_wbc.c | 150 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 150 insertions(+), 134 deletions(-) delete mode 100644 source3/auth/auth_onefs_wb.c create mode 100644 source3/auth/auth_wbc.c (limited to 'source3/auth') diff --git a/source3/auth/auth_onefs_wb.c b/source3/auth/auth_onefs_wb.c deleted file mode 100644 index 49de6966b0..0000000000 --- a/source3/auth/auth_onefs_wb.c +++ /dev/null 
@@ -1,134 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Winbind authentication mechnism, customized for onefs - - Copyright (C) Tim Potter 2000 - Copyright (C) Andrew Bartlett 2001 - 2002 - Copyright (C) Dan Sledz 2009 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . -*/ - -#include "includes.h" - -#undef DBGC_CLASS -#define DBGC_CLASS DBGC_AUTH - -/* Authenticate a user with a challenge/response */ - -static NTSTATUS check_onefs_wb_security(const struct auth_context *auth_context, - void *my_private_data, - TALLOC_CTX *mem_ctx, - const auth_usersupplied_info *user_info, - auth_serversupplied_info **server_info) -{ - NTSTATUS nt_status; - wbcErr wbc_status; - struct wbcAuthUserParams params; - struct wbcAuthUserInfo *info = NULL; - struct wbcAuthErrorInfo *err = NULL; - - if (!user_info || !auth_context || !server_info) { - return NT_STATUS_INVALID_PARAMETER; - } - /* Send off request */ - - params.account_name = user_info->smb_name; - params.domain_name = user_info->domain; - params.workstation_name = user_info->wksta_name; - - params.flags = 0; - params.parameter_control= user_info->logon_parameters; - - /* Handle plaintext */ - if (!user_info->encrypted) { - DEBUG(3,("Checking plaintext password for %s.\n", - user_info->internal_username)); - params.level = WBC_AUTH_USER_LEVEL_PLAIN; - - params.password.plaintext = user_info->plaintext_password.data; - } else { - DEBUG(3,("Checking encrypted password for %s.\n", - 
user_info->internal_username)); - params.level = WBC_AUTH_USER_LEVEL_RESPONSE; - - memcpy(params.password.response.challenge, - auth_context->challenge.data, - sizeof(params.password.response.challenge)); - - params.password.response.nt_length = user_info->nt_resp.length; - params.password.response.nt_data = user_info->nt_resp.data; - params.password.response.lm_length = user_info->lm_resp.length; - params.password.response.lm_data = user_info->lm_resp.data; - - } - - /* we are contacting the privileged pipe */ - become_root(); - wbc_status = wbcAuthenticateUserEx(¶ms, &info, &err); - unbecome_root(); - - if (!WBC_ERROR_IS_OK(wbc_status)) { - DEBUG(10,("wbcAuthenticateUserEx failed (%d): %s\n", - wbc_status, wbcErrorString(wbc_status))); - } - - if (wbc_status == WBC_ERR_NO_MEMORY) { - return NT_STATUS_NO_MEMORY; - } - - if (wbc_status == WBC_ERR_AUTH_ERROR) { - nt_status = NT_STATUS(err->nt_status); - wbcFreeMemory(err); - return nt_status; - } - - if (!WBC_ERROR_IS_OK(wbc_status)) { - return NT_STATUS_LOGON_FAILURE; - } - - DEBUG(10,("wbcAuthenticateUserEx succeeded\n")); - - nt_status = make_server_info_wbcAuthUserInfo(mem_ctx, - user_info->smb_name, - user_info->domain, - info, server_info); - wbcFreeMemory(info); - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } - - (*server_info)->nss_token |= user_info->was_mapped; - - return nt_status; -} - -/* module initialisation */ -static NTSTATUS auth_init_onefs_wb(struct auth_context *auth_context, const char *param, auth_methods **auth_method) -{ - if (!make_auth_methods(auth_context, auth_method)) { - return NT_STATUS_NO_MEMORY; - } - - (*auth_method)->name = "onefs_wb"; - (*auth_method)->auth = check_onefs_wb_security; - - return NT_STATUS_OK; -} - -NTSTATUS auth_onefs_wb_init(void) -{ - return smb_register_auth(AUTH_INTERFACE_VERSION, "onefs_wb", auth_init_onefs_wb); -} diff --git a/source3/auth/auth_wbc.c b/source3/auth/auth_wbc.c new file mode 100644 index 0000000000..b0af9ffb1d --- /dev/null 
+++ b/source3/auth/auth_wbc.c 
@@ -0,0 +1,150 @@ +/* + Unix SMB/CIFS implementation. + + Winbind client authentication mechanism designed to defer all + authentication to the winbind daemon. + + Copyright (C) Tim Potter 2000 + Copyright (C) Andrew Bartlett 2001 - 2002 + Copyright (C) Dan Sledz 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +/* This auth module is very similar to auth_winbind with 3 distinct + * differences. + * + * 1) Does not fallback to another auth module if winbindd is unavailable + * 2) Does not validate the domain of the user + * 3) Handles unencrypted passwords + * + * The purpose of this module is to defer all authentication decisions (ie: + * local user vs NIS vs LDAP vs AD; encrypted vs plaintext) to the wbc + * compatible daemon. This centeralizes all authentication decisions to a + * single provider. + * + * This auth backend is most useful when used in conjunction with pdb_wbc_sam. 
+ */ + +#include "includes.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_AUTH + +/* Authenticate a user with a challenge/response */ + +static NTSTATUS check_wbc_security(const struct auth_context *auth_context, + void *my_private_data, + TALLOC_CTX *mem_ctx, + const auth_usersupplied_info *user_info, + auth_serversupplied_info **server_info) +{ + NTSTATUS nt_status; + wbcErr wbc_status; + struct wbcAuthUserParams params; + struct wbcAuthUserInfo *info = NULL; + struct wbcAuthErrorInfo *err = NULL; + + if (!user_info || !auth_context || !server_info) { + return NT_STATUS_INVALID_PARAMETER; + } + /* Send off request */ + + params.account_name = user_info->smb_name; + params.domain_name = user_info->domain; + params.workstation_name = user_info->wksta_name; + + params.flags = 0; + params.parameter_control= user_info->logon_parameters; + + /* Handle plaintext */ + if (!user_info->encrypted) { + DEBUG(3,("Checking plaintext password for %s.\n", + user_info->internal_username)); + params.level = WBC_AUTH_USER_LEVEL_PLAIN; + + params.password.plaintext = user_info->plaintext_password.data; + } else { + DEBUG(3,("Checking encrypted password for %s.\n", + user_info->internal_username)); + params.level = WBC_AUTH_USER_LEVEL_RESPONSE; + + memcpy(params.password.response.challenge, + auth_context->challenge.data, + sizeof(params.password.response.challenge)); + + params.password.response.nt_length = user_info->nt_resp.length; + params.password.response.nt_data = user_info->nt_resp.data; + params.password.response.lm_length = user_info->lm_resp.length; + params.password.response.lm_data = user_info->lm_resp.data; + + } + + /* we are contacting the privileged pipe */ + become_root(); + wbc_status = wbcAuthenticateUserEx(¶ms, &info, &err); + unbecome_root(); + + if (!WBC_ERROR_IS_OK(wbc_status)) { + DEBUG(10,("wbcAuthenticateUserEx failed (%d): %s\n", + wbc_status, wbcErrorString(wbc_status))); + } + + if (wbc_status == WBC_ERR_NO_MEMORY) { + return NT_STATUS_NO_MEMORY; + } + 
+ if (wbc_status == WBC_ERR_AUTH_ERROR) { + nt_status = NT_STATUS(err->nt_status); + wbcFreeMemory(err); + return nt_status; + } + + if (!WBC_ERROR_IS_OK(wbc_status)) { + return NT_STATUS_LOGON_FAILURE; + } + + DEBUG(10,("wbcAuthenticateUserEx succeeded\n")); + + nt_status = make_server_info_wbcAuthUserInfo(mem_ctx, + user_info->smb_name, + user_info->domain, + info, server_info); + wbcFreeMemory(info); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + (*server_info)->nss_token |= user_info->was_mapped; + + return nt_status; +} + +/* module initialisation */ +static NTSTATUS auth_init_wbc(struct auth_context *auth_context, const char *param, auth_methods **auth_method) +{ + if (!make_auth_methods(auth_context, auth_method)) { + return NT_STATUS_NO_MEMORY; + } + + (*auth_method)->name = "wbc"; + (*auth_method)->auth = check_wbc_security; + + return NT_STATUS_OK; +} + +NTSTATUS auth_wbc_init(void) +{ + return smb_register_auth(AUTH_INTERFACE_VERSION, "wbc", auth_init_wbc); +} -- cgit From 662f996b1554508baf7344b8618f152c179f1680 Mon Sep 17 00:00:00 2001 From: Tim Prouty Date: Wed, 25 Feb 2009 00:11:31 -0800 Subject: s3: Fix 'assignment differ in signedness' warning --- source3/auth/auth_wbc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_wbc.c b/source3/auth/auth_wbc.c index b0af9ffb1d..580c8b550d 100644 --- a/source3/auth/auth_wbc.c +++ b/source3/auth/auth_wbc.c @@ -74,7 +74,7 @@ static NTSTATUS check_wbc_security(const struct auth_context *auth_context, user_info->internal_username)); params.level = WBC_AUTH_USER_LEVEL_PLAIN; - params.password.plaintext = user_info->plaintext_password.data; + params.password.plaintext = (char *)user_info->plaintext_password.data; } else { DEBUG(3,("Checking encrypted password for %s.\n", user_info->internal_username)); -- cgit From 61bedb4263a73121bde3fb18295bc0abc4ccbcb2 Mon Sep 17 00:00:00 2001 
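Review bot: The comment above `check_wbc_security` still reads `/* Authenticate a user with a challenge/response */`, but the function also takes the `WBC_AUTH_USER_LEVEL_PLAIN` path when `user_info->encrypted` is false, which the file header lists as one of the module's three distinguishing features. Suggest `/* Authenticate a user via winbindd, passing either the NTLM challenge/response or the plaintext password through unchanged */`. The header comment also misspells `centeralizes` (`centralizes`).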
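Review bot: The `(char *)` cast removes the signedness warning but hides that `params.password.plaintext` is handed a DATA_BLOB buffer with its `length` discarded; if wbcAuthenticateUserEx reads that field as a NUL-terminated string, this relies on every producer of `user_info->plaintext_password` including the terminator. If that is the intended contract, a comment such as `/* plaintext_password.data must be NUL-terminated; the blob length is not passed to winbindd */` above the assignment, or an explicit check that `user_info->plaintext_password.data[user_info->plaintext_password.length - 1] == '\0'` before it, makes the assumption visible. check_wbc_security starts and ends outside this hunk.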
From: Steven Danneman Date: Thu, 26 Feb 2009 17:47:32 -0800 Subject: s3: fix guest auth when winbindd is running This fix is very subtle. If a server is configured with "security = share" and "guest ok = yes" and winbindd is running authorization will fail during tree connect. This is due to our inability to map the guest sid S-1-5-21-X-501 to a uid through sid_to_uid(). Winbindd is unaware of the hard coded mapping between this sid and whatever uid the name in lp_guestaccount() is assigned. So sid_to_uid() fails and we exit create_token_from_username() without ever calling pdb_getsampwsid() which IS aware of the hard coded mapping. This patch just reorganizes the code, moving sid_to_uid() down to the block of code in which it is needed, avoiding this early failure. --- source3/auth/auth_util.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 1f00e22a3c..c39aa8501d 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -806,7 +806,7 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) } /* - * Create an artificial NT token given just a username. (Initially indended + * Create an artificial NT token given just a username. (Initially intended * for force user) * * We go through lookup_name() to avoid problems we had with 'winbind use @@ -859,12 +859,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, goto done; } - if (!sid_to_uid(&user_sid, uid)) { - DEBUG(1, ("sid_to_uid for %s (%s) failed\n", - username, sid_string_dbg(&user_sid))); - goto done; - } - if (sid_check_is_in_our_domain(&user_sid)) { bool ret; 
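Review bot: Moving `sid_to_uid(&user_sid, uid)` below the `unix_user:` label (second hunk of this file, `@@ -922,6 +916,12 @@`) means the passdb branch entered via `sid_check_is_in_our_domain(&user_sid)` no longer assigns `*uid` before reaching `done`, unless code between the two hunks does so; since `uid` is an out-parameter that callers such as `create_local_token` use directly, confirm that path still sets it (for instance from the `struct samu` that `pdb_getsampwsid` fills) and add the assignment if it does not. create_token_from_username starts before this hunk and ends after the second one.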
@@ -922,6 +916,12 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, unix_user: + if (!sid_to_uid(&user_sid, uid)) { + DEBUG(1, ("sid_to_uid for %s (%s) failed\n", + username, sid_string_dbg(&user_sid))); + goto done; + } + uid_to_unix_users_sid(*uid, &user_sid); pass = getpwuid_alloc(tmp_ctx, *uid); -- cgit